2.0.488
vxunderground 2022-12-17 16:45:33 -06:00
parent abfecdda83
commit 1e198d4dd8
11 changed files with 340 additions and 3 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.477
Version: 2.0.488
Developer: smelly__vx
@ -40,7 +40,8 @@ You're free to use this in any manner you please. You do not need to use this en
| StringRemoveSubstring | smelly__vx | String Manipulation |
| StringTerminateStringAtChar | smelly__vx | String Manipulation |
| StringToken | Apple (c) 1999 | String Manipulation |
| ZeroMemoryEx | ReactOS | String Manipulation |
| ZeroMemoryEx | ReactOS | String Manipulation |
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx | String Manipulation |
| AdfCloseHandleOnInvalidAddress | Checkpoint Research | Anti-debug |
| AdfIsCreateProcessDebugEventCodeSet | Checkpoint Research | Anti-debug |
| AdfOpenProcessOnCsrss | Checkpoint Research | Anti-debug |
@ -61,6 +62,7 @@ You're free to use this in any manner you please. You do not need to use this en
| CreatePseudoRandomInteger | Apple (c) 1999 | Cryptography Related |
| CreatePseudoRandomString | smelly__vx | Cryptography Related |
| HashFileByMsiFileHashTable | smelly__vx | Cryptography Related |
| CreatePseudoRandomIntegerFromNtdll | smelly__vx | Cryptography Related |
| GetLastErrorFromTeb | smelly__vx | Error Handling |
| GetLastNtStatusFromTeb | smelly__vx | Error Handling |
| RtlNtStatusToDosErrorViaImport | ReactOS | Error Handling |
@ -82,6 +84,8 @@ You're free to use this in any manner you please. You do not need to use this en
| HookEngineUnhookHeapFree | rad9800 | Evasion |
| SleepObfuscationViaVirtualProtect | 5pider | Evasion |
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | Evasion |
| CreateProcessByWindowsRHotKey | smelly__vx | Evasion |
| CreateProcessByWindowsRHotKeyEx | smelly__vx | Evasion |
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |


@ -0,0 +1,44 @@
#include "Win32Helper.h"
ULONG ConvertCharacterStringToIntegerUsingNtdllA(_In_ PCHAR InString)
{
RTLCHARTOINTEGER RtlCharToInteger = NULL;
HMODULE hModule = NULL;
ULONG ConvertedString = ERROR_SUCCESS;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
if (hModule == NULL)
return 0;
RtlCharToInteger = (RTLCHARTOINTEGER)GetProcAddressA((DWORD64)hModule, "RtlCharToInteger");
if (!RtlCharToInteger)
return 0;
if (RtlCharToInteger(InString, 10, &ConvertedString) != STATUS_SUCCESS)
return 0;
return ConvertedString;
}
ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString)
{
RTLCHARTOINTEGER RtlCharToInteger = NULL;
HMODULE hModule = NULL;
ULONG ConvertedString = ERROR_SUCCESS;
CHAR pBuffer[MAX_PATH] = { 0 };
hModule = GetModuleHandleEx2W(L"ntdll.dll");
if (hModule == NULL)
return 0;
RtlCharToInteger = (RTLCHARTOINTEGER)GetProcAddressA((DWORD64)hModule, "RtlCharToInteger");
if (!RtlCharToInteger)
return 0;
WCharStringToCharString(pBuffer, InString, StringLengthW((PWCHAR)InString));
if (RtlCharToInteger(pBuffer, 10, &ConvertedString) != STATUS_SUCCESS)
return 0;
return ConvertedString;
}
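Review bot: ConvertCharacterStringToIntegerUsingNtdllW copies InString into the fixed `CHAR pBuffer[MAX_PATH]` without comparing StringLengthW(InString) against the buffer size, so a wide string of MAX_PATH characters or more overruns the stack buffer (assuming WCharStringToCharString copies the full length it is handed, which its signature suggests). Add a guard before the conversion: `if (StringLengthW(InString) >= MAX_PATH) return 0;`. Both variants also initialise ConvertedString with ERROR_SUCCESS, a Win32 error code rather than a numeric starting value, and return 0 for every failure path, which is indistinguishable from a successful parse of the string "0"; a header comment such as `// Returns 0 on any failure and for the input "0"; callers that must distinguish the two should validate the string first.` would make that contract explicit. The `(PWCHAR)InString` cast on the StringLengthW call is redundant since InString already has that type.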


@ -0,0 +1,133 @@
#include "Win32Helper.h"
DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary)
{
INPUT ExecuteHotkey[4] = { 0 };
INPUT BinaryInputBuffer[2] = { 0 };
INPUT ExecuteBinaryCommand[2] = { 0 };
UINT Result = ERROR_SUCCESS;
HWND RunWindow = NULL;
ExecuteHotkey[0].type = INPUT_KEYBOARD;
ExecuteHotkey[0].ki.wVk = VK_LWIN;
ExecuteHotkey[1].type = INPUT_KEYBOARD;
ExecuteHotkey[1].ki.wVk = 0x52;
ExecuteHotkey[2].type = INPUT_KEYBOARD;
ExecuteHotkey[2].ki.wVk = 0x52;
ExecuteHotkey[2].ki.dwFlags = KEYEVENTF_KEYUP;
ExecuteHotkey[3].type = INPUT_KEYBOARD;
ExecuteHotkey[3].ki.wVk = VK_LWIN;
ExecuteHotkey[3].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteHotkey), ExecuteHotkey, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteHotkey))
return Win32FromHResult(Result);
Sleep(100);
RunWindow = FindWindowW(NULL, L"Run");
if (RunWindow == NULL)
return GetLastErrorFromTeb();
if(!AttachThreadInput(GetCurrentThreadId(), GetWindowThreadProcessId(GetAncestor(RunWindow, GA_ROOT), NULL), TRUE))
return GetLastErrorFromTeb();
if(SetFocus(RunWindow) == NULL)
return GetLastErrorFromTeb();
for (DWORD dwX = 0; dwX < StringLengthW(FullPathToBinary); dwX++)
{
BinaryInputBuffer[0].type = INPUT_KEYBOARD;
BinaryInputBuffer[0].ki.wVk = VkKeyScanW(FullPathToBinary[dwX]);
BinaryInputBuffer[1].type = INPUT_KEYBOARD;
BinaryInputBuffer[1].ki.wVk = VkKeyScanW(FullPathToBinary[dwX]);
BinaryInputBuffer[1].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(BinaryInputBuffer), BinaryInputBuffer, sizeof(INPUT));
if (Result != ARRAYSIZE(BinaryInputBuffer))
return Win32FromHResult(Result);
}
ExecuteBinaryCommand[0].type = INPUT_KEYBOARD;
ExecuteBinaryCommand[0].ki.wVk = 0x0D;
ExecuteBinaryCommand[1].type = INPUT_KEYBOARD;
ExecuteBinaryCommand[1].ki.wVk = 0x0D;
ExecuteBinaryCommand[1].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteBinaryCommand), ExecuteBinaryCommand, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteBinaryCommand))
return Win32FromHResult(Result);
return ERROR_SUCCESS;
}
DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary)
{
INPUT ExecuteHotkey[4] = { 0 };
INPUT BinaryInputBuffer[2] = { 0 };
INPUT ExecuteBinaryCommand[2] = { 0 };
UINT Result = ERROR_SUCCESS;
HWND RunWindow = NULL;
ExecuteHotkey[0].type = INPUT_KEYBOARD;
ExecuteHotkey[0].ki.wVk = VK_LWIN;
ExecuteHotkey[1].type = INPUT_KEYBOARD;
ExecuteHotkey[1].ki.wVk = 0x52;
ExecuteHotkey[2].type = INPUT_KEYBOARD;
ExecuteHotkey[2].ki.wVk = 0x52;
ExecuteHotkey[2].ki.dwFlags = KEYEVENTF_KEYUP;
ExecuteHotkey[3].type = INPUT_KEYBOARD;
ExecuteHotkey[3].ki.wVk = VK_LWIN;
ExecuteHotkey[3].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteHotkey), ExecuteHotkey, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteHotkey))
return Win32FromHResult(Result);
Sleep(100);
RunWindow = FindWindowW(NULL, L"Run");
if (RunWindow == NULL)
return GetLastErrorFromTeb();
if (!AttachThreadInput(GetCurrentThreadId(), GetWindowThreadProcessId(GetAncestor(RunWindow, GA_ROOT), NULL), TRUE))
return GetLastErrorFromTeb();
if (SetFocus(RunWindow) == NULL)
return GetLastErrorFromTeb();
for (DWORD dwX = 0; dwX < StringLengthA(FullPathToBinary); dwX++)
{
BinaryInputBuffer[0].type = INPUT_KEYBOARD;
BinaryInputBuffer[0].ki.wVk = VkKeyScanA(FullPathToBinary[dwX]);
BinaryInputBuffer[1].type = INPUT_KEYBOARD;
BinaryInputBuffer[1].ki.wVk = VkKeyScanA(FullPathToBinary[dwX]);
BinaryInputBuffer[1].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(BinaryInputBuffer), BinaryInputBuffer, sizeof(INPUT));
if (Result != ARRAYSIZE(BinaryInputBuffer))
return Win32FromHResult(Result);
}
ExecuteBinaryCommand[0].type = INPUT_KEYBOARD;
ExecuteBinaryCommand[0].ki.wVk = 0x0D;
ExecuteBinaryCommand[1].type = INPUT_KEYBOARD;
ExecuteBinaryCommand[1].ki.wVk = 0x0D;
ExecuteBinaryCommand[1].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteBinaryCommand), ExecuteBinaryCommand, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteBinaryCommand))
return Win32FromHResult(Result);
return ERROR_SUCCESS;
}
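Review bot: Every SendInput failure branch in both CreateProcessByWindowsRHotKeyW and CreateProcessByWindowsRHotKeyA passes the value SendInput returned to Win32FromHResult, but that value is the count of events actually injected, not an HRESULT; when SendInput returns 0 because the input was blocked, the mapping presumably yields ERROR_SUCCESS and the caller is told the call worked. Use the error source the rest of the function already uses, `return GetLastErrorFromTeb();`, in the three `if (Result != ARRAYSIZE(...))` branches. The same pattern appears in CreateProcessByWindowsRHotKeyEx.cpp. AttachThreadInput(..., TRUE) is also never paired with a FALSE detach on any return path, so the calling thread stays attached to the Run window's input queue after the function exits; route every exit after the attach through a single cleanup that detaches. Finally, the A and W bodies differ only in the string-length and VkKeyScan calls, so the hotkey and Enter sequences could live in one static helper instead of being kept in sync by hand.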


@ -0,0 +1,113 @@
#include "Win32Helper.h"
DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary)
{
HWND RunWindow = NULL;
HWND EditWindow = NULL;
HWND TopWindowForChildElement = NULL;
INPUT ExecuteHotkey[4] = { 0 };
UINT Result = ERROR_SUCCESS;
ExecuteHotkey[0].type = INPUT_KEYBOARD;
ExecuteHotkey[0].ki.wVk = VK_LWIN;
ExecuteHotkey[1].type = INPUT_KEYBOARD;
ExecuteHotkey[1].ki.wVk = 0x52;
ExecuteHotkey[2].type = INPUT_KEYBOARD;
ExecuteHotkey[2].ki.wVk = 0x52;
ExecuteHotkey[2].ki.dwFlags = KEYEVENTF_KEYUP;
ExecuteHotkey[3].type = INPUT_KEYBOARD;
ExecuteHotkey[3].ki.wVk = VK_LWIN;
ExecuteHotkey[3].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteHotkey), ExecuteHotkey, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteHotkey))
return Win32FromHResult(Result);
Sleep(100);
RunWindow = FindWindowW(NULL, L"Run");
if (RunWindow == NULL)
return GetLastErrorFromTeb();
if (!AttachThreadInput(GetCurrentThreadId(), GetWindowThreadProcessId(GetAncestor(RunWindow, GA_ROOT), NULL), TRUE))
return GetLastErrorFromTeb();
TopWindowForChildElement = FindWindowExW(RunWindow, NULL, L"ComboBox", NULL);
if (TopWindowForChildElement == NULL)
return GetLastErrorFromTeb();
EditWindow = FindWindowExW(TopWindowForChildElement, NULL, L"Edit", NULL);
if (EditWindow == NULL)
return GetLastErrorFromTeb();
if (SetFocus(RunWindow) == NULL)
return GetLastErrorFromTeb();
for (DWORD dwX = 0; dwX < StringLengthW(FullPathToBinary); dwX++)
{
PostMessageW(EditWindow, WM_CHAR, (WCHAR)FullPathToBinary[dwX], 0);
}
PostMessageW(RunWindow, WM_KEYDOWN, VK_RETURN, NULL);
return ERROR_SUCCESS;
}
DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary)
{
HWND RunWindow = NULL;
HWND EditWindow = NULL;
HWND TopWindowForChildElement = NULL;
INPUT ExecuteHotkey[4] = { 0 };
UINT Result = ERROR_SUCCESS;
ExecuteHotkey[0].type = INPUT_KEYBOARD;
ExecuteHotkey[0].ki.wVk = VK_LWIN;
ExecuteHotkey[1].type = INPUT_KEYBOARD;
ExecuteHotkey[1].ki.wVk = 0x52;
ExecuteHotkey[2].type = INPUT_KEYBOARD;
ExecuteHotkey[2].ki.wVk = 0x52;
ExecuteHotkey[2].ki.dwFlags = KEYEVENTF_KEYUP;
ExecuteHotkey[3].type = INPUT_KEYBOARD;
ExecuteHotkey[3].ki.wVk = VK_LWIN;
ExecuteHotkey[3].ki.dwFlags = KEYEVENTF_KEYUP;
Result = SendInput(ARRAYSIZE(ExecuteHotkey), ExecuteHotkey, sizeof(INPUT));
if (Result != ARRAYSIZE(ExecuteHotkey))
return Win32FromHResult(Result);
Sleep(100);
RunWindow = FindWindowW(NULL, L"Run");
if (RunWindow == NULL)
return GetLastErrorFromTeb();
if (!AttachThreadInput(GetCurrentThreadId(), GetWindowThreadProcessId(GetAncestor(RunWindow, GA_ROOT), NULL), TRUE))
return GetLastErrorFromTeb();
TopWindowForChildElement = FindWindowExA(RunWindow, NULL, "ComboBox", NULL);
if (TopWindowForChildElement == NULL)
return GetLastErrorFromTeb();
EditWindow = FindWindowExA(TopWindowForChildElement, NULL, "Edit", NULL);
if (EditWindow == NULL)
return GetLastErrorFromTeb();
if (SetFocus(RunWindow) == NULL)
return GetLastErrorFromTeb();
for (DWORD dwX = 0; dwX < StringLengthA(FullPathToBinary); dwX++)
{
PostMessageA(EditWindow, WM_CHAR, (CHAR)FullPathToBinary[dwX], 0);
}
PostMessageW(RunWindow, WM_KEYDOWN, VK_RETURN, NULL);
return ERROR_SUCCESS;
}
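Review bot: The PostMessageW/PostMessageA calls in the character loop and the final `PostMessageW(RunWindow, WM_KEYDOWN, VK_RETURN, NULL)` are unchecked in both CreateProcessByWindowsRHotKeyExW and CreateProcessByWindowsRHotKeyExA, so a failed post still ends in `return ERROR_SUCCESS`; test each return, e.g. `if (!PostMessageW(EditWindow, WM_CHAR, (WCHAR)FullPathToBinary[dwX], 0)) return GetLastErrorFromTeb();`. The final call also passes `NULL`, a pointer constant, as the LPARAM; write `0` as the loop body already does. Because PostMessage is asynchronous, ERROR_SUCCESS here only means the messages were queued, not that anything happened in the target window, which a header comment should state so callers do not treat the return as confirmation. StringLengthW/StringLengthA is re-evaluated on every loop iteration; hoisting it into a local before the loop is both cheaper and clearer.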


@ -0,0 +1,17 @@
#include "Win32Helper.h"
ULONG CreatePseudoRandomIntegerFromNtdll(_In_ ULONG Seed)
{
RTLUNIFORM RtlUniform = NULL;
HMODULE hModule = NULL;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
if (hModule == NULL)
return 0;
RtlUniform = (RTLUNIFORM)GetProcAddressA((DWORD64)hModule, "RtlUniform");
if (!RtlUniform)
return 0;
return RtlUniform(&Seed);
}
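Review bot: CreatePseudoRandomIntegerFromNtdll takes Seed by value, so the seed that RtlUniform advances in place through its PULONG argument is discarded on return; two calls with the same Seed yield the same value and a caller has no way to continue the sequence, which should be documented or fixed by exposing the updated seed, for example via an `_Inout_ PULONG` overload. RtlUniform is documented as a Lehmer linear congruential generator, so although the README lists this function under Cryptography Related it must not be used for keys, nonces or tokens; add a header comment such as `// Deterministic LCG (RtlUniform); not suitable for security-sensitive randomness.` The 0 returned when the module or export lookup fails is also a legitimate generator output, so callers cannot distinguish failure from a zero draw.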


@ -35,6 +35,8 @@ typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID);
typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_FUNCTION*, PVOID, PVOID);
typedef NTSTATUS(NTAPI* LDRUNREGISTERDLLNOTIFICATION)(PVOID);
typedef NTSTATUS(NTAPI* RTLCHARTOINTEGER)(PCHAR, ULONG, PULONG);
typedef ULONG(NTAPI* RTLUNIFORM)(PULONG);


@ -34,6 +34,7 @@ int main(VOID)
Sei.Payload = GlobalOpenCalcPayload;
Sei.dwLengthOfPayloadInBytes = 277;
Sei.MethodEnum = E_RTLUSERFIBERSTART;
DWORD dwX = 0;
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);


@ -34,4 +34,6 @@ SIZE_T WCharStringToCharString(_Inout_ PCHAR Destination, _In_ PWCHAR Source, _I
VOID ByteArrayToCharArrayA(_Inout_ PCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length);
VOID ByteArrayToCharArrayW(_Inout_ PWCHAR Destination, _In_ PBYTE Source, _In_ DWORD Length);
INT ShlwapiCharStringToWCharString(_In_ PCHAR InString, _Inout_ PWCHAR OutString, _In_ INT BufferSize);
INT ShlwapiWCharStringToCharString(_In_ PWCHAR InString, _Inout_ PCHAR OutString, _In_ INT BufferSize);
INT ShlwapiWCharStringToCharString(_In_ PWCHAR InString, _Inout_ PCHAR OutString, _In_ INT BufferSize);
ULONG ConvertCharacterStringToIntegerUsingNtdllA(_In_ PCHAR InString);
ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString);


@ -137,6 +137,7 @@
<ClCompile Include="CharArrayToByteArray.cpp" />
<ClCompile Include="CharStringToWCharString.cpp" />
<ClCompile Include="CheckRemoteDebuggerPresentEx.cpp" />
<ClCompile Include="ConvertCharacterStringToIntegerUsingNtdll.cpp" />
<ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp" />
<ClCompile Include="ConvertIPv4IpAddressUnsignedLongToString.cpp" />
<ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp" />
@ -144,6 +145,8 @@
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp" />
<ClCompile Include="CreateLocalAppDataObjectPath.cpp" />
<ClCompile Include="CreateMd5HashFromFilePath.cpp" />
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp" />
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp" />
<ClCompile Include="CreateProcessFromIHxHelpPaneServer.cpp" />
<ClCompile Include="CreateProcessFromIHxInteractiveUser.cpp" />
<ClCompile Include="CreateProcessFromIShellDispatchInvoke.cpp" />
@ -151,6 +154,7 @@
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp" />
<ClCompile Include="CreateProcessWithCfGuard.cpp" />
<ClCompile Include="CreatePseudoRandomInteger.cpp" />
<ClCompile Include="CreatePseudoRandomIntegerFromNtdll.cpp" />
<ClCompile Include="CreatePseudoRandomString.cpp" />
<ClCompile Include="CreateThreadAndWaitForCompletion.cpp" />
<ClCompile Include="CreateWindowsObjectPath.cpp" />


@ -525,6 +525,18 @@
<ClCompile Include="RemoveRegisterDllNotification.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="ConvertCharacterStringToIntegerUsingNtdll.cpp">
<Filter>Source Files\String Manipulation\String Conversion</Filter>
</ClCompile>
<ClCompile Include="CreatePseudoRandomIntegerFromNtdll.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKey.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
<ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -175,6 +175,7 @@ PWCHAR CreatePseudoRandomStringW(_In_ SIZE_T dwLength, _In_ ULONG Seed);
PCHAR CreatePseudoRandomStringA(_In_ SIZE_T dwLength, _In_ ULONG Seed);
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash);
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash);
ULONG CreatePseudoRandomIntegerFromNtdll(_In_ ULONG Seed);
@ -336,6 +337,10 @@ BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
BOOL RemoveRegisterDllNotification(VOID);
DWORD CreateProcessByWindowsRHotKeyW(_In_ PWCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyA(_In_ PCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyExW(_In_ PWCHAR FullPathToBinary);
DWORD CreateProcessByWindowsRHotKeyExA(_In_ PCHAR FullPathToBinary);