parent
a623af12b7
commit
2742be2f3c
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CheckRemoteDebuggerPresentEx(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
||||
BOOL CheckRemoteDebuggerPresent2(_In_ HANDLE hHandle, _Inout_ PBOOL pbDebuggerPresent)
|
||||
{
|
||||
typedef enum _PROCESSINFOCLASS
|
||||
{
|
||||
|
@ -24,7 +24,7 @@ BOOL CheckRemoteDebuggerPresentEx(HANDLE hHandle, PBOOL pbDebuggerPresent)
|
|||
if (hModule == NULL)
|
||||
return FALSE;
|
||||
|
||||
NtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)GetProcAddressW((DWORD64)hModule, L"NtQueryInformationProcess");
|
||||
NtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)GetProcAddressA((DWORD64)hModule, "NtQueryInformationProcess");
|
||||
if (!NtQueryInformationProcess)
|
||||
return FALSE;
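Review bot: Both early exits visible in this file (`if (hModule == NULL) return FALSE;` and `if (!NtQueryInformationProcess) return FALSE;`) return without ever writing `*pbDebuggerPresent`, and nothing visible null-checks the pointer, so a caller that ignores the BOOL and reads the flag gets whatever it passed in — for an anti-debug primitive that silently reads as "no debugger". The parameter is now annotated `_Inout_`, but if the function only ever writes it, `_Out_` states the contract correctly and lets the analyzer flag the unwritten failure paths. I would add `if (pbDebuggerPresent == NULL) return FALSE; *pbDebuggerPresent = FALSE;` before the module lookup so every path yields a defined value. The remainder of CheckRemoteDebuggerPresent2's body lies between and after these hunks, so the write may currently happen only on the success path.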
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone)
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(_In_ PWCHAR NewFileName, _In_ PWCHAR FileToClone)
|
||||
{
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
INT ScopeType;
|
||||
|
@ -73,7 +73,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(PCHAR NewFileName, PCHAR FileToClone)
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(_In_ PCHAR NewFileName, _In_ PCHAR FileToClone)
|
||||
{
|
||||
typedef struct __DATA_SHARE_SCOPE_ENTRY {
|
||||
INT ScopeType;
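Review bot: `_In_ PWCHAR NewFileName` and `_In_ PWCHAR FileToClone` promise read-only input while the type still permits writes, so the compiler enforces nothing and callers cannot pass a string literal or an `LPCWSTR` without a cast; `_In_ LPCWSTR NewFileName, _In_ LPCWSTR FileToClone` (and `LPCSTR` in the A variant) would make annotation and type agree, the way `RemoveDllFromPebW(_In_ LPCWSTR lpModuleName)` already does in Win32Helper.h. Both bodies are outside these hunks, so if either function does write through the pointers it is the annotation, not the type, that should change. The matching prototypes in the header would need the same edit.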
|
||||
|
|
|
@ -21,7 +21,7 @@ HRESULT CoInitializeIHxHelpIds(LPGUID Clsid, LPGUID Iid)
|
|||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(PWCHAR UriFile)
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxHelpPaneServer;
|
||||
|
@ -48,7 +48,7 @@ HRESULT CreateProcessFromIHxHelpPaneServerW(PWCHAR UriFile)
|
|||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(PCHAR UriFile)
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxHelpPaneServer;
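Review bot: `CreateProcessFromIHxHelpPaneServerW` is declared to return `HRESULT`, yet the exit shown at the top of the second hunk is `return Win32FromHResult(Result);`, which by its name converts to a Win32 error code; if so, callers that test the result with `SUCCEEDED()`/`FAILED()` will treat every non-zero Win32 failure (e.g. `ERROR_ACCESS_DENIED`, 5) as success. Either `return Result;` and keep `HRESULT`, or change the return type to `DWORD` as `CreateProcessFromShellExecuteInExplorerProcessW` and `MpfComVssDeleteShadowVolumeBackups` do in the header; the A variant has the same shape. The function body lies between the two hunks, so I cannot see whether this is the only exit.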
|
||||
|
|
|
@ -18,7 +18,7 @@ HRESULT CoInitializeIHxInteractiveUserIds(LPGUID Clsid, LPGUID Iid)
|
|||
return Result;
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(PWCHAR UriFile)
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxInteractiveUser;
|
||||
|
@ -44,7 +44,7 @@ HRESULT CreateProcessFromIHxInteractiveUserW(PWCHAR UriFile)
|
|||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(PCHAR UriFile)
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
GUID CLSID_IHxInteractiveUser;
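Review bot: The return type and the returned value disagree here as well: `CreateProcessFromIHxInteractiveUserW` is an `HRESULT` function whose visible exit is `return Win32FromHResult(Result);`, and a Win32 error code (assuming that is what the helper produces) is not an HRESULT — positive failure codes pass `SUCCEEDED()`. Pick one convention: return `Result` untouched, or declare the function `DWORD` like the other `Win32FromHResult`-returning helpers in Win32Helper.h, and apply it to the A variant below too. The body between the hunks may contain further returns I cannot see.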
|
||||
|
|
|
@ -67,7 +67,7 @@ VOID UnusedSubroutineUpdateProcThreadAttribute(LPPROC_THREAD_ATTRIBUTE_LIST Attr
|
|||
return;
|
||||
}
|
||||
|
||||
BOOL CreateProcessWithCfGuardW(PPROCESS_INFORMATION Pi, PWCHAR Path)
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
|
||||
|
@ -108,7 +108,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL CreateProcessWithCfGuardA(PPROCESS_INFORMATION Pi, PCHAR Path)
|
||||
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, PCHAR Path)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
PPROC_THREAD_ATTRIBUTE_LIST ThreadAttributes = NULL;
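Review bot: The A definition `BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, PCHAR Path)` leaves `Path` unannotated while the Win32Helper.h prototype in this same commit declares it `_In_ PCHAR Path`; a SAL mismatch between prototype and definition draws analyzer warnings and leaves it unclear which contract is authoritative, so the definition should read `_In_ PCHAR Path` like the W variant above it. Separately, a `PROCESS_INFORMATION` is filled in by process creation rather than read, so `_Out_ PPROCESS_INFORMATION Pi` is probably the more accurate annotation than `_Inout_` — worth confirming against the body, which is outside this hunk.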
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD GetOSIdentificationData(DWORD Id)
|
||||
{
|
||||
PPEB Peb = GetPeb();
|
||||
|
||||
switch (Id)
|
||||
{
|
||||
case 0:
|
||||
return Peb->OSMajorVersion;
|
||||
|
||||
case 1:
|
||||
return Peb->OSMinorVersion;
|
||||
|
||||
case 2:
|
||||
return Peb->OSBuildNumber;
|
||||
|
||||
case 3:
|
||||
return Peb->OSPlatformId;
|
||||
|
||||
default:
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG GetOsBuildNumberFromPeb(VOID)
|
||||
{
|
||||
return GetPeb()->OSBuildNumber;
|
||||
}
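Review bot: `GetPeb()->OSBuildNumber` is returned with no comment on what the value is or how far it can be trusted: the PEB version fields are what the loader recorded for this process and, to my understanding, can be altered by application-compatibility (version-lie) shims, so a fingerprinting caller should treat the result as self-reported rather than authoritative. I would add `// Build number as recorded in this process's PEB; may reflect compatibility shims rather than the true OS build.` above the return. `GetPeb()` is also dereferenced unconditionally; if it can return NULL on any path that needs a guard, but its definition is not in this commit.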
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG GetOsMajorVersionFromPeb(VOID)
|
||||
{
|
||||
return GetPeb()->OSMajorVersion;
|
||||
}
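Review bot: This file and its three siblings replace the deleted `GetOSIdentificationData(DWORD Id)` switch, but none of them records the mapping, so existing callers of `Id` 0..3 have nothing to migrate from; a one-line header comment such as `// Replaces GetOSIdentificationData(0); reads PEB->OSMajorVersion.` (1 -> Minor, 2 -> BuildNumber, 3 -> PlatformId) would make the rename traceable. The old function also returned `DWORD` while these return `ULONG`; the widths match on Windows, but stating the PEB field type the accessor mirrors avoids the question for readers comparing old and new prototypes.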
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG GetOsMinorVersionFromPeb(VOID)
|
||||
{
|
||||
return GetPeb()->OSMinorVersion;
|
||||
}
|
|
@ -0,0 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
ULONG GetOsPlatformIdFromPeb(VOID)
|
||||
{
|
||||
return GetPeb()->OSPlatformId;
|
||||
}
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
#include <psapi.h>
|
||||
|
||||
BOOL IsProcessRunningA(PCHAR ProcessNameWithExtension, BOOL IsCaseSensitive)
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
@ -53,7 +53,7 @@ BOOL IsProcessRunningA(PCHAR ProcessNameWithExtension, BOOL IsCaseSensitive)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL IsProcessRunningW(PWCHAR ProcessNameWithExtension, BOOL IsCaseSensitive)
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive)
|
||||
{
|
||||
HANDLE hProcess = NULL;
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#include <shobjidl_core.h>
|
||||
#include <shlguid.h>
|
||||
|
||||
BOOL MpfComModifyShortcutTargetW(PWCHAR LnkPath, PWCHAR LnkExecutionProperty)
|
||||
BOOL MpfComModifyShortcutTargetW(_In_ PWCHAR LnkPath, _In_ PWCHAR LnkExecutionProperty)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
IShellLinkW* Shell = NULL;
|
||||
|
@ -56,7 +56,7 @@ EXIT_ROUTINE:
|
|||
return bFlag;
|
||||
}
|
||||
|
||||
BOOL MpfComModifyShortcutTargetA(PCHAR LnkPath, PCHAR LnkExecutionProperty)
|
||||
BOOL MpfComModifyShortcutTargetA(_In_ PCHAR LnkPath, _In_ PCHAR LnkExecutionProperty)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
IShellLinkW* Shell = NULL;
|
||||
|
|
|
@ -157,7 +157,7 @@ EXIT_ROUTINE:
|
|||
return Win32FromHResult(Result);
|
||||
}
|
||||
|
||||
DWORD MpfComVssDeleteShadowVolumeBackups(BOOL CoUninitializeAfterCompletion)
|
||||
DWORD MpfComVssDeleteShadowVolumeBackups(_In_ BOOL CoUninitializeAfterCompletion)
|
||||
{
|
||||
HRESULT Result = S_OK;
|
||||
IVssCoordinator* VssCoordinator = NULL;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD OleGetClipboardDataA(PCHAR Buffer)
|
||||
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
|
||||
|
@ -53,7 +53,7 @@ EXIT_ROUTINE:
|
|||
return dwError;
|
||||
}
|
||||
|
||||
DWORD OleGetClipboardDataW(PWCHAR Buffer)
|
||||
DWORD OleGetClipboardDataW(_Inout_ PWCHAR Buffer)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
HRESULT Result = S_OK;
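Review bot: `OleGetClipboardDataA(_Inout_ PCHAR Buffer)` copies clipboard text into a caller-supplied buffer with no length parameter, so nothing in the signature lets the function bound its write; unless the body (outside this hunk) caps the copy at a fixed size the caller is expected to know, this is an unbounded write fed by clipboard contents that any other process on the desktop can set. The header already uses a bounded shape elsewhere — `GetCurrentWindowTextFromUserProcessParametersW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer)` — and `_Out_writes_(nBufferLength) PCHAR Buffer, _In_ DWORD nBufferLength` here would make the contract explicit and SAL-checkable. If the interface cannot change, a comment stating the required minimum buffer size is the least that should be added, and the W variant below has the same gap.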
|
||||
|
|
|
@ -21,7 +21,7 @@ EXIT_ROUTINE:
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
BOOL UacBypassFodHelperMethodW(PWCHAR PathToBinaryToExecute, PPROCESS_INFORMATION Pi)
|
||||
BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi)
|
||||
{
|
||||
HKEY hKey = HKEY_CURRENT_USER, hkResult;
|
||||
WCHAR pvData[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
@ -75,7 +75,7 @@ EXIT_ROUTINE:
|
|||
return dwError;
|
||||
}
|
||||
|
||||
BOOL UacBypassFodHelperMethodA(PCHAR PathToBinaryToExecute, PPROCESS_INFORMATION Pi)
|
||||
BOOL UacBypassFodHelperMethodA(_In_ PCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi)
|
||||
{
|
||||
HKEY hKey = HKEY_CURRENT_USER, hkResult;
|
||||
CHAR pvData[MAX_PATH] = { 0 };
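Review bot: `UacBypassFodHelperMethodW` is declared `BOOL`, but its `EXIT_ROUTINE` at the top of the second hunk is `return dwError;`; if `dwError` holds a Win32 error code as the name and the file's EXIT_ROUTINE convention suggest, a clean run (`ERROR_SUCCESS`, 0) comes back as FALSE and every failure as a non-zero TRUE, so callers testing the BOOL get the inverted verdict. Either `return dwError == ERROR_SUCCESS;` or change the return type to `DWORD` in both the definition and the Win32Helper.h prototype. Also, `WCHAR pvData[MAX_PATH * sizeof(WCHAR)]` declares MAX_PATH*2 wide characters where the A variant declares `CHAR pvData[MAX_PATH]`; it is only over-allocation, but it reads like a byte/element mix-up and `WCHAR pvData[MAX_PATH]` is almost certainly the intended size. The bodies of both functions are outside these hunks.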
|
||||
|
|
|
@ -160,7 +160,10 @@
|
|||
<ClCompile Include="GetLastNtStatusEx.cpp" />
|
||||
<ClCompile Include="GetNumberOfLinkedDlls.cpp" />
|
||||
<ClCompile Include="GetModuleHandleEx2.cpp" />
|
||||
<ClCompile Include="GetOSIdentificationData.cpp" />
|
||||
<ClCompile Include="GetOsBuildNumberFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsMajorVersionFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
|
||||
<ClCompile Include="GetPeb.cpp" />
|
||||
<ClCompile Include="GetProcAddress.cpp" />
|
||||
<ClCompile Include="GetProcAddressDjb2.cpp" />
|
||||
|
|
|
@ -249,15 +249,9 @@
|
|||
<ClCompile Include="IsProcessRunning.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOSIdentificationData.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="IsProcessRunningAsAdmin.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RemoveDllFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="SetProcessPrivilegeToken.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
|
@ -333,6 +327,21 @@
|
|||
<ClCompile Include="CreateProcessViaNtCreateUserProcess.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOsMajorVersionFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOsMinorVersionFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOsBuildNumberFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetOsPlatformIdFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RemoveDllFromPeb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -92,40 +92,41 @@ DWORD GetCurrentWindowTextFromUserProcessParametersA(_In_ DWORD nBufferLength, _
|
|||
DWORD GetCurrentWindowTextFromUserProcessParametersW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer);
|
||||
LONGLONG GetFileSizeFromPathW(_In_ PWCHAR Path, _In_ DWORD dwFlagsAndAttributes);
|
||||
LONGLONG GetFileSizeFromPathA(_In_ PCHAR Path, _In_ DWORD dwFlagsAndAttributes);
|
||||
BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
|
||||
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
|
||||
DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath);
|
||||
DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
|
||||
BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum);
|
||||
|
||||
//fingerprinting
|
||||
DWORD GetNumberOfLinkedDlls(VOID);
|
||||
DWORD GetOSIdentificationData(DWORD Id);
|
||||
BOOL IsNvidiaGraphicsCardPresentA(VOID);
|
||||
BOOL IsNvidiaGraphicsCardPresentW(VOID);
|
||||
BOOL IsProcessRunningA(PCHAR ProcessNameWithExtension, BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningW(PWCHAR ProcessNameWithExtension, BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension, _In_ BOOL IsCaseSensitive);
|
||||
BOOL IsProcessRunningAsAdmin(VOID);
|
||||
ULONG GetOsMajorVersionFromPeb(VOID);
|
||||
ULONG GetOsMinorVersionFromPeb(VOID);
|
||||
ULONG GetOsBuildNumberFromPeb(VOID);
|
||||
ULONG GetOsPlatformIdFromPeb(VOID);
|
||||
|
||||
//malicious capabilities
|
||||
DWORD OleGetClipboardDataA(PCHAR Buffer);
|
||||
DWORD OleGetClipboardDataW(PWCHAR Buffer);
|
||||
DWORD MpfComVssDeleteShadowVolumeBackups(BOOL CoUninitializeAfterCompletion);
|
||||
BOOL MpfComModifyShortcutTargetW(PWCHAR LnkPath, PWCHAR LnkExecutionProperty);
|
||||
BOOL MpfComModifyShortcutTargetA(PCHAR LnkPath, PCHAR LnkExecutionProperty);
|
||||
DWORD OleGetClipboardDataA(_Inout_ PCHAR Buffer);
|
||||
DWORD OleGetClipboardDataW(_Inout_ PWCHAR Buffer);
|
||||
DWORD MpfComVssDeleteShadowVolumeBackups(_In_ BOOL CoUninitializeAfterCompletion);
|
||||
BOOL MpfComModifyShortcutTargetW(_In_ PWCHAR LnkPath, _In_ PWCHAR LnkExecutionProperty);
|
||||
BOOL MpfComModifyShortcutTargetA(_In_ PCHAR LnkPath, _In_ PCHAR LnkExecutionProperty);
|
||||
BOOL UacBypassFodHelperMethodA(_In_ PCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
|
||||
BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCESS_INFORMATION Pi);
|
||||
|
||||
//evasion
|
||||
BOOL CreateProcessWithCfGuardW(PPROCESS_INFORMATION Pi, PWCHAR Path);
|
||||
BOOL CreateProcessWithCfGuardA(PPROCESS_INFORMATION Pi, PCHAR Path);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(PCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(PCHAR UriFile);
|
||||
BOOL CreateProcessWithCfGuardW(_Inout_ PPROCESS_INFORMATION Pi, _In_ PWCHAR Path);
|
||||
BOOL CreateProcessWithCfGuardA(_Inout_ PPROCESS_INFORMATION Pi, _In_ PCHAR Path);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxInteractiveUserA(_In_ PCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerW(_In_ PWCHAR UriFile);
|
||||
HRESULT CreateProcessFromIHxHelpPaneServerA(_In_ PCHAR UriFile);
|
||||
BOOL MasqueradePebAsExplorer(VOID);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(PWCHAR NewFileName, PWCHAR FileToClone);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(PCHAR NewFileName, PCHAR FileToClone);
|
||||
BOOL UacBypassFodHelperMethodA(PCHAR PathToBinaryToExecute, PPROCESS_INFORMATION Pi);
|
||||
BOOL UacBypassFodHelperMethodW(PWCHAR PathToBinaryToExecute, PPROCESS_INFORMATION Pi);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileW(_In_ PWCHAR NewFileName, _In_ PWCHAR FileToClone);
|
||||
BOOL CreateFileFromDsCopyFromSharedFileA(_In_ PCHAR NewFileName, _In_ PCHAR FileToClone);
|
||||
BOOL DelayedExecutionExecuteOnDisplayOff(VOID);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessW(_In_ PWCHAR BinaryPath);
|
||||
DWORD CreateProcessFromShellExecuteInExplorerProcessA(_In_ PCHAR BinaryPath);
|
||||
|
@ -133,11 +134,13 @@ DWORD CreateProcessFromIShellDispatchInvokeW(_In_ PWCHAR BinaryPath);
|
|||
DWORD CreateProcessFromIShellDispatchInvokeA(_In_ PCHAR BinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath);
|
||||
DWORD CreateProcessViaNtCreateUserProcessA(PCHAR FullBinaryPath);
|
||||
BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
|
||||
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
|
||||
|
||||
//antidebug
|
||||
BOOL AdfCloseHandleOnInvalidAddress(VOID);
|
||||
BOOL AdfIsCreateProcessDebugEventCodeSet(VOID);
|
||||
BOOL AdfOpenProcessOnCsrss(VOID);
|
||||
BOOL IsIntelHardwareBreakpointPresent(VOID);
|
||||
BOOL CheckRemoteDebuggerPresentEx(HANDLE hHandle, PBOOL pbDebuggerPresent);
|
||||
BOOL CheckRemoteDebuggerPresent2(_In_ HANDLE hHandle, _Inout_ PBOOL pbDebuggerPresent);
|
||||
BOOL IsDebuggerPresentEx(VOID);
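Review bot: `CreateProcessViaNtCreateUserProcessW(PWCHAR FullBinaryPath)` and its A variant in the second hunk are the only prototypes in these hunks left without `_In_` after this pass, so the annotation sweep is incomplete in the very header that drives it; `_In_ PWCHAR FullBinaryPath` and `_In_ PCHAR FullBinaryPath` would close the gap. `RemoveDllFromPebA/W` are also declared twice — once in the first hunk's context and again in the second — which compiles but means a future signature change has two places to drift; one pair should go. If the definitions of `CreateProcessViaNtCreateUserProcess*` are annotated elsewhere in the tree, the header should match them rather than the other way round.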
|