2.0.342

2022-11-03 14:49:05 -05:00 · 2022-11-03 14:49:05 -05:00 · 83ea0dc52a
parent 44160f79d4
commit 83ea0dc52a
9 changed files with 282 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
  
 # VX-API

-Version: 2.0.332
+Version: 2.0.342

 Developer: smelly__vx
  
@ -107,7 +107,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | IsPathValid | smelly__vx | Helper Functions |
 | RecursiveFindFile | Luke | Helper Functions |
 | SetProcessPrivilegeToken | Microsoft | Helper Functions |
-| UrlDownloadToFileSynchronous | Hans Passant | Helper Functions |
 | IsDllLoaded | smelly__vx | Helper Functions | 
 | TryLoadDllMultiMethod | smelly__vx | Helper Functions |
 | CreateThreadAndWaitForCompletion | smelly__vx | Helper Functions |
@ -138,6 +137,10 @@ You're free to use this in any manner you please. You do not need to use this en
 | ShellcodeExecutionViaFunctionCallbackMain | alfarom256, aahmad097| Malicious Capability |
 | MpfComMonitorChromeSessionOnce | smelly__vx | Malicious Capability |
 | MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malicious Capability |
+| UrlDownloadToFileSynchronous | Hans Passant | Network Connectivity |
+| ConvertIPv4IpAddressStructureToString | smelly__vx | Network Connectivity |
+| ConvertIPv4StringToUnsignedLong | smelly__vx | Network Connectivity |
+| SendIcmpEchoMessageToIPv4Host | smelly__vx | Network Connectivity |


 # Todo list
@ -145,7 +148,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | ------------- | ------ | ---- |
 | NtMapViewOfSection lsass | modexp | NtMapViewOfSection |
 | Run PE In Memory with Reloc | N/A | N/A |
-| IcmpSendEcho | N/A | Sync PING |
 | IcmpSendEcho2Ex | N/A | Async PING w/ APC |
 | WMI PING | N/A | Sync/Async PING with COM |
 | Process Injection | N/A | N/A |
--- a/VX-API/ConvertIPv4IpAddressStructureToString.cpp
+++ b/VX-API/ConvertIPv4IpAddressStructureToString.cpp
@ -0,0 +1,55 @@
+#include "Win32Helper.h"
+
+#pragma warning( push )
+#pragma warning( disable : 6101)
+BOOL ConvertIPv4IpAddressStructureToStringW(_In_ PIN_ADDR Address, _Out_ PWCHAR Buffer)
+{
+#pragma warning( pop ) 
+	RTLIPV4ADDRESSTOSTRINGW RtlIpv4AddressToStringW = NULL;
+	HMODULE hModule = NULL;
+	WCHAR DisposeableObject[32] = { 0 };
+
+	if (Buffer == NULL)
+		return FALSE;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		return FALSE;
+
+	RtlIpv4AddressToStringW = (RTLIPV4ADDRESSTOSTRINGW)GetProcAddressA((DWORD64)hModule, "RtlIpv4AddressToStringW");
+	if (!RtlIpv4AddressToStringW)
+		return FALSE;
+
+	RtlIpv4AddressToStringW(Address, Buffer);
+
+	RtlIpv4AddressToStringW = NULL;
+
+	return TRUE;
+}
+
+#pragma warning( push )
+#pragma warning( disable : 6101)
+BOOL ConvertIPv4IpAddressStructureToStringA(_In_ PIN_ADDR Address, _Out_ PCHAR Buffer)
+{
+#pragma warning( pop ) 
+	RTLIPV4ADDRESSTOSTRINGA RtlIpv4AddressToStringA = NULL;
+	HMODULE hModule = NULL;
+	WCHAR DisposeableObject[32] = { 0 };
+
+	if (Buffer == NULL)
+		return FALSE;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		return FALSE;
+
+	RtlIpv4AddressToStringA = (RTLIPV4ADDRESSTOSTRINGA)GetProcAddressA((DWORD64)hModule, "RtlIpv4AddressToStringA");
+	if (!RtlIpv4AddressToStringA)
+		return FALSE;
+
+	RtlIpv4AddressToStringA(Address, Buffer);
+
+	RtlIpv4AddressToStringA = NULL;
+
+	return TRUE;
+}
--- a/VX-API/ConvertIPv4StringToUnsignedLong.cpp
+++ b/VX-API/ConvertIPv4StringToUnsignedLong.cpp
@ -0,0 +1,47 @@
+#include "Win32Helper.h"
+
+ULONG ConvertIPv4StringToUnsignedLongW(_In_ PWCHAR IpAddress)
+{
+	RTLIPV4STRINGTOADDRESSW RtlIpv4StringToAddressW = NULL;
+	HMODULE hModule = NULL;
+	IN_ADDR IpAddressObject = { 0 };
+	LPCWSTR TerminatorObject = NULL;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		return 0;
+
+	RtlIpv4StringToAddressW = (RTLIPV4STRINGTOADDRESSW)GetProcAddressA((DWORD64)hModule, "RtlIpv4StringToAddressW");
+	if (!RtlIpv4StringToAddressW)
+		return 0;
+
+	if (RtlIpv4StringToAddressW(IpAddress, FALSE, &TerminatorObject, &IpAddressObject) != ERROR_SUCCESS)
+		return FALSE;
+
+	RtlIpv4StringToAddressW = NULL;
+
+	return IpAddressObject.S_un.S_addr;
+}
+
+ULONG ConvertIPv4StringToUnsignedLongA(_In_ PCHAR IpAddress)
+{
+	RTLIPV4STRINGTOADDRESSA RtlIpv4StringToAddressA = NULL;
+	HMODULE hModule = NULL;
+	IN_ADDR IpAddressObject = { 0 };
+	LPCSTR TerminatorObject = NULL;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		return 0;
+
+	RtlIpv4StringToAddressA = (RTLIPV4STRINGTOADDRESSA)GetProcAddressA((DWORD64)hModule, "RtlIpv4StringToAddressA");
+	if (!RtlIpv4StringToAddressA)
+		return 0;
+
+	if (RtlIpv4StringToAddressA(IpAddress, FALSE, &TerminatorObject, &IpAddressObject) != ERROR_SUCCESS)
+		return FALSE;
+
+	RtlIpv4StringToAddressA = NULL;
+
+	return IpAddressObject.S_un.S_addr;
+}
--- a/VX-API/FunctionDeclaration.h
+++ b/VX-API/FunctionDeclaration.h
@ -22,6 +22,10 @@ typedef NTSTATUS(NTAPI* NTCREATEFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
 typedef NTSTATUS(NTAPI* NTFSCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
 typedef NTSTATUS(NTAPI* NTDEVICEIOCONTROLFILE)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
 typedef NTSTATUS(NTAPI* NTUNMAPVIEWOFSECTION)(HANDLE, PVOID);
+typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSW)(PCWSTR, BOOL, LPCWSTR*, PIN_ADDR);
+typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSA)(PCSTR, BOOL, LPCSTR*, PIN_ADDR);
+typedef PWSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGW)(PIN_ADDR, PWSTR);
+typedef PSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGA)(PIN_ADDR, PSTR);



--- a/VX-API/Main.cpp
+++ b/VX-API/Main.cpp
@ -45,7 +45,8 @@ int main(VOID)
 	Sei.dwLengthOfPayloadInBytes = 277;
 	Sei.MethodEnum = E_ENUMERATELOADEDMODULES;
 	
-	ShellcodeExecutionViaFunctionCallbackMain(&Sei);
+	//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
+
 	
 	return dwError;
 }
--- a/VX-API/SendIcmpEchoMessageToIPv4Host.cpp
+++ b/VX-API/SendIcmpEchoMessageToIPv4Host.cpp
@ -0,0 +1,127 @@
+#include "Win32Helper.h"
+
+BOOL SendIcmpEchoMessageToIPv4HostW(
+	_In_ PWCHAR IpAddress,					// IP address to ping
+	_Inout_ PDWORD Status,					// Returns Status of ping, OPTIONAL
+	_Inout_ PDWORD RoundTripTime,			// Returns Roundtrip time, OPTIONAL
+	_Inout_ PWCHAR EchoReplyAddress)		// IP address that responded, must be 32 char long, OPTIONAL
+{
+	HANDLE IcmpHandle = NULL;
+	ULONG IpAddressValue = ERROR_SUCCESS, dwReturnValue = ERROR_SUCCESS, ReplySize = ERROR_SUCCESS;
+	BOOL bFlag = FALSE;
+	CHAR IcmpMessage[32] = "Message";
+	LPVOID IcmpResponseMessage = NULL;
+	PICMP_ECHO_REPLY EchoReplyObject = NULL;
+	IN_ADDR ReplyAddressInformation = { 0 };
+
+	if (IpAddress == NULL)
+		goto EXIT_ROUTINE;
+
+	IpAddressValue = ConvertIPv4StringToUnsignedLongW(IpAddress);
+	if (IpAddressValue == 0)
+		goto EXIT_ROUTINE;
+
+	IcmpHandle = IcmpCreateFile();
+	if (IcmpHandle == INVALID_HANDLE_VALUE)
+		goto EXIT_ROUTINE;
+	
+	ReplySize = sizeof(ICMP_ECHO_REPLY) + sizeof(IcmpMessage);
+	IcmpResponseMessage = HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ReplySize);
+	if (IcmpResponseMessage == NULL)
+		goto EXIT_ROUTINE;
+
+#pragma warning( push )
+#pragma warning( disable : 28020)
+	if(IcmpSendEcho(IcmpHandle, IpAddressValue, IcmpMessage, sizeof(IcmpMessage), NULL, IcmpResponseMessage, ReplySize, 1000))
+	{
+#pragma warning( pop ) 
+		EchoReplyObject = (PICMP_ECHO_REPLY)IcmpResponseMessage;
+
+		if(Status)
+			*Status = EchoReplyObject->Status;
+
+		if (RoundTripTime)
+			*RoundTripTime = EchoReplyObject->RoundTripTime;
+
+		if (EchoReplyAddress)
+		{
+			ReplyAddressInformation.S_un.S_addr = EchoReplyObject->Address;
+			ConvertIPv4IpAddressStructureToStringW(&ReplyAddressInformation, EchoReplyAddress);
+		}
+
+		bFlag = TRUE;
+	}
+
+EXIT_ROUTINE:
+
+	if (IcmpHandle)
+		IcmpCloseHandle(IcmpHandle);
+
+	if (IcmpResponseMessage)
+		HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, IcmpResponseMessage);
+
+	return bFlag;
+}
+
+BOOL SendIcmpEchoMessageToIPv4HostA(
+	_In_ PCHAR IpAddress,					// IP address to ping
+	_Inout_ PDWORD Status,					// Returns Status of ping, OPTIONAL
+	_Inout_ PDWORD RoundTripTime,			// Returns Roundtrip time, OPTIONAL
+	_Inout_ PCHAR EchoReplyAddress)		// IP address that responded, must be 32 char long, OPTIONAL
+{
+	HANDLE IcmpHandle = NULL;
+	ULONG IpAddressValue = ERROR_SUCCESS, dwReturnValue = ERROR_SUCCESS, ReplySize = ERROR_SUCCESS;
+	BOOL bFlag = FALSE;
+	CHAR IcmpMessage[32] = "Message";
+	LPVOID IcmpResponseMessage = NULL;
+	PICMP_ECHO_REPLY EchoReplyObject = NULL;
+	IN_ADDR ReplyAddressInformation = { 0 };
+
+	if (IpAddress == NULL)
+		goto EXIT_ROUTINE;
+
+	IpAddressValue = ConvertIPv4StringToUnsignedLongA(IpAddress);
+	if (IpAddressValue == 0)
+		goto EXIT_ROUTINE;
+
+	IcmpHandle = IcmpCreateFile();
+	if (IcmpHandle == INVALID_HANDLE_VALUE)
+		goto EXIT_ROUTINE;
+
+	ReplySize = sizeof(ICMP_ECHO_REPLY) + sizeof(IcmpMessage);
+	IcmpResponseMessage = HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, ReplySize);
+	if (IcmpResponseMessage == NULL)
+		goto EXIT_ROUTINE;
+
+#pragma warning( push )
+#pragma warning( disable : 28020)
+	if (IcmpSendEcho(IcmpHandle, IpAddressValue, IcmpMessage, sizeof(IcmpMessage), NULL, IcmpResponseMessage, ReplySize, 1000))
+	{
+#pragma warning( pop ) 
+		EchoReplyObject = (PICMP_ECHO_REPLY)IcmpResponseMessage;
+
+		if (Status)
+			*Status = EchoReplyObject->Status;
+
+		if (RoundTripTime)
+			*RoundTripTime = EchoReplyObject->RoundTripTime;
+
+		if (EchoReplyAddress)
+		{
+			ReplyAddressInformation.S_un.S_addr = EchoReplyObject->Address;
+			ConvertIPv4IpAddressStructureToStringA(&ReplyAddressInformation, EchoReplyAddress);
+		}
+
+		bFlag = TRUE;
+	}
+
+EXIT_ROUTINE:
+
+	if (IcmpHandle)
+		IcmpCloseHandle(IcmpHandle);
+
+	if (IcmpResponseMessage)
+		HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, IcmpResponseMessage);
+
+	return bFlag;
+}
--- a/VX-API/VX-API.vcxproj
+++ b/VX-API/VX-API.vcxproj
@ -135,6 +135,8 @@
    <ClCompile Include="CharArrayToByteArray.cpp" />
    <ClCompile Include="CharStringToWCharString.cpp" />
    <ClCompile Include="CheckRemoteDebuggerPresentEx.cpp" />
+    <ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp" />
+    <ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp" />
    <ClCompile Include="CopyMemoryEx.cpp" />
    <ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp" />
    <ClCompile Include="CreateLocalAppDataObjectPath.cpp" />
@ -207,6 +209,7 @@
    <ClCompile Include="IsProcessRunning.cpp" />
    <ClCompile Include="IsProcessRunningAsAdmin.cpp" />
    <ClCompile Include="Main.cpp" />
+    <ClCompile Include="ManualResourceDataFetching.cpp" />
    <ClCompile Include="MasqueradePebAsExplorer.cpp" />
    <ClCompile Include="MpfComModifyShortcutTarget.cpp" />
    <ClCompile Include="MpfComMonitorChromeSessionOnce.cpp" />
@ -215,6 +218,7 @@
    <ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
    <ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
    <ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
+    <ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
    <ClCompile Include="OleGetClipboardData.cpp" />
    <ClCompile Include="RecursiveFindFile.cpp" />
    <ClCompile Include="RemoveDllFromPeb.cpp" />
--- a/VX-API/VX-API.vcxproj.filters
+++ b/VX-API/VX-API.vcxproj.filters
@ -52,6 +52,9 @@
    <Filter Include="Source Files\Windows API Helper Functions\Antidebug">
      <UniqueIdentifier>{5c518d5a-a7b5-448a-8872-577693d1ccca}</UniqueIdentifier>
    </Filter>
+    <Filter Include="Source Files\Windows API Helper Functions\Network Connectivity">
+      <UniqueIdentifier>{71e7ff3a-c576-49b0-96e2-0b4479a5fa5f}</UniqueIdentifier>
+    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="Main.cpp">
@ -258,9 +261,6 @@
    <ClCompile Include="RecursiveFindFile.cpp">
      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
    </ClCompile>
-    <ClCompile Include="UrlDownloadToFileSynchronous.cpp">
-      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
-    </ClCompile>
    <ClCompile Include="GetNumberOfLinkedDlls.cpp">
      <Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
    </ClCompile>
@ -405,6 +405,21 @@
    <ClCompile Include="MpfExecutePeBinaryInMemoryFromByteArray.cpp">
      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
    </ClCompile>
+    <ClCompile Include="ManualResourceDataFetching.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
+    <ClCompile Include="UrlDownloadToFileSynchronous.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
+    </ClCompile>
+    <ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
+    </ClCompile>
+    <ClCompile Include="ConvertIPv4StringToUnsignedLong.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
+    </ClCompile>
+    <ClCompile Include="ConvertIPv4IpAddressStructureToString.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Internal.h">
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -10,13 +10,18 @@
 #include <wtsapi32.h>
 #include <psapi.h>
 #include <powrprof.h>
+#include <Iphlpapi.h>
+#include <icmpapi.h>

+
+#pragma comment(lib, "Iphlpapi.lib")
 #pragma comment(lib, "Crypt32.lib")
 #pragma comment(lib, "Dbghelp.lib")
 #pragma comment(lib, "Wtsapi32.lib")
 #pragma comment(lib, "Urlmon.lib")
 #pragma comment(lib, "PowrProf.lib")

+
 #ifndef NT_SUCCESS
 #define NT_SUCCESS(x) ((x)>=0)
 #define STATUS_SUCCESS ((NTSTATUS)0)
@ -87,7 +92,6 @@ typedef struct __SHELLCODE_EXECUTION_INFORMATION {
 }SHELLCODE_EXECUTION_INFORMATION, * PSHELLCODE_EXECUTION_INFORMATION;


-
 /*******************************************
 ERROR HANDLING
 *******************************************/
@ -182,8 +186,6 @@ DWORD GetCurrentWindowTextFromUserProcessParametersA(_In_ DWORD nBufferLength, _
 DWORD GetCurrentWindowTextFromUserProcessParametersW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer);
 LONGLONG GetFileSizeFromPathW(_In_ PWCHAR Path, _In_ DWORD dwFlagsAndAttributes);
 LONGLONG GetFileSizeFromPathA(_In_ PCHAR Path, _In_ DWORD dwFlagsAndAttributes);
-DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath);
-DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
 BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum);
 BOOL IsDllLoadedW(_In_ LPCWSTR DllName);
 BOOL IsDllLoadedA(_In_ LPCSTR DllName);
@ -269,7 +271,6 @@ BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);



-
 /*******************************************
 ANTI-DEBUGGING
 *******************************************/
@ -278,4 +279,18 @@ BOOL AdfIsCreateProcessDebugEventCodeSet(VOID);
 BOOL AdfOpenProcessOnCsrss(VOID);
 BOOL IsIntelHardwareBreakpointPresent(VOID);
 BOOL CheckRemoteDebuggerPresent2(_In_ HANDLE hHandle, _Inout_ PBOOL pbDebuggerPresent);
-BOOL IsDebuggerPresentEx(VOID);
+BOOL IsDebuggerPresentEx(VOID);
+
+
+
+/*******************************************
+ NETWORK CONNECTIVITY
+*******************************************/
+DWORD UrlDownloadToFileSynchronousW(_In_ PWCHAR Url, _In_ PWCHAR SavePath);
+DWORD UrlDownloadToFileSynchronousA(_In_ PCHAR Url, _In_ PCHAR SavePath);
+BOOL SendIcmpEchoMessageToIPv4HostW(_In_ PWCHAR IpAddress, _Inout_ PDWORD Status, _Inout_ PDWORD RoundTripTime, _Inout_ PWCHAR EchoReplyAddress);
+BOOL SendIcmpEchoMessageToIPv4HostA(_In_ PCHAR IpAddress, _Inout_ PDWORD Status, _Inout_ PDWORD RoundTripTime, _Inout_ PCHAR EchoReplyAddress);
+ULONG ConvertIPv4StringToUnsignedLongW(_In_ PWCHAR IpAddress);
+ULONG ConvertIPv4StringToUnsignedLongA(_In_ PCHAR IpAddress);
+BOOL ConvertIPv4IpAddressStructureToStringW(_In_ PIN_ADDR Address, _Out_ PWCHAR Buffer);
+BOOL ConvertIPv4IpAddressStructureToStringA(_In_ PIN_ADDR Address, _Out_ PCHAR Buffer);