2.0.460
vxunderground 2022-12-14 08:21:43 -06:00
parent d5ed074515
commit 9c1c612c73
9 changed files with 104 additions and 8 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.439
Version: 2.0.460
Developer: smelly__vx
@ -122,11 +122,12 @@ You're free to use this in any manner you please. You do not need to use this en
| FastcallExecuteBinaryShellExecuteEx | smelly__vx | Helper Functions |
| GetCurrentProcessIdFromOffset | RistBS | Helper Functions |
| GetPeBaseAddress | smelly__vx | Helper Functions |
| LdrLoadGetProcedureAddress | c5pider | Helper Functions |
| GetKUserSharedData | Geoff Chappell | Library Loading |
| GetModuleHandleEx2 | smelly__vx | Library Loading |
| GetPeb | 29a | Library Loading |
| GetPebFromTeb | ReactOS | Library Loading |
| GetProcAddress | 29a Volume 2 | Library Loading |
| GetProcAddress | 29a Volume 2, c5pider | Library Loading |
| GetProcAddressDjb2 | smelly__vx | Library Loading |
| GetProcAddressFowlerNollVoVariant1a | smelly__vx | Library Loading |
| GetProcAddressJenkinsOneAtATime32Bit | smelly__vx | Library Loading |


@ -32,6 +32,7 @@ typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PVOID, ULONG, ULONG);
typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID);
@ -68,5 +69,4 @@ typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
/*******************************************
ADVAPI32 IMPORT
*******************************************/
typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
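Review bot: The new LDRGETPROCEDUREADDRESS typedef on L36 declares the third parameter as WORD and the fourth as a bare PVOID, whereas ntdll's LdrGetProcedureAddress takes the ordinal as ULONG and the result as an out pointer (PVOID*); the callers in this commit pass `&FunctionAddress`, which compiles only because PVOID accepts anything. Declaring it as `typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(PVOID, PANSI_STRING, ULONG, PVOID*);` matches the real prototype and lets the compiler check the out-parameter (callers would then pass `(PVOID*)&FunctionAddress` or use a PVOID local). The second hunk (L37–L41) records one line removed from the ADVAPI32 block, but the removed line is not recoverable from this rendering.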


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -18,8 +23,23 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
{
pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)ModuleBase;
if (StringCompareA((PCHAR)pFunctionName, lpProcName) == 0)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
@ -32,6 +52,11 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -49,7 +74,21 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
break;
if (StringCompareW(wFunctionName, lpProcName) == 0)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
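Review bot: The forwarder range check on L62–L63 computes its upper bound as `(ModuleBase + VirtualAddress) + (ModuleBase + Size)`, adding ModuleBase twice, so every export whose address lies above the start of the export directory is classified as a forwarder and routed through LdrGetProcedureAddress instead of being returned directly; the bound should read `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. LdrGetProcedureAddress is also never NULL-checked after L52 even though LdrLoadGetProcedureAddress returns 0 on failure, so L68 can call through a null function pointer; add `if (LdrGetProcedureAddress == NULL) return 0;` before the export walk. Both points apply identically to GetProcAddressW (L82, L90–L91, L96) and to GetProcAddressDjb2 (L113, L121–L122, L127). In GetProcAddressW the forwarder path hands `pFunctionName` (L93) to ntdll while the match on L86 was made against `wFunctionName`; the narrow name's assignment is outside the hunk, so confirm it still refers to the export that matched. Both functions' signatures and closing braces lie outside the hunks.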


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
DWORD dwFunctionHash = HashStringDjb2A((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;


@ -0,0 +1,32 @@
#include "Win32Helper.h"
DWORD64 LdrLoadGetProcedureAddress(VOID)
{
PBYTE pFunctionName = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
HMODULE hModule = NULL;
hModule = GetModuleHandleEx2W(L"ntdll.dll");
if (hModule == NULL)
return 0;
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&hModule);
IMAGE_EXPORT_DIRECTORY* ExportTable = (PIMAGE_EXPORT_DIRECTORY)((DWORD64)hModule + Optional->DataDirectory[0].VirtualAddress);
PDWORD FunctionNameAddressArray = (PDWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfNames);
PDWORD FunctionAddressArray = (PDWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfFunctions);
PWORD FunctionOrdinalAddressArray = (PWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfNameOrdinals);
for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
{
pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)hModule;
if (StringCompareA((PCHAR)pFunctionName, "LdrGetProcedureAddress") == 0)
return ((DWORD64)hModule + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
}
return 0;
}
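Review bot: `Optional` is dereferenced on L151 without confirming that the RtlLoadPeHeaders call on L150 succeeded; its return value is discarded and Optional is still NULL from L145 on any failure path, so a bad ntdll mapping would fault instead of returning 0. Add `if (Optional == NULL) return 0;` after L150 (or test RtlLoadPeHeaders's return, if it reports one). The file also lacks a header comment; something like `// Locate ntdll!LdrGetProcedureAddress by walking ntdll's export name table; returns its address, or 0 on failure.` above L139 would document the contract the GetProcAddress* callers rely on. The `(LPBYTE)(DWORD64)hModule` double casts on L152–L154 can simply be `(PBYTE)hModule`, as L157 already does.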


@ -27,12 +27,12 @@ BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In
if (hNtdll == NULL)
goto EXIT_ROUTINE;
hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"cryptsp.dll");
hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"advapi32.dll");
if (hAdvapi32 == NULL)
goto EXIT_ROUTINE;
NtContinue = (NTCONTINUE)GetProcAddressA((DWORD64)hNtdll, "NtContinue");
SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressA((DWORD64)hAdvapi32, "SystemFunction032");
SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressW((DWORD64)hAdvapi32, L"SystemFunction032");
if (!NtContinue || !SystemFunction032)
goto EXIT_ROUTINE;


@ -230,6 +230,7 @@
<ClCompile Include="IsProcessRunning.cpp" />
<ClCompile Include="IsProcessRunningAsAdmin.cpp" />
<ClCompile Include="IsRegistryKeyValid.cpp" />
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="ManualResourceDataFetching.cpp" />


@ -519,6 +519,9 @@
<ClCompile Include="GetPeFileBaseAddress.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="LdrLoadGetProcedureAddress.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -253,6 +253,7 @@ BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWC
BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters);
DWORD GetCurrentProcessIdFromOffset(VOID);
HMODULE GetPeFileBaseAddress(VOID);
DWORD64 LdrLoadGetProcedureAddress(VOID);