parent
d5ed074515
commit
9c1c612c73
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.439
|
||||
Version: 2.0.460
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -122,11 +122,12 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| FastcallExecuteBinaryShellExecuteEx | smelly__vx | Helper Functions |
|
||||
| GetCurrentProcessIdFromOffset | RistBS | Helper Functions |
|
||||
| GetPeBaseAddress | smelly__vx | Helper Functions |
|
||||
| LdrLoadGetProcedureAddress | c5pider | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
| GetPebFromTeb | ReactOS | Library Loading |
|
||||
| GetProcAddress | 29a Volume 2 | Library Loading |
|
||||
| GetProcAddress | 29a Volume 2, c5pider | Library Loading |
|
||||
| GetProcAddressDjb2 | smelly__vx | Library Loading |
|
||||
| GetProcAddressFowlerNollVoVariant1a | smelly__vx | Library Loading |
|
||||
| GetProcAddressJenkinsOneAtATime32Bit | smelly__vx | Library Loading |
|
||||
|
|
|
@ -32,6 +32,7 @@ typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
|
|||
typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PVOID, ULONG, ULONG);
|
||||
typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
|
||||
typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
|
||||
typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID);
|
||||
|
||||
|
||||
|
||||
|
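Review bot: The new LDRGETPROCEDUREADDRESS typedef declares its last parameter as PVOID, yet every caller added in this commit passes `&FunctionAddress` to receive a result, so the out-parameter intent is lost and the compiler cannot check the use; `typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, ULONG, PVOID*);` matches how it is called. The ordinal argument is, to my knowledge, ULONG in the native prototype rather than WORD; the callers pass a literal 0 so this is harmless today, but the narrower type invites a mismatch if an ordinal lookup is ever added. None of the typedefs in this header carry a comment, so a one-liner such as `// ntdll!LdrGetProcedureAddress: resolves Name inside BaseAddress, result written through the last argument` would document the contract the new callers rely on.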
@ -68,5 +69,4 @@ typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
|||
/*******************************************
|
||||
ADVAPI32 IMPORT
|
||||
*******************************************/
|
||||
|
||||
typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
|
|
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -18,8 +23,23 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
|
|||
for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
|
||||
{
|
||||
pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)ModuleBase;
|
||||
|
||||
if (StringCompareA((PCHAR)pFunctionName, lpProcName) == 0)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
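Review bot: The upper bound of the forwarder range check, `FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)`, adds ModuleBase twice, so the computed end of the export directory lands far past its real end and every export whose code lies above the export directory in memory takes the forwarder path; it should read `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. The same two lines recur in the GetProcAddressW hunk below and in GetProcAddressDjb2, which need the same fix. Inside that branch LdrGetProcedureAddress is called without checking that LdrLoadGetProcedureAddress returned a non-zero pointer earlier in the function, which is a NULL call whenever ntdll's export could not be located; `if (LdrGetProcedureAddress == NULL) return 0;` before the call closes it. A why-comment on the branch would also help, since the ANSI_STRING is filled with the export's own name rather than the forwarder string, presumably so that the loader resolves the forward itself: `// forwarded export: hand the name back to the loader, which follows the forwarder`. GetProcAddressA starts before this hunk and its loop variables are declared outside it.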
@ -32,6 +52,11 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -49,7 +74,21 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
|
|||
break;
|
||||
|
||||
if (StringCompareW(wFunctionName, lpProcName) == 0)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
|
||||
DWORD dwFunctionHash = HashStringDjb2A((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD64 LdrLoadGetProcedureAddress(VOID)
|
||||
{
|
||||
PBYTE pFunctionName = NULL;
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
return 0;
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&hModule);
|
||||
|
||||
IMAGE_EXPORT_DIRECTORY* ExportTable = (PIMAGE_EXPORT_DIRECTORY)((DWORD64)hModule + Optional->DataDirectory[0].VirtualAddress);
|
||||
PDWORD FunctionNameAddressArray = (PDWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfNames);
|
||||
PDWORD FunctionAddressArray = (PDWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfFunctions);
|
||||
PWORD FunctionOrdinalAddressArray = (PWORD)((LPBYTE)(DWORD64)hModule + ExportTable->AddressOfNameOrdinals);
|
||||
|
||||
for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
|
||||
{
|
||||
pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)hModule;
|
||||
|
||||
if (StringCompareA((PCHAR)pFunctionName, "LdrGetProcedureAddress") == 0)
|
||||
return ((DWORD64)hModule + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
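Review bot: The result of RtlLoadPeHeaders is not checked before Optional is dereferenced to locate the export directory, so a parse failure reads through a NULL PIMAGE_OPTIONAL_HEADER; assuming it reports failure through its return value, `if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&hModule)) return 0;` mirrors the GetModuleHandleEx2W check just above it. The export walk is a copy of the loop in GetProcAddressA with the name fixed to "LdrGetProcedureAddress", and since GetProcAddressA now calls this function on its forwarder path the copy presumably exists to avoid recursion; a comment saying so, e.g. `// Deliberately not GetProcAddressA: that function calls us when it meets a forwarded export.`, would stop the next reader from folding it back. The function returns 0 on every failure path and its callers cast the value straight to a function pointer, so a header comment stating `Returns the address of ntdll!LdrGetProcedureAddress, or 0 if ntdll or the export cannot be located; callers must test for 0` would make that contract visible where it is needed.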
|
@ -27,12 +27,12 @@ BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In
|
|||
if (hNtdll == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"cryptsp.dll");
|
||||
hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"advapi32.dll");
|
||||
if (hAdvapi32 == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtContinue = (NTCONTINUE)GetProcAddressA((DWORD64)hNtdll, "NtContinue");
|
||||
SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressA((DWORD64)hAdvapi32, "SystemFunction032");
|
||||
SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressW((DWORD64)hAdvapi32, L"SystemFunction032");
|
||||
|
||||
if (!NtContinue || !SystemFunction032)
|
||||
goto EXIT_ROUTINE;
|
||||
|
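Review bot: Taking the second line of each pair as the new side, the two lookups on adjacent lines now use different variants for no visible reason: NtContinue is resolved with GetProcAddressA while SystemFunction032 switches to GetProcAddressW with a wide literal, although both take the same module-base argument and the narrow name was already correct. Keeping `SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressA((DWORD64)hAdvapi32, "SystemFunction032");` alongside the NtContinue line reads consistently, and if the wide variant is required here a comment should say why. The `if (!NtContinue || !SystemFunction032)` check that follows does cover a 0 return from either variant, so the change of library from cryptsp.dll to advapi32.dll is otherwise handled. SleepObfuscationViaVirtualProtect starts outside this hunk.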
|
|
@ -230,6 +230,7 @@
|
|||
<ClCompile Include="IsProcessRunning.cpp" />
|
||||
<ClCompile Include="IsProcessRunningAsAdmin.cpp" />
|
||||
<ClCompile Include="IsRegistryKeyValid.cpp" />
|
||||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
|
||||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
|
||||
<ClCompile Include="Main.cpp" />
|
||||
<ClCompile Include="ManualResourceDataFetching.cpp" />
|
||||
|
|
|
@ -519,6 +519,9 @@
|
|||
<ClCompile Include="GetPeFileBaseAddress.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -253,6 +253,7 @@ BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWC
|
|||
BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters);
|
||||
DWORD GetCurrentProcessIdFromOffset(VOID);
|
||||
HMODULE GetPeFileBaseAddress(VOID);
|
||||
DWORD64 LdrLoadGetProcedureAddress(VOID);
|
||||
|
||||
|
||||
|
||||
|
|