2.0.371

2.0.371

README.md

@@ -112,6 +112,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | CreateThreadAndWaitForCompletion | smelly__vx | Helper Functions |
 | GetProcessBinaryNameFromHwndW | smelly__vx | Helper Functions |
 | GetByteArrayFromFile | smelly__vx | Helper Functions |
+| Ex_GetHandleOnDeviceHttpCommunication | x86matthew | Helper Functions |
 | GetKUserSharedData | Geoff Chappell | Library Loading |
 | GetModuleHandleEx2 | smelly__vx | Library Loading |
 | GetPeb | 29a | Library Loading |

VX-API/Ex_GetHandleOnDeviceHttpCommunication.cpp

@@ -0,0 +1,47 @@
+#include "Win32Helper.h"
+
+BOOL Ex_GetHandleOnDeviceHttpCommunication(_Out_ PHANDLE Handle)
+{
+	typedef struct HTTPCOMMUNICATIONEXTENDEDATTRIBUTES {
+		DWORD dwUnknown1;
+		WORD wUnknown2;
+		WORD wUnknown3;
+		BYTE bStr[16];
+		WORD wVersionMajor;
+		WORD wVersionMinor;
+		DWORD dwFlags;
+		QWORD qwCommsHandle;
+		BYTE bUnknown4[3];
+	}HTTPCOMMUNICATIONEXTENDEDATTRIBUTES, * PHTTPCOMMUNICATIONEXTENDEDATTRIBUTES;
+
+	NTCREATEFILE NtCreateFile = NULL;
+	HMODULE hModule = NULL;
+	HTTPCOMMUNICATIONEXTENDEDATTRIBUTES Http = { 0 };
+	UNICODE_STRING ObjectFilePath = { 0 };
+	OBJECT_ATTRIBUTES Attributes = { 0 };
+	IO_STATUS_BLOCK IoBlock = { 0 };
+	NTSTATUS Status = ERROR_SUCCESS;
+	HANDLE hHandle = NULL;
+
+	*Handle = NULL;
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		return FALSE;
+
+	NtCreateFile = (NTCREATEFILE)GetProcAddressA((DWORD64)hModule, "NtCreateFile");
+	if (!NtCreateFile)
+		return FALSE;
+
+	Http.wUnknown2 = 0xF00;
+	Http.wUnknown3 = 0x10;
+	StringCopyA((PCHAR)Http.bStr, (PCHAR)"UlOpenPacket000");
+	Http.wVersionMajor = 2;
+
+	RtlInitUnicodeString(&ObjectFilePath, L"\\Device\\Http\\Communication");
+	InitializeObjectAttributes(&Attributes, &ObjectFilePath, OBJ_CASE_INSENSITIVE, 0, NULL);
+
+	Status = NtCreateFile(Handle, 0xC0100000, &Attributes, &IoBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 2, 0, &Http, 0x2b);
+
+	if (NT_SUCCESS(Status)) return TRUE; else return FALSE;
+}

VX-API/Main.cpp

@@ -1,12 +1,5 @@
 #include "Win32Helper.h"
 
-/*
-TODO:
-	- Ping with 'IcmpSendEcho2Ex'
-	- https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767757(v=vs.85)
-*/
-
-
 int main(VOID)
 {
 	DWORD dwError = ERROR_SUCCESS;
@@ -40,11 +33,8 @@ int main(VOID)
 	SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
 	Sei.Payload = GlobalOpenCalcPayload;
 	Sei.dwLengthOfPayloadInBytes = 277;
-	Sei.MethodEnum = E_ENUMERATELOADEDMODULES;
-	WCHAR IpAddress[32] = { 0 };
+	Sei.MethodEnum = E_DNSQUERYEX;
 
-	DnsGetDomainNameIPv4AddressAsStringW((PWCHAR)L"google.com", (PWCHAR)IpAddress);
-	
 	//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
 
 	return dwError;

VX-API/ShellcodeExecutionViaFunctionCallbackMain.cpp

@@ -199,6 +199,26 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
 			break;
 		}
 
+		case E_DNSQUERYEX:
+		{
+			//needs to be debugged
+
+			/*
+			DNS_QUERY_REQUEST Request = { 0 };
+			DNS_QUERY_RESULT Result = { 0 };
+			
+			Request.Version = DNS_QUERY_REQUEST_VERSION1;
+			Request.QueryName = NULL;
+			Request.QueryType = DNS_TYPE_A;
+			Request.QueryOptions = DNS_QUERY_STANDARD;
+			Request.InterfaceIndex = 0;
+			Request.pQueryCompletionCallback = (PDNS_QUERY_COMPLETION_ROUTINE)BinAddress;
+
+			DnsQueryEx(&Request, &Result, NULL);
+			*/
+
+		}
+
 		default:
 			goto EXIT_ROUTINE;
 

VX-API/VX-API.vcxproj

@@ -156,6 +156,7 @@
     <ClCompile Include="DeleteFileWithCreateFileFlag.cpp" />
     <ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp" />
     <ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp" />
+    <ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
     <ClCompile Include="GetByteArrayFromFile.cpp" />
     <ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
     <ClCompile Include="GetCurrentLocaleFromTeb.cpp" />

VX-API/VX-API.vcxproj.filters

@@ -432,6 +432,9 @@
     <ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp">
       <Filter>Source Files\Windows API Helper Functions\Network Connectivity</Filter>
     </ClCompile>
+    <ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Internal.h">

VX-API/Win32Helper.h

@@ -84,7 +84,8 @@ typedef enum SHELLCODE_EXECUTION_METHOD {
     E_MINIDUMPWRITEDUMP, //29 UNSTABLE, FAILS
     E_ENUMERATELOADEDMODULES, //30
     E_ENUMPAGEFILESW, //31
-    E_ENUMPWRSCHEMES //32
+    E_ENUMPWRSCHEMES, //32
+    E_DNSQUERYEX //33
 }SHELLCODE_EXECUTION_METHOD, *PSHELLCODE_EXECUTION_METHOD;
 
 typedef struct __SHELLCODE_EXECUTION_INFORMATION {
@@ -198,6 +199,7 @@ BOOL GetProcessBinaryNameFromHwndW(_In_ HWND ProcessHwnd, _Inout_ PWCHAR BinaryN
 BOOL GetProcessBinaryNameFromHwndA(_In_ HWND ProcessHwnd, _Inout_ PCHAR BinaryName, _In_ DWORD BufferSize);
 BOOL GetByteArrayFromFileW(_Inout_ PBYTE Buffer, _In_ PWCHAR Path, _In_ ULONGLONG BytesToRead);
 BOOL GetByteArrayFromFileA(_Inout_ PBYTE Buffer, _In_ PCHAR Path, _In_ ULONGLONG BytesToRead);
+BOOL Ex_GetHandleOnDeviceHttpCommunication(_Out_ PHANDLE Handle);