mirror of
https://github.com/vxunderground/VX-API
synced 2024-06-16 03:48:34 +00:00
2.0.722
2.0.722
This commit is contained in:
parent
1fe2e4342d
commit
c13ca29517
185
README.md
185
README.md
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||||||
|
|
||||||
# VX-API
|
# VX-API
|
||||||
|
|
||||||
Version: 2.0.720
|
Version: 2.0.722
|
||||||
|
|
||||||
Developer: smelly__vx
|
Developer: smelly__vx
|
||||||
|
|
||||||
@ -18,34 +18,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
|
|
||||||
# List of features
|
# List of features
|
||||||
|
|
||||||
## String Manipulation
|
|
||||||
| Function Name | Original Author |
|
|
||||||
| ------------- | --------------- |
|
|
||||||
| ByteArrayToCharArray | smelly__vx |
|
|
||||||
| CharArrayToByteArray | smelly__vx |
|
|
||||||
| ShlwapiCharStringToWCharString | smelly__vx |
|
|
||||||
| ShlwapiWCharStringToCharString | smelly__vx |
|
|
||||||
| CharStringToWCharString | smelly__vx |
|
|
||||||
| WCharStringToCharString | smelly__vx |
|
|
||||||
| RtlInitEmptyUnicodeString | ReactOS |
|
|
||||||
| RtlInitUnicodeString | ReactOS |
|
|
||||||
| CaplockString | simonc |
|
|
||||||
| CopyMemoryEx | ReactOS |
|
|
||||||
| SecureStringCopy | Apple (c) 1999 |
|
|
||||||
| StringCompare | Apple (c) 1999 |
|
|
||||||
| StringConcat | Apple (c) 1999 |
|
|
||||||
| StringCopy | Apple (c) 1999 |
|
|
||||||
| StringFindSubstring | Apple (c) 1999 |
|
|
||||||
| StringLength | Apple (c) 1999 |
|
|
||||||
| StringLocateChar | Apple (c) 1999 |
|
|
||||||
| StringRemoveSubstring | smelly__vx |
|
|
||||||
| StringTerminateStringAtChar | smelly__vx |
|
|
||||||
| StringToken | Apple (c) 1999 |
|
|
||||||
| ZeroMemoryEx | ReactOS |
|
|
||||||
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
|
|
||||||
| MemoryFindMemory | KamilCuk |
|
|
||||||
|
|
||||||
|
|
||||||
## Anti-debug
|
## Anti-debug
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
@ -57,7 +29,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| IsIntelHardwareBreakpointPresent | Checkpoint Research |
|
| IsIntelHardwareBreakpointPresent | Checkpoint Research |
|
||||||
|
|
||||||
|
|
||||||
## Data Hashing
|
## Cryptography Related
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
| HashStringDjb2 | Dan Bernstein |
|
| HashStringDjb2 | Dan Bernstein |
|
||||||
@ -70,11 +42,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| HashStringUnknownGenericHash1A | Unknown |
|
| HashStringUnknownGenericHash1A | Unknown |
|
||||||
| HashStringSipHash | RistBS |
|
| HashStringSipHash | RistBS |
|
||||||
| HashStringMurmur | RistBS |
|
| HashStringMurmur | RistBS |
|
||||||
|
|
||||||
|
|
||||||
## Cryptography Related
|
|
||||||
| Function Name | Original Author |
|
|
||||||
| ------------- | --------------- |
|
|
||||||
| CreateMd5HashFromFilePath | Microsoft |
|
| CreateMd5HashFromFilePath | Microsoft |
|
||||||
| CreatePseudoRandomInteger | Apple (c) 1999 |
|
| CreatePseudoRandomInteger | Apple (c) 1999 |
|
||||||
| CreatePseudoRandomString | smelly__vx |
|
| CreatePseudoRandomString | smelly__vx |
|
||||||
@ -92,7 +59,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| XpressMaximumDecompressBuffer | smelly__vx |
|
| XpressMaximumDecompressBuffer | smelly__vx |
|
||||||
| XpressStandardCompressBuffer | smelly__vx |
|
| XpressStandardCompressBuffer | smelly__vx |
|
||||||
| XpressStandardDecompressBuffer | smelly__vx |
|
| XpressStandardDecompressBuffer | smelly__vx |
|
||||||
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
|
|
||||||
| ExtractFilesFromCabIntoTarget | smelly__vx |
|
| ExtractFilesFromCabIntoTarget | smelly__vx |
|
||||||
|
|
||||||
|
|
||||||
@ -118,6 +84,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| RemoveDllFromPeb | rad9800 |
|
| RemoveDllFromPeb | rad9800 |
|
||||||
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
|
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
|
||||||
| SleepObfuscationViaVirtualProtect | 5pider |
|
| SleepObfuscationViaVirtualProtect | 5pider |
|
||||||
|
| RtlSetBaseUnicodeCommandLine | TheWover |
|
||||||
|
|
||||||
|
|
||||||
## Fingerprinting
|
## Fingerprinting
|
||||||
@ -139,7 +106,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| GetPidFromPidBruteForcing | modexp |
|
| GetPidFromPidBruteForcing | modexp |
|
||||||
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
|
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
|
||||||
| GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
|
| GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
|
||||||
| IsProcessRunningAsAdmin2 | smelly__vx |
|
|
||||||
|
|
||||||
|
|
||||||
## Helper Functions
|
## Helper Functions
|
||||||
@ -204,23 +170,84 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |
|
| ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |
|
||||||
|
|
||||||
|
|
||||||
## Malicious Capabilities
|
## Lsass Dumping
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
| MpfComModifyShortcutTarget | Unknown |
|
|
||||||
| MpfComVssDeleteShadowVolumeBackups | am0nsec |
|
|
||||||
| OleGetClipboardData | Microsoft |
|
|
||||||
| MpfGetLsaPidFromServiceManager | modexp |
|
| MpfGetLsaPidFromServiceManager | modexp |
|
||||||
| MpfGetLsaPidFromRegistry | modexp |
|
| MpfGetLsaPidFromRegistry | modexp |
|
||||||
| MpfGetLsaPidFromNamedPipe | modexp |
|
| MpfGetLsaPidFromNamedPipe | modexp |
|
||||||
|
|
||||||
|
|
||||||
|
## Network Connectivity
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
|
| UrlDownloadToFileSynchronous | Hans Passant |
|
||||||
|
| ConvertIPv4IpAddressStructureToString | smelly__vx |
|
||||||
|
| ConvertIPv4StringToUnsignedLong | smelly__vx |
|
||||||
|
| SendIcmpEchoMessageToIPv4Host | smelly__vx |
|
||||||
|
| ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
|
||||||
|
| DnsGetDomainNameIPv4AddressAsString | smelly__vx |
|
||||||
|
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
|
||||||
|
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
|
||||||
|
| GetDomainNameFromIPV4AddressAsString | smelly__vx |
|
||||||
|
|
||||||
|
|
||||||
|
## Other
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
|
| OleGetClipboardData | Microsoft |
|
||||||
|
| MpfComVssDeleteShadowVolumeBackups | am0nsec |
|
||||||
|
| MpfComModifyShortcutTarget | Unknown |
|
||||||
| MpfComMonitorChromeSessionOnce | smelly__vx |
|
| MpfComMonitorChromeSessionOnce | smelly__vx |
|
||||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey |
|
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
|
||||||
|
|
||||||
|
|
||||||
|
## Process Creation
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
|
| CreateProcessFromIHxHelpPaneServer | James Forshaw |
|
||||||
|
| CreateProcessFromIHxInteractiveUser | James Forshaw |
|
||||||
|
| CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
|
||||||
|
| CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
|
||||||
|
| CreateProcessViaNtCreateUserProcess | CaptMeelo |
|
||||||
|
| CreateProcessWithCfGuard | smelly__vx and Adam Chester |
|
||||||
|
| CreateProcessByWindowsRHotKey | smelly__vx |
|
||||||
|
| CreateProcessByWindowsRHotKeyEx | smelly__vx |
|
||||||
|
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
|
||||||
|
| CreateProcessFromINFSetupCommand | smelly__vx |
|
||||||
|
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
|
||||||
|
| CreateProcessFromIeFrameOpenUrl | smelly__vx |
|
||||||
|
| CreateProcessFromPcwUtil | smelly__vx |
|
||||||
|
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
|
||||||
|
| CreateProcessFromShell32ShellExecRun | smelly__vx |
|
||||||
|
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
|
||||||
|
| CreateProcessFromWmiWin32_ProcessW | CIA |
|
||||||
|
| CreateProcessFromZipfldrRouteCall | smelly__vx |
|
||||||
|
| CreateProcessFromUrlFileProtocolHandler | smelly__vx |
|
||||||
|
| CreateProcessFromUrlOpenUrl | smelly__vx |
|
||||||
|
| CreateProcessFromMsHTMLW | smelly__vx |
|
||||||
|
|
||||||
|
|
||||||
|
## Process Injection
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
| MpfPiControlInjection | SafeBreach Labs |
|
| MpfPiControlInjection | SafeBreach Labs |
|
||||||
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
|
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
|
||||||
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
|
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
|
||||||
| MpfProcessInjectionViaProcessReflection | Deep Instinct |
|
| MpfProcessInjectionViaProcessReflection | Deep Instinct |
|
||||||
|
|
||||||
|
|
||||||
|
## Proxied Functions
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
|
| IeCreateFile | smelly__vx |
|
||||||
|
| CopyFileViaSetupCopyFile | smelly__vx |
|
||||||
|
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
|
||||||
|
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
|
||||||
|
| DeleteFileWithCreateFileFlag | smelly__vx |
|
||||||
|
| IsProcessRunningAsAdmin2 | smelly__vx |
|
||||||
|
|
||||||
|
|
||||||
## Shellcode Execution
|
## Shellcode Execution
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
@ -269,56 +296,40 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |
|
| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |
|
||||||
|
|
||||||
|
|
||||||
|
## String Manipulation
|
||||||
|
| Function Name | Original Author |
|
||||||
|
| ------------- | --------------- |
|
||||||
|
| ByteArrayToCharArray | smelly__vx |
|
||||||
|
| CharArrayToByteArray | smelly__vx |
|
||||||
|
| ShlwapiCharStringToWCharString | smelly__vx |
|
||||||
|
| ShlwapiWCharStringToCharString | smelly__vx |
|
||||||
|
| CharStringToWCharString | smelly__vx |
|
||||||
|
| WCharStringToCharString | smelly__vx |
|
||||||
|
| RtlInitEmptyUnicodeString | ReactOS |
|
||||||
|
| RtlInitUnicodeString | ReactOS |
|
||||||
|
| CaplockString | simonc |
|
||||||
|
| CopyMemoryEx | ReactOS |
|
||||||
|
| SecureStringCopy | Apple (c) 1999 |
|
||||||
|
| StringCompare | Apple (c) 1999 |
|
||||||
|
| StringConcat | Apple (c) 1999 |
|
||||||
|
| StringCopy | Apple (c) 1999 |
|
||||||
|
| StringFindSubstring | Apple (c) 1999 |
|
||||||
|
| StringLength | Apple (c) 1999 |
|
||||||
|
| StringLocateChar | Apple (c) 1999 |
|
||||||
|
| StringRemoveSubstring | smelly__vx |
|
||||||
|
| StringTerminateStringAtChar | smelly__vx |
|
||||||
|
| StringToken | Apple (c) 1999 |
|
||||||
|
| ZeroMemoryEx | ReactOS |
|
||||||
|
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
|
||||||
|
| MemoryFindMemory | KamilCuk |
|
||||||
|
|
||||||
|
|
||||||
## UAC Bypass
|
## UAC Bypass
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
| UacBypassFodHelperMethod | winscripting.blog |
|
| UacBypassFodHelperMethod | winscripting.blog |
|
||||||
|
|
||||||
|
|
||||||
## Network Connectivity
|
|
||||||
| Function Name | Original Author |
|
|
||||||
| ------------- | --------------- |
|
|
||||||
| UrlDownloadToFileSynchronous | Hans Passant |
|
|
||||||
| ConvertIPv4IpAddressStructureToString | smelly__vx |
|
|
||||||
| ConvertIPv4StringToUnsignedLong | smelly__vx |
|
|
||||||
| SendIcmpEchoMessageToIPv4Host | smelly__vx |
|
|
||||||
| ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
|
|
||||||
| DnsGetDomainNameIPv4AddressAsString | smelly__vx |
|
|
||||||
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
|
|
||||||
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
|
|
||||||
| GetDomainNameFromIPV4AddressAsString | smelly__vx |
|
|
||||||
|
|
||||||
|
|
||||||
## File System Manipulation
|
|
||||||
| Function Name | Original Author |
|
|
||||||
| ------------- | --------------- |
|
|
||||||
| CopyFileViaSetupCopyFile | smelly__vx |
|
|
||||||
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
|
|
||||||
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
|
|
||||||
| DeleteFileWithCreateFileFlag | smelly__vx |
|
|
||||||
|
|
||||||
|
|
||||||
## Process Creation
|
|
||||||
| Function Name | Original Author |
|
|
||||||
| ------------- | --------------- |
|
|
||||||
| CreateProcessFromIHxHelpPaneServer | James Forshaw |
|
|
||||||
| CreateProcessFromIHxInteractiveUser | James Forshaw |
|
|
||||||
| CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
|
|
||||||
| CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
|
|
||||||
| CreateProcessViaNtCreateUserProcess | CaptMeelo |
|
|
||||||
| CreateProcessWithCfGuard | smelly__vx and Adam Chester |
|
|
||||||
| CreateProcessByWindowsRHotKey | smelly__vx |
|
|
||||||
| CreateProcessByWindowsRHotKeyEx | smelly__vx |
|
|
||||||
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
|
|
||||||
| CreateProcessFromINFSetupCommand | smelly__vx |
|
|
||||||
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
|
|
||||||
| CreateProcessFromIeFrameOpenUrl | smelly__vx |
|
|
||||||
| CreateProcessFromPcwUtil | smelly__vx |
|
|
||||||
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
|
|
||||||
| CreateProcessFromShell32ShellExecRun | smelly__vx |
|
|
||||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
|
|
||||||
|
|
||||||
|
|
||||||
## Rad98 Hooking Engine
|
## Rad98 Hooking Engine
|
||||||
| Function Name | Original Author |
|
| Function Name | Original Author |
|
||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
@ -336,4 +347,4 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||||||
| ------------- | --------------- |
|
| ------------- | --------------- |
|
||||||
| GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
|
| GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
|
||||||
| GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
|
| GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
|
||||||
| GenericShellcodeOpenCalcExitThread | MsfVenom |
|
| GenericShellcodeOpenCalcExitThread | MsfVenom |
|
@ -378,10 +378,10 @@ BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dw
|
|||||||
*******************************************/
|
*******************************************/
|
||||||
HANDLE IeCreateFileW(_In_ LPCWSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
|
HANDLE IeCreateFileW(_In_ LPCWSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
|
||||||
HANDLE IeCreateFileA(_In_ LPCSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
|
HANDLE IeCreateFileA(_In_ LPCSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
|
||||||
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory);
|
BOOL DeleteDirectoryAndSubDataViaDelNodeW(_In_ LPCWSTR FullPathToDirectory);
|
||||||
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory);
|
BOOL DeleteDirectoryAndSubDataViaDelNodeA(_In_ LPCSTR FullPathToDirectory);
|
||||||
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
|
BOOL CopyFileViaSetupCopyFileW(_In_ LPCWSTR Source, _In_ LPCWSTR Destination);
|
||||||
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
|
BOOL CopyFileViaSetupCopyFileA(_In_ LPCSTR Source, _In_ LPCSTR Destination);
|
||||||
BOOL IsProcessRunningAsAdmin2(VOID);
|
BOOL IsProcessRunningAsAdmin2(VOID);
|
||||||
BOOL DeleteFileWithCreateFileFlagA(_In_ PCHAR Path);
|
BOOL DeleteFileWithCreateFileFlagA(_In_ PCHAR Path);
|
||||||
BOOL DeleteFileWithCreateFileFlagW(_In_ PWCHAR Path);
|
BOOL DeleteFileWithCreateFileFlagW(_In_ PWCHAR Path);
|
||||||
@ -462,12 +462,4 @@ INT __demonstration_WinMain(VOID); //hook sleep
|
|||||||
*******************************************/
|
*******************************************/
|
||||||
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
|
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||||
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
|
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
|
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user