2.0.722
vxunderground 2023-04-01 01:04:00 -05:00
parent 1fe2e4342d
commit c13ca29517
2 changed files with 103 additions and 100 deletions

185
README.md

@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API # VX-API
Version: 2.0.720 Version: 2.0.722
Developer: smelly__vx Developer: smelly__vx
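Review bot: the version line jumps from 2.0.720 to 2.0.722 and nothing in the README or the commit message says what 2.0.721 contained or whether it was skipped; since this commit also adds and drops feature-list rows, a short changelog line beside the version bump would let readers tie the new entries to a release.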
@ -18,34 +18,6 @@ You're free to use this in any manner you please. You do not need to use this en
# List of features # List of features
## String Manipulation
| Function Name | Original Author |
| ------------- | --------------- |
| ByteArrayToCharArray | smelly__vx |
| CharArrayToByteArray | smelly__vx |
| ShlwapiCharStringToWCharString | smelly__vx |
| ShlwapiWCharStringToCharString | smelly__vx |
| CharStringToWCharString | smelly__vx |
| WCharStringToCharString | smelly__vx |
| RtlInitEmptyUnicodeString | ReactOS |
| RtlInitUnicodeString | ReactOS |
| CaplockString | simonc |
| CopyMemoryEx | ReactOS |
| SecureStringCopy | Apple (c) 1999 |
| StringCompare | Apple (c) 1999 |
| StringConcat | Apple (c) 1999 |
| StringCopy | Apple (c) 1999 |
| StringFindSubstring | Apple (c) 1999 |
| StringLength | Apple (c) 1999 |
| StringLocateChar | Apple (c) 1999 |
| StringRemoveSubstring | smelly__vx |
| StringTerminateStringAtChar | smelly__vx |
| StringToken | Apple (c) 1999 |
| ZeroMemoryEx | ReactOS |
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
| MemoryFindMemory | KamilCuk |
## Anti-debug ## Anti-debug
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
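Review bot: the 23 rows removed here are a pure move, not a deletion: the same String Manipulation table, with identical names and authors, is reinserted after Shellcode Execution later in this diff, which matches the new alphabetical ordering of headings. Saying so in the commit message would save reviewers from checking the rows one by one. The remaining exception to the alphabetical order is that Rad98 Hooking Engine and the shellcode table still come after UAC Bypass.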
@ -57,7 +29,7 @@ You're free to use this in any manner you please. You do not need to use this en
| IsIntelHardwareBreakpointPresent | Checkpoint Research | | IsIntelHardwareBreakpointPresent | Checkpoint Research |
## Data Hashing ## Cryptography Related
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
| HashStringDjb2 | Dan Bernstein | | HashStringDjb2 | Dan Bernstein |
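Review bot: renaming Data Hashing to Cryptography Related puts HashStringDjb2, HashStringMurmur and the other HashString* API-hashing helpers under a heading that implies cryptographic strength they do not have; djb2 and Murmur are non-cryptographic hashes with trivially findable collisions, fine for import resolution but not for integrity or authentication. Keeping a Data Hashing (or API Hashing) sub-table, or a one-line note that these are non-cryptographic, would stop readers from reaching for them in a security context.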
@ -70,11 +42,6 @@ You're free to use this in any manner you please. You do not need to use this en
| HashStringUnknownGenericHash1A | Unknown | | HashStringUnknownGenericHash1A | Unknown |
| HashStringSipHash | RistBS | | HashStringSipHash | RistBS |
| HashStringMurmur | RistBS | | HashStringMurmur | RistBS |
## Cryptography Related
| Function Name | Original Author |
| ------------- | --------------- |
| CreateMd5HashFromFilePath | Microsoft | | CreateMd5HashFromFilePath | Microsoft |
| CreatePseudoRandomInteger | Apple (c) 1999 | | CreatePseudoRandomInteger | Apple (c) 1999 |
| CreatePseudoRandomString | smelly__vx | | CreatePseudoRandomString | smelly__vx |
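Review bot: with the separate Cryptography Related heading removed, CreateMd5HashFromFilePath and the two CreatePseudoRandom* helpers now share one table with the HashString* functions; MD5 is collision-broken and the pseudo-random helpers (one credited to Apple (c) 1999) are not described as cryptographically secure, so the merged table should mark which entries are for identification or convenience only and which, if any, are safe for keys, nonces or integrity checks.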
@ -92,7 +59,6 @@ You're free to use this in any manner you please. You do not need to use this en
| XpressMaximumDecompressBuffer | smelly__vx | | XpressMaximumDecompressBuffer | smelly__vx |
| XpressStandardCompressBuffer | smelly__vx | | XpressStandardCompressBuffer | smelly__vx |
| XpressStandardDecompressBuffer | smelly__vx | | XpressStandardDecompressBuffer | smelly__vx |
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
| ExtractFilesFromCabIntoTarget | smelly__vx | | ExtractFilesFromCabIntoTarget | smelly__vx |
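Review bot: MpfExtractMaliciousPayloadFromZipFileNoPassword leaves this compression/archive table (it reappears under Other later in the diff) while ExtractFilesFromCabIntoTarget stays, so the two archive-extraction helpers now live in different sections; either keep both here or move both, and if the split is deliberate say why in the commit message.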
@ -118,6 +84,7 @@ You're free to use this in any manner you please. You do not need to use this en
| RemoveDllFromPeb | rad9800 | | RemoveDllFromPeb | rad9800 |
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | | RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
| SleepObfuscationViaVirtualProtect | 5pider | | SleepObfuscationViaVirtualProtect | 5pider |
| RtlSetBaseUnicodeCommandLine | TheWover |
## Fingerprinting ## Fingerprinting
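Review bot: RtlSetBaseUnicodeCommandLine (TheWover) is added to the feature list, but neither header hunk in this commit adds a prototype for it, so either it was already declared before this commit or the README now advertises a function the header does not expose; worth confirming. A one-line description of what it changes would also help, since the name alone does not say which structure is rewritten or what a reader of the process's command line will see afterwards.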
@ -139,7 +106,6 @@ You're free to use this in any manner you please. You do not need to use this en
| GetPidFromPidBruteForcing | modexp | | GetPidFromPidBruteForcing | modexp |
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk | | GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
| GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp | | GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
| IsProcessRunningAsAdmin2 | smelly__vx |
## Helper Functions ## Helper Functions
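Review bot: IsProcessRunningAsAdmin2 is removed from this process-discovery table and reappears under Proxied Functions later in the diff, next to IeCreateFile and the SetupCopyFile/DelNode wrappers; an elevation check is not a proxied call, so that placement looks like a misfile, and Fingerprinting (or a privilege-check table) fits it better. The header still declares it as BOOL IsProcessRunningAsAdmin2(VOID) between the file-operation prototypes, so whichever section is chosen, the header comment block should match.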
@ -204,23 +170,84 @@ You're free to use this in any manner you please. You do not need to use this en
| ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith | | ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |
## Malicious Capabilities ## Lsass Dumping
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
| MpfComModifyShortcutTarget | Unknown |
| MpfComVssDeleteShadowVolumeBackups | am0nsec |
| OleGetClipboardData | Microsoft |
| MpfGetLsaPidFromServiceManager | modexp | | MpfGetLsaPidFromServiceManager | modexp |
| MpfGetLsaPidFromRegistry | modexp | | MpfGetLsaPidFromRegistry | modexp |
| MpfGetLsaPidFromNamedPipe | modexp | | MpfGetLsaPidFromNamedPipe | modexp |
## Network Connectivity
| Function Name | Original Author |
| ------------- | --------------- |
| UrlDownloadToFileSynchronous | Hans Passant |
| ConvertIPv4IpAddressStructureToString | smelly__vx |
| ConvertIPv4StringToUnsignedLong | smelly__vx |
| SendIcmpEchoMessageToIPv4Host | smelly__vx |
| ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
| DnsGetDomainNameIPv4AddressAsString | smelly__vx |
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
| GetDomainNameFromIPV4AddressAsString | smelly__vx |
## Other
| Function Name | Original Author |
| ------------- | --------------- |
| OleGetClipboardData | Microsoft |
| MpfComVssDeleteShadowVolumeBackups | am0nsec |
| MpfComModifyShortcutTarget | Unknown |
| MpfComMonitorChromeSessionOnce | smelly__vx | | MpfComMonitorChromeSessionOnce | smelly__vx |
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | | MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
## Process Creation
| Function Name | Original Author |
| ------------- | --------------- |
| CreateProcessFromIHxHelpPaneServer | James Forshaw |
| CreateProcessFromIHxInteractiveUser | James Forshaw |
| CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
| CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
| CreateProcessViaNtCreateUserProcess | CaptMeelo |
| CreateProcessWithCfGuard | smelly__vx and Adam Chester |
| CreateProcessByWindowsRHotKey | smelly__vx |
| CreateProcessByWindowsRHotKeyEx | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
| CreateProcessFromINFSetupCommand | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
| CreateProcessFromIeFrameOpenUrl | smelly__vx |
| CreateProcessFromPcwUtil | smelly__vx |
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
| CreateProcessFromShell32ShellExecRun | smelly__vx |
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
| CreateProcessFromWmiWin32_ProcessW | CIA |
| CreateProcessFromZipfldrRouteCall | smelly__vx |
| CreateProcessFromUrlFileProtocolHandler | smelly__vx |
| CreateProcessFromUrlOpenUrl | smelly__vx |
| CreateProcessFromMsHTMLW | smelly__vx |
## Process Injection
| Function Name | Original Author |
| ------------- | --------------- |
| MpfPiControlInjection | SafeBreach Labs | | MpfPiControlInjection | SafeBreach Labs |
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs | | MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs | | MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
| MpfProcessInjectionViaProcessReflection | Deep Instinct | | MpfProcessInjectionViaProcessReflection | Deep Instinct |
## Proxied Functions
| Function Name | Original Author |
| ------------- | --------------- |
| IeCreateFile | smelly__vx |
| CopyFileViaSetupCopyFile | smelly__vx |
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
| DeleteFileWithCreateFileFlag | smelly__vx |
| IsProcessRunningAsAdmin2 | smelly__vx |
## Shellcode Execution ## Shellcode Execution
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
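Review bot: two things to check in this reorganisation. First, MpfLolExecuteRemoteBinaryByAppInstaller (Wade Hickey) is removed from the old Malicious Capabilities table and does not reappear in any section shown in this diff, so the feature is either silently dropped or lost in the move; the commit message should say which, and if it is dropped the header prototype should go as well. Second, Process Creation gains five rows that had no counterpart in the old table (CreateProcessFromWmiWin32_ProcessW, CreateProcessFromZipfldrRouteCall, CreateProcessFromUrlFileProtocolHandler, CreateProcessFromUrlOpenUrl, CreateProcessFromMsHTMLW) while neither header hunk adds a prototype for them, so confirm they were already declared. Minor: by its name MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc runs a PE in memory rather than creating a process, and IsProcessRunningAsAdmin2 is a privilege check rather than a proxied call, so both sit in the wrong table.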
@ -269,56 +296,40 @@ You're free to use this in any manner you please. You do not need to use this en
| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h | | MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |
## String Manipulation
| Function Name | Original Author |
| ------------- | --------------- |
| ByteArrayToCharArray | smelly__vx |
| CharArrayToByteArray | smelly__vx |
| ShlwapiCharStringToWCharString | smelly__vx |
| ShlwapiWCharStringToCharString | smelly__vx |
| CharStringToWCharString | smelly__vx |
| WCharStringToCharString | smelly__vx |
| RtlInitEmptyUnicodeString | ReactOS |
| RtlInitUnicodeString | ReactOS |
| CaplockString | simonc |
| CopyMemoryEx | ReactOS |
| SecureStringCopy | Apple (c) 1999 |
| StringCompare | Apple (c) 1999 |
| StringConcat | Apple (c) 1999 |
| StringCopy | Apple (c) 1999 |
| StringFindSubstring | Apple (c) 1999 |
| StringLength | Apple (c) 1999 |
| StringLocateChar | Apple (c) 1999 |
| StringRemoveSubstring | smelly__vx |
| StringTerminateStringAtChar | smelly__vx |
| StringToken | Apple (c) 1999 |
| ZeroMemoryEx | ReactOS |
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
| MemoryFindMemory | KamilCuk |
## UAC Bypass ## UAC Bypass
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
| UacBypassFodHelperMethod | winscripting.blog | | UacBypassFodHelperMethod | winscripting.blog |
## Network Connectivity
| Function Name | Original Author |
| ------------- | --------------- |
| UrlDownloadToFileSynchronous | Hans Passant |
| ConvertIPv4IpAddressStructureToString | smelly__vx |
| ConvertIPv4StringToUnsignedLong | smelly__vx |
| SendIcmpEchoMessageToIPv4Host | smelly__vx |
| ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
| DnsGetDomainNameIPv4AddressAsString | smelly__vx |
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
| GetDomainNameFromIPV4AddressAsString | smelly__vx |
## File System Manipulation
| Function Name | Original Author |
| ------------- | --------------- |
| CopyFileViaSetupCopyFile | smelly__vx |
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
| DeleteFileWithCreateFileFlag | smelly__vx |
## Process Creation
| Function Name | Original Author |
| ------------- | --------------- |
| CreateProcessFromIHxHelpPaneServer | James Forshaw |
| CreateProcessFromIHxInteractiveUser | James Forshaw |
| CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
| CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
| CreateProcessViaNtCreateUserProcess | CaptMeelo |
| CreateProcessWithCfGuard | smelly__vx and Adam Chester |
| CreateProcessByWindowsRHotKey | smelly__vx |
| CreateProcessByWindowsRHotKeyEx | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
| CreateProcessFromINFSetupCommand | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
| CreateProcessFromIeFrameOpenUrl | smelly__vx |
| CreateProcessFromPcwUtil | smelly__vx |
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
| CreateProcessFromShell32ShellExecRun | smelly__vx |
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
## Rad98 Hooking Engine ## Rad98 Hooking Engine
| Function Name | Original Author | | Function Name | Original Author |
| ------------- | --------------- | | ------------- | --------------- |
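Review bot: the File System Manipulation heading disappears here and its four rows (CopyFileViaSetupCopyFile, CreateFileFromDsCopyFromSharedFile, DeleteDirectoryAndSubDataViaDelNode, DeleteFileWithCreateFileFlag) move under Proxied Functions together with the Ie-prefixed CreateFile wrapper. That heading names the mechanism (file operations routed through SetupCopyFile, DelNode and similar) rather than the capability, unlike every other heading in the list, so a reader scanning for file-system primitives will not find them; keeping File System Manipulation and noting the proxying per row reads better. The Network Connectivity and Process Creation tables removed here are moves, not deletions (both reappear earlier in the diff), but Process Creation picks up five new rows on the way, so this is not a pure reorder.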
@ -336,4 +347,4 @@ You're free to use this in any manner you please. You do not need to use this en
| ------------- | --------------- | | ------------- | --------------- |
| GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs | | GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
| GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs | | GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
| GenericShellcodeOpenCalcExitThread | MsfVenom | | GenericShellcodeOpenCalcExitThread | MsfVenom |

@ -378,10 +378,10 @@ BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dw
*******************************************/ *******************************************/
HANDLE IeCreateFileW(_In_ LPCWSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile); HANDLE IeCreateFileW(_In_ LPCWSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
HANDLE IeCreateFileA(_In_ LPCSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile); HANDLE IeCreateFileA(_In_ LPCSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory); BOOL DeleteDirectoryAndSubDataViaDelNodeW(_In_ LPCWSTR FullPathToDirectory);
BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory); BOOL DeleteDirectoryAndSubDataViaDelNodeA(_In_ LPCSTR FullPathToDirectory);
BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination); BOOL CopyFileViaSetupCopyFileW(_In_ LPCWSTR Source, _In_ LPCWSTR Destination);
BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination); BOOL CopyFileViaSetupCopyFileA(_In_ LPCSTR Source, _In_ LPCSTR Destination);
BOOL IsProcessRunningAsAdmin2(VOID); BOOL IsProcessRunningAsAdmin2(VOID);
BOOL DeleteFileWithCreateFileFlagA(_In_ PCHAR Path); BOOL DeleteFileWithCreateFileFlagA(_In_ PCHAR Path);
BOOL DeleteFileWithCreateFileFlagW(_In_ PWCHAR Path); BOOL DeleteFileWithCreateFileFlagW(_In_ PWCHAR Path);
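Review bot: the _In_ annotations added to the DelNode and SetupCopyFile wrappers are welcome, but the adjacent DeleteFileWithCreateFileFlagA/W still take _In_ PCHAR / _In_ PWCHAR for an input-only path; make them LPCSTR / LPCWSTR (const) like their neighbours so callers can pass string literals without a cast and the annotation agrees with the pointer type. IsProcessRunningAsAdmin2 is unchanged here, but its position between file-operation prototypes should track whichever README section it ends up in.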
@ -462,12 +462,4 @@ INT __demonstration_WinMain(VOID); //hook sleep
*******************************************/ *******************************************/
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes); PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes); PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes); PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
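Review bot: this hunk header says eight lines are removed after the three GenericShellcode* prototypes, but only the retained lines are rendered and the commit message (2.0.722) does not say what was dropped; listing the removed prototypes in the message, and checking that no README row still references them, would make the removal reviewable. If MpfLolExecuteRemoteBinaryByAppInstaller, which leaves the README in this same commit, is among them, say so explicitly.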