2.0.722

2024-06-16 03:48:34 +00:00 · 2023-04-01 01:04:00 -05:00 · 2023-04-01 01:04:00 -05:00 · c13ca29517
commit c13ca29517
parent 1fe2e4342d
2 changed files with 103 additions and 100 deletions
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
 # VX-API
-Version: 2.0.720
+Version: 2.0.722
 Developer: smelly__vx
@ -18,34 +18,6 @@ You're free to use this in any manner you please. You do not need to use this en
 # List of features
 ## String Manipulation
 | Function Name | Original Author |
 | ------------- | --------------- |
 | ByteArrayToCharArray | smelly__vx |
 | CharArrayToByteArray | smelly__vx |
 | ShlwapiCharStringToWCharString | smelly__vx |
 | ShlwapiWCharStringToCharString | smelly__vx |
 | CharStringToWCharString | smelly__vx |
 | WCharStringToCharString | smelly__vx |
 | RtlInitEmptyUnicodeString | ReactOS |
 | RtlInitUnicodeString | ReactOS |
 | CaplockString | simonc |
 | CopyMemoryEx | ReactOS |
 | SecureStringCopy | Apple (c) 1999 |
 | StringCompare | Apple (c) 1999 |
 | StringConcat | Apple (c) 1999 |
 | StringCopy | Apple (c) 1999 |
 | StringFindSubstring | Apple (c) 1999 |
 | StringLength | Apple (c) 1999 |
 | StringLocateChar | Apple (c) 1999 |
 | StringRemoveSubstring | smelly__vx |
 | StringTerminateStringAtChar | smelly__vx |
 | StringToken | Apple (c) 1999 |
 | ZeroMemoryEx | ReactOS |
 | ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
 | MemoryFindMemory | KamilCuk |
 ## Anti-debug
 | Function Name | Original Author |
 | ------------- | --------------- |
@ -57,7 +29,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | IsIntelHardwareBreakpointPresent | Checkpoint Research |
-## Data Hashing
+## Cryptography Related
 | Function Name | Original Author |
 | ------------- | --------------- |
 | HashStringDjb2 | Dan Bernstein |
@ -70,11 +42,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | HashStringUnknownGenericHash1A | Unknown |
 | HashStringSipHash | RistBS | 
 | HashStringMurmur | RistBS | 
 ## Cryptography Related
 | Function Name | Original Author |
 | ------------- | --------------- |
 | CreateMd5HashFromFilePath | Microsoft |
 | CreatePseudoRandomInteger | Apple (c) 1999 |
 | CreatePseudoRandomString | smelly__vx |
@ -92,7 +59,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | XpressMaximumDecompressBuffer | smelly__vx |
 | XpressStandardCompressBuffer | smelly__vx |
 | XpressStandardDecompressBuffer | smelly__vx |
 | MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
 | ExtractFilesFromCabIntoTarget | smelly__vx |
@ -118,6 +84,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | RemoveDllFromPeb | rad9800 |
 | RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
 | SleepObfuscationViaVirtualProtect | 5pider |
 | RtlSetBaseUnicodeCommandLine | TheWover |
 ## Fingerprinting
@ -139,7 +106,6 @@ You're free to use this in any manner you please. You do not need to use this en
 | GetPidFromPidBruteForcing | modexp |
 | GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
 | GetPidFromPidBruteForcingExW | smelly__vx, LLoyd Davies, Jonas Lyk, modexp |
 | IsProcessRunningAsAdmin2 | smelly__vx |
 ## Helper Functions
@ -204,23 +170,84 @@ You're free to use this in any manner you please. You do not need to use this en
 | ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |
-## Malicious Capabilities
+## Lsass Dumping
 | Function Name | Original Author |
 | ------------- | --------------- |
 | MpfComModifyShortcutTarget | Unknown |
 | MpfComVssDeleteShadowVolumeBackups | am0nsec |
 | OleGetClipboardData | Microsoft |
 | MpfGetLsaPidFromServiceManager | modexp |
 | MpfGetLsaPidFromRegistry | modexp |
 | MpfGetLsaPidFromNamedPipe | modexp |
 ## Network Connectivity
 | Function Name | Original Author |
 | ------------- | --------------- |
 | UrlDownloadToFileSynchronous | Hans Passant |
 | ConvertIPv4IpAddressStructureToString | smelly__vx |
 | ConvertIPv4StringToUnsignedLong | smelly__vx |
 | SendIcmpEchoMessageToIPv4Host | smelly__vx |
 | ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
 | DnsGetDomainNameIPv4AddressAsString | smelly__vx |
 | DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
 | GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
 | GetDomainNameFromIPV4AddressAsString | smelly__vx | 
 ## Other
 | Function Name | Original Author |
 | ------------- | --------------- |
 | OleGetClipboardData | Microsoft |
 | MpfComVssDeleteShadowVolumeBackups | am0nsec |
 | MpfComModifyShortcutTarget | Unknown |
 | MpfComMonitorChromeSessionOnce | smelly__vx |
-| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey |
+| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |
 ## Process Creation
 | Function Name | Original Author |
 | ------------- | --------------- |
 | CreateProcessFromIHxHelpPaneServer | James Forshaw |
 | CreateProcessFromIHxInteractiveUser | James Forshaw |
 | CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
 | CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
 | CreateProcessViaNtCreateUserProcess | CaptMeelo |
 | CreateProcessWithCfGuard | smelly__vx and Adam Chester |
 | CreateProcessByWindowsRHotKey | smelly__vx |
 | CreateProcessByWindowsRHotKeyEx | smelly__vx |
 | CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
 | CreateProcessFromINFSetupCommand | smelly__vx |
 | CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
 | CreateProcessFromIeFrameOpenUrl | smelly__vx |
 | CreateProcessFromPcwUtil | smelly__vx |
 | CreateProcessFromShdocVwOpenUrl | smelly__vx |
 | CreateProcessFromShell32ShellExecRun | smelly__vx |
 | MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
 | CreateProcessFromWmiWin32_ProcessW | CIA |
 | CreateProcessFromZipfldrRouteCall | smelly__vx |
 | CreateProcessFromUrlFileProtocolHandler | smelly__vx | 
 | CreateProcessFromUrlOpenUrl | smelly__vx |
 | CreateProcessFromMsHTMLW | smelly__vx |
 ## Process Injection
 | Function Name | Original Author |
 | ------------- | --------------- |
 | MpfPiControlInjection | SafeBreach Labs |
 | MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
 | MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
 | MpfProcessInjectionViaProcessReflection | Deep Instinct |
 ## Proxied Functions
 | Function Name | Original Author |
 | ------------- | --------------- |
 | IeCreateFile | smelly__vx |
 | CopyFileViaSetupCopyFile | smelly__vx |
 | CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
 | DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
 | DeleteFileWithCreateFileFlag | smelly__vx |
 | IsProcessRunningAsAdmin2 | smelly__vx |
 ## Shellcode Execution
 | Function Name | Original Author |
 | ------------- | --------------- |
@ -269,56 +296,40 @@ You're free to use this in any manner you please. You do not need to use this en
 | MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |
 ## String Manipulation
 | Function Name | Original Author |
 | ------------- | --------------- |
 | ByteArrayToCharArray | smelly__vx |
 | CharArrayToByteArray | smelly__vx |
 | ShlwapiCharStringToWCharString | smelly__vx |
 | ShlwapiWCharStringToCharString | smelly__vx |
 | CharStringToWCharString | smelly__vx |
 | WCharStringToCharString | smelly__vx |
 | RtlInitEmptyUnicodeString | ReactOS |
 | RtlInitUnicodeString | ReactOS |
 | CaplockString | simonc |
 | CopyMemoryEx | ReactOS |
 | SecureStringCopy | Apple (c) 1999 |
 | StringCompare | Apple (c) 1999 |
 | StringConcat | Apple (c) 1999 |
 | StringCopy | Apple (c) 1999 |
 | StringFindSubstring | Apple (c) 1999 |
 | StringLength | Apple (c) 1999 |
 | StringLocateChar | Apple (c) 1999 |
 | StringRemoveSubstring | smelly__vx |
 | StringTerminateStringAtChar | smelly__vx |
 | StringToken | Apple (c) 1999 |
 | ZeroMemoryEx | ReactOS |
 | ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
 | MemoryFindMemory | KamilCuk |
 ## UAC Bypass
 | Function Name | Original Author |
 | ------------- | --------------- |
 | UacBypassFodHelperMethod | winscripting.blog |
 ## Network Connectivity
 | Function Name | Original Author |
 | ------------- | --------------- |
 | UrlDownloadToFileSynchronous | Hans Passant |
 | ConvertIPv4IpAddressStructureToString | smelly__vx |
 | ConvertIPv4StringToUnsignedLong | smelly__vx |
 | SendIcmpEchoMessageToIPv4Host | smelly__vx |
 | ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
 | DnsGetDomainNameIPv4AddressAsString | smelly__vx |
 | DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
 | GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
 | GetDomainNameFromIPV4AddressAsString | smelly__vx | 
 ## File System Manipulation
 | Function Name | Original Author |
 | ------------- | --------------- |
 | CopyFileViaSetupCopyFile | smelly__vx |
 | CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
 | DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
 | DeleteFileWithCreateFileFlag | smelly__vx |
 ## Process Creation
 | Function Name | Original Author |
 | ------------- | --------------- |
 | CreateProcessFromIHxHelpPaneServer | James Forshaw |
 | CreateProcessFromIHxInteractiveUser | James Forshaw |
 | CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
 | CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
 | CreateProcessViaNtCreateUserProcess | CaptMeelo |
 | CreateProcessWithCfGuard | smelly__vx and Adam Chester |
 | CreateProcessByWindowsRHotKey | smelly__vx |
 | CreateProcessByWindowsRHotKeyEx | smelly__vx |
 | CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
 | CreateProcessFromINFSetupCommand | smelly__vx |
 | CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
 | CreateProcessFromIeFrameOpenUrl | smelly__vx |
 | CreateProcessFromPcwUtil | smelly__vx |
 | CreateProcessFromShdocVwOpenUrl | smelly__vx |
 | CreateProcessFromShell32ShellExecRun | smelly__vx |
 | MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
 ## Rad98 Hooking Engine
 | Function Name | Original Author |
 | ------------- | --------------- |
@ -336,4 +347,4 @@ You're free to use this in any manner you please. You do not need to use this en
 | ------------- | --------------- |
 | GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
 | GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
-| GenericShellcodeOpenCalcExitThread | MsfVenom |
+| GenericShellcodeOpenCalcExitThread | MsfVenom |
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -378,10 +378,10 @@ BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dw
 *******************************************/
 HANDLE IeCreateFileW(_In_ LPCWSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
 HANDLE IeCreateFileA(_In_ LPCSTR lpFileName, _In_ DWORD dwDesiredAccess, _In_ DWORD dwShareMode, _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, _In_ DWORD dwCreationDisposition, _In_ DWORD dwFlagsAndAttributes, _In_opt_ HANDLE hTemplateFile);
-BOOL DeleteDirectoryAndSubDataViaDelNodeW(LPCWSTR FullPathToDirectory);
+BOOL DeleteDirectoryAndSubDataViaDelNodeW(_In_ LPCWSTR FullPathToDirectory);
-BOOL DeleteDirectoryAndSubDataViaDelNodeA(LPCSTR FullPathToDirectory);
+BOOL DeleteDirectoryAndSubDataViaDelNodeA(_In_ LPCSTR FullPathToDirectory);
-BOOL CopyFileViaSetupCopyFileW(LPCWSTR Source, LPCWSTR Destination);
+BOOL CopyFileViaSetupCopyFileW(_In_ LPCWSTR Source, _In_ LPCWSTR Destination);
-BOOL CopyFileViaSetupCopyFileA(LPCSTR Source, LPCSTR Destination);
+BOOL CopyFileViaSetupCopyFileA(_In_ LPCSTR Source, _In_ LPCSTR Destination);
 BOOL IsProcessRunningAsAdmin2(VOID);
 BOOL DeleteFileWithCreateFileFlagA(_In_ PCHAR Path);
 BOOL DeleteFileWithCreateFileFlagW(_In_ PWCHAR Path);
@ -462,12 +462,4 @@ INT __demonstration_WinMain(VOID); //hook sleep
 *******************************************/
 PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
 PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
-PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
+PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);