mirror of https://github.com/vxunderground/VX-API
parent
9c1c612c73
commit
d8e545407d
|
@ -81,6 +81,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| HookEngineRestoreHeapFree | rad9800 | Evasion |
|
||||
| HookEngineUnhookHeapFree | rad9800 | Evasion |
|
||||
| SleepObfuscationViaVirtualProtect | 5pider | Evasion |
|
||||
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith | Evasion |
|
||||
| GetCurrentLocaleFromTeb | 3xp0rt | Fingerprinting |
|
||||
| GetNumberOfLinkedDlls | smelly__vx | Fingerprinting |
|
||||
| GetOsBuildNumberFromPeb | smelly__vx | Fingerprinting |
|
||||
|
@ -180,8 +181,6 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| IcmpSendEcho2Ex | N/A | N/A |
|
||||
| WQL Win32_Ping | Martin Friedrich | N/A |
|
||||
| Process Injection | N/A | N/A |
|
||||
| More String Manipulation code | N/A | Continuous Improvement |
|
||||
| More hashing algorithms | N/A | Continuous Improvement |
|
||||
|
||||
# Notes
|
||||
| Function Name | Note | Fixed |
|
||||
|
|
|
@ -33,6 +33,8 @@ typedef NTSTATUS(NTAPI* RTLREGISTERWAIT)(PHANDLE, HANDLE, WORKERCALLBACKFUNC, PV
|
|||
typedef NTSTATUS(NTAPI* RTLDEREGISTERWAITEX)(HANDLE, HANDLE);
|
||||
typedef NTSTATUS(NTAPI* NTCONTINUE)(PCONTEXT, BOOL);
|
||||
typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID);
|
||||
typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_FUNCTION*, PVOID, PVOID);
|
||||
typedef NTSTATUS(NTAPI* LDRUNREGISTERDLLNOTIFICATION)(PVOID);
|
||||
|
||||
|
||||
|
||||
|
|
|
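Review bot: The last parameter of `LDRREGISTERDLLNOTIFICATION` is declared `PVOID`, yet the API writes the registration cookie through it and the only caller in this commit passes `&Cookie`; the same applies to `LDRGETPROCEDUREADDRESS`, whose final argument receives `&FunctionAddress`. Both compile only because any object pointer converts silently to `PVOID`, so a caller that passes a plain `PVOID` by mistake would get no diagnostic and a garbage cookie or address. Declare the out-parameters as such — `typedef NTSTATUS(NTAPI* LDRREGISTERDLLNOTIFICATION)(ULONG, LDR_DLL_NOTIFICATION_FUNCTION*, PVOID, PVOID*);` and `typedef NTSTATUS(NTAPI* LDRGETPROCEDUREADDRESS)(HMODULE, PANSI_STRING, WORD, PVOID*);` — and cast at the `DWORD64` call sites with `(PVOID*)&FunctionAddress`. Which of the visible typedef lines this commit adds cannot be told from the rendered page, so apply the change to whichever of the two it introduces.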
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
|
|||
|
||||
DWORD dwFunctionHash = HashStringFowlerNollVoVariant1aA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
|
|||
|
||||
DWORD dwFunctionHash = HashStringJenkinsOneAtATime32BitA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
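Review bot: The upper bound of the forwarder check — `(ModuleBase + ...VirtualAddress) + (ModuleBase + ...Size)` — counts ModuleBase twice, so the window ends far beyond the image and any export whose RVA is past the export directory start is treated as a forwarder and resolved through LdrGetProcedureAddress, which undoes the evasion this hash-based resolver exists for; write it as `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. The pointer obtained from `LdrLoadGetProcedureAddress()` is never NULL-checked before the call, so a lookup failure is a NULL call rather than a `return 0`; guard it with `if (LdrGetProcedureAddress == NULL) return 0;`. Consider the named directory index instead of `DataDirectory[0]` throughout. The for loop and the function begin outside this hunk.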
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
|
|||
|
||||
DWORD dwFunctionHash = HashStringLoseLoseA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
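Review bot: `FunctionAddress < (ModuleBase + VirtualAddress) + (ModuleBase + Size)` is not the end of the export directory — ModuleBase is added twice — so the condition is true for practically every export after the directory start, and non-forwarded exports are needlessly sent through LdrGetProcedureAddress, which is the loader API this resolver is meant to avoid; the correct bound is `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. `LdrGetProcedureAddress` may be NULL if `LdrLoadGetProcedureAddress()` failed and is called regardless; add `if (LdrGetProcedureAddress == NULL) return 0;` before the call. The hunk omits the for loop header and the function start.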
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
|
||||
DWORD dwFunctionHash = HashStringMurmurA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
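Review bot: The forwarder detection's upper limit adds ModuleBase to both the VirtualAddress term and the Size term, giving roughly `2*ModuleBase + VirtualAddress + Size`; with that bound every export beyond the export-directory start is classified as a forwarder and resolved via LdrGetProcedureAddress, so the hash lookup silently degrades into a loader-API call. Replace the second condition with `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. The function pointer returned by `LdrLoadGetProcedureAddress()` is used without a NULL check; insert `if (LdrGetProcedureAddress == NULL) return 0;` before invoking it. The enclosing loop and function start outside the hunk.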
@ -7,6 +7,12 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +27,21 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
|
|||
|
||||
DWORD dwFunctionHash = HashStringRotr32A((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
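Review bot: The bound `(ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size)` double-counts ModuleBase, so the forwarder test passes for nearly any export located after the export directory and those lookups are diverted to LdrGetProcedureAddress instead of being resolved from the tables already parsed; it should be `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. The value from `LdrLoadGetProcedureAddress()` is called without checking for NULL, unlike every other failure path here that returns 0; add `if (LdrGetProcedureAddress == NULL) return 0;`. The extra blank line this file's first hunk gains over its siblings (`+7,12` versus `+7,11`) is cosmetic but worth aligning. The for loop and the function begin outside the hunk.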
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
|
|||
|
||||
DWORD dwFunctionHash = HashStringSdbmA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
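Review bot: In the new forwarder branch the end of the export directory is computed as `(ModuleBase + VirtualAddress) + (ModuleBase + Size)`, which includes ModuleBase twice and therefore lies far outside the module; the effect is that ordinary exports past the directory start are treated as forwarders and resolved by LdrGetProcedureAddress, defeating the purpose of a hash-based resolver. Use `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. `LdrGetProcedureAddress` is called without confirming `LdrLoadGetProcedureAddress()` succeeded; add `if (LdrGetProcedureAddress == NULL) return 0;` first. The function and its for loop start above the hunk.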
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
|
|||
|
||||
DWORD dwFunctionHash = HashStringSipHashA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
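Review bot: The second half of the forwarder condition adds ModuleBase twice — `(ModuleBase + ...VirtualAddress) + (ModuleBase + ...Size)` — so instead of bounding the export directory it accepts almost any address in the module above the directory start, and plain exports are pushed through LdrGetProcedureAddress, the loader call this resolver exists to avoid; the fix is `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. There is no NULL check on the pointer returned by `LdrLoadGetProcedureAddress()` before it is called; add `if (LdrGetProcedureAddress == NULL) return 0;`. The enclosing for loop and the function start outside the hunk.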
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
|
|||
|
||||
DWORD dwFunctionHash = HashStringSuperFastHashA((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
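Review bot: The upper bound in `if (FunctionAddress >= ... && FunctionAddress < (ModuleBase + VirtualAddress) + (ModuleBase + Size))` is wrong by a whole ModuleBase, so the forwarder window extends well past the image and exports that are not forwarders are resolved through LdrGetProcedureAddress anyway, which quietly turns this hash-based lookup into a call into the loader; the bound should be `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. `LdrGetProcedureAddress` is dereferenced without a NULL check although `LdrLoadGetProcedureAddress()` can evidently fail; add `if (LdrGetProcedureAddress == NULL) return 0;` ahead of the call. The for loop and function start outside the hunk.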
@ -7,6 +7,11 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
|
|||
PIMAGE_NT_HEADERS Nt = NULL;
|
||||
PIMAGE_FILE_HEADER File = NULL;
|
||||
PIMAGE_OPTIONAL_HEADER Optional = NULL;
|
||||
LDRGETPROCEDUREADDRESS LdrGetProcedureAddress = NULL;
|
||||
DWORD64 FunctionAddress = ERROR_SUCCESS;
|
||||
ANSI_STRING ForwardFunctionString = { 0 };
|
||||
|
||||
LdrGetProcedureAddress = (LDRGETPROCEDUREADDRESS)LdrLoadGetProcedureAddress();
|
||||
|
||||
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, (PBYTE*)&ModuleBase);
|
||||
|
||||
|
@ -21,7 +26,21 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
|
|||
|
||||
DWORD dwFunctionHash = HashStringUnknownGenericHash1A((PCHAR)pFunctionName);
|
||||
if (Hash == dwFunctionHash)
|
||||
return ((DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
|
||||
{
|
||||
FunctionAddress = (DWORD64)ModuleBase + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]];
|
||||
if (FunctionAddress >= (ModuleBase + Optional->DataDirectory[0].VirtualAddress) &&
|
||||
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
|
||||
{
|
||||
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
|
||||
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
|
||||
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
|
||||
|
||||
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
|
||||
return 0;
|
||||
}
|
||||
|
||||
return FunctionAddress;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
|
|
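Review bot: The forwarder range check's end address is `(ModuleBase + VirtualAddress) + (ModuleBase + Size)` rather than `ModuleBase + VirtualAddress + Size`, so the extra ModuleBase makes the window cover essentially every export located after the export directory and sends them through LdrGetProcedureAddress, contrary to the goal of resolving by hash without loader calls; change the line to `FunctionAddress < ModuleBase + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + Optional->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size`. The pointer from `LdrLoadGetProcedureAddress()` is called without a NULL check; add `if (LdrGetProcedureAddress == NULL) return 0;` before the call to match the other failure paths. The function and its loop begin outside this hunk.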
@ -1131,3 +1131,27 @@ typedef struct AMBIGUOUS_STRING {
|
|||
DWORD MaximumLength;
|
||||
PUCHAR Buffer;
|
||||
}AB_STRING, * PAB_STRING;
|
||||
|
||||
typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
|
||||
ULONG Flags;
|
||||
PUNICODE_STRING FullDllName;
|
||||
PUNICODE_STRING BaseDllName;
|
||||
PVOID DllBase;
|
||||
ULONG SizeOfImage;
|
||||
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
|
||||
|
||||
typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
|
||||
ULONG Flags;
|
||||
PUNICODE_STRING FullDllName;
|
||||
PUNICODE_STRING BaseDllName;
|
||||
PVOID DllBase;
|
||||
ULONG SizeOfImage;
|
||||
} LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA;
|
||||
|
||||
typedef union _LDR_DLL_NOTIFICATION_DATA {
|
||||
LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
|
||||
LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
|
||||
} LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA;
|
||||
|
||||
typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);
|
||||
|
||||
|
|
|
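Review bot: `typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);` defines a pointer-to-function type, while the `LDRREGISTERDLLNOTIFICATION` typedef in this commit takes `LDR_DLL_NOTIFICATION_FUNCTION*` — a pointer to that pointer — which is why RemoveRegisterDllNotification.cpp has to cast `DllLoadCallbackRoutine` to make the call compile. Declaring the function type instead, `typedef VOID(CALLBACK LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID);`, makes `LDR_DLL_NOTIFICATION_FUNCTION*` the real callback pointer type, lets the cast at the registration site be dropped, and lets the compiler check the callback's signature. `_LDR_DLL_LOADED_NOTIFICATION_DATA` and `_LDR_DLL_UNLOADED_NOTIFICATION_DATA` have identical members; a one-line comment saying they are kept separate to mirror the documented union layout would stop a later reader from merging them. The enclosing AMBIGUOUS_STRING definition starts above the hunk.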
@ -37,11 +37,6 @@ int main(VOID)
|
|||
|
||||
//ShellcodeExecutionViaFunctionCallbackMain(&Sei);
|
||||
|
||||
//hasha(NtMapViewOfSection);
|
||||
UCHAR KeyBuf[17] = { 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x00};
|
||||
|
||||
SleepObfuscationViaVirtualProtect(4000, KeyBuf);
|
||||
|
||||
return dwError;
|
||||
}
|
||||
|
||||
|
|
|
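--- /dev/null
+++ b/RemoveRegisterDllNotification.cpp
@@ -0,0 +1,102 @@
+#include "Win32Helper.h"
+
+VOID DllLoadCallbackRoutine(ULONG NotificationReason, PLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context)
+{
+
+}
+
+PLIST_ENTRY UnusedSubroutineGetDllNotification(VOID)
+{
+LDRREGISTERDLLNOTIFICATION LdrRegisterDllNotification = NULL;
+LDRUNREGISTERDLLNOTIFICATION LdrUnregisterDllNotification = NULL;
+PVOID Cookie = NULL;
+HMODULE hNtdll = NULL; PBYTE pbNtdll = NULL;;
+PLIST_ENTRY LdrDllNotificationList = NULL;
+PIMAGE_DOS_HEADER Dos = NULL;
+PIMAGE_NT_HEADERS Nt = NULL;
+PIMAGE_FILE_HEADER File = NULL;
+PIMAGE_OPTIONAL_HEADER Optional = NULL;
+PIMAGE_SECTION_HEADER Section = NULL;
+
+hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
+if (hNtdll == NULL)
+return NULL;
+else
+pbNtdll = (PBYTE)hNtdll;
+
+LdrRegisterDllNotification = (LDRREGISTERDLLNOTIFICATION)GetProcAddressA((DWORD64)hNtdll, "LdrRegisterDllNotification");
+LdrUnregisterDllNotification = (LDRUNREGISTERDLLNOTIFICATION)GetProcAddressA((DWORD64)hNtdll, "LdrUnregisterDllNotification");
+
+if (!LdrRegisterDllNotification || !LdrUnregisterDllNotification)
+return NULL;
+
+if (LdrRegisterDllNotification(0, (LDR_DLL_NOTIFICATION_FUNCTION*)DllLoadCallbackRoutine, NULL, &Cookie) != STATUS_SUCCESS)
+return NULL;
+else
+LdrDllNotificationList = (PLIST_ENTRY)Cookie;
+
+RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &pbNtdll);
+
+Section = IMAGE_FIRST_SECTION(Nt);
+for (DWORD dwX = ERROR_SUCCESS; dwX < File->NumberOfSections; dwX++)
+{
+if (StringCompareA(".data", (PCHAR)Section->Name) == ERROR_SUCCESS)
+{
+PLIST_ENTRY LdrDllNotificationListNext = NULL;
+PVOID BaseAddress = NULL, BaseAddressEnd = NULL;
+
+BaseAddress = pbNtdll + Section->VirtualAddress;
+BaseAddressEnd = (PVOID)((PULONG)BaseAddress + Section->Misc.VirtualSize);
+
+LdrDllNotificationListNext = LdrDllNotificationList->Flink;
+
+while (LdrDllNotificationListNext != LdrDllNotificationList)
+{
+if (LdrDllNotificationListNext >= BaseAddress && LdrDllNotificationListNext <= BaseAddressEnd)
+{
+if (LdrUnregisterDllNotification(Cookie) != STATUS_SUCCESS)
+return NULL;
+else
+return LdrDllNotificationListNext;
+}
+
+LdrDllNotificationListNext = LdrDllNotificationListNext->Flink;
+}
+}
+
+Section++;
+}
+
+return NULL;
+}
+
+BOOL RemoveRegisterDllNotification(VOID)
+{
+PLIST_ENTRY DllNotifictionList = NULL;
+PLIST_ENTRY Head = NULL, Next = NULL;
+
+DllNotifictionList = UnusedSubroutineGetDllNotification();
+if (DllNotifictionList == NULL)
+return FALSE;
+
+Head = DllNotifictionList;
+Next = DllNotifictionList->Flink;
+
+while (Next != Head)
+{
+PLIST_ENTRY PreviousFlink = NULL, PreviousBlink = NULL;
+
+PreviousFlink = Next->Flink;
+PreviousBlink = Next->Blink;
+
+PreviousFlink->Blink = PreviousBlink;
+PreviousBlink->Flink = PreviousFlink;
+
+Next->Flink = NULL;
+Next->Blink = NULL;
+
+Next = PreviousFlink;
+}
+
+return TRUE;
+}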
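Review bot: `BaseAddressEnd = (PVOID)((PULONG)BaseAddress + Section->Misc.VirtualSize);` does pointer arithmetic on a PULONG, so VirtualSize is scaled by sizeof(ULONG) and the window in which a list entry is accepted as the ntdll-resident list head is four times the size of `.data` (and the `<=` admits the byte just past it); it should be `BaseAddressEnd = (PVOID)((PBYTE)BaseAddress + Section->Misc.VirtualSize);` with the test changed to `LdrDllNotificationListNext < BaseAddressEnd`. When the walk finds no such entry, the final `return NULL;` of UnusedSubroutineGetDllNotification leaves the just-registered no-op callback live in the process, because Cookie is only unregistered on the success path — a leak and a lasting artifact pointing at this code; call `LdrUnregisterDllNotification(Cookie);` before that return. RemoveRegisterDllNotification then sets each unlinked entry's `Flink`/`Blink` to NULL with no synchronization against the loader, and whoever registered those entries will presumably pass them back to LdrUnregisterDllNotification later, where a standard list removal would dereference the NULLs; pointing the entry at itself instead (`Next->Flink = Next->Blink = Next;`) makes such a removal harmless, though how ntdll implements that path cannot be confirmed from here. Minor: the `;;` and the two declarations on the `HMODULE hNtdll` line, the `DllNotifictionList` spelling, and UnusedSubroutineGetDllNotification having external linkage although no header declares it.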
@ -245,6 +245,7 @@
|
|||
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
|
||||
<ClCompile Include="ProxyWorkItemLoadLibrary.cpp" />
|
||||
<ClCompile Include="RemoveDescriptorEntry.cpp" />
|
||||
<ClCompile Include="RemoveRegisterDllNotification.cpp" />
|
||||
<ClCompile Include="SetHardwareBreakpoint.cpp" />
|
||||
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
|
||||
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
|
||||
|
|
|
@ -522,6 +522,9 @@
|
|||
<ClCompile Include="LdrLoadGetProcedureAddress.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="RemoveRegisterDllNotification.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Evasion</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
|
|
|
@ -335,6 +335,7 @@ BOOL RemoveDllFromPebW(_In_ LPCWSTR lpModuleName);
|
|||
BOOL HookEngineUnhookHeapFree(_In_ BOOL StartEngine);
|
||||
BOOL HookEngineRestoreHeapFree(_In_ BOOL ShutdownEngine);
|
||||
BOOL SleepObfuscationViaVirtualProtect(_In_ DWORD dwSleepTimeInMilliseconds, _In_ PUCHAR Key);
|
||||
BOOL RemoveRegisterDllNotification(VOID);
|
||||
|
||||
|
||||
|
||||
|
|
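Review bot: `BOOL RemoveRegisterDllNotification(VOID);` is added without any comment, and its effect is process-wide: the implementation walks ntdll's DLL-notification list from its head and unlinks every entry, not only ones this code registered, so any other component that relied on LdrRegisterDllNotification silently stops receiving load/unload events and may misbehave when it later tries to unregister. A prototype comment should say so, for example `// Unlinks every LdrRegisterDllNotification callback in the process (not only ours); returns FALSE when the ntdll list head cannot be located. Irreversible.`. The neighbouring prototypes in this hunk are equally undocumented, but this one has the broadest side effect.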