Managed by vx-underground | follow us on Twitter | download malware samples at the VXUG/samples page

VX-API

Version: 2.01.015

Developer: smelly__vx

The VX-API is a collection of malicious functionality to aid in malware development. It is recommended you clone and/or download this entire repo then open the Visual Studio solution file to easily explore functionality and concepts.

Some functions may be dependent on other functions present within the solution file. Using the solution file provided here will make it easier to identify which other functionality and/or header data is required.

You're free to use this in any manner you please. You do not need to use this entire solution for your malware proof-of-concepts or Red Team engagements. Strip, copy, paste, delete, or edit this project's contents as much as you'd like.


List of features

Anti-debug

| Function Name | Original Author |
| --- | --- |
| AdfCloseHandleOnInvalidAddress | Checkpoint Research |
| AdfIsCreateProcessDebugEventCodeSet | Checkpoint Research |
| AdfOpenProcessOnCsrss | Checkpoint Research |
| CheckRemoteDebuggerPresent2 | ReactOS |
| IsDebuggerPresentEx | smelly__vx |
| IsIntelHardwareBreakpointPresent | Checkpoint Research |

Cryptography Related

| Function Name | Original Author |
| --- | --- |
| HashStringDjb2 | Dan Bernstein |
| HashStringFowlerNollVoVariant1a | Glenn Fowler, Landon Curt Noll, and Kiem-Phong Vo |
| HashStringJenkinsOneAtATime32Bit | Bob Jenkins |
| HashStringLoseLose | Brian Kernighan and Dennis Ritchie |
| HashStringRotr32 | T. Oshiba (1972) |
| HashStringSdbm | Ozan Yigit |
| HashStringSuperFastHash | Paul Hsieh |
| HashStringUnknownGenericHash1A | Unknown |
| HashStringSipHash | RistBS |
| HashStringMurmur | RistBS |
| CreateMd5HashFromFilePath | Microsoft |
| CreatePseudoRandomInteger | Apple (c) 1999 |
| CreatePseudoRandomString | smelly__vx |
| HashFileByMsiFileHashTable | smelly__vx |
| CreatePseudoRandomIntegerFromNtdll | smelly__vx |
| LzMaximumCompressBuffer | smelly__vx |
| LzMaximumDecompressBuffer | smelly__vx |
| LzStandardCompressBuffer | smelly__vx |
| LzStandardDecompressBuffer | smelly__vx |
| XpressHuffMaximumCompressBuffer | smelly__vx |
| XpressHuffMaximumDecompressBuffer | smelly__vx |
| XpressHuffStandardCompressBuffer | smelly__vx |
| XpressHuffStandardDecompressBuffer | smelly__vx |
| XpressMaximumCompressBuffer | smelly__vx |
| XpressMaximumDecompressBuffer | smelly__vx |
| XpressStandardCompressBuffer | smelly__vx |
| XpressStandardDecompressBuffer | smelly__vx |
| ExtractFilesFromCabIntoTarget | smelly__vx |

Error Handling

| Function Name | Original Author |
| --- | --- |
| GetLastErrorFromTeb | smelly__vx |
| GetLastNtStatusFromTeb | smelly__vx |
| RtlNtStatusToDosErrorViaImport | ReactOS |
| SetLastErrorInTeb | smelly__vx |
| SetLastNtStatusInTeb | smelly__vx |
| Win32FromHResult | Raymond Chen |

Evasion

| Function Name | Original Author |
| --- | --- |
| AmsiBypassViaPatternScan | ZeroMemoryEx |
| DelayedExecutionExecuteOnDisplayOff | am0nsec and smelly__vx |
| HookEngineRestoreHeapFree | rad9800 |
| MasqueradePebAsExplorer | smelly__vx |
| RemoveDllFromPeb | rad9800 |
| RemoveRegisterDllNotification | Rad98, Peter Winter-Smith |
| SleepObfuscationViaVirtualProtect | 5pider |
| RtlSetBaseUnicodeCommandLine | TheWover |

Fingerprinting

| Function Name | Original Author |
| --- | --- |
| GetCurrentLocaleFromTeb | 3xp0rt |
| GetNumberOfLinkedDlls | smelly__vx |
| GetOsBuildNumberFromPeb | smelly__vx |
| GetOsMajorVersionFromPeb | smelly__vx |
| GetOsMinorVersionFromPeb | smelly__vx |
| GetOsPlatformIdFromPeb | smelly__vx |
| IsNvidiaGraphicsCardPresent | smelly__vx |
| IsProcessRunning | smelly__vx |
| IsProcessRunningAsAdmin | Vimal Shekar |
| GetPidFromNtQuerySystemInformation | smelly__vx |
| GetPidFromWindowsTerminalService | modexp |
| GetPidFromWmiComInterface | aalimian and modexp |
| GetPidFromEnumProcesses | smelly__vx |
| GetPidFromPidBruteForcing | modexp |
| GetPidFromNtQueryFileInformation | modexp, Lloyd Davies, Jonas Lyk |
| GetPidFromPidBruteForcingExW | smelly__vx, Lloyd Davies, Jonas Lyk, modexp |

Helper Functions

| Function Name | Original Author |
| --- | --- |
| CreateLocalAppDataObjectPath | smelly__vx |
| CreateWindowsObjectPath | smelly__vx |
| GetCurrentDirectoryFromUserProcessParameters | smelly__vx |
| GetCurrentProcessIdFromTeb | ReactOS |
| GetCurrentUserSid | Giovanni Dicanio |
| GetCurrentWindowTextFromUserProcessParameter | smelly__vx |
| GetFileSizeFromPath | smelly__vx |
| GetProcessHeapFromTeb | smelly__vx |
| GetProcessPathFromLoaderLoadModule | smelly__vx |
| GetProcessPathFromUserProcessParameters | smelly__vx |
| GetSystemWindowsDirectory | Geoff Chappell |
| IsPathValid | smelly__vx |
| RecursiveFindFile | Luke |
| SetProcessPrivilegeToken | Microsoft |
| IsDllLoaded | smelly__vx |
| TryLoadDllMultiMethod | smelly__vx |
| CreateThreadAndWaitForCompletion | smelly__vx |
| GetProcessBinaryNameFromHwndW | smelly__vx |
| GetByteArrayFromFile | smelly__vx |
| Ex_GetHandleOnDeviceHttpCommunication | x86matthew |
| IsRegistryKeyValid | smelly__vx |
| FastcallExecuteBinaryShellExecuteEx | smelly__vx |
| GetCurrentProcessIdFromOffset | RistBS |
| GetPeBaseAddress | smelly__vx |
| LdrLoadGetProcedureAddress | c5pider |
| IsPeSection | smelly__vx |
| AddSectionToPeFile | smelly__vx |
| WriteDataToPeSection | smelly__vx |
| GetPeSectionSizeInByte | smelly__vx |
| ReadDataFromPeSection | smelly__vx |
| GetCurrentProcessNoForward | ReactOS |
| GetCurrentThreadNoForward | ReactOS |

Library Loading

| Function Name | Original Author |
| --- | --- |
| GetKUserSharedData | Geoff Chappell |
| GetModuleHandleEx2 | smelly__vx |
| GetPeb | 29a |
| GetPebFromTeb | ReactOS |
| GetProcAddress | 29a Volume 2, c5pider |
| GetProcAddressDjb2 | smelly__vx |
| GetProcAddressFowlerNollVoVariant1a | smelly__vx |
| GetProcAddressJenkinsOneAtATime32Bit | smelly__vx |
| GetProcAddressLoseLose | smelly__vx |
| GetProcAddressRotr32 | smelly__vx |
| GetProcAddressSdbm | smelly__vx |
| GetProcAddressSuperFastHash | smelly__vx |
| GetProcAddressUnknownGenericHash1 | smelly__vx |
| GetProcAddressSipHash | RistBS |
| GetProcAddressMurmur | RistBS |
| GetRtlUserProcessParameters | ReactOS |
| GetTeb | ReactOS |
| RtlLoadPeHeaders | smelly__vx |
| ProxyWorkItemLoadLibrary | Rad98, Peter Winter-Smith |
| ProxyRegisterWaitLoadLibrary | Rad98, Peter Winter-Smith |

Lsass Dumping

| Function Name | Original Author |
| --- | --- |
| MpfGetLsaPidFromServiceManager | modexp |
| MpfGetLsaPidFromRegistry | modexp |
| MpfGetLsaPidFromNamedPipe | modexp |

Network Connectivity

| Function Name | Original Author |
| --- | --- |
| UrlDownloadToFileSynchronous | Hans Passant |
| ConvertIPv4IpAddressStructureToString | smelly__vx |
| ConvertIPv4StringToUnsignedLong | smelly__vx |
| SendIcmpEchoMessageToIPv4Host | smelly__vx |
| ConvertIPv4IpAddressUnsignedLongToString | smelly__vx |
| DnsGetDomainNameIPv4AddressAsString | smelly__vx |
| DnsGetDomainNameIPv4AddressUnsignedLong | smelly__vx |
| GetDomainNameFromUnsignedLongIPV4Address | smelly__vx |
| GetDomainNameFromIPV4AddressAsString | smelly__vx |

Other

| Function Name | Original Author |
| --- | --- |
| OleGetClipboardData | Microsoft |
| MpfComVssDeleteShadowVolumeBackups | am0nsec |
| MpfComModifyShortcutTarget | Unknown |
| MpfComMonitorChromeSessionOnce | smelly__vx |
| MpfExtractMaliciousPayloadFromZipFileNoPassword | Codu |

Process Creation

| Function Name | Original Author |
| --- | --- |
| CreateProcessFromIHxHelpPaneServer | James Forshaw |
| CreateProcessFromIHxInteractiveUser | James Forshaw |
| CreateProcessFromIShellDispatchInvoke | Mohamed Fakroud |
| CreateProcessFromShellExecuteInExplorerProcess | Microsoft |
| CreateProcessViaNtCreateUserProcess | CaptMeelo |
| CreateProcessWithCfGuard | smelly__vx and Adam Chester |
| CreateProcessByWindowsRHotKey | smelly__vx |
| CreateProcessByWindowsRHotKeyEx | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab | smelly__vx |
| CreateProcessFromINFSetupCommand | smelly__vx |
| CreateProcessFromINFSectionInstallStringNoCab2 | smelly__vx |
| CreateProcessFromIeFrameOpenUrl | smelly__vx |
| CreateProcessFromPcwUtil | smelly__vx |
| CreateProcessFromShdocVwOpenUrl | smelly__vx |
| CreateProcessFromShell32ShellExecRun | smelly__vx |
| MpfExecute64bitPeBinaryInMemoryFromByteArrayNoReloc | aaaddress1 |
| CreateProcessFromWmiWin32_Process | WCIA |
| CreateProcessFromZipfldrRouteCall | smelly__vx |
| CreateProcessFromUrlFileProtocolHandler | smelly__vx |
| CreateProcessFromUrlOpenUrl | smelly__vx |
| CreateProcessFromMsHTMLW | smelly__vx |

Process Injection

| Function Name | Original Author |
| --- | --- |
| MpfPiControlInjection | SafeBreach Labs |
| MpfPiQueueUserAPCViaAtomBomb | SafeBreach Labs |
| MpfPiWriteProcessMemoryCreateRemoteThread | SafeBreach Labs |
| MpfProcessInjectionViaProcessReflection | Deep Instinct |

Proxied Functions

| Function Name | Original Author |
| --- | --- |
| IeCreateFile | smelly__vx |
| CopyFileViaSetupCopyFile | smelly__vx |
| CreateFileFromDsCopyFromSharedFile | Jonas Lyk |
| DeleteDirectoryAndSubDataViaDelNode | smelly__vx |
| DeleteFileWithCreateFileFlag | smelly__vx |
| IsProcessRunningAsAdmin2 | smelly__vx |
| IeCreateDirectory | smelly__vx |
| IeDeleteFile | smelly__vx |
| IeFindFirstFile | smelly__vx |
| IEGetFileAttributesEx | smelly__vx |
| IeMoveFileEx | smelly__vx |
| IeRemoveDirectory | smelly__vx |

Shellcode Execution

| Function Name | Original Author |
| --- | --- |
| MpfSceViaImmEnumInputContext | alfarom256, aahmad097 |
| MpfSceViaCertFindChainInStore | alfarom256, aahmad097 |
| MpfSceViaEnumPropsExW | alfarom256, aahmad097 |
| MpfSceViaCreateThreadpoolWait | alfarom256, aahmad097 |
| MpfSceViaCryptEnumOIDInfo | alfarom256, aahmad097 |
| MpfSceViaDSA_EnumCallback | alfarom256, aahmad097 |
| MpfSceViaCreateTimerQueueTimer | alfarom256, aahmad097 |
| MpfSceViaEvtSubscribe | alfarom256, aahmad097 |
| MpfSceViaFlsAlloc | alfarom256, aahmad097 |
| MpfSceViaInitOnceExecuteOnce | alfarom256, aahmad097 |
| MpfSceViaEnumChildWindows | alfarom256, aahmad097, wra7h |
| MpfSceViaCDefFolderMenu_Create2 | alfarom256, aahmad097, wra7h |
| MpfSceViaCertEnumSystemStore | alfarom256, aahmad097, wra7h |
| MpfSceViaCertEnumSystemStoreLocation | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumDateFormatsW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumDesktopWindows | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumDesktopsW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumDirTreeW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumDisplayMonitors | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumFontFamiliesExW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumFontsW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumLanguageGroupLocalesW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumObjects | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumResourceTypesExW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumSystemCodePagesW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumSystemGeoID | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumSystemLanguageGroupsW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumSystemLocalesEx | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumThreadWindows | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumTimeFormatsEx | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumUILanguagesW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumWindowStationsW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumWindows | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumerateLoadedModules64 | alfarom256, aahmad097, wra7h |
| MpfSceViaK32EnumPageFilesW | alfarom256, aahmad097, wra7h |
| MpfSceViaEnumPwrSchemes | alfarom256, aahmad097, wra7h |
| MpfSceViaMessageBoxIndirectW | alfarom256, aahmad097, wra7h |
| MpfSceViaChooseColorW | alfarom256, aahmad097, wra7h |
| MpfSceViaClusWorkerCreate | alfarom256, aahmad097, wra7h |
| MpfSceViaSymEnumProcesses | alfarom256, aahmad097, wra7h |
| MpfSceViaImageGetDigestStream | alfarom256, aahmad097, wra7h |
| MpfSceViaVerifierEnumerateResource | alfarom256, aahmad097, wra7h |
| MpfSceViaSymEnumSourceFiles | alfarom256, aahmad097, wra7h |

String Manipulation

| Function Name | Original Author |
| --- | --- |
| ByteArrayToCharArray | smelly__vx |
| CharArrayToByteArray | smelly__vx |
| ShlwapiCharStringToWCharString | smelly__vx |
| ShlwapiWCharStringToCharString | smelly__vx |
| CharStringToWCharString | smelly__vx |
| WCharStringToCharString | smelly__vx |
| RtlInitEmptyUnicodeString | ReactOS |
| RtlInitUnicodeString | ReactOS |
| CaplockString | simonc |
| CopyMemoryEx | ReactOS |
| SecureStringCopy | Apple (c) 1999 |
| StringCompare | Apple (c) 1999 |
| StringConcat | Apple (c) 1999 |
| StringCopy | Apple (c) 1999 |
| StringFindSubstring | Apple (c) 1999 |
| StringLength | Apple (c) 1999 |
| StringLocateChar | Apple (c) 1999 |
| StringRemoveSubstring | smelly__vx |
| StringTerminateStringAtChar | smelly__vx |
| StringToken | Apple (c) 1999 |
| ZeroMemoryEx | ReactOS |
| ConvertCharacterStringToIntegerUsingNtdll | smelly__vx |
| MemoryFindMemory | KamilCuk |

UAC Bypass

| Function Name | Original Author |
| --- | --- |
| UacBypassFodHelperMethod | winscripting.blog |

Rad98 Hooking Engine

| Function Name | Original Author |
| --- | --- |
| InitHardwareBreakpointEngine | rad98 |
| ShutdownHardwareBreakpointEngine | rad98 |
| ExceptionHandlerCallbackRoutine | rad98 |
| SetHardwareBreakpoint | rad98 |
| InsertDescriptorEntry | rad98 |
| RemoveDescriptorEntry | rad98 |
| SnapshotInsertHardwareBreakpointHookIntoTargetThread | rad98 |

Generic Shellcode

| Function Name | Original Author |
| --- | --- |
| GenericShellcodeHelloWorldMessageBoxA | SafeBreach Labs |
| GenericShellcodeHelloWorldMessageBoxAEbFbLoop | SafeBreach Labs |
| GenericShellcodeOpenCalcExitThread | MsfVenom |