vx-api
  • Introduction
  • Code base
    • Headers
    • CRT Recreation
      • CaplockString
      • CopyMemory
      • SecureStringCopy
      • StringCompare
      • StringConcat
      • StringCopy
      • StringLength
      • StringLocateChar
      • StringFindSubstring (unstable)
      • ByteArrayToCharArray
      • CharArrayToByteArray
      • CharStringToWCharString
      • WCharStringToCharString
      • StringTerminateStringAtChar
      • RtlInitAnsiString
      • RtlInitUnicodeString
      • ShlwapiCharStringToWCharString
      • ShlwapiWCharStringToCharString
      • Random Integer (NTDLL)
      • ConvertCharStringToInt (NTDLL)
      • ZeroMemory
        • ImplZeroMemory1
        • ImplZeroMemory2
  • String Hashing
    • Djb2
    • FowlerNollVoVariant1a
    • JenkinsOneAtATime32Bit
    • LoseLose
    • Murmur
    • Rotr32
    • Sdbm
    • SipHash
    • SuperFastHash
    • UnknownGenericHash1
  • Antidebugging Methods
    • CloseHandleOnInvalidAddress
    • IsDebuggerPresentEx
    • IsIntelHardwareBreakpointPresent
  • Library Loading
    • GetTeb
    • GetPeb
    • GetKUserSharedData
    • RtlLoadPeHeaders
    • LdrLoadGetProcedureAddress
    • GetRtlUserProcessParameters
    • ProxyRegisterWaitLoadLibrary
    • ProxyWorkItemLoadLibrary
    • Function Import Methods
      • GetProcAddress (Safe)
      • GetProcAddressDjb2
      • GetProcAddressFowlerNollVoVariant1a
      • GetProcAddressJenkinsOneAtATime32Bit
      • GetProcAddressLoseLose
      • GetProcAddressMurmur
      • GetProcAddressRotr32
      • GetProcAddressSdbm
      • GetProcAddressSipHash
      • GetProcAddressSuperFastHash
      • GetProcAddressUnknownGenericHash1
  • Error Handling
    • GetLastErrorFromTeb
    • GetLastNtStatusFromTeb
    • RtlNtStatusToDosErrorViaImport
    • Win32FromHResult
  • Fingerprinting
    • GetNumberOfLinkedDlls
    • PEB / TEB related
      • GetCurrentLocaleFromTeb
      • GetOsBuildNumberFromPeb
      • GetOsMajorVersionFromPeb
      • GetOsMinorVersionFromPeb
      • GetOsPlatformIdFromPeb
    • GetPidFromEnumProcesses
    • IsNvidiaGraphicsCardPresent
    • IsProcessRunning (simple)
  • Wrappers and Helpers
    • GetProcessHeapFromTeb
    • GetCurrentThread
    • IsPathValid
    • IsDllLoaded
    • GetFileSizeFromPath
    • IsRegistryKeyValid
    • GetCurrentProcess
    • GetCurrentProcessIdFromTeb
    • GetCurrentProcessIdFromOffset
    • ExecuteBinaryShellExecuteEx
    • GetProcessPathFromLoaderLoad
    • GetProcessPathFromUserProcessParameters
    • GetProcessBinaryNameFromHwnd
    • GetCurrentDirectoryFromUserProcessParameters
    • GetSystemWindowsDirectory
    • ImplGetModuleHandle
  • Process Creation Techniques
    • WindowsRHotKey
    • WindowsRHotKeyEx
    • IeFrameOpenUrl
    • INFSectionInstallString
    • INFSectionInstallString2
    • INFSetupCommand
    • CreateProcessFromMsHTML
    • CreateProcessFromPcwUtilW
    • ShdocVwOpenUrl
    • ShellExecRunDLL
    • UrlFileProtocolHandler
    • UrlOpenUrl
    • ZipfldrRouteCall
    • CreateProcessViaNtCreateUserProcess
    • CreateProcessWithCfGuard
  • Shellcode Execution
    • CreateThreadAndWaitForCompletion
    • CDefFolderMenu_Create2
    • CertEnumSystemStore
    • CertEnumSystemStoreLocation
    • ChooseColorW
    • ClusWorkerCreate
    • CreateTimerQueueTimer
    • CryptEnumOIDInfo
    • DSA_EnumCallback
    • EnumChildWindows
    • EnumDateFormatsW
    • EnumDesktopsW
    • EnumDesktopWindows
    • EnumDirTreeW
    • EnumDisplayMonitors
    • EnumerateLoadedModules64
    • EnumFontFamiliesExW
    • EnumFontsW
    • EnumLanguageGroupLocalesW
    • EnumObjects
    • EnumPwrSchemes
    • EnumResourceTypesExW
    • EnumSystemCodePagesW
    • EnumSystemGeoID
    • EnumSystemLanguageGroupsW
    • EnumSystemLocalesEx
    • EnumThreadWindows
    • EnumTimeFormatsEx
    • EnumUILanguagesW
    • EnumWindows
    • EnumWindowStationsW
    • EvtSubscribe
    • FlsAlloc
    • ImageGetDigestStream
    • ImmEnumInputContext
    • InitOnceExecuteOnce
    • K32EnumPageFilesW
    • MessageBoxIndirectW
    • SymEnumProcesses
    • SymEnumSourceFilesW
    • VerifierEnumerateResource
  • Compression
    • Lempel-Ziv
      • LzStandardDecompressBuffer
      • LzStandardCompressBuffer
      • LzMaximumDecompressBuffer
      • LzMaximumCompressBuffer
    • Xpress
      • XpressMaximumCompressBuffer
      • XpressMaximumDecompressBuffer
      • XpressStandardCompressBuffer
      • XpressStandardDecompressBuffer
    • Xpress Huff
      • XpressHuffMaximumCompressBuffer
      • XpressHuffMaximumDecompressBuffer
      • XpressHuffStandardCompressBuffer
      • XpressHuffStandardDecompressBuffer
  • Networking
    • IPv4IpAddressStructureToString
    • IPv4IpAddressUnsignedLongToString
    • IPv4StringToUnsignedLong
    • DnsGetDomainNameIPv4AddressAsString
    • DnsGetDomainNameIPv4AddressUnsignedLong
    • GetDomainNameFromIPV4AddressAsString
    • GetDomainNameFromUnsignedLongIPV4Address
    • SendIcmpEchoMessageToIPv4Host
    • UrlDownloadToFileSynchronous
  • Lsass Related
    • GetLsaPidFromNamedPipe
    • GetLsaPidFromRegistry
    • GetLsaPidFromServiceManager
  • Proxied Functions
    • CopyFileViaSetupCopyFile
    • CreateFileFromDsCopyFromSharedFile
    • DeleteDirectoryAndSubData
    • IeCreateDirectory
    • IeCreateFile
    • IsProcessRunningAsAdmin2
    • IEGetFileAttributesEx
    • IEMoveFileEx
    • IERemoveDirectory
  • Evasion
    • AmsiBypass by Patching (OLD)
    • Delay execution until monitor off
    • Unlink DLL from process
    • Sleep Obfuscation (unstable)
  • Component Object Model
    • Process Creation
      • IHxInteractiveUser
      • WmiWin32_CreateProcess
      • IHxHelpPaneServer
      • CoShellWindowExecute
      • CoShellExecute
    • IsComInitialized
    • CoGetEnvironmentVariableW
    • CoCreateIsoForMounting
    • CoXMLHTTPDownloadByteFileW
    • CoEnumUPnPDevices
  • My Projects
    • "Jeff", COM-only keylogger
    • "Russian Doll", Recursive file loader
    • "Branchy", Branchless keylogger
    • "Fever Dream" - Code executing when the Windows machine is locked
    • Creating "Ransomware" Using WinRT
Powered by GitBook
On this page
  1. Library Loading

ProxyWorkItemLoadLibrary

typedef NTSTATUS(NTAPI* NTWAITFORSINGLEOBJECT)(HANDLE, BOOL, PLARGE_INTEGER);
typedef NTSTATUS(NTAPI* RTLQUEUEWORKITEM)(PRTL_WORK_ITEM_ROUTINE, PVOID, ULONG);

HMODULE ProxyWorkItemLoadLibraryW(_In_ LPCWSTR lpModuleName)
{
	NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
	RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	LARGE_INTEGER Timeout = { 0 };

	NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWaitForSingleObject");
	RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueueWorkItem");

	if (!NtWaitForSingleObject || !RtlQueueWorkItem)
		return NULL;

	if(RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryW, (PVOID)lpModuleName, WT_EXECUTEDEFAULT) != STATUS_SUCCESS)
		return NULL;

	Timeout.QuadPart = -500000;

	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);

	return GetModuleHandleW(lpModuleName);
}

HMODULE ProxyWorkItemLoadLibraryA(_In_ LPCSTR lpModuleName)
{
	NTWAITFORSINGLEOBJECT NtWaitForSingleObject = NULL;
	RTLQUEUEWORKITEM RtlQueueWorkItem = NULL;
	NTSTATUS Status = STATUS_SUCCESS;
	LARGE_INTEGER Timeout = { 0 };

	NtWaitForSingleObject = (NTWAITFORSINGLEOBJECT)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWaitForSingleObject");
	RtlQueueWorkItem = (RTLQUEUEWORKITEM)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueueWorkItem");

	if (!NtWaitForSingleObject || !RtlQueueWorkItem)
		return NULL;

	if(RtlQueueWorkItem((PRTL_WORK_ITEM_ROUTINE)&LoadLibraryA, (PVOID)lpModuleName, WT_EXECUTEDEFAULT) != STATUS_SUCCESS)
		return NULL;

	Timeout.QuadPart = -500000;

	NtWaitForSingleObject(GetCurrentProcessNoForward(), FALSE, &Timeout);

	return GetModuleHandleA(lpModuleName);
}

PreviousProxyRegisterWaitLoadLibraryNextFunction Import Methods

Last updated 29 days ago