📚 Table of Contents
- 1. Project Overview
- 2. Legal Disclaimer
- 3. System Architecture
- 4. Deployment Methods
- 5. Changelog
- 6. Related Projects
- 7. Feedback & Communication
1. Project Overview
Original Source: zibility
Feature Summary:
A remote control system based on gh0st, supporting terminal management, process management, window management, desktop control, file transfer, audio/video streaming, service control, registry viewing, keylogging, SOCKS proxy, virtual desktop, code execution, and more.
If you are passionate about researching control programs and find this project useful, you're welcome to star, fork, watch the repository, submit issues, or contribute via pull requests. The author will address issues depending on spare time availability.
This program is for educational and technical research purposes only. Users are fully responsible for any consequences arising from its usage.
Initial Release Date: January 1, 2019
Compilation Method:
This project is developed and maintained using VS2019, but it can also be successfully compiled with the latest VS2022 compiler. For details, see #171.
The main control program may display garbled text on non-Chinese systems. For solutions, refer to #157.
Source code style:
for /R %F in (*.cpp *.h *.c) do astyle --style=linux "%F"
2. Legal Disclaimer
This project is a research-oriented implementation of remote control technology and is intended solely for legal and educational use.
Strictly prohibited: any illegal access, control, or monitoring of others' devices.
This software is provided "as is" without any warranties. Use of this software is at your own risk.
We are not liable for any illegal or malicious use of this software.
Users must comply with applicable laws and use the software responsibly.
The developer assumes no responsibility for any damages caused by use of this software.
3. System Architecture
Since version v1.1.1, the system adopts a two-tier architecture:
- (1) A superuser distributes and manages multiple master controllers.
- (2) Each master controller manages its own set of controlled clients.
Key characteristics of this architecture:
- Superusers can control any client in the system via the subordinate masters as relays.
- Cross-communication between hosts managed by different masters is disallowed—each master can only control its own clients.
- Superuser authorization is required to manage master controllers.
Important: Unauthorized control of other users' devices is strictly prohibited.
3.1 Master Controller
The master controller executable is YAMA.exe. It serves as the Server side, using IOCP for communication, and supports tens of thousands of clients online concurrently.
Thanks to the layered architecture, the number of supported hosts multiplies with the number of masters.
For example, if one superuser manages 10 masters, and each master handles 10,000 clients, the system can control up to 100,000 clients.
All features are available and stable in the UI. Some operations require the client to run with administrator privileges.
The main UI displays all connected clients.
You can select a host to perform remote actions such as renaming, proxy mapping, or executing commands.
The terminal module allows you to execute remote commands in a command-line interface.
A minimal Linux version is also available for research and development.
Process management displays the running processes on the controlled host. You can start or stop normal processes (not system-level ones).
Window management displays open windows on the controlled machine and allows manipulating them, including hide/show functionality.
Desktop management provides a full remote desktop experience. You can configure the capture method (GDI, DXGI, or VIRTUAL) and compression options (grayscale, screen diff, H264).
The VIRTUAL option allows headless remote control for improved performance.
It also supports reporting active windows and detecting specific applications.
File management allows file transfer between your machine and the client device.
Audio management enables audio monitoring and voice transmission, provided the target machine has audio devices.
Video management opens the client's webcam. Camera detection is enabled by default and indicated in the host list.
Service management allows viewing and managing services on the target machine (start/stop), subject to permissions.
Registry management enables viewing (read-only) the client's registry.
About Licensing:
Since version v1.0.8, using the master controller requires authorization. New builds have a 14-day trial, after which a "serial number" is needed to request an unlock code.
To remove this logic, refer to the OnOnlineBuildClient function and recompile the software. See:
#91
The unlock code includes a validity period and is tied to the machine ID. The system checks for system time tampering. Generating a valid unlock code requires a password.
As of v1.1.1, the precompiled version is no longer authorized. All users must build the software themselves.
Otherwise, after 10 minutes of use, a dialog will prompt for an unlock code.
This prevents misuse by non-technical users.
If you only want to try out the program, version v1.0.7 or earlier is sufficient as core functionality is unchanged.
If you're interested in the technology, you're encouraged to compile it yourself.
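The unlock-code properties described above (a validity period, binding to the machine ID, password-gated issuance, and a system-time tampering check) can be met with a keyed MAC. The following is an added example, not this project's code: the code layout, the salt, the function names, and the use of PBKDF2 and HMAC-SHA256 are all assumptions.

```python
import hashlib
import hmac
import struct

def derive_key(password: str, salt: bytes = b"constructed-example-salt") -> bytes:
    # Stretch the issuer's password into a MAC key (salt value is constructed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _tag(key: bytes, machine_id: str, exp: bytes) -> bytes:
    # The MAC covers both the machine ID and the expiry, so neither can be
    # changed without knowing the key. 0x00 separates the two fields.
    return hmac.new(key, machine_id.encode() + b"\x00" + exp, hashlib.sha256).digest()

def issue_code(key: bytes, machine_id: str, expires: int) -> str:
    # Assumed layout: 8-byte big-endian expiry (Unix time) followed by a 32-byte tag.
    exp = struct.pack(">Q", expires)
    return (exp + _tag(key, machine_id, exp)).hex()

def check_code(key: bytes, machine_id: str, code: str, now: int, last_seen: int) -> str:
    # last_seen is the latest timestamp the verifier has persisted; a current
    # time earlier than that indicates the system clock was turned back.
    try:
        raw = bytes.fromhex(code)
    except ValueError:
        return "malformed"
    if len(raw) != 8 + 32:
        return "malformed"
    exp, tag = raw[:8], raw[8:]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(key, machine_id, exp)):
        return "bad-signature"
    if now < last_seen:
        return "clock-rollback"
    if now > struct.unpack(">Q", exp)[0]:
        return "expired"
    return "ok"
```

Because an HMAC verifier holds the same key as the issuer, a design that must keep issuance separate from verification would use an asymmetric signature instead.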
3.2 Controlled Client
The controlled client is the Client-side application, available in two formats:
- A single executable: ghost.exe
- A launcher + DLL: TestRun.exe with ServerDll.dll
The first form is self-contained.
Since v1.0.8, TestRun.exe loads the DLL into memory, allowing dynamic updates from the master.
3.3 Linux Client
A Linux version is included in v1.0.8, currently only supporting terminal access.
Compile the client on a Linux system. Then, in the master build dialog, select the compiled binary and set the desired connection address to generate a valid Linux client.
4. Deployment Methods
4.1 Intranet Deployment
This means the master and clients are within the same local network. The client can directly reach the master’s IP and port.
This is the simplest form—just enter the master’s local IP and port when building the client.
4.2 Internet Deployment
In this case, the master and clients are on different networks, and the master lacks a public IP.
Clients cannot directly connect. To bridge this, a "middleman" is required to forward traffic.
One method is using Peanuthull, but here we focus on a second method, which works similarly:
Client → VPS → Master
A VPS (Virtual Private Server) is used as a relay to control remote clients.
A physical server can also be used, but VPS is more cost-effective.
Usually, you need to rent one and set up port forwarding using FRP (Fast Reverse Proxy).
During client generation, use the VPS IP (or domain, if available).
The FRP server runs on the VPS, while the FRP client runs on your local machine.
Once a client connects to the VPS, the relay will forward traffic to your local machine, completing the control loop.
5. Changelog
For changes before 2025, see: history
2025.01.12
Fixed two potential remote desktop issues (#28, #29).
Added sorting for the controller’s list windows (#26, #27), making it easier to locate windows, services, or processes.
Released version v1.0.6, noted for high stability.
This version does not support older Windows XP systems (note: VS2019 and later have dropped support for XP toolchains; use older Visual Studio versions if needed).
Download the latest release from GitHub or clone the repo.
If antivirus software flags it as a virus, this is expected due to the nature of the software — feel free to compile it yourself for verification.
2025.02.01
Inspired by Gh0st, added keylogging support, implemented by copying four core files:
KeyboardManager.h, KeyboardManager.cpp, KeyBoardDlg.h, KeyBoardDlg.cpp
2025.04.05
Release v1.0.7, main fixes and new features:
- Update third-party libraries and switch zlib to zstd; the old version v1.0.6 is compatible;
- Support compiling for Win64;
- Fix bugs and make the program more stable;
- Improve remote control efficiency and support more bitmap compressing method;
- Some code reorganization.
2025.04.12
Changes since v1.0.7 was released on April 5:
- Improvement: Make sure that the input command is always at the end of Shelldlg, and build a simple Linux client;
- Fix bugs: #62, #74, #75;
- Change the flag 0x1234567 to a more readable string; improve the building service and allow choosing other files to build;
- Showing the user's activities and monitoring specified software;
- Clean up global variables and make it easy to create multiple clients in one program, which is useful for testing the master's capacity;
- Implement loading DLL in memory, make it easy to update client program;
2025.04.21
Release v1.0.8:
- Support to share online host with other masters;
- Implement service-generated authorization capability, and add a serial number generation menu;
- Add HPSocket libraries which may be used in the future, and add static ffmpeg libraries to build Win64 master;
- Implement a memory DLL runner: the TestRun program requests the DLL from the master and executes it in memory.
2025.04.30
Release v1.0.9:
- Update client building feature / All in one; The master will only accept the clients built by itself.
- Improve authorization feature.
2025.06.01
Release v1.1.0:
- fix: IOCPClient clear buffer when disconnect
- Implement SOCKS proxy feature
- Add menus and modify list style, add log
- feature: Add a C program to execute shell code
- feature: Encrypt for server address
- feat: Support virtual remote desktop monitoring
- feature: Add command to execute DLL
2025.06.21
Release v1.1.1:
Starting from this version, the controller program requires authorization and will automatically connect to the authorization server. You may contact the author to request authorization. If you have concerns about this, please use an earlier version (prior to v1.0.8). Modifying and compiling the program yourself can also resolve this issue.
- fix: remote desktop algorithm doesn't take effect
- Add some menus for operating online client
- Plugin: Add remote chat feature
- Plugin: Add browser decryption feature
- Plugin: Add host management feature
- Plugin: Add virtual desktop feature
- Improve: #48 Support sorting in file management dialog
- Feature: Support WinOS RAT client
- Improve authorization logic: Support authorize master online
- feature: Support random or multi connection
- Improvement: Add a popup window to show details
- Improve client stability
2025.07.07
Release v1.1.2:
- Fix the problem with the keylogging feature
- Security: Improve the authorization of plugins
- fix: Memory leak when release CMachineDlg object
- fix: Showing wrong IP while using Reverse Proxy (#147)
- Add a menu redirects to the authorization guide page
- Plugin: Add another file management module
- Improve: Reduce master program redundant code
- fix: Prevent crash when closing window during background data processing
- Improve: Remove redundant code for reading the registry
- layout: Reorganize TCP client/server code; Refactor the socket server code
- feature: Support listening on multiple ports simultaneously
- feature: Support client connections over UDP; Add client protocol option TCP/UDP
- Plugin: #145 Support remote drawing board
- Plugin: Add remote desktop privacy screen feature
2025.07.19
Release v1.1.3
- Add encrypt and decrypt functions
- Modify the popup message to be triggered by NM_DBLCLK
- Improve: Save DLL data to registry
- Feature: Support HTTP protocol and add building option
- Feature: Add encryption option for client building
- Improvement: Reduce transmit mouse move message
- fix: Lost control when operating high permission windows
- Improve client stability by handling exceptions
- feature: Remote desktop support multi monitor
- Improve: Support authorizing the online host quantity
- fix:#159 Authorization doesn't work under TestRun injection
2025.07.29
Release v1.1.4
- fix: Limit the online host number which uses UDP
- Feature: Implement KCP protocol - based on UDP
- Improve: Add random protocol option for building client
- Feature: Support remote desktop adaptive to window size
- Feature: Add a menu item to build shellcode
- Feature: support assigning client to another master
- Feature: Support adding client to watch list
- Improve: Avoid client computer going to sleep
- fix: #170 Remove the dependency of VCOMP140.dll
- Improve: Showing the client application version
- fix: Refresh client public IP every one week
2025.08.08
Release v1.1.5
This version focuses on improving the remote control experience (especially multi-monitor support and UI behavior), enhancing integration and permission handling, and resolving several critical bugs.
- Feature: Add run client program as admin feature
- Feature: Integrate frp client with master program
- Improve: Showing inactive locked client status
- Clean up: Remove old history releases
- fix: #176 #177 Desktop control does not work properly
- Improve: Enter full screen on the current monitor
- fix: Showing the correct cursor status on window
- Improve: Support multiple screen desktop monitoring
- fix: Virtual desktop control support multiple monitor
- fix: Avoid opening a web page when pressing F1
2025.09.11
Release v1.1.6
This update adds client compression and build options, supports multiple displays (video wall), improves performance (e.g., multi-threaded compression and RTT), and fixes protocol and injection issues.
- Feature: Support compression option when building client
- fix: #182 First command using HTTP protocol
- Improve: Enable zstd multi-thread compression for client
- Improve: Master using ZSTD_DCtx and using new RTT
- fix: Improve creating registry and injecting shellcode
- Improve: getPublicIP may fail and block master program
- Feature: Support setting the client building flag
- Feature: Add client shellcode building option
- Feature: Supports multiple remote displays (video wall)
2025.10.12
Release v1.1.7
This version adds new tools, auto client deletion, IP fix, and private remote desktop code.
- Feature: Add digital coin hack feature (research only)
- Feature: #193 Automatically delete client after first running
- Feature: Add tool menu for changing exe file icon
- fix: #195 Client get public IP failed
- Feature: Add a menu to uninstall client program
- Feature: Add private remote desktop source code
2025.11.15
Release v1.1.8
This update fixes several stability and security issues, enhances clipboard and file operations in remote control, and adds a plugin example.
- fix: #204 Change socket connecting to non-blocking mode
- style: Format source code and support grouping client
- fix: Save shellcode in registry and use it when possible
- Feature: Add machine logout, shutdown and reboot cmd
- fix: UpdateClientClipboard may lose the last letter
- Feature: Support copy text from remote with Ctrl+V
- fix: #210 Stack for saving decoded buffer overflow
- fix: #212 Undefined behavior on printf
- fix #185 and fix #214
- Feature: File copy/paste support in remote control
- Feature&fix: Show username on master program
- Improve: Generate HMAC while generating pass code
- feature: Add menu to load bin file to test shellcode
- fix: No need to restart client to update wallet address
- Feature: Add menu to build and test AES encrypted shellcode
- Feature: Support converting PE using pe_to_shellcode
- plugin: Add an example plugin project for reference
- Feature: Add shellcode injection feature for process management
6. Related Projects
- HoldingHands: A remote control program with a fully English interface and a different architectural design.
- BGW RAT: A fully featured remote access tool, also known as Big Grey Wolf 9.5.
- Gh0st: Another remote controller based on the original Gh0st RAT.
7. Feedback & Communication
QQ: 962914132
Contact: Telegram, Email, LinkedIn
Issue Reporting: Issues
Contributions welcome: Merge requests
Sponsorship
This project stems from technical exploration and personal interest. Updates are made on a non-regular basis, depending on available spare time.
If you find this project useful, please consider supporting it via the sponsor icon.
If you'd prefer to sponsor using other methods (e.g., WeChat, Alipay or PayPal), please click here.
















