From b9c5a7af912b90290944d48c26074730d7633bcf Mon Sep 17 00:00:00 2001
From: yuanyuanxiang <962914132@qq.com>
Date: Sat, 8 Nov 2025 23:11:34 +0800
Subject: [PATCH] feature: Add menu to load bin file to test shellcode

---
 common/obfs.h                       |  21 ++++++++
 server/2015Remote/2015Remote.rc     | Bin 103332 -> 103954 bytes
 server/2015Remote/2015RemoteDlg.cpp |  76 +++++++++++++++++++++++++---
 server/2015Remote/2015RemoteDlg.h   |   4 ++
 server/2015Remote/resource.h        | Bin 52944 -> 53696 bytes
 5 files changed, 94 insertions(+), 7 deletions(-)

diff --git a/common/obfs.h b/common/obfs.h
index 43b2d8f..916bd84 100644
--- a/common/obfs.h
+++ b/common/obfs.h
@@ -7,12 +7,20 @@
 
 class ObfsBase {
 public:
+	bool m_bGenCArray;
+	ObfsBase(bool genCArray = true) : m_bGenCArray(genCArray) { }
+	virtual ~ObfsBase() { }
+
 	// 对称混淆函数：用于加密和解密
 	virtual void ObfuscateBuffer(uint8_t* buf, size_t len, uint32_t seed) {}
 
 	// 解混淆：与加密顺序相反
 	virtual void DeobfuscateBuffer(uint8_t* buf, size_t len, uint32_t seed) {}
 
+	virtual bool WriteFile(const char* filename, uint8_t* data, size_t length, const char* arrayName) {
+		return m_bGenCArray ? WriteBinaryAsCArray(filename, data, length, arrayName) : WriteBinaryFile(filename, data, length);
+	}
+
 	// 将二进制数据以 C 数组格式写入文件
 	virtual bool WriteBinaryAsCArray(const char* filename, uint8_t* data, size_t length, const char* arrayName) {
 		FILE* file = fopen(filename, "w");
@@ -32,6 +40,17 @@ public:
 		fclose(file);
 		return true;
 	}
+
+	// 使用 "wb" 二进制写入模式
+	virtual bool WriteBinaryFile(const char* filename, const uint8_t* data, size_t length) {
+		FILE* file = fopen(filename, "wb");
+		if (!file) return false;
+
+		size_t written = fwrite(data, 1, length, file);
+		fclose(file);
+
+		return written == length;
+	}
 };
 
 class Obfs : public ObfsBase {
@@ -47,6 +66,8 @@ private:
 	}
 
 public:
+	Obfs(bool genCArray = true) : ObfsBase(genCArray) { }
+
 	// 对称混淆函数：用于加密和解密
 	virtual void ObfuscateBuffer(uint8_t* buf, size_t len, uint32_t seed) {
 		uint32_t state = seed;
diff --git a/server/2015Remote/2015Remote.rc b/server/2015Remote/2015Remote.rc
index afabec76b77c10a0f3fa306861d041119891c162..85203d03334a4203e54c4c24c2abcba40f87c703 100644
GIT binary patch
delta 364
zcmZ3ooNdw?wuUW?S;j&N47v<<3<?a+3~##`x(ZT{)J-p7VN{vEz?d;g>ZqT5sX!7;
zNfJXQLmp6Rd+IkokRm0JA}!{42B+x{g&9qSymPO1D=?s_k`rXqntnlnkxe<6!Gpn-
z!3PMP8T=Vsfb4i6+n>P^$c|?S0rG>VGa53APZ!`|l$rj^n2`&I(-c7FaZI-}VbnvY
z6~X03Ik;*mxI^V1cYe=3maENx>0k{8H3paIi9C$5U{~v6bG1K%6N4K=FfR8is544U
PcaUNf**?pJkt-emK9yLw

delta 63
zcmV-F0Kor}tOlf~27t5yYBQHG2>~{jpfdqlmoPN}3I!+tCIC;DVGIE+m(U;q2$ys<
V0WOyyCjlClKpFuQw+J@@3SUkh5N!Ye

diff --git a/server/2015Remote/2015RemoteDlg.cpp b/server/2015Remote/2015RemoteDlg.cpp
index b572532..e57608d 100644
--- a/server/2015Remote/2015RemoteDlg.cpp
+++ b/server/2015Remote/2015RemoteDlg.cpp
@@ -497,6 +497,10 @@ BEGIN_MESSAGE_MAP(CMy2015RemoteDlg, CDialogEx)
     ON_COMMAND(ID_MACHINE_LOGOUT, &CMy2015RemoteDlg::OnMachineLogout)
     ON_WM_DESTROY()
     ON_MESSAGE(WM_SESSION_ACTIVATED, &CMy2015RemoteDlg::OnSessionActivatedMsg)
+    ON_COMMAND(ID_TOOL_GEN_SHELLCODE_BIN, &CMy2015RemoteDlg::OnToolGenShellcodeBin)
+    ON_COMMAND(ID_SHELLCODE_LOAD_TEST, &CMy2015RemoteDlg::OnShellcodeLoadTest)
+    ON_COMMAND(ID_SHELLCODE_OBFS_LOAD_TEST, &CMy2015RemoteDlg::OnShellcodeObfsLoadTest)
+    ON_COMMAND(ID_OBFS_SHELLCODE_BIN, &CMy2015RemoteDlg::OnObfsShellcodeBin)
 END_MESSAGE_MAP()
 
 
@@ -3153,6 +3157,17 @@ void CMy2015RemoteDlg::OnToolInputPassword()
     }
 }
 
+bool safe_exec(void *exec) {
+	__try {
+		((void(*)())exec)();
+        return true;
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		VirtualFree(exec, 0, MEM_RELEASE);
+	}
+    return false;
+}
+
 /* Example: <Select TinyRun.dll to build "tinyrun.c">
 #include "tinyrun.c"
 #include <windows.h>
@@ -3169,9 +3184,9 @@ int main() {
 }
 */
 #include "common/obfs.h"
-void shellcode_process(ObfsBase *obfs) {
-	CFileDialog fileDlg(TRUE, _T("dll"), NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT,
-		_T("DLL Files (*.dll)|*.dll|All Files (*.*)|*.*||"), AfxGetMainWnd());
+void shellcode_process(ObfsBase *obfs, bool load = false, const char* suffix = ".c") {
+	CFileDialog fileDlg(TRUE, NULL, NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT,
+		_T("DLL Files (*.dll)|*.dll|BIN Files (*.bin)|*.bin|All Files (*.*)|*.*||"), AfxGetMainWnd());
 	int ret = 0;
 	try {
 		ret = fileDlg.DoModal();
@@ -3195,15 +3210,28 @@ void shellcode_process(ObfsBase *obfs) {
 
 		LPBYTE srcData = NULL;
 		int srcLen = 0;
-		if (MakeShellcode(srcData, srcLen, (LPBYTE)szBuffer, dwFileSize)) {
+        if (load){
+            const uint32_t key = 0xDEADBEEF;
+            obfs->DeobfuscateBuffer(szBuffer, dwFileSize, key);
+			void* exec = VirtualAlloc(NULL, dwFileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+			if (exec) {
+				memcpy(exec, szBuffer, dwFileSize);
+				if (safe_exec(exec)) {
+					AfxMessageBox("Shellcode 鎵ц鎴愬姛! ", MB_ICONINFORMATION);
+                }
+                else {
+                    AfxMessageBox("Shellcode 鎵ц澶辫触! 璇风敤鏈▼搴忕敓鎴愮殑 bin 鏂囦欢杩涜娴嬭瘯! ", MB_ICONERROR);
+                }
+			}
+        }
+		else if (MakeShellcode(srcData, srcLen, (LPBYTE)szBuffer, dwFileSize)) {
 			TCHAR buffer[MAX_PATH];
 			_tcscpy_s(buffer, name);
 			PathRemoveExtension(buffer);
             const uint32_t key = 0xDEADBEEF;
-            const BYTE* p = srcData;
             obfs->ObfuscateBuffer(srcData, srcLen, key);
-			if (obfs->WriteBinaryAsCArray(CString(buffer) + ".c", srcData, srcLen, "Shellcode")) {
-				AfxMessageBox("Shellcode 鐢熸垚鎴愬姛! 璇疯嚜琛岀紪鍐欒皟鐢ㄧ▼搴忋�俓r\n" + CString(buffer) + ".c",
+			if (obfs->WriteFile(CString(buffer) + suffix, srcData, srcLen, "Shellcode")) {
+				AfxMessageBox("Shellcode 鐢熸垚鎴愬姛! 璇疯嚜琛岀紪鍐欒皟鐢ㄧ▼搴忋�俓r\n" + CString(buffer) + suffix,
 					MB_ICONINFORMATION);
 			}
 		}
@@ -3225,6 +3253,40 @@ void CMy2015RemoteDlg::OnObfsShellcode()
 }
 
 
+void CMy2015RemoteDlg::OnToolGenShellcodeBin()
+{
+	ObfsBase obfs(false);
+	shellcode_process(&obfs, false, ".bin");
+}
+
+void CMy2015RemoteDlg::OnObfsShellcodeBin()
+{
+	Obfs obfs(false);
+	shellcode_process(&obfs, false,  ".bin");
+}
+
+
+void CMy2015RemoteDlg::OnShellcodeLoadTest()
+{
+    if (MessageBox(CString("鏄惁娴嬭瘯 ") + (sizeof(void*) == 8 ? "64浣�" : "32浣�") + " Shellcode 浜岃繘鍒舵枃浠�? "
+        "璇烽�夋嫨鍙椾俊浠荤殑 bin 鏂囦欢銆俓r\n娴嬭瘯鏈煡鏉ユ簮鐨� Shellcode 鍙兘瀵艰嚧绋嬪簭宕╂簝锛岀敋鑷冲瓨鍦� CC 椋庨櫓銆�", 
+        "鎻愮ず", MB_ICONQUESTION | MB_YESNO) == IDYES) {
+		ObfsBase obfs;
+		shellcode_process(&obfs, true);
+    }
+}
+
+
+void CMy2015RemoteDlg::OnShellcodeObfsLoadTest()
+{
+	if (MessageBox(CString("鏄惁娴嬭瘯 ") + (sizeof(void*) == 8 ? "64浣�" : "32浣�") + " Shellcode 浜岃繘鍒舵枃浠�? "
+        "璇烽�夋嫨鍙椾俊浠荤殑 bin 鏂囦欢銆俓r\n娴嬭瘯鏈煡鏉ユ簮鐨� Shellcode 鍙兘瀵艰嚧绋嬪簭宕╂簝锛岀敋鑷冲瓨鍦� CC 椋庨櫓銆�",
+		"鎻愮ず", MB_ICONQUESTION | MB_YESNO) == IDYES) {
+		Obfs obfs;
+		shellcode_process(&obfs, true);
+	}
+}
+
 void CMy2015RemoteDlg::OnOnlineAssignTo()
 {
     CInputDialog dlg(this);
diff --git a/server/2015Remote/2015RemoteDlg.h b/server/2015Remote/2015RemoteDlg.h
index ed3df64..33a3dee 100644
--- a/server/2015Remote/2015RemoteDlg.h
+++ b/server/2015Remote/2015RemoteDlg.h
@@ -340,4 +340,8 @@ public:
     afx_msg void OnMachineLogout();
     void MachineManage(MachineCommand type);
     afx_msg void OnDestroy();
+    afx_msg void OnToolGenShellcodeBin();
+    afx_msg void OnShellcodeLoadTest();
+    afx_msg void OnShellcodeObfsLoadTest();
+    afx_msg void OnObfsShellcodeBin();
 };
diff --git a/server/2015Remote/resource.h b/server/2015Remote/resource.h
index 6149df6a03f03b3acfa8c1a9eebb3c2a9ef8e80e..b305a6dd19dc176cb5c7cbb1f45bc7a8780bdeb4 100644
GIT binary patch
delta 248
zcmcaGm-)bA<_$S#CRcHaOm<kwGP&T01f$91#%=PG&Tvdl(U6+VcZ6qh-Cil?cm}7*
zA6E#2gg2SUOwKzZHMt;BVRFD;w#f}#GElujygm&642}#g4Dk#h46c(G21<fdFq%%j
zxJDMF2gv%!FAvt0lmyqM?a$!E;KmRP)P<rSC=$Y;0Efm5MhupdAGXNCU1~bHQ5b9*
t(A<YC(vv65VwrsI2+Xn4AbXfi8B8~)pXp|t?8GB6dCggg$x7$e0RTFZQ>p*}

delta 26
kcmV+#0OkL{qXW>L1F&q&vs}-H0h3}V7?YgP7?TpwuC4<NlmGw#