Secure FTP plugin (by Marek)

wesmar
Junior Member
Posts: 5
Joined: 2026-03-03, 09:38 UTC
Location: Poland

Secure FTP plugin (by Marek)

Post by *wesmar »

Hello everyone. I have rewritten the plugin for modern C++ VS 2026 with toolset v145. If anyone wants to test its stability and performance, I am releasing the x64 version. Once I have refined it, the code will be available on my GitHub.
Best regards, Marek
========================================
06.03.2026 - UPDATE!!!
========================================

Image: https://kvc.pl/user/pages/04.repositories/15.sftpplug/images/sftplug.jpg

Secure FTP plugin (SFTP/SCP) - technical status update

I am replacing the first post with a clear technical overview of what is already implemented and stable.

Download and full technical documentation

Please use the project page as the primary source:
https://kvc.pl/repositories/sftpplug

There is a Download sftpplug.zip button at the top of that page.
The same page also contains the full technical description, architecture notes, and current refactor status.

Why this route:
  • Direct forum/browser downloads can sometimes trigger false-positive reputation flags in AV/EDR or browser security mechanisms.
  • Using the official project page as the canonical entry point reduces confusion and keeps release + documentation in one place.

1) Feature inventory

Transfer and file operations
  • Native SFTP and SCP support.
  • Download/upload with resume logic in SFTP path.
  • Shell transfer fallback for restricted hosts (when SFTP subsystem is blocked and SCP is limited/unavailable).
  • Remote permissions/time operations (`chmod`, `touch`) including shell-assisted paths in SCP mode.
  • Remote checksum support (MD5/SHA1/SHA256/SHA512) with parsed command output.

Authentication
  • Password authentication.
  • Keyboard-interactive authentication.
  • Public key authentication (`.pem`, `.ppk`, optional `.pub`).
  • Pageant agent support.
  • Native PPK v2/v3 conversion path (without external puttygen dependency in normal flow).

Session management
  • Session import from PuTTY: `HKCU\Software\SimonTatham\PuTTY\Sessions`
  • Session import from WinSCP: `HKCU\Software\Martin Prikryl\WinSCP 2\Sessions`
  • Imported sessions are converted into plugin INI entries.
  • Proxy support: HTTP CONNECT / SOCKS4 / SOCKS4a / SOCKS5.
  • IPv4 / IPv6 modes.

2) Security model for saved passwords
  • If "Protect password with password manager" is enabled, the password is stored via TC master-password API (`CryptProc`) and INI contains marker: `password=!`.
  • If that mode is not used, plugin stores password with Windows DPAPI (`dpapi:` prefix).
  • Legacy XOR is kept read-only for backward compatibility with old INI entries.

3) Shell transfer fallback (technical details)

This path is intended for shell-only/restricted servers.

Download
  • Primary shell read path: `cat`.
  • Fallback read path: `base64` stream decode.
  • Implemented as streaming/on-the-fly processing (no full file buffering in RAM).

Upload
  • Chunked `base64` upload via shell command pipeline.
  • Current safe default chunk size is conservative to avoid command-line truncation on restrictive shells.
  • Data is appended server-side in chunks and reconstructed without external tools.

4) Current architecture work (ongoing refactor)
  • libssh2 calls are isolated behind backend/session/channel abstractions.
  • Resource handling is being moved to RAII patterns (`unique_ptr`, handle wrappers).
  • Long legacy functions are being split into smaller units.
  • UI coupling is being reduced incrementally.

5) Notes
  • The plugin now targets modern x64 build flow.
  • Main focus remains: stability first, then cleanup of legacy C-style sections.
  • Shell fallback is intentionally optional and only used when enabled/needed.

If needed, I can post a separate developer changelog with file-level details (module by module).
Last edited by wesmar on 2026-03-06, 12:50 UTC, edited 2 times in total.
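
The chunked base64 upload and the remote checksum check described in the post above, as an added example that is not part of the original post and is not the plugin's code. The names `run_remote`, `sh_quote`, `upload_chunked` and `verify_upload`, the 3072-byte default chunk and the exact remote command lines are assumptions; the post does not state which commands the plugin sends.

```shell
#!/bin/sh
# Added example (not the plugin's code): chunked base64 upload over a
# shell-only channel, followed by a checksum comparison.

# Hypothetical transport: stands in for "run this command line on the server".
# It runs the command in a local sh so the example works offline.
run_remote() { sh -c "$1"; }

# Single-quote a value for a POSIX shell; an embedded ' becomes '\''.
# Without this, a file name such as  a'; id; '  would be parsed as a command.
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# upload_chunked LOCAL REMOTE [CHUNK_BYTES]
# Each chunk is encoded on its own, so every remote command carries a complete
# base64 string and its length is bounded by about 4/3 * CHUNK_BYTES.
upload_chunked() {
  src=$1; dst=$(sh_quote "$2"); chunk=${3:-3072}
  size=$(( $(wc -c < "$src") ))
  run_remote ": > $dst" || return 1            # create or truncate the target
  i=0
  while [ $(( i * chunk )) -lt "$size" ]; do
    b64=$(dd if="$src" bs="$chunk" skip="$i" count=1 2>/dev/null | base64 | tr -d '\n')
    # The base64 alphabet (A-Z a-z 0-9 + / =) contains no shell metacharacters.
    run_remote "printf %s '$b64' | base64 -d >> $dst" || return 1
    i=$(( i + 1 ))
  done
}

# verify_upload LOCAL REMOTE
# Compares the local SHA-256 with the first field of the remote sha256sum
# output; returns 0 only when both are present and equal.
verify_upload() {
  want=$(sha256sum < "$1" | cut -d' ' -f1)
  got=$(run_remote "sha256sum < $(sh_quote "$2")" | cut -d' ' -f1)
  [ -n "$got" ] && [ "$want" = "$got" ]
}
```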
white
Power Member
Posts: 6404
Joined: 2003-11-19, 08:16 UTC
Location: Netherlands

Re: Secure FTP plugin (by Marek)

Post by *white »

Moderator message from: white » 2026-03-03, 10:40 UTC

Thread split from New SFTP plugin available now by Mr. Ghisler.

It seemed better to create separate threads for each fork. I hope that is alright, Marek. You can always edit the first post of your thread and change the title and contents.
wesmar
Junior Member
Posts: 5
Joined: 2026-03-03, 09:38 UTC
Location: Poland

Re: Secure FTP plugin (by Marek)

Post by *wesmar »

Thanks a lot! I'll make the adjustments once I'm done. Both the x86 and x64 versions work, but I want to get the most out of stability, transfer, and unusual situations. It's a matter of days, max 2 weeks.
Later, I'll rewrite the post and provide detailed technical documentation. I only test on OVH servers myself.
Best regards, Marek
Spine
Junior Member
Posts: 4
Joined: 2005-01-21, 16:03 UTC
Location: Belarus

Re: Secure FTP plugin (by Marek)

Post by *Spine »

2wesmar, libcrypto-3-x64.dll missing :(
wesmar
Junior Member
Posts: 5
Joined: 2026-03-03, 09:38 UTC
Location: Poland

Re: Secure FTP plugin (by Marek)

Post by *wesmar »

Update 03/06/2026
There are no dependencies on any external libraries. Only the sftpplug.wfx64 plugin itself. Technically, it is a DLL (PE) library. I switched to WinAPI (bcrypt, schannel...).
====
original, outdated response
====
The plugin itself loads only libssh2.dll directly. If someone gets "libcrypto-3-x64.dll missing", that dependency comes from their specific libssh2 build (dynamic OpenSSL), not from plugin code directly. I use libssh2.dll 1.11.1 copied from the latest PHP 8.5.x VS17 NTS package. It works in my environment, likely because required OpenSSL DLLs are already in PATH. If needed, they should place matching libcrypto/libssl DLLs next to libssh2.dll or in PATH. Right now I’m focused on code quality/performance/security (RAII, threading); broader compatibility testing will come after the refactor is finalized.
Last edited by wesmar on 2026-03-06, 13:18 UTC, edited 1 time in total.
wesmar
Junior Member
Posts: 5
Joined: 2026-03-03, 09:38 UTC
Location: Poland

Re: Secure FTP plugin (by Marek)

Post by *wesmar »

1. LoadDllAdv now uses LoadLibraryExA(..., LOAD_WITH_ALTERED_SEARCH_PATH) (with fallback),
2. I added preloading of modern dependencies:

- libcrypto-3-x64.dll
- libssl-3-x64.dll
- libcrypto-3.dll
- libssl-3.dll

3. I also left the legacy preload (libeay32, ssleay32, zlib*) so as not to break older sets.

Result:

- The loader should correctly resolve dependencies from the plugin directory (...\sftpplug\64).

4. The “64” folder now contains the latest libraries
libcrypto-3-x64.dll
libssh2.dll
====
same link, package replaced
white
Power Member
Posts: 6404
Joined: 2003-11-19, 08:16 UTC
Location: Netherlands

Re: Secure FTP plugin (by Marek)

Post by *white »

wesmar wrote: 2026-03-03, 09:45 UTC
Browsers may flag it as a dangerous tool due to the SSL/Crypto libraries it contains, so to download it, you can use PowerShell and the following command:

Shift-drag link to Total Commander?
wesmar
Junior Member
Posts: 5
Joined: 2026-03-03, 09:38 UTC
Location: Poland

Re: Secure FTP plugin (by Marek)

Post by *wesmar »

Currently, the ZIP functionality is 1:1 with the original. Alongside SCP/SFTP/Shell-Base64, I'm implementing a transfer method based on a custom-injected PHP agent — a "mathematically perfect" approach. This will once and for all eliminate issues with hardened or crippled servers (e.g., those with disabled exec, missing SCP, or restricted shells).

Furthermore, I’m adding a proprietary P2P bridge (a custom SMB-style implementation) to instantly establish encrypted tunnels between any two machines. No more "Home vs. Pro" networking nightmares, credential hell, or flaky Network Discovery. The nodes will perform automatic NAT traversal and discovery, with client/server roles switchable via a single click in the GUI.

To squeeze every last drop of performance, I’m completely bypassing the system's network stack overhead and the bottleneck of Windows Defender’s real-time inspection. The entire core will rely on a low-level assembly trampoline (direct-to-buffer memory mapping, bypassing standard I/O). By making the traffic transparent to OS-level overhead, we can finally achieve transfer speeds hitting the physical line rate of the network interface.