
在任意的远程桌面的session中运行指定的程序

文章作者:pt007[at]vip.sina.com .S.T.O版权所有
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

代码:
// Run a given program inside another session (for example a Remote Desktop session).
// Requires SYSTEM privileges; the program can be started on the desktop of any session.
// The SYSTEM requirement comes from WTSQueryUserToken (declared for dynamic loading in
// main below), which only succeeds for callers holding SE_TCB_NAME, i.e. LocalSystem /
// a service. Detection note: a non-service process calling WTSQueryUserToken to obtain
// another session's user token is a classic lateral-movement / privilege-abuse pattern.

#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <psapi.h>
#include <stdio.h>
#include <STDLIB.H>
#include <tlhelp32.h>
#include <WtsApi32.h>
#pragma comment(lib, "WtsApi32.lib")
#pragma  comment (lib,"psapi")


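// Get username from session id
//
// Copies the name of the user logged on to session dwSessionId into
// username, which must hold at least 256 chars.  Returns false if the WTS
// query fails (e.g. the session id does not exist or the caller lacks the
// right to query it); username is left untouched in that case.
//
// Fix: the original copied with lstrcpy, an unbounded copy into a fixed-size
// buffer.  The copy is now bounded to the buffer size and always
// NUL-terminated; an over-long name is truncated instead of overflowing.
bool GetSessionUserName(DWORD dwSessionId, char username[256])
{
        const int cchUserName = 256;    // capacity of the caller's buffer (see signature)
        LPTSTR pBuffer = NULL;
        DWORD dwBufferLen = 0;

        // pBuffer is only assigned on success; a NULL result is treated as failure.
        if (!WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, dwSessionId,
                                        WTSUserName, &pBuffer, &dwBufferLen)
            || pBuffer == NULL)
                return false;

        // lstrcpyn copies at most cchUserName-1 chars and always NUL-terminates.
        lstrcpyn(username, pBuffer, cchUserName);
        WTSFreeMemory(pBuffer);

        return true;
}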

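// Get domain name from session id
//
// Copies the logon domain of session dwSessionId into domain, which must hold
// at least 256 chars.  Returns false (after printing a diagnostic) if the WTS
// query fails; domain is left untouched in that case.
//
// Fix: the original copied with lstrcpy, an unbounded copy into a fixed-size
// buffer.  The copy is now bounded to the buffer size and always
// NUL-terminated; an over-long name is truncated instead of overflowing.
bool GetSessionDomain(DWORD dwSessionId, char domain[256])
{
        const int cchDomain = 256;      // capacity of the caller's buffer (see signature)
        LPTSTR pBuffer = NULL;
        DWORD dwBufferLen = 0;

        // pBuffer is only assigned on success; a NULL result is treated as failure.
        if (!WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, dwSessionId,
                                        WTSDomainName, &pBuffer, &dwBufferLen)
            || pBuffer == NULL)
        {
                printf("WTSQuerySessionInformation Fail! ");
                return false;
        }

        // lstrcpyn copies at most cchDomain-1 chars and always NUL-terminates.
        lstrcpyn(domain, pBuffer, cchDomain);
        WTSFreeMemory(pBuffer);

        return true;
}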

 

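// Walk the process list and return an open handle to the first process whose
// image name equals szExeName (case-insensitive), or NULL if there is no such
// process, the snapshot could not be taken, or OpenProcess failed.  The caller
// owns the returned handle and must CloseHandle() it.
//
// Fixes versus the original:
//  - the opening brace of the function body was missing (did not compile);
//  - the Toolhelp snapshot handle was leaked on every return path;
//  - CreateToolhelp32Snapshot failure (INVALID_HANDLE_VALUE) was not checked;
//  - the handle was opened inheritable (bInheritHandle=TRUE), so any child
//    created later with bInheritHandles=TRUE would silently receive a
//    PROCESS_ALL_ACCESS handle to the target (typically explorer.exe).  It is
//    now non-inheritable;
//  - the diagnostic always said "explorers" regardless of the name requested;
//  - only the process list is snapshotted (TH32CS_SNAPPROCESS) instead of
//    TH32CS_SNAPALL, which also copies heap/module/thread lists that are never read.
//
// NOTE(review): PROCESS_ALL_ACCESS is kept because the caller is not visible
// here; if the handle is only used for OpenProcessToken, narrow it to
// PROCESS_QUERY_INFORMATION (least privilege).
HANDLE GetProcessHandle(LPCSTR szExeName)
{
        HANDLE hProcess = NULL;
        PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };

        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
                return NULL;

        if (Process32First(hSnapshot, &pe)) {
                do {
                        if (stricmp(pe.szExeFile, szExeName) == 0) {
                                printf("%s PID=%lu ", szExeName, (unsigned long)pe.th32ProcessID);
                                hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID);
                                break;  // first match wins, as in the original
                        }
                } while (Process32Next(hSnapshot, &pe));
        }

        CloseHandle(hSnapshot);   // released on every path
        return hProcess;
}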


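// Print the usage banner to stderr (the usual help-text routine).
//
// Fix: the example path in the original was written with single backslashes
// ("\w", "\s"), which the compiler treats as unknown escape sequences, so the
// banner actually showed "c:win2003system32svchosts.exe".  The backslashes are
// now escaped and the path prints as intended.  All other text is unchanged.
//
// NOTE(review): every fragment ends in a bare space rather than "\n", so the
// banner comes out as one long line; this looks like line breaks lost in
// transcription -- restore "\n" if the original source is available.
// NOTE(review): the example target "svchosts.exe" is not the Windows
// svchost.exe; it is only the author's example argument.
void Usage (void)
{
        static const char kBanner[] =
                "=============================================================== "
                " 名称:在任意的远程桌面的session中运行指定的程序,需要具有system权限 "
                " 环境:Win2003 + Visual C++ 6.0 "
                " 作者:pt007@vip.sina.com "
                "   QQ:7491805 "
                " 声明:本软件由pt007原创,转载请注明出处,谢谢! "
                " "
                " 使用方法: "
                " session 1 c:\\win2003\\system32\\svchosts.exe //在会话1里面运行程序! "
                "============================================================= ";

        // The banner contains no format specifiers, so fputs is equivalent
        // to the original fprintf and avoids any format-string handling.
        fputs(kBanner, stderr);
}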

int main(int argc, char **argv)
{
   

  if(argc==1) //遍历所有的session

  {// 函数的句柄

     HMODULE hInstKernel32    = NULL;

     HMODULE hInstWtsapi32    = NULL;

// 这里的代码用的是VC6,新版的SDK已经包括此函数,无需LoadLibrary了。
     typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();

     WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;

     hInstKernel32 = LoadLibrary("Kernel32.dll");

if (!hInstKernel32)

{

    return FALSE;

}


   WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,"WTSGetActiveConsoleSessionId");

if (!WTSGetActiveConsoleSessionId)

{

   return FALSE;

}


// WTSQueryUserToken 函数,通过会话ID得到令牌

   typedef BOOL (WINAPI *WTSQueryUserTokenPROC)(ULONG SessionId, PHANDLE phToken );

&n
