在任意的远程桌面的session中运行指定的程序
文章作者:pt007[at]vip.sina.com .S.T.O版权所有
信息来源:易做图八进制信息安全团队(www.eviloctal.com)
代码:
//在其它session中(如远程桌面的session)运行指定的程序,需要具有system权限,可以在任意的桌面里运行指定程序
#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <Tlhelp32.h>
#include <tchar.h>
#include <psapi.h>
#include <stdio.h>
#include <STDLIB.H>
#include <tlhelp32.h>
#include <WtsApi32.h>
#pragma comment(lib, "WtsApi32.lib")
#pragma comment (lib,"psapi")
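// Get username from session id
// Looks up the account name of the user logged on to session dwSessionId via
// WTSQuerySessionInformation and copies it into username (a 256-byte buffer
// supplied by the caller). Returns true on success; returns false when the
// query fails or username is NULL, leaving the buffer untouched.
// The copy is bounded to the buffer size so an unexpectedly long name
// returned by the terminal-services API cannot overrun the caller's array.
bool GetSessionUserName(DWORD dwSessionId, char username[256])
{
    if (username == NULL)
        return false;

    LPTSTR pBuffer = NULL;
    DWORD dwBufferLen = 0;
    BOOL bRes = WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, dwSessionId,
                                           WTSUserName, &pBuffer, &dwBufferLen);
    if (bRes == FALSE || pBuffer == NULL)
        return false;

    // lstrcpyn copies at most 255 characters and always NUL-terminates,
    // unlike the unbounded lstrcpy it replaces.
    lstrcpyn(username, pBuffer, 256);
    WTSFreeMemory(pBuffer);
    return true;
}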
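// Get domain name from session id
// Looks up the logon domain of the user in session dwSessionId via
// WTSQuerySessionInformation and copies it into domain (a 256-byte buffer
// supplied by the caller). Returns true on success; on failure prints a
// diagnostic, leaves domain untouched and returns false.
// The copy is bounded to the buffer size so a long domain name cannot
// overrun the caller's array.
bool GetSessionDomain(DWORD dwSessionId, char domain[256])
{
    if (domain == NULL)
        return false;

    LPTSTR pBuffer = NULL;
    DWORD dwBufferLen = 0;
    BOOL bRes = WTSQuerySessionInformation(WTS_CURRENT_SERVER_HANDLE, dwSessionId,
                                           WTSDomainName, &pBuffer, &dwBufferLen);
    if (bRes == FALSE || pBuffer == NULL)
    {
        printf("WTSQuerySessionInformation Fail!\n");
        return false;
    }

    // lstrcpyn stops at 255 characters and always NUL-terminates,
    // unlike the unbounded lstrcpy it replaces.
    lstrcpyn(domain, pBuffer, 256);
    WTSFreeMemory(pBuffer);
    return true;
}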
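// Walk the process list and return a handle to the first process whose image
// name matches szExeName (case-insensitive). Returns NULL when szExeName is
// NULL, when the snapshot cannot be taken, or when no process matches.
// The caller owns the returned handle and must CloseHandle it.
HANDLE GetProcessHandle(LPSTR szExeName) // enumerate processes by image name
{
    if (szExeName == NULL)
        return NULL;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;

    HANDLE hProcess = NULL;
    PROCESSENTRY32 Pc = { sizeof(PROCESSENTRY32) };
    if (Process32First(hSnapshot, &Pc)) {
        do {
            if (!stricmp(Pc.szExeFile, szExeName)) {
                // Report the matched image rather than a hard-coded name;
                // th32ProcessID is a DWORD, so print it as unsigned long.
                printf("%s PID=%lu\n", Pc.szExeFile, (unsigned long)Pc.th32ProcessID);
                // PROCESS_ALL_ACCESS plus an inheritable handle grants more
                // than most callers need; narrow the access mask and set
                // bInheritHandle to FALSE once the caller's actual
                // requirement is pinned down. Kept as-is so existing callers
                // keep working.
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, Pc.th32ProcessID);
                break;
            }
        } while (Process32Next(hSnapshot, &Pc));
    }

    // The snapshot handle must be released on every path; the original
    // leaked it both on a match and when nothing matched.
    CloseHandle(hSnapshot);
    return hProcess;
}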
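// Print the command-line help text to stderr.
// Each line of the banner ends in an explicit "\n"; the backslashes in the
// example path are escaped so the literal prints the path as written
// instead of swallowing the separators as unknown escape sequences.
void Usage (void)
{
    fprintf(stderr,
        "===============================================================\n"
        " 名称:在任意的远程桌面的session中运行指定的程序,需要具有system权限\n"
        " 环境:Win2003 + Visual C++ 6.0\n"
        " 作者:pt007@vip.sina.com\n"
        " QQ:7491805\n"
        " 声明:本软件由pt007原创,转载请注明出处,谢谢!\n"
        "\n"
        " 使用方法:\n"
        " session 1 c:\\win2003\\system32\\svchosts.exe //在会话1里面运行程序!\n"
        "=============================================================\n");
}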
int main(int argc, char **argv)
{
if(argc==1) //遍历所有的session
{// 函数的句柄
HMODULE hInstKernel32 = NULL;
HMODULE hInstWtsapi32 = NULL;
// 这里的代码用的是VC6,新版的SDK已经包括此函数,无需LoadLibrary了。
typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();
WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;
hInstKernel32 = LoadLibrary("Kernel32.dll");
if (!hInstKernel32)
{
return FALSE;
}
WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,"WTSGetActiveConsoleSessionId");
if (!WTSGetActiveConsoleSessionId)
{
return FALSE;
}
// WTSQueryUserToken 函数,通过会话ID得到令牌
typedef BOOL (WINAPI *WTSQueryUserTokenPROC)(ULONG SessionId, PHANDLE phToken );
&n