sesoff.cpp

Cracker终结者——提供最优秀的软件保护技术

#define _WIN32_WINNT 0x500
#define WIN32_LEAN_AND_MEAN
//#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>


DWORD WINAPI FindUserProcess(LONG SessionId, LPCTSTR WellKnownProcesses[]) {
  DWORD PID = PW_MEMERROR;
  TCHAR SesProcName[127];
  for(DWORD i=0; WellKnownProcesses[i]; i++) {
    _stprintf(SesProcName, _T("%02u/%s"), SessionId, WellKnownProcesses[i]);
    if((PID = (DWORD)ProcessName2PID(SesProcName)) < PW_SESERROR)
      break;
  }
  return(PID);
}

void _tmain(int argc, TCHAR** argv) {
  if(argc != 2)
    _tprintf(_T("Usage: SesOff <SessionId>"));
  else {
     
    TCHAR TSessionId[16];
    ExpandEnvironmentStrings(argv[1], TSessionId, 16);
    LONG SessionId = -1;
    _stscanf(TSessionId, _T("%u"), &SessionId);  

    //to do: find any non-system process in session
    //here's just an approximation: finding WKP
    LPCTSTR WKP[4] = {_T("explorer.exe"), _T("cmd.exe"), _T("taskmgr.exe"), NULL};
    DWORD PID = FindUserProcess(SessionId, WKP);
    if(PID >= PW_SESERROR)
      _tprintf(_T("Can't find user process in session %u!"), SessionId);
    else {
      DWORD Parms[2] = {EWX_LOGOFF | ((UCHAR)GetVersion() > 4 ? EWX_FORCEIFHUNG : 0), 0xE1C2};
      DWORD LACresult = LoadAndCall(NULL, _T("USER32.dll"), PID, 5000, 1, _T("ExitWindowsEx"), 2, Parms);
      _tprintf(_T("ExitWindowsEx returned 0x%.8X."), LACresult); 
    }  
  }
  //Sleep(1500);
}