opentelnet.exe 源代码

// Usage: OpenTelnet.exe \\server username password NTLMAuth telnetport

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <windows.h>
#include <Winnetwk.h>
#include <Winreg.h>
#include <Shlwapi.h>

#pragma comment(lib, "Advapi32.lib")
#pragma comment(lib, "Mpr.lib")

/* State shared between main() and the service helpers below. */
SC_HANDLE g_schSCManager;   /* SCM handle on the target; opened in main(), used by RestartTelnet()/StartRemoteRegistry() */
HKEY  g_hKey;   /* remote HKEY_LOCAL_MACHINE obtained from RegConnectRegistry() in main() */
DWORD  g_DefaultTelnetStartType;   /* TlntSvr start type as found by RestartTelnet(), saved as default_TelnetStart */
DWORD  g_DefaultRegistryStartType;   /* RemoteRegistry start type as found by StartRemoteRegistry(), saved as default_RegistryStart */
LPBYTE  g_lpDefaultTelnetNTLM;   /* buffer main() reads the NTLM value into (saved as default_NTLM) */
LPBYTE  g_lpDefaultTelnetPort;   /* buffer main() reads the TelnetPort value into (saved as default_Port) */

void Usage(char*);                    /* print banner and command-line syntax */
int RestartTelnet();                  /* stop/start TlntSvr on the target; 1 = ok, 0 = failed */
int StartRemoteRegistry();            /* make sure RemoteRegistry is running; 1 = ok, 0 = failed */
int MyStartService(SC_HANDLE, char*); /* StartService + wait for SERVICE_RUNNING; 1 = ok, 0 = failed */


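/*
 * Entry point:  OpenTelnet.exe \\server username password NTLMAuth telnetport
 *
 * Steps, in order:
 *   1. validate the numeric arguments (NTLM mode, port) before any network I/O
 *   2. open \\server\ipc$ with the supplied credentials (WNetAddConnection2)
 *   3. open the target's SCM and make sure Remote Registry is running
 *   4. read the Telnet server's NTLM / TelnetPort registry values, save them
 *      under default_NTLM / default_Port, then write the requested values
 *   5. restart TlntSvr and record both services' original start types under
 *      default_TelnetStart / default_RegistryStart for a later restore
 *   6. release every handle and drop the IPC$ connection
 *
 * Always returns 0 (the original contract); problems are reported on stdout.
 *
 * Security notes for whoever runs this:
 *   - the password travels on the command line, so it is visible to every
 *     local user through the process list and may land in shell history;
 *   - every step needs administrative rights on the target and changes its
 *     service configuration; the default_* values are the only record of
 *     the previous state.
 */
int main(int argc, char* argv[])
{
    enum { MAX_CONNECT_RETRIES = 3 };   /* bounds the "already connected" retry loop */
    DWORD dwErr;
    int nRetries;
    int nLen;
    char szIpc[MAX_PATH];
    HKEY hKey = NULL;
    LPSTR lpUserName, lpPassword;
    NETRESOURCEA NET = {0};             /* zeroed so the fields we do not set are not garbage */
    DWORD dwNTLM, dwTelnetPort;
    DWORD dwOldNTLM, dwOldPort;         /* values found on the target before we touch them */
    DWORD dwType, dwDataSize;
    unsigned long ulParsed;
    char *pEnd;
    BOOL bConnected = FALSE;

    g_hKey = NULL;
    g_schSCManager = NULL;

    Usage(argv[0]);                     /* banner and usage text */
    /* argv[5] (the port) is read below, so six arguments are required;
       the original "argc < 5" check let argc == 5 read past the end of argv. */
    if (argc < 6)
        return 0;

    lpUserName = argv[2];
    lpPassword = argv[3];

    /* Parse and range-check the numeric arguments up front, before any remote
       operation, with strtoul so that garbage is rejected instead of silently
       becoming 0 (atoi) and being written to the target's registry. */
    ulParsed = strtoul(argv[4], &pEnd, 10);
    if (pEnd == argv[4] || *pEnd != '\0')
    {
        printf("Bad NTLM value '%s' (expected 0, 1 or 2)\n", argv[4]);
        return 0;
    }
    dwNTLM = (ulParsed >= 3) ? 1 : (DWORD)ulParsed;   /* original clamp kept: anything >= 3 becomes 1 */

    ulParsed = strtoul(argv[5], &pEnd, 10);
    if (pEnd == argv[5] || *pEnd != '\0' || ulParsed < 1 || ulParsed > 65535)
    {
        printf("Bad telnet port '%s' (expected 1-65535)\n", argv[5]);
        return 0;
    }
    dwTelnetPort = (DWORD)ulParsed;

    /* Build \\server\ipc$ with a bounded write; the original sprintf into a
       50-byte buffer overflowed on a long server name. */
    nLen = snprintf(szIpc, sizeof szIpc, "%s\\ipc$", argv[1]);
    if (nLen < 0 || (size_t)nLen >= sizeof szIpc)
    {
        printf("Server name too long!\n");
        return 0;
    }

    NET.dwType = RESOURCETYPE_ANY;
    NET.lpLocalName = NULL;
    NET.lpRemoteName = szIpc;
    NET.lpProvider = NULL;

    printf("Connecting %s", argv[1]);

    /* Drop any existing session to the share and open a fresh one with our
       credentials.  The loop is bounded; the original looped via goto for as
       long as the cancel kept failing. */
    for (nRetries = 0; ; nRetries++)
    {
        dwErr = WNetCancelConnection2A(szIpc, CONNECT_UPDATE_PROFILE, TRUE);
        if (dwErr == NO_ERROR)
            printf("Canncel Successfully!\n");

        dwErr = WNetAddConnection2A(&NET, lpPassword, lpUserName, CONNECT_INTERACTIVE);
        if (dwErr != ERROR_ALREADY_ASSIGNED && dwErr != ERROR_DEVICE_ALREADY_REMEMBERED)
            break;
        if (nRetries >= MAX_CONNECT_RETRIES)
        {
            printf("\n\tErr:existing connection to %s could not be replaced\n", szIpc);
            return 0;
        }
        printf("Already conneted to the server!\n");
        printf("Now re-connecting the server\n");
    }

    if (dwErr != NO_ERROR)
    {
        printf("\n\tErr:");
        switch (dwErr)
        {
        case ERROR_ACCESS_DENIED:
            printf("ERROR_ACCESS_DENIED\n");
            break;
        case ERROR_BAD_NET_NAME:
            printf("ERROR_BAD_NET_NAME\n");
            break;
        default:
            /* WNetAddConnection2 returns the error code itself; the original
               printed GetLastError(), which is not meaningful here. */
            printf("CONNECT ERR:%lu!\n", dwErr);
            break;
        }
        return 0;
    }
    printf("Successfully!\n");
    bConnected = TRUE;

    /* SC_MANAGER_CONNECT is all that OpenService() needs; ALL_ACCESS was far
       more than this tool uses. */
    g_schSCManager = OpenSCManagerA(argv[1], NULL, SC_MANAGER_CONNECT);
    if (g_schSCManager == NULL)
    {
        printf("Open SCManager failed!\n");
        goto cleanup;
    }

    if (!StartRemoteRegistry())
    {
        printf("All Process Failed!\n");
        goto cleanup;
    }

    if (RegConnectRegistryA(argv[1], HKEY_LOCAL_MACHINE, &g_hKey) != ERROR_SUCCESS)
    {
        g_hKey = NULL;
        printf("Connect remote registry failed!\n");
        goto cleanup;
    }

    /* Only query and set rights are needed on the Telnet key. */
    if (RegOpenKeyExA(g_hKey, "SOFTWARE\\Microsoft\\TelnetServer\\1.0", 0,
                      KEY_QUERY_VALUE | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS)
    {
        hKey = NULL;
        printf("Open key failed!\n");
        goto cleanup;
    }

    /* Read the current NTLM and TelnetPort values straight into DWORDs and
       insist on REG_DWORD; the original read into a 50-byte buffer and later
       wrote sizeof(DWORD) of it back whatever the stored type was. */
    dwDataSize = sizeof dwOldNTLM;
    if (RegQueryValueExA(hKey, "NTLM", NULL, &dwType, (LPBYTE)&dwOldNTLM, &dwDataSize) != ERROR_SUCCESS
        || dwType != REG_DWORD)
    {
        printf("Read NTLM failed!\n ");
        goto cleanup;
    }
    dwDataSize = sizeof dwOldPort;
    if (RegQueryValueExA(hKey, "TelnetPort", NULL, &dwType, (LPBYTE)&dwOldPort, &dwDataSize) != ERROR_SUCCESS
        || dwType != REG_DWORD)
    {
        printf("Read port failed!\n ");
        goto cleanup;
    }

    /* Save the originals before overwriting them so a failure in between
       cannot lose them.  NOTE(review): a second run overwrites these with the
       values the first run wrote -- confirm with the restore tool whether that
       matters. */
    if (RegSetValueExA(hKey, "default_NTLM", 0, REG_DWORD, (LPBYTE)&dwOldNTLM, sizeof dwOldNTLM) != ERROR_SUCCESS)
    {
        printf("Set defaultNTLM value failed!");
        goto cleanup;
    }
    if (RegSetValueExA(hKey, "default_Port", 0, REG_DWORD, (LPBYTE)&dwOldPort, sizeof dwOldPort) != ERROR_SUCCESS)
    {
        printf("Set defaultPort value failed!");
        goto cleanup;
    }

    if (RegSetValueExA(hKey, "NTLM", 0, REG_DWORD, (LPBYTE)&dwNTLM, sizeof dwNTLM) != ERROR_SUCCESS)
    {
        printf("Set NTLM value failed!");
        goto cleanup;
    }
    /* The original ignored this result; a failed port write would still end
       in a success message naming the wrong port. */
    if (RegSetValueExA(hKey, "TelnetPort", 0, REG_DWORD, (LPBYTE)&dwTelnetPort, sizeof dwTelnetPort) != ERROR_SUCCESS)
    {
        printf("Set TelnetPort value failed!");
        goto cleanup;
    }

    if (RestartTelnet())
    {
        printf("\nBINGLE!!!Yeah!!\n");
        printf("Telnet Port is %lu. You can try:\"telnet ip %lu\", to connect the server!", dwTelnetPort, dwTelnetPort);
    }

    /* Start types are known only after the service helpers ran; they are
       recorded even if the restart failed, as the original did.
       NOTE(review): if RestartTelnet() failed before it read the service
       config, g_DefaultTelnetStartType is still 0 (SERVICE_BOOT_START); a
       restore tool should treat that value with suspicion. */
    if (RegSetValueExA(hKey, "default_TelnetStart", 0, REG_DWORD, (LPBYTE)&g_DefaultTelnetStartType, sizeof(DWORD)) != ERROR_SUCCESS)
    {
        printf("Set defaulttelnetstart value failed!");
        goto cleanup;
    }
    if (RegSetValueExA(hKey, "default_RegistryStart", 0, REG_DWORD, (LPBYTE)&g_DefaultRegistryStartType, sizeof(DWORD)) != ERROR_SUCCESS)
    {
        printf("Set defaultregistrystart value failed!");
        goto cleanup;
    }

cleanup:
    /* Release everything on every path; the original leaked the handles and
       left the IPC$ session open whenever it bailed out early. */
    if (hKey != NULL)
        RegCloseKey(hKey);
    if (g_hKey != NULL)
    {
        RegCloseKey(g_hKey);
        g_hKey = NULL;
    }
    if (g_schSCManager != NULL)
    {
        CloseServiceHandle(g_schSCManager);
        g_schSCManager = NULL;
    }
    if (bConnected)
    {
        /* Cancel the same name the connection was added under (szIpc); the
           original passed the bare server name, which is not a connection. */
        printf("\nDisconnecting server");
        dwErr = WNetCancelConnection2A(szIpc, CONNECT_UPDATE_PROFILE, TRUE);
        if (dwErr == NO_ERROR)
            printf("Successfully!\n");
        else
            printf("Failed!\n");
    }
    return 0;
}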

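/*
 * Print the banner and the command-line syntax.
 *
 * pcAppName - argv[0]; may be NULL when the program is started with an
 *             empty argument vector, in which case a fixed name is printed
 *             instead of handing NULL to printf.
 */
void Usage(char* pcAppName)
{
    printf("*******************************************************\n");
    printf("Remote Telnet Configure, by refdom\n");
    printf("Email: [email protected]\n");
    printf("%s\n\n", pcAppName != NULL ? pcAppName : "OpenTelnet.exe");
    /* NTLMAuth and telnetport are two separate arguments (argv[4], argv[5]);
       the original text ran them together as one word. */
    printf("Usage:OpenTelnet.exe \\\\server username password NTLMAuth telnetport\n");
    printf("*******************************************************\n");
}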

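/*
 * Restart the remote Telnet service ("TlntSvr") through g_schSCManager so
 * the registry values written by main() take effect.
 *
 * Records the service's current start type in g_DefaultTelnetStartType,
 * switches a disabled service to demand start, stops it if it is running,
 * waits for SERVICE_STOPPED, then starts it via MyStartService().
 * Returns 1 on success, 0 on failure.  A start type changed away from
 * SERVICE_DISABLED is not reverted here; main() stores the old value under
 * default_TelnetStart for a later restore.
 */
int RestartTelnet()
{
    enum { STOP_TIMEOUT_MS = 30000 };   /* upper bound on waiting for the stop */
    DWORD dwWaitTime;
    DWORD dwConfigSize = 0;
    DWORD dwStopStart;
    SC_HANDLE schTelnetService = NULL;
    SERVICE_STATUS ssTelnetStatus;
    LPQUERY_SERVICE_CONFIGA lpTelnetConfig = NULL;
    int nResult = 0;

    printf("\nNOTICE!!!!!!\n");
    printf("The Telnet Service default setting:NTLMAuthor=2  TelnetPort=23\n\n");

    /* Request only the rights used below instead of SERVICE_ALL_ACCESS. */
    schTelnetService = OpenServiceA(g_schSCManager, "TlntSvr",
                                    SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG |
                                    SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP);
    if (schTelnetService == NULL)
    {
        printf("Open service failed!\n");
        goto cleanup;
    }

    /* Size the config buffer from the SCM instead of assuming 1024 bytes hold
       the binary path, dependency list and account name. */
    if (QueryServiceConfigA(schTelnetService, NULL, 0, &dwConfigSize)
        || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        printf("Query service congfig failed!\n");
        goto cleanup;
    }
    lpTelnetConfig = (LPQUERY_SERVICE_CONFIGA)LocalAlloc(LPTR, dwConfigSize);
    if (lpTelnetConfig == NULL)
    {
        printf("Alloc memory failed!\n");
        goto cleanup;
    }
    if (!QueryServiceConfigA(schTelnetService, lpTelnetConfig, dwConfigSize, &dwConfigSize))
    {
        printf("Query service congfig failed!\n");
        goto cleanup;
    }

    /* Remember the start type so main() can record it for a restore. */
    g_DefaultTelnetStartType = lpTelnetConfig->dwStartType;

    /* A disabled service cannot be started; switch it to demand start. */
    if (lpTelnetConfig->dwStartType == SERVICE_DISABLED)
    {
        if (!ChangeServiceConfigA(schTelnetService,
                                  SERVICE_NO_CHANGE,
                                  SERVICE_DEMAND_START,
                                  SERVICE_NO_CHANGE,
                                  NULL, NULL, NULL, NULL, NULL, NULL, NULL))
        {
            printf("Change service config failed!\n");
            goto cleanup;
        }
    }

    if (!QueryServiceStatus(schTelnetService, &ssTelnetStatus))
    {
        printf("Query service status failed!\n");
        goto cleanup;
    }

    if (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED)
    {
        /* Send the stop unless one is already in progress. */
        if (ssTelnetStatus.dwCurrentState != SERVICE_STOP_PENDING)
        {
            printf("Stopping telnet service \n");
            if (!ControlService(schTelnetService, SERVICE_CONTROL_STOP, &ssTelnetStatus))
            {
                printf("Control telnet service status failed!\n");
                goto cleanup;
            }
        }

        /* Poll until SERVICE_STOPPED.  The original slept once and accepted
           STOP_PENDING as "stopped", after which StartService() fails. */
        dwStopStart = GetTickCount();
        while (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED)
        {
            dwWaitTime = ssTelnetStatus.dwWaitHint / 10;   /* SCM-recommended poll interval */
            if (dwWaitTime < 1000)
                dwWaitTime = 1000;
            else if (dwWaitTime > 10000)
                dwWaitTime = 10000;
            Sleep(dwWaitTime);

            if (!QueryServiceStatus(schTelnetService, &ssTelnetStatus))
            {
                printf("Query service status failed!\n");
                goto cleanup;
            }
            if (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED
                && GetTickCount() - dwStopStart > STOP_TIMEOUT_MS)
                break;
        }

        if (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED)
        {
            printf("Stopping telnet service failed!\n");
            goto cleanup;
        }
        printf("Telnet service is stopped successfully!\n");
    }

    if (MyStartService(schTelnetService, "telnet"))
        nResult = 1;

cleanup:
    /* The original freed neither the config buffer nor the handle on failure. */
    if (lpTelnetConfig != NULL)
        LocalFree(lpTelnetConfig);
    if (schTelnetService != NULL)
        CloseServiceHandle(schTelnetService);
    return nResult;
}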

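/*
 * Make sure the Remote Registry service on the target is running so that
 * RegConnectRegistry() in main() can succeed.
 *
 * Records the service's current start type in g_DefaultRegistryStartType,
 * switches a disabled service to demand start and starts it through
 * MyStartService() unless it already reports SERVICE_RUNNING.
 * Returns 1 on success, 0 on failure.  Uses g_schSCManager.
 */
int StartRemoteRegistry()
{
    SC_HANDLE schRegistryService = NULL;
    SERVICE_STATUS ssRegistryStatus;
    LPQUERY_SERVICE_CONFIGA lpRegistryConfig = NULL;
    DWORD dwConfigSize = 0;
    int nResult = 0;

    /* Request only the rights used below instead of SERVICE_ALL_ACCESS. */
    schRegistryService = OpenServiceA(g_schSCManager, "RemoteRegistry",
                                      SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG |
                                      SERVICE_QUERY_STATUS | SERVICE_START);
    if (schRegistryService == NULL)
    {
        printf("Open remote registry service failed!\n");
        goto cleanup;
    }

    /* Size the config buffer from the SCM rather than assuming 1024 bytes. */
    if (QueryServiceConfigA(schRegistryService, NULL, 0, &dwConfigSize)
        || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        printf("Query registry service config failed!\n");
        goto cleanup;
    }
    lpRegistryConfig = (LPQUERY_SERVICE_CONFIGA)LocalAlloc(LPTR, dwConfigSize);
    if (lpRegistryConfig == NULL)
    {
        printf("Alloc memory failed!\n");
        goto cleanup;
    }
    if (!QueryServiceConfigA(schRegistryService, lpRegistryConfig, dwConfigSize, &dwConfigSize))
    {
        printf("Query registry service config failed!\n");
        goto cleanup;
    }

    /* Remember the start type so main() can record it for a restore; a
       disabled service cannot be started, so switch it to demand start. */
    g_DefaultRegistryStartType = lpRegistryConfig->dwStartType;
    if (g_DefaultRegistryStartType == SERVICE_DISABLED)
    {
        if (!ChangeServiceConfigA(schRegistryService,
                                  SERVICE_NO_CHANGE,
                                  SERVICE_DEMAND_START,
                                  SERVICE_NO_CHANGE,
                                  NULL, NULL, NULL, NULL, NULL, NULL, NULL))
        {
            printf("Change registry service config failed!\n");
            goto cleanup;
        }
    }

    if (!QueryServiceStatus(schRegistryService, &ssRegistryStatus))
    {
        printf("Query remote registry service failed!\n");
        goto cleanup;
    }

    if (ssRegistryStatus.dwCurrentState != SERVICE_RUNNING)
    {
        if (!MyStartService(schRegistryService, "remote registry"))
            goto cleanup;
    }
    nResult = 1;

cleanup:
    /* The original freed neither the config buffer nor the handle on failure. */
    if (lpRegistryConfig != NULL)
        LocalFree(lpRegistryConfig);
    if (schRegistryService != NULL)
        CloseServiceHandle(schRegistryService);
    return nResult;
}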

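/*
 * Start the service behind schService and wait until it reports
 * SERVICE_RUNNING.
 *
 * schService    - handle opened with at least SERVICE_START | SERVICE_QUERY_STATUS
 * szServiceName - name used only in the progress messages
 * Returns 1 when the service reaches SERVICE_RUNNING, 0 otherwise.
 *
 * The wait follows the SCM pattern: sleep a tenth of dwWaitHint (clamped
 * to 1..10 s) between polls, and give up when the checkpoint has not
 * advanced for longer than dwWaitHint.
 */
int MyStartService(SC_HANDLE schService, char* szServiceName)
{
    DWORD dwWaitTime;
    DWORD dwOldCheckPoint;
    DWORD dwStartTickCount;
    SERVICE_STATUS ssStatus;

    printf("Starting %s service\n", szServiceName);
    if (!StartService(schService, 0, NULL))
    {
        /* ERROR_SERVICE_ALREADY_RUNNING is not a failure for our purpose
           (presumably the caller found it in START_PENDING); fall through
           and wait for SERVICE_RUNNING below. */
        if (GetLastError() != ERROR_SERVICE_ALREADY_RUNNING)
        {
            printf("Starting %s service failed!\n", szServiceName);
            return 0;
        }
    }

    /* Without a status snapshot the fields of ssStatus would be read
       uninitialised; the original carried on regardless. */
    if (!QueryServiceStatus(schService, &ssStatus))
    {
        printf("Query %s service status failed!\n", szServiceName);
        return 0;
    }

    dwStartTickCount = GetTickCount();
    dwOldCheckPoint = ssStatus.dwCheckPoint;

    while (ssStatus.dwCurrentState == SERVICE_START_PENDING)
    {
        dwWaitTime = ssStatus.dwWaitHint / 10;   /* SCM-recommended poll interval */
        if (dwWaitTime < 1000)
            dwWaitTime = 1000;
        else if (dwWaitTime > 10000)
            dwWaitTime = 10000;
        Sleep(dwWaitTime);

        if (!QueryServiceStatus(schService, &ssStatus))
            break;

        if (ssStatus.dwCheckPoint > dwOldCheckPoint)
        {
            /* The service made progress: restart the no-progress clock. */
            dwStartTickCount = GetTickCount();
            dwOldCheckPoint = ssStatus.dwCheckPoint;
        }
        else if (GetTickCount() - dwStartTickCount > ssStatus.dwWaitHint)
        {
            break;   /* no progress within the service's own hint */
        }
    }

    if (ssStatus.dwCurrentState != SERVICE_RUNNING)
    {
        printf("%s service is not started!\n", szServiceName);
        return 0;
    }
    printf("%s service is started successfully! %s service is running!\n", szServiceName, szServiceName);
    return 1;
}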
 
