#include "SessionMonitor.h"
#include <stdio.h>
#include <tlhelp32.h>
#include <userenv.h>
#pragma comment(lib, "userenv.lib")
// Dynamic array: initial capacity
#define INITIAL_CAPACITY 4
#define Mprintf(format, ...) MyLog(__FILE__, __LINE__, format, __VA_ARGS__)
extern void MyLog(const char* file, int line, const char* format, ...);
// Forward declarations
static DWORD WINAPI MonitorThreadProc(LPVOID param);
static void MonitorLoop(SessionMonitor* self);
static BOOL LaunchAgentInSession(SessionMonitor* self, DWORD sessionId);
static BOOL IsAgentRunningInSession(SessionMonitor* self, DWORD sessionId);
static void TerminateAllAgents(SessionMonitor* self);
static void CleanupDeadProcesses(SessionMonitor* self);
// Dynamic array helper functions
static void AgentArray_Init(AgentProcessArray* arr);
static void AgentArray_Free(AgentProcessArray* arr);
static BOOL AgentArray_Add(AgentProcessArray* arr, const AgentProcessInfo* info);
static void AgentArray_RemoveAt(AgentProcessArray* arr, size_t index);
// ============================================
// Dynamic array implementation
// ============================================
/*
 * Put an AgentProcessArray into its empty state: no storage, zero count,
 * zero capacity. Must run before any other AgentArray_* call on `arr`.
 *
 * @param arr  Array to initialise; must not be NULL.
 */
static void AgentArray_Init(AgentProcessArray* arr)
{
    arr->capacity = 0;
    arr->count = 0;
    arr->items = NULL;
}
/*
 * Release the array's storage and return it to the empty state.
 *
 * Only the backing buffer is freed; the process handles held in the
 * entries are NOT closed here. SessionMonitor_Cleanup stops the monitor
 * first, and TerminateAllAgents closes those handles on that path.
 *
 * @param arr  Array to free; must not be NULL. Safe on an already-empty array.
 */
static void AgentArray_Free(AgentProcessArray* arr)
{
    AgentProcessInfo* storage = arr->items;

    arr->count = 0;
    arr->capacity = 0;
    arr->items = NULL;

    if (storage != NULL) {
        free(storage);
    }
}
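/*
 * Append a copy of `*info` to the array, growing the storage when needed.
 *
 * Growth starts at INITIAL_CAPACITY and doubles. The size computation is
 * checked for overflow before the allocation: a wrapped product would let
 * realloc succeed with a buffer far smaller than the capacity we record.
 *
 * @param arr   Destination array; must not be NULL.
 * @param info  Entry to copy in; must not be NULL.
 * @return TRUE on success, FALSE if the allocation (or its size check)
 *         fails. On failure the array is left exactly as it was.
 */
static BOOL AgentArray_Add(AgentProcessArray* arr, const AgentProcessInfo* info)
{
    if (arr->count >= arr->capacity) {
        size_t newCapacity = (arr->capacity == 0) ? INITIAL_CAPACITY : arr->capacity * 2;
        AgentProcessInfo* newItems;

        /* (size_t)-1 is SIZE_MAX; spelled this way so no extra header is needed */
        if (newCapacity > (size_t)-1 / sizeof *arr->items) {
            return FALSE;
        }

        /* realloc into a temporary: on failure arr->items is still valid. */
        newItems = (AgentProcessInfo*)realloc(arr->items, newCapacity * sizeof *arr->items);
        if (!newItems) {
            return FALSE;
        }
        arr->items = newItems;
        arr->capacity = newCapacity;
    }

    arr->items[arr->count] = *info;
    arr->count++;
    return TRUE;
}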
/*
 * Remove the entry at `index`, shifting the following entries down by one.
 *
 * An out-of-range index is ignored. Only the slot is dropped: the process
 * handle inside the entry is not closed here, callers close it beforehand
 * (see CleanupDeadProcesses).
 *
 * @param arr    Array to edit; must not be NULL.
 * @param index  Zero-based position of the entry to drop.
 */
static void AgentArray_RemoveAt(AgentProcessArray* arr, size_t index)
{
    size_t tail;

    if (index >= arr->count) {
        return;
    }

    /* Number of entries after the removed one; they move down one slot. */
    tail = arr->count - index - 1;
    if (tail > 0) {
        memmove(&arr->items[index], &arr->items[index + 1], tail * sizeof arr->items[0]);
    }
    arr->count--;
}
// ============================================
// Public interface implementation
// ============================================
/*
 * Initialise a SessionMonitor: no thread, not running, an initialised
 * critical section for the process list, and an empty agent array.
 *
 * Pair with SessionMonitor_Cleanup.
 *
 * @param self  Monitor to initialise; must not be NULL.
 */
void SessionMonitor_Init(SessionMonitor* self)
{
    AgentArray_Init(&self->agentProcesses);
    InitializeCriticalSection(&self->csProcessList);
    self->running = FALSE;
    self->monitorThread = NULL;
}
/*
 * Tear down a SessionMonitor initialised with SessionMonitor_Init.
 *
 * Order matters: Stop joins the monitor thread and terminates the tracked
 * agents (closing their handles), so nothing touches the critical section
 * or the array afterwards; only then are they destroyed.
 *
 * @param self  Monitor to tear down; must not be NULL.
 */
void SessionMonitor_Cleanup(SessionMonitor* self)
{
    /* Stops the thread and closes every tracked process handle. */
    SessionMonitor_Stop(self);

    /* Now safe: no other thread can be inside the lock. */
    DeleteCriticalSection(&self->csProcessList);

    /* Frees the backing buffer only (handles were closed above). */
    AgentArray_Free(&self->agentProcesses);
}
/*
 * Start the monitor thread. Idempotent: a second call while running logs
 * and returns TRUE without creating another thread.
 *
 * `running` is set before CreateThread so MonitorLoop's first
 * `while (self->running)` test sees TRUE. NOTE(review): `running` is a plain
 * BOOL read by the monitor thread without synchronisation.
 *
 * @param self  Monitor to start; must be initialised.
 * @return TRUE if the thread is (or already was) running, FALSE if
 *         CreateThread failed (running is reset to FALSE in that case).
 */
BOOL SessionMonitor_Start(SessionMonitor* self)
{
    HANDLE thread;

    if (self->running) {
        Mprintf("Monitor already running");
        return TRUE;
    }

    Mprintf("========================================");
    Mprintf("Starting session monitor...");

    self->running = TRUE;
    thread = CreateThread(NULL, 0, MonitorThreadProc, self, 0, NULL);
    self->monitorThread = thread;

    if (thread == NULL) {
        Mprintf("ERROR: Failed to create monitor thread");
        self->running = FALSE;
        return FALSE;
    }

    Mprintf("Session monitor thread created");
    return TRUE;
}
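/*
 * Stop the monitor thread and terminate every tracked agent process.
 *
 * Clears `running` (MonitorLoop polls it), waits up to 10 s for the thread,
 * then calls TerminateAllAgents. The wait result is checked: if the thread
 * has not exited, a warning is logged, because SessionMonitor_Cleanup deletes
 * the critical section right after this and a still-running MonitorLoop
 * would then use a deleted lock. No-op when the monitor is not running.
 *
 * @param self  Monitor to stop; must not be NULL.
 */
void SessionMonitor_Stop(SessionMonitor* self)
{
    DWORD waitResult;

    if (!self->running) {
        return;
    }

    Mprintf("Stopping session monitor...");
    self->running = FALSE;

    if (self->monitorThread) {
        waitResult = WaitForSingleObject(self->monitorThread, 10000);
        if (waitResult != WAIT_OBJECT_0) {
            /* Thread still alive (timeout) or the wait itself failed. */
            Mprintf("WARNING: monitor thread did not exit within 10s, wait result=%d", (int)waitResult);
        }
        CloseHandle(self->monitorThread);
        self->monitorThread = NULL;
    }

    Mprintf("Terminating all agent processes...");
    TerminateAllAgents(self);

    Mprintf("Session monitor stopped");
    Mprintf("========================================");
}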
// ============================================
// Internal function implementation
// ============================================
/*
 * Thread entry point created by SessionMonitor_Start.
 *
 * @param param  The SessionMonitor* passed to CreateThread.
 * @return Always 0; the loop runs until SessionMonitor_Stop clears `running`.
 */
static DWORD WINAPI MonitorThreadProc(LPVOID param)
{
    MonitorLoop((SessionMonitor*)param);
    return 0;
}
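/*
 * Main body of the monitor thread.
 *
 * Every pass: drop dead agents from the list, enumerate WTS sessions, and
 * for the FIRST active session make sure an agent is running there
 * (launching one if not). Then sleep ~10 s in 100 ms slices so a Stop
 * request is noticed promptly. Periodic messages are logged only on every
 * 5th pass to keep the log small.
 *
 * All log lines are formatted by the logger itself: session data such as
 * pWinStationName is external input and is never used as a format string.
 *
 * @param self  Owning monitor; `running` is polled (unsynchronised) to exit.
 */
static void MonitorLoop(SessionMonitor* self)
{
    int loopCount = 0;
    PWTS_SESSION_INFO pSessionInfo;
    DWORD dwCount;
    DWORD i;
    BOOL foundActiveSession;
    DWORD sessionId;
    BOOL verbose;
    int j;

    Mprintf("Monitor loop started");

    while (self->running) {
        loopCount++;
        verbose = (loopCount % 5 == 1);

        /* Remove entries whose process has already exited. */
        CleanupDeadProcesses(self);

        pSessionInfo = NULL;
        dwCount = 0;

        if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSessionInfo, &dwCount)) {
            foundActiveSession = FALSE;

            for (i = 0; i < dwCount; i++) {
                if (pSessionInfo[i].State != WTSActive) {
                    continue;
                }
                sessionId = pSessionInfo[i].SessionId;
                foundActiveSession = TRUE;

                if (verbose) {
                    Mprintf("Active session found: ID=%d, Name=%s",
                            (int)sessionId, pSessionInfo[i].pWinStationName);
                }

                if (!IsAgentRunningInSession(self, sessionId)) {
                    Mprintf("Agent not running in session %d, launching...", (int)sessionId);
                    if (LaunchAgentInSession(self, sessionId)) {
                        Mprintf("Agent launched successfully");
                        /* Give the new process time to start before the next check. */
                        Sleep(2000);
                    } else {
                        Mprintf("Failed to launch agent");
                    }
                }

                /* Only the first active session is handled per pass. */
                break;
            }

            if (!foundActiveSession && verbose) {
                Mprintf("No active sessions found");
            }

            WTSFreeMemory(pSessionInfo);
        } else if (verbose) {
            Mprintf("WTSEnumerateSessions failed");
        }

        /* ~10 s total, but re-check `running` every 100 ms. */
        for (j = 0; j < 100 && self->running; j++) {
            Sleep(100);
        }
    }

    Mprintf("Monitor loop exited");
}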
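/*
 * Report whether a process with the same image file name as this executable
 * (other than ourselves) exists in `sessionId`.
 *
 * The match is by base file name only, case-insensitive; it is a heuristic,
 * not an identity check: any process with the same name in that session
 * counts, not only the ones this monitor launched.
 *
 * GetModuleFileName is treated as failed when it returns 0 OR fills the
 * whole buffer (a truncated path cannot be matched reliably).
 *
 * @param self       Unused; kept for a uniform helper signature.
 * @param sessionId  Session to look in.
 * @return TRUE if such a process was found, FALSE if not or on any failure
 *         (module name or snapshot unavailable).
 */
static BOOL IsAgentRunningInSession(SessionMonitor* self, DWORD sessionId)
{
    char currentExeName[MAX_PATH];
    DWORD len;
    const char* pFileName;
    DWORD currentPID;
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32;
    BOOL found = FALSE;
    DWORD procSessionId;

    (void)self;

    len = GetModuleFileName(NULL, currentExeName, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        return FALSE;
    }

    /* Base name: text after the last backslash, or the whole string. */
    pFileName = strrchr(currentExeName, '\\');
    pFileName = pFileName ? pFileName + 1 : currentExeName;

    currentPID = GetCurrentProcessId();

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        Mprintf("CreateToolhelp32Snapshot failed");
        return FALSE;
    }

    pe32.dwSize = sizeof(pe32);
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (_stricmp(pe32.szExeFile, pFileName) != 0) {
                continue;
            }
            if (pe32.th32ProcessID == currentPID) {
                continue; /* skip this (service) process itself */
            }
            if (ProcessIdToSessionId(pe32.th32ProcessID, &procSessionId)
                && procSessionId == sessionId) {
                found = TRUE;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);
    return found;
}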
// Terminate all agent processes
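/*
 * Terminate every tracked agent, close its process handle, and empty the
 * list. Runs under csProcessList.
 *
 * For each entry: if the process is still active it is terminated and given
 * up to 5 s to exit (a timeout is logged, not fatal); if it has already
 * exited its code is logged. The handle is closed in every case, since it
 * is the one kept from CreateProcessAsUser. All messages go through the
 * logger's format string rather than a pre-formatted buffer.
 *
 * @param self  Owning monitor; must not be NULL.
 */
static void TerminateAllAgents(SessionMonitor* self)
{
    size_t i;
    AgentProcessInfo* info;
    DWORD exitCode;

    EnterCriticalSection(&self->csProcessList);

    Mprintf("Terminating %d agent process(es)", (int)self->agentProcesses.count);

    for (i = 0; i < self->agentProcesses.count; i++) {
        info = &self->agentProcesses.items[i];

        Mprintf("Terminating agent PID=%d (Session %d)",
                (int)info->processId, (int)info->sessionId);

        if (GetExitCodeProcess(info->hProcess, &exitCode)) {
            if (exitCode == STILL_ACTIVE) {
                if (!TerminateProcess(info->hProcess, 0)) {
                    Mprintf("WARNING: Failed to terminate PID=%d, error=%d",
                            (int)info->processId, (int)GetLastError());
                } else {
                    Mprintf("Agent terminated successfully");
                    /* TerminateProcess is asynchronous; wait for the exit. */
                    if (WaitForSingleObject(info->hProcess, 5000) != WAIT_OBJECT_0) {
                        Mprintf("WARNING: PID=%d did not exit within 5s", (int)info->processId);
                    }
                }
            } else {
                Mprintf("Agent PID=%d already exited with code %d",
                        (int)info->processId, (int)exitCode);
            }
        } else {
            Mprintf("WARNING: Cannot query agent PID=%d, error=%d",
                    (int)info->processId, (int)GetLastError());
        }

        /* Ours since CreateProcessAsUser; release it whatever happened above. */
        CloseHandle(info->hProcess);
    }

    self->agentProcesses.count = 0; /* every entry is dead or released */

    LeaveCriticalSection(&self->csProcessList);
    Mprintf("All agents terminated");
}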
// Clean up processes that have already terminated
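/*
 * Drop every tracked agent that has exited or can no longer be queried,
 * closing its handle. Runs under csProcessList.
 *
 * An entry is dropped when GetExitCodeProcess fails or reports a code other
 * than STILL_ACTIVE. Note the usual Win32 ambiguity: a process that exits
 * with code 259 (the value of STILL_ACTIVE) looks alive to this check and
 * stays in the list until TerminateAllAgents.
 *
 * @param self  Owning monitor; must not be NULL.
 */
static void CleanupDeadProcesses(SessionMonitor* self)
{
    size_t i = 0;
    AgentProcessInfo* info;
    DWORD exitCode;
    BOOL drop;

    EnterCriticalSection(&self->csProcessList);

    while (i < self->agentProcesses.count) {
        info = &self->agentProcesses.items[i];

        if (!GetExitCodeProcess(info->hProcess, &exitCode)) {
            /* Cannot query it; assume it is gone rather than keep a stale entry. */
            Mprintf("Cannot query agent PID=%d, removing from list", (int)info->processId);
            drop = TRUE;
        } else if (exitCode != STILL_ACTIVE) {
            Mprintf("Agent PID=%d exited with code %d, cleaning up",
                    (int)info->processId, (int)exitCode);
            drop = TRUE;
        } else {
            drop = FALSE;
        }

        if (drop) {
            CloseHandle(info->hProcess);
            AgentArray_RemoveAt(&self->agentProcesses, i);
            /* Do not advance: the next entry has shifted into slot i. */
        } else {
            i++;
        }
    }

    LeaveCriticalSection(&self->csProcessList);
}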
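/*
 * Start this executable with the `-agent` argument on the interactive
 * desktop (winsta0\default) of `sessionId`, and record the child so that
 * SessionMonitor_Stop can terminate it.
 *
 * Privilege model, as written: the child is created from a duplicate of THIS
 * process's own primary token with only its session id changed, so the agent
 * runs with the service's privileges (typically LocalSystem), not the logged-on
 * user's. The user's token (WTSQueryUserToken) is consulted only to build the
 * environment block, and that step is best-effort. NOTE(review): if the agent
 * does not need the service's privileges, creating it from hUserToken instead
 * would follow least privilege.
 *
 * Changes versus the first version: single cleanup path for the two token
 * handles; GetLastError captured immediately after CreateProcessAsUser (it
 * was read after DestroyEnvironmentBlock, which may overwrite it); bounded
 * command-line formatting; truncated GetModuleFileName treated as failure;
 * the AgentArray_Add result checked so an untracked child at least does not
 * leak its handle; all log lines formatted by the logger itself (paths are
 * external data and must never be used as a format string); the named
 * ERROR_PRIVILEGE_NOT_HELD instead of the literal 1314.
 *
 * @param self       Owning monitor (its process list is updated on success).
 * @param sessionId  Target WTS session.
 * @return TRUE if the process was created, FALSE on any failure.
 */
static BOOL LaunchAgentInSession(SessionMonitor* self, DWORD sessionId)
{
    HANDLE hToken = NULL;
    HANDLE hDupToken = NULL;
    HANDLE hUserToken = NULL;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    LPVOID lpEnvironment = NULL;
    char exePath[MAX_PATH];
    char cmdLine[MAX_PATH + 20];
    DWORD len;
    int written;
    BOOL result = FALSE;
    AgentProcessInfo info;
    DWORD err;

    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));
    memset(&info, 0, sizeof(info));

    Mprintf("Attempting to launch agent in session %d", (int)sessionId);

    si.cb = sizeof(STARTUPINFO);
    si.lpDesktop = (LPSTR)"winsta0\\default"; /* interactive desktop of the target session */

    /* Our own primary token, to be re-targeted at the user's session. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &hToken)) {
        Mprintf("OpenProcessToken failed: %d", (int)GetLastError());
        goto cleanup;
    }

    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
                          SecurityImpersonation, TokenPrimary, &hDupToken)) {
        Mprintf("DuplicateTokenEx failed: %d", (int)GetLastError());
        goto cleanup;
    }

    if (!SetTokenInformation(hDupToken, TokenSessionId, &sessionId, sizeof(sessionId))) {
        Mprintf("SetTokenInformation failed: %d", (int)GetLastError());
        goto cleanup;
    }

    Mprintf("Token duplicated");

    /* Path of this executable; 0 is failure, MAX_PATH means truncated. */
    len = GetModuleFileName(NULL, exePath, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) {
        Mprintf("GetModuleFileName failed");
        goto cleanup;
    }

    Mprintf("Service path: %s", exePath);

    if (GetFileAttributes(exePath) == INVALID_FILE_ATTRIBUTES) {
        Mprintf("ERROR: Executable not found at: %s", exePath);
        goto cleanup;
    }

    /* Same image, agent mode: "<path>" -agent */
    written = snprintf(cmdLine, sizeof cmdLine, "\"%s\" -agent", exePath);
    if (written < 0 || (size_t)written >= sizeof cmdLine) {
        Mprintf("ERROR: command line too long");
        goto cleanup;
    }

    Mprintf("Command line: %s", cmdLine);

    /* Best effort: the user's token is only used for the environment block. */
    if (!WTSQueryUserToken(sessionId, &hUserToken)) {
        Mprintf("WTSQueryUserToken failed: %d", (int)GetLastError());
    }

    if (hUserToken) {
        if (!CreateEnvironmentBlock(&lpEnvironment, hUserToken, FALSE)) {
            Mprintf("CreateEnvironmentBlock failed");
            lpEnvironment = NULL; /* fall back to inheriting our environment */
        }
        CloseHandle(hUserToken);
        hUserToken = NULL;
    }

    result = CreateProcessAsUser(
        hDupToken,
        NULL,      /* application name: taken from the command line */
        cmdLine,   /* "<path>" -agent */
        NULL,      /* process security attributes */
        NULL,      /* thread security attributes */
        FALSE,     /* do not inherit handles */
        NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT,
        lpEnvironment,
        NULL,      /* current directory */
        &si,
        &pi);
    /* Capture the error before any other call can overwrite it. */
    err = result ? ERROR_SUCCESS : GetLastError();

    if (lpEnvironment) {
        DestroyEnvironmentBlock(lpEnvironment);
    }

    if (result) {
        Mprintf("SUCCESS: Agent process created (PID=%d)", (int)pi.dwProcessId);

        /* Keep the process handle so Stop can terminate the agent later. */
        info.processId = pi.dwProcessId;
        info.sessionId = sessionId;
        info.hProcess = pi.hProcess;

        EnterCriticalSection(&self->csProcessList);
        if (!AgentArray_Add(&self->agentProcesses, &info)) {
            /* Out of memory: the child is running but cannot be tracked, so
             * Stop will not be able to terminate it. Say so, and at least
             * do not leak the handle. */
            Mprintf("WARNING: could not record agent PID=%d; it will not be terminated on stop",
                    (int)pi.dwProcessId);
            CloseHandle(pi.hProcess);
        }
        LeaveCriticalSection(&self->csProcessList);

        CloseHandle(pi.hThread); /* the primary thread handle is not needed */
    } else {
        Mprintf("CreateProcessAsUser failed: %d", (int)err);

        if (err == ERROR_FILE_NOT_FOUND) {
            Mprintf("ERROR: agent executable file not found");
        } else if (err == ERROR_ACCESS_DENIED) {
            Mprintf("ERROR: Access denied - service may not have sufficient privileges");
        } else if (err == ERROR_PRIVILEGE_NOT_HELD) {
            Mprintf("ERROR: Service does not have SE_INCREASE_QUOTA privilege");
        }
    }

cleanup:
    if (hDupToken) {
        CloseHandle(hDupToken);
    }
    if (hToken) {
        CloseHandle(hToken);
    }
    return result;
}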