admin/SimpleRemoter
1
0
Fork 0
mirror of https://github.com/yuanyuanxiang/SimpleRemoter.git synced 2026-01-21 23:13:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Feature: Support client running as windows service

Browse Source
This commit is contained in:
yuanyuanxiang
2025-11-23 18:13:39 +01:00
parent 9a640c0a1d
commit 36b7b86890
27 changed files with 3023 additions and 171 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
client/ClientApp.h Normal file
View File

@@ -0,0 +1,12 @@
#pragma once
class App {
public:
App(){}
virtual ~App(){}
virtual bool Initialize() = 0;
virtual bool Start(bool block) = 0;
virtual bool Stop() = 0;
};

178
client/ClientDll.cpp
View File

@@ -6,23 +6,24 @@
#include <common/iniFile.h>
extern "C" {
#include "reg_startup.h"
#include "ServiceWrapper.h"
}
// <EFBFBD>Զ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>е<EFBFBD>ֵ
// 自动启动注册表中的值
#define REG_NAME "a_ghost"
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀͻ<EFBFBD><EFBFBD>˸<EFBFBD><EFBFBD><EFBFBD>
// 启动的客户端个数
#define CLIENT_PARALLEL_NUM 1
// Զ<EFBFBD>̵<EFBFBD>ַ
// 远程地址
CONNECT_ADDRESS g_SETTINGS = {
FLAG_GHOST, "127.0.0.1", "6543", CLIENT_TYPE_DLL, false, DLL_VERSION,
FALSE, Startup_DLL, PROTOCOL_HELL, PROTO_TCP, RUNNING_RANDOM, "default", {},
0, 7057226198541618915, {},
};
// <EFBFBD><EFBFBD><EFBFBD>տͻ<EFBFBD><EFBFBD><EFBFBD>ֻ<EFBFBD><EFBFBD>2<EFBFBD><EFBFBD>ȫ<EFBFBD>ֱ<EFBFBD><EFBFBD><EFBFBD>: g_SETTINGS<EFBFBD><EFBFBD>g_MyApp<EFBFBD><EFBFBD><EFBFBD><EFBFBD>g_SETTINGS<EFBFBD><EFBFBD>Ϊg_MyApp<EFBFBD>ij<EFBFBD>Ա.
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֻ<EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD>ȫ<EFBFBD>ֱ<EFBFBD><EFBFBD><EFBFBD>: g_MyApp
// 最终客户端只有2个全局变量: g_SETTINGSg_MyApp,而g_SETTINGS作为g_MyApp的成员.
// 因此全局来看只有一个全局变量: g_MyApp
ClientApp g_MyApp(&g_SETTINGS, IsClientAppRunning);
enum { E_RUN, E_STOP, E_EXIT } status;
@@ -70,7 +71,7 @@ DWORD WINAPI StartClientApp(LPVOID param)
settings.SetServer(ip, port);
}
if (strlen(settings.ServerIP()) == 0 || settings.ServerPort() <= 0) {
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: <20><><EFBFBD>ṩԶ<E1B9A9><D4B6><EFBFBD><EFBFBD><EFBFBD><EFBFBD>IP<49>Ͷ˿<CDB6>!\n");
Mprintf("参数不足: 请提供远程主机IP和端口!\n");
Sleep(3000);
} else {
app->g_hInstance = GetModuleHandle(NULL);
@@ -95,11 +96,11 @@ DWORD WINAPI StartClientApp(LPVOID param)
}
/**
* @brief <EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֧<EFBFBD>ֳ<EFBFBD><EFBFBD><EFBFBD>MAXIMUM_WAIT_OBJECTS<EFBFBD><EFBFBD><EFBFBD>ƣ<EFBFBD>
* @param handles <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
* @param waitAll <EFBFBD>Ƿ<EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>о<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɣ<EFBFBD>TRUE=ȫ<EFBFBD><EFBFBD>, FALSE=<EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
* @param timeout <EFBFBD><EFBFBD>ʱʱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>룬INFINITE<EFBFBD><EFBFBD>ʾ<EFBFBD><EFBFBD><EFBFBD>޵ȴ<EFBFBD><EFBFBD><EFBFBD>
* @return <EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>WAIT_OBJECT_0<EFBFBD>ɹ<EFBFBD>, WAIT_FAILEDʧ<EFBFBD>ܣ<EFBFBD>
* @brief 等待多个句柄(支持超过MAXIMUM_WAIT_OBJECTS限制)
* @param handles 句柄数组
* @param waitAll 是否等待所有句柄完成(TRUE=全部, FALSE=任意一个)
* @param timeout 超时时间毫秒INFINITE表示无限等待
* @return 等待结果(WAIT_OBJECT_0成功, WAIT_FAILED失败)
*/
DWORD WaitForMultipleHandlesEx(
const std::vector<HANDLE>& handles,
@@ -107,10 +108,10 @@ DWORD WaitForMultipleHandlesEx(
DWORD timeout = INFINITE
)
{
const DWORD MAX_WAIT = MAXIMUM_WAIT_OBJECTS; // ϵͳ<EFBFBD><EFBFBD><EFBFBD>ƣ<EFBFBD>64<EFBFBD><EFBFBD>
const DWORD MAX_WAIT = MAXIMUM_WAIT_OBJECTS; // 系统限制64
DWORD totalHandles = static_cast<DWORD>(handles.size());
// 1. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч<EFBFBD><EFBFBD>
// 1. 检查句柄有效性
for (HANDLE h : handles) {
if (h == NULL || h == INVALID_HANDLE_VALUE) {
SetLastError(ERROR_INVALID_HANDLE);
@@ -118,20 +119,20 @@ DWORD WaitForMultipleHandlesEx(
}
}
// 2. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>64<EFBFBD><EFBFBD>ֱ<EFBFBD>ӵ<EFBFBD><EFBFBD><EFBFBD>ԭ<EFBFBD><EFBFBD>API
// 2. 如果句柄数≤64直接调用原生API
if (totalHandles <= MAX_WAIT) {
return WaitForMultipleObjects(totalHandles, handles.data(), waitAll, timeout);
}
// 3. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD>߼<EFBFBD>
// 3. 分批等待逻辑
if (waitAll) {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>о<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 必须等待所有句柄完成
for (DWORD i = 0; i < totalHandles; i += MAX_WAIT) {
DWORD batchSize = min(MAX_WAIT, totalHandles - i);
DWORD result = WaitForMultipleObjects(
batchSize,
&handles[i],
TRUE, // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD>ǰ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TRUE, // 必须等待当前批次全部完成
timeout
);
if (result == WAIT_FAILED) {
@@ -140,18 +141,18 @@ DWORD WaitForMultipleHandlesEx(
}
return WAIT_OBJECT_0;
} else {
// ֻ<EFBFBD><EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 只需等待任意一个句柄完成
while (true) {
for (DWORD i = 0; i < totalHandles; i += MAX_WAIT) {
DWORD batchSize = min(MAX_WAIT, totalHandles - i);
DWORD result = WaitForMultipleObjects(
batchSize,
&handles[i],
FALSE, // <EFBFBD><EFBFBD>ǰ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɼ<EFBFBD><EFBFBD><EFBFBD>
FALSE, // 当前批次任意一个完成即可
timeout
);
if (result != WAIT_FAILED && result != WAIT_TIMEOUT) {
return result + i; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
return result + i; // 返回全局索引
}
}
if (timeout != INFINITE) {
@@ -165,11 +166,11 @@ DWORD WaitForMultipleHandlesEx(
#include "auto_start.h"
// <EFBFBD><EFBFBD><EFBFBD>ؿ<EFBFBD><EFBFBD><EFBFBD>̨
// <EFBFBD>ο<EFBFBD><EFBFBD><EFBFBD>https://blog.csdn.net/lijia11080117/article/details/44916647
// step1: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"<22>߼<EFBFBD>"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڵ<EFBFBD>ΪmainCRTStartup
// step2: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"ϵͳ"<22><><EFBFBD><EFBFBD>ϵͳΪ<CDB3><CEAA><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 隐藏控制台
// 参看:https://blog.csdn.net/lijia11080117/article/details/44916647
// step1: 在链接器"高级"设置入口点为mainCRTStartup
// step2: 在链接器"系统"设置系统为窗口
// 完成
BOOL CALLBACK callback(DWORD CtrlType)
{
@@ -181,17 +182,94 @@ BOOL CALLBACK callback(DWORD CtrlType)
return TRUE;
}
void PrintUsage() {
Mprintf("Ghost Remote Control\n");
Mprintf("Usage:\n");
Mprintf(" ghost.exe -install Install as Windows service\n");
Mprintf(" ghost.exe -uninstall Uninstall service\n");
Mprintf(" ghost.exe -service Run as service (internal use)\n");
Mprintf(" ghost.exe -agent Run as agent (launched by service)\n");
Mprintf(" ghost.exe Run as normal application (debug mode)\n");
Mprintf("\n");
}
extern "C" BOOL RunAsAgent(BOOL block) {
return g_MyApp.Run(block ? true : false) ? TRUE : FALSE;
}
bool RunService(int argc, const char* argv[]) {
g_ServiceDirectMode = FALSE;
if (argc == 1) { // 无参数时,作为服务启动
BOOL registered = FALSE;
BOOL running = FALSE;
char servicePath[MAX_PATH] = {0};
ServiceWrapper_CheckStatus(&registered, &running, servicePath, MAX_PATH);
char curPath[MAX_PATH];
GetModuleFileName(NULL, curPath, MAX_PATH);
if (registered && strcmp(curPath, servicePath) != 0) {
Mprintf("RunService Uninstall: %s\n", servicePath);
ServiceWrapper_Uninstall();
registered = FALSE;
}
if (!registered) {
Mprintf("RunService Install: %s\n", curPath);
ServiceWrapper_Install();
} else if (!running) {
int r = ServiceWrapper_Run();
Mprintf("RunService Run '%s' %s\n", curPath, r==ERROR_SUCCESS ? "succeed" : "failed");
if (r) {
r = ServiceWrapper_StartSimple();
Mprintf("RunService Start '%s' %s\n", curPath, r == ERROR_SUCCESS ? "succeed" : "failed");
}
}
return true;
}
else if (argc > 1) {
if (_stricmp(argv[1], "-install") == 0) {
ServiceWrapper_Install();
return true;
}
else if (_stricmp(argv[1], "-uninstall") == 0) {
ServiceWrapper_Uninstall();
return true;
}
else if (_stricmp(argv[1], "-service") == 0) {
ServiceWrapper_Run();
return true;
}
else if (_stricmp(argv[1], "-agent") == 0) {
RunAsAgent(true);
return true;
}
else if (_stricmp(argv[1], "-help") == 0 || _stricmp(argv[1], "/?") == 0) {
PrintUsage();
return true;
}
}
return false;
}
int main(int argc, const char *argv[])
{
// ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
int r = RegisterStartup("Windows Ghost", "WinGhost");
bool isService = g_SETTINGS.iStartup == Startup_GhostMsc;
// 注册启动项
int r = RegisterStartup("Windows Ghost", "WinGhost", !isService);
if (r <= 0) {
BOOL s = self_del();
if (!IsDebug)return r;
}
if (!SetSelfStart(argv[0], REG_NAME)) {
Mprintf("<EFBFBD><EFBFBD><EFBFBD>ÿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ù<EFBFBD><EFBFBD><EFBFBD>ԱȨ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.\n");
Mprintf("设置开机自启动失败,请用管理员权限运行.\n");
}
if (isService) {
bool ret = RunService(argc, argv);
Mprintf("RunService %s. Arg Count: %d\n", ret ? "succeed" : "failed", argc);
if (ret) return 0x20251123;
}
status = E_RUN;
@@ -207,7 +285,7 @@ int main(int argc, const char *argv[])
SetConsoleCtrlHandler(&callback, TRUE);
const char* ip = argc > 1 ? argv[1] : NULL;
int port = argc > 2 ? atoi(argv[2]) : 0;
int port = argc > 2 ? atoi(argv[2]) : 6543;
ClientApp& app(g_MyApp);
app.g_Connection->SetType(CLIENT_TYPE_ONE);
app.g_Connection->SetServer(ip, port);
@@ -215,7 +293,7 @@ int main(int argc, const char *argv[])
g_SETTINGS.SetServer(ip, port);
#endif
if (CLIENT_PARALLEL_NUM == 1) {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ<EFBFBD><EFBFBD><EFBFBD>
// 启动单个客户端
StartClientApp(&app);
} else {
std::vector<HANDLE> handles(CLIENT_PARALLEL_NUM);
@@ -223,12 +301,12 @@ int main(int argc, const char *argv[])
auto client = new ClientApp(app.g_Connection, IsSharedRunning, FALSE);
handles[i] = __CreateSmallThread(0, 0, 64*1024, StartClientApp, client->SetID(i), 0, 0);
if (handles[i] == 0) {
Mprintf("<EFBFBD>߳<EFBFBD> %d <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD>ܣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: %d\n", i, errno);
Mprintf("线程 %d 创建失败,错误: %d\n", i, errno);
}
}
DWORD result = WaitForMultipleHandlesEx(handles, TRUE, INFINITE);
if (result == WAIT_FAILED) {
Mprintf("WaitForMultipleObjects ʧ<EFBFBD>ܣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: %d\n", GetLastError());
Mprintf("WaitForMultipleObjects 失败,错误代码: %d\n", GetLastError());
}
}
ClientApp::Wait();
@@ -276,7 +354,7 @@ BOOL APIENTRY DllMain( HINSTANCE hInstance,
return TRUE;
}
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD>ghost
// 启动运行一个ghost
extern "C" __declspec(dllexport) void TestRun(char* szServerIP,int uPort)
{
ClientApp& app(g_MyApp);
@@ -302,25 +380,25 @@ extern "C" __declspec(dllexport) void TestRun(char* szServerIP,int uPort)
CloseHandle(hThread);
}
// ֹͣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 停止运行
extern "C" __declspec(dllexport) void StopRun()
{
g_MyApp.g_bExit = S_CLIENT_EXIT;
}
// <EFBFBD>Ƿ<EFBFBD><EFBFBD>ɹ<EFBFBD>ֹͣ
// 是否成功停止
extern "C" __declspec(dllexport) bool IsStoped()
{
return g_MyApp.g_bThreadExit && ClientApp::GetCount() == 0;
}
// <EFBFBD>Ƿ<EFBFBD><EFBFBD>˳<EFBFBD><EFBFBD>ͻ<EFBFBD><EFBFBD><EFBFBD>
// 是否退出客户端
extern "C" __declspec(dllexport) BOOL IsExit()
{
return g_MyApp.g_bExit;
}
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>д˳<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>κβ<EFBFBD><EFBFBD><EFBFBD>
// 简单运行此程序,无需任何参数
extern "C" __declspec(dllexport) int EasyRun()
{
ClientApp& app(g_MyApp);
@@ -330,11 +408,11 @@ extern "C" __declspec(dllexport) int EasyRun()
TestRun((char*)settings.ServerIP(), settings.ServerPort());
while (!IsStoped())
Sleep(50);
if (S_CLIENT_EXIT == app.g_bExit) // <EFBFBD>ܿض<EFBFBD><EFBFBD>˳<EFBFBD>
if (S_CLIENT_EXIT == app.g_bExit) // 受控端退出
break;
else if (S_SERVER_EXIT == app.g_bExit)
continue;
else // S_CLIENT_UPDATE: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
else // S_CLIENT_UPDATE: 程序更新
break;
} while (true);
@@ -342,7 +420,7 @@ extern "C" __declspec(dllexport) int EasyRun()
}
// copy from: SimpleRemoter\client\test.cpp
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>µ<EFBFBD>DLL
// 启用新的DLL
void RunNewDll(const char* cmdLine)
{
char path[_MAX_PATH], * p = path;
@@ -368,7 +446,7 @@ void RunNewDll(const char* cmdLine)
ok = FALSE;
}
} else {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 设置文件属性为隐藏
if (SetFileAttributesA(oldFile.c_str(), FILE_ATTRIBUTE_HIDDEN)) {
Mprintf("File created and set to hidden: %s\n", oldFile.c_str());
}
@@ -385,13 +463,13 @@ void RunNewDll(const char* cmdLine)
ShellExecuteA(NULL, "open", "rundll32.exe", cmd, NULL, SW_HIDE);
}
/* <EFBFBD><EFBFBD><EFBFBD>пͻ<EFBFBD><EFBFBD>˵ĺ<EFBFBD><EFBFBD>Ĵ<EFBFBD><EFBFBD><EFBFBD>. <20><>Ϊ<EFBFBD><CEAA><EFBFBD><EFBFBD><E5B5BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> rundll32 <EFBFBD><EFBFBD><EFBFBD><EFBFBD>Լ<EFBFBD><EFBFBD>.
HWND hwnd: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ھ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͨ<EFBFBD><EFBFBD>Ϊ NULL<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
HINSTANCE hinst: DLL <EFBFBD><EFBFBD>ʵ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
LPSTR lpszCmdLine: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>в<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݸ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
int nCmdShow: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʾ״̬<EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>rundll32.exe ClientDemo.dll,Run 127.0.0.1:6543
<EFBFBD><EFBFBD><EFBFBD>ȴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>в<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ж<EFBFBD>ȡ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʹ<EFBFBD>ȫ<EFBFBD>ֱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȡ<EFBFBD><EFBFBD>
/* 运行客户端的核心代码. 此为定义导出函数, 满足 rundll32 调用约定.
HWND hwnd: 父窗口句柄(通常为 NULL)。
HINSTANCE hinst: DLL 的实例句柄。
LPSTR lpszCmdLine: 命令行参数,作为字符串传递给函数。
int nCmdShow: 窗口显示状态。
运行命令:rundll32.exe ClientDemo.dll,Run 127.0.0.1:6543
优先从命令行参数中读取主机地址,如果不指定主机就从全局变量读取。
*/
extern "C" __declspec(dllexport) void Run(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
@@ -415,7 +493,7 @@ extern "C" __declspec(dllexport) void Run(HWND hwnd, HINSTANCE hinst, LPSTR lpsz
result.push_back("80");
}
if (result.size() != 2) {
MessageBox(hwnd, "<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȷ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ!", "<EFBFBD><EFBFBD>ʾ", MB_OK);
MessageBox(hwnd, "请提供正确的主机地址!", "提示", MB_OK);
return;
}
@@ -491,7 +569,7 @@ DWORD WINAPI StartClient(LPVOID lParam)
SAFE_DELETE(Manager);
Manager = new CKernelManager(&settings, ClientObject, app.g_hInstance, kb, bExit);
//׼<EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
//准备第一波数据
LOGIN_INFOR login = GetLoginInfo(GetTickCount64() - dwTickCount, settings);
ClientObject->SendLoginInfo(login);

33
client/ClientDll.h
View File

@@ -13,6 +13,7 @@
#include <shellapi.h>
#include <corecrt_io.h>
#include "domain_pool.h"
#include "ClientApp.h"
BOOL IsProcessExit();
@@ -22,8 +23,11 @@ BOOL IsSharedRunning(void* thisApp);
BOOL IsClientAppRunning(void* thisApp);
DWORD WINAPI StartClientApp(LPVOID param);
// <20>ͻ<EFBFBD><CDBB><EFBFBD><EFBFBD><EFBFBD><E0A3BA>ȫ<EFBFBD>ֱ<EFBFBD><D6B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>.
typedef struct ClientApp {
class ClientApp : public App {
public:
State g_bExit; // Ӧ<>ó<EFBFBD><C3B3><EFBFBD>״̬<D7B4><CCAC>1-<2D><><EFBFBD>ض<EFBFBD><D8B6>˳<EFBFBD> 2-<2D><><EFBFBD>ض<EFBFBD><D8B6>˳<EFBFBD> 3-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
BOOL g_bThreadExit; // <20><><EFBFBD><EFBFBD><EFBFBD>߳<EFBFBD>״̬
HINSTANCE g_hInstance; // <20><><EFBFBD>̾<EFBFBD><CCBE><EFBFBD>
@@ -36,10 +40,14 @@ typedef struct ClientApp {
static CLock m_Locker;
ClientApp(CONNECT_ADDRESS*conn, IsRunning run, BOOL shared=FALSE)
{
memset(this, 0, sizeof(ClientApp));
g_bExit = S_CLIENT_NORMAL;
g_bThreadExit = FALSE;
g_hInstance = NULL;
g_Connection = new CONNECT_ADDRESS(*conn);
g_hEvent = NULL;
m_bIsRunning = run;
m_bShared = shared;
m_ID = 0;
g_bThreadExit = TRUE;
}
std::vector<std::string> GetSharedMasterList()
@@ -94,7 +102,26 @@ typedef struct ClientApp {
g_bExit = state;
m_Locker.Unlock();
}
} ClientApp;
virtual bool Initialize() override {
g_Connection->SetType(CLIENT_TYPE_ONE);
return true;
}
virtual bool Start(bool block) override {
if (block) StartClientApp(this);
else CloseHandle(__CreateThread(0, 0, StartClientApp, this, 0, 0));
return true;
}
virtual bool Stop() override {
g_bExit = S_CLIENT_EXIT;
return true;
}
bool Run(bool block = true) {
if (!Initialize()) return false;
if (!Start(block)) return false;
if (block) Stop();
return true;
}
};
ClientApp* NewClientStartArg(const char* remoteAddr, IsRunning run = IsClientAppRunning, BOOL shared=FALSE);

18
client/KeyboardManager.cpp
View File

@@ -545,6 +545,8 @@ DWORD WINAPI CKeyboardManager1::KeyLogger(LPVOID lparam)
TCHAR WindowCaption[CAPTION_SIZE] = {};
HWND PreviousFocus = NULL;
GET_PROCESS(DLLS[USER32], GetAsyncKeyState);
HDESK desktop = NULL;
clock_t lastCheck = 0;
while(pThis->m_bIsWorking) {
if (!pThis->IsConnected() && !pThis->m_bIsOfflineRecord) {
#if USING_KB_HOOK
@@ -555,6 +557,22 @@ DWORD WINAPI CKeyboardManager1::KeyLogger(LPVOID lparam)
}
Sleep(5);
#if USING_KB_HOOK
clock_t now = clock();
if (now - lastCheck > 1000) {
lastCheck = now;
HDESK hInputDesk = IsDesktopChanged(desktop, DESKTOP_READOBJECTS |
DESKTOP_WRITEOBJECTS | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD);
if (hInputDesk) {
ReleaseHook();
if (desktop) {
CloseDesktop(desktop);
}
desktop = hInputDesk;
if (!SetThreadDesktop(desktop)) {
Mprintf("SetThreadDesktop failed: %d\n", GetLastError());
}
}
}
if (!SetHook(WriteBuffer, pThis->m_Buffer)) {
return -1;
}

77
client/Manager.cpp
View File

@@ -10,7 +10,7 @@
typedef struct {
unsigned(__stdcall* start_address)(void*);
void* arglist;
bool bInteractive; // <EFBFBD>Ƿ<EFBFBD>֧<EFBFBD>ֽ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
bool bInteractive; // 是否支持交互桌面
HANDLE hEventTransferArg;
} THREAD_ARGLIST, * LPTHREAD_ARGLIST;
@@ -23,7 +23,7 @@ unsigned int __stdcall ThreadLoader(LPVOID param)
THREAD_ARGLIST arg;
memcpy(&arg, param, sizeof(arg));
SetEvent(arg.hEventTransferArg);
// <EFBFBD><EFBFBD>׿<EFBFBD><EFBFBD><EFBFBD>
// 与桌面交互
if (arg.bInteractive)
SelectDesktop(NULL);
@@ -110,6 +110,77 @@ BOOL SelectHDESK(HDESK new_desktop)
return TRUE;
}
HDESK OpenActiveDesktop(ACCESS_MASK dwDesiredAccess) {
if (dwDesiredAccess == 0) {
dwDesiredAccess = DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS;
}
HDESK hInputDesktop = OpenInputDesktop(0, FALSE, dwDesiredAccess);
if (!hInputDesktop) {
Mprintf("OpenInputDesktop failed: %d, trying Winlogon\n", GetLastError());
HWINSTA hWinSta = OpenWindowStation("WinSta0", FALSE, WINSTA_ALL_ACCESS);
if (hWinSta) {
SetProcessWindowStation(hWinSta);
hInputDesktop = OpenDesktop("Winlogon", 0, FALSE, dwDesiredAccess);
if (!hInputDesktop) {
Mprintf("OpenDesktop Winlogon failed: %d, trying Default\n", GetLastError());
hInputDesktop = OpenDesktop("Default", 0, FALSE, dwDesiredAccess);
if (!hInputDesktop) {
Mprintf("OpenDesktop Default failed: %d\n", GetLastError());
}
}
}
else {
Mprintf("OpenWindowStation failed: %d\n", GetLastError());
}
}
return hInputDesktop;
}
// 返回新桌面句柄如果没有变化返回NULL
HDESK IsDesktopChanged(HDESK currentDesk, DWORD accessRights) {
HDESK hInputDesk = OpenActiveDesktop(accessRights);
if (!hInputDesk) return NULL;
if (!currentDesk) {
return hInputDesk;
}
else {
// 通过桌面名称判断是否真正变化
char oldName[256] = { 0 };
char newName[256] = { 0 };
DWORD len = 0;
GetUserObjectInformationA(currentDesk, UOI_NAME, oldName, sizeof(oldName), &len);
GetUserObjectInformationA(hInputDesk, UOI_NAME, newName, sizeof(newName), &len);
if (oldName[0] && newName[0] && strcmp(oldName, newName) != 0) {
Mprintf("Desktop changed from '%s' to '%s'\n", oldName, newName);
return hInputDesk;
}
}
CloseDesktop(hInputDesk);
return NULL;
}
// 桌面切换辅助函数:通过桌面名称比较判断是否需要切换
// 返回值true表示桌面已切换false表示桌面未变化
bool SwitchToDesktopIfChanged(HDESK& currentDesk, DWORD accessRights)
{
HDESK hInputDesk = IsDesktopChanged(currentDesk, accessRights);
if (hInputDesk) {
if (currentDesk) {
CloseDesktop(currentDesk);
}
currentDesk = hInputDesk;
SetThreadDesktop(currentDesk);
return true;
}
return false;
}
// - SelectDesktop(char *)
// Switches the current thread into a different desktop, by name
// Calling with a valid desktop name will place the thread in that desktop.
@@ -186,7 +257,7 @@ BOOL CManager::Send(LPBYTE lpData, UINT nSize)
VOID CManager::WaitForDialogOpen()
{
WaitForSingleObject(m_hEventDlgOpen, 8000);
//<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Sleep,<2C><>ΪԶ<CEAA>̴<EFBFBD><CCB4>ڴ<EFBFBD>InitDialog<EFBFBD>з<EFBFBD><EFBFBD><EFBFBD>COMMAND_NEXT<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʾ<EFBFBD><EFBFBD>Ҫһ<EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD>
//必须的Sleep,因为远程窗口从InitDialog中发送COMMAND_NEXT到显示还要一段时间
Sleep(150);
}

8
client/Manager.h
View File

@@ -15,6 +15,12 @@
#define ENABLE_VSCREEN 1
#define ENABLE_KEYBOARD 1
HDESK OpenActiveDesktop(ACCESS_MASK dwDesiredAccess = 0);
HDESK IsDesktopChanged(HDESK currentDesk, DWORD accessRights);
bool SwitchToDesktopIfChanged(HDESK& currentDesk, DWORD accessRights);
HDESK SelectDesktop(TCHAR* name);
std::string GetBotId();
@@ -33,7 +39,7 @@ HANDLE MyCreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
class CManager : public IOCPManager
{
public:
const State&g_bExit; // 1-<EFBFBD><EFBFBD><EFBFBD>ض<EFBFBD><EFBFBD>˳<EFBFBD> 2-<2D><><EFBFBD>ض<EFBFBD><D8B6>˳<EFBFBD>
const State&g_bExit; // 1-被控端退出 2-主控端退出
BOOL m_bReady;
CManager(IOCPClient* ClientObject);
virtual ~CManager();

179
client/ScreenManager.cpp
View File

@@ -90,6 +90,8 @@ CScreenManager::CScreenManager(IOCPClient* ClientObject, int n, void* user):CMan
m_conn = &g_SETTINGS;
InitFileUpload("");
#endif
m_isGDI = TRUE;
m_virtual = FALSE;
m_bIsWorking = TRUE;
m_bIsBlockInput = FALSE;
g_hDesk = nullptr;
@@ -113,7 +115,7 @@ CScreenManager::CScreenManager(IOCPClient* ClientObject, int n, void* user):CMan
std::wstring ConvertToWString(const std::string& multiByteStr)
{
int len = MultiByteToWideChar(CP_ACP, 0, multiByteStr.c_str(), -1, NULL, 0);
if (len == 0) return L""; // ת<EFBFBD><EFBFBD>ʧ<EFBFBD><EFBFBD>
if (len == 0) return L""; // 转换失败
std::wstring wideStr(len, L'\0');
MultiByteToWideChar(CP_ACP, 0, multiByteStr.c_str(), -1, &wideStr[0], len);
@@ -163,7 +165,7 @@ bool LaunchApplication(TCHAR* pszApplicationFilePath, TCHAR* pszDesktopName)
if (pszError) {
Mprintf("CreateProcess [%s] failed: %s\n", pszApplicationFilePath, pszError);
LocalFree(pszError); // <EFBFBD>ͷ<EFBFBD><EFBFBD>ڴ<EFBFBD>
LocalFree(pszError); // 释放内存
}
if (bCreateProcessReturn)
@@ -195,37 +197,47 @@ void CScreenManager::InitScreenSpy()
}
Mprintf("CScreenManager: Type %d Algorithm: %d\n", DXGI, int(algo));
if (DXGI == USING_VIRTUAL) {
m_virtual = TRUE;
HDESK hDesk = SelectDesktop((char*)m_DesktopID.c_str());
if (!hDesk) {
if (hDesk = CreateDesktop(m_DesktopID.c_str(), NULL, NULL, 0, GENERIC_ALL, NULL)) {
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļ<EFBFBD>ɹ<EFBFBD>: %s\n", m_DesktopID.c_str());
Mprintf("创建虚拟屏幕成功: %s\n", m_DesktopID.c_str());
TCHAR szExplorerFile[MAX_PATH * 2] = { 0 };
GetWindowsDirectory(szExplorerFile, MAX_PATH * 2 - 1);
strcat_s(szExplorerFile, MAX_PATH * 2 - 1, "\\Explorer.Exe");
if (!LaunchApplication(szExplorerFile, (char*)m_DesktopID.c_str())) {
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Դ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD><EFBFBD>[%s]!!!\n", m_DesktopID.c_str());
Mprintf("启动资源管理器失败[%s]!!!\n", m_DesktopID.c_str());
}
} else {
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļʧ<EFBFBD><EFBFBD>: %s\n", m_DesktopID.c_str());
Mprintf("创建虚拟屏幕失败: %s\n", m_DesktopID.c_str());
}
} else {
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļ<EFBFBD>ɹ<EFBFBD>: %s\n", m_DesktopID.c_str());
Mprintf("打开虚拟屏幕成功: %s\n", m_DesktopID.c_str());
}
if (hDesk) {
SetThreadDesktop(g_hDesk = hDesk);
}
}
else {
HDESK hDesk = OpenActiveDesktop();
if (hDesk) {
SetThreadDesktop(g_hDesk = hDesk);
}
}
if ((USING_DXGI == DXGI && IsWindows8orHigher())) {
m_isGDI = FALSE;
auto s = new ScreenCapturerDXGI(algo, DEFAULT_GOP, all);
if (s->IsInitSucceed()) {
m_ScreenSpyObject = s;
} else {
SAFE_DELETE(s);
m_isGDI = TRUE;
m_ScreenSpyObject = new CScreenSpy(32, algo, FALSE, DEFAULT_GOP, all);
Mprintf("CScreenManager: DXGI SPY init failed!!! Using GDI instead.\n");
}
} else {
m_isGDI = TRUE;
m_ScreenSpyObject = new CScreenSpy(32, algo, DXGI == USING_VIRTUAL, DEFAULT_GOP, all);
}
}
@@ -236,36 +248,56 @@ DWORD WINAPI CScreenManager::WorkThreadProc(LPVOID lParam)
This->InitScreenSpy();
This->SendBitMapInfo(); //<EFBFBD><EFBFBD><EFBFBD><EFBFBD>bmpλͼ<EFBFBD>
This->SendBitMapInfo(); //发送bmp位图结构
// <EFBFBD>ȿ<EFBFBD><EFBFBD>ƶ˶Ի<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 等控制端对话框打开
This->WaitForDialogOpen();
clock_t last = clock();
This->SendFirstScreen();
#if USING_ZLIB
const int fps = 8;// ֡<EFBFBD><EFBFBD>
const int fps = 8;// 帧率
#else
const int fps = 8;// ֡<EFBFBD><EFBFBD>
const int fps = 8;// 帧率
#endif
const int sleep = 1000 / fps;// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD>䣨ms<EFBFBD><EFBFBD>
int c1 = 0; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD><EFBFBD>Ĵ<EFBFBD><EFBFBD><EFBFBD>
int c2 = 0; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD>̵Ĵ<EFBFBD><EFBFBD><EFBFBD>
float s0 = sleep; // <EFBFBD><EFBFBD>֮֡<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ms<EFBFBD><EFBFBD>
const int frames = fps; // ÿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ٶ<EFBFBD>
const float alpha = 1.03; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>fps<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
const int sleep = 1000 / fps;// 间隔时间ms
int c1 = 0; // 连续耗时长的次数
int c2 = 0; // 连续耗时短的次数
float s0 = sleep; // 两帧之间隔ms
const int frames = fps; // 每秒调整屏幕发送速度
const float alpha = 1.03; // 控制fps的因子
clock_t last_check = clock();
timeBeginPeriod(1);
while (This->m_bIsWorking) {
// 降低桌面检查频率避免频繁的DC重置导致闪屏
if (This->m_isGDI && This->IsRunAsService() && !This->m_virtual) {
auto now = clock();
if (now - last_check > 500) {
last_check = now;
// 使用公共函数检查并切换桌面(无需写权限)
if (SwitchToDesktopIfChanged(This->g_hDesk, 0)) {
// 桌面变化时重置屏幕捕获的DC
if (This->m_ScreenSpyObject) {
CScreenSpy* spy = dynamic_cast<CScreenSpy*>(This->m_ScreenSpyObject);
if (spy) {
spy->ResetDesktopDC();
}
}
}
}
}
ULONG ulNextSendLength = 0;
const char* szBuffer = This->GetNextScreen(ulNextSendLength);
if (szBuffer) {
s0 = max(s0, 50); // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ÿ<EFBFBD><EFBFBD>20֡
s0 = max(s0, 50); // 最快每秒20
s0 = min(s0, 1000);
int span = s0-(clock() - last);
Sleep(span > 0 ? span : 1);
if (span < 0) { // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݺ<EFBFBD>ʱ<EFBFBD>ϳ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϲ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݽ϶<EFBFBD>
if (span < 0) { // 发送数据耗时较长,网络较差或数据较多
c2 = 0;
if (frames == ++c1) { // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD>
if (frames == ++c1) { // 连续一定次数耗时长
s0 = (s0 <= sleep*4) ? s0*alpha : s0;
c1 = 0;
#ifdef _DEBUG
@@ -273,9 +305,9 @@ DWORD WINAPI CScreenManager::WorkThreadProc(LPVOID lParam)
Mprintf("[+]SendScreen Span= %dms, s0= %f, fps= %f\n", span, s0, 1000./s0);
#endif
}
} else if (span > 0) { // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݺ<EFBFBD>ʱ<EFBFBD><EFBFBD>s0<EFBFBD>̣<EFBFBD><EFBFBD><EFBFBD>ʾ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϻû<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ݰ<EFBFBD><EFBFBD><EFBFBD>С
} else if (span > 0) { // 发送数据耗时比s0短表示网络较好或数据包较小
c1 = 0;
if (frames == ++c2) { // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD>
if (frames == ++c2) { // 连续一定次数耗时短
s0 = (s0 >= sleep/4) ? s0/alpha : s0;
c2 = 0;
#ifdef _DEBUG
@@ -296,14 +328,14 @@ DWORD WINAPI CScreenManager::WorkThreadProc(LPVOID lParam)
VOID CScreenManager::SendBitMapInfo()
{
//<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>õ<EFBFBD>bmp<EFBFBD><EFBFBD>Ĵ<EFBFBD>С
//这里得到bmp结构的大小
const ULONG ulLength = 1 + sizeof(BITMAPINFOHEADER);
LPBYTE szBuffer = (LPBYTE)VirtualAlloc(NULL,
ulLength, MEM_COMMIT, PAGE_READWRITE);
if (szBuffer == NULL)
return;
szBuffer[0] = TOKEN_BITMAPINFO;
//<EFBFBD><EFBFBD><EFBFBD>ォbmpλͼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͳ<EFBFBD>ȥ
//这里将bmp位图结构发送出去
memcpy(szBuffer + 1, m_ScreenSpyObject->GetBIData(), ulLength - 1);
HttpMask mask(DEFAULT_HOST, m_ClientObject->GetClientIPHeader());
m_ClientObject->Send2Server((char*)szBuffer, ulLength, 0);
@@ -312,7 +344,7 @@ VOID CScreenManager::SendBitMapInfo()
CScreenManager::~CScreenManager()
{
Mprintf("ScreenManager <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\n");
Mprintf("ScreenManager 析构函数\n");
UninitFileUpload();
m_bIsWorking = FALSE;
@@ -332,7 +364,7 @@ void RunFileReceiver(CScreenManager *mgr, const std::string &folder)
IOCPClient* pClient = new IOCPClient(mgr->g_bExit, true, MaskTypeNone, mgr->m_conn->GetHeaderEncType());
if (pClient->ConnectServer(mgr->m_ClientObject->ServerIP().c_str(), mgr->m_ClientObject->ServerPort())) {
pClient->setManagerCallBack(mgr, CManager::DataProcess);
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ¼<EFBFBD><EFBFBD>׼<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>
// 发送目录并准备接收文件
char cmd[300] = { COMMAND_GET_FILE };
memcpy(cmd + 1, folder.c_str(), folder.length());
pClient->Send2Server(cmd, sizeof(cmd));
@@ -379,12 +411,12 @@ VOID CScreenManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
case COMMAND_SCREEN_CONTROL: {
BlockInput(false);
ProcessCommand(szBuffer + 1, ulLength - 1);
BlockInput(m_bIsBlockInput); //<EFBFBD>ٻָ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>û<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
BlockInput(m_bIsBlockInput); //再恢复成用户的设置
break;
}
case COMMAND_SCREEN_BLOCK_INPUT: { //ControlThread<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
m_bIsBlockInput = *(LPBYTE)&szBuffer[1]; //<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
case COMMAND_SCREEN_BLOCK_INPUT: { //ControlThread里锁定
m_bIsBlockInput = *(LPBYTE)&szBuffer[1]; //鼠标键盘的锁定
BlockInput(m_bIsBlockInput);
@@ -425,7 +457,7 @@ VOID CScreenManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
break;
}
case COMMAND_GET_FILE: {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>
// 发送文件
auto files = GetClipboardFiles();
std::string dir = (char*)(szBuffer + 1);
if (!files.empty() && !dir.empty()) {
@@ -440,7 +472,7 @@ VOID CScreenManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
break;
}
case COMMAND_SEND_FILE: {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>
// 接收文件
int n = RecvFileChunk((char*)szBuffer, ulLength, m_conn, RecvData, m_hash, m_hmac);
if (n) {
Mprintf("RecvFileChunk failed: %d. hash: %s, hmac: %s\n", n, m_hash.c_str(), m_hmac.c_str());
@@ -476,15 +508,15 @@ VOID CScreenManager::UpdateClientClipboard(char *szBuffer, ULONG ulLength)
VOID CScreenManager::SendClientClipboard()
{
if (!::OpenClipboard(NULL)) //<EFBFBD>򿪼<EFBFBD><EFBFBD>а<EFBFBD><EFBFBD>
if (!::OpenClipboard(NULL)) //打开剪切板设备
return;
HGLOBAL hGlobal = GetClipboardData(CF_TEXT); //<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD>
HGLOBAL hGlobal = GetClipboardData(CF_TEXT); //代表着一个内存
if (hGlobal == NULL) {
::CloseClipboard();
return;
}
size_t iPacketLength = GlobalSize(hGlobal) + 1;
char* szClipboardVirtualAddress = (LPSTR) GlobalLock(hGlobal); //<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
char* szClipboardVirtualAddress = (LPSTR) GlobalLock(hGlobal); //锁定
LPBYTE szBuffer = new BYTE[iPacketLength];
@@ -526,7 +558,7 @@ VOID CScreenManager::SendNextScreen(const char* szBuffer, ULONG ulNextSendLength
std::string GetTitle(HWND hWnd)
{
char title[256]; // Ԥ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
char title[256]; // 预留缓冲区
GetWindowTextA(hWnd, title, sizeof(title));
return title;
}
@@ -534,20 +566,20 @@ std::string GetTitle(HWND hWnd)
VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
{
int msgSize = sizeof(MSG64);
if (ulLength % 28 == 0) // 32λ<EFBFBD><EFBFBD><EFBFBD>ƶ˷<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
if (ulLength % 28 == 0) // 32位控制端发过来的消息
msgSize = 28;
else if (ulLength % 48 == 0) // 64λ<EFBFBD><EFBFBD><EFBFBD>ƶ˷<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
else if (ulLength % 48 == 0) // 64位控制端发过来的消息
msgSize = 48;
else return; // <EFBFBD><EFBFBD><EFBFBD>ݰ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϸ<EFBFBD>
else return; // 数据包不合法
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 命令个数
ULONG ulMsgCount = ulLength / msgSize;
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 处理多个命令
BYTE* ptr = szBuffer;
MSG32 msg32;
MSG64 msg64;
if (g_hDesk) {
if (m_virtual) {
HWND hWnd = NULL;
BOOL mouseMsg = FALSE;
POINT lastPointCopy = {};
@@ -575,25 +607,25 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
lastPointCopy = m_lastPoint;
m_lastPoint = m_point;
if (msg->message == WM_RBUTTONDOWN) {
// <EFBFBD><EFBFBD>¼<EFBFBD>Ҽ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 记录右键按下时的坐标
m_rmouseDown = TRUE;
m_rclickPoint = msg->pt;
} else if (msg->message == WM_RBUTTONUP) {
m_rmouseDown = FALSE;
m_rclickWnd = WindowFromPoint(m_rclickPoint);
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD>Ϊϵͳ<EFBFBD>˵<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 检查是否为系统菜单(如任务栏)
char szClass[256] = {};
GetClassNameA(m_rclickWnd, szClass, sizeof(szClass));
Mprintf("Right click on '%s' %s[%p]\n", szClass, GetTitle(hWnd).c_str(), hWnd);
if (strcmp(szClass, "Shell_TrayWnd") == 0) {
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϵͳ<EFBFBD><EFBFBD><EFBFBD>Ҽ<EFBFBD><EFBFBD>˵<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 触发系统级右键菜单(任务栏)
PostMessage(m_rclickWnd, WM_CONTEXTMENU, (WPARAM)m_rclickWnd,
MAKELPARAM(m_rclickPoint.x, m_rclickPoint.y));
} else {
// <EFBFBD><EFBFBD>ͨ<EFBFBD><EFBFBD><EFBFBD>ڵ<EFBFBD><EFBFBD>Ҽ<EFBFBD><EFBFBD>˵<EFBFBD>
// 普通窗口的右键菜单
if (!PostMessage(m_rclickWnd, WM_RBUTTONUP, msg->wParam,
MAKELPARAM(m_rclickPoint.x, m_rclickPoint.y))) {
// <EFBFBD><EFBFBD><EFBFBD>ӣ<EFBFBD>ģ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̰<EFBFBD><EFBFBD><EFBFBD>Shift+F10<31><30><EFBFBD><EFBFBD><EFBFBD>ò˵<C3B2><CBB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʽ<EFBFBD><CABD>
// 附加模拟键盘按下Shift+F10备用菜单触发方式
keybd_event(VK_SHIFT, 0, 0, 0);
keybd_event(VK_F10, 0, 0, 0);
keybd_event(VK_F10, 0, KEYEVENTF_KEYUP, 0);
@@ -614,17 +646,17 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
lResult = SendMessageA(hWnd, WM_NCHITTEST, NULL, msg->lParam);
break;
}
case HTCLOSE: {// <EFBFBD>رմ<EFBFBD><EFBFBD><EFBFBD>
case HTCLOSE: {// 关闭窗口
PostMessageA(hWnd, WM_CLOSE, 0, 0);
Mprintf("Close window: %s[%p]\n", GetTitle(hWnd).c_str(), hWnd);
break;
}
case HTMINBUTTON: {// <EFBFBD><EFBFBD>С<EFBFBD><EFBFBD>
case HTMINBUTTON: {// 最小化
PostMessageA(hWnd, WM_SYSCOMMAND, SC_MINIMIZE, 0);
Mprintf("Minsize window: %s[%p]\n", GetTitle(hWnd).c_str(), hWnd);
break;
}
case HTMAXBUTTON: {// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
case HTMAXBUTTON: {// 最大化
WINDOWPLACEMENT windowPlacement;
windowPlacement.length = sizeof(windowPlacement);
GetWindowPlacement(hWnd, &windowPlacement);
@@ -643,7 +675,7 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
HWND hStartButton = FindWindowA((PCHAR)"Button", NULL);
GetWindowRect(hStartButton, &startButtonRect);
if (PtInRect(&startButtonRect, m_point)) {
PostMessageA(hStartButton, BM_CLICK, 0, 0); // ģ<EFBFBD>ʼ<EFBFBD><EFBFBD>ť<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
PostMessageA(hStartButton, BM_CLICK, 0, 0); // 模拟开始按钮点击
continue;
} else {
char windowClass[MAX_PATH] = { 0 };
@@ -744,6 +776,33 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
}
return;
}
if (IsRunAsService()) {
// 获取当前活动桌面(带写权限,用于锁屏等安全桌面)
// 使用独立的静态变量避免与WorkThreadProc的g_hDesk并发冲突
static HDESK s_inputDesk = NULL;
static clock_t s_lastCheck = 0;
static DWORD s_lastThreadId = 0;
const int CHECK_INTERVAL = 100; // 桌面检测间隔ms快速响应锁屏/UAC切换
// 首次调用或定期检测桌面是否变化(降低频率,避免每次输入都检测)
auto now = clock();
if (!s_inputDesk || now - s_lastCheck > CHECK_INTERVAL) {
s_lastCheck = now;
if (SwitchToDesktopIfChanged(s_inputDesk, DESKTOP_WRITEOBJECTS | GENERIC_WRITE)) {
// 桌面变化时,标记需要重新设置线程桌面
s_lastThreadId = 0;
}
}
// 确保当前线程在正确的桌面上(仅首次或线程变化时设置)
if (s_inputDesk) {
DWORD currentThreadId = GetCurrentThreadId();
if (currentThreadId != s_lastThreadId) {
SetThreadDesktop(s_inputDesk);
s_lastThreadId = currentThreadId;
}
}
}
for (int i = 0; i < ulMsgCount; ++i, ptr += msgSize) {
MSG64* Msg = msgSize == 48 ? (MSG64*)ptr :
(MSG64*)msg64.Create(msg32.Create(ptr, msgSize));
@@ -773,7 +832,7 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
break;
}
switch(Msg->message) { //<EFBFBD>˿ڷ<EFBFBD><EFBFBD>ӿ<EFBFBD><EFBFBD>ݷ<EFBFBD>
switch(Msg->message) { //端口发加快递费
case WM_LBUTTONDOWN:
mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
break;
@@ -805,13 +864,25 @@ VOID CScreenManager::ProcessCommand(LPBYTE szBuffer, ULONG ulLength)
GET_WHEEL_DELTA_WPARAM(Msg->wParam), 0);
break;
case WM_KEYDOWN:
case WM_SYSKEYDOWN:
keybd_event(Msg->wParam, MapVirtualKey(Msg->wParam, 0), 0, 0);
case WM_SYSKEYDOWN: {
INPUT input = { 0 };
input.type = INPUT_KEYBOARD;
input.ki.wVk = (WORD)Msg->wParam;
input.ki.wScan = MapVirtualKey(Msg->wParam, 0);
input.ki.dwFlags = 0;
SendInput(1, &input, sizeof(INPUT));
break;
}
case WM_KEYUP:
case WM_SYSKEYUP:
keybd_event(Msg->wParam, MapVirtualKey(Msg->wParam, 0), KEYEVENTF_KEYUP, 0);
case WM_SYSKEYUP: {
INPUT input = { 0 };
input.type = INPUT_KEYBOARD;
input.ki.wVk = (WORD)Msg->wParam;
input.ki.wScan = MapVirtualKey(Msg->wParam, 0);
input.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1, &input, sizeof(INPUT));
break;
}
default:
break;
}

5
client/ScreenManager.h
View File

@@ -39,6 +39,7 @@ public:
VOID ProcessCommand(LPBYTE szBuffer, ULONG ulLength);
INT_PTR m_ptrUser;
HDESK g_hDesk;
BOOL m_isGDI;
std::string m_DesktopID;
BOOL m_bIsWorking;
BOOL m_bIsBlockInput;
@@ -52,7 +53,11 @@ public:
{
m_conn = conn;
}
bool IsRunAsService() const {
return m_conn ? m_conn->iStartup == Startup_GhostMsc : false;
}
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
BOOL m_virtual;
POINT m_point;
POINT m_lastPoint;
BOOL m_lmouseDown;

26
client/ScreenSpy.h
View File

@@ -9,7 +9,7 @@
#pragma once
#endif // _MSC_VER > 1000
#define COPY_ALL 1 // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֿ鿽<EFBFBD><EFBFBD><EFBFBD><EFBFBD>added by yuanyuanxiang 2019-1-7<EFBFBD><EFBFBD>
#define COPY_ALL 1 // 拷贝全部屏幕,不分块拷贝(added by yuanyuanxiang 2019-1-7
#include "CursorInfo.h"
#include "ScreenCapture.h"
@@ -83,15 +83,15 @@ private:
class CScreenSpy : public ScreenCapture
{
protected:
HDC m_hDeskTopDC; // <EFBFBD><EFBFBD>Ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
HDC m_hFullMemDC; // <EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
HDC m_hDiffMemDC; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
HBITMAP m_BitmapHandle; // <EFBFBD><EFBFBD>һ֡λͼ
HBITMAP m_DiffBitmapHandle; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>֡λͼ
PVOID m_BitmapData_Full; // <EFBFBD><EFBFBD>ǰλͼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
PVOID m_DiffBitmapData_Full; // <EFBFBD><EFBFBD><EFBFBD><EFBFBD>λͼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
HDC m_hDeskTopDC; // 屏幕上下文
HDC m_hFullMemDC; // 上一个上下文
HDC m_hDiffMemDC; // 差异上下文
HBITMAP m_BitmapHandle; // 上一帧位图
HBITMAP m_DiffBitmapHandle; // 差异帧位图
PVOID m_BitmapData_Full; // 当前位图数据
PVOID m_DiffBitmapData_Full; // 差异位图数据
BOOL m_bVirtualPaint;// <EFBFBD>Ƿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
BOOL m_bVirtualPaint;// 是否虚拟绘制
EnumHwndsPrintData m_data;
public:
@@ -198,6 +198,14 @@ public:
}
VOID ScanScreen(HDC hdcDest, HDC hdcSour, ULONG ulWidth, ULONG ulHeight);
// 重置桌面 DC桌面切换时调用
void ResetDesktopDC()
{
ReleaseDC(NULL, m_hDeskTopDC);
m_hDeskTopDC = GetDC(NULL);
m_data.Create(m_hDeskTopDC, m_iScreenX, m_iScreenY, m_ulFullWidth, m_ulFullHeight);
}
};
#endif // !defined(AFX_SCREENSPY_H__5F74528D_9ABD_404E_84D2_06C96A0615F4__INCLUDED_)

515
client/ServiceWrapper.c Normal file
View File

@@ -0,0 +1,515 @@
#include "ServiceWrapper.h"
#include "SessionMonitor.h"
#include <stdio.h>
#ifndef Mprintf
#ifdef _DEBUG
#define Mprintf printf
#else
#define Mprintf(format, ...)
#endif
#endif
// 外部声明
extern BOOL RunAsAgent(BOOL block);
// 静态变量
BOOL g_ServiceDirectMode = FALSE;
static SERVICE_STATUS g_ServiceStatus;
static SERVICE_STATUS_HANDLE g_StatusHandle = NULL;
static HANDLE g_StopEvent = INVALID_HANDLE_VALUE;
// 前向声明
static void WINAPI ServiceMain(DWORD argc, LPTSTR* argv);
static void WINAPI ServiceCtrlHandler(DWORD ctrlCode);
static void ServiceWriteLog(const char* message);
// 日志函数
static void ServiceWriteLog(const char* message) {
FILE* f;
SYSTEMTIME st;
f = fopen("C:\\GhostService.log", "a");
if (f) {
GetLocalTime(&st);
fprintf(f, "[%04d-%02d-%02d %02d:%02d:%02d] %s\n",
st.wYear, st.wMonth, st.wDay,
st.wHour, st.wMinute, st.wSecond,
message);
fclose(f);
}
}
BOOL ServiceWrapper_CheckStatus(BOOL* registered, BOOL* running,
char* exePath, size_t exePathSize)
{
SC_HANDLE hSCM = NULL;
SC_HANDLE hService = NULL;
BOOL result = FALSE;
SERVICE_STATUS_PROCESS ssp;
DWORD bytesNeeded = 0;
DWORD bufSize = 0;
LPQUERY_SERVICE_CONFIGA pConfig = NULL;
*registered = FALSE;
*running = FALSE;
if (exePath && exePathSize > 0) {
exePath[0] = '\0';
}
// 打开 SCM
hSCM = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
if (!hSCM) {
return FALSE;
}
// 打开服务
hService = OpenServiceA(
hSCM,
SERVICE_NAME,
SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG);
if (!hService) {
CloseServiceHandle(hSCM);
return FALSE; // 未注册
}
*registered = TRUE;
result = TRUE;
// 获取服务状态
memset(&ssp, 0, sizeof(ssp));
if (QueryServiceStatusEx(
hService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&bytesNeeded))
{
*running = (ssp.dwCurrentState == SERVICE_RUNNING);
}
// 获取 EXE 路径
if (exePath && exePathSize > 0) {
QueryServiceConfigA(hService, NULL, 0, &bufSize);
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
pConfig = (LPQUERY_SERVICE_CONFIGA)malloc(bufSize);
if (pConfig) {
if (QueryServiceConfigA(hService, pConfig, bufSize, &bufSize)) {
strncpy(exePath, pConfig->lpBinaryPathName, exePathSize - 1);
exePath[exePathSize - 1] = '\0';
}
free(pConfig);
}
}
}
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return result;
}
int ServiceWrapper_StartSimple(void)
{
SC_HANDLE hSCM = NULL;
SC_HANDLE hService = NULL;
BOOL ok;
int err;
// 打开SCM
hSCM = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
if (!hSCM) {
return (int)GetLastError();
}
// 打开服务并启动
hService = OpenServiceA(hSCM, SERVICE_NAME, SERVICE_START);
if (!hService) {
err = (int)GetLastError();
CloseServiceHandle(hSCM);
return err;
}
// 启动服务
ok = StartServiceA(hService, 0, NULL);
err = ok ? ERROR_SUCCESS : (int)GetLastError();
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return err;
}
int ServiceWrapper_Run(void)
{
DWORD err;
char buffer[256];
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = (LPSTR)SERVICE_NAME;
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
ServiceWriteLog("========================================");
ServiceWriteLog("ServiceWrapper_Run() called");
if (StartServiceCtrlDispatcher(ServiceTable) == FALSE) {
err = GetLastError();
sprintf(buffer, "StartServiceCtrlDispatcher failed: %d", (int)err);
ServiceWriteLog(buffer);
return (int)err;
}
return ERROR_SUCCESS;
}
static void WINAPI ServiceMain(DWORD argc, LPTSTR* argv)
{
HANDLE hThread;
(void)argc;
(void)argv;
ServiceWriteLog("ServiceMain() called");
g_StatusHandle = RegisterServiceCtrlHandler(
SERVICE_NAME,
ServiceCtrlHandler
);
if (g_StatusHandle == NULL) {
ServiceWriteLog("RegisterServiceCtrlHandler failed");
return;
}
ZeroMemory(&g_ServiceStatus, sizeof(g_ServiceStatus));
g_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwServiceSpecificExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
g_StopEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if (g_StopEvent == NULL) {
ServiceWriteLog("CreateEvent failed");
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = GetLastError();
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
return;
}
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
ServiceWriteLog("Service is now running");
hThread = CreateThread(NULL, 0, ServiceWrapper_WorkerThread, NULL, 0, NULL);
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
CloseHandle(g_StopEvent);
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 3;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
ServiceWriteLog("Service stopped");
}
static void WINAPI ServiceCtrlHandler(DWORD ctrlCode)
{
switch (ctrlCode) {
case SERVICE_CONTROL_STOP:
ServiceWriteLog("SERVICE_CONTROL_STOP received");
if (g_ServiceStatus.dwCurrentState != SERVICE_RUNNING)
break;
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 4;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
SetEvent(g_StopEvent);
break;
case SERVICE_CONTROL_INTERROGATE:
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
break;
default:
break;
}
}
// 服务工作线程
DWORD WINAPI ServiceWrapper_WorkerThread(LPVOID lpParam)
{
SessionMonitor monitor;
int heartbeatCount = 0;
char buf[128];
(void)lpParam; // 未使用参数
if (g_ServiceDirectMode) {
// 直接模式在服务进程中运行SYSTEM权限
ServiceWriteLog("Running in DIRECT mode (SYSTEM)");
RunAsAgent(FALSE);
WaitForSingleObject(g_StopEvent, INFINITE);
return ERROR_SUCCESS;
}
ServiceWriteLog("========================================");
ServiceWriteLog("Worker thread started");
ServiceWriteLog("Service will launch agent in user sessions");
// 初始化会话监控器
SessionMonitor_Init(&monitor);
if (!SessionMonitor_Start(&monitor)) {
ServiceWriteLog("ERROR: Failed to start session monitor");
SessionMonitor_Cleanup(&monitor);
return ERROR_SERVICE_SPECIFIC_ERROR;
}
ServiceWriteLog("Session monitor started successfully");
ServiceWriteLog("Agent will be launched automatically");
// 主循环,只等待停止信号
// SessionMonitor 会在后台自动:
// 1. 监控会话
// 2. 在用户会话中启动 agent.exe
// 3. 监视代理进程,如果退出自动重启
while (WaitForSingleObject(g_StopEvent, 10000) != WAIT_OBJECT_0) {
heartbeatCount++;
if (heartbeatCount % 6 == 0) { // 每60秒记录一次
sprintf(buf, "Service heartbeat - uptime: %d minutes", heartbeatCount);
ServiceWriteLog(buf);
}
}
ServiceWriteLog("Stop signal received");
ServiceWriteLog("Stopping session monitor...");
SessionMonitor_Stop(&monitor);
SessionMonitor_Cleanup(&monitor);
ServiceWriteLog("Worker thread exiting");
ServiceWriteLog("========================================");
return ERROR_SUCCESS;
}
void ServiceWrapper_Install(void)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
char szPath[MAX_PATH];
SERVICE_DESCRIPTION sd;
SERVICE_STATUS status;
DWORD err;
schSCManager = OpenSCManager(
NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
Mprintf("ERROR: OpenSCManager failed (%d)\n", (int)GetLastError());
Mprintf("Please run as Administrator\n");
return;
}
if (!GetModuleFileName(NULL, szPath, MAX_PATH)) {
Mprintf("ERROR: GetModuleFileName failed (%d)\n", (int)GetLastError());
CloseServiceHandle(schSCManager);
return;
}
Mprintf("Installing service...\n");
Mprintf("Executable path: %s\n", szPath);
schService = CreateService(
schSCManager,
SERVICE_NAME,
SERVICE_DISPLAY,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
szPath,
NULL, NULL, NULL, NULL, NULL
);
if (schService == NULL) {
err = GetLastError();
if (err == ERROR_SERVICE_EXISTS) {
Mprintf("INFO: Service already exists\n");
// 打开已存在的服务
schService = OpenService(schSCManager, SERVICE_NAME, SERVICE_ALL_ACCESS);
if (schService) {
Mprintf("SUCCESS: Service is already installed\n");
CloseServiceHandle(schService);
}
}
else if (err == ERROR_ACCESS_DENIED) {
Mprintf("ERROR: Access denied. Please run as Administrator\n");
}
else {
Mprintf("ERROR: CreateService failed (%d)\n", (int)err);
}
CloseServiceHandle(schSCManager);
return;
}
Mprintf("SUCCESS: Service created successfully\n");
// 设置服务描述
sd.lpDescription = (LPSTR)SERVICE_DESC;
if (ChangeServiceConfig2(schService, SERVICE_CONFIG_DESCRIPTION, &sd)) {
Mprintf("SUCCESS: Service description set\n");
}
// 立即启动服务
Mprintf("Starting service...\n");
if (StartService(schService, 0, NULL)) {
Mprintf("SUCCESS: Service started successfully\n");
// 等待服务启动
Sleep(2000);
// 检查服务状态
if (QueryServiceStatus(schService, &status)) {
if (status.dwCurrentState == SERVICE_RUNNING) {
Mprintf("SUCCESS: Service is running\n");
}
else {
Mprintf("WARNING: Service state: %d\n", (int)status.dwCurrentState);
}
}
}
else {
err = GetLastError();
if (err == ERROR_SERVICE_ALREADY_RUNNING) {
Mprintf("INFO: Service is already running\n");
}
else {
Mprintf("WARNING: StartService failed (%d)\n", (int)err);
Mprintf("You can start it manually using: net start %s\n", SERVICE_NAME);
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
Mprintf("\n=== Installation Complete ===\n");
Mprintf("Service installed successfully!\n");
Mprintf("\n");
Mprintf("IMPORTANT: This is a single-executable design.\n");
Mprintf("The service will launch '%s -agent' in user sessions.\n", szPath);
Mprintf("\n");
Mprintf("Logs will be written to:\n");
Mprintf(" - C:\\GhostService.log (service logs)\n");
Mprintf(" - C:\\SessionMonitor.log (session monitor logs)\n");
Mprintf("\n");
Mprintf("Commands:\n");
Mprintf(" To verify: sc query %s\n", SERVICE_NAME);
Mprintf(" To start: net start %s\n", SERVICE_NAME);
Mprintf(" To stop: net stop %s\n", SERVICE_NAME);
}
void ServiceWrapper_Uninstall(void)
{
SC_HANDLE schSCManager;
SC_HANDLE schService;
SERVICE_STATUS status;
int waitCount;
DWORD err;
schSCManager = OpenSCManager(
NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
Mprintf("ERROR: OpenSCManager failed (%d)\n", (int)GetLastError());
Mprintf("Please run as Administrator\n");
return;
}
schService = OpenService(
schSCManager,
SERVICE_NAME,
SERVICE_STOP | DELETE
);
if (schService == NULL) {
Mprintf("ERROR: OpenService failed (%d)\n", (int)GetLastError());
Mprintf("Service may not be installed\n");
CloseServiceHandle(schSCManager);
return;
}
Mprintf("Stopping service...\n");
if (ControlService(schService, SERVICE_CONTROL_STOP, &status)) {
Mprintf("Waiting for service to stop");
Sleep(1000);
waitCount = 0;
while (QueryServiceStatus(schService, &status) && waitCount < 30) {
if (status.dwCurrentState == SERVICE_STOP_PENDING) {
Mprintf(".");
Sleep(1000);
waitCount++;
}
else {
break;
}
}
Mprintf("\n");
if (status.dwCurrentState == SERVICE_STOPPED) {
Mprintf("SUCCESS: Service stopped\n");
}
else {
Mprintf("WARNING: Service may not have stopped completely\n");
}
}
else {
err = GetLastError();
if (err == ERROR_SERVICE_NOT_ACTIVE) {
Mprintf("INFO: Service was not running\n");
}
else {
Mprintf("WARNING: Failed to stop service (%d)\n", (int)err);
}
}
Mprintf("Deleting service...\n");
if (DeleteService(schService)) {
Mprintf("SUCCESS: Service uninstalled successfully\n");
}
else {
Mprintf("ERROR: DeleteService failed (%d)\n", (int)GetLastError());
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
Mprintf("\n=== Uninstallation Complete ===\n");
}

63
client/ServiceWrapper.h Normal file
View File

@@ -0,0 +1,63 @@
#ifndef SERVICE_WRAPPER_H
#define SERVICE_WRAPPER_H
#include <windows.h>
#ifdef __cplusplus
extern "C" {
#endif
// 服务配置:根据需要可修改这些参数
#define SERVICE_NAME "RemoteControlService"
#define SERVICE_DISPLAY "Remote Control Service"
#define SERVICE_DESC "Provides remote desktop control functionality"
/*
# 停止服务
net stop RemoteControlService
# 查看状态(应该显示 STOPPED
sc query RemoteControlService
# 启动服务
net start RemoteControlService
# 再次查看状态(应该显示 RUNNING
sc query RemoteControlService
*/
// 直接模式标志
extern BOOL g_ServiceDirectMode;
// 检查服务状态
// 参数:
// registered - 输出参数,服务是否已注册
// running - 输出参数,服务是否正在运行
// exePath - 输出参数服务可执行文件路径可为NULL
// exePathSize - exePath缓冲区大小
// 返回: 成功返回TRUE
BOOL ServiceWrapper_CheckStatus(BOOL* registered, BOOL* running,
char* exePath, size_t exePathSize);
// 简单启动服务
// 返回: ERROR_SUCCESS 或错误码
int ServiceWrapper_StartSimple(void);
// 运行服务(作为服务主入口)
// 返回: ERROR_SUCCESS 或错误码
int ServiceWrapper_Run(void);
// 安装服务
void ServiceWrapper_Install(void);
// 卸载服务
void ServiceWrapper_Uninstall(void);
// 服务工作线程
DWORD WINAPI ServiceWrapper_WorkerThread(LPVOID lpParam);
#ifdef __cplusplus
}
#endif
#endif /* SERVICE_WRAPPER_H */

565
client/SessionMonitor.c Normal file
View File

@@ -0,0 +1,565 @@
#include "SessionMonitor.h"
#include <stdio.h>
#include <tlhelp32.h>
#include <userenv.h>
#pragma comment(lib, "userenv.lib")
// <20><>̬<EFBFBD><CCAC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD>
#define INITIAL_CAPACITY 4
// ǰ<><C7B0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
static DWORD WINAPI MonitorThreadProc(LPVOID param);
static void MonitorLoop(SessionMonitor* self);
static BOOL LaunchAgentInSession(SessionMonitor* self, DWORD sessionId);
static BOOL IsAgentRunningInSession(SessionMonitor* self, DWORD sessionId);
static void TerminateAllAgents(SessionMonitor* self);
static void CleanupDeadProcesses(SessionMonitor* self);
static void SessionMonitor_WriteLog(const char* message);
// <20><>̬<EFBFBD><CCAC><EFBFBD><EFBFBD><E9B8A8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
static void AgentArray_Init(AgentProcessArray* arr);
static void AgentArray_Free(AgentProcessArray* arr);
static BOOL AgentArray_Add(AgentProcessArray* arr, const AgentProcessInfo* info);
static void AgentArray_RemoveAt(AgentProcessArray* arr, size_t index);
// ============================================
// <20><>̬<EFBFBD><CCAC><EFBFBD><EFBFBD>ʵ<EFBFBD><CAB5>
// ============================================
static void AgentArray_Init(AgentProcessArray* arr)
{
arr->items = NULL;
arr->count = 0;
arr->capacity = 0;
}
static void AgentArray_Free(AgentProcessArray* arr)
{
if (arr->items) {
free(arr->items);
arr->items = NULL;
}
arr->count = 0;
arr->capacity = 0;
}
static BOOL AgentArray_Add(AgentProcessArray* arr, const AgentProcessInfo* info)
{
size_t newCapacity;
AgentProcessInfo* newItems;
// <20><>Ҫ<EFBFBD><D2AA><EFBFBD><EFBFBD>
if (arr->count >= arr->capacity) {
newCapacity = arr->capacity == 0 ? INITIAL_CAPACITY : arr->capacity * 2;
newItems = (AgentProcessInfo*)realloc(
arr->items, newCapacity * sizeof(AgentProcessInfo));
if (!newItems) {
return FALSE;
}
arr->items = newItems;
arr->capacity = newCapacity;
}
arr->items[arr->count] = *info;
arr->count++;
return TRUE;
}
static void AgentArray_RemoveAt(AgentProcessArray* arr, size_t index)
{
size_t i;
if (index >= arr->count) {
return;
}
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ԫ<EFBFBD><D4AA>ǰ<EFBFBD><C7B0>
for (i = index; i < arr->count - 1; i++) {
arr->items[i] = arr->items[i + 1];
}
arr->count--;
}
// ============================================
// <20><>־<EFBFBD><D6BE><EFBFBD><EFBFBD>
// ============================================
static void SessionMonitor_WriteLog(const char* message)
{
FILE* f;
SYSTEMTIME st;
f = fopen("C:\\SessionMonitor.log", "a");
if (f) {
GetLocalTime(&st);
fprintf(f, "[%04d-%02d-%02d %02d:%02d:%02d] %s\n",
st.wYear, st.wMonth, st.wDay,
st.wHour, st.wMinute, st.wSecond, message);
fclose(f);
}
}
// ============================================
// <20><><EFBFBD><EFBFBD><EFBFBD>ӿ<EFBFBD>ʵ<EFBFBD><CAB5>
// ============================================
void SessionMonitor_Init(SessionMonitor* self)
{
self->monitorThread = NULL;
self->running = FALSE;
InitializeCriticalSection(&self->csProcessList);
AgentArray_Init(&self->agentProcesses);
}
void SessionMonitor_Cleanup(SessionMonitor* self)
{
SessionMonitor_Stop(self);
DeleteCriticalSection(&self->csProcessList);
AgentArray_Free(&self->agentProcesses);
}
BOOL SessionMonitor_Start(SessionMonitor* self)
{
if (self->running) {
SessionMonitor_WriteLog("Monitor already running");
return TRUE;
}
SessionMonitor_WriteLog("========================================");
SessionMonitor_WriteLog("Starting session monitor...");
self->running = TRUE;
self->monitorThread = CreateThread(NULL, 0, MonitorThreadProc, self, 0, NULL);
if (!self->monitorThread) {
SessionMonitor_WriteLog("ERROR: Failed to create monitor thread");
self->running = FALSE;
return FALSE;
}
SessionMonitor_WriteLog("Session monitor thread created");
return TRUE;
}
void SessionMonitor_Stop(SessionMonitor* self)
{
if (!self->running) {
return;
}
SessionMonitor_WriteLog("Stopping session monitor...");
self->running = FALSE;
if (self->monitorThread) {
WaitForSingleObject(self->monitorThread, 10000);
CloseHandle(self->monitorThread);
self->monitorThread = NULL;
}
// <20><>ֹ<EFBFBD><D6B9><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
SessionMonitor_WriteLog("Terminating all agent processes...");
TerminateAllAgents(self);
SessionMonitor_WriteLog("Session monitor stopped");
SessionMonitor_WriteLog("========================================");
}
// ============================================
// <20>ڲ<EFBFBD><DAB2><EFBFBD><EFBFBD><EFBFBD>ʵ<EFBFBD><CAB5>
// ============================================
static DWORD WINAPI MonitorThreadProc(LPVOID param)
{
SessionMonitor* monitor = (SessionMonitor*)param;
MonitorLoop(monitor);
return 0;
}
static void MonitorLoop(SessionMonitor* self)
{
int loopCount = 0;
PWTS_SESSION_INFO pSessionInfo = NULL;
DWORD dwCount = 0;
DWORD i;
BOOL foundActiveSession;
DWORD sessionId;
char buf[256];
int j;
SessionMonitor_WriteLog("Monitor loop started");
while (self->running) {
loopCount++;
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֹ<EFBFBD>Ľ<EFBFBD><C4BD><EFBFBD>
CleanupDeadProcesses(self);
// ö<><C3B6><EFBFBD><EFBFBD><EFBFBD>лỰ
pSessionInfo = NULL;
dwCount = 0;
if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1,
&pSessionInfo, &dwCount)) {
foundActiveSession = FALSE;
for (i = 0; i < dwCount; i++) {
if (pSessionInfo[i].State == WTSActive) {
sessionId = pSessionInfo[i].SessionId;
foundActiveSession = TRUE;
// <20><>¼<EFBFBD><EFBFBD><EFBFBD><E1BBB0>ÿ5<C3BF><35>ѭ<EFBFBD><D1AD><EFBFBD><EFBFBD>¼һ<C2BC>Σ<EFBFBD><CEA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>־<EFBFBD><D6BE><EFBFBD>
if (loopCount % 5 == 1) {
sprintf(buf, "Active session found: ID=%d, Name=%s",
(int)sessionId,
pSessionInfo[i].pWinStationName);
SessionMonitor_WriteLog(buf);
}
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7>ڸûỰ<C3BB><E1BBB0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (!IsAgentRunningInSession(self, sessionId)) {
sprintf(buf, "Agent not running in session %d, launching...", (int)sessionId);
SessionMonitor_WriteLog(buf);
if (LaunchAgentInSession(self, sessionId)) {
SessionMonitor_WriteLog("Agent launched successfully");
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һЩʱ<D0A9><CAB1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Sleep(2000);
}
else {
SessionMonitor_WriteLog("Failed to launch agent");
}
}
// ֻ<><D6BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD>
break;
}
}
if (!foundActiveSession && loopCount % 5 == 1) {
SessionMonitor_WriteLog("No active sessions found");
}
WTSFreeMemory(pSessionInfo);
}
else {
if (loopCount % 5 == 1) {
SessionMonitor_WriteLog("WTSEnumerateSessions failed");
}
}
// ÿ10<31><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>
for (j = 0; j < 100 && self->running; j++) {
Sleep(100);
}
}
SessionMonitor_WriteLog("Monitor loop exited");
}
static BOOL IsAgentRunningInSession(SessionMonitor* self, DWORD sessionId)
{
char currentExeName[MAX_PATH];
char* pFileName;
DWORD currentPID;
HANDLE hSnapshot;
PROCESSENTRY32 pe32;
BOOL found = FALSE;
DWORD procSessionId;
(void)self; // δʹ<CEB4><CAB9>
// <20><>ȡ<EFBFBD><C8A1>ǰ<EFBFBD><C7B0><EFBFBD>̵<EFBFBD> exe <20><><EFBFBD><EFBFBD>
if (!GetModuleFileName(NULL, currentExeName, MAX_PATH)) {
return FALSE;
}
// <20><>ȡ<EFBFBD>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD>
pFileName = strrchr(currentExeName, '\\');
if (pFileName) {
pFileName++;
}
else {
pFileName = currentExeName;
}
// <20><>ȡ<EFBFBD><C8A1>ǰ<EFBFBD><C7B0><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD> PID
currentPID = GetCurrentProcessId();
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̿<EFBFBD><CCBF><EFBFBD>
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
SessionMonitor_WriteLog("CreateToolhelp32Snapshot failed");
return FALSE;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapshot, &pe32)) {
do {
// <20><><EFBFBD><EFBFBD>ͬ<EFBFBD><CDAC><EFBFBD><EFBFBD> exe<78><65>ghost.exe<78><65>
if (_stricmp(pe32.szExeFile, pFileName) == 0) {
// <20>ų<EFBFBD><C5B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Լ<EFBFBD>
if (pe32.th32ProcessID == currentPID) {
continue;
}
// <20><>ȡ<EFBFBD><C8A1><EFBFBD>̵ĻỰID
if (ProcessIdToSessionId(pe32.th32ProcessID, &procSessionId)) {
if (procSessionId == sessionId) {
// <20>ҵ<EFBFBD><D2B5>ˣ<EFBFBD>ͬ<EFBFBD><CDAC> exe<78><65><EFBFBD><EFBFBD>ͬ PID<49><44><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><E1BBB0>
found = TRUE;
break;
}
}
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
return found;
}
// <20><>ֹ<EFBFBD><D6B9><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
static void TerminateAllAgents(SessionMonitor* self)
{
char buf[256];
size_t i;
AgentProcessInfo* info;
DWORD exitCode;
EnterCriticalSection(&self->csProcessList);
sprintf(buf, "Terminating %d agent process(es)", (int)self->agentProcesses.count);
SessionMonitor_WriteLog(buf);
for (i = 0; i < self->agentProcesses.count; i++) {
info = &self->agentProcesses.items[i];
sprintf(buf, "Terminating agent PID=%d (Session %d)",
(int)info->processId, (int)info->sessionId);
SessionMonitor_WriteLog(buf);
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (GetExitCodeProcess(info->hProcess, &exitCode)) {
if (exitCode == STILL_ACTIVE) {
// <20><><EFBFBD>̻<EFBFBD><CCBB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD><D0A3><EFBFBD>ֹ
if (!TerminateProcess(info->hProcess, 0)) {
sprintf(buf, "WARNING: Failed to terminate PID=%d, error=%d",
(int)info->processId, (int)GetLastError());
SessionMonitor_WriteLog(buf);
}
else {
SessionMonitor_WriteLog("Agent terminated successfully");
// <20>ȴ<EFBFBD><C8B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȫ<EFBFBD>˳<EFBFBD>
WaitForSingleObject(info->hProcess, 5000);
}
}
else {
sprintf(buf, "Agent PID=%d already exited with code %d",
(int)info->processId, (int)exitCode);
SessionMonitor_WriteLog(buf);
}
}
CloseHandle(info->hProcess);
}
self->agentProcesses.count = 0; // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
LeaveCriticalSection(&self->csProcessList);
SessionMonitor_WriteLog("All agents terminated");
}
// <20><><EFBFBD><EFBFBD><EFBFBD>Ѿ<EFBFBD><D1BE><EFBFBD>ֹ<EFBFBD>Ľ<EFBFBD><C4BD><EFBFBD>
static void CleanupDeadProcesses(SessionMonitor* self)
{
size_t i;
AgentProcessInfo* info;
DWORD exitCode;
char buf[256];
EnterCriticalSection(&self->csProcessList);
i = 0;
while (i < self->agentProcesses.count) {
info = &self->agentProcesses.items[i];
if (GetExitCodeProcess(info->hProcess, &exitCode)) {
if (exitCode != STILL_ACTIVE) {
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˳<EFBFBD>
sprintf(buf, "Agent PID=%d exited with code %d, cleaning up",
(int)info->processId, (int)exitCode);
SessionMonitor_WriteLog(buf);
CloseHandle(info->hProcess);
AgentArray_RemoveAt(&self->agentProcesses, i);
continue; // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> i<><69><EFBFBD><EFBFBD>Ϊɾ<CEAA><C9BE><EFBFBD><EFBFBD>Ԫ<EFBFBD><D4AA>
}
}
else {
// <20>޷<EFBFBD><DEB7><EFBFBD>ȡ<EFBFBD>˳<EFBFBD><CBB3><EFBFBD><EFBFBD><EFBFBD><EBA3AC><EFBFBD>ܽ<EFBFBD><DCBD><EFBFBD><EFBFBD>Ѳ<EFBFBD><D1B2><EFBFBD><EFBFBD><EFBFBD>
sprintf(buf, "Cannot query agent PID=%d, removing from list",
(int)info->processId);
SessionMonitor_WriteLog(buf);
CloseHandle(info->hProcess);
AgentArray_RemoveAt(&self->agentProcesses, i);
continue;
}
i++;
}
LeaveCriticalSection(&self->csProcessList);
}
static BOOL LaunchAgentInSession(SessionMonitor* self, DWORD sessionId)
{
char buf[512];
HANDLE hToken = NULL;
HANDLE hDupToken = NULL;
HANDLE hUserToken = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
LPVOID lpEnvironment = NULL;
char exePath[MAX_PATH];
char cmdLine[MAX_PATH + 20];
DWORD fileAttr;
BOOL result;
AgentProcessInfo info;
DWORD err;
memset(&si, 0, sizeof(si));
memset(&pi, 0, sizeof(pi));
sprintf(buf, "Attempting to launch agent in session %d", (int)sessionId);
SessionMonitor_WriteLog(buf);
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = (LPSTR)"winsta0\\default"; // <20>ؼ<EFBFBD><D8BC><EFBFBD>ָ<EFBFBD><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <20><>ȡ<EFBFBD><C8A1>ǰ<EFBFBD><C7B0><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD> SYSTEM <20><><EFBFBD><EFBFBD>
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &hToken)) {
sprintf(buf, "OpenProcessToken failed: %d", (int)GetLastError());
SessionMonitor_WriteLog(buf);
return FALSE;
}
// <20><><EFBFBD><EFBFBD>Ϊ<EFBFBD><CEAA><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD><DAB4><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD><CCB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
SecurityImpersonation, TokenPrimary, &hDupToken)) {
sprintf(buf, "DuplicateTokenEx failed: %d", (int)GetLastError());
SessionMonitor_WriteLog(buf);
CloseHandle(hToken);
return FALSE;
}
// <20>޸<EFBFBD><DEB8><EFBFBD><EFBFBD>ƵĻỰ ID ΪĿ<CEAA><C4BF><EFBFBD>û<EFBFBD><C3BB>
if (!SetTokenInformation(hDupToken, TokenSessionId, &sessionId, sizeof(sessionId))) {
sprintf(buf, "SetTokenInformation failed: %d", (int)GetLastError());
SessionMonitor_WriteLog(buf);
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
SessionMonitor_WriteLog("Token duplicated");
// <20><>ȡ<EFBFBD><C8A1>ǰ<EFBFBD><C7B0><EFBFBD><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Լ<EFBFBD><D4BC><EFBFBD>
if (!GetModuleFileName(NULL, exePath, MAX_PATH)) {
SessionMonitor_WriteLog("GetModuleFileName failed");
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
sprintf(buf, "Service path: %s", exePath);
SessionMonitor_WriteLog(buf);
// <20><><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD><EFBFBD>
fileAttr = GetFileAttributes(exePath);
if (fileAttr == INVALID_FILE_ATTRIBUTES) {
sprintf(buf, "ERROR: Executable not found at: %s", exePath);
SessionMonitor_WriteLog(buf);
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD>ͬһ<CDAC><D2BB> exe<78><65> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> -agent <20><><EFBFBD><EFBFBD>
sprintf(cmdLine, "\"%s\" -agent", exePath);
sprintf(buf, "Command line: %s", cmdLine);
SessionMonitor_WriteLog(buf);
// <20><>ȡ<EFBFBD>û<EFBFBD><C3BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڻ<EFBFBD><DABB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (!WTSQueryUserToken(sessionId, &hUserToken)) {
sprintf(buf, "WTSQueryUserToken failed: %d", (int)GetLastError());
SessionMonitor_WriteLog(buf);
}
// ʹ<><CAB9><EFBFBD>û<EFBFBD><C3BB><EFBFBD><EFBFBD>ƴ<EFBFBD><C6B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (hUserToken) {
if (!CreateEnvironmentBlock(&lpEnvironment, hUserToken, FALSE)) {
SessionMonitor_WriteLog("CreateEnvironmentBlock failed");
}
CloseHandle(hUserToken);
}
// <20><><EFBFBD>û<EFBFBD><C3BB><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
result = CreateProcessAsUser(
hDupToken,
NULL, // Ӧ<>ó<EFBFBD><C3B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>н<EFBFBD><D0BD><EFBFBD><EFBFBD><EFBFBD>
cmdLine, // <20><><EFBFBD><EFBFBD><EFBFBD>в<EFBFBD><D0B2><EFBFBD><EFBFBD><EFBFBD>ghost.exe -agent
NULL, // <20><><EFBFBD>̰<EFBFBD>ȫ<EFBFBD><C8AB><EFBFBD><EFBFBD>
NULL, // <20>̰߳<DFB3>ȫ<EFBFBD><C8AB><EFBFBD><EFBFBD>
FALSE, // <20><><EFBFBD>̳о<CCB3><D0BE><EFBFBD>
NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT, // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>־
lpEnvironment, // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
NULL, // <20><>ǰĿ¼
&si,
&pi
);
if (lpEnvironment) {
DestroyEnvironmentBlock(lpEnvironment);
}
if (result) {
sprintf(buf, "SUCCESS: Agent process created (PID=%d)", (int)pi.dwProcessId);
SessionMonitor_WriteLog(buf);
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ<EFBFBD><CFA2><EFBFBD>Ա<EFBFBD>ֹͣʱ<D6B9><CAB1><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֹ<EFBFBD><D6B9>
EnterCriticalSection(&self->csProcessList);
info.processId = pi.dwProcessId;
info.sessionId = sessionId;
info.hProcess = pi.hProcess; // <20><><EFBFBD>رվ<D8B1><D5BE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ں<EFBFBD><DABA><EFBFBD><EFBFBD><EFBFBD>ֹ
AgentArray_Add(&self->agentProcesses, &info);
LeaveCriticalSection(&self->csProcessList);
CloseHandle(pi.hThread); // <20>߳̾<DFB3><CCBE><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Թر<D4B9>
}
else {
err = GetLastError();
sprintf(buf, "CreateProcessAsUser failed: %d", (int)err);
SessionMonitor_WriteLog(buf);
// <20><EFBFBD><E1B9A9><EFBFBD><EFBFBD>ϸ<EFBFBD>Ĵ<EFBFBD><C4B4><EFBFBD><EFBFBD><EFBFBD>Ϣ
if (err == ERROR_FILE_NOT_FOUND) {
SessionMonitor_WriteLog("ERROR: ghost_agent.exe not found");
}
else if (err == ERROR_ACCESS_DENIED) {
SessionMonitor_WriteLog("ERROR: Access denied - service may not have sufficient privileges");
}
else if (err == 1314) {
SessionMonitor_WriteLog("ERROR: Service does not have SE_INCREASE_QUOTA privilege");
}
}
CloseHandle(hDupToken);
CloseHandle(hToken);
return result;
}

51
client/SessionMonitor.h Normal file
View File

@@ -0,0 +1,51 @@
#ifndef SESSION_MONITOR_H
#define SESSION_MONITOR_H
#include <windows.h>
#include <wtsapi32.h>
#ifdef __cplusplus
extern "C" {
#endif
#pragma comment(lib, "wtsapi32.lib")
// 代理进程信息
typedef struct AgentProcessInfo {
DWORD processId;
DWORD sessionId;
HANDLE hProcess;
} AgentProcessInfo;
// 代理进程数组(动态数组)
typedef struct AgentProcessArray {
AgentProcessInfo* items;
size_t count;
size_t capacity;
} AgentProcessArray;
// 会话监控器结构
typedef struct SessionMonitor {
HANDLE monitorThread;
BOOL running;
CRITICAL_SECTION csProcessList;
AgentProcessArray agentProcesses;
} SessionMonitor;
// 初始化会话监控器
void SessionMonitor_Init(SessionMonitor* self);
// 清理会话监控器资源
void SessionMonitor_Cleanup(SessionMonitor* self);
// 启动会话监控
BOOL SessionMonitor_Start(SessionMonitor* self);
// 停止会话监控
void SessionMonitor_Stop(SessionMonitor* self);
#ifdef __cplusplus
}
#endif
#endif /* SESSION_MONITOR_H */

9
client/ghost_vs2015.vcxproj
View File

@@ -95,7 +95,7 @@
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>$(SolutionDir);./;$(WindowsSdkDir_81)Include\um;$(WindowsSdkDir_81)Include\shared;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PreprocessorDefinitions>_CONSOLE;ZLIB_WINAPI;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>_CONSOLE;ZLIB_WINAPI;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
@@ -114,7 +114,7 @@
<Optimization>Disabled</Optimization>
<AdditionalIncludeDirectories>$(SolutionDir);./;$(WindowsSdkDir_81)Include\um;$(WindowsSdkDir_81)Include\shared;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<PreprocessorDefinitions>_CONSOLE;ZLIB_WINAPI;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>_CONSOLE;ZLIB_WINAPI;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<MinimalRebuild>false</MinimalRebuild>
</ClCompile>
@@ -199,6 +199,8 @@
<ClCompile Include="ScreenManager.cpp" />
<ClCompile Include="ScreenSpy.cpp" />
<ClCompile Include="ServicesManager.cpp" />
<ClCompile Include="ServiceWrapper.c" />
<ClCompile Include="SessionMonitor.c" />
<ClCompile Include="ShellManager.cpp" />
<ClCompile Include="StdAfx.cpp" />
<ClCompile Include="SystemManager.cpp" />
@@ -218,6 +220,7 @@
<ClInclude Include="auto_start.h" />
<ClInclude Include="Buffer.h" />
<ClInclude Include="CaptureVideo.h" />
<ClInclude Include="ClientApp.h" />
<ClInclude Include="clip.h" />
<ClInclude Include="Common.h" />
<ClInclude Include="CursorInfo.h" />
@@ -241,6 +244,8 @@
<ClInclude Include="ScreenManager.h" />
<ClInclude Include="ScreenSpy.h" />
<ClInclude Include="ServicesManager.h" />
<ClInclude Include="ServiceWrapper.h" />
<ClInclude Include="SessionMonitor.h" />
<ClInclude Include="ShellManager.h" />
<ClInclude Include="StdAfx.h" />
<ClInclude Include="SystemManager.h" />

5
client/reg_startup.c
View File

@@ -287,7 +287,7 @@ BOOL CreateDirectoryRecursively(const char* path)
return TRUE;
}
int RegisterStartup(const char* startupName, const char* exeName)
int RegisterStartup(const char* startupName, const char* exeName, bool lockFile)
{
#ifdef _DEBUG
return 1;
@@ -337,7 +337,8 @@ int RegisterStartup(const char* startupName, const char* exeName)
}
int status = CreateScheduledTask(startupName, dstFile, TRUE, NULL, FALSE);
Mprintf("<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ƻ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: %s!\n", status == 0 ? "<EFBFBD>ɹ<EFBFBD>" : "ʧ<EFBFBD><EFBFBD>");
CreateFileA(curFile, GENERIC_READ, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (lockFile)
CreateFileA(curFile, GENERIC_READ, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
return 1;
}

3
client/reg_startup.h
View File

@@ -1,4 +1,5 @@
#pragma once
#include <stdbool.h>
// return > 0 means to continue running else terminate.
int RegisterStartup(const char* startupName, const char* exeName);
int RegisterStartup(const char* startupName, const char* exeName, bool lockFile);

2
client/test.cpp
View File

@@ -212,7 +212,7 @@ public:
int main(int argc, const char *argv[])
{
// ע<><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
int r = RegisterStartup("Client Demo", "ClientDemo");
int r = RegisterStartup("Client Demo", "ClientDemo", true);
if (r <= 0) {
BOOL s = self_del();
if (!IsDebug)return r;

1
common/commands.h
View File

@@ -541,6 +541,7 @@ enum TestRunType {
Startup_InjDLL, // Զ<><D4B6>ע<EFBFBD><D7A2> DLL<4C><4C>ע<EFBFBD><D7A2>DLL·<4C><C2B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>DLL<4C><4C>
Startup_Shellcode, // <20><><EFBFBD><EFBFBD> Shell code <20><><EFBFBD>ڵ<EFBFBD>ǰ<EFBFBD><C7B0><EFBFBD><EFBFBD>ִ<EFBFBD><D6B4>shell code <20><>
Startup_InjSC, // Զ<><D4B6> Shell code <20><>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD><D6B4>shell code <20><>
Startup_GhostMsc, // Windows <20><><EFBFBD><EFBFBD>
};
inline int MemoryFind(const char* szBuffer, const char* Key, int iBufferSize, int iKeySize)

222
server/2015Remote/2015Remote.cpp
View File

@@ -1,5 +1,5 @@
// 2015Remote.cpp : <EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ӧ<EFBFBD>ó<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><EFBFBD>
// 2015Remote.cpp : 定义应用程序的类行为。
//
#include "stdafx.h"
@@ -10,11 +10,12 @@
#define new DEBUG_NEW
#endif
// dump<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// dump相关
#include <io.h>
#include <direct.h>
#include <DbgHelp.h>
#include "IOCPUDPServer.h"
#include "ServerServiceWrapper.h"
#pragma comment(lib, "Dbghelp.lib")
CMy2015RemoteApp* GetThisApp()
@@ -35,24 +36,38 @@ std::string GetMasterHash()
}
/**
* @brief <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>δ֪BUG<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ֹʱ<EFBFBD><EFBFBD><EFBFBD>ô˺<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
* <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ת<EFBFBD><EFBFBD>dump<EFBFBD>ļ<EFBFBD><EFBFBD><EFBFBD>dumpĿ¼.
* @brief 程序遇到未知BUG导致终止时调用此函数不弹框
* 并且转储dump文件到dump目录.
*/
long WINAPI whenbuged(_EXCEPTION_POINTERS *excp)
{
// <EFBFBD><EFBFBD>ȡdump<EFBFBD>ļ<EFBFBD><EFBFBD>У<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڣ<EFBFBD><EFBFBD>򴴽<EFBFBD>֮
char dump[_MAX_PATH], *p = dump;
GetModuleFileNameA(NULL, dump, _MAX_PATH);
while (*p) ++p;
while ('\\' != *p) --p;
strcpy(p + 1, "dump");
if (_access(dump, 0) == -1)
_mkdir(dump);
char curTime[64];// <20><>ǰdump<6D>ļ<EFBFBD>
time_t TIME(time(0));
strftime(curTime, 64, "\\YAMA_%Y-%m-%d %H%M%S.dmp", localtime(&TIME));
strcat(dump, curTime);
HANDLE hFile = ::CreateFileA(dump, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
// 获取dump文件夹,若不存在,则创建之
char dumpDir[_MAX_PATH];
char dumpFile[_MAX_PATH + 64];
if (!GetModuleFileNameA(NULL, dumpDir, _MAX_PATH)) {
return EXCEPTION_EXECUTE_HANDLER;
}
char* p = strrchr(dumpDir, '\\');
if (p) {
strcpy_s(p + 1, _MAX_PATH - (p - dumpDir + 1), "dump");
} else {
strcpy_s(dumpDir, _MAX_PATH, "dump");
}
if (_access(dumpDir, 0) == -1)
_mkdir(dumpDir);
// 构建完整的dump文件路径
char curTime[64];
time_t TIME = time(0);
struct tm localTime;
localtime_s(&localTime, &TIME);
strftime(curTime, sizeof(curTime), "\\YAMA_%Y-%m-%d %H%M%S.dmp", &localTime);
sprintf_s(dumpFile, sizeof(dumpFile), "%s%s", dumpDir, curTime);
HANDLE hFile = ::CreateFileA(dumpFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL);
if(INVALID_HANDLE_VALUE != hFile) {
MINIDUMP_EXCEPTION_INFORMATION einfo = {::GetCurrentThreadId(), excp, FALSE};
@@ -72,15 +87,15 @@ END_MESSAGE_MAP()
std::string GetPwdHash();
// CMy2015RemoteApp <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// CMy2015RemoteApp 构造
CMy2015RemoteApp::CMy2015RemoteApp()
{
// ֧<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 支持重新启动管理器
m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
// TODO: <EFBFBD>ڴ˴<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ӹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD>ij<EFBFBD>ʼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> InitInstance <EFBFBD><EFBFBD>
// TODO: 在此处添加构造代码,
// 将所有重要的初始化放置在 InitInstance
m_Mutex = NULL;
#ifdef _DEBUG
std::string masterHash(GetMasterHash());
@@ -93,15 +108,126 @@ CMy2015RemoteApp::CMy2015RemoteApp()
}
// Ψһ<EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD> CMy2015RemoteApp <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 唯一的一个 CMy2015RemoteApp 对象
CMy2015RemoteApp theApp;
// CMy2015RemoteApp <20><>ʼ<EFBFBD><CABC>
// 从服务路径中提取可执行文件路径(去除引号和参数)
static void ExtractExePathFromServicePath(const char* servicePath, char* exePath, size_t exePathSize)
{
if (!servicePath || !exePath || exePathSize == 0) {
if (exePath && exePathSize > 0) exePath[0] = '\0';
return;
}
const char* src = servicePath;
char* dst = exePath;
size_t remaining = exePathSize - 1;
// 跳过前导空格
while (*src == ' ') src++;
if (*src == '"') {
// 带引号的路径:提取引号内的内容
src++; // 跳过开始引号
while (*src && *src != '"' && remaining > 0) {
*dst++ = *src++;
remaining--;
}
} else {
// 不带引号的路径:提取到空格或结束
while (*src && *src != ' ' && remaining > 0) {
*dst++ = *src++;
remaining--;
}
}
*dst = '\0';
}
// 处理服务相关的命令行参数
// 返回值: TRUE 表示已处理服务命令程序应退出FALSE 表示继续正常启动
static BOOL HandleServiceCommandLine()
{
CString cmdLine = ::GetCommandLine();
cmdLine.MakeLower();
// -service: 作为服务运行
if (cmdLine.Find(_T("-service")) != -1) {
ServerService_Run();
return TRUE;
}
// -install: 安装服务
if (cmdLine.Find(_T("-install")) != -1) {
ServerService_Install();
return TRUE;
}
// -uninstall: 卸载服务
if (cmdLine.Find(_T("-uninstall")) != -1) {
ServerService_Uninstall();
return TRUE;
}
// -agent: 由服务启动的GUI代理模式
// 此模式下正常运行GUI但使用不同的互斥量名称避免冲突
if (cmdLine.Find(_T("-agent")) != -1) {
// 继续正常启动GUI但标记为代理模式
return FALSE;
}
// 无参数时,作为服务启动
BOOL registered = FALSE;
BOOL running = FALSE;
char servicePath[MAX_PATH] = { 0 };
ServerService_CheckStatus(&registered, &running, servicePath, MAX_PATH);
char curPath[MAX_PATH];
GetModuleFileNameA(NULL, curPath, MAX_PATH);
// 从服务路径中提取纯可执行文件路径(去除引号和参数)
char serviceExePath[MAX_PATH] = { 0 };
ExtractExePathFromServicePath(servicePath, serviceExePath, MAX_PATH);
if (registered && _stricmp(curPath, serviceExePath) != 0) {
Mprintf("ServerService Uninstall: %s\n", servicePath);
ServerService_Uninstall();
registered = FALSE;
}
if (!registered) {
Mprintf("ServerService Install: %s\n", curPath);
return ServerService_Install();
}
else if (!running) {
int r = ServerService_Run();
Mprintf("ServerService Run '%s' %s\n", curPath, r == ERROR_SUCCESS ? "succeed" : "failed");
if (r) {
r = ServerService_StartSimple();
Mprintf("ServerService Start '%s' %s\n", curPath, r == ERROR_SUCCESS ? "succeed" : "failed");
return r == ERROR_SUCCESS;
}
return FALSE;
}
return TRUE;
}
// 检查是否以代理模式运行
static BOOL IsAgentMode()
{
CString cmdLine = ::GetCommandLine();
cmdLine.MakeLower();
return cmdLine.Find(_T("-agent")) != -1;
}
// CMy2015RemoteApp 初始化
BOOL CMy2015RemoteApp::InitInstance()
{
// 首先处理服务命令行参数
if (HandleServiceCommandLine()) {
return FALSE; // 服务命令已处理,退出
}
std::string masterHash(GetMasterHash());
std::string mu = GetPwdHash()==masterHash ? "MASTER.EXE" : "YAMA.EXE";
#ifndef _DEBUG
@@ -110,7 +236,8 @@ BOOL CMy2015RemoteApp::InitInstance()
if (ERROR_ALREADY_EXISTS == GetLastError()) {
CloseHandle(m_Mutex);
m_Mutex = NULL;
MessageBoxA(NULL, "һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>س<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ѿ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>У<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", "<EFBFBD><EFBFBD>ʾ", MB_ICONINFORMATION);
MessageBoxA(NULL, "A master program is already running, please check Task Manager.",
"Info", MB_ICONINFORMATION);
return FALSE;
}
}
@@ -124,13 +251,13 @@ BOOL CMy2015RemoteApp::InitInstance()
hImageList = (HIMAGELIST)SHGetFileInfo((LPCTSTR)_T(""), 0, &sfi, sizeof(SHFILEINFO), SHGFI_SMALLICON | SHGFI_SYSICONINDEX);
m_pImageList_Small.Attach(hImageList);
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Windows XP <20>ϵ<EFBFBD>Ӧ<EFBFBD>ó<EFBFBD><C3B3><EFBFBD><EFBFBD>嵥ָ<E5B5A5><D6B8>Ҫ
// ʹ<EFBFBD><EFBFBD> ComCtl32.dll <EFBFBD> 6 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>߰汾<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ÿ<EFBFBD><EFBFBD>ӻ<EFBFBD><EFBFBD><EFBFBD>ʽ<EFBFBD><EFBFBD>
//<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ InitCommonControlsEx()<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>򣬽<EFBFBD><EFBFBD>޷<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڡ<EFBFBD>
// 如果一个运行在 Windows XP 上的应用程序清单指定要
// 使用 ComCtl32.dll 版本 6 或更高版本来启用可视化方式,
//则需要 InitCommonControlsEx()。否则,将无法创建窗口。
INITCOMMONCONTROLSEX InitCtrls;
InitCtrls.dwSize = sizeof(InitCtrls);
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD>Ӧ<EFBFBD>ó<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʹ<EFBFBD>õ<EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ؼ<EFBFBD><EFBFBD>
// 将它设置为包括所有要在应用程序中使用的
// 公共控件类。
InitCtrls.dwICC = ICC_WIN95_CLASSES;
InitCommonControlsEx(&InitCtrls);
@@ -138,37 +265,37 @@ BOOL CMy2015RemoteApp::InitInstance()
AfxEnableControlContainer();
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD> shell <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Է<EFBFBD><EFBFBD>Ի<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD>κ<EFBFBD> shell <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ<EFBFBD>ؼ<EFBFBD><EFBFBD><EFBFBD> shell <20>б<EFBFBD><D0B1><EFBFBD>ͼ<EFBFBD>ؼ<EFBFBD><D8BC><EFBFBD>
// 创建 shell 管理器,以防对话框包含
// 任何 shell 树视图控件或 shell 列表视图控件。
CShellManager *pShellManager = new CShellManager;
// <EFBFBD><EFBFBD>׼<EFBFBD><EFBFBD>ʼ<EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>δʹ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Щ<EFBFBD><EFBFBD><EFBFBD>ܲ<EFBFBD>ϣ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>С
// <EFBFBD><EFBFBD><EFBFBD>տ<EFBFBD>ִ<EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><EFBFBD>Ĵ<EFBFBD>С<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ӧ<EFBFBD>Ƴ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD><EFBFBD>ض<EFBFBD><EFBFBD><EFBFBD>ʼ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ洢<EFBFBD><EFBFBD><EFBFBD>õ<EFBFBD>ע<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// TODO: Ӧ<EFBFBD>ʵ<EFBFBD><EFBFBD>޸ĸ<EFBFBD><EFBFBD>ַ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>޸<EFBFBD>Ϊ<EFBFBD><EFBFBD>˾<EFBFBD><EFBFBD><EFBFBD><EFBFBD>֯<EFBFBD><EFBFBD>
// 标准初始化
// 如果未使用这些功能并希望减小
// 最终可执行文件的大小,则应移除下列
// 不需要的特定初始化例程
// 更改用于存储设置的注册表项
// TODO: 应适当修改该字符串,
// 例如修改为公司或组织名
SetRegistryKey(_T("YAMA"));
CMy2015RemoteDlg dlg(nullptr);
m_pMainWnd = &dlg;
INT_PTR nResponse = dlg.DoModal();
if (nResponse == IDOK) {
// TODO: <EFBFBD>ڴ˷<EFBFBD><EFBFBD>ô<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD>ȷ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>رնԻ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ĵ<EFBFBD><EFBFBD><EFBFBD>
// TODO: 在此放置处理何时用
// “确定”来关闭对话框的代码
} else if (nResponse == IDCANCEL) {
// TODO: <EFBFBD>ڴ˷<EFBFBD><EFBFBD>ô<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD>ȡ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>رնԻ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ĵ<EFBFBD><EFBFBD><EFBFBD>
// TODO: 在此放置处理何时用
// “取消”来关闭对话框的代码
}
// ɾ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> shell <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
// 删除上面创建的 shell 管理器。
if (pShellManager != NULL) {
delete pShellManager;
}
// <EFBFBD><EFBFBD><EFBFBD>ڶԻ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ѹرգ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Խ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> FALSE <20>Ա<EFBFBD><D4B1>˳<EFBFBD>Ӧ<EFBFBD>ó<EFBFBD><C3B3><EFBFBD><EFBFBD><EFBFBD>
// <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ӧ<EFBFBD>ó<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ<EFBFBD>á<EFBFBD>
// 由于对话框已关闭,所以将返回 FALSE 以便退出应用程序,
// 而不是启动应用程序的消息泵。
return FALSE;
}
@@ -186,5 +313,10 @@ int CMy2015RemoteApp::ExitInstance()
SAFE_DELETE(m_iniFile);
// 只有在代理模式退出时才停止服务
if (IsAgentMode()) {
ServerService_Stop();
}
return CWinApp::ExitInstance();
}

BIN
server/2015Remote/2015Remote.rc
View File

Binary file not shown.

4
server/2015Remote/2015Remote_vs2015.vcxproj
View File

@@ -316,6 +316,8 @@
<ClInclude Include="VideoDlg.h" />
<ClInclude Include="zconf.h" />
<ClInclude Include="zlib.h" />
<ClInclude Include="ServerServiceWrapper.h" />
<ClInclude Include="ServerSessionMonitor.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="..\..\client\Audio.cpp" />
@@ -398,6 +400,8 @@
<ClCompile Include="TalkDlg.cpp" />
<ClCompile Include="TrueColorToolBar.cpp" />
<ClCompile Include="VideoDlg.cpp" />
<ClCompile Include="ServerServiceWrapper.cpp" />
<ClCompile Include="ServerSessionMonitor.cpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="2015Remote.rc" />

8
server/2015Remote/BuildDlg.cpp
View File

@@ -18,6 +18,7 @@ enum Index {
IndexGhost,
IndexServerDll,
IndexTinyRun,
IndexGhostMsc,
OTHER_ITEM
};
@@ -192,6 +193,12 @@ void CBuildDlg::OnBnClickedOk()
typ = CLIENT_TYPE_ONE;
szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize);
break;
case IndexGhostMsc:
file = "ghost.exe";
typ = CLIENT_TYPE_ONE;
startup = Startup_GhostMsc,
szBuffer = ReadResource(is64bit ? IDR_GHOST_X64 : IDR_GHOST_X86, dwFileSize);
break;
case IndexServerDll:
file = "ServerDll.dll";
typ = CLIENT_TYPE_DLL;
@@ -374,6 +381,7 @@ BOOL CBuildDlg::OnInitDialog()
m_ComboExe.InsertString(IndexGhost, "ghost.exe");
m_ComboExe.InsertString(IndexServerDll, "ServerDll.dll");
m_ComboExe.InsertString(IndexTinyRun, "TinyRun.dll");
m_ComboExe.InsertString(IndexGhostMsc, "ghost.exe - Windows <20><><EFBFBD><EFBFBD>");
m_ComboExe.InsertString(OTHER_ITEM, CString("ѡ<EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>"));
m_ComboExe.SetCurSel(IndexTestRun_MemDLL);

2
server/2015Remote/ScreenSpyDlg.cpp
View File

@@ -288,6 +288,7 @@ VOID CScreenSpyDlg::OnClose()
VOID CScreenSpyDlg::OnReceiveComplete()
{
if (m_bIsClosed) return;
assert (m_ContextObject);
auto cmd = m_ContextObject->InDeCompressedBuffer.GetBYTE(0);
LPBYTE szBuffer = m_ContextObject->InDeCompressedBuffer.GetBuffer();
@@ -357,6 +358,7 @@ VOID CScreenSpyDlg::DrawNextScreenDiff(bool keyFrame)
m_FrameID++;
#endif
LPVOID FirstScreenData = m_BitmapData_Full;
if (FirstScreenData == NULL) return;
LPVOID NextScreenData = m_ContextObject->InDeCompressedBuffer.GetBuffer(ulHeadLength);
ULONG NextScreenLength = m_ContextObject->InDeCompressedBuffer.GetBufferLength() - ulHeadLength;

523
server/2015Remote/ServerServiceWrapper.cpp Normal file
View File

@@ -0,0 +1,523 @@
#include "stdafx.h"
#include "ServerServiceWrapper.h"
#include "ServerSessionMonitor.h"
#include <stdio.h>
#include <winsvc.h>
// 静态变量
static SERVICE_STATUS g_ServiceStatus;
static SERVICE_STATUS_HANDLE g_StatusHandle = NULL;
static HANDLE g_StopEvent = INVALID_HANDLE_VALUE;
// 前向声明
static void WINAPI ServiceMain(DWORD argc, LPTSTR* argv);
static void WINAPI ServiceCtrlHandler(DWORD ctrlCode);
static void ServiceWriteLog(const char* message);
// 获取日志文件路径(程序所在目录)
static void GetServiceLogPath(char* logPath, size_t size)
{
char exePath[MAX_PATH];
if (GetModuleFileNameA(NULL, exePath, MAX_PATH)) {
char* lastSlash = strrchr(exePath, '\\');
if (lastSlash) {
*lastSlash = '\0';
sprintf_s(logPath, size, "%s\\YamaService.log", exePath);
return;
}
}
// 备用路径Windows临时目录
char tempPath[MAX_PATH];
if (GetTempPathA(MAX_PATH, tempPath)) {
sprintf_s(logPath, size, "%sYamaService.log", tempPath);
} else {
strncpy_s(logPath, size, "YamaService.log", _TRUNCATE);
}
}
// 日志函数
static void ServiceWriteLog(const char* message)
{
char logPath[MAX_PATH];
GetServiceLogPath(logPath, sizeof(logPath));
FILE* f = fopen(logPath, "a");
if (f) {
SYSTEMTIME st;
GetLocalTime(&st);
fprintf(f, "[%04d-%02d-%02d %02d:%02d:%02d] %s\n",
st.wYear, st.wMonth, st.wDay,
st.wHour, st.wMinute, st.wSecond,
message);
fclose(f);
}
}
BOOL ServerService_CheckStatus(BOOL* registered, BOOL* running,
char* exePath, size_t exePathSize)
{
*registered = FALSE;
*running = FALSE;
if (exePath && exePathSize > 0) {
exePath[0] = '\0';
}
// 打开 SCM
SC_HANDLE hSCM = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
if (!hSCM) {
return FALSE;
}
// 打开服务
SC_HANDLE hService = OpenServiceA(
hSCM,
SERVER_SERVICE_NAME,
SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG);
if (!hService) {
CloseServiceHandle(hSCM);
return FALSE; // 未注册
}
*registered = TRUE;
// 获取服务状态
SERVICE_STATUS_PROCESS ssp;
DWORD bytesNeeded = 0;
memset(&ssp, 0, sizeof(ssp));
if (QueryServiceStatusEx(
hService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&bytesNeeded))
{
*running = (ssp.dwCurrentState == SERVICE_RUNNING);
}
// 获取 EXE 路径
if (exePath && exePathSize > 0) {
DWORD bufSize = 0;
QueryServiceConfigA(hService, NULL, 0, &bufSize);
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
LPQUERY_SERVICE_CONFIGA pConfig = (LPQUERY_SERVICE_CONFIGA)malloc(bufSize);
if (pConfig) {
if (QueryServiceConfigA(hService, pConfig, bufSize, &bufSize)) {
strncpy_s(exePath, exePathSize, pConfig->lpBinaryPathName, _TRUNCATE);
}
free(pConfig);
}
}
}
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return TRUE;
}
int ServerService_StartSimple(void)
{
// 打开SCM
SC_HANDLE hSCM = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
if (!hSCM) {
return (int)GetLastError();
}
// 打开服务并启动
SC_HANDLE hService = OpenServiceA(hSCM, SERVER_SERVICE_NAME, SERVICE_START);
if (!hService) {
int err = (int)GetLastError();
CloseServiceHandle(hSCM);
return err;
}
// 启动服务
BOOL ok = StartServiceA(hService, 0, NULL);
int err = ok ? ERROR_SUCCESS : (int)GetLastError();
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return err;
}
int ServerService_Run(void)
{
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = (LPSTR)SERVER_SERVICE_NAME;
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
ServiceWriteLog("========================================");
ServiceWriteLog("ServerService_Run() called");
if (StartServiceCtrlDispatcher(ServiceTable) == FALSE) {
DWORD err = GetLastError();
char buffer[256];
sprintf_s(buffer, sizeof(buffer), "StartServiceCtrlDispatcher failed: %d", (int)err);
ServiceWriteLog(buffer);
return (int)err;
}
return ERROR_SUCCESS;
}
int ServerService_Stop(void)
{
// 打开SCM
SC_HANDLE hSCM = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
if (!hSCM) {
return (int)GetLastError();
}
// 打开服务
SC_HANDLE hService = OpenServiceA(hSCM, SERVER_SERVICE_NAME, SERVICE_STOP | SERVICE_QUERY_STATUS);
if (!hService) {
int err = (int)GetLastError();
CloseServiceHandle(hSCM);
return err;
}
// 查询当前状态
SERVICE_STATUS status;
if (!QueryServiceStatus(hService, &status)) {
int err = (int)GetLastError();
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return err;
}
// 如果服务未运行,直接返回成功
if (status.dwCurrentState == SERVICE_STOPPED) {
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return ERROR_SUCCESS;
}
// 发送停止控制命令
if (!ControlService(hService, SERVICE_CONTROL_STOP, &status)) {
DWORD err = GetLastError();
if (err != ERROR_SERVICE_NOT_ACTIVE) {
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return (int)err;
}
}
// 等待服务停止最多30秒
int waitCount = 0;
while (status.dwCurrentState != SERVICE_STOPPED && waitCount < 30) {
Sleep(1000);
waitCount++;
if (!QueryServiceStatus(hService, &status)) {
break;
}
}
int result = (status.dwCurrentState == SERVICE_STOPPED) ? ERROR_SUCCESS : ERROR_TIMEOUT;
CloseServiceHandle(hService);
CloseServiceHandle(hSCM);
return result;
}
static void WINAPI ServiceMain(DWORD argc, LPTSTR* argv)
{
(void)argc;
(void)argv;
ServiceWriteLog("ServiceMain() called");
g_StatusHandle = RegisterServiceCtrlHandler(
SERVER_SERVICE_NAME,
ServiceCtrlHandler
);
if (g_StatusHandle == NULL) {
ServiceWriteLog("RegisterServiceCtrlHandler failed");
return;
}
ZeroMemory(&g_ServiceStatus, sizeof(g_ServiceStatus));
g_ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
g_ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwServiceSpecificExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
g_StopEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if (g_StopEvent == NULL) {
ServiceWriteLog("CreateEvent failed");
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = GetLastError();
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
return;
}
g_ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
g_ServiceStatus.dwCurrentState = SERVICE_RUNNING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
ServiceWriteLog("Service is now running");
HANDLE hThread = CreateThread(NULL, 0, ServerService_WorkerThread, NULL, 0, NULL);
if (hThread) {
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
CloseHandle(g_StopEvent);
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwCurrentState = SERVICE_STOPPED;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 3;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
ServiceWriteLog("Service stopped");
}
static void WINAPI ServiceCtrlHandler(DWORD ctrlCode)
{
switch (ctrlCode) {
case SERVICE_CONTROL_STOP:
ServiceWriteLog("SERVICE_CONTROL_STOP received");
if (g_ServiceStatus.dwCurrentState != SERVICE_RUNNING)
break;
g_ServiceStatus.dwControlsAccepted = 0;
g_ServiceStatus.dwCurrentState = SERVICE_STOP_PENDING;
g_ServiceStatus.dwWin32ExitCode = 0;
g_ServiceStatus.dwCheckPoint = 4;
g_ServiceStatus.dwWaitHint = 0;
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
SetEvent(g_StopEvent);
break;
case SERVICE_CONTROL_INTERROGATE:
SetServiceStatus(g_StatusHandle, &g_ServiceStatus);
break;
default:
break;
}
}
// 服务工作线程
DWORD WINAPI ServerService_WorkerThread(LPVOID lpParam)
{
(void)lpParam;
int heartbeatCount = 0;
char buf[128];
ServiceWriteLog("========================================");
ServiceWriteLog("Worker thread started");
ServiceWriteLog("Service will launch Yama GUI in user sessions");
// 初始化会话监控器
ServerSessionMonitor monitor;
ServerSessionMonitor_Init(&monitor);
if (!ServerSessionMonitor_Start(&monitor)) {
ServiceWriteLog("ERROR: Failed to start session monitor");
ServerSessionMonitor_Cleanup(&monitor);
return ERROR_SERVICE_SPECIFIC_ERROR;
}
ServiceWriteLog("Session monitor started successfully");
ServiceWriteLog("Yama GUI will be launched automatically in user sessions");
// 主循环,只等待停止信号
while (WaitForSingleObject(g_StopEvent, 10000) != WAIT_OBJECT_0) {
heartbeatCount++;
if (heartbeatCount % 6 == 0) { // 每60秒记录一次10秒 * 6 = 60秒
sprintf_s(buf, sizeof(buf), "Service heartbeat - uptime: %d minutes", heartbeatCount / 6);
ServiceWriteLog(buf);
}
}
ServiceWriteLog("Stop signal received");
ServiceWriteLog("Stopping session monitor...");
ServerSessionMonitor_Stop(&monitor);
ServerSessionMonitor_Cleanup(&monitor);
ServiceWriteLog("Worker thread exiting");
ServiceWriteLog("========================================");
return ERROR_SUCCESS;
}
BOOL ServerService_Install(void)
{
SC_HANDLE schSCManager = OpenSCManager(
NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
Mprintf("ERROR: OpenSCManager failed (%d)\n", (int)GetLastError());
Mprintf("Please run as Administrator\n");
return FALSE;
}
char szPath[MAX_PATH];
if (!GetModuleFileNameA(NULL, szPath, MAX_PATH)) {
Mprintf("ERROR: GetModuleFileName failed (%d)\n", (int)GetLastError());
CloseServiceHandle(schSCManager);
return FALSE;
}
// 添加 -service 参数
char szPathWithArg[MAX_PATH + 32];
sprintf_s(szPathWithArg, sizeof(szPathWithArg), "\"%s\" -service", szPath);
Mprintf("Installing service...\n");
Mprintf("Executable path: %s\n", szPathWithArg);
SC_HANDLE schService = CreateServiceA(
schSCManager,
SERVER_SERVICE_NAME,
SERVER_SERVICE_DISPLAY,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
szPathWithArg,
NULL, NULL, NULL, NULL, NULL
);
if (schService == NULL) {
DWORD err = GetLastError();
if (err == ERROR_SERVICE_EXISTS) {
Mprintf("INFO: Service already exists\n");
schService = OpenServiceA(schSCManager, SERVER_SERVICE_NAME, SERVICE_ALL_ACCESS);
if (schService) {
Mprintf("SUCCESS: Service is already installed\n");
CloseServiceHandle(schService);
}
return TRUE;
}
else if (err == ERROR_ACCESS_DENIED) {
Mprintf("ERROR: Access denied. Please run as Administrator\n");
}
else {
Mprintf("ERROR: CreateService failed (%d)\n", (int)err);
}
CloseServiceHandle(schSCManager);
return FALSE;
}
Mprintf("SUCCESS: Service created successfully\n");
// 设置服务描述
SERVICE_DESCRIPTION sd;
sd.lpDescription = (LPSTR)SERVER_SERVICE_DESC;
ChangeServiceConfig2(schService, SERVICE_CONFIG_DESCRIPTION, &sd);
// 立即启动服务
DWORD err = 0;
Mprintf("Starting service...\n");
if (StartServiceA(schService, 0, NULL)) {
Mprintf("SUCCESS: Service started successfully\n");
Sleep(2000);
SERVICE_STATUS status;
if (QueryServiceStatus(schService, &status)) {
if (status.dwCurrentState == SERVICE_RUNNING) {
Mprintf("SUCCESS: Service is running\n");
}
else {
Mprintf("WARNING: Service state: %d\n", (int)status.dwCurrentState);
}
}
}
else {
err = GetLastError();
if (err == ERROR_SERVICE_ALREADY_RUNNING) {
Mprintf("INFO: Service is already running\n");
err = 0;
}
else {
Mprintf("WARNING: StartService failed (%d)\n", (int)err);
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
return err == 0;
}
void ServerService_Uninstall(void)
{
SC_HANDLE schSCManager = OpenSCManager(
NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
Mprintf("ERROR: OpenSCManager failed (%d)\n", (int)GetLastError());
return;
}
SC_HANDLE schService = OpenServiceA(
schSCManager,
SERVER_SERVICE_NAME,
SERVICE_STOP | DELETE | SERVICE_QUERY_STATUS
);
if (schService == NULL) {
Mprintf("ERROR: OpenService failed (%d)\n", (int)GetLastError());
CloseServiceHandle(schSCManager);
return;
}
// 停止服务
SERVICE_STATUS status;
Mprintf("Stopping service...\n");
if (ControlService(schService, SERVICE_CONTROL_STOP, &status)) {
Mprintf("Waiting for service to stop");
Sleep(1000);
int waitCount = 0;
while (QueryServiceStatus(schService, &status) && waitCount < 30) {
if (status.dwCurrentState == SERVICE_STOP_PENDING) {
Mprintf(".");
Sleep(1000);
waitCount++;
}
else {
break;
}
}
Mprintf("\n");
}
else {
DWORD err = GetLastError();
if (err != ERROR_SERVICE_NOT_ACTIVE) {
Mprintf("WARNING: Failed to stop service (%d)\n", (int)err);
}
}
// 删除服务
Mprintf("Deleting service...\n");
if (DeleteService(schService)) {
Mprintf("SUCCESS: Service uninstalled successfully\n");
}
else {
Mprintf("ERROR: DeleteService failed (%d)\n", (int)GetLastError());
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
}

64
server/2015Remote/ServerServiceWrapper.h Normal file
View File

@@ -0,0 +1,64 @@
#ifndef SERVER_SERVICE_WRAPPER_H
#define SERVER_SERVICE_WRAPPER_H
#include <windows.h>
#ifdef __cplusplus
extern "C" {
#endif
// 服务配置:服务端使用不同的服务名
#define SERVER_SERVICE_NAME "YamaControlService"
#define SERVER_SERVICE_DISPLAY "Yama Control Service"
#define SERVER_SERVICE_DESC "Provides remote desktop control server functionality"
/*
# 停止服务
net stop YamaControlService
# 查看状态(应该显示 STOPPED
sc query YamaControlService
# 启动服务
net start YamaControlService
# 再次查看状态(应该显示 RUNNING
sc query YamaControlService
*/
// 检查服务状态
// 参数:
// registered - 输出参数,服务是否已注册
// running - 输出参数,服务是否正在运行
// exePath - 输出参数服务可执行文件路径可为NULL
// exePathSize - exePath缓冲区大小
// 返回: 成功返回TRUE
BOOL ServerService_CheckStatus(BOOL* registered, BOOL* running,
char* exePath, size_t exePathSize);
// 简单启动服务
// 返回: ERROR_SUCCESS 或错误码
int ServerService_StartSimple(void);
// 运行服务(作为服务主入口)
// 返回: ERROR_SUCCESS 或错误码
int ServerService_Run(void);
// 停止服务
// 返回: ERROR_SUCCESS 或错误码
int ServerService_Stop(void);
// 安装服务
BOOL ServerService_Install(void);
// 卸载服务
void ServerService_Uninstall(void);
// 服务工作线程
DWORD WINAPI ServerService_WorkerThread(LPVOID lpParam);
#ifdef __cplusplus
}
#endif
#endif /* SERVER_SERVICE_WRAPPER_H */

570
server/2015Remote/ServerSessionMonitor.cpp Normal file
View File

@@ -0,0 +1,570 @@
#include "stdafx.h"
#include "ServerSessionMonitor.h"
#include <stdio.h>
#include <tlhelp32.h>
#include <userenv.h>
#pragma comment(lib, "userenv.lib")
// 动态数组初始容量
#define INITIAL_CAPACITY 4
// 前向声明
static DWORD WINAPI MonitorThreadProc(LPVOID param);
static void MonitorLoop(ServerSessionMonitor* self);
static BOOL LaunchGuiInSession(ServerSessionMonitor* self, DWORD sessionId);
static BOOL IsGuiRunningInSession(ServerSessionMonitor* self, DWORD sessionId);
static void TerminateAllGui(ServerSessionMonitor* self);
static void CleanupDeadProcesses(ServerSessionMonitor* self);
static void ServerMonitor_WriteLog(const char* message);
// 动态数组辅助函数
static void AgentArray_Init(ServerAgentProcessArray* arr);
static void AgentArray_Free(ServerAgentProcessArray* arr);
static BOOL AgentArray_Add(ServerAgentProcessArray* arr, const ServerAgentProcessInfo* info);
static void AgentArray_RemoveAt(ServerAgentProcessArray* arr, size_t index);
// ============================================
// 动态数组实现
// ============================================
static void AgentArray_Init(ServerAgentProcessArray* arr)
{
arr->items = NULL;
arr->count = 0;
arr->capacity = 0;
}
static void AgentArray_Free(ServerAgentProcessArray* arr)
{
if (arr->items) {
free(arr->items);
arr->items = NULL;
}
arr->count = 0;
arr->capacity = 0;
}
static BOOL AgentArray_Add(ServerAgentProcessArray* arr, const ServerAgentProcessInfo* info)
{
// 需要扩容
if (arr->count >= arr->capacity) {
size_t newCapacity = arr->capacity == 0 ? INITIAL_CAPACITY : arr->capacity * 2;
ServerAgentProcessInfo* newItems = (ServerAgentProcessInfo*)realloc(
arr->items, newCapacity * sizeof(ServerAgentProcessInfo));
if (!newItems) {
return FALSE;
}
arr->items = newItems;
arr->capacity = newCapacity;
}
arr->items[arr->count] = *info;
arr->count++;
return TRUE;
}
static void AgentArray_RemoveAt(ServerAgentProcessArray* arr, size_t index)
{
if (index >= arr->count) {
return;
}
// 后面的元素前移
for (size_t i = index; i < arr->count - 1; i++) {
arr->items[i] = arr->items[i + 1];
}
arr->count--;
}
// ============================================
// 日志函数
// ============================================
// 获取日志文件路径(程序所在目录)
static void GetMonitorLogPath(char* logPath, size_t size)
{
char exePath[MAX_PATH];
if (GetModuleFileNameA(NULL, exePath, MAX_PATH)) {
char* lastSlash = strrchr(exePath, '\\');
if (lastSlash) {
*lastSlash = '\0';
sprintf_s(logPath, size, "%s\\YamaSessionMonitor.log", exePath);
return;
}
}
// 备用路径Windows临时目录
char tempPath[MAX_PATH];
if (GetTempPathA(MAX_PATH, tempPath)) {
sprintf_s(logPath, size, "%sYamaSessionMonitor.log", tempPath);
} else {
strncpy_s(logPath, size, "YamaSessionMonitor.log", _TRUNCATE);
}
}
static void ServerMonitor_WriteLog(const char* message)
{
char logPath[MAX_PATH];
GetMonitorLogPath(logPath, sizeof(logPath));
FILE* f = fopen(logPath, "a");
if (f) {
SYSTEMTIME st;
GetLocalTime(&st);
fprintf(f, "[%04d-%02d-%02d %02d:%02d:%02d] %s\n",
st.wYear, st.wMonth, st.wDay,
st.wHour, st.wMinute, st.wSecond, message);
fclose(f);
}
}
// ============================================
// 公共接口实现
// ============================================
void ServerSessionMonitor_Init(ServerSessionMonitor* self)
{
self->monitorThread = NULL;
self->running = FALSE;
InitializeCriticalSection(&self->csProcessList);
AgentArray_Init(&self->agentProcesses);
}
void ServerSessionMonitor_Cleanup(ServerSessionMonitor* self)
{
ServerSessionMonitor_Stop(self);
DeleteCriticalSection(&self->csProcessList);
AgentArray_Free(&self->agentProcesses);
}
BOOL ServerSessionMonitor_Start(ServerSessionMonitor* self)
{
if (self->running) {
ServerMonitor_WriteLog("Monitor already running");
return TRUE;
}
ServerMonitor_WriteLog("========================================");
ServerMonitor_WriteLog("Starting server session monitor...");
self->running = TRUE;
self->monitorThread = CreateThread(NULL, 0, MonitorThreadProc, self, 0, NULL);
if (!self->monitorThread) {
ServerMonitor_WriteLog("ERROR: Failed to create monitor thread");
self->running = FALSE;
return FALSE;
}
ServerMonitor_WriteLog("Server session monitor thread created");
return TRUE;
}
void ServerSessionMonitor_Stop(ServerSessionMonitor* self)
{
if (!self->running) {
return;
}
ServerMonitor_WriteLog("Stopping server session monitor...");
self->running = FALSE;
if (self->monitorThread) {
DWORD waitResult = WaitForSingleObject(self->monitorThread, 10000);
if (waitResult == WAIT_TIMEOUT) {
// 线程未在规定时间内退出,强制终止
ServerMonitor_WriteLog("WARNING: Monitor thread did not exit in time, terminating...");
TerminateThread(self->monitorThread, 1);
}
CloseHandle(self->monitorThread);
self->monitorThread = NULL;
}
// 终止所有GUI进程
ServerMonitor_WriteLog("Terminating all GUI processes...");
// TerminateAllGui(self);
ServerMonitor_WriteLog("Server session monitor stopped");
ServerMonitor_WriteLog("========================================");
}
// ============================================
// 内部函数实现
// ============================================
static DWORD WINAPI MonitorThreadProc(LPVOID param)
{
ServerSessionMonitor* monitor = (ServerSessionMonitor*)param;
MonitorLoop(monitor);
return 0;
}
static void MonitorLoop(ServerSessionMonitor* self)
{
int loopCount = 0;
char buf[256];
ServerMonitor_WriteLog("Monitor loop started");
while (self->running) {
loopCount++;
// 清理已终止的进程
CleanupDeadProcesses(self);
// 枚举所有会话
PWTS_SESSION_INFO pSessionInfo = NULL;
DWORD dwCount = 0;
if (WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1,
&pSessionInfo, &dwCount)) {
BOOL foundActiveSession = FALSE;
for (DWORD i = 0; i < dwCount; i++) {
if (pSessionInfo[i].State == WTSActive) {
DWORD sessionId = pSessionInfo[i].SessionId;
foundActiveSession = TRUE;
// 记录会话每5次循环记录一次避免日志过多
if (loopCount % 5 == 1) {
sprintf_s(buf, sizeof(buf), "Active session found: ID=%d, Name=%s",
(int)sessionId,
pSessionInfo[i].pWinStationName);
ServerMonitor_WriteLog(buf);
}
// 检查GUI是否在该会话中运行
if (!IsGuiRunningInSession(self, sessionId)) {
sprintf_s(buf, sizeof(buf), "GUI not running in session %d, launching...", (int)sessionId);
ServerMonitor_WriteLog(buf);
if (LaunchGuiInSession(self, sessionId)) {
ServerMonitor_WriteLog("GUI launched successfully");
// 给程序一些时间启动
Sleep(2000);
}
else {
ServerMonitor_WriteLog("Failed to launch GUI");
}
}
// 只处理第一个活动会话
break;
}
}
if (!foundActiveSession && loopCount % 5 == 1) {
ServerMonitor_WriteLog("No active sessions found");
}
WTSFreeMemory(pSessionInfo);
}
else {
if (loopCount % 5 == 1) {
ServerMonitor_WriteLog("WTSEnumerateSessions failed");
}
}
// 每10秒检查一次
for (int j = 0; j < 100 && self->running; j++) {
Sleep(100);
}
}
ServerMonitor_WriteLog("Monitor loop exited");
}
static BOOL IsGuiRunningInSession(ServerSessionMonitor* self, DWORD sessionId)
{
(void)self; // 未使用
// 获取当前进程的 exe 名称
char currentExeName[MAX_PATH];
if (!GetModuleFileNameA(NULL, currentExeName, MAX_PATH)) {
return FALSE;
}
// 获取文件名(不含路径)
char* pFileName = strrchr(currentExeName, '\\');
if (pFileName) {
pFileName++;
}
else {
pFileName = currentExeName;
}
// 获取当前服务进程的 PID
DWORD currentPID = GetCurrentProcessId();
// 创建进程快照
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
ServerMonitor_WriteLog("CreateToolhelp32Snapshot failed");
return FALSE;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
BOOL found = FALSE;
if (Process32First(hSnapshot, &pe32)) {
do {
// 查找同名的 exe
if (_stricmp(pe32.szExeFile, pFileName) == 0) {
// 排除服务进程自己
if (pe32.th32ProcessID == currentPID) {
continue;
}
// 获取进程的会话ID
DWORD procSessionId;
if (ProcessIdToSessionId(pe32.th32ProcessID, &procSessionId)) {
if (procSessionId == sessionId) {
// 找到了:同名 exe不同 PID在目标会话中
found = TRUE;
break;
}
}
}
} while (Process32Next(hSnapshot, &pe32));
}
CloseHandle(hSnapshot);
return found;
}
// 终止所有GUI进程
static void TerminateAllGui(ServerSessionMonitor* self)
{
char buf[256];
EnterCriticalSection(&self->csProcessList);
sprintf_s(buf, sizeof(buf), "Terminating %d GUI process(es)", (int)self->agentProcesses.count);
ServerMonitor_WriteLog(buf);
for (size_t i = 0; i < self->agentProcesses.count; i++) {
ServerAgentProcessInfo* info = &self->agentProcesses.items[i];
sprintf_s(buf, sizeof(buf), "Terminating GUI PID=%d (Session %d)",
(int)info->processId, (int)info->sessionId);
ServerMonitor_WriteLog(buf);
// 检查进程是否还活着
DWORD exitCode;
if (GetExitCodeProcess(info->hProcess, &exitCode)) {
if (exitCode == STILL_ACTIVE) {
// 进程还在运行,终止它
if (!TerminateProcess(info->hProcess, 0)) {
sprintf_s(buf, sizeof(buf), "WARNING: Failed to terminate PID=%d, error=%d",
(int)info->processId, (int)GetLastError());
ServerMonitor_WriteLog(buf);
}
else {
ServerMonitor_WriteLog("GUI terminated successfully");
// 等待进程完全退出
WaitForSingleObject(info->hProcess, 5000);
}
}
else {
sprintf_s(buf, sizeof(buf), "GUI PID=%d already exited with code %d",
(int)info->processId, (int)exitCode);
ServerMonitor_WriteLog(buf);
}
}
CloseHandle(info->hProcess);
}
self->agentProcesses.count = 0; // 清空列表
LeaveCriticalSection(&self->csProcessList);
ServerMonitor_WriteLog("All GUI processes terminated");
}
// 清理已经终止的进程
static void CleanupDeadProcesses(ServerSessionMonitor* self)
{
char buf[256];
EnterCriticalSection(&self->csProcessList);
size_t i = 0;
while (i < self->agentProcesses.count) {
ServerAgentProcessInfo* info = &self->agentProcesses.items[i];
DWORD exitCode;
if (GetExitCodeProcess(info->hProcess, &exitCode)) {
if (exitCode != STILL_ACTIVE) {
// 进程已退出
sprintf_s(buf, sizeof(buf), "GUI PID=%d exited with code %d, cleaning up",
(int)info->processId, (int)exitCode);
ServerMonitor_WriteLog(buf);
CloseHandle(info->hProcess);
AgentArray_RemoveAt(&self->agentProcesses, i);
continue; // 不增加 i因为删除了元素
}
}
else {
// 无法获取退出代码,可能进程已不存在
sprintf_s(buf, sizeof(buf), "Cannot query GUI PID=%d, removing from list",
(int)info->processId);
ServerMonitor_WriteLog(buf);
CloseHandle(info->hProcess);
AgentArray_RemoveAt(&self->agentProcesses, i);
continue;
}
i++;
}
LeaveCriticalSection(&self->csProcessList);
}
static BOOL LaunchGuiInSession(ServerSessionMonitor* self, DWORD sessionId)
{
char buf[512];
sprintf_s(buf, sizeof(buf), "Attempting to launch GUI in session %d", (int)sessionId);
ServerMonitor_WriteLog(buf);
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
memset(&pi, 0, sizeof(pi));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = (LPSTR)"winsta0\\default"; // 关键:指定桌面
// 获取当前服务进程的 SYSTEM 令牌
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &hToken)) {
sprintf_s(buf, sizeof(buf), "OpenProcessToken failed: %d", (int)GetLastError());
ServerMonitor_WriteLog(buf);
return FALSE;
}
// 复制为可用于创建进程的主令牌
HANDLE hDupToken = NULL;
if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
SecurityImpersonation, TokenPrimary, &hDupToken)) {
sprintf_s(buf, sizeof(buf), "DuplicateTokenEx failed: %d", (int)GetLastError());
ServerMonitor_WriteLog(buf);
CloseHandle(hToken);
return FALSE;
}
// 修改令牌的会话 ID 为目标用户会话
if (!SetTokenInformation(hDupToken, TokenSessionId, &sessionId, sizeof(sessionId))) {
sprintf_s(buf, sizeof(buf), "SetTokenInformation failed: %d", (int)GetLastError());
ServerMonitor_WriteLog(buf);
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
ServerMonitor_WriteLog("Token duplicated");
// 获取当前程序路径(就是自己)
char exePath[MAX_PATH];
if (!GetModuleFileNameA(NULL, exePath, MAX_PATH)) {
ServerMonitor_WriteLog("GetModuleFileName failed");
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
sprintf_s(buf, sizeof(buf), "Service path: %s", exePath);
ServerMonitor_WriteLog(buf);
// 检查文件是否存在
DWORD fileAttr = GetFileAttributesA(exePath);
if (fileAttr == INVALID_FILE_ATTRIBUTES) {
sprintf_s(buf, sizeof(buf), "ERROR: Executable not found at: %s", exePath);
ServerMonitor_WriteLog(buf);
CloseHandle(hDupToken);
CloseHandle(hToken);
return FALSE;
}
// 构建命令行:同一个 exe 但添加 -agent 参数
char cmdLine[MAX_PATH + 20];
sprintf_s(cmdLine, sizeof(cmdLine), "\"%s\" -agent", exePath);
sprintf_s(buf, sizeof(buf), "Command line: %s", cmdLine);
ServerMonitor_WriteLog(buf);
// 获取用户令牌(用于获取环境块)
LPVOID lpEnvironment = NULL;
HANDLE hUserToken = NULL;
if (!WTSQueryUserToken(sessionId, &hUserToken)) {
sprintf_s(buf, sizeof(buf), "WTSQueryUserToken failed: %d", (int)GetLastError());
ServerMonitor_WriteLog(buf);
}
// 使用用户令牌创建环境块
if (hUserToken) {
if (!CreateEnvironmentBlock(&lpEnvironment, hUserToken, FALSE)) {
ServerMonitor_WriteLog("CreateEnvironmentBlock failed");
}
CloseHandle(hUserToken);
}
// 在用户会话中创建进程GUI程序不隐藏窗口
BOOL result = CreateProcessAsUserA(
hDupToken,
NULL, // 应用程序名(在命令行中解析)
cmdLine, // 命令行参数Yama.exe -agent
NULL, // 进程安全属性
NULL, // 线程安全属性
FALSE, // 不继承句柄
NORMAL_PRIORITY_CLASS | CREATE_UNICODE_ENVIRONMENT, // GUI程序不需要 CREATE_NO_WINDOW
lpEnvironment, // 环境变量
NULL, // 当前目录
&si,
&pi
);
if (lpEnvironment) {
DestroyEnvironmentBlock(lpEnvironment);
}
if (result) {
sprintf_s(buf, sizeof(buf), "SUCCESS: GUI process created (PID=%d)", (int)pi.dwProcessId);
ServerMonitor_WriteLog(buf);
// 保存进程信息,以便停止时可以终止它
EnterCriticalSection(&self->csProcessList);
ServerAgentProcessInfo info;
info.processId = pi.dwProcessId;
info.sessionId = sessionId;
info.hProcess = pi.hProcess; // 不关闭句柄,留着后面终止
AgentArray_Add(&self->agentProcesses, &info);
LeaveCriticalSection(&self->csProcessList);
CloseHandle(pi.hThread); // 线程句柄可以关闭
}
else {
DWORD err = GetLastError();
sprintf_s(buf, sizeof(buf), "CreateProcessAsUser failed: %d", (int)err);
ServerMonitor_WriteLog(buf);
// 提供更详细的错误信息
if (err == ERROR_FILE_NOT_FOUND) {
ServerMonitor_WriteLog("ERROR: Executable not found");
}
else if (err == ERROR_ACCESS_DENIED) {
ServerMonitor_WriteLog("ERROR: Access denied - service may not have sufficient privileges");
}
else if (err == 1314) {
ServerMonitor_WriteLog("ERROR: Service does not have SE_INCREASE_QUOTA privilege");
}
}
CloseHandle(hDupToken);
CloseHandle(hToken);
return result;
}

51
server/2015Remote/ServerSessionMonitor.h Normal file
View File

@@ -0,0 +1,51 @@
#ifndef SERVER_SESSION_MONITOR_H
#define SERVER_SESSION_MONITOR_H
#include <windows.h>
#include <wtsapi32.h>
#ifdef __cplusplus
extern "C" {
#endif
#pragma comment(lib, "wtsapi32.lib")
// GUI进程信息
typedef struct ServerAgentProcessInfo {
DWORD processId;
DWORD sessionId;
HANDLE hProcess;
} ServerAgentProcessInfo;
// GUI进程数组动态数组
typedef struct ServerAgentProcessArray {
ServerAgentProcessInfo* items;
size_t count;
size_t capacity;
} ServerAgentProcessArray;
// 会话监控器结构
typedef struct ServerSessionMonitor {
HANDLE monitorThread;
BOOL running;
CRITICAL_SECTION csProcessList;
ServerAgentProcessArray agentProcesses;
} ServerSessionMonitor;
// 初始化会话监控器
void ServerSessionMonitor_Init(ServerSessionMonitor* self);
// 清理会话监控器资源
void ServerSessionMonitor_Cleanup(ServerSessionMonitor* self);
// 启动会话监控
BOOL ServerSessionMonitor_Start(ServerSessionMonitor* self);
// 停止会话监控
void ServerSessionMonitor_Stop(ServerSessionMonitor* self);
#ifdef __cplusplus
}
#endif
#endif /* SERVER_SESSION_MONITOR_H */