When someone else enters the machine, he is most afraid to be online with the host. He will easily find you, so I am using a device that monitors the screen of the host, and can also satisfy the curious psychology of a peek. However, Radmin is too easy to get killed. Not only Radmin, but any popular monitoring program will be easily killed, and it is useless to get a lot of shells.
As a result, it took some effort to implement this function in the remote monitoring that I did a few years ago, and finally won't be killed.
My remote monitoring service is remoting, which was previously written in logs.
The advantage is that the function can be changed at any time, and the function and service are separated.
That is to say, in the service, only the account is protected, the account permission is protected, and the terminal service monitoring firewall rules are protected, without suspending itself.
An automatic check update is added.
Then there is an empty proxy class with only one code that returns the remote object and executes the remote method.
A large number of actual functions are a local DLL class library, which can be written at any time. When connecting to a remote service, the remote service calls this local DLL, then the local DLL runs to the remote memory along the remoting channel, and then the local reflection method is used to implement remote execution.
Will this DLL be transmitted every time? Yes, the advantages of. NET are embodied in the small size. There are a lot of messy things in the DLL, and the compilation is still dozens of K.
Other functions, such as processes, files, and executions, can all be operated on this DLL. This function is not applicable only to remote monitoring, because the service runs under the LocalSystem account, use or press the mouse to send the mouse to the System user instead of the Administrator.
Therefore, you must run a process under the Administrator to monitor the Administrator. How can you let the administrator run the process without knowing its password? Fortunately, there is a createprocessasuser API that runs with the user's token instead of the password, fortunately, LocalSystem can obtain the tokens of all login users for free, so O (LOGIN _ token) O
In this way, the DLL silently releases an EXE to a directory, which runs in the background without knowing its identity in the administrator. His screen is sent to me, run mouse_event keybd_event for me. Createprocessasuser has a parameter that prevents the program from running in the background.
This EXE should be a console program rather than a winform program. If it is a winform program, ALT + tab appears to be visible.
However, both the console and winform can be seen in the Process Manager. There is a method that can be hidden in the task manager, which is C #, but I don't think it is so troublesome, I started a name that looks like a Microsoft process, and it does not report any virus, and the operation does not show. Who will keep staring at the task manager, then he will find the solution.
A problem is found here. When releasing this EXE, it is best to avoid the System32 and Windows directories, because at least 360 will be reported, and do not put it under temp, some programs running in temp may trigger an alarm, so they can be released to the directory of their installation program in program files. It is recommended that svchost.exe be called, which is a "disguised Windows process ", some kill software think this is a "virus behavior", so it will trigger an alarm. In fact, there are many Windows processes. For example, if there is a tcpsrv, You can initiate a udpsrv, this will not be reported and difficult to distinguish.
This EXE must be wrapped around by try catch. Even if it exits inexplicably, it cannot be prompted with an error message. If it runs under the Administrator account, the error will be displayed on its desktop. Add try catch, and the program will not die.
Disadvantages: the efficiency of the screenshot API is not high. When it is sent back, the best of course is BMP, but it is too huge, followed by PNG, which is also very huge, I tried my desktop 1680*1050 windows special effects. The theme was the Rio adventure. The API cut this image and saved it in PNG, more than 4 MB, so save it with JPG. It's only 400 Kb and acceptable. If it's too big, you have to adjust the quality of JPG, or you can directly use GIF. gif is smaller, however, the effect is terrible. So can we compress the data or use any method to transfer changes or the like? This is too much trouble, And the CPU will not be worth the candle if it rises straight.
Some people say that the screenshot API cannot capture videos and similar floating pop-up windows, but I try to cut everything on the desktop, just like the print screen key, whether it's the video played in media player, the floating window, the transparent window, the menu of the input method, and the mouse, you can cut it off. Only DX games have never been tested, but media player is driving DX acceleration. Isn't it the same as the game? I don't know what's going on.
Radmin cannot capture the mouse or input method pop-up menu. This is so annoying. When you enter the text, you cannot see the selected list. You can only guess it. But the API can be intercepted.
Is it possible to directly capture the screen of any user in the system without running the program under the user's identity? This information is not found, and none of the information can be found on the Internet, I tried to pass the handle of getasktopwindow or getwindowdc to the process in the system under the Administrator. The screenshot is a black screen and you have to run a program under the user.
The remoting efficiency is too low. Originally, I wanted the client to only remoting the server to communicate with the DLL. The DLL communicates with the EXE, And the DLL acts as a transfer station. However, the efficiency is very low and scary, not the CPU and memory are rising, but the remoting network transmission is a part of the thing that comes back and forth many times, causing great latency. I tried this method, the server can only upload one or two images in one second.
So we need to improve the. exe file, which is reversely linked to a port of my machine, through the firewall, and through the router. The speed is up.
The machine is an intranet server, and the remoting server needs to UPnP the server, get the Internet IP address, and write it to machinename.
There is an example on the UPnP network, which is actually very simple. It is to send a broadcast and UDP, so that the vro of the same Intranet segment will return the IP address mapped to you and the port mapped to UPnP, my di-504m is port 1780, other routers are not necessarily this port, and then TCP 192.168.0.1: 1780 sends a command in the past, this command is most commonly used to add ing, delete ing, and update ing, and then accept the returned results. It is as simple as this. Communication is in a fixed XML format.
In this way, the Intranet is automatically mapped and the Intranet is changed to the Internet.
You can append the Recording and Use directsound or winmm. DLL to capture the sound. You can either intercept the microphone or the Speaker.
Camera capture? I entered a lot of machines, but now I haven't found any cameras, all of which are servers. They do not even have a sound card or close it.
Now we have done the file system operation, process operation, remote cmd, and screen monitoring, and other functions such as the registry. Please do it later, and the server does not need to be moved, just change the DLL locally. remoting is really convenient.
By the way, it is not limited to the console logon administrator. users logging on to the terminal service can also monitor the system. The same method is used to query the tokens and run them.
Radmin can be completely replaced. And the most important thing is no kill.
The interface is a bit ugly.
In fact, he has a firewall, but he has just finished upgrading and the Icon cache is a bit problematic, so it is not shown in the lower right corner.
They are located in dongjiu district, which is one hour faster than ours.