自实现 Psexec 的功能

imbyter

参考链接：https://payloads.online/archivers/2020-04-02/1
psexec详细用法：https://www.itprotoday.com/compute-engines/psexec

实现过程：

编写server服务程序
连接SMB共享
上传文件到共享目录
创建服务
启动服务
停止服务
删除服务
删除文件

服务server源码：

#include <stdio.h>  
#include <Windows.h>

#define SLEEP_TIME 5000				/*间隔时间*/
#define LOGFILE "C:\\1\\log.txt"	/*信息输出文件*/

SERVICE_STATUS ServiceStatus;  /*服务状态*/
SERVICE_STATUS_HANDLE hStatus; /*服务状态句柄*/

void  ServiceMain(int argc, char** argv);
void  CtrlHandler(DWORD request);
int   InitService();

int main(int argc, CHAR * argv[])
{
	WCHAR WserviceName[] = TEXT("Monitor");
	SERVICE_TABLE_ENTRY ServiceTable[2];
	ServiceTable[0].lpServiceName = WserviceName;
	ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
	ServiceTable[1].lpServiceName = NULL;
	ServiceTable[1].lpServiceProc = NULL;
	StartServiceCtrlDispatcher(ServiceTable);

	return 0;
}

int WriteToLog(const char* str)
{
	FILE* pfile;
	fopen_s(&pfile, LOGFILE, "a+");
	if (pfile == NULL)
	{
		return -1;
	}
	fprintf_s(pfile, "%s\n", str);
	fclose(pfile);

	return 0;
}

/*Service initialization*/
int InitService()
{
	CHAR Message[] = "Monitoring started.";
	OutputDebugString(TEXT("Monitoring started."));
	int result;
	result = WriteToLog(Message);

	return(result);
}

/*Control Handler*/
void CtrlHandler(DWORD request)
{
	switch (request)
	{
	case SERVICE_CONTROL_STOP:

		WriteToLog("Monitoring stopped.");
		ServiceStatus.dwWin32ExitCode = 0;
		ServiceStatus.dwCurrentState = SERVICE_STOPPED;
		SetServiceStatus(hStatus, &ServiceStatus);
		return;
	case SERVICE_CONTROL_SHUTDOWN:
		WriteToLog("Monitoring stopped.");

		ServiceStatus.dwWin32ExitCode = 0;
		ServiceStatus.dwCurrentState = SERVICE_STOPPED;
		SetServiceStatus(hStatus, &ServiceStatus);
		return;
	default:
		break;
	}
	/* Report current status  */
	SetServiceStatus(hStatus, &ServiceStatus);
	return;
}

void ServiceMain(int argc, char** argv)
{
	WCHAR WserviceName[] = TEXT("Monitor");
	int error;
	ServiceStatus.dwServiceType =
		SERVICE_WIN32;
	ServiceStatus.dwCurrentState =
		SERVICE_START_PENDING;
	/*在本例中只接受系统关机和停止服务两种控制命令*/
	ServiceStatus.dwControlsAccepted =
		SERVICE_ACCEPT_SHUTDOWN |
		SERVICE_ACCEPT_STOP;
	ServiceStatus.dwWin32ExitCode = 0;
	ServiceStatus.dwServiceSpecificExitCode = 0;
	ServiceStatus.dwCheckPoint = 0;
	ServiceStatus.dwWaitHint = 0;
	hStatus = ::RegisterServiceCtrlHandler(
		WserviceName,
		(LPHANDLER_FUNCTION)CtrlHandler);
	if (hStatus == (SERVICE_STATUS_HANDLE)0)
	{

		WriteToLog("RegisterServiceCtrlHandler failed");
		return;
	}
	WriteToLog("RegisterServiceCtrlHandler success");
	/* Initialize Service   */
	error = InitService();
	if (error)
	{
		/* Initialization failed  */
		ServiceStatus.dwCurrentState =
			SERVICE_STOPPED;
		ServiceStatus.dwWin32ExitCode = -1;
		SetServiceStatus(hStatus, &ServiceStatus);
		return;
	}
	/*向SCM 报告运行状态*/
	ServiceStatus.dwCurrentState =
		SERVICE_RUNNING;
	SetServiceStatus(hStatus, &ServiceStatus);

	/*do something you want to do in this while loop*/
	MEMORYSTATUS memstatus;
	while (ServiceStatus.dwCurrentState ==
		SERVICE_RUNNING)
	{
		char buffer[16];
		GlobalMemoryStatus(&memstatus);
		int availmb = memstatus.dwAvailPhys / 1024 / 1024;
		sprintf_s(buffer, 100, "available memory is %dMB", availmb);
		int result = WriteToLog(buffer);
		if (result)
		{
			ServiceStatus.dwCurrentState = SERVICE_STOPPED;
			ServiceStatus.dwWin32ExitCode = -1;
			SetServiceStatus(hStatus,
				&ServiceStatus);
			return;
		}
		Sleep(SLEEP_TIME);
	}
	WriteToLog("service stopped");
	return;
}

自实现psexec源码：

#include <iostream>
#include <WinSock2.h>
#include <Windows.h>
#include <winnetwk.h>

#pragma comment(lib, "ws2_32")   
#pragma comment(lib, "Mpr.lib")
#pragma comment(lib,"Advapi32.lib")

DWORD ConnectSMBServer(LPCWSTR lpwsHost, LPCWSTR lpwsUser, LPCWSTR lpwsPassword);
BOOL UploadFileBySMB(LPCWSTR lpwsSrcPath, LPCWSTR lpwsDstPath);
BOOL CreateServiceWithSCM(LPCWSTR lpwsSCMServer, LPCWSTR lpwsServiceName, LPCWSTR lpwsServicePath);

int wmain(int argc, wchar_t* argv[])
{
	LPCWSTR lpwsHost = TEXT("192.168.100.20");		// 目标机器地址
	LPCWSTR lpwsUserName = TEXT("Administrator");	// 账号
	LPCWSTR lpwsPassword = TEXT("123456");			// 密码
	LPCWSTR lpwsSrcPath = TEXT("D:\\server.exe");	// 本地文件路径
	LPCWSTR lpwsDstPath = TEXT("\\\\192.168.100.20\\admin$\\NewPsexec.exe"); // 远程文件路径
	LPCWSTR lpwsServiceName = TEXT("NewPsexec");	// 服务名称
	LPCWSTR lpwsServicePath = TEXT("%SystemRoot%\\NewPsexec.exe");			// 目标机器落地位置

	if (ConnectSMBServer(lpwsHost, lpwsUserName, lpwsPassword) == 0) {
		BOOL bRetVal = FALSE;
		bRetVal = UploadFileBySMB(lpwsSrcPath, lpwsDstPath);
		if (bRetVal) {
			std::cout << "Upload Success !" << std::endl;
			// 如果上传成功即可创建服务
			CreateServiceWithSCM(lpwsHost, lpwsServiceName, lpwsServicePath);
		}
		else {
			std::cout << "Upload Failed ! Error : " << GetLastError() << std::endl;
			return GetLastError();
		}
	}
}

DWORD ConnectSMBServer(LPCWSTR lpwsHost, LPCWSTR lpwsUserName, LPCWSTR lpwsPassword)
{
	// 用于存放SMB共享资源格式
	PWCHAR lpwsIPC = new WCHAR[MAX_PATH];
	DWORD dwRetVal; // 函数返回值
	NETRESOURCE nr; // 连接的详细信息
	DWORD dwFlags; // 连接选项

	ZeroMemory(&nr, sizeof(NETRESOURCE));
	swprintf(lpwsIPC, MAX_PATH, TEXT("\\\\%s\\admin$"), lpwsHost);
	nr.dwType = RESOURCETYPE_ANY; // 枚举所有资源
	nr.lpLocalName = NULL;
	nr.lpRemoteName = lpwsIPC; // 资源的网络名
	nr.lpProvider = NULL;

	// 如果设置了此位标志，则操作系统将在用户登录时自动尝试恢复连接。
	dwFlags = CONNECT_UPDATE_PROFILE;

	dwRetVal = WNetAddConnection2(&nr, lpwsPassword, lpwsUserName, dwFlags);
	if (dwRetVal == NO_ERROR) {
		// 返回NO_ERROR则成功
		wprintf(L"Connection added to %s\n", nr.lpRemoteName);
		return dwRetVal;
	}

	wprintf(L"WNetAddConnection2 failed with error: %u\n", dwRetVal);
	return -1;
}

BOOL UploadFileBySMB(LPCWSTR lpwsSrcPath, LPCWSTR lpwsDstPath)
{
	DWORD dwRetVal;
	dwRetVal = CopyFile(lpwsSrcPath, lpwsDstPath, FALSE);
	return dwRetVal > 0 ? TRUE : FALSE;
}

BOOL CreateServiceWithSCM(LPCWSTR lpwsSCMServer, LPCWSTR lpwsServiceName, LPCWSTR lpwsServicePath)
{
	std::wcout << TEXT("Will Create Service ") << lpwsServiceName << std::endl;
	SC_HANDLE hSCM;
	SC_HANDLE hService;
	SERVICE_STATUS ss;
	// GENERIC_WRITE = STANDARD_RIGHTS_WRITE | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG
	hSCM = OpenSCManager(lpwsSCMServer, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
	if (hSCM == NULL) {
		std::cout << "OpenSCManager Error: " << GetLastError() << std::endl;
		return -1;
	}

	hService = CreateService(
		hSCM, // 服务控制管理器数据库的句柄
		lpwsServiceName, // 要安装的服务的名称
		lpwsServiceName, // 用户界面程序用来标识服务的显示名称
		GENERIC_ALL, // 访问权限
		SERVICE_WIN32_OWN_PROCESS, // 与一个或多个其他服务共享一个流程的服务
		SERVICE_DEMAND_START, // 当进程调用StartService函数时，由服务控制管理器启动的服务 。
		SERVICE_ERROR_IGNORE, // 启动程序将忽略该错误并继续启动操作
		lpwsServicePath, // 服务二进制文件的标准路径
		NULL,
		NULL,
		NULL,
		NULL,
		NULL);
	if (hService == NULL) {
		std::cout << "CreateService Error: " << GetLastError() << std::endl;
		return -1;
	}
	std::wcout << TEXT("Create Service Success : ") << lpwsServicePath << std::endl;
	hService = OpenService(hSCM, lpwsServiceName, GENERIC_ALL);
	if (hService == NULL) {
		std::cout << "OpenService Error: " << GetLastError() << std::endl;
		return -1;
	}
	std::cout << "OpenService Success!" << std::endl;

	StartService(hService, NULL, NULL);

	return 0;
}