可以使用 WinRM 將二進制文件推送到遠程 Windows 主機嗎？如果不行，是否有其他機制可以讓我把二進制文件推送到遠程主機？（使用 WinRM 在遠程主機上推送二進制文件）
可以使用 WinRM 將二進制文件推送到遠程 Windows 主機嗎？如果不行，是否有其他機制可以讓我把二進制文件推送到遠程主機？（使用 WinRM 在遠程主機上推送二進制文件）
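我想我找到了解決方案。注意：下面的代碼並不是透過 WinRM，而是用 WNetAddConnection2 連接遠程主機的 ADMIN$ 管理共享（SMB），再用 CopyFile 把文件複製到該主機的 System32 目錄，因此需要目標主機上的管理員權限。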
#include <windows.h>
#include <tchar.h>
// Capacity, in chars, of the two fixed-size buffers declared at the end of
// this group.
#define SIZEOF_BUFFER 0x100
// Remote parameters.
// These are process-wide globals. The pointer variables own no memory: the
// code on this page only ever points them at command-line arguments or at
// lpszLocalIP.
// Target machine in UNC form ("\\host"); assigned in _tmain() from
// GetRemoteMachineName(), which can return NULL.
LPCTSTR lpszMachine = NULL;
// Text following the "/pwd:" switch, or NULL when the switch is absent.
// The password therefore sits in the process command line, where local
// process listings and command-line auditing can read it.
LPCTSTR lpszPassword = NULL;
// Text following the "/user:" switch, or NULL when the switch is absent.
LPCTSTR lpszUser = NULL;
// Not assigned or read by any code shown on this page.
LPCTSTR lpszDomain = NULL;
// Local path of the file to copy; assigned in _tmain() from the second
// positional argument and NULL when that argument is missing.
LPCTSTR lpszCommandExe = NULL;
// UNC name used when the target is omitted or given as "." or " ".
LPCTSTR lpszLocalIP = _T("\\\\127.0.0.1");
// Not referenced by any code shown on this page.
char szThisMachine[SIZEOF_BUFFER] = "";
// Not referenced by any code shown on this page.
char szPassword[SIZEOF_BUFFER] = "";
// Returns the value attached to a command-line switch, or NULL if the switch
// is not found.
//
// lpszParam is the switch name without its leading '/' or '-' and, as the
// callers on this page pass it, including the trailing ':' (e.g. "pwd:").
// The name is matched case-insensitively as a prefix of the argument, and the
// returned pointer refers to the remainder of that argument inside the
// process argument vector (it is not a copy).
//
// Scanning stops at the first argument that is neither a switch nor a
// "\\host" / "." style token, so switches placed after such an argument are
// not seen.
LPCTSTR GetParamValue(LPCTSTR lpszParam)
{
    const DWORD cchName = _tcslen(lpszParam);

    for (int pos = 1; pos < __argc; ++pos)
    {
        LPCTSTR arg = __targv[pos];
        const TCHAR lead = arg[0];

        // Machine tokens ("\\host", ".") are stepped over.
        if (lead == _T('\\') || lead == _T('.'))
        {
            continue;
        }

        // Anything that is not a switch ends the search.
        if (lead != _T('/') && lead != _T('-'))
        {
            return NULL;
        }

        // Compare the text after the switch character with the wanted name.
        if (_tcsnicmp(arg + 1, lpszParam, cchName) == 0)
        {
            return arg + cchName + 1;
        }
    }

    return NULL;
}
// Returns the n-th positional command-line argument, i.e. the n-th argument
// that does not begin with '/' or '-', counting from 1.
//
// On success argvIndex receives the argument's index in the argument vector
// and the argument itself is returned; otherwise NULL is returned and
// argvIndex is left untouched.
//
// Because the counter starts at 0 and is compared on every iteration, n == 0
// matches the first argument whatever it is.
LPCTSTR GetNthParameter(DWORD n, DWORD& argvIndex)
{
    DWORD seen = 0;

    for (int pos = 1; pos < __argc; ++pos)
    {
        const TCHAR lead = __targv[pos][0];
        const bool isSwitch = (lead == _T('/') || lead == _T('-'));

        if (!isSwitch)
        {
            ++seen;
        }

        if (seen != n)
        {
            continue;
        }

        argvIndex = pos;
        return __targv[pos];
    }

    return NULL;
}
// Loads the connection credentials from the command line into the globals
// lpszUser and lpszPassword. Either one is NULL when its switch ("/user:",
// "/pwd:") is not found. Always returns TRUE.
//
// The pointers refer to the argument text itself, so the password stays
// readable in the process command line for as long as the process runs.
BOOL SetConnectionCredentials()
{
    LPCTSTR user = GetParamValue(_T("user:"));
    LPCTSTR password = GetParamValue(_T("pwd:"));

    lpszUser = user;
    lpszPassword = password;

    return TRUE;
}
// Resolves the target machine from the first positional argument.
//
// Returns:
//   - lpszLocalIP when there is no positional argument, or when it is
//     exactly " " or "." (a dot is taken as localhost);
//   - the argument itself when it starts with "\\";
//   - NULL for anything else, e.g. a host name without the "\\" prefix.
LPCTSTR GetRemoteMachineName()
{
    DWORD argPos = 0;
    LPCTSTR firstArg = GetNthParameter(1, argPos);

    if (firstArg == NULL)
    {
        return lpszLocalIP;
    }

    // A UNC-style name is used as given.
    if (_tcsnicmp(firstArg, _T("\\\\"), 2) == 0)
    {
        return firstArg;
    }

    // Comparing two characters against a one-character literal also compares
    // the terminator, so these match only the exact strings " " and ".".
    const bool isBlank = (_tcsnicmp(firstArg, _T(" "), 2) == 0);
    const bool isDot = (_tcsnicmp(firstArg, _T("."), 2) == 0);
    if (isBlank || isDot)
    {
        return lpszLocalIP;
    }

    return NULL;
}
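// Establish Connection to Remote Machine
//
// Connects the current logon session to "<lpszRemote>\<lpszResource>" with
// WNetAddConnection2, using the global lpszUser / lpszPassword (NULL selects
// the defaults of the current user context).
//
// Parameters:
//   lpszRemote   - machine in UNC form, e.g. "\\host".
//   lpszResource - share name, e.g. "ADMIN$".
//   bEstablish   - not consulted; kept so existing callers still compile.
//
// Returns TRUE when the connection was made. Returns FALSE when an argument
// is NULL, when the combined name does not fit in _MAX_PATH characters, or
// when WNetAddConnection2 fails (its error code is not propagated).
//
// NOTE(review): nothing on this page calls WNetCancelConnection2, so the
// authenticated connection appears to be left in place after the copy.
BOOL EstablishConnection(LPCTSTR lpszRemote, LPCTSTR lpszResource, BOOL bEstablish)
{
    TCHAR szRemoteResource[_MAX_PATH];
    const size_t cchRemoteResource = sizeof(szRemoteResource) / sizeof(szRemoteResource[0]);

    (void)bEstablish;

    // GetRemoteMachineName() can return NULL; do not format a NULL string.
    if (lpszRemote == NULL || lpszResource == NULL)
    {
        return FALSE;
    }

    // Both parts come from the command line, so the write must be bounded.
    // A negative result or one that fills the buffer means truncation.
    const int cchWritten = _sntprintf(szRemoteResource, cchRemoteResource,
                                      _T("%s\\%s"), lpszRemote, lpszResource);
    if (cchWritten < 0 || (size_t)cchWritten >= cchRemoteResource)
    {
        return FALSE;
    }

    // Zero the whole structure so no member is passed uninitialised.
    NETRESOURCE nr;
    ZeroMemory(&nr, sizeof(nr));
    nr.dwType = RESOURCETYPE_ANY;
    nr.lpLocalName = NULL;
    nr.lpRemoteName = szRemoteResource;
    nr.lpProvider = NULL;

    // Establish connection (using username/pwd); flags 0 = not persistent.
    const DWORD rc = WNetAddConnection2(&nr, lpszPassword, lpszUser, 0);

    return (rc == NO_ERROR) ? TRUE : FALSE;
}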
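// Copies the file named by the global lpszCommandExe to
// "<lpszMachine>\ADMIN$\System32\<name><ext>" on the target.
//
// Returns the result of CopyFile, or FALSE without copying when a global is
// NULL, when the source path has no file name, or when the file name or the
// destination path does not fit its buffer.
//
// Review notes:
//   - The last CopyFile argument is FALSE, so an existing file of the same
//     name in the target's System32 directory is overwritten.
//   - Access to the ADMIN$ share is logged on the target as Security events
//     5140 / 5145 when file-share auditing is enabled.
BOOL CopyBinaryToRemoteSystem()
{
    TCHAR fname[_MAX_FNAME];
    TCHAR ext[_MAX_EXT];
    TCHAR szRemoteResource[_MAX_PATH];
    const size_t cchRemoteResource = sizeof(szRemoteResource) / sizeof(szRemoteResource[0]);

    // Both globals come from the command line and may never have been set.
    if (lpszCommandExe == NULL || lpszMachine == NULL)
    {
        return FALSE;
    }

    // Gets the file name and extension. The size-checked variant reports an
    // over-long component instead of writing past the fixed buffers; drive
    // and directory are not needed, so no buffers are passed for them.
    if (_tsplitpath_s(lpszCommandExe, NULL, 0, NULL, 0,
                      fname, _MAX_FNAME, ext, _MAX_EXT) != 0)
    {
        return FALSE;
    }

    // Without a file name the destination would be the directory itself.
    if (fname[0] == _T('\0'))
    {
        return FALSE;
    }

    // Bounded formatting: a negative result or one that fills the buffer
    // means the destination path was truncated.
    const int cchWritten = _sntprintf(szRemoteResource, cchRemoteResource,
                                      _T("%s\\ADMIN$\\System32\\%s%s"),
                                      lpszMachine, fname, ext);
    if (cchWritten < 0 || (size_t)cchWritten >= cchRemoteResource)
    {
        return FALSE;
    }

    // Copy the Command's exe file to \\remote\ADMIN$\System32
    return CopyFile(lpszCommandExe, szRemoteResource, FALSE);
}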
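// Entry point. Expected command line, as read by the helpers on this page:
//   <program> \\host [/user:NAME] [/pwd:PASSWORD] <local-file>
//
// Exit codes:
//    0  file copied
//   -1  target machine or local file missing or not recognised
//   -2  connection to \\host\ADMIN$ failed
//   -3  copy failed
int _tmain(DWORD, TCHAR**, TCHAR**)
{
    DWORD dwIndex = 0;

    lpszMachine = GetRemoteMachineName();
    lpszCommandExe = GetNthParameter(2, dwIndex);

    // Either lookup can return NULL; stop before the values are formatted
    // into a path or handed to the copy routine.
    if (lpszMachine == NULL || lpszCommandExe == NULL)
    {
        return -1;
    }

    SetConnectionCredentials();

    // Do not attempt the copy when the connection could not be made, and
    // report the failure through the exit code.
    if (!EstablishConnection(lpszMachine, _T("ADMIN$"), TRUE))
    {
        return -2;
    }

    if (!CopyBinaryToRemoteSystem())
    {
        return -3;
    }

    return 0;
}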