  • 从零构建自己的远控•用匿名管道执行powershell&cmd(9)

    #include <stdio.h>
    #include <string.h>
    #include <windows.h>
    
    /* Pipe 1 (shell -> this process): the child's stdout/stderr are attached to
     * m_hWritePipeShell in main(); ReadPipeThread drains m_hReadPipeHandle. */
    HANDLE m_hReadPipeHandle  = NULL;   /* our read end */
    HANDLE m_hWritePipeShell  = NULL;   /* child's write end */
    /* Pipe 2 (this process -> shell): main() writes commands to
     * m_hWritePipeHandle; the child reads them as stdin from m_hReadPipeShell. */
    HANDLE m_hWritePipeHandle = NULL;   /* our write end */
    HANDLE m_hReadPipeShell   = NULL;   /* child's read end */
    
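    /*
     * Reader thread: drains the child's stdout/stderr pipe (m_hReadPipeHandle)
     * and echoes every byte that arrives to this process's stdout.
     *
     * lparam is unused.
     * Returns 0 once the pipe reports ERROR_BROKEN_PIPE (every write handle,
     * including this process's own copy, has been closed), 1 on any other
     * pipe error. The original version never terminated and could read past
     * the end of its buffer, because puts() expects a NUL terminator that
     * ReadFile() does not provide.
     */
    DWORD WINAPI ReadPipeThread(LPVOID lparam)
    {
        (void)lparam;
        for (;;)
        {
            DWORD bytesAvail = 0;
            /* Poll without a buffer: PeekNamedPipe only reports how much is queued. */
            if (!PeekNamedPipe(m_hReadPipeHandle, NULL, 0, NULL, &bytesAvail, NULL))
            {
                return GetLastError() == ERROR_BROKEN_PIPE ? 0 : 1;
            }
            if (bytesAvail == 0)
            {
                Sleep(100);
                continue;
            }
            /* +1 so the buffer always has room for a terminator; LPTR zero-fills. */
            LPBYTE lpBuffer = (LPBYTE)LocalAlloc(LPTR, (SIZE_T)bytesAvail + 1);
            if (lpBuffer == NULL)
            {
                Sleep(100);     /* transient allocation failure: retry, do not exit */
                continue;
            }
            DWORD bytesRead = 0;
            if (ReadFile(m_hReadPipeHandle, lpBuffer, bytesAvail, &bytesRead, NULL) && bytesRead > 0)
            {
                /* Write exactly the bytes received: the shell's output is not
                 * NUL-terminated and need not end with a newline. */
                fwrite(lpBuffer, 1, bytesRead, stdout);
                fflush(stdout);
            }
            LocalFree(lpBuffer);
        }
    }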
    
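    /*
     * Entry point: starts a hidden powershell.exe whose stdin/stdout/stderr are
     * redirected through two anonymous pipes, forwards each line read from this
     * process's stdin to the shell, and lets ReadPipeThread echo the shell's
     * output. Returns 0 on a clean shutdown (EOF on stdin or the shell going
     * away), 1 if any setup step fails. Every handle is released on all paths.
     */
    int main(void)
    {
        int rc = 1;
        SECURITY_ATTRIBUTES sa = { 0 };
        STARTUPINFOA si = { 0 };
        PROCESS_INFORMATION pi = { 0 };
        char sysDir[MAX_PATH] = { 0 };
        char strShellPath[MAX_PATH] = { 0 };
        HANDLE hThreadRead = NULL;

        sa.nLength = sizeof(sa);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;   /* the child must inherit its ends of both pipes */

        /* Pipe 1: child stdout/stderr (m_hWritePipeShell) -> parent (m_hReadPipeHandle). */
        if (!CreatePipe(&m_hReadPipeHandle, &m_hWritePipeShell, &sa, 0))
            goto cleanup;
        /* Pipe 2: parent (m_hWritePipeHandle) -> child stdin (m_hReadPipeShell). */
        if (!CreatePipe(&m_hReadPipeShell, &m_hWritePipeHandle, &sa, 0))
            goto cleanup;

        /* The parent-side ends must NOT be inherited. A child copy of
         * m_hWritePipeHandle would keep its stdin from ever seeing EOF, and a
         * child copy of m_hReadPipeHandle would keep pipe 1 open after it exits. */
        if (!SetHandleInformation(m_hReadPipeHandle, HANDLE_FLAG_INHERIT, 0) ||
            !SetHandleInformation(m_hWritePipeHandle, HANDLE_FLAG_INHERIT, 0))
            goto cleanup;

        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_HIDE;
        si.hStdInput = m_hReadPipeShell;
        si.hStdOutput = si.hStdError = m_hWritePipeShell;

        /* Build <system dir>\WindowsPowerShell\v1.0\powershell.exe with a bounded
         * write instead of an unchecked strcat. The published listing shows
         * single backslashes; those are invalid C escapes, so the doubled form
         * the author must have compiled is restored here. "\\cmd.exe" is the
         * equivalent path for a cmd shell. */
        if (GetSystemDirectoryA(sysDir, sizeof(sysDir)) == 0)
            goto cleanup;
        {
            int n = snprintf(strShellPath, sizeof(strShellPath),
                             "%s\\WindowsPowerShell\\v1.0\\powershell.exe", sysDir);
            if (n < 0 || (size_t)n >= sizeof(strShellPath))
                goto cleanup;       /* truncated path would not be the intended binary */
        }

        if (!CreateProcessA(strShellPath, NULL, NULL, NULL, TRUE,
                            NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
            goto cleanup;
        CloseHandle(pi.hThread);    /* primary thread handle is never used */
        pi.hThread = NULL;

        /* Drop our copies of the child's ends: pipe 1 can then report
         * ERROR_BROKEN_PIPE when the shell exits, and closing m_hWritePipeHandle
         * later delivers EOF on the shell's stdin. */
        CloseHandle(m_hWritePipeShell);
        m_hWritePipeShell = NULL;
        CloseHandle(m_hReadPipeShell);
        m_hReadPipeShell = NULL;

        hThreadRead = CreateThread(NULL, 0, ReadPipeThread, NULL, 0, NULL);
        if (hThreadRead == NULL)
            goto cleanup;

        /* Forward stdin line by line. fgets keeps the '\n' that makes the shell
         * treat the text as a complete command; scanf("%s") split a command at
         * every space and could overflow the buffer on a 1023-byte token. */
        for (;;)
        {
            char buffer[1024];
            DWORD bytesWritten = 0;
            if (fgets(buffer, sizeof(buffer), stdin) == NULL)
                break;                          /* EOF or read error: shut down */
            size_t len = strlen(buffer);
            if (len == 0 || buffer[len - 1] != '\n')
            {
                /* Either the last line had no newline (EOF follows) or the line
                 * overflowed the buffer. Drain the remainder; if anything was
                 * dropped the command is incomplete and must not be sent. */
                int c = getchar();
                if (c != EOF && c != '\n')
                {
                    while ((c = getchar()) != '\n' && c != EOF) { }
                    fputs("input line too long; ignored\n", stderr);
                    continue;
                }
                buffer[len++] = '\n';   /* len <= sizeof(buffer) - 1, so this fits */
            }
            /* WriteFile takes an explicit length, so no NUL terminator is needed. */
            if (!WriteFile(m_hWritePipeHandle, buffer, (DWORD)len, &bytesWritten, NULL))
                break;                          /* the shell went away */
        }
        rc = 0;

    cleanup:
        /* Closing our write end is what delivers EOF to the shell's stdin. */
        if (m_hWritePipeHandle != NULL)
        {
            CloseHandle(m_hWritePipeHandle);
            m_hWritePipeHandle = NULL;
        }
        if (pi.hProcess != NULL)
        {
            /* Bounded wait; the shell was started hidden, so if it ignores EOF
             * nothing else would ever close it. */
            if (WaitForSingleObject(pi.hProcess, 2000) == WAIT_TIMEOUT)
                TerminateProcess(pi.hProcess, 1);
            CloseHandle(pi.hProcess);
            pi.hProcess = NULL;
        }
        if (hThreadRead != NULL)
        {
            /* Give the reader a moment to flush the shell's last output; if it
             * is still running it is torn down with the process. */
            WaitForSingleObject(hThreadRead, 500);
            CloseHandle(hThreadRead);
            hThreadRead = NULL;
        }
        /* CloseHandle(NULL) is an error, not a no-op, hence the guards. */
        if (m_hReadPipeHandle != NULL)
        {
            CloseHandle(m_hReadPipeHandle);
            m_hReadPipeHandle = NULL;
        }
        if (m_hWritePipeShell != NULL)
        {
            CloseHandle(m_hWritePipeShell);
            m_hWritePipeShell = NULL;
        }
        if (m_hReadPipeShell != NULL)
        {
            CloseHandle(m_hReadPipeShell);
            m_hReadPipeShell = NULL;
        }
        return rc;
    }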

  • 原文地址:https://www.cnblogs.com/feizianquan/p/15219765.html