├── display.gif ├── README.md ├── MyPsExec.vcxproj.filters ├── PsExecService ├── PsExecService.vcxproj.filters ├── PsExecService.vcxproj └── PsExecService.cpp ├── MyPsExec.sln ├── .gitattributes ├── MyPsExec.vcxproj ├── .gitignore └── PsExec.cpp /display.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zesiar0/MyPsExec/HEAD/display.gif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MyPsExec 2 | 3 | MyPsExec是根据[Sysinternal Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)中的PsExec提供的功能实现的demo，仅供学习参考。 4 | 5 | PsExec原理以及实现过程可以参考： 6 | 7 | http://a3bz.top/2022-8-8-psexec%E5%8E%9F%E7%90%86%E5%88%86%E6%9E%90%E5%92%8C%E5%AE%9E%E7%8E%B0/ 8 | 9 | # USAGE 10 | ``` 11 | MyPsExec.exe [host] [username] [password] [service path] 12 | ``` 13 | 14 | **Note** 15 | 16 | 编译的时候需要Release版本，否则启动服务会失败。 17 | 18 | ![](display.gif) 19 | 20 | ## TODO LIST 21 | 22 | - [x] 明文密码登录 23 | - [x] 交互执行命令 24 | - [x] 多线程实现命名管道 25 | - [x] 分段读取超出缓冲区的数据 26 | - [ ] NTLM-Hash登录 27 | -------------------------------------------------------------------------------- /MyPsExec.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /PsExecService/PsExecService.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /MyPsExec.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.2.32630.192 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyPsExec", "MyPsExec.vcxproj", "{7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PsExecService", "PsExecService\PsExecService.vcxproj", "{1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Debug|x64.ActiveCfg = Debug|x64 19 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Debug|x64.Build.0 = Debug|x64 20 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Debug|x86.ActiveCfg = Debug|Win32 21 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Debug|x86.Build.0 = Debug|Win32 22 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Release|x64.ActiveCfg = Release|x64 23 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Release|x64.Build.0 = Release|x64 24 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Release|x86.ActiveCfg = Release|Win32 25 | {7D03BA15-D39B-41F4-9D3C-20BB96C7F26A}.Release|x86.Build.0 = Release|Win32 26 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Debug|x64.ActiveCfg = Debug|x64 27 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Debug|x64.Build.0 = Debug|x64 28 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Debug|x86.ActiveCfg = Debug|Win32 29 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Debug|x86.Build.0 = Debug|Win32 30 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Release|x64.ActiveCfg = Release|x64 31 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Release|x64.Build.0 = Release|x64 32 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Release|x86.ActiveCfg = Release|Win32 33 | {1A3FA0AB-B6C7-40F1-93E0-877A22FD827F}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {6E171CE7-80B1-4757-A7FF-392F96D523A4} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /MyPsExec.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {7d03ba15-d39b-41f4-9d3c-20bb96c7f26a} 25 | MyPsExec 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | false 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /PsExecService/PsExecService.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {1a3fa0ab-b6c7-40f1-93e0-877a22fd827f} 25 | PsExecService 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | false 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /PsExecService/PsExecService.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUFSIZE 20480 7 | #define SERVICE_NAME L"PsExec" 8 | #define SLEEP_TIME 500 9 | #define LOGFILE "C:\\log.txt" 10 | 11 | SERVICE_STATUS_HANDLE svcStatusHandle; 12 | SERVICE_STATUS svcStatus; 13 | 14 | BOOL CreateStdNamedPipe(LPHANDLE, LPCTSTR); 15 | VOID OutputError(LPCTSTR, DWORD); 16 | BOOL ExecuteClientCommand(); 17 | 18 | void ServiceMain(int argc, char** argv); 19 | void ServiceControlHandler(DWORD request); 20 | int InitService(); 21 | int WriteToLog(LPCTSTR str); 22 | 23 | int main(int argc, CHAR* argv[]) { 24 | LPTSTR ServiceName = (LPTSTR)SERVICE_NAME; 25 | SERVICE_TABLE_ENTRY DispatchTable[2]; 26 | 27 | 28 | DispatchTable[0].lpServiceName = ServiceName; 29 | DispatchTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain; 30 | 31 | // the last element of DispatchTable must be NULL. 32 | DispatchTable[1].lpServiceName = NULL; 33 | DispatchTable[1].lpServiceProc = NULL; 34 | 35 | // connect to the SCM 36 | StartServiceCtrlDispatcher(DispatchTable); 37 | return 0; 38 | } 39 | 40 | void ServiceMain(int argc, char** argv) { 41 | // set the fundamental information of current service. 42 | svcStatus.dwServiceType = SERVICE_WIN32; 43 | svcStatus.dwCurrentState = SERVICE_START_PENDING; 44 | svcStatus.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_STOP; 45 | svcStatus.dwWin32ExitCode = 0; 46 | svcStatus.dwCheckPoint = 0; 47 | svcStatus.dwWaitHint = 0; 48 | 49 | // register SCP and return service status handle. 50 | svcStatusHandle = RegisterServiceCtrlHandler(SERVICE_NAME, (LPHANDLER_FUNCTION)ServiceControlHandler); 51 | if (svcStatusHandle == 0) { 52 | WriteToLog(L"RegisterServiceCtrHandler failed."); 53 | return; 54 | } 55 | 56 | WriteToLog(L"RegisterServiceCtrHandler success."); 57 | // Initialize Service 58 | int error = InitService(); 59 | if (error) { 60 | // Initialization failed. 61 | svcStatus.dwCurrentState = SERVICE_STOPPED; 62 | svcStatus.dwWin32ExitCode = -1; 63 | SetServiceStatus(svcStatusHandle, &svcStatus); 64 | return; 65 | } 66 | 67 | // report to the SCM 68 | svcStatus.dwCurrentState = SERVICE_RUNNING; 69 | SetServiceStatus(svcStatusHandle, &svcStatus); 70 | 71 | // modify current state to `running`, so that current program can accept control info from SCM. 72 | 73 | // do something you want to do in this while loop 74 | 75 | if (!ExecuteClientCommand()) { 76 | svcStatus.dwCurrentState = SERVICE_STOPPED; 77 | svcStatus.dwWin32ExitCode = -1; 78 | SetServiceStatus(svcStatusHandle, &svcStatus); 79 | return; 80 | } 81 | 82 | return; 83 | } 84 | 85 | BOOL CreateStdNamedPipe(PHANDLE lpPipe, LPCTSTR lpPipeName) { 86 | *lpPipe = CreateNamedPipe( 87 | lpPipeName, 88 | PIPE_ACCESS_DUPLEX, 89 | PIPE_TYPE_MESSAGE | 90 | PIPE_READMODE_MESSAGE | 91 | PIPE_WAIT, 92 | PIPE_UNLIMITED_INSTANCES, 93 | BUFSIZE, 94 | BUFSIZE, 95 | 0, 96 | NULL); 97 | 98 | return !(*lpPipe == INVALID_HANDLE_VALUE); 99 | } 100 | 101 | VOID OutputError(LPCTSTR functionName, DWORD errCode) { 102 | _tprintf(TEXT("[!] %s error, GLE=%d"), functionName, errCode); 103 | } 104 | 105 | BOOL ExecuteClientCommand() { 106 | BOOL fSuccess = FALSE; 107 | HANDLE hStdoutPipe = INVALID_HANDLE_VALUE; 108 | HANDLE hReadPipe = INVALID_HANDLE_VALUE; 109 | HANDLE hWritePipe = INVALID_HANDLE_VALUE; 110 | HANDLE hHeap = GetProcessHeap(); 111 | LPCTSTR lpszStdoutPipeName = TEXT("\\\\.\\pipe\\PSEXEC"); 112 | LPSTR pWriteBuffer = (LPSTR)HeapAlloc(hHeap, 0, BUFSIZE * sizeof(LPSTR)); 113 | LPTSTR pReadBuffer = (LPTSTR)HeapAlloc(hHeap, 0, BUFSIZE * sizeof(LPTSTR) / 10); 114 | LPTSTR lpCommandLine = (LPTSTR)HeapAlloc(hHeap, 0, BUFSIZE * sizeof(LPTSTR)); 115 | LPTSTR message = (LPTSTR)HeapAlloc(hHeap, 0, BUFSIZE * sizeof(LPTSTR) / 10); 116 | DWORD cbToWritten = 0; 117 | STARTUPINFO si; 118 | PROCESS_INFORMATION pi; 119 | 120 | if (lpCommandLine == NULL || pWriteBuffer == NULL || pReadBuffer == NULL || message == NULL) { 121 | WriteToLog(L"Malloc Failed.\n"); 122 | HeapFree(hHeap, 0, pReadBuffer); 123 | HeapFree(hHeap, 0, pWriteBuffer); 124 | HeapFree(hHeap, 0, lpCommandLine); 125 | HeapFree(hHeap, 0, message); 126 | return FALSE; 127 | } 128 | 129 | if (!CreateStdNamedPipe(&hStdoutPipe, lpszStdoutPipeName)) { 130 | OutputError(TEXT("CreateStdNamedPipe PSEXEC"), GetLastError()); 131 | } 132 | WriteToLog(L"[*] CreateNamedPipe successfully!\n"); 133 | 134 | if (!ConnectNamedPipe(hStdoutPipe, NULL) ? TRUE : (GetLastError() == ERROR_PIPE_CONNECTED)) { 135 | OutputError(L"ConnectNamePipe PSEXEC", GetLastError()); 136 | 137 | CloseHandle(hStdoutPipe); 138 | return -1; 139 | } 140 | WriteToLog(L"[*] ConnectNamedPipe sucessfully!\n"); 141 | 142 | SECURITY_ATTRIBUTES sa; 143 | sa.nLength = sizeof(sa); 144 | sa.lpSecurityDescriptor = NULL; 145 | sa.bInheritHandle = TRUE; 146 | 147 | if (!CreatePipe(&hReadPipe, &hWritePipe, &sa, 0)) { 148 | OutputError(L"CreatePipe", GetLastError()); 149 | } 150 | WriteToLog(L"[*] CreatePipe successfully!\n"); 151 | 152 | ZeroMemory(&si, sizeof(STARTUPINFO)); 153 | ZeroMemory(&pi, sizeof(PROCESS_INFORMATION)); 154 | si.cb = sizeof(STARTUPINFO); 155 | si.dwFlags |= STARTF_USESHOWWINDOW; 156 | si.dwFlags |= STARTF_USESTDHANDLES; 157 | si.wShowWindow = SW_HIDE; 158 | si.hStdInput = NULL; 159 | si.hStdOutput = hWritePipe; 160 | si.hStdError = hWritePipe; 161 | 162 | 163 | while (true) { 164 | DWORD ExitCode = 0; 165 | DWORD RSize = 0; 166 | 167 | ZeroMemory(pReadBuffer, sizeof(TCHAR) * BUFSIZE / 10); 168 | // Read message from client. 169 | WriteToLog(L"Start to read message from client.\n"); 170 | if (!ReadFile(hStdoutPipe, pReadBuffer, BUFSIZE * sizeof(LPTSTR) / 10, &RSize, NULL)) { 171 | OutputError(L"[!] ReadFile from client failed!\n", GetLastError()); 172 | return -1; 173 | } 174 | 175 | ZeroMemory(message, BUFSIZE * sizeof(LPTSTR) / 10); 176 | if (message == NULL) { 177 | return FALSE; 178 | } 179 | 180 | StringCchPrintf(message, MAX_PATH, L"[*] ReadFile from client successfully. length = %d, message = %s\n", RSize, pReadBuffer); 181 | WriteToLog(message); 182 | 183 | /* subprocess */ 184 | StringCchPrintf(lpCommandLine, MAX_PATH, L"cmd.exe /c \"%s\" && exit", pReadBuffer); 185 | 186 | if (!CreateProcess( 187 | NULL, 188 | lpCommandLine, 189 | NULL, 190 | NULL, 191 | TRUE, 192 | CREATE_NO_WINDOW, 193 | NULL, 194 | NULL, 195 | &si, 196 | &pi 197 | )) { 198 | OutputError(L"CreateProcess", GetLastError()); 199 | return -1; 200 | } 201 | 202 | WriteToLog(L"\nCreateProcess Successfully.\n"); 203 | WaitForSingleObject(pi.hProcess, 20000); 204 | 205 | ZeroMemory(pWriteBuffer, sizeof(pWriteBuffer) * BUFSIZE); 206 | fSuccess = ReadFile(hReadPipe, pWriteBuffer, BUFSIZE * sizeof(CHAR), &RSize, NULL); 207 | if (!fSuccess && GetLastError() != ERROR_MORE_DATA) { 208 | break; 209 | } 210 | 211 | // Send result to client. 212 | cbToWritten = (strlen(pWriteBuffer) + 1) * sizeof(TCHAR); 213 | if (!WriteFile(hStdoutPipe, pWriteBuffer, RSize, &cbToWritten, NULL)) { 214 | OutputError(L"WriteFile", GetLastError()); 215 | return -1; 216 | } 217 | /*WriteToLog(pWriteBuffer);*/ 218 | WriteToLog(L"[*] WriteFile to client successfully!\n"); 219 | 220 | } 221 | 222 | // WaitForSingleObject(pi.hProcess, INFINITE); 223 | WriteToLog(L"Subprocess exits.\n"); 224 | 225 | CloseHandle(pi.hProcess); 226 | CloseHandle(pi.hThread); 227 | 228 | HeapFree(hHeap, 0, pReadBuffer); 229 | HeapFree(hHeap, 0, pWriteBuffer); 230 | HeapFree(hHeap, 0, lpCommandLine); 231 | 232 | 233 | return 0; 234 | } 235 | 236 | void ServiceControlHandler(DWORD request) { 237 | switch (request) 238 | { 239 | case SERVICE_CONTROL_STOP: 240 | WriteToLog(L"Service stopped."); 241 | svcStatus.dwWin32ExitCode = 0; 242 | svcStatus.dwCurrentState = SERVICE_STOPPED; 243 | SetServiceStatus(svcStatusHandle, &svcStatus); 244 | return; 245 | case SERVICE_CONTROL_SHUTDOWN: 246 | WriteToLog(L"Service stopped."); 247 | svcStatus.dwCurrentState = 0; 248 | svcStatus.dwCurrentState = SERVICE_STOPPED; 249 | SetServiceStatus(svcStatusHandle, &svcStatus); 250 | return; 251 | default: 252 | break; 253 | } 254 | 255 | SetServiceStatus(svcStatusHandle, &svcStatus); 256 | return; 257 | } 258 | 259 | int InitService() { 260 | TCHAR Message[] = L"Service started."; 261 | OutputDebugString(TEXT("Service started.")); 262 | int result; 263 | result = WriteToLog(Message); 264 | 265 | return result; 266 | } 267 | 268 | int WriteToLog(LPCTSTR str) { 269 | FILE* pFile; 270 | fopen_s(&pFile, LOGFILE, "a+"); 271 | if (pFile == NULL) { 272 | return -1; 273 | } 274 | fprintf_s(pFile, "%ws\n", str); 275 | fclose(pFile); 276 | 277 | return 0; 278 | } -------------------------------------------------------------------------------- /PsExec.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #pragma comment(lib, "ws2_32") 9 | #pragma comment(lib, "Mpr.lib") 10 | #pragma comment(lib,"Advapi32.lib") 11 | 12 | #define BUFSIZE 512 13 | #define SLEEP_TIME 500 14 | 15 | DWORD WINAPI StdinThread(HANDLE hStdoutPipe); 16 | DWORD WINAPI StdoutThread(HANDLE hStdinPipe); 17 | DWORD ConnectSMBServer(LPCTSTR lpwsHost, LPCTSTR lpwsUserName, LPCTSTR lpwsPassword); 18 | BOOL UploadFileBySMB(LPCTSTR lpwsSrcPath, LPCTSTR lpwsDstPath); 19 | BOOL CreateServiceWithSCM(LPCTSTR lpwsSCMServer, LPCTSTR lpwsServiceName, LPCTSTR lpwsServicePath); 20 | BOOL CreateStdNamedPipe(LPHANDLE, LPCTSTR); 21 | VOID OutputError(LPCTSTR, DWORD); 22 | BOOL ExecuteCommand(LPTSTR lpwsHost); 23 | 24 | HANDLE hStdoutSemaphore; 25 | HANDLE hStdinSemaphore; 26 | HANDLE hStdoutPipe = INVALID_HANDLE_VALUE; 27 | HANDLE hStdinPipe = INVALID_HANDLE_VALUE; 28 | HANDLE hStdoutThread = INVALID_HANDLE_VALUE; 29 | HANDLE hStdinThread = INVALID_HANDLE_VALUE; 30 | DWORD cbRead = 0; 31 | DWORD cbToRead = 0; 32 | DWORD dwStdoutThreadId = 0; 33 | DWORD dwStdinThreadId = 0; 34 | 35 | int wmain(int argc, wchar_t* argv[]) { 36 | LPTSTR lpwsHost = argv[1]; 37 | LPTSTR lpwsUsername = argv[2]; 38 | LPTSTR lpwsPassword = argv[3]; 39 | LPTSTR lpwsSrcPath = argv[4]; 40 | LPTSTR lpwsDstPath = NULL; 41 | LPCTSTR lpwsServiceName = L"PSEXEC"; 42 | LPCTSTR lpwsServicePath = L"%SystemRoot%\\PsExecService.exe"; 43 | 44 | lpwsDstPath = (LPWSTR)malloc(MAX_PATH * sizeof(WCHAR)); 45 | if (!lpwsDstPath) { 46 | return NULL; 47 | } 48 | StringCchPrintf(lpwsDstPath, MAX_PATH, TEXT("\\\\%s\\admin$\\PsExecService.exe"), lpwsHost); 49 | 50 | if (!ConnectSMBServer(lpwsHost, lpwsUsername, lpwsPassword)) { 51 | 52 | if (UploadFileBySMB(lpwsSrcPath, lpwsDstPath)) { 53 | wprintf(L"[*] Upload Successfully!\n"); 54 | CreateServiceWithSCM(lpwsHost, lpwsServiceName, lpwsServicePath); 55 | } 56 | else { 57 | wprintf(L"[!] Upload Failed! Error: %d\n", GetLastError()); 58 | return GetLastError(); 59 | } 60 | } 61 | 62 | Sleep(SLEEP_TIME); 63 | if (!ExecuteCommand(lpwsHost)) { 64 | wprintf(L"[!] ExecuteCommand error! ending...\n"); 65 | return GetLastError(); 66 | } 67 | wprintf(L"[*] All successfully!"); 68 | 69 | return 0; 70 | } 71 | 72 | DWORD ConnectSMBServer(LPCTSTR lpwsHost, LPCTSTR lpwsUserName, LPCTSTR lpwsPassword) { 73 | // SMB shared resource. 74 | PTCHAR lpwsIPC = new TCHAR[MAX_PATH]; 75 | // Return value 76 | DWORD dwRetVal; 77 | // Detailed network information 78 | NETRESOURCE nr; 79 | // Connection flags 80 | DWORD dwFlags; 81 | 82 | ZeroMemory(&nr, sizeof(NETRESOURCE)); 83 | StringCchPrintf(lpwsIPC, 100, TEXT("\\\\%s\\admin$"), lpwsHost); 84 | 85 | nr.dwType = RESOURCETYPE_ANY; 86 | nr.lpLocalName = NULL; 87 | nr.lpRemoteName = lpwsIPC; 88 | nr.lpProvider = NULL; 89 | 90 | dwFlags = CONNECT_UPDATE_PROFILE; 91 | 92 | dwRetVal = WNetAddConnection2(&nr, lpwsPassword, lpwsUserName, dwFlags); 93 | if (dwRetVal == NO_ERROR) { 94 | // success 95 | wprintf(L"[*] Connect added to %s\n", nr.lpRemoteName); 96 | return dwRetVal; 97 | } 98 | 99 | 100 | wprintf(L"[!] WNetAddConnection2 failed with error: %d\n", dwRetVal); 101 | return -1; 102 | } 103 | 104 | BOOL UploadFileBySMB(LPCTSTR lpwsSrcPath, LPCTSTR lpwsDstPath) { 105 | DWORD dwRetVal; 106 | dwRetVal = CopyFile(lpwsSrcPath, lpwsDstPath, FALSE); 107 | return dwRetVal > 0 ? TRUE : FALSE; 108 | } 109 | 110 | BOOL CreateServiceWithSCM(LPCTSTR lpwsSCMServer, LPCTSTR lpwsServiceName, LPCTSTR lpwsServicePath) { 111 | wprintf(L"[*] Create Service %s\n", lpwsServiceName); 112 | 113 | SC_HANDLE hSCM; 114 | SC_HANDLE hService; 115 | 116 | hSCM = OpenSCManager(lpwsSCMServer, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS); 117 | if (hSCM == NULL) { 118 | wprintf(L"[!] OpenSCManager Error: %d", GetLastError()); 119 | return -1; 120 | } 121 | 122 | hService = CreateService( 123 | hSCM, 124 | lpwsServiceName, 125 | lpwsServiceName, 126 | GENERIC_ALL, 127 | SERVICE_WIN32_OWN_PROCESS, 128 | SERVICE_DEMAND_START, 129 | SERVICE_ERROR_IGNORE, 130 | lpwsServicePath, 131 | NULL, 132 | NULL, 133 | NULL, 134 | NULL, 135 | NULL); 136 | 137 | if (hService == NULL) { 138 | wprintf(L"[!] CreateService Error: %d", GetLastError()); 139 | return -1; 140 | } 141 | wprintf(L"[*] Create Service Success: %s\n", lpwsServicePath); 142 | 143 | hService = OpenService(hSCM, lpwsServiceName, GENERIC_ALL); 144 | if (hService == NULL) { 145 | wprintf(L"[!] OpenService Error: %d\n", GetLastError()); 146 | return -1; 147 | } 148 | wprintf(L"[*] OpenService Success!\n"); 149 | 150 | if (!StartService(hService, NULL, NULL)) { 151 | wprintf(L"[!] StartService Fail! Error: %d\n", GetLastError()); 152 | } 153 | wprintf(L"[*] StartService Successfully!\n"); 154 | 155 | return 0; 156 | } 157 | 158 | VOID OutputError(LPCTSTR functionName, DWORD errCode) { 159 | _tprintf(TEXT("[!] %s error, GLE=%d"), functionName, errCode); 160 | } 161 | 162 | BOOL CreateStdNamedPipe(PHANDLE lpPipe, LPCTSTR lpPipeName) { 163 | *lpPipe = CreateNamedPipe( 164 | lpPipeName, 165 | PIPE_ACCESS_DUPLEX, 166 | PIPE_TYPE_MESSAGE | 167 | PIPE_READMODE_MESSAGE | 168 | PIPE_WAIT, 169 | PIPE_UNLIMITED_INSTANCES, 170 | BUFSIZE, 171 | BUFSIZE, 172 | 0, 173 | NULL); 174 | 175 | return !(*lpPipe == INVALID_HANDLE_VALUE); 176 | } 177 | 178 | BOOL ExecuteCommand(LPTSTR lpwsHost) { 179 | LPTSTR lpszStdoutNamedPipe = NULL; 180 | BOOL fSuccess = FALSE; 181 | DWORD length = 0; 182 | 183 | lpszStdoutNamedPipe = (LPTSTR)malloc(MAX_PATH * sizeof(lpszStdoutNamedPipe)); 184 | if (lpszStdoutNamedPipe == NULL) { 185 | return FALSE; 186 | } 187 | StringCchPrintf(lpszStdoutNamedPipe, MAX_PATH, L"\\\\%s\\pipe\\PSEXEC", lpwsHost); 188 | 189 | hStdoutPipe = CreateFile( 190 | lpszStdoutNamedPipe, 191 | GENERIC_READ | 192 | GENERIC_WRITE, 193 | 0, 194 | NULL, 195 | OPEN_EXISTING, 196 | 0, 197 | NULL); 198 | 199 | // Return if the pipe handle is invalid. 200 | if (hStdoutPipe == INVALID_HANDLE_VALUE) { 201 | wprintf(L"[!] CreateFile (PSEXEC) fail. GLE=%d.\n", GetLastError()); 202 | return -1; 203 | } 204 | 205 | // Exit if an error other than ERROR_PIPE_BUSY occurs. 206 | if (GetLastError() == ERROR_PIPE_BUSY) { 207 | wprintf(L"[!] Could not open pipe (hStdoutPipe). GLE=%d.\n", GetLastError()); 208 | return -1; 209 | } 210 | wprintf(L"[*] CreateFile PSEXEC successfully\n"); 211 | 212 | // All pipe instances are busy, so wait for 20 seconds. 213 | if (WaitNamedPipe(lpszStdoutNamedPipe, 2000)) { 214 | wprintf(L"[!] Could not open pipe (PSEXEC): 20 second wait timed out.\n"); 215 | return -1; 216 | } 217 | wprintf(L"[*] WaitNamedPipe successfully!\n"); 218 | 219 | hStdoutSemaphore = CreateSemaphore(NULL, 0, 1, L"StdoutSemaphore"); 220 | hStdinSemaphore = CreateSemaphore(NULL, 1, 1, L"StdinSemaphore"); 221 | 222 | hStdoutThread = CreateThread( 223 | NULL, 224 | 0, 225 | StdoutThread, 226 | (LPVOID)hStdoutPipe, 227 | 0, 228 | &dwStdoutThreadId); 229 | if (hStdoutThread == NULL) { 230 | wprintf(L"[!] Create Stdout Thread failed, GLE = %d.\n", GetLastError()); 231 | return FALSE; 232 | } 233 | 234 | hStdinThread = CreateThread( 235 | NULL, 236 | 0, 237 | StdinThread, 238 | (LPVOID)hStdoutPipe, 239 | 0, 240 | &dwStdinThreadId); 241 | if (hStdinThread == NULL) { 242 | wprintf(L"[!] Create Stdin Thread failed, GLE = %d.\n", GetLastError()); 243 | return FALSE; 244 | } 245 | 246 | WaitForSingleObject(hStdoutThread, INFINITE); 247 | WaitForSingleObject(hStdinThread, INFINITE); 248 | 249 | CloseHandle(hStdoutPipe); 250 | CloseHandle(hStdoutThread); 251 | CloseHandle(hStdinPipe); 252 | CloseHandle(hStdinThread); 253 | return 0; 254 | } 255 | 256 | DWORD WINAPI StdinThread(HANDLE hPipe) { 257 | DWORD dwWait = 0; 258 | std::wstring command; 259 | 260 | while (true) { 261 | dwWait = WaitForSingleObject(hStdinSemaphore, INFINITE); 262 | 263 | wprintf(L"\nPsExec>"); 264 | std::getline(std::wcin, command); 265 | 266 | cbToRead = command.length() * sizeof(command); 267 | if (!WriteFile(hPipe, (LPCVOID)command.c_str(), cbToRead, &cbRead, NULL)) { 268 | wprintf(L"[!] WriteFile to server error! GLE = %d.\n", GetLastError()); 269 | break; 270 | } 271 | wprintf(L"[*] WriteFile to server successfully! message = %s, length = %d\n", command.c_str(), cbRead); 272 | 273 | ReleaseSemaphore(hStdoutSemaphore, 1, NULL); 274 | } 275 | 276 | return TRUE; 277 | } 278 | 279 | DWORD WINAPI StdoutThread(HANDLE hPipe) { 280 | HANDLE hHeap = GetProcessHeap(); 281 | LPSTR chBuf = (LPSTR)HeapAlloc(hHeap, 0, BUFSIZE * sizeof(chBuf)); 282 | DWORD fSuccess = 0; 283 | while (true) { 284 | if (chBuf == NULL) { 285 | return FALSE; 286 | } 287 | ZeroMemory(chBuf, BUFSIZE * sizeof(chBuf)); 288 | WaitForSingleObject(hStdoutSemaphore, INFINITE); 289 | 290 | do { 291 | fSuccess = ReadFile(hPipe, chBuf, BUFSIZE * sizeof(CHAR), &cbRead, NULL); 292 | if (!fSuccess && GetLastError() != ERROR_MORE_DATA) { 293 | break; 294 | } 295 | 296 | printf("%s", chBuf); 297 | } while (!fSuccess); 298 | 299 | ReleaseSemaphore(hStdinSemaphore, 1, NULL); 300 | } 301 | 302 | HeapFree(hHeap, 0, chBuf); 303 | 304 | return TRUE; 305 | } --------------------------------------------------------------------------------