我的目的是通过CreateProcess创建一个cmd进程,并传命令给它,执行结果写入匿名管道,主线程在管道另一端读,我使用下面的方法:
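char cmdline[] = "cmd /c dir";   /* writable array: CreateProcess may modify lpCommandLine in place */
/* lpApplicationName is NULL, so the command line names the program: pass cmdline
 * itself (the original handed an unrelated buffer here and never used cmdline).
 * dwCreationFlags is a DWORD, so 0 rather than NULL. sinfo, pi, hread, hwrite and
 * buf are set up before this fragment; the return value is still unchecked here. */
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pi);
CloseHandle(hwrite);   /* drop our copy of the write end, or the reader never sees EOF */
/* Copy by byte count instead of printf("%s"): a read that fills buf completely
 * leaves no NUL terminator (over-read), and output containing NUL bytes would be
 * cut short. ReadFile fails with a broken pipe once every writer has closed. */
while (ReadFile(hread, buf, sizeof(buf), &bytesRead, NULL) && bytesRead > 0)
{
    fwrite(buf, 1, bytesRead, stdout);
}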
CloseHandle(hread);但如果要执行n条命令,那么就要创建&销毁cmd.exe进程n次,如果客户端和服务器频繁交互的话就要创建好多进程,这样似乎不太好
有什么办法能让cmd.exe每次对话只创建&销毁一次,让它等待主线程从管道写入命令,然后读取、执行?
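char cmdline[] = "cmd /c dir";   /* writable array: CreateProcess may modify lpCommandLine in place */
/* lpApplicationName is NULL, so the command line names the program: pass cmdline
 * itself (the original handed an unrelated buffer here and never used cmdline).
 * dwCreationFlags is a DWORD, so 0 rather than NULL. sinfo, pi, hread, hwrite and
 * buf are set up before this fragment; the return value is still unchecked here. */
CreateProcess(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pi);
CloseHandle(hwrite);   /* drop our copy of the write end, or the reader never sees EOF */
/* Copy by byte count instead of printf("%s"): a read that fills buf completely
 * leaves no NUL terminator (over-read), and output containing NUL bytes would be
 * cut short. ReadFile fails with a broken pipe once every writer has closed. */
while (ReadFile(hread, buf, sizeof(buf), &bytesRead, NULL) && bytesRead > 0)
{
    fwrite(buf, 1, bytesRead, stdout);
}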
CloseHandle(hread);但如果要执行n条命令,那么就要创建&销毁cmd.exe进程n次,如果客户端和服务器频繁交互的话就要创建好多进程,这样似乎不太好
有什么办法能让cmd.exe每次对话只创建&销毁一次,让它等待主线程从管道写入命令,然后读取、执行?
而且我发现WriteFile写进去的命令没有被当成命令执行......
这里用到两个管道,cmd管道和echo管道
cmd管道是主线程用于向cmd.exe进程写命令的
echo管道是cmd.exe进程用于向主线程写回显数据
再加上SOCKET就基本可以实现远程cmd
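/* Posting the code here to share it with everyone. */

enum {
    CMD_LINE_MAX = 1024,   /* longest stdin line forwarded to cmd.exe, incl. '\n' and NUL */
    ECHO_BUF_SIZE = 256    /* chunk size when copying cmd.exe output to our stdout */
};

DWORD WINAPI ReadThread(LPVOID param);
static BOOL read_command_line(char *line, size_t cap, size_t *len);
static BOOL build_cmd_path(char *out, size_t cap);

/*
 * Launches one hidden cmd.exe whose stdin is the "cmd" pipe and whose
 * stdout/stderr is the "echo" pipe, then forwards each line read from our
 * stdin to it until "exit" has been sent or stdin reaches EOF.  ReadThread
 * copies cmd.exe's output back to our stdout meanwhile.
 *
 * Lines are handed to cmd.exe verbatim -- nothing is filtered or quoted --
 * so this program's stdin must be trusted exactly as an interactive console
 * would be.
 *
 * Returns 0 on a clean shutdown, 1 if any setup step fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    int rc = 1;
    HANDLE hread_cmd = NULL, hwrite_cmd = NULL;    /* cmd pipe:  main writes, cmd.exe reads */
    HANDLE hread_echo = NULL, hwrite_echo = NULL;  /* echo pipe: cmd.exe writes, main reads */
    HANDLE hreader = NULL;
    DWORD reader_id = 0;
    PROCESS_INFORMATION pi = { 0 };
    STARTUPINFOA si = { 0 };
    SECURITY_ATTRIBUTES sa = { 0 };
    char cmd_path[MAX_PATH];
    char cmdline[CMD_LINE_MAX];

    sa.nLength = sizeof sa;
    sa.lpSecurityDescriptor = NULL;   /* default security */
    sa.bInheritHandle = TRUE;         /* both ends start inheritable; our own ends are fixed below */

    if (!CreatePipe(&hread_cmd, &hwrite_cmd, &sa, 0)) {
        printf("CreatePipe(cmd) failed!!!\n");
        goto out;
    }
    if (!CreatePipe(&hread_echo, &hwrite_echo, &sa, 0)) {
        printf("CreatePipe(echo) failed!!!\n");
        goto out;
    }
    /* Only the child's std handles should be inherited.  If cmd.exe also
     * received a copy of hwrite_cmd it would never see EOF on its stdin after
     * we close ours; a copy of hread_echo would simply leak into the child. */
    if (!SetHandleInformation(hwrite_cmd, HANDLE_FLAG_INHERIT, 0) ||
        !SetHandleInformation(hread_echo, HANDLE_FLAG_INHERIT, 0)) {
        printf("SetHandleInformation failed!!!\n");
        goto out;
    }

    si.cb = sizeof si;
    si.hStdInput = hread_cmd;
    si.hStdOutput = hwrite_echo;
    si.hStdError = hwrite_echo;
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    if (!build_cmd_path(cmd_path, sizeof cmd_path)) {
        printf("GetSystemDirectory failed!!!\n");
        goto out;
    }
    /* Full path as lpApplicationName, so no PATH search takes place; the
     * DWORD flags argument is 0 (the original passed NULL). */
    if (!CreateProcessA(cmd_path, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        printf("Create Process failed!!!\n");
        goto out;
    }
    /* The child now owns its copies; keeping ours would stop either pipe from
     * ever reporting EOF. */
    CloseHandle(hread_cmd);
    hread_cmd = NULL;
    CloseHandle(hwrite_echo);
    hwrite_echo = NULL;

    /* ReadThread receives a pointer to a local, so main must outlive it: the
     * thread is joined below before hread_echo is closed.  No cast on the
     * start routine -- it is declared with the WINAPI calling convention. */
    hreader = CreateThread(NULL, 0, ReadThread, &hread_echo, 0, &reader_id);
    if (hreader == NULL) {
        printf("CreateThread failed!!!\n");
        goto out;
    }

    for (;;) {
        size_t len = 0;
        DWORD written = 0;

        if (!read_command_line(cmdline, sizeof cmdline, &len)) {
            break;          /* stdin EOF: closing hwrite_cmd below ends cmd.exe as well */
        }
        if (len == 0) {
            continue;       /* an overlong line was dropped whole rather than sent truncated */
        }
        if (!WriteFile(hwrite_cmd, cmdline, (DWORD)len, &written, NULL) || written != len) {
            printf("WriteFile(cmd) failed!!!\n");
            break;
        }
        if (strcmp(cmdline, "exit\n") == 0) {
            break;
        }
    }

    /* Orderly shutdown: EOF on cmd.exe's stdin, wait for it to exit (which
     * closes its end of the echo pipe), then wait for the reader to drain the
     * pipe and hit the broken-pipe condition.  A process started by cmd.exe
     * that inherited the echo write end would keep the reader waiting here. */
    CloseHandle(hwrite_cmd);
    hwrite_cmd = NULL;
    WaitForSingleObject(pi.hProcess, INFINITE);
    WaitForSingleObject(hreader, INFINITE);
    rc = 0;

out:
    if (hreader != NULL) CloseHandle(hreader);
    if (pi.hThread != NULL) CloseHandle(pi.hThread);
    if (pi.hProcess != NULL) CloseHandle(pi.hProcess);
    if (hwrite_cmd != NULL) CloseHandle(hwrite_cmd);
    if (hread_cmd != NULL) CloseHandle(hread_cmd);
    if (hwrite_echo != NULL) CloseHandle(hwrite_echo);
    if (hread_echo != NULL) CloseHandle(hread_echo);
    return rc;
}

/*
 * Writes "<system directory>\cmd.exe" into out (cap bytes).  The directory
 * comes from GetSystemDirectory rather than an environment variable, so a
 * relocated Windows install still works and a modified environment cannot
 * change which binary is launched.  Returns FALSE if the lookup fails or the
 * path does not fit.
 */
static BOOL build_cmd_path(char *out, size_t cap)
{
    static const char suffix[] = "\\cmd.exe";
    UINT n = GetSystemDirectoryA(out, (UINT)cap);

    /* n == 0: failure; n >= cap: buffer too small (n is then the size needed) */
    if (n == 0 || n >= cap || cap - n < sizeof suffix) {
        return FALSE;
    }
    memcpy(out + n, suffix, sizeof suffix);   /* sizeof includes the NUL */
    return TRUE;
}

/*
 * Reads one line of stdin into line[0..cap-1], always '\n'-terminated (one is
 * appended when the input's last line lacks it) and stores its length in *len.
 * Returns FALSE on EOF or read error.  A line that does not fit is discarded
 * in full -- a cut-off command could mean something else entirely -- and *len
 * is set to 0 so the caller skips it.  fgets replaces the original scanf("%s"),
 * which both overflowed the 32-byte buffer and split "dir c:\" into two lines.
 */
static BOOL read_command_line(char *line, size_t cap, size_t *len)
{
    size_t n;

    *len = 0;
    if (fgets(line, (int)cap, stdin) == NULL) {
        return FALSE;
    }
    n = strlen(line);
    if (n == 0) {
        return TRUE;          /* nothing usable (NUL byte at the start); skip it */
    }
    if (line[n - 1] != '\n') {
        int c = getchar();
        if (c != EOF) {
            /* Rest of the line is still pending: it did not fit, so drop all of it. */
            while (c != '\n' && c != EOF) {
                c = getchar();
            }
            printf("command too long (max %u bytes), ignored\n", (unsigned)(cap - 2));
            return TRUE;
        }
        if (n + 1 >= cap) {
            printf("command too long (max %u bytes), ignored\n", (unsigned)(cap - 2));
            return TRUE;
        }
        line[n++] = '\n';     /* final line without newline: terminate it for cmd.exe */
        line[n] = '\0';
    }
    *len = n;
    return TRUE;
}

/*
 * Thread body: copies everything cmd.exe writes to the echo pipe onto our
 * stdout until every write end is closed (ReadFile then fails with a broken
 * pipe).  param points at the read handle, which main keeps open until this
 * thread has been joined.  Chunks are written with fwrite by byte count, so a
 * read that fills the buffer needs no NUL terminator and NUL bytes in the
 * child's output do not cut a chunk short.
 */
DWORD WINAPI ReadThread(LPVOID param)
{
    HANDLE hread_echo = *(HANDLE *)param;
    char buf[ECHO_BUF_SIZE];
    DWORD got = 0;

    while (ReadFile(hread_echo, buf, sizeof buf, &got, NULL)) {
        if (got > 0) {
            fwrite(buf, 1, got, stdout);
            fflush(stdout);   /* show output promptly; stdout may be a pipe and fully buffered */
        }
    }
    return 0;
}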
大家来拿分!!!