What makes it possible to start services through the Windows SMB protocol?
Why can services be managed in Windows through the SMB protocol?
The SMB protocol was designed for managing network shares (files and directories) and printers, so what mechanism in the protocol can interact with services?
PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system.

The Psexesvc service creates a named pipe, psexecsvc, to which PsExec connects and sends commands that tell the service on the remote system which executable to launch and which options you've specified. If you specify the -d (don't wait) switch, the service exits after starting the executable; otherwise, the service waits for the executable to terminate, then sends the exit code back to PsExec for it to print on the local console.
This is a very creative trick. psexec uses SMB to copy its own EXE to the target machine. It then uses the Windows Service Control Manager API (a different protocol) to start the exe on the remote machine. The missing detail is the exact API used to start psexec on the remote machine. I did some digging and found that the OpenSCManager API is what facilitates this. Once a handle to the remote machine's service control manager is obtained, APIs such as CreateService and StartService can be used to start the remote process.
So it is not the SMB protocol itself. More specifically, it is the Windows Service Control Manager that can perform psexec-like operations.
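The mechanism described above (a service binary copied into Admin$, then registered and started through the remote Service Control Manager) leaves a "service was installed" record (System log, Event ID 7045) on the target. The following detection logic is an added example, not code from the question or answer: it runs over constructed sample records, and it generalizes slightly by flagging any new service whose binary sits directly in the ADMIN$ root, not only one named like the Psexesvc service from the text. The mapping of ADMIN$ to %SystemRoot% and the C:\Windows root path are assumptions stated in the code.

```python
import ntpath
import re

# Constructed sample "service was installed" records (System log, Event ID 7045).
# Field names are simplified versions of the event's data fields; this is not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" -svc', "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UpdateSvc",  # renamed binary dropped into the share root
     "ImagePath": r"C:\Windows\updsvc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler",    # a state-change event, not an install
     "ImagePath": "", "AccountName": ""},
]

# Assumption: ADMIN$ maps to %SystemRoot%, taken here as C:\Windows.
WINDOWS_ROOT = r"C:\Windows"
PSEXEC_NAME = re.compile(r"psexesvc", re.IGNORECASE)

def image_file(image_path):
    """Extract the executable path from an ImagePath value, dropping quotes and arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]
    else:
        s = s.split(" ", 1)[0]
    return s.replace("%SystemRoot%", WINDOWS_ROOT).replace("%windir%", WINDOWS_ROOT)

def classify(event):
    """Return the reasons a 7045 record matches the PsExec-style pattern (empty list = not flagged)."""
    if event.get("EventID") != 7045:
        return []
    reasons = []
    exe = image_file(event.get("ImagePath", ""))
    if PSEXEC_NAME.search(event.get("ServiceName", "")) or PSEXEC_NAME.search(ntpath.basename(exe)):
        reasons.append("service or binary named like PSEXESVC")
    # A binary copied straight into Admin$ lands in the Windows root, whatever it is called.
    if ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(WINDOWS_ROOT):
        reasons.append("binary installed directly in the ADMIN$ (%SystemRoot%) root")
    return reasons

def scan(events):
    """Return (ServiceName, reasons) for every record that triggers at least one rule."""
    return [(e["ServiceName"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for name, why in scan(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(why)}")
```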