[Share] One way of exploiting CVE-2022-30190
2022-6-16 23:35 4684


1.

    There are already plenty of analyses of CVE-2022-30190, so I won't go over the parts that are the same again. I couldn't find anything online about the actual RPC (LPC) process behind this vulnerability, hence this post (it's the first one I've ever posted online, so it will be pretty rough; don't mind that, the point is to share and offer an approach). Go easy on me. Also, Microsoft has already patched it; when I ran it, it no longer worked, and whether it can still be used at all I don't know.

    Solemn statement: this article is for learning and research only; any other use has nothing to do with me!


2.

    First, an overview of the rough flow (the kernel side is implemented via ALPC, so some background on ALPC is needed; look it up yourself):

① The RPC process by which combase!CoCreateInstance starts the service:

(1) msdt.exe --> svchost.exe

IID:{00000136-0000-0000-c000-000000000046}

procNum:0x4

 # Child-SP          RetAddr               : Args to Child                                                           : Call Site
00 ffffe385`b785a4f0 fffff803`0a86aad4     : nt!KiSwapContext+0x76
01 ffffe385`b785a630 fffff803`0a8657ca     : nt!KiSwapThread+0x190
02 ffffe385`b785a6a0 fffff803`0a866fb0     : nt!KiCommitThreadWait+0x13a
03 ffffe385`b785a750 fffff803`0a84bd02     : nt!KeWaitForSingleObject+0x140
04 ffffe385`b785a7f0 fffff803`0a84bc90     : nt!AlpcpWaitForSingleObject+0x3e
05 ffffe385`b785a830 fffff803`0abc702b     : nt!AlpcpSignalAndWait+0x54
06 ffffe385`b785a870 fffff803`0abc6cf7     : nt!AlpcpReceiveSynchronousReply+0x57
07 ffffe385`b785a8d0 fffff803`0abcaa8f     : nt!AlpcpProcessSynchronousRequest+0x1a7
08 ffffe385`b785a9d0 fffff803`0a9af275     : nt!NtAlpcSendWaitReceivePort+0x17f
09 ffffe385`b785aa90 00007ff8`fafabf04     : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b785ab00)
0a 000000c3`2b77cd18 00007ff8`f96a6eb2     : ntdll!NtAlpcSendWaitReceivePort+0x14
0b 000000c3`2b77cd20 00007ff8`f96a4001     : RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x112
0c 000000c3`2b77cdd0 00007ff8`f968e93f     : RPCRT4!LRPC_CCALL::SendReceive+0x51
0d 000000c3`2b77ce20 00007ff8`faaf3555     : RPCRT4!I_RpcSendReceive+0x6f
0e 000000c3`2b77ce50 00007ff8`faaf2608     : combase!CMessageCall::RpcSendRequestReceiveResponse+0xb5 [onecore\com\combase\dcomrem\call.cxx @ 4209]
0f (Inline Function) --------`--------     : combase!ThreadSendReceive+0xc0 (Inline Function @ 00007ff8`faaf2608) [onecore\com\combase\dcomrem\channelb.cxx @ 7378]
10 (Inline Function) --------`--------     : combase!CSyncClientCall::SwitchAptAndDispatchCall+0x151 (Inline Function @ 00007ff8`faaf2608) [onecore\com\combase\dcomrem\channelb.cxx @ 5900]
11 000000c3`2b77d030 00007ff8`faac7bd4     : combase!CSyncClientCall::SendReceive2+0x248 [onecore\com\combase\dcomrem\channelb.cxx @ 5459]
12 (Inline Function) --------`--------     : combase!SyncClientCallRetryContext::SendReceiveWithRetry+0x25 (Inline Function @ 00007ff8`faac7bd4) [onecore\com\combase\dcomrem\callctrl.cxx @ 1542]
13 (Inline Function) --------`--------     : combase!CSyncClientCall::SendReceiveInRetryContext+0x25 (Inline Function @ 00007ff8`faac7bd4) [onecore\com\combase\dcomrem\callctrl.cxx @ 565]
14 000000c3`2b77d530 00007ff8`faac3dbb     : combase!DefaultSendReceive+0x64 [onecore\com\combase\dcomrem\callctrl.cxx @ 523]
15 000000c3`2b77d590 00007ff8`faacb2b4     : combase!CSyncClientCall::SendReceive+0x18b [onecore\com\combase\dcomrem\ctxchnl.cxx @ 783]
16 000000c3`2b77d7c0 00007ff8`fab4030e     : combase!CClientChannel::SendReceive+0x84 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 655]
17 000000c3`2b77d830 00007ff8`f9739d84     : combase!NdrExtpProxySendReceive+0x4e [onecore\com\combase\ndr\ndrole\proxy.cxx @ 2002]
18 000000c3`2b77d860 00007ff8`fab3a3b8     : RPCRT4!NdrpClientCall3+0x3a4
19 000000c3`2b77dbd0 00007ff8`fabb6b32     : combase!ObjectStublessClient+0x138 [onecore\com\combase\ndr\ndrole\amd64\stblsclt.cxx @ 369]
1a 000000c3`2b77df60 00007ff8`faafe381     : combase!ObjectStubless+0x42 [onecore\com\combase\ndr\ndrole\amd64\stubless.asm @ 176]
1b 000000c3`2b77dfb0 00007ff8`fab63206     : combase!CRpcResolver::DelegateActivationToSCM+0x4b5 [onecore\com\combase\dcomrem\resolver.cxx @ 2283]
1c 000000c3`2b77e170 00007ff8`faafcf05     : combase!CRpcResolver::CreateInstance+0x1a [onecore\com\combase\dcomrem\resolver.cxx @ 2491]
1d 000000c3`2b77e1a0 00007ff8`fab00610     : combase!CClientContextActivator::CreateInstance+0x135 [onecore\com\combase\objact\actvator.cxx @ 616]
1e 000000c3`2b77e450 00007ff8`fab0b7ba     : combase!ActivationPropertiesIn::DelegateCreateInstance+0x90 [onecore\com\combase\actprops\actprops.cxx @ 1983]
1f 000000c3`2b77e4e0 00007ff8`fab0a289     : combase!ICoCreateInstanceEx+0x90a [onecore\com\combase\objact\objact.cxx @ 2028]
20 000000c3`2b77f3b0 00007ff8`fab0a0cc     : combase!CComActivator::DoCreateInstance+0x169 [onecore\com\combase\objact\immact.hxx @ 386]
21 (Inline Function) --------`--------     : combase!CoCreateInstanceEx+0xd1 (Inline Function @ 00007ff8`fab0a0cc) [onecore\com\combase\objact\actapi.cxx @ 177]
22 000000c3`2b77f510 00007ff8`f4139964     : combase!CoCreateInstance+0x10c [onecore\com\combase\objact\actapi.cxx @ 121]
23 000000c3`2b77f5b0 00007ff8`f413894f     : sdiageng!CScriptedDiag::InitializeHost+0x130
24 000000c3`2b77f670 00007ff6`1841f876     : sdiageng!CScriptedDiag::Diagnose+0x12f
25 000000c3`2b77f750 00007ff6`18416da9     : msdt!PackageCollection::Diagnose+0x166
26 000000c3`2b77f7b0 00007ff6`18413c36     : msdt!Package_Diagnose+0x51
27 000000c3`2b77f7f0 00007ff6`184069ad     : msdt!Packages_Diagnose+0x176
28 000000c3`2b77f890 00007ff8`f9556fd4     : msdt!WorkerThread+0x37d
29 000000c3`2b77f8f0 00007ff8`faf5cec1     : KERNEL32!BaseThreadInitThunk+0x14
2a 000000c3`2b77f920 00000000`00000000     : ntdll!RtlUserThreadStart+0x21

(2) svchost.exe --> svchost.exe

IID:{9b8699ae-0e44-47b1-8e7f-86a461d7ecdc}

procNum:0x0

# Child-SP          RetAddr               : Call Site
00 ffffe385`b81174f0 fffff803`0a86aad4     : nt!KiSwapContext+0x76
01 ffffe385`b8117630 fffff803`0a8657ca     : nt!KiSwapThread+0x190
02 ffffe385`b81176a0 fffff803`0a866fb0     : nt!KiCommitThreadWait+0x13a
03 ffffe385`b8117750 fffff803`0a84bd02     : nt!KeWaitForSingleObject+0x140
04 ffffe385`b81177f0 fffff803`0a84bc90     : nt!AlpcpWaitForSingleObject+0x3e
05 ffffe385`b8117830 fffff803`0abc702b     : nt!AlpcpSignalAndWait+0x54
06 ffffe385`b8117870 fffff803`0abc6cf7     : nt!AlpcpReceiveSynchronousReply+0x57
07 ffffe385`b81178d0 fffff803`0abcaa8f     : nt!AlpcpProcessSynchronousRequest+0x1a7
08 ffffe385`b81179d0 fffff803`0a9af275     : nt!NtAlpcSendWaitReceivePort+0x17f
09 ffffe385`b8117a90 00007ff8`fafabf04     : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b8117b00)
0a 00000069`8b97cff8 00007ff8`f96a3d9f     : ntdll!NtAlpcSendWaitReceivePort+0x14
0b 00000069`8b97d000 00007ff8`f96b8c87     : RPCRT4!LRPC_BASE_CCALL::SendReceive+0x12f
0c 00000069`8b97d0d0 00007ff8`f96617f0     : RPCRT4!NdrpSendReceive+0x97
0d 00000069`8b97d100 00007ff8`f966120f     : RPCRT4!NdrpClientCall2+0x5d0
0e 00000069`8b97d720 00007ff8`f6696ad8     : RPCRT4!NdrClientCall2+0x1f
0f 00000069`8b97d750 00007ff8`f66c7c96     : rpcss!CClassicComClassData::LaunchActivatorServer+0x178
10 00000069`8b97d8a0 00007ff8`f66b62b4     : rpcss!CServerTableEntry::StartServerAndWait+0x2de
11 00000069`8b97dc40 00007ff8`f66b54c0     : rpcss!Activation+0xa04
12 00000069`8b97def0 00007ff8`f66d71a9     : rpcss!ActivateFromProperties+0x230
13 00000069`8b97dfe0 00007ff8`f66b49f6     : rpcss!ActivationPropertiesIn::DelegateCreateInstance+0x99
14 00000069`8b97e080 00007ff8`f66b1207     : rpcss!ActivateFromPropertiesPreamble+0x2406
15 00000069`8b97e3a0 00007ff8`f66ac501     : rpcss!PerformScmStage+0x9e7
16 00000069`8b97e5d0 00007ff8`f96d2033     : rpcss!SCMActivatorCreateInstance+0x1b1
17 00000069`8b97e900 00007ff8`f967c837     : RPCRT4!Invoke+0x73
18 00000069`8b97e980 00007ff8`f96bd8ba     : RPCRT4!NdrStubCall2+0x727
19 00000069`8b97efe0 00007ff8`f96b6708     : RPCRT4!NdrServerCall2+0x1a
1a 00000069`8b97f010 00007ff8`f9699196     : RPCRT4!DispatchToStubInCNoAvrf+0x18
1b 00000069`8b97f060 00007ff8`f9698ae8     : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
1c 00000069`8b97f140 00007ff8`f96a72ff     : RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8
1d 00000069`8b97f1b0 00007ff8`f96a6708     : RPCRT4!LRPC_SCALL::DispatchRequest+0x31f
1e 00000069`8b97f280 00007ff8`f96a5cf1     : RPCRT4!LRPC_SCALL::HandleRequest+0x7f8
1f 00000069`8b97f390 00007ff8`f96a575e     : RPCRT4!LRPC_ADDRESS::HandleRequest+0x341
20 00000069`8b97f430 00007ff8`f96a9ce2     : RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e
21 00000069`8b97f570 00007ff8`faf4f220     : RPCRT4!LrpcIoComplete+0xc2
22 00000069`8b97f610 00007ff8`faf22536     : ntdll!TppAlpcpExecuteCallback+0x260
23 00000069`8b97f690 00007ff8`f9556fd4     : ntdll!TppWorkerThread+0x456
24 00000069`8b97f990 00007ff8`faf5cec1     : KERNEL32!BaseThreadInitThunk+0x14
25 00000069`8b97f9c0 00000000`00000000     : ntdll!RtlUserThreadStart+0x21

(3) svchost.exe creates the service process sdiagnhost.exe

Child-SP          RetAddr               : Call Site
ffffe385`b6b74d98 fffff803`0ab7547a     : nt!MmCreatePeb
ffffe385`b6b74da0 fffff803`0aba8b6d     : nt!PspAllocateProcess+0x1162
ffffe385`b6b752d0 fffff803`0a9af275     : nt!NtCreateUserProcess+0x6ed
ffffe385`b6b75a90 00007ff8`fafac684     : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b6b75b00)
00000062`141fcd58 00007ff8`f86d876c     : ntdll!NtCreateUserProcess+0x14
00000062`141fcd60 00007ff8`f86d6083     : KERNELBASE!CreateProcessInternalW+0xfcc
00000062`141fe270 00007ff8`f955dac0     : KERNELBASE!CreateProcessAsUserW+0x63
00000062`141fe2e0 00007ff8`f66ca95e     : KERNEL32!CreateProcessAsUserWStub+0x60
00000062`141fe350 00007ff8`f66d027f     : rpcss!CClassData::PrivilegedLaunchActivatorServer+0x79a
00000062`141fe7e0 00007ff8`f66d03bd     : rpcss!<lambda_cc7c03200483d218cdd1c387096ab1c1>::operator()+0x17b
00000062`141fe900 00007ff8`f96d2033     : rpcss!_LaunchActivatorServer+0xed
00000062`141fe9d0 00007ff8`f967c837     : RPCRT4!Invoke+0x73
00000062`141fea80 00007ff8`f96bd8ba     : RPCRT4!NdrStubCall2+0x727
00000062`141ff0e0 00007ff8`f96b6708     : RPCRT4!NdrServerCall2+0x1a
00000062`141ff110 00007ff8`f9699196     : RPCRT4!DispatchToStubInCNoAvrf+0x18
00000062`141ff160 00007ff8`f9698ae8     : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
00000062`141ff240 00007ff8`f96a72ff     : RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8
00000062`141ff2b0 00007ff8`f96a6708     : RPCRT4!LRPC_SCALL::DispatchRequest+0x31f
00000062`141ff380 00007ff8`f96a5cf1     : RPCRT4!LRPC_SCALL::HandleRequest+0x7f8
00000062`141ff490 00007ff8`f96a575e     : RPCRT4!LRPC_ADDRESS::HandleRequest+0x341
00000062`141ff530 00007ff8`f96a9ce2     : RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e
00000062`141ff670 00007ff8`faf4f220     : RPCRT4!LrpcIoComplete+0xc2
00000062`141ff710 00007ff8`faf22536     : ntdll!TppAlpcpExecuteCallback+0x260
00000062`141ff790 00007ff8`f9556fd4     : ntdll!TppWorkerThread+0x456
00000062`141ffa90 00007ff8`faf5cec1     : KERNEL32!BaseThreadInitThunk+0x14
00000062`141ffac0 00000000`00000000     : ntdll!RtlUserThreadStart+0x21

This flow is very common; there's an article with a very detailed and very nice diagram of something similar: ... I searched my bookmarks for ages and couldn't find it, so I'll just post the picture for now. If the author sees this, or anyone remembers the source, please let me know and I'll remove the picture and add the link instead.


② The RPC process that executes the injected PowerShell command:

msdt.exe --> sdiagnhost.exe

IID:{72b05d8b-258d-469d-a4d1-d142e823394c}: IID_IScriptedDiagnosticHost

procNum:0x4


msdt.exe stack:

fffff880`06c0c370 fffff800`028e8992     : nt!KiSwapContext+0x7a
fffff880`06c0c4b0 fffff800`028eb1af     : nt!KiCommitThreadWait+0x1d2
fffff880`06c0c540 fffff800`0290575f     : nt!KeWaitForSingleObject+0x19f
fffff880`06c0c5e0 fffff800`02bf3376     : nt!AlpcpSignalAndWait+0x8f
fffff880`06c0c690 fffff800`02bf2a70     : nt!AlpcpReceiveSynchronousReply+0x46
fffff880`06c0c6f0 fffff800`02bf086b     : nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`06c0c830 fffff880`04027b86     : nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`06c0c8e0 fffff800`028e28d3     : 360Hvm64+0x17b86
fffff880`06c0ca70 00000000`77491b6a     : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06c0cae0)
00000000`028ae668 000007fe`fdc2a776     : ntdll!NtAlpcSendWaitReceivePort+0xa
00000000`028ae670 000007fe`fdc24e42     : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`028ae730 000007fe`fe3b28c0     : RPCRT4!I_RpcSendReceive+0x42
00000000`028ae760 000007fe`fe3b282f     : ole32!ThreadSendReceive+0x40 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 5003]
00000000`028ae7b0 000007fe`fe3b265b     : ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa3 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4454]
00000000`028ae850 000007fe`fe26daaa     : ole32!CRpcChannelBuffer::SendReceive2+0x11b [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4074]
00000000`028aea10 000007fe`fe26da0c     : ole32!CAptRpcChnl::SendReceive+0x52 [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603]
00000000`028aeae0 000007fe`fe3b205d     : ole32!CCtxComChnl::SendReceive+0x68 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734]
00000000`028aeb90 000007fe`fdccfd61     : ole32!NdrExtpProxySendReceive+0x45 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932]
00000000`028aebc0 000007fe`fe3af82f     : RPCRT4!NdrpClientCall2+0x9ea
00000000`028af330 000007fe`fe26d8a2     : ole32!ObjectStublessClient+0x1ad [d:\w7rtm\com\rpc\ndrole\amd64\stblsclt.cxx @ 620]
00000000`028af6c0 000007fe`f8f9cb68     : ole32!ObjectStubless+0x42 [d:\w7rtm\com\rpc\ndrole\amd64\stubless.asm @ 117]
00000000`028af710 000007fe`f8f980fe     : sdiageng!Script::Run+0x264
00000000`028af7a0 000007fe`f8f94418     : sdiageng!Rootcause::Resolve+0x162
00000000`028af800 000007fe`f8f8f942     : sdiageng!DiagPackage::Resolve+0x88
00000000`028af840 00000000`ff592f5e     : sdiageng!CScriptedDiag::Resolve+0x296
00000000`028af8f0 00000000`ff593110     : msdt!SDEngine::Resolve+0xa2
00000000`028af930 00000000`ff592da1     : msdt!SDEngine::ResolveAndVerifyResolution+0x170
00000000`028af9a0 00000000`ff5aa72c     : msdt!SDEngine::Resolve+0x265
00000000`028afa30 00000000`7733652d     : msdt!WorkerThread+0x5c8
00000000`028afaa0 00000000`7746c521     : kernel32!BaseThreadInitThunk+0xd
00000000`028afad0 00000000`00000000     : ntdll!RtlUserThreadStart+0x1d



sdiagnhost.exe stack:

00000000`003ae578 000007fe`fdc223d5     : sdiagnhost!CScriptedDiagNativeHost::RunScript+0x3
00000000`003ae580 000007fe`fdc169b2     : RPCRT4!Invoke+0x65
00000000`003ae5e0 000007fe`fe3af16e     : RPCRT4!NdrStubCall2+0x32a
00000000`003aec00 000007fe`fe0710b4     : ole32!CStdStubBuffer_Invoke+0x8b [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1559]
00000000`003aec30 000007fe`fe3b0ccd     : OLEAUT32!CUnivStubWrapper::Invoke+0xe4
00000000`003aec80 000007fe`fe3b0c43     : ole32!SyncStubInvoke+0x5d [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
00000000`003aecf0 000007fe`fe26a4f0     : ole32!StubInvoke+0xdb [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
00000000`003aeda0 000007fe`fe3b14d6     : ole32!CCtxComChnl::ContextInvoke+0x190 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
00000000`003aef30 000007fe`fe3b122b     : ole32!AppInvoke+0xc2 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
00000000`003aefa0 000007fe`fe3afd6d     : ole32!ComInvokeWithLockAndIPID+0x52b [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1727]
00000000`003af130 000007fe`fdc150f4     : ole32!ThreadInvoke+0x30d [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4751]
00000000`003af1d0 000007fe`fdc14f56     : RPCRT4!DispatchToStubInCNoAvrf+0x14
00000000`003af200 000007fe`fdc1775b     : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
00000000`003af320 000007fe`fdc1769b     : RPCRT4!RPC_INTERFACE::DispatchToStub+0x9b
00000000`003af360 000007fe`fdc17632     : RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x5b
00000000`003af3e0 000007fe`fdc1532d     : RPCRT4!LRPC_SCALL::DispatchRequest+0x422
00000000`003af4c0 000007fe`fdc32e7f     : RPCRT4!LRPC_SCALL::HandleRequest+0x20d
00000000`003af5f0 000007fe`fdc32a35     : RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
00000000`003af730 00000000`7745b68b     : RPCRT4!LrpcIoComplete+0xa5
00000000`003af7c0 00000000`7745feff     : ntdll!TppAlpcpExecuteCallback+0x26b
00000000`003af850 00000000`7733652d     : ntdll!TppWorkerThread+0x3f8
00000000`003afb50 00000000`7746c521     : kernel32!BaseThreadInitThunk+0xd
00000000`003afb80 00000000`00000000     : ntdll!RtlUserThreadStart+0x1d
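Added example (Python, not code from the original post): the stacks above show that sdiagnhost.exe is created inside svchost.exe by rpcss on msdt.exe's behalf, so in process-creation telemetry its parent is svchost.exe, not msdt.exe, and a plain parent/child rule keyed on msdt.exe never sees the host. The script below correlates constructed Sysmon-style events by time window instead; the event fields, PIDs, timestamps and command lines are all assumptions made up for the example.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:           # Sysmon-style process-creation fields (constructed)
    ts: int                # seconds on a made-up clock
    pid: int
    ppid: int
    image: str
    cmdline: str

def exe(path):
    return ntpath.basename(path).lower()

# Constructed events for the chain in the post: msdt.exe asks rpcss (inside
# svchost.exe) to activate the COM server, svchost.exe creates sdiagnhost.exe,
# and the script run inside the host spawns a child. PIDs/times/cmdlines are made up.
EVENTS = [
    ProcEvent(100, 900, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch -p"),
    ProcEvent(120, 4100, 900, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),  # earlier, unrelated
    ProcEvent(200, 4321, 3000, r"C:\Windows\System32\msdt.exe", "msdt.exe <constructed args>"),
    ProcEvent(205, 4400, 900, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcEvent(210, 4500, 4400, r"C:\Temp\example_child.exe", "example_child.exe"),
]

def naive_msdt_children(events):
    """Parent/child rule 'anything spawned by msdt.exe'. Empty on this chain:
    the host's parent is svchost.exe (rpcss), not msdt.exe."""
    msdt_pids = {e.pid for e in events if exe(e.image) == "msdt.exe"}
    return [e for e in events if e.ppid in msdt_pids]

def msdt_host_chains(events, window=30):
    """Join on time instead of parent PID: sdiagnhost.exe created by svchost.exe within
    `window` seconds after an msdt.exe start. Returns [(msdt, host, [host's children])]."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    msdts = [e for e in events if exe(e.image) == "msdt.exe"]
    chains = []
    for host in sorted(events, key=lambda e: e.ts):
        parent = by_pid.get(host.ppid)
        if exe(host.image) != "sdiagnhost.exe" or not parent or exe(parent.image) != "svchost.exe":
            continue
        for m in msdts:
            if 0 <= host.ts - m.ts <= window:      # msdt first, host shortly after
                chains.append((m, host, children[host.pid]))
    return chains
```

The earlier sdiagnhost.exe launch (pid 4100) is ignored because it predates msdt.exe, and only the host started 5 seconds after msdt.exe is reported together with what it spawned.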


3.

    Once you have stepped through the key RPC processes above in a debugger, you will find that we can actually walk the same flow ourselves. See the attached code for details.

    Also, for how the code obtains the IScriptedDiag interface, reverse the exported function sdiageng!DllGetClassObject yourself and you will see; the logic is fairly simple.


Key functions you need to debug yourself:

① sdiageng!CScriptedDiag::Initialize

② sdiageng!CScriptedDiag::Resolve


4.

    My debugging approach:

    ① Set a breakpoint on the kernel process-creation function nt!NtCreateUserProcess (I recommend reversing the kernel's process-creation path; Pediy has articles on it too), then trace the whole flow back through the ALPC mechanism (trace it via the _PORT_MESSAGE: the second argument of RPCRT4!LRPC_ADDRESS::HandleRequest).

    ② Set a breakpoint on nt!DbgkMapViewOfSection when the kernel maps a DLL (the same effect as WinDbg's "sxe ld" in user mode; you can reverse nt!DbgkMapViewOfSection), get the DLL's base address, add the offset, and break on the function you want. (This clumsy method is all I could think of, and it is rather tedious. If anyone has a better idea, please share!)


5. Follow-up

    Actually, my original idea was the approach implemented as worker2 in the code, i.e. calling CScriptedDiagNativeHost::RunScript directly to run arbitrary scripts, but while constructing it I found it was a lot of trouble. That is how the worker1 implementation in the code came about, which is indeed quick and convenient. But in the end there is no escaping it! See attachment 2 for details.

    worker2 has fewer constraints and lets sdiagnhost.exe run VBScript and PowerShell scripts (I haven't tried other script types).





Last edited 5 days ago by DXXXXxxxxx, reason:
Latest replies (2)
caolinkai 2022-6-20 17:22

Thanks for sharing, but the image is broken.
zhangtaopy 11 hours ago

Didn't expect to run into someone with the same idea as me. But CScriptedDiagNativeHost::Initialize has a parameter of type ScriptedDiagInteraction, which is hard to deal with; you may have to hardcode it and search for it.