https://learn.microsoft.com/zh-CN/office/vba/Language/Reference/User-Interface-Help/vartype-function
https://learn.microsoft.com/en-us/windows/win32/api/oaidl/ns-oaidl-variant
#include <Windows.h>
#include <shlobj.h>
#include <Shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
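/*
 * Locate the desktop's IShellView -- the view hosted by the Explorer instance
 * that owns the desktop -- and query it for `riid`.
 *
 * riid  interface to return (callers in this file ask for IID_IShellView).
 * ppv   receives the interface pointer, or NULL on failure; the caller owns
 *       the reference and must Release() it.
 *
 * Returns S_OK, or the HRESULT of the first COM call that failed.
 *
 * Chain: ShellWindows (activated out of process, CLSCTX_LOCAL_SERVER, i.e.
 * inside explorer.exe) -> desktop window's IDispatch -> STopLevelBrowser ->
 * its active IShellView.  Everything obtained through this chain therefore
 * lives in Explorer's process and runs with Explorer's token.  Intermediate
 * references are released in reverse order of acquisition.
 */
HRESULT
GetDesktopShellView(REFIID riid, void **ppv) {
    IShellWindows *psw = NULL;
    IDispatch *pdisp = NULL;
    IShellBrowser *psb = NULL;
    IShellView *psv = NULL;
    LONG hwndDesktop = 0;   /* FindWindowSW reports the window as a long, not an HWND */
    VARIANT vEmpty;
    HRESULT hr;

    *ppv = NULL;
    VariantInit(&vEmpty);   /* VT_EMPTY: "not specified" for both location arguments */

    hr = CoCreateInstance(&CLSID_ShellWindows, NULL, CLSCTX_LOCAL_SERVER,
                          &IID_IShellWindows, (void **)&psw);
    if (FAILED(hr))
        goto cleanup;

    hr = psw->lpVtbl->FindWindowSW(psw, &vEmpty, &vEmpty, SWC_DESKTOP,
                                   &hwndDesktop, SWFO_NEEDDISPATCH, &pdisp);
    /* "No such window" is reported as S_FALSE with a NULL dispatch pointer
     * (e.g. no Explorer in this session); treat it as a failure instead of
     * dereferencing NULL below. */
    if (SUCCEEDED(hr) && pdisp == NULL)
        hr = E_FAIL;
    if (FAILED(hr))
        goto cleanup;

    hr = IUnknown_QueryService((IUnknown *)pdisp, &SID_STopLevelBrowser,
                               &IID_IShellBrowser, (void **)&psb);
    if (FAILED(hr))
        goto cleanup;

    hr = psb->lpVtbl->QueryActiveShellView(psb, &psv);
    if (FAILED(hr))
        goto cleanup;

    hr = psv->lpVtbl->QueryInterface(psv, riid, ppv);

cleanup:
    if (psv)
        psv->lpVtbl->Release(psv);
    if (psb)
        psb->lpVtbl->Release(psb);
    if (pdisp)
        pdisp->lpVtbl->Release(pdisp);
    if (psw)
        psw->lpVtbl->Release(psw);
    return hr;
}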
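/*
 * From the desktop IShellView obtain Explorer's own Shell automation object
 * (the IShellDispatch* family) and query it for `riid`.
 *
 * psv   the view returned by GetDesktopShellView; not released here.
 * riid  interface to return (callers ask for IID_IShellDispatch2).
 * ppv   receives the interface pointer, or NULL on failure; caller Release()s.
 *
 * Returns S_OK, or the HRESULT of the first COM call that failed.
 *
 * Path: the view's background object (SVGIO_BACKGROUND) as IDispatch ->
 * IShellFolderViewDual -> get_Application.  Going through Explorer's view is
 * what yields Explorer's in-process automation object rather than a fresh
 * Shell.Application instantiated in our own process.
 */
HRESULT
GetShellDispatch(IShellView *psv, REFIID riid, void **ppv) {
    IDispatch *pdispBackground = NULL;
    IShellFolderViewDual *psfvd = NULL;
    IDispatch *pdispApp = NULL;
    HRESULT hr;

    *ppv = NULL;

    hr = psv->lpVtbl->GetItemObject(psv, SVGIO_BACKGROUND, &IID_IDispatch,
                                    (void **)&pdispBackground);
    if (FAILED(hr))
        goto cleanup;

    hr = pdispBackground->lpVtbl->QueryInterface(
        pdispBackground, &IID_IShellFolderViewDual, (void **)&psfvd);
    if (FAILED(hr))
        goto cleanup;

    hr = psfvd->lpVtbl->get_Application(psfvd, &pdispApp);
    if (FAILED(hr))
        goto cleanup;

    hr = pdispApp->lpVtbl->QueryInterface(pdispApp, riid, ppv);

cleanup:
    if (pdispApp)
        pdispApp->lpVtbl->Release(pdispApp);
    if (psfvd)
        psfvd->lpVtbl->Release(psfvd);
    if (pdispBackground)
        pdispBackground->lpVtbl->Release(pdispBackground);
    return hr;
}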
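/*
 * Ask the running Explorer to ShellExecute `lpszFile` on our behalf.
 *
 * lpszFile  what to launch.  Anything ShellExecute accepts is accepted here:
 *           a full path, a document, a URL, or a bare name that the shell
 *           resolves itself.  NULL yields FALSE.
 *
 * Returns TRUE when Explorer reported success for the launch, FALSE on any
 * failure (COM initialisation, allocation, Explorer not reachable, launch
 * rejected).
 *
 * Security notes:
 *  - The launch happens inside explorer.exe via IShellDispatch2::ShellExecute.
 *    The child therefore runs with Explorer's token and integrity level
 *    (normally the interactive user's unelevated one) and has explorer.exe as
 *    its parent.  That is the legitimate use -- drop from an elevated process
 *    to the user's level -- and also why the technique shows up offensively:
 *    the calling process never appears in the child's parent chain.
 *  - `lpszFile` reaches the shell unchanged; never pass untrusted input.
 *  - The four remaining ShellExecute arguments are VT_EMPTY: no arguments,
 *    no working directory, default verb, default show state.
 */
BOOL ShellExecInExplorer(PCWSTR lpszFile) {
    BOOL launched = FALSE;
    BSTR bstrFile = NULL;
    IShellView *psv = NULL;
    IShellDispatch2 *psd = NULL;
    VARIANT vtEmpty;
    HRESULT hr;

    hr = CoInitialize(NULL);
    if (FAILED(hr))
        return FALSE;           /* nothing to undo yet */

    bstrFile = SysAllocString(lpszFile);   /* NULL input -> NULL -> FALSE */
    if (!bstrFile)
        goto cleanup;

    hr = GetDesktopShellView(&IID_IShellView, (void **)&psv);
    if (FAILED(hr))
        goto cleanup;

    hr = GetShellDispatch(psv, &IID_IShellDispatch2, (void **)&psd);
    if (FAILED(hr))
        goto cleanup;

    VariantInit(&vtEmpty);
    /* NOTE(review): the vtable slot is spelled ShellExecuteW because the
     * ShellExecute macro from shellapi.h rewrites the member name; this
     * presumably only compiles in a UNICODE build -- confirm. */
    hr = psd->lpVtbl->ShellExecuteW(psd, bstrFile, vtEmpty, vtEmpty, vtEmpty,
                                    vtEmpty);
    launched = SUCCEEDED(hr);

cleanup:
    if (psd)
        psd->lpVtbl->Release(psd);
    if (psv)
        psv->lpVtbl->Release(psv);
    SysFreeString(bstrFile);    /* no-op for NULL */
    CoUninitialize();           /* balances the CoInitialize above */
    return launched;
}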
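/*
 * Demo entry point: launch Notepad through Explorer.
 * Exit status is 0 when Explorer accepted the launch and 1 otherwise, so a
 * caller or test harness can tell the two apart.  argv is unused.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;
    return ShellExecInExplorer(L"c:\\windows\\notepad.exe") ? 0 : 1;
}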
// Shellcode-friendly variant: the class/interface IDs are spelled out inline (so they need not come from uuid.lib) and the entry point takes a narrow string.
#include <Shlwapi.h>
#include <Windows.h>
#include <shlobj.h>
#pragma comment(lib, "shlwapi.lib")
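/*
 * Locate the desktop's IShellView -- the view hosted by the Explorer instance
 * that owns the desktop -- and query it for `riid`.
 *
 * riid  interface to return (callers in this file ask for IShellView).
 * ppv   receives the interface pointer, or NULL on failure; the caller owns
 *       the reference and must Release() it.
 *
 * Returns S_OK, or the HRESULT of the first COM call that failed.
 *
 * Chain: ShellWindows (activated out of process, CLSCTX_LOCAL_SERVER, i.e.
 * inside explorer.exe) -> desktop window's IDispatch -> STopLevelBrowser ->
 * its active IShellView.  Everything obtained through this chain lives in
 * Explorer's process and runs with Explorer's token.
 *
 * The GUIDs are written out as local constants so that no uuid.lib symbol is
 * referenced.  NOTE(review): the compiler may still materialise these const
 * aggregates from .rdata (often as a memcpy); inspect the disassembly if the
 * object really has to be position independent.
 */
HRESULT
GetDesktopShellView(REFIID riid, void **ppv) {
    const CLSID l_CLSID_ShellWindows = {
        0x9ba05972, 0xf6a8, 0x11cf,
        {0xa4, 0x42, 0x00, 0xa0, 0xc9, 0x0a, 0x8f, 0x39}};
    const IID l_IID_IShellWindows = {
        0x85cb6900, 0x4d95, 0x11cf,
        {0x96, 0x0c, 0x00, 0x80, 0xc7, 0xf4, 0xee, 0x85}};
    const GUID l_SID_STopLevelBrowser = {
        0x4c96be40, 0x915c, 0x11cf,
        {0x99, 0xd3, 0x00, 0xaa, 0x00, 0x4a, 0xe8, 0x37}};
    const IID l_IID_IShellBrowser = {
        0x000214e2, 0, 0,
        {0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};

    IShellWindows *psw = NULL;
    IDispatch *pdisp = NULL;
    IShellBrowser *psb = NULL;
    IShellView *psv = NULL;
    LONG hwndDesktop = 0;   /* FindWindowSW reports the window as a long, not an HWND */
    VARIANT vEmpty = {0};   /* zeroed, then typed explicitly; avoids a VariantInit import */
    HRESULT hr;

    *ppv = NULL;
    vEmpty.vt = VT_EMPTY;   /* "not specified" for both location arguments */

    hr = CoCreateInstance(&l_CLSID_ShellWindows, NULL, CLSCTX_LOCAL_SERVER,
                          &l_IID_IShellWindows, (void **)&psw);
    if (FAILED(hr))
        goto cleanup;

    hr = psw->lpVtbl->FindWindowSW(psw, &vEmpty, &vEmpty, SWC_DESKTOP,
                                   &hwndDesktop, SWFO_NEEDDISPATCH, &pdisp);
    /* "No such window" is reported as S_FALSE with a NULL dispatch pointer
     * (e.g. no Explorer in this session); treat it as a failure instead of
     * dereferencing NULL below. */
    if (SUCCEEDED(hr) && pdisp == NULL)
        hr = E_FAIL;
    if (FAILED(hr))
        goto cleanup;

    hr = IUnknown_QueryService((IUnknown *)pdisp, &l_SID_STopLevelBrowser,
                               &l_IID_IShellBrowser, (void **)&psb);
    if (FAILED(hr))
        goto cleanup;

    hr = psb->lpVtbl->QueryActiveShellView(psb, &psv);
    if (FAILED(hr))
        goto cleanup;

    hr = psv->lpVtbl->QueryInterface(psv, riid, ppv);

cleanup:
    if (psv)
        psv->lpVtbl->Release(psv);
    if (psb)
        psb->lpVtbl->Release(psb);
    if (pdisp)
        pdisp->lpVtbl->Release(pdisp);
    if (psw)
        psw->lpVtbl->Release(psw);
    return hr;
}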
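/*
 * From the desktop IShellView obtain Explorer's own Shell automation object
 * (the IShellDispatch* family) and query it for `riid`.
 *
 * psv   the view returned by GetDesktopShellView; not released here.
 * riid  interface to return (callers ask for IShellDispatch2).
 * ppv   receives the interface pointer, or NULL on failure; caller Release()s.
 *
 * Returns S_OK, or the HRESULT of the first COM call that failed.
 *
 * Path: the view's background object (SVGIO_BACKGROUND) as IDispatch ->
 * IShellFolderViewDual -> get_Application.  Going through Explorer's view is
 * what yields Explorer's in-process automation object rather than a fresh
 * Shell.Application instantiated in our own process.
 *
 * GUIDs are local constants so that no uuid.lib symbol is referenced
 * (see the note on GetDesktopShellView about .rdata materialisation).
 */
HRESULT
GetShellDispatch(IShellView *psv, REFIID riid, void **ppv) {
    const IID l_IID_IDispatch = {
        0x00020400, 0, 0,
        {0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
    const IID l_IID_IShellFolderViewDual = {
        0xe7a1af80, 0x4d96, 0x11cf,
        {0x96, 0x0c, 0x00, 0x80, 0xc7, 0xf4, 0xee, 0x85}};

    IDispatch *pdispBackground = NULL;
    IShellFolderViewDual *psfvd = NULL;
    IDispatch *pdispApp = NULL;
    HRESULT hr;

    *ppv = NULL;

    hr = psv->lpVtbl->GetItemObject(psv, SVGIO_BACKGROUND, &l_IID_IDispatch,
                                    (void **)&pdispBackground);
    if (FAILED(hr))
        goto cleanup;

    hr = pdispBackground->lpVtbl->QueryInterface(
        pdispBackground, &l_IID_IShellFolderViewDual, (void **)&psfvd);
    if (FAILED(hr))
        goto cleanup;

    hr = psfvd->lpVtbl->get_Application(psfvd, &pdispApp);
    if (FAILED(hr))
        goto cleanup;

    hr = pdispApp->lpVtbl->QueryInterface(pdispApp, riid, ppv);

cleanup:
    if (pdispApp)
        pdispApp->lpVtbl->Release(pdispApp);
    if (psfvd)
        psfvd->lpVtbl->Release(psfvd);
    if (pdispBackground)
        pdispBackground->lpVtbl->Release(pdispBackground);
    return hr;
}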
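/*
 * Ask the running Explorer to ShellExecute `lpszFile` on our behalf
 * (narrow-string entry point; converted to UTF-16 with the ANSI code page).
 *
 * lpszFile  what to launch.  Anything ShellExecute accepts is accepted here:
 *           a full path, a document, a URL, or a bare name that the shell
 *           resolves itself.  NULL, or a string that is not valid in the
 *           current ANSI code page, yields FALSE.
 *
 * Returns TRUE when Explorer reported success for the launch, FALSE on any
 * failure (COM initialisation, conversion, allocation, Explorer not
 * reachable, launch rejected).
 *
 * Security notes:
 *  - The launch happens inside explorer.exe via IShellDispatch2::ShellExecute.
 *    The child therefore runs with Explorer's token and integrity level
 *    (normally the interactive user's unelevated one) and has explorer.exe as
 *    its parent -- the calling process never appears in the child's parent
 *    chain, which is why this is used both to drop privileges legitimately
 *    and to evade parent/child based detection.
 *  - `lpszFile` reaches the shell unchanged; never pass untrusted input.
 *  - The four remaining ShellExecute arguments are VT_EMPTY: no arguments,
 *    no working directory, default verb, default show state.
 */
BOOL ShellExecInExplorer(PCSTR lpszFile) {
    const IID l_IID_IShellView = {
        0x000214e3, 0, 0,
        {0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
    const IID l_IID_IShellDispatch2 = {
        0xa4c6892c, 0x3ba9, 0x11d2,
        {0x9d, 0xea, 0x00, 0xc0, 0x4f, 0xb1, 0x61, 0x62}};

    BOOL launched = FALSE;
    BSTR bstrFile = NULL;
    IShellView *psv = NULL;
    IShellDispatch2 *psd = NULL;
    VARIANT vtEmpty = {0};  /* zeroed, then typed explicitly; avoids a VariantInit import */
    HRESULT hr;
    int cchLength;

    if (!lpszFile)
        return FALSE;

    hr = CoInitialize(NULL);
    if (FAILED(hr))
        return FALSE;           /* nothing to undo yet */

    /* Size query.  It returns 0 on failure -- including an invalid byte
     * sequence, which MB_ERR_INVALID_CHARS turns into an error -- and a 0 here
     * must not be fed into LocalAlloc, or the empty buffer would be read as a
     * string below. */
    cchLength = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, lpszFile, -1,
                                    NULL, 0);
    if (cchLength > 0) {
        PWCHAR wfile = (PWCHAR)LocalAlloc(LPTR, sizeof(WCHAR) * (size_t)cchLength);
        if (wfile) {
            /* Only trust the buffer if the conversion wrote exactly what the
             * size query promised (terminator included). */
            if (MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, lpszFile, -1,
                                    wfile, cchLength) == cchLength)
                bstrFile = SysAllocString(wfile);
            LocalFree(wfile);
        }
    }
    if (!bstrFile)
        goto cleanup;

    hr = GetDesktopShellView(&l_IID_IShellView, (void **)&psv);
    if (FAILED(hr))
        goto cleanup;

    hr = GetShellDispatch(psv, &l_IID_IShellDispatch2, (void **)&psd);
    if (FAILED(hr))
        goto cleanup;

    vtEmpty.vt = VT_EMPTY;
    /* NOTE(review): the vtable slot is spelled ShellExecuteW because the
     * ShellExecute macro from shellapi.h rewrites the member name; this
     * presumably only compiles in a UNICODE build -- confirm. */
    hr = psd->lpVtbl->ShellExecuteW(psd, bstrFile, vtEmpty, vtEmpty, vtEmpty,
                                    vtEmpty);
    launched = SUCCEEDED(hr);

cleanup:
    if (psd)
        psd->lpVtbl->Release(psd);
    if (psv)
        psv->lpVtbl->Release(psv);
    SysFreeString(bstrFile);    /* no-op for NULL */
    CoUninitialize();           /* balances the CoInitialize above */
    return launched;
}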
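/*
 * Demo entry point: launch "notepad.exe" through Explorer.
 * Exit status is 0 when Explorer accepted the launch and 1 otherwise.
 * argv is unused.
 *
 * The name is bare, so the shell inside Explorer -- not this program's
 * working directory -- decides which notepad.exe is run.  The bytes live in a
 * local array rather than behind a string-literal pointer; NOTE(review): for
 * a position-independent build, check the disassembly to confirm the compiler
 * did not turn the initialiser into a copy from .rdata.
 */
int main(int argc, char *argv[]) {
    char file[] = "notepad.exe";
    (void)argc;
    (void)argv;
    return ShellExecInExplorer(file) ? 0 : 1;
}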