Auto run bypass detect
| import winreg | |
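# Per-user COM classes the original author singled out as hijack targets.
# They are looked up under HKCU\Software\Classes, which wins over the
# machine-wide registration in HKLM, so any entry found here is per-user and
# therefore worth a look. Why these particular CLSIDs were chosen is not
# recorded in this file.
_COM_HIJACK_KEYS = (
    r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
    r"Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}",
    r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}",
    r"Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    r"Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}",
)

# Subkeys of a CLSID whose default value is the server binary COM will load;
# this is where a hijack points at the attacker's DLL/EXE.
_COM_SERVER_SUBKEYS = ("InprocServer32", "LocalServer32")


def _report_error(path: str, exc: OSError) -> None:
    """Print a registry error instead of hiding it.

    A denied or failed read is a gap in coverage, not a clean result, so the
    operator must see it.
    """
    print(f"[!] cannot read {path}: {exc}")


def _values(hive: int, path: str) -> list[tuple[str, object]]:
    """Return every (name, data) pair stored directly under key ``path`` of ``hive``.

    A missing key is the normal, clean state and yields ``[]``. Any other
    registry error is printed and also yields ``[]`` so one bad key does not
    abort the remaining checks. The key handle is closed on every path.
    """
    try:
        with winreg.OpenKey(hive, path) as key:
            # Iterate by count instead of looping until EnumValue raises, so a
            # genuine error is not mistaken for "no more items".
            _, value_count, _ = winreg.QueryInfoKey(key)
            return [winreg.EnumValue(key, i)[:2] for i in range(value_count)]
    except FileNotFoundError:
        return []
    except OSError as exc:
        _report_error(path, exc)
        return []


def _subkeys(hive: int, path: str) -> list[str]:
    """Return the names of the immediate subkeys of ``path``; same error policy as ``_values``."""
    try:
        with winreg.OpenKey(hive, path) as key:
            subkey_count, _, _ = winreg.QueryInfoKey(key)
            return [winreg.EnumKey(key, i) for i in range(subkey_count)]
    except FileNotFoundError:
        return []
    except OSError as exc:
        _report_error(path, exc)
        return []


def _query_value(hive: int, path: str, name: str) -> object:
    """Return the data of value ``name`` under ``path`` (``""`` = default value).

    Returns ``None`` when the key or the value does not exist; other registry
    errors are printed and also return ``None``.
    """
    try:
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None
    except OSError as exc:
        _report_error(f"{path}\\{name}", exc)
        return None


def _dump_values(hive: int, path: str) -> None:
    """Print ``name:data`` for every value under ``path`` (prints nothing if the key is absent)."""
    for name, data in _values(hive, path):
        # f-string rather than ``name + ':' + value``: REG_DWORD / REG_BINARY
        # data arrives as int / bytes and the old concatenation raised
        # TypeError, which the WindowsError handler did not catch.
        print(f"{name}:{data}")


def obtain() -> None:
    """Print the registry persistence / UAC-bypass indicators this script knows about.

    Read-only. Each section prints the same banner as before, then one
    ``name:data`` line per value found; a section with no lines between its
    banners is the clean state. Registry errors other than "key not found"
    are reported with a ``[!]`` prefix rather than silently swallowed.

    Sections:
      1. HKCU mscfile handler              -> eventvwr.exe fileless UAC bypass
      2. HKLM NetSh helper DLLs            -> manual review
      3. HKCU CLSID registrations, COR_* env -> CLR profiler hijack of .NET apps
      4. selected HKCU CLSIDs, logon script -> COM object hijacking
    """
    hkcu = winreg.HKEY_CURRENT_USER
    hklm = winreg.HKEY_LOCAL_MACHINE

    # 1. eventvwr.exe resolves the .msc file handler from HKCU\Software\Classes
    #    before HKLM, so a per-user mscfile command is attacker-planted. Print
    #    the command itself, not just the warning, so the operator sees what runs.
    for name, data in _values(hkcu, r"Software\Classes\mscfile\shell\open\command"):
        print('fileless uac bypass using eventvwr exe and registry hijacking')
        print(f"{name}:{data}")
    print('')

    # 2. Every DLL registered here is loaded by netsh.exe; needs a human eye.
    print('==========需人工查看netsh动态链接库有无异常==========')
    _dump_values(hklm, r"SOFTWARE\Microsoft\NetSh")
    print('============netsh结束============')
    print('')
    print('')

    # 3. A CLR profiler is enabled through the COR_ENABLE_PROFILING /
    #    COR_PROFILER environment values and resolved through the CLSID's
    #    InprocServer32. The old code only enumerated *values* of the CLSID
    #    root, which normally holds none; the registrations are subkeys, so
    #    list those with their server path. Only the per-user environment is
    #    checked here; a machine-wide COR_PROFILER would live under HKLM.
    print('==========CLR劫持.Net程序的后门==========')
    clsid_root = r"Software\Classes\CLSID"
    _dump_values(hkcu, clsid_root)
    for clsid in _subkeys(hkcu, clsid_root):
        server = _query_value(hkcu, f"{clsid_root}\\{clsid}\\InprocServer32", "")
        if server is not None:
            print(f"{clsid}:{server}")
    for env_name in ("COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"):
        data = _query_value(hkcu, "Environment", env_name)
        if data is not None:
            print(f"{env_name}:{data}")
    print('============CLR劫持.Net程序的后门结束============')
    print('')
    print('')

    # 4. Per-user registrations of the listed CLSIDs plus their server
    #    subkeys. The old paths were missing the backslash before "{" (and one
    #    closing "}"), so none of them ever opened; two were also duplicates.
    print('==========COM Object hijacking==========')
    for path in _COM_HIJACK_KEYS:
        _dump_values(hkcu, path)
        for sub in _COM_SERVER_SUBKEYS:
            _dump_values(hkcu, f"{path}\\{sub}")
    # UserInitMprLogonScript is a *value* under HKCU\Environment; the old code
    # tried to open it as a key under HKEY_CLASSES_ROOT and so always failed
    # silently. Anything stored here runs at logon.
    logon_script = _query_value(hkcu, "Environment", "UserInitMprLogonScript")
    if logon_script is not None:
        print(f"UserInitMprLogonScript:{logon_script}")
    print('============COM Object hijacking结束============')
    print('')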
def main() -> None:
    """Script entry point: run every registry check and print the findings."""
    obtain()


if __name__ == '__main__':
    main()

# TODO: msdtc persistence — check whether %windir%\system32\ contains a
# suspicious oci.dll. Not implemented yet.