Malware Note
Registry

Flag: when time allows, write a PoC or explain the exploitation method for each entry.

Registry keys

HKCU\Environment\UserInitMprLogonScript

HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers

HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers

HKCU\Software\Classes\Directory\Shellex\DragDropHandlers

HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKCU\Software\Policies\Microsoft\Windows\System\Scripts

HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers

HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance

HKLM\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers

HKLM\Software\Classes\Directory\Shellex\DragDropHandlers

HKLM\Software\Classes\Filter

HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\Software\Microsoft\Rpc\Extensions

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKLM\Software\Policies\Microsoft\Windows\System\Scripts

HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers

HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers

HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance

HKLM\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance

HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers

HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers

HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers

HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers

HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers

HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers

HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKLM\System\CurrentControlSet\Control\Lsa\

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\

HKLM\System\CurrentControlSet\Services

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
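Two practical notes on the list. RunServices and RunServicesOnce are Windows 9x-era keys that the NT line does not process; they still appear in autorun inventories but a sweep of a modern host can skip them. The remaining keys fall into two shapes: keys whose values are command lines or DLL names (Run*, Winlogon, Drivers32, the Lsa package lists, Active Setup StubPath, print Monitors), and keys whose values or subkeys are CLSIDs that only matter because HKCR\CLSID\{guid}\InprocServer32 maps them to a DLL (the ShellEx handlers, ShellIconOverlayIdentifiers, ShellServiceObjectDelayLoad, SharedTaskScheduler). A defender checking these locations has to follow both indirections.

The script below is an added audit example written for these notes, not code from the original page. It sweeps a representative subset of the keys above, resolves each entry to the file that would actually be loaded, and flags entries whose image is missing or not validly signed. It assumes a Windows host, PowerShell 5.1 or later and an elevated prompt; the `$Locations` list and the `key|Value1;Value2` filter syntax are this example's own conventions. HKCU: covers only the current user; to audit the HKU\* entries for every loaded profile, map HKEY_USERS with `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS` and substitute `HKU:\<SID>` for `HKCU:`.

```powershell
# Added audit example written for these notes; it is not code from the original page.
# Read-only sweep of autostart registry locations. Assumes Windows, PowerShell 5.1+,
# and an elevated prompt so HKLM and the HKU hives are readable.
# Two shapes of entry are handled:
#   - values holding a command line, a DLL name, or a MULTI_SZ list of DLL names;
#   - values or subkeys holding a CLSID, resolved to a DLL via HKCR\CLSID\{guid}\InprocServer32.

$GuidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

# Representative subset of the page's list (this example's own selection).
# "key|Value1;Value2" restricts a key to the named values, because Environment,
# Winlogon and Lsa also hold string values that are not load paths.
$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell;Userinit',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
    'HKLM:\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers',
    'HKLM:\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|Authentication Packages;Notification Packages;Security Packages',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig|Security Packages',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell;Userinit',
    'HKCU:\Software\Classes\*\ShellEx\ContextMenuHandlers',
    'HKCU:\Environment|UserInitMprLogonScript'
)

function Resolve-Clsid([string]$Clsid) {
    # The DLL COM would load for this CLSID: InprocServer32 default value, per-user hive first
    # (that lookup order is what makes HKCU COM hijacking work).
    $g = $Clsid.Trim('{}')
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node') {
        $k = "$root\CLSID\{$g}\InprocServer32"
        if (Test-Path -LiteralPath $k) { return (Get-Item -LiteralPath $k).GetValue('') }
    }
    return $null
}

function Get-ImagePath([string]$Data) {
    # Pull the executable/DLL out of a command line and expand %VAR% references.
    # Only the first token is taken, so a rundll32 line resolves to rundll32.exe; the Data column keeps the full line.
    $s = [Environment]::ExpandEnvironmentVariables($Data.Trim())
    $img = if ($s.StartsWith('"')) { $s.Substring(1).Split('"')[0] } else { ($s -split '\s+')[0] }
    if ($img -and -not [IO.Path]::IsPathRooted($img)) {
        # Bare names (msv1_0, wdmaud.drv, localspl.dll, explorer.exe) load from System32 or the Windows directory.
        foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
            $cand = Join-Path $dir $img
            if (-not [IO.Path]::HasExtension($cand)) { $cand += '.dll' }
            if (Test-Path -LiteralPath $cand) { $img = $cand; break }
        }
    }
    return $img
}

function New-Finding($Location, $Name, $Data, $Image) {
    $exists = [bool]($Image -and (Test-Path -LiteralPath $Image -PathType Leaf))
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $Image).Status.ToString() } else { 'n/a' }
    [pscustomobject]@{ Location = $Location; Name = $Name; Data = $Data; Image = $Image; Exists = $exists; Signature = $sig }
}

function Get-AutorunEntries([string[]]$Paths) {
    foreach ($loc in $Paths) {
        $path, $filter = $loc -split '\|', 2
        $only = @($filter -split ';' | Where-Object { $_ })
        if (-not (Test-Path -LiteralPath $path)) { continue }   # -LiteralPath: "Classes\*" is not a wildcard here
        $key = Get-Item -LiteralPath $path
        # 1) string values directly on the key (MULTI_SZ lists are enumerated element by element)
        foreach ($name in $key.GetValueNames()) {
            if ($only.Count -gt 0 -and $name -notin $only) { continue }
            if ($key.GetValueKind($name).ToString() -notin 'String', 'ExpandString', 'MultiString') { continue }
            foreach ($d in @($key.GetValue($name, '', 'DoNotExpandEnvironmentNames'))) {
                if (-not $d) { continue }
                $img = if ($d -match $GuidPattern) { Resolve-Clsid $d } elseif ($name -match $GuidPattern) { Resolve-Clsid $name } else { Get-ImagePath $d }
                New-Finding $path $name $d $img
            }
        }
        # 2) one level of subkeys: a CLSID in the subkey name or default value (shell handlers),
        #    or a StubPath (Active Setup) / Driver (print monitor) value
        foreach ($sub in $key.GetSubKeyNames()) {
            $sk = $key.OpenSubKey($sub); if (-not $sk) { continue }
            $def = [string]$sk.GetValue('')
            $clsid = if ($def -match $GuidPattern) { $def } elseif ($sub -match $GuidPattern) { $sub } else { $null }
            if ($clsid) {
                $dll = Resolve-Clsid $clsid
                if ($dll) { New-Finding "$path\$sub" '(CLSID)' $clsid (Get-ImagePath $dll) }
            }
            foreach ($vn in 'StubPath', 'Driver') {
                $d = $sk.GetValue($vn); if ($d) { New-Finding "$path\$sub" $vn $d (Get-ImagePath $d) }
            }
            $sk.Close()
        }
    }
}

# Anything whose image is missing or not validly signed deserves a closer look.
Get-AutorunEntries $Locations |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Location, Name, Image, Exists, Signature -AutoSize
```

Run the full sweep with `Get-AutorunEntries $Locations | Export-Csv autoruns.csv -NoTypeInformation` on a known-good build and diff later runs against it; a new entry, a CLSID whose InprocServer32 now resolves under HKCU rather than HKLM, or an image that moved out of the Windows directory are the signals that matter. A non-`Valid` signature alone is not proof of tampering (third-party software is often unsigned), and a `Valid` one is not proof of safety, since a signed loader can still point at an attacker-controlled script or DLL argument on the same command line.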


Last updated 4 years ago