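Windows backdoor autostart notes

  • Author: c4bbage
  • Date: 2017.8.17
  • Link: http://dobest1.com/windows_persistence_note/

This post only records autostart (persistence) methods; it does not cover the backdoors themselves.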

Word load arbitrary DLLs

AdditionalActionsDLL persistence? New method to have Word load arbitrary DLLs. Put property at: HKCU\Software\Microsoft\Office\\Common. This has only been tested on 7/8.1 w/ Office 2013. Not sure of its application to other software versions.

reg add HKCU\Software\Microsoft\Office\15.0\Common /v AdditionalActionsDLL /t reg_sz /d "c:\\office.dll"

DLL hijack in explorer.exe

Generate linkinfo.dll and place it at c:\windows\system32\linkinfo.dll
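
Added example, not part of the original note: a read-only PowerShell audit for the two locations recorded above. The function names are illustrative, and sweeping every loaded user hive under HKEY_USERS and testing for a Microsoft signer are assumptions about how a defender would want to check.

```powershell
# Added example (not from the original note): read-only audit of the two
# autostart locations described above. Function names are illustrative.

function Get-DllSignatureInfo {
    param([string]$Path)
    # Registry values may hold %VAR% forms; expand them before touching disk.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        return [pscustomobject]@{ Path = $full; Status = 'Missing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $full
    [pscustomobject]@{
        Path   = $full
        Status = [string]$sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # $null when there is no signer
    }
}

function Find-OfficeAdditionalActionsDll {
    # Every Office version key in every loaded user hive, not only the
    # current user's HKCU, so other logged-on accounts are covered too.
    $keys = 'Registry::HKEY_USERS\*\Software\Microsoft\Office\*\Common'
    Get-Item -Path $keys -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $dll = $key.GetValue('AdditionalActionsDLL', $null)
        if ($null -ne $dll) {
            # Any hit deserves review: report where it is set and what it points to.
            $info = Get-DllSignatureInfo -Path ([string]$dll)
            $info | Add-Member -NotePropertyName RegistryKey -NotePropertyValue $key.Name -PassThru
        }
    }
}

function Test-SystemLinkInfoDll {
    # A genuine linkinfo.dll ships in System32, so presence alone means nothing;
    # what matters is whether the file there is still the Microsoft-signed one.
    $path = Join-Path $env:windir 'System32\linkinfo.dll'
    $info = Get-DllSignatureInfo -Path $path
    $genuine = ($info.Status -eq 'Valid') -and ($info.Signer -match 'O=Microsoft Corporation')
    $info | Add-Member -NotePropertyName LooksGenuine -NotePropertyValue $genuine -PassThru
}

Find-OfficeAdditionalActionsDll | Format-List
Test-SystemLinkInfoDll | Format-List
```

On older PowerShell versions, catalog-signed system files can report NotSigned, so treat a false LooksGenuine as a prompt to compare the file hash against a known-good copy rather than as proof of tampering.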