信息来源:邪恶八进制信息安全团队(
www.eviloctal.com)
复制内容到剪贴板
代码:
#!/usr/bin/perl
#[email]cnhackTNT@hotmail.com[/email]
#Patching [M$] ^-^
#Tested ok on ActivePerl 5.8
use File::Copy;
use Win32::Registry;
print<<_DATA_;
========================================================
Run under Win32(for Win2000 and WinXp),ActivePerl
kill svchost process via pskill
This script will make a backup file called rpcss.dll.bak
Change RPC default port 135 to 0(Do not exist)
Forbidden IPC$ null connection
And change SMBDeviceEnabled to Disable(close 445 port) ^-^
-------MagicQ,cnhackTNT
本程序适用于Windows 2000和Windows Xp操作系统
用pskill杀掉svchost进程
并且会生成一个叫rpcss.dll.bak的备份文件
把RPC的135端口改为0
禁止IPC空连接
关闭445端口
-------MagicQ,cnhackTNT
========================================================
_DATA_
$::HKEY_LOCAL_MACHINE->Open("System\\CurrentControlSet\\Control\\LSA",$reg) or die"Can't open Reg_obj: $^E";
$reg->SetValueEx("restrictanonymous",0,REG_DWORD,0x00000001);
print "Set [HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA](restrictanonymous)'s value to '0x00000001'\n";
$reg->Close();
$::HKEY_LOCAL_MACHINE->Open("System\\CurrentControlSet\\Services\\NetBT\\Parameters",$reg) or die"Can't open Reg_obj: $^E";
$reg->SetValueEx("SMBDeviceEnabled",0,REG_DWORD,0x00000000);
print "Set [HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters](SMBDeviceEnabled)'s value to '0x00000000'\n";
$reg->Close();
$::HKEY_LOCAL_MACHINE->Open("SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters",$reg) or die"Can't open Reg_obj: $^E";
$reg->SetValueEx("AutoShareWks",0,REG_DWORD,0x00000000);
$reg->SetValueEx("AutoShareServer",0,REG_DWORD,0x00000000);
$reg->Close();
print "Set [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\parameters](AutoShareWks) and (AutoShareServe)'s value to '0x00000000'\n";
$::HKEY_LOCAL_MACHINE->Open("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",$reg) or die"Can't open Reg_obj: $^E";
$reg->SetValueEx("Delipc",0,REG_SZ,'net share ipc$ /d');
$reg->Close();
print "Set [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run](Delipc)'s value to 'net share ipc$/d'\n";
$file="$ENV{'WINDIR'}\\system32\\rpcss.dll";
$file2="$ENV{'WINDIR'}\\system32\\dllcache\\rpcss.dll";
$code="\x30\x00\x30\x00\x30";
$need_patch_code="\x31\x00\x33\x00\x35";
copy("$file","$file.bak") or die "Copy failed: $!\n";
print "Rpcss.dll was copied to $ENV{'WINDIR'}\\system32\\rpcss.dll.bak\n";
if(-e $file2){die qq(Please delete $file2 first !\n)};
open(DLL,"+<$file");
binmode DLL;
seek(DLL,0,2);
$length=tell DLL;
seek(DLL,0,0);
read(DLL,$tmp,$length,0);
$offset=index($tmp,$need_patch_code);
if($offset == -1){
print "Your Rpcss.dll has already patched!\n";
}else{
seek(DLL,$offset,0);
print DLL $code;
}
close DLL;
print "OK~~All patched~~~!\nYour [MS] system is safer now ^-^." ;
