AutoIt Code:
; Build configuration for the compiled helper. The directives below are read by AutoIt3Wrapper at
; compile time; only #NoTrayIcon, #RequireAdmin and #include affect the script itself.
; Au3Check: -d requires every variable to be declared, -w 1..7 turn on the optional warnings.
#AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6 -w 7
#AutoIt3Wrapper_Icon=Bin\ICON_1.ico
#AutoIt3Wrapper_Outfile=SystemExplorerTakeover.exe
; UPX packing (here) and the obfuscator (below) make the shipped binary opaque to reviewers, and packed
; AutoIt executables that elevate and edit Image File Execution Options commonly trigger antivirus/EDR
; heuristics. Publishing the plain source next to a hash of the release lets users verify what they run.
#AutoIt3Wrapper_UseUpx=Y
#AutoIt3Wrapper_Res_Description=SystemExplorer Takeover.
#AutoIt3Wrapper_Res_Fileversion=1.0.0.0
#AutoIt3Wrapper_Res_LegalCopyright=nocopyright
; 2057 is the LCID for English (United Kingdom).
#AutoIt3Wrapper_Res_Language=2057
#AutoIt3Wrapper_Run_Obfuscator=Y
; NOTE(review): /SF and /SV presumably strip unused functions and variables, and /CS=0 /CN=0 leave string
; and numeric literals unencoded - confirm against the Obfuscator documentation for the version in use.
#Obfuscator_Parameters=/SF /SV /OM /CS=0 /CN=0
; NOTE(review): asInvoker here and #RequireAdmin below ask for different elevation levels - confirm which
; one ends up in the compiled manifest. The HKEY_LOCAL_MACHINE write in _Main needs an elevated token.
#AutoIt3Wrapper_res_requestedExecutionLevel=asInvoker
#AutoIt3Wrapper_Outfile_Type=exe
; 32-bit build, so on 64-bit Windows the process runs under WOW64.
#AutoIt3Wrapper_UseX64=N
#NoTrayIcon
#RequireAdmin
#include <WinAPIEx.au3> ; By Yashied >> http://www.autoitscript.com/forum/topic/98712-winapiex-udf/
; The process exit code is whatever _Main returns: -1 when SystemExplorer.exe is not found, otherwise the
; RegWrite result multiplied by 2 (install) or the RegDelete result multiplied by 4 (removal).
Exit _Main()
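; Toggle SystemExplorer as the Image File Execution Options (IFEO) "Debugger" of taskmgr.exe.
;
; If no Debugger value is registered, SystemExplorer.exe from the script directory is registered, so that
; starting Task Manager starts SystemExplorer instead. If a Debugger value is already present, it is removed.
;
; Returns: RegWrite result * 2 when installing, RegDelete result * 4 when removing,
;          -1 with @error = 1 when SystemExplorer.exe is missing on install.
;
; Changes from the previous revision:
;   - Removal no longer depends on the registered debugger file still existing. A stale entry that points
;     at a deleted SystemExplorer.exe stops Task Manager from starting, which is the case where removal
;     matters most.
;   - Removal deletes only the "Debugger" value, not the whole taskmgr.exe key, so other IFEO values
;     stored under that key are left alone.
;
; Security notes:
;   - The registered path is launched every time Task Manager is started, including from elevated
;     sessions. Keep SystemExplorer.exe in a directory only administrators can write to (for example
;     under Program Files), otherwise a standard user can swap the binary that gets launched.
;   - Endpoint security products commonly monitor IFEO "Debugger" values, so expect this change to be
;     reported. An unexpected Debugger value found here before the first install is worth
;     investigating before it is removed.
Func _Main()
    Local $sWow6432Node = ""
    If @OSArch = "X64" Then
        ; NOTE(review): confirm on the target Windows version that this registry view is the one consulted
        ; when the 64-bit taskmgr.exe is started.
        $sWow6432Node = "Wow6432Node\"
    EndIf
    Local $sKey = "HKEY_LOCAL_MACHINE\SOFTWARE\" & $sWow6432Node & "Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"

    ; Only the @error flag matters here: zero means a Debugger value is already registered.
    RegRead($sKey, "Debugger")
    If @error = 0 Then
        Return RegDelete($sKey, "Debugger") * 4
    EndIf

    ; Install path: refuse to register a debugger that is not on disk, since Task Manager would then fail to start.
    Local $sFilePath = @ScriptDir & "\SystemExplorer.exe"
    If FileExists($sFilePath) = 0 Then
        Return SetError(1, 0, -1)
    EndIf

    ; The path is quoted so a script directory containing spaces is passed as a single command.
    Return RegWrite($sKey, "Debugger", "REG_SZ", '"' & $sFilePath & '"') * 2
EndFunc   ;==>_Main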
VBScript Code:
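Option Explicit
Dim oFileSystem, oShell, sFilePath, sRegRead, sString, sWow6432Node, sDebuggerValue
'~ By guinness (c) 2012. (with help from ZioZione for optimisation.)
'
' Toggles SystemExplorer as the Image File Execution Options (IFEO) "Debugger" of taskmgr.exe.
' With no Debugger value registered, SystemExplorer.exe from the script's folder is registered, so that
' starting Task Manager starts SystemExplorer instead. With a Debugger value present, it is removed.
'
' Security notes:
'   - The write targets HKEY_LOCAL_MACHINE, so the script has to run from an elevated prompt.
'   - The registered path is launched whenever Task Manager is started, including from elevated
'     sessions. Keep SystemExplorer.exe in a folder only administrators can write to.
'   - Endpoint security products commonly monitor IFEO "Debugger" values, so expect this change to be
'     reported. An unexpected Debugger value found here before the first install is worth
'     investigating before it is removed.
Set oFileSystem = CreateObject("Scripting.FileSystemObject")
Set oShell = Wscript.CreateObject("WScript.Shell")

sWow6432Node = ""
If Is64Bit() Then
    ' NOTE(review): confirm on the target Windows version that this registry view is the one consulted
    ' when the 64-bit taskmgr.exe is started.
    sWow6432Node = "Wow6432Node\"
End If

' Full path of the Debugger value. A path without a trailing backslash addresses a value, not a key.
sDebuggerValue = "HKEY_LOCAL_MACHINE\SOFTWARE\" & sWow6432Node & "Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger"
sRegRead = ReadRegKey(sDebuggerValue)

If sRegRead = "[None]" Then
    ' Install: refuse to register a debugger that is not on disk, since Task Manager would then fail to start.
    sFilePath = oFileSystem.GetParentFolderName(WScript.ScriptFullName) & "\SystemExplorer.exe"
    If oFileSystem.FileExists(sFilePath) = False Then
        MsgBox "It appears SystemExplorer is missing.", vbOKOnly + vbCritical, "SystemExplorer Takeover - Error"
        WScript.Quit 1
    End If
    ' The path is quoted so a folder name containing spaces is passed as a single command.
    oShell.RegWrite sDebuggerValue, """" & sFilePath & """", "REG_SZ"
    sString = "Added SystemExplorer to the system."
Else
    ' Remove only the Debugger value so other IFEO values stored under the taskmgr.exe key are left alone.
    ' The previous revision deleted the whole key, and parsed the registered path without ever using it.
    oShell.RegDelete sDebuggerValue
    sString = "Removed SystemExplorer from the system."
End If

' Completion is not an error, so use the information icon rather than the critical one.
MsgBox sString, vbOKOnly + vbInformation, "SystemExplorer Takeover - Complete"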
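' Returns True when the machine-wide PROCESSOR_ARCHITECTURE value contains "64".
' The value is read from the Session Manager environment key rather than from the process environment,
' presumably so that a 32-bit script host on 64-bit Windows still reports the OS architecture.
' A local variable holds the result: the previous revision reused the script-global sRegRead as scratch
' space, which silently overwrote whatever the caller had stored there.
Function Is64Bit()
    Dim sArchitecture
    sArchitecture = oShell.RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE")
    Is64Bit = InStr(sArchitecture, "64") > 0
End Function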
'~ Taken From: http://www.visualbasicscript.com/Verify-registry-key-exists-m1432.aspx
' Reads a registry key or value and returns its data, or the sentinel string "[None]" when the read fails.
' Every failure maps to the sentinel, so "does not exist" and "access denied" look the same to the caller.
Private Function ReadRegKey(ByVal pRegKey)
    Dim vData
    ' Suppress the runtime error RegRead raises on failure; Err.Number is inspected instead.
    On Error Resume Next
    vData = oShell.RegRead(pRegKey)
    If Err.Number = 0 Then
        ReadRegKey = vData
    Else
        ReadRegKey = "[None]"
    End If
End Function