利用映像劫持替换记事本

1 Windows Registry Editor Version 5.00
2 
3 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
4 "Debugger"="\"D:\\Program Files\\Notepad2\\Notepad2.exe\" /z"

 1 @echo off
 2 cd /d "%~dp0"
 3 echo.
 4 echo.
 5 pause
 6 cd /d "%~dp0"
 7 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "Debugger" /d "\"%~dp0Notepad2.exe\" /z" /f
 8 cls
 9 echo.
10 echo.
11 pause

 1 @echo off
 2 set regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
 3 reg add "%regkey%" /v "test" /f 1>nul 2>nul && (reg delete "%regkey%" /v "test" /f) || (echo.&echo.&echo 缺少权限，请右键点击此脚本，选择“以管理员身份运行”。&pause>nul&exit)
 4 
 5 :begin
 6 cls
 7 for /L %%i in (1,1,5) do echo.
 8 set num=0
 9 reg query "%regkey%" /v "Debugger" 1>nul 2>nul && goto undo || goto done
10 
11 :done
12 set /P num=记事本[未劫持]，是否开启劫持？（ 1--是，其他--否 ） :
13 echo %num%
14 if %num% equ 1 reg add "%regkey%" /v "Debugger" /d "\"%~dp0Notepad2.exe\" /z" /f
15 goto begin
16 
17 :undo
18 set /P num=记事本[已劫持]，是否取消劫持？（ 1--是，其他--否 ） :
19 echo %num%
20 if %num% equ 1 reg delete "%regkey%" /f
21 goto begin

 1 [Version]
 2 
 3 Signature="$WINDOWS NT$"
 4 
 5 [DefaultInstall]
 6 AddReg=an
 7 [an]
 8 HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe","Debugger",0,"""%01%\Notepad2.exe"" /z"
 9 HKCR,"*\shell\NotePad2",,,"用 &NotePad2 编辑"
10 HKCR,"*\shell\NotePad2\command",,,"%01%\Notepad2.exe ""%1"""

[Version]

Signature="$WINDOWS NT$"

[DefaultInstall]
delReg=hf
[hf]
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
HKCR,"*\shell\NotePad2"