Run a program on other computers with HTTP protocols and IE vulnerabilities


Author: Xinggui (oRbIt) E_Mail: inte2000@163.com

When we browse the web we see colorful, dynamic pages and find the information we need. Do you realize that this is largely the work of the script code embedded in those pages? Without it a web page would be nothing more than a static combination of pictures and text, and much of the network's appeal would be lost. But like anything else, script embedded in a web page has two sides. On one hand, web developers can use scripting to give a page remarkable effects and build pages that are both attractive and powerful; on the other hand, people with bad intentions can use the same code to attack your system. Some web sites deliberately embed malicious code in their pages to collect information about visitors, set their own URL as IE's default home page, lock the visitor's registry, or even implant Trojans on the visitor's computer. Such malicious script is usually well concealed and completes its work without the user noticing, so it can do a great deal of harm. It is often called a script virus. A script virus is not an executable program; it is only a sequence of program code, usually written in VBScript, because VBScript is powerful and Windows ships with a script debugger for it, and the majority of malicious script seen in practice uses it.

Script viruses can generally be divided into two categories. The first is pure script: the whole virus is implemented as script code, and the damage is done directly by that script on the victim's computer. This type is usually embedded in a web page that the victim is tricked into viewing, or sent to the victim as an HTML-format e-mail that the victim is tricked into opening, at which point the viral code runs. The second category is the composite script virus, a combination of script code and an executable file.

Here the executable does the actual damage, and the script only propagates and implants it. This type mainly spreads by e-mail: the executable is hidden in an attachment, the script is embedded in the HTML body, and the victim is tricked into opening the message. But it can also be embedded in a web page and executed on the viewer's computer by using the HTTP protocol and a weakness of IE, and that is the method this article introduces.

To execute a program on the victim's computer you must first get the program file onto it. Under normal circumstances script code has no access to the victim's file system, but it can accomplish this with the help of HTTP and IE. HTTP allows media files to be embedded in a web page, and the set of media types can be extended, but the type of a media file is determined only by its file extension; no check is made that the file really is of that type. That gives us an opening: dress our executable up as a legitimate media file, and HTTP will transfer it as one. But how do we then find the file once it has been downloaded to the victim's computer? This is where a weakness of IE comes in. When IE renders a page it downloads the media files embedded in it to a temporary directory. The location of this directory is fixed, and when saving a file IE keeps the original file name given in the page; if a file with that name already exists in the directory, it appends "[1]", "[2]", and so on to the name. Based on these rules we can write script in the page that locates our program in the browser's cache directory. Although the principle is simple, there are still many problems to consider, the first being how to evade antivirus software.

Simply changing the executable's extension to that of a media type such as BMP, JPG or GIF is not enough to escape an antivirus scanner. Many scanners determine a file's type by inspecting its header structure, so a bare rename is easily seen through.

However, as the saying goes, "where the Tao rises one foot, the devil rises ten." We can forge a header to deceive such scanners. Usually we use a BMP bitmap file as the camouflage: forge a legitimate bitmap file header and embed the executable as the bitmap's pixel data. The BMP format is chosen because its header structure is simple and easy to fake; many programs use BMP files to disguise themselves or to hide information. A bitmap file has a file header structure 14 bytes long and a bitmap information header structure 40 bytes long, which can be written in C as follows (the structures must be packed to 1-byte alignment, otherwise the compiler inserts padding after bfSign and the file header grows to 16 bytes; the fixed-width types give the same layout as the 32-bit Windows types the original used):

    #include <stdint.h>

    #pragma pack(push, 1)
    typedef struct tagBmpFileHeader {     /* bitmap file header, 14 bytes */
        char     bfSign[2];               /* file signature, must be "BM" */
        uint32_t bfSize;                  /* size of the whole file in bytes */
        uint16_t bfReserved1;             /* must be 0 */
        uint16_t bfReserved2;             /* must be 0 */
        uint32_t bfOffBits;               /* offset of the pixel data from the start of the file */
    } BmpFileHeader;

    typedef struct tagBmpInfoHeader {     /* bitmap information header (Windows style), 40 bytes */
        uint32_t biSize;                  /* size of this structure, must be 40 */
        int32_t  biWidth;                 /* bitmap width in pixels */
        int32_t  biHeight;                /* bitmap height in pixels */
        uint16_t biPlanes;                /* must be 1 */
        uint16_t biBitCount;              /* color depth in bits per pixel */
        uint32_t biCompression;           /* 0 for uncompressed (BI_RGB) */
        uint32_t biSizeImage;             /* size of the pixel data in bytes */
        int32_t  biXPelsPerMeter;         /* horizontal resolution */
        int32_t  biYPelsPerMeter;         /* vertical resolution */
        uint32_t biClrUsed;               /* number of palette colors used */
        uint32_t biClrImportant;          /* number of important colors */
    } BmpInfoHeader;
    #pragma pack(pop)

In the file header, bfSign must be "BM" and bfSize is the size of the entire bitmap file. bfOffBits is the offset of the pixel data: for a 24-bit bitmap it is the size of the file header plus the information header (14 + 40 = 54 bytes), and for bitmaps that use a palette it must also skip the palette area; in practice it can be filled in loosely, since antivirus software typically does not check this field. bfReserved1 and bfReserved2 must be 0. In the information header, biSize must be 40, and biBitCount is usually set to 24 because the size calculation for a 24-bit bitmap is the simplest. biSizeImage is determined by biWidth, biHeight and biBitCount and can be chosen to fit the executable: make sure that biWidth * biHeight * biBitCount / 8 is slightly larger than the executable. When calculating biSizeImage, remember that bitmap pixel data is aligned per row (each row is padded to a multiple of 4 bytes), so choose biWidth and biHeight such that the resulting biSizeImage is slightly larger than the executable; the leftover bytes can be filled with random values.

Once the browser and the antivirus software have been fooled, what remains is to find our fake bitmap file, restore the executable from it, and run it. When IE browses a page it downloads the media files embedded in it to its cache directory, whose location can be read from the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache; the RegRead method of the WScript.Shell scripting object reads it easily. With that we can find our fake bitmap; to avoid the file-renaming problem in the cache directory, give the fake bitmap a long and unusual name.
Having found the fake bitmap the browser downloaded, we can restore our executable from it. But operating directly on files in the IE cache directory triggers a warning from Windows, so the fake bitmap must first be copied to the system's temporary directory and restored there. Direct manipulation of binary files is not VBScript's strength, and handling binary files through the Scripting.FileSystemObject object attracts the attention of antivirus software, whereas using Scripting.FileSystemObject on text files generally does not. So we can solve the problem neatly by combining a Windows batch file with the DOS debug command. A batch file is a text file consisting of DOS commands, similar to a UNIX/Linux shell script, with the extension .bat. The batch file we generate has to complete the following tasks: copy the fake bitmap from the IE cache directory to the Windows temporary directory, restore the executable from the fake bitmap, delete the temporary files, copy the restored executable to the Windows system directory, and finally delete the fake bitmap in the temporary directory and the restored executable. Apart from restoring the executable, all of these can be done with the COPY and DEL commands, so the next section concentrates on restoring the executable from the fake bitmap without using the Scripting.FileSystemObject object. Restoring the executable requires another DOS command: debug. Debug is a powerful debugging tool with many subcommands; it can load a binary file into memory and write a region of memory back out to a file, and we use that feature to restore the executable program file.
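The following C program is a worked example added here; it is not code from the original article. It builds a fake 24-bit BMP around an arbitrary byte string exactly as the header description above prescribes (54-byte header, rows padded to 4 bytes, slack filled with random bytes), recovers the bytes again given the length the generator knows, and, for the defender, inspects a BMP for the giveaway this trick leaves: a DOS/PE "MZ" stub at the pixel-data offset even when every header field is self-consistent. The payload is a constructed stand-in (an "MZ" prefix plus filler, not a real executable); the 64-pixel width and all function names are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_FILE_HDR_LEN 14
#define BMP_INFO_HDR_LEN 40
#define BMP_HDR_LEN (BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN) /* 54: bfOffBits of a 24-bit BMP */

/* BMP fields are little-endian; serialize by hand so struct padding cannot bite. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Each 24-bit pixel row is padded to a multiple of 4 bytes. */
uint32_t row_bytes24(uint32_t width) { return (width * 3u + 3u) & ~3u; }

/* Build a fake 24-bit BMP whose pixel area holds the payload. Returns a malloc'd buffer; *out_len = bfSize. */
uint8_t *wrap_in_bmp(const uint8_t *payload, size_t payload_len, size_t *out_len) {
    const uint32_t width = 64;                    /* arbitrary fixed width (example's choice) */
    uint32_t rb = row_bytes24(width);
    uint32_t height = (uint32_t)((payload_len + rb - 1) / rb);
    if (height == 0) height = 1;
    uint32_t image_size = rb * height;            /* biSizeImage, slightly larger than the payload */
    size_t total = BMP_HDR_LEN + image_size;
    uint8_t *buf = calloc(total, 1);
    if (!buf) return NULL;
    memcpy(buf, "BM", 2);                         /* bfSign */
    put32(buf + 2, (uint32_t)total);              /* bfSize: whole file; bfReserved1/2 at 6 and 8 stay 0 */
    put32(buf + 10, BMP_HDR_LEN);                 /* bfOffBits: no palette at 24 bpp */
    put32(buf + 14, BMP_INFO_HDR_LEN);            /* biSize must be 40 */
    put32(buf + 18, width);                       /* biWidth */
    put32(buf + 22, height);                      /* biHeight */
    put16(buf + 26, 1);                           /* biPlanes */
    put16(buf + 28, 24);                          /* biBitCount */
    put32(buf + 30, 0);                           /* biCompression: BI_RGB */
    put32(buf + 34, image_size);                  /* biSizeImage; bytes 38..53 (resolution, palette) stay 0 */
    memcpy(buf + BMP_HDR_LEN, payload, payload_len);
    for (size_t i = BMP_HDR_LEN + payload_len; i < total; i++)
        buf[i] = (uint8_t)rand();                 /* random filler in the slack, as the article suggests */
    *out_len = total;
    return buf;
}

/* Restore the payload. The generator knows payload_len and bakes it into the restore step. */
int unwrap_from_bmp(const uint8_t *bmp, size_t bmp_len, size_t payload_len, uint8_t *out) {
    if (bmp_len < BMP_HDR_LEN || memcmp(bmp, "BM", 2) != 0) return -1;
    uint32_t off = get32(bmp + 10);
    if (off < BMP_HDR_LEN || off > bmp_len || payload_len > bmp_len - off) return -1;
    memcpy(out, bmp + off, payload_len);
    return 0;
}

/* Defender-side check. Header fields that disagree with each other are one signal; an "MZ" stub
   at the start of the pixel area is the stronger one. Returns a bitmask, or -1 if not a BMP at all. */
enum { BMP_SUSPECT_SIZE = 1, BMP_SUSPECT_OFFSET = 2, BMP_SUSPECT_MZ = 4 };
int inspect_bmp(const uint8_t *bmp, size_t bmp_len) {
    if (bmp_len < BMP_HDR_LEN || memcmp(bmp, "BM", 2) != 0) return -1;
    int flags = 0;
    uint32_t bfsize = get32(bmp + 2), off = get32(bmp + 10), width = get32(bmp + 18);
    int32_t height = (int32_t)get32(bmp + 22);    /* negative height means a top-down bitmap */
    uint32_t rows = height < 0 ? (uint32_t)(-(int64_t)height) : (uint32_t)height;
    uint16_t bpp = get16(bmp + 28);
    uint32_t image_size = get32(bmp + 34);
    if (bfsize != bmp_len) flags |= BMP_SUSPECT_SIZE;
    if (bpp == 24 && image_size != 0 && image_size != row_bytes24(width) * rows) flags |= BMP_SUSPECT_SIZE;
    if (off < BMP_HDR_LEN || off > bmp_len) flags |= BMP_SUSPECT_OFFSET;
    else if (bmp_len - off >= 2 && bmp[off] == 'M' && bmp[off + 1] == 'Z') flags |= BMP_SUSPECT_MZ;
    return flags;
}

/* Round trip on a constructed stand-in for an executable ("MZ" prefix plus filler; not a real PE).
   Returns 0 on success, a nonzero step number otherwise. */
int selftest(void) {
    uint8_t payload[1000], back[1000];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(i * 7);
    memcpy(payload, "MZ", 2);
    size_t bmp_len;
    uint8_t *bmp = wrap_in_bmp(payload, sizeof payload, &bmp_len);
    if (!bmp) return 1;
    int rc = 0;
    if (bmp_len != BMP_HDR_LEN + 6 * 192) rc = 2;                           /* 1000 bytes -> 6 rows of 192 */
    else if (unwrap_from_bmp(bmp, bmp_len, sizeof payload, back) != 0) rc = 3;
    else if (memcmp(back, payload, sizeof payload) != 0) rc = 4;
    else if (inspect_bmp(bmp, bmp_len) != BMP_SUSPECT_MZ) rc = 5;           /* header consistent, MZ gives it away */
    else { bmp[54] = 'X'; if (inspect_bmp(bmp, bmp_len) != 0) rc = 6; }    /* non-PE pixel data passes clean */
    if (rc == 0) { put32(bmp + 2, (uint32_t)bmp_len + 1); if (inspect_bmp(bmp, bmp_len) != BMP_SUSPECT_SIZE) rc = 7; }
    free(bmp);
    return rc;
}

int main(void) {
    printf("selftest: %d\n", selftest());
    return 0;
}
```

The point worth noticing is the order of checks in selftest: the forged file passes every header-consistency check, which is exactly why the article expects a scanner that only validates header structure to be fooled; it is the content at bfOffBits, not the header, that exposes the embedded program.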

Please credit the original address when reprinting: https://www.9cbs.com/read-95910.html
