Forum: Virus Zone   Title: Making scripts evade antivirus software
Author: abctm [abctm]    Moderator



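Making scripts evade antivirus software
Antivirus software is now quite sensitive to VBS: as soon as it finds operations on the registry, or VBS being used to run commands (adding a user), the script may get killed. Here are 2 methods that solve this simply:

1. Use the concatenation operator "&", for example: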
Set CURObj = CreateObject("WScript.Shell")
mhk="HK"&"LM\SOFT"&"WARE\Micr"&"osoft\Win"&"dows\Curren"&"tVersion\Run\"
CURObj.RegWrite ""&mhk&"internat.exe","internat.exe"

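2. Use the Execute function (by 动鲨)

Some antivirus products, such as Rising (瑞星), monitor the code in web pages. Once you create an FSO or write to the registry, they report danger even if it is a normal script. But back then New Happy Time (新欢乐时光) also used FSO, so why was there no alert? The reason is that this virus used the Execute function to get past the firewall, heh. The virus converts the declaration code into a string and then runs it through the Execute(String) function. For example: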
str="set fso=CreateObject( " & chr(34) & "scrip" & chr(116)& "ing.FileSystemObject"&chr(34)&")"
msgbox str
Execute str
Put the code above into test.vbs and the FSO gets created, while Rising raises no alert.




Original post   Posted: 11/23 17:13
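Both tricks in the post only split or rebuild string literals, so they defeat matching on the raw script text and nothing more. The following added example (not part of the original post; `INDICATORS`, `fold_constants` and `scan` are names made up here) folds `&` concatenation and `Chr(n)` back into plain literals, re-checks the post's two snippets, and flags `Execute` as well.

```python
import re

# Patterns a raw-text signature might look for (list chosen for this example).
INDICATORS = [
    r"scripting\.filesystemobject",
    r"wscript\.shell",
    r"hklm\\software\\microsoft\\windows\\currentversion\\run",
]
_CHR = re.compile(r"\bchrw?\s*\(\s*(\d{1,5})\s*\)", re.I)
# Two adjacent VBScript string literals joined by & or +, e.g. "abc" & "def".
_JOIN = re.compile(r'"((?:[^"\n]|"")*)"\s*[&+]\s*"((?:[^"\n]|"")*)"')

# The two snippets from the post, embedded so the example runs offline.
SAMPLE_CONCAT = r'''Set CURObj = CreateObject("WScript.Shell")
mhk="HK"&"LM\SOFT"&"WARE\Micr"&"osoft\Win"&"dows\Curren"&"tVersion\Run\"
CURObj.RegWrite ""&mhk&"internat.exe","internat.exe"
'''
SAMPLE_EXECUTE = r'''str="set fso=CreateObject( " & chr(34) & "scrip" & chr(116)& "ing.FileSystemObject"&chr(34)&")"
Execute str
'''


def fold_constants(source):
    """Turn Chr(n) into a literal, then merge adjacent literals until stable."""
    def chr_literal(m):
        c = chr(int(m.group(1)))
        return '""""' if c == '"' else '"%s"' % c
    text = _CHR.sub(chr_literal, source)
    while True:
        folded = _JOIN.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
        if folded == text:
            return text
        text = folded


def scan(source):
    """Compare indicator hits on the raw text and on the constant-folded text."""
    folded = fold_constants(source)
    return {
        "raw": [p for p in INDICATORS if re.search(p, source, re.I)],
        "folded": [p for p in INDICATORS if re.search(p, folded, re.I)],
        # Execute/ExecuteGlobal runs a string as code: flag it for review.
        "dynamic_exec": bool(re.search(r"\bexecute(global)?\b", source, re.I)),
    }


if __name__ == "__main__":
    for name, sample in (("concat", SAMPLE_CONCAT), ("execute", SAMPLE_EXECUTE)):
        print(name, scan(sample))
```

Folding only resolves constants that are visible in the file; strings assembled at run time need inspection at the script host, after the string has been built.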

Reply: cicada [cicada]   Forum user
Hello, I have a question, please help me.
When I write VBScript, why does it always report "Object required: WScript"?
The code is as follows:
<TITLE></TITLE>
<script language="VBScript">

Set ws = CreateObject("WScript.Shell")
Set fso = Createobject("scripting.filesystemobject")
Set fn = fso.OpenTextFile(WScript.ScriptFullname,1) 'this line reports the error
......
</script>
......
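How can I get it to work?
My machine runs win2000, and WScript.exe is in the system32 directory. I copied the web page containing this script to the winnt and system32 directories and debugging it there does not work either.

Floor B1   Posted: 11/23 20:38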

Reply: abctm [abctm]   Moderator
http://www.k12.com.cn/webpage/vbscript/
Most Script code is inside Sub or Function procedures.
Did you add <!-- --> or not?

[This post was edited by 日月双星(abctm) on Nov 23 at 21:22]

Floor B2   Posted: 11/23 21:34

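Reply: abctm [abctm]   Moderator

Classic VBS code
Below is VBS code that I consider fairly classic, including Windows 2000 administration, encoding, decoding, and so on...
I hope everyone will come to like VBS too.

Log off / restart / shut down the local Windows NT/2000 computer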

Sub ShutDown()
  Dim Connection, WQL, SystemClass, System
 
  'Get connection To local wmi
  Set Connection = GetObject("winmgmts:root\cimv2")
 
  'Get Win32_OperatingSystem objects - only one object In the collection
  WQL = "Select Name From Win32_OperatingSystem"
  Set SystemClass = Connection.ExecQuery(WQL)
 
  'Get one system object
  'I think there is no way To get the object using URL?
  For Each System In SystemClass
    System.Win32ShutDown (2)
  Next
End Sub


Log off / restart / shut down a remote Windows NT/2000 computer

Sub ShutDownEx(Server, User, Password)
  Dim Connection, WQL, SystemClass, System
 
  'Get connection To remote wmi
  Dim Locator
  Set Locator = CreateObject("WbemScripting.SWbemLocator")
  Set Connection = Locator.ConnectServer(Server, "root\cimv2", User, Password)
 
  'Get Win32_OperatingSystem objects - only one object In the collection
  WQL = "Select Name From Win32_OperatingSystem"
  Set SystemClass = Connection.ExecQuery(WQL)
 
  'Get one system object
  'I think there is no way To get the object using URL?
  For Each System In SystemClass
    System.Win32ShutDown (2)
  Next
End Sub



Both pieces of code above use the Win32ShutDown method of Win32_OperatingSystem in WMI. The flag parameter in Win32ShutDown(flag) can be any one of the values in the table below:

Value    Description
0        Log off
0 + 4    Forced log off
1        Shut down
1 + 4    Forced shut down
2        Restart
2 + 4    Forced restart
8        Power off
8 + 4    Forced power off


Writing a binary file with the ADODB.Stream object

Function SaveBinaryData(FileName, ByteArray)
  Const adTypeBinary = 1
  Const adSaveCreateOverWrite = 2
 
  'Create Stream object
  Dim BinaryStream
  Set BinaryStream = CreateObject("ADODB.Stream")
 
  'Specify stream type - we want To save binary data.
  BinaryStream.Type = adTypeBinary
 
  'Open the stream And write binary data To the object
  BinaryStream.Open
  BinaryStream.Write ByteArray
 
  'Save binary data To disk
  BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
End Function


Writing a text file with the ADODB.Stream object

Function SaveTextData(FileName, Text, CharSet)
  Const adTypeText = 2
  Const adSaveCreateOverWrite = 2
 
  'Create Stream object
  Dim BinaryStream
  Set BinaryStream = CreateObject("ADODB.Stream")
 
  'Specify stream type - we want To save text/string data.
  BinaryStream.Type = adTypeText
 
  'Specify charset For the source text (unicode) data.
  If Len(CharSet) > 0 Then
    BinaryStream.CharSet = CharSet
  End If
 
  'Open the stream And write text data To the object
  BinaryStream.Open
  BinaryStream.WriteText Text
 
  'Save text data To disk
  BinaryStream.SaveToFile FileName, adSaveCreateOverWrite
End Function




Reading a binary file with the ADODB.Stream object

Function ReadBinaryFile(FileName)
  Const adTypeBinary = 1
 
  'Create Stream object
  Dim BinaryStream
  Set BinaryStream = CreateObject("ADODB.Stream")
 
  'Specify stream type - we want To get binary data.
  BinaryStream.Type = adTypeBinary
 
  'Open the stream
  BinaryStream.Open
 
  'Load the file data from disk To stream object
  BinaryStream.LoadFromFile FileName
 
  'Open the stream And get binary data from the object
  ReadBinaryFile = BinaryStream.Read
End Function



Reading a text file with the ADODB.Stream object

Function ReadTextFile(FileName, CharSet)
  Const adTypeText = 2
 
  'Create Stream object
  Dim BinaryStream
  Set BinaryStream = CreateObject("ADODB.Stream")
 
  'Specify stream type - we want To get text/string data.
  BinaryStream.Type = adTypeText
 
  'Specify charset For the source text (unicode) data.
  If Len(CharSet) > 0 Then
    BinaryStream.CharSet = CharSet
  End If
 
  'Open the stream
  BinaryStream.Open
 
  'Load the file data from disk To stream object
  BinaryStream.LoadFromFile FileName
 
  'Get text data from the stream object
  ReadTextFile = BinaryStream.ReadText
End Function



Writing a file with the FileSystemObject object

Function SaveBinaryDataTextStream(FileName, ByteArray)
  'Create FileSystemObject object
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
 
  'Create text stream object
  Dim TextStream
  Set TextStream = FS.CreateTextFile(FileName)
 
  'Convert binary data To text And write them To the file
  TextStream.Write BinaryToString(ByteArray)
End Function



Reading and writing Windows INI files

Sub WriteINIStringVirtual(Section, KeyName, Value, FileName)
  WriteINIString Section, KeyName, Value, _
    Server.MapPath(FileName)
End Sub
Function GetINIStringVirtual(Section, KeyName, Default, FileName)
  GetINIStringVirtual = GetINIString(Section, KeyName, Default, _
    Server.MapPath(FileName))
End Function


'Work with INI files In VBS (ASP/WSH)
'v1.00
'2003 Antonin Foller, PSTRUH Software, http://www.pstruh.cz
'Function GetINIString(Section, KeyName, Default, FileName)
'Sub WriteINIString(Section, KeyName, Value, FileName)

Sub WriteINIString(Section, KeyName, Value, FileName)
  Dim INIContents, PosSection, PosEndSection
 
  'Get contents of the INI file As a string
  INIContents = GetFile(FileName)

  'Find section
  PosSection = InStr(1, INIContents, "[" & Section & "]", vbTextCompare)
  If PosSection>0 Then
    'Section exists. Find end of section
    PosEndSection = InStr(PosSection, INIContents, vbCrLf & "[")
    '?Is this last section?
    If PosEndSection = 0 Then PosEndSection = Len(INIContents)+1
   
    'Separate section contents
    Dim OldsContents, NewsContents, Line
    Dim sKeyName, Found
    OldsContents = Mid(INIContents, PosSection, PosEndSection - PosSection)
    OldsContents = split(OldsContents, vbCrLf)

    'Temp variable To find a Key
    sKeyName = LCase(KeyName & "=")

    'Enumerate section lines
    For Each Line In OldsContents
      If LCase(Left(Line, Len(sKeyName))) = sKeyName Then
        Line = KeyName & "=" & Value
        Found = True
      End If
      NewsContents = NewsContents & Line & vbCrLf
    Next

    If isempty(Found) Then
      'key Not found - add it at the end of section
      NewsContents = NewsContents & KeyName & "=" & Value
    Else
      'remove last vbCrLf - the vbCrLf is at PosEndSection
      NewsContents = Left(NewsContents, Len(NewsContents) - 2)
    End If

    'Combine pre-section, new section And post-section data.
    INIContents = Left(INIContents, PosSection-1) & _
      NewsContents & Mid(INIContents, PosEndSection)
  else'if PosSection>0 Then
    'Section Not found. Add section data at the end of file contents.
    If Right(INIContents, 2) <> vbCrLf And Len(INIContents)>0 Then
      INIContents = INIContents & vbCrLf
    End If
    INIContents = INIContents & "[" & Section & "]" & vbCrLf & _
      KeyName & "=" & Value
  end if'if PosSection>0 Then
  WriteFile FileName, INIContents
End Sub

Function GetINIString(Section, KeyName, Default, FileName)
  Dim INIContents, PosSection, PosEndSection, sContents, Value, Found
 
  'Get contents of the INI file As a string
  INIContents = GetFile(FileName)

  'Find section
  PosSection = InStr(1, INIContents, "[" & Section & "]", vbTextCompare)
  If PosSection>0 Then
    'Section exists. Find end of section
    PosEndSection = InStr(PosSection, INIContents, vbCrLf & "[")
    '?Is this last section?
    If PosEndSection = 0 Then PosEndSection = Len(INIContents)+1
   
    'Separate section contents
    sContents = Mid(INIContents, PosSection, PosEndSection - PosSection)

    If InStr(1, sContents, vbCrLf & KeyName & "=", vbTextCompare)>0 Then
      Found = True
      'Separate value of a key.
      Value = SeparateField(sContents, vbCrLf & KeyName & "=", vbCrLf)
    End If
  End If
  If isempty(Found) Then Value = Default
  GetINIString = Value
End Function

'Separates one field between sStart And sEnd
Function SeparateField(ByVal sFrom, ByVal sStart, ByVal sEnd)
  Dim PosB: PosB = InStr(1, sFrom, sStart, 1)
  If PosB > 0 Then
    PosB = PosB + Len(sStart)
    Dim PosE: PosE = InStr(PosB, sFrom, sEnd, 1)
    If PosE = 0 Then PosE = InStr(PosB, sFrom, vbCrLf, 1)
    If PosE = 0 Then PosE = Len(sFrom) + 1
    SeparateField = Mid(sFrom, PosB, PosE - PosB)
  End If
End Function


'File functions
Function GetFile(ByVal FileName)
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
  'Go To windows folder If full path Not specified.
  If InStr(FileName, ":\") = 0 And Left (FileName,2)<>"\\" Then
    FileName = FS.GetSpecialFolder(0) & "\" & FileName
  End If
  On Error Resume Next

  GetFile = FS.OpenTextFile(FileName).ReadAll
End Function

Function WriteFile(ByVal FileName, ByVal Contents)
 
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
  'On Error Resume Next

  'Go To windows folder If full path Not specified.
  If InStr(FileName, ":\") = 0 And Left (FileName,2)<>"\\" Then
    FileName = FS.GetSpecialFolder(0) & "\" & FileName
  End If

  Dim OutStream: Set OutStream = FS.OpenTextFile(FileName, 2, True)
  OutStream.Write Contents
End Function








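Floor B3   Posted: 11/23 21:48

Reply: cicada [cicada]   Forum user
Thanks in advance, but I did add it and it still does not work.
Set fn = fso.OpenTextFile(WScript.ScriptFullname,1) 'this line reports the error
Many script viruses have this line of code at the beginning. Does this line read the contents of the infected file itself into memory in order to carry out infection?
Why is no error reported at Set ws = CreateObject("WScript.Shell"), yet an error is reported on this line? Is ScriptFullname a property of the WScript object? What is it used for?

Floor B4   Posted: 11/24 15:51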

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.