VBE, VBS, PowerShell and JavaScript trojans

VBE

A VBE file is VBS code that has been "compiled", that is, encoded, with the Windows Script Encoder. The encoding is a fixed character substitution, not encryption: there is no key, so any encoded script can be turned back into its source.

Many tools produce this encoding; the one most commonly used is Microsoft Script Encoder (screnc.exe).

The decode table can be rebuilt from the encoder itself (the decoder below does exactly that through the Scripting.Encoder COM object, which ships with Windows in scrrun.dll), but Microsoft has removed the screnc.exe download from its site.

The decoder written by Jean-Luc Antoine is recommended:

https://www.interclasse.com/scripts/decovbe.php

Run it from CMD as decoder.vbs followed by the target .vbe file (the copy used here is saved as decoder.vbs). Use cscript rather than wscript so the listing goes to stdout instead of a message box, and note that the decoder only parses the file text; it never executes the sample.

For example:

decoder.vbs information.vbe

information.vbe(MD5: E9FFDB716AF3D355B25096A8ED4DE8EF)

Result:

[screenshot: the decoded listing shown in a message box]

Because the original script shows the result in a popup (under wscript), the text cannot be copied out. The script was therefore modified: the WScript.Echo Contenu line is commented out and replaced by code that writes the decoded listing to 1.txt in the directory CMD is running in. (Running the unmodified script under cscript and redirecting stdout, e.g. cscript decoder.vbs information.vbe > out.txt, achieves the same thing.)

'VBE decoder
'
'Decode all files encoded (original version) with screnc.exe
'This script gives you a decoded listing from an encoded file.
'Supports .jse, .vbe, .asp, .hta, .htm, .html...
'If used under cscript, puts the result to stdout.
'The file can be multi-encoded (many scripts in the file, for ex. in an html file)
'Used under wscript, pops up the decoded file in a message box.
'
'File Name : decovbe.vbs
'Requirement : none
'Author : Jean-Luc Antoine
'Submitted : 05/09/2001
'Updated : 09/12/2001
'Category : 4K
'
'http://www.interclasse.com/scripts/decovbe.php

option explicit
Dim oArgs, NomFichier, a
'Optional argument : the encoded filename
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
    Case 0 'No Arg, popup a dialog box to choose the file
        NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
    Case 1
        If Instr(oArgs(0),"?")=0 Then '-? or /? => help
            NomFichier=oArgs(0)
        End If
    Case Else
        WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing

If NomFichier<>"" Then
    Dim fso
    Set fso=WScript.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(NomFichier) Then
        Dim fic,contenu
        Set fic = fso.OpenTextFile(NomFichier, 1)
        Contenu=fic.readAll
        fic.close
        Set fic=Nothing

        'An encoded block is framed as #@~^ + 6-char length + "==" ... body ... + 6-char checksum + ==^#~@
        Const TagInit="#@~^" '#@~^awQAAA==
        Const TagFin="==^#~@" '& chr(0)
        Dim DebutCode, FinCode
        Do
            FinCode=0
            DebutCode=Instr(Contenu,TagInit)
            If DebutCode>0 Then
                If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
                    FinCode=Instr(DebutCode,Contenu,TagFin)
                    If FinCode>0 Then
                        'Replace the whole envelope with its decoded body, then look for the next one
                        Contenu=Left(Contenu,DebutCode-1) & _
                            Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
                            Mid(Contenu,FinCode+6)
                    End If
                End If
            End If
        Loop Until FinCode=0
        'WScript.Echo Contenu
        'Modified: write the decoded listing to 1.TXT in the current directory instead of echoing it
        Set fso =CreateObject("Scripting.FileSystemObject")
        Set a = fso.CreateTextFile("1.TXT", True)
        a.WriteLine(Contenu)
        a.Close
    Else
        WScript.Echo Nomfichier & " not found"
    End If
    Set fso=Nothing
Else
    WScript.Echo "Please give a filename"
    WScript.Echo "Usage : " & wscript.fullname & " " & WScript.ScriptFullName & " <filename>"
End If

Function Decode(Chaine)
    Dim se,i,c,j,index,ChaineTemp
    Dim tDecode(127)
    'Which of the three substitution alphabets applies to a character is chosen by its position, cycling through this 64-entry pattern
    Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"

    'Build the decode table by encoding each character three times with the Scripting.Encoder object (scrrun.dll)
    Set se=WSCript.CreateObject("Scripting.Encoder")
    For i=9 to 127
        tDecode(i)="JLA"
    Next
    For i=9 to 127
        ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
        For j=1 to 3
            c=Asc(Mid(ChaineTemp,j,1))
            tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
        Next
    Next
    'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
    tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
    Set se=Nothing

    'Undo the escape sequences the encoder uses for LF, CR, >, < and @
    Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
    Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
    Chaine=Replace(Chaine,"@$","@")
    index=-1
    For i=1 to Len(Chaine)
        c=asc(Mid(Chaine,i,1))
        If c<128 Then index=index+1
        If (c=9) or ((c>31) and (c<128)) Then
            If (c<>60) and (c<>62) and (c<>64) Then
                Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1)
            End If
        End If
    Next
    Decode=Chaine
End Function

Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
    Dim ShellObject, pstrTempFolder, x
    Set ShellObject=WScript.CreateObject("Shell.Application")
    On Error Resume Next
    Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
    BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
    If Err.Number<>0 Then BrowseForFolder=""
    Set pstrTempFolder=Nothing
    Set ShellObject=Nothing
End Function

VBS

For VBS, insert msgbox, WScript.StdOut.WriteLine or WScript.Echo calls to print the intermediate strings, typically in place of the Execute or ExecuteGlobal call that would otherwise run the decoded stage.

You can also debug with the NppExec plugin for Notepad++, or start the script under a script debugger with

wscript //X vbsfile
cscript //X vbsfile

which hands the script to Visual Studio's script debugger (or whichever script debugger is installed). Note the double slash: //X is a Windows Script Host option, whereas a single-slash /x would simply be passed to the script as an ordinary argument.

PowerShell

There are many ways to obfuscate a PowerShell script: random casing, string concatenation, abbreviations and wildcards, ASCII codes, Base64, reversed strings and so on.

But however it is obfuscated, the script must eventually execute, and that almost always goes through iex (Invoke-Expression). (Other sinks such as & applied to [ScriptBlock]::Create(...) or its .Invoke() exist and get the same treatment.)

So you only need to find iex or Invoke-Expression in the code, or one of its disguised forms such as &($psHOme[4]+$pshOme[34]+'x'), $Env:ComSpec[4,26,25]-Join'', $ShellId[1]+$ShellId[13]+'x' or $EnV:cOmSPeC[4,24,25]-jOIn'', and replace it with Write-Output. These disguises work by indexing into strings whose values are fixed on a default install: $PSHOME (C:\Windows\System32\WindowsPowerShell\v1.0) has 'i' at index 4 and 'e' at index 34, $Env:ComSpec (C:\Windows\system32\cmd.exe) has 'i', 'e', 'x' at indexes 4, 24 or 26, and 25, and $ShellId (Microsoft.PowerShell) has 'i' at index 1 and 'e' at index 13, so each expression evaluates to the string "iex".

For example:

function aes
{
    param ([String]$InputString,
           [String]$hash = "cVdA6gMCLBUrWK3mqhai24KhwaAufX7yN")

    # Blob layout: 32-byte salt | 20-byte HMAC-SHA1 | AES-CBC ciphertext
    $InputData = [Convert]::FromBase64String($InputString)

    $Salt = New-Object Byte[](32)
    [Array]::Copy($InputData, 0, $Salt, 0, 32)
    # PBKDF2 stretches the hard-coded password into AES key, IV and HMAC key
    $Rfc2898 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($hash, $Salt)
    $AESKey = $Rfc2898.GetBytes(32)
    $AESIV = $Rfc2898.GetBytes(16)
    $Hmac = New-Object System.Security.Cryptography.HMACSHA1( ,$Rfc2898.GetBytes(20))

    $AuthCode = $Hmac.ComputeHash($InputData, 52, $InputData.Length - 52)

    if (Compare-Object $AuthCode ($InputData[32 .. 51]) -SyncWindow 0)
    {
        throw 'Checksum failure.'
    }

    $AES = New-Object Security.Cryptography.RijndaelManaged
    $AESDecryptor = $AES.CreateDecryptor($AESKey, $AESIV)

    $DecryptedInputData = $AESDecryptor.TransformFinalBlock($InputData, 52, $InputData.Length - 52)

    # 0x1f is the first byte of a GZip header: decompress if the payload was compressed
    $DataStream = New-Object System.IO.MemoryStream($DecryptedInputData, $false)
    if ($DecryptedInputData[0] -eq 0x1f)
    {
        $DataStream = New-Object System.IO.Compression.GZipStream($DataStream, [IO.Compression.CompressionMode]::Decompress)
    }

    $StreamReader = New-Object System.IO.StreamReader($DataStream, $true)
    # The plaintext is itself Base64 of a UTF-16LE script; the iex below is the sink to swap for Write-Output
    $OutputString = ([System.Text.Encoding]::unicode.GetString([System.Convert]::FromBase64String($StreamReader.ReadToEnd())))
    iex $Outputstring
}

The whole function looks like heavy lifting (AES, HMAC, GZip, Base64), but at the end it still has to iex the result, so changing that iex to Write-Output makes the function print the decrypted script instead of running it.
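The manual edit described above can be automated. The following Python script is an added example, not code from the original post or from the referenced threads: it resolves the index tricks listed in this section ($PSHOME, $Env:ComSpec, $ShellId, plus the $VerbosePreference.ToString()[1,3] variant, which the post does not mention), folds the resulting characters back into a single literal, and rewrites every Invoke-Expression sink to Write-Output. The HOST_STRINGS values are the defaults of a stock Windows install and are an assumption of the example, and the SAMPLE script is constructed for the demo, not taken from real malware.

```python
"""Sink swap for obfuscated PowerShell: resolve the disguised spellings
of iex, fold them back into one literal and rewrite every execution
sink to Write-Output so the script prints its next stage instead of
running it. Added example; not part of the original post."""
import re

# Host strings the index tricks select characters from. These are the
# values on a default Windows install and are an assumption of this
# example; change them if the sample was built for another install path.
HOST_STRINGS = {
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",  # [4]='i' [34]='e'
    "env:comspec": r"C:\Windows\system32\cmd.exe",             # [4]='i' [24]/[26]='e' [25]='x'
    "shellid": "Microsoft.PowerShell",                          # [1]='i' [13]='e'
    "verbosepreference": "SilentlyContinue",                    # [1]='i' [3]='e'
}

# $psHOme[4], $Env:ComSpec[4,26,25], $VerbosePreference.ToString()[1,3], $x[1..3]
_INDEX_EXPR = re.compile(
    r"\$(?P<name>(?:env:)?[a-z]+)(?:\.tostring\(\))?"
    r"\[(?P<idx>\s*-?\d+(?:\s*\.\.\s*-?\d+)?(?:\s*,\s*-?\d+(?:\s*\.\.\s*-?\d+)?)*\s*)\]",
    re.IGNORECASE,
)
_DQ_LITERAL = re.compile("\"([^\"'$`]*)\"")                           # "x" with nothing to expand
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                   # 'i'+'e'
_JOIN = re.compile(r"'([^']*)'\s*-join\s*(?:''|\"\")", re.IGNORECASE)  # 'iex'-join''
_PARENS = re.compile(r"\(\s*'([^']*)'\s*\)")                          # ('iex')
_INVOKED_SINK = re.compile(r"[&.]\s*'(?:iex|invoke-expression)'", re.IGNORECASE)
_BARE_SINK = re.compile(r"(?<![\w$-])(?:iex|invoke-expression)(?![\w-])", re.IGNORECASE)


def _indices(spec):
    """Expand a PowerShell index list such as '4,26,25' or '1..3' to ints."""
    out = []
    for part in spec.split(","):
        part = part.strip()
        if ".." in part:
            lo, hi = (int(p) for p in part.split(".."))
            step = 1 if hi >= lo else -1
            out.extend(range(lo, hi + step, step))
        else:
            out.append(int(part))
    return out


def resolve_index_tricks(script):
    """Replace $pshome[4]-style expressions with a literal of the selected characters."""
    def sub(m):
        value = HOST_STRINGS.get(m.group("name").lower())
        if value is None:
            return m.group(0)  # unknown variable: leave it for the analyst
        try:
            chars = "".join(value[i] for i in _indices(m.group("idx")))
        except IndexError:
            return m.group(0)
        return "'" + chars + "'"
    return _INDEX_EXPR.sub(sub, script)


def fold_literals(script):
    """Collapse 'i'+'e'+'x', ('iex') and 'iex'-join'' into a single literal."""
    script = _DQ_LITERAL.sub(lambda m: "'" + m.group(1) + "'", script)
    prev = None
    while prev != script:  # repeat until no more folds apply
        prev = script
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = _JOIN.sub(lambda m: "'" + m.group(1) + "'", script)
        script = _PARENS.sub(lambda m: "'" + m.group(1) + "'", script)
    return script


def swap_sinks(script):
    """Rewrite every iex / Invoke-Expression sink to Write-Output; return (text, count)."""
    script, n_invoked = _INVOKED_SINK.subn("Write-Output", script)
    script, n_bare = _BARE_SINK.subn("Write-Output", script)
    return script, n_invoked + n_bare


def neutralize(script):
    """Full pipeline: resolve index tricks, fold literals, then swap the sinks."""
    return swap_sinks(fold_literals(resolve_index_tricks(script)))


# Constructed sample (not real malware): four disguised sinks and one plain one.
SAMPLE = r"""
$b = 'SQBFAFgA'
&($psHOme[4]+$pshOme[34]+'x') ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))
.($Env:ComSpec[4,26,25]-Join'') $stage2
$s = $ShellId[1]+$ShellId[13]+'x'; & $s $stage3
&($VerbosePreference.ToString()[1,3]+"x") $stage4
Invoke-Expression $stage5
"""

if __name__ == "__main__":
    text, count = neutralize(SAMPLE)
    print(f"{count} sink(s) rewritten to Write-Output")
    print(text)
```

Run the rewritten script in an isolated VM and it prints the next stage instead of executing it; repeat on the output until the final payload is readable. A sample that reaches Invoke-Expression through a path this regex pass does not cover (for instance a [ScriptBlock]::Create call) still needs the manual swap described above.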

Every sample is different. A PowerShell script can also be stepped through in the built-in Windows PowerShell ISE, run in a virtual machine with PowerShell logging enabled (script block logging records each de-obfuscated script block as it executes, as event 4104 in the Microsoft-Windows-PowerShell/Operational log), or handed to behaviour monitors and sandboxes.

References: https://bbs.pediy.com/thread-253629.htm, https://www.52pojie.cn/thread-1543561-1-1.html, https://www.freebuf.com/articles/system/181697.html

JavaScript

JavaScript trojans come in many forms, both web-page trojans and host trojans, and the obfuscation schemes are just as varied.

JS code beautifier: https://beautifier.io/

Basic deobfuscation: https://mindedsecurity.github.io/jstillery/

The main approach is still to statically analyse the code logic first, locate the key data, and then decrypt that data with whatever method the script itself uses.

Web JavaScript:

Chrome DevTools, plus alert(), document.write(), console.log() and unescape() for dumping intermediate values (replace the eval() or document.write() call that would run the next stage with console.log()).

Windows JavaScript (JScript run by WSH):

WScript.StdOut.WriteLine(), WScript.Echo()

Obfuscated Windows JavaScript can be handled with WScript.StdOut.WriteLine and WScript.Echo in the same way as VBS: both run under the Windows Script Host, so the eval() call that executes the decoded stage can be replaced with WScript.Echo to print it instead.


Source: http://wangchenchina.github.io/2022/05/13/VBE、VBS、PowerShell和JavaScript木马/ (author: Demo, published 13 May 2022)