mayx/blog
1
0
Fork 0
mirror of https://github.com/Mabbs/mabbs.github.io synced 2025-10-31 09:19:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update 2 files

Browse Source 
- /_posts/2019-02-01-history.md
- /_posts/2024-11-02-trojan.md
This commit is contained in:
mayx
2025-04-09 17:31:38 +00:00
parent 78d65eae30
commit 9382acdabd
2 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
_posts/2019-02-01-history.md
View File

@@ -25,17 +25,17 @@ tags: [Mayx, 计算机, 学习]
<script>
function showcode() {
$('.showbutton').toggle();
$('.language-code').toggle();
$('.language-bat').toggle();
}
</script>
<style>
.language-code{ display:none; }
.language-bat{ display:none; }
.language-shell{ display:none; }
</style>
<button onclick="showcode()" class="showbutton">Show Code</button>
<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button>
```code
```bat
@echo off
color f0
mode con cols=50 lines=10

17
_posts/2024-11-02-trojan.md
View File

@@ -14,6 +14,19 @@ tags: [Python, 木马, 病毒]
# 提取源代码
pyinstaller解包还是挺简单的用[PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor)就可以首先我在我的电脑上尝试解包不过因为Python版本不对里面的PYZ文件不能解包并且提示我使用Python 2.7的环境再试一次。我找了台装有Python 2.7环境的服务器又执行了一次之后就全部解包完了。想不到这个木马居然没有加密😂,直接就能解压,不过就算加密了我之前看过一篇[文章](https://www.cnblogs.com/liweis/p/15891170.html)可以进行解密。
不过现在得到的文件都是字节码pyc文件还需要反编译才能看到源代码这个步骤也很简单安装个[uncompyle6](https://github.com/rocky/python-uncompyle6)工具就可以。它的主程序名字叫“ii.py”于是我反编译了一下不过看起来作者还整了一些混淆但是极其简单就把几个函数换成一串变量而已所以写了个简单的脚本给它还原回去了最终处理的结果如下里面有个[混淆过的PowerShell版mimikatz](https://github.com/DanMcInerney/Invoke-Cats),太长了所以我给删掉了):
<script>
function showcode() {
$('.showbutton').toggle();
$('.language-python').toggle();
}
</script>
<style>
.language-python{ display:none; }
</style>
<button onclick="showcode()" class="showbutton">Show Code</button>
<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button>
```python
# uncompyle6 version 3.9.2
# Python bytecode version base 2.7 (62211)
@@ -1493,6 +1506,10 @@ while var == 1:
# global h_one ## Warning: Unused global
```
里面有两个不是公开的库mysmb和psexec其中mysmb看起来是[永恒之蓝RCE中的代码](https://github.com/0xsyr0/OSCP/blob/main/exploits/CVE-2017-0144-EternalBlue-MS17-010-RCE/mysmb.py)psexec有找到几个相似的但是没找到一样的所以代码也放上来
<button onclick="showcode()" class="showbutton">Show Code</button>
<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button>
```python
# uncompyle6 version 3.9.2
# Python bytecode version base 2.7 (62211)