diff options
| author | mayx | 2025-04-09 17:31:38 +0000 |
|---|---|---|
| committer | mayx | 2025-04-09 17:31:38 +0000 |
| commit | 9382acdabd740565b5a9a34bf6e79af7abf0e40c (patch) | |
| tree | c141ab241e711902b4aca68257a617d2833e90c3 | |
| parent | 78d65eae30c61e1ed82142dc68309caf5bad2309 (diff) | |
Update 2 files
- /_posts/2019-02-01-history.md - /_posts/2024-11-02-trojan.md
| -rw-r--r-- | _posts/2019-02-01-history.md | 6 | ||||
| -rw-r--r-- | _posts/2024-11-02-trojan.md | 17 |
2 files changed, 20 insertions, 3 deletions
diff --git a/_posts/2019-02-01-history.md b/_posts/2019-02-01-history.md index 44ecfc6..d37b3f0 100644 --- a/_posts/2019-02-01-history.md +++ b/_posts/2019-02-01-history.md @@ -25,17 +25,17 @@ tags: [Mayx, 计算机, 学习] <script> function showcode() { $('.showbutton').toggle(); - $('.language-code').toggle(); + $('.language-bat').toggle(); } </script> <style> -.language-code{ display:none; } +.language-bat{ display:none; } .language-shell{ display:none; } </style> <button onclick="showcode()" class="showbutton">Show Code</button> <button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button> -```code +```bat @echo off color f0 mode con cols=50 lines=10 diff --git a/_posts/2024-11-02-trojan.md b/_posts/2024-11-02-trojan.md index b03bbef..60c7c37 100644 --- a/_posts/2024-11-02-trojan.md +++ b/_posts/2024-11-02-trojan.md @@ -14,6 +14,19 @@ tags: [Python, 木马, 病毒] # 提取源代码 pyinstaller解包还是挺简单的,用[PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor)就可以,首先我在我的电脑上尝试解包,不过因为Python版本不对,里面的PYZ文件不能解包,并且提示我使用Python 2.7的环境再试一次。我找了台装有Python 2.7环境的服务器又执行了一次之后就全部解包完了。想不到这个木马居然没有加密😂,直接就能解压,不过就算加密了我之前看过一篇[文章](https://www.cnblogs.com/liweis/p/15891170.html)可以进行解密。 不过现在得到的文件都是字节码pyc文件,还需要反编译才能看到源代码,这个步骤也很简单,安装个[uncompyle6](https://github.com/rocky/python-uncompyle6)工具就可以。它的主程序名字叫“ii.py”,于是我反编译了一下,不过看起来作者还整了一些混淆,但是极其简单,就把几个函数换成一串变量而已,所以写了个简单的脚本给它还原回去了,最终处理的结果如下(里面有个[混淆过的PowerShell版mimikatz](https://github.com/DanMcInerney/Invoke-Cats),太长了所以我给删掉了): + +<script> + function showcode() { + $('.showbutton').toggle(); + $('.language-python').toggle(); + } +</script> +<style> +.language-python{ display:none; } +</style> +<button onclick="showcode()" class="showbutton">Show Code</button> +<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button> + ```python # uncompyle6 version 3.9.2 # Python bytecode version base 2.7 (62211) @@ -1493,6 +1506,10 @@ while var == 1: # global h_one ## Warning: Unused global ``` 里面有两个不是公开的库,mysmb和psexec,其中mysmb看起来是[永恒之蓝RCE中的代码](https://github.com/0xsyr0/OSCP/blob/main/exploits/CVE-2017-0144-EternalBlue-MS17-010-RCE/mysmb.py),psexec有找到几个相似的但是没找到一样的,所以代码也放上来: + +<button onclick="showcode()" class="showbutton">Show Code</button> +<button onclick="showcode()" class="showbutton" style="display:none;">Hide Code</button> + ```python # uncompyle6 version 3.9.2 # Python bytecode version base 2.7 (62211) |