|
Source: lam's blog
Planting trojans in media players seems to be in fashion again lately, so I looked around online to see whether there was anything good for guarding against it.
I came across this at the Antiy CERT team:
Software name: exe2swf
Supported systems: WIN 9x/ME/2000/NT
File size: 11K
File description: FLASH format file converter. A simple tool written to guard against people embedding trojans in executable FLASH files (.exe), or passing off a trojan with a Flash icon as a Flash file.
Download: http://soft.hackbase.com/37/20050319/6389.html
Ha, but there was something even more unexpected: I found a piece of code that can try out this functionality.
Author: 海娃
Usage:
- Save the code below as exe2swf.vbs
- Drag and drop the exe-format Flash file onto this file to generate the swf file.
'haiwa@http://www.51windows.Net
'Thanks to jimbob for the help.
dim AsoR,FlashFileName
Set ArgObj = WScript.Arguments
if ArgObj.Count = 0 then WScript.Quit 'no file was dropped onto the script
dim PositionStart,OKed,Tag,EndSize
PositionStart = 920000 'approximate size in bytes of the Flash 4 player
EndSize = 8 'number of bytes at the end of the exe file; can be set to 0 for other versions
FlashFileName = ArgObj(0) 'path passed in
set AsoR=CreateObject("Adodb.Stream")
AsoR.Mode=3
AsoR.Type=1
AsoR.Open
set AsoW=CreateObject("Adodb.Stream")
AsoW.Mode=3
AsoW.Type=1
AsoW.Open
AsoR.LoadFromFile(FlashFileName)
OKed = true
dim filesize
filesize = AsoR.size
if filesize>PositionStart then
    while OKed
        AsoR.Position = PositionStart
        Tag = Bin2Str(AsoR.read(20))
        if instr(Tag,"0000000") >0 then
            PositionStart = PositionStart + 1
        else
            PositionStart = PositionStart + 20
        end if
        if Tag = "00000000000000000708783" or Tag = "00000000000000000678783" then
            OKed = false
        end if
        'stop at end of file instead of seeking past it when no tag is found
        if OKed and PositionStart + 20 > filesize then
            msgbox "文件错误" 'message text: "File error"
            WScript.Quit
        end if
    wend
else
    msgbox "文件错误" 'message text: "File error"
    WScript.Quit 'file is smaller than the player, nothing to extract
end if
PositionStart = PositionStart + 16
'msgbox PositionStart
AsoR.Position = PositionStart
AsoW.write AsoR.read(filesize-int(PositionStart)-int(EndSize))
'new file name
dim newFileName
'newFileName = left(FlashFileName,len(FlashFileName)-4) & ".swf"
newFileName = FlashFileName & ".swf"
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(newFileName)) Then
    'prompt text: "<file> already exists / Replace it?", title "File already exists - exe2swf script"
    overwrite = msgbox(newFileName&" 已存在"& vbnewline &"要替换它吗?",308,"文件已经存在 - exe2swf脚本")
    if overwrite=6 then
        AsoW.SaveToFile newFileName, 2
    else
        msgbox "操作被取消",0,"exe2swf脚本" 'message text: "Operation cancelled"
    end if
else
    AsoW.SaveToFile newFileName, 1
end if
AsoR.close
set AsoR=nothing
AsoW.close
set AsoW=nothing
'Converts binary data into a string of the decimal values of its bytes
Function Bin2Str(Bin)
    Dim I, Str
    For I=1 to LenB(Bin)
        clow=MidB(Bin,I,1)
        if ASCB(clow)<128 then
            Str = Str & (ASCB(clow))
        else
            I=I+1
            if I <= LenB(Bin) then Str = Str & (ASCW(MidB(Bin,I,1)&clow))
        end if
    Next
    Bin2Str = Str
End Function
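The two tag strings in the script are the decimal byte values of 17 zero bytes followed by "FWS" (70 87 83) or "CWS" (67 87 83), the SWF signatures. The Python sketch below is an added example, not part of the original post or of haiwa's script: it finds the same marker with an exhaustive search instead of the script's 1-or-20-byte stepping, then compares the extracted size with the length declared in the SWF header so that leftover bytes after the movie become visible. The function names, the default start offset of 0 and the sample data are assumptions made for illustration.

```python
import struct
import zlib

NUL_RUN = 17  # the script's tag: 17 zero bytes, then the 3-byte signature

def extract_swf(exe: bytes, start: int = 0, end_size: int = 8) -> bytes:
    """Locate the SWF by the script's marker and return its bytes."""
    hits = [exe.find(b"\x00" * NUL_RUN + sig, start) for sig in (b"FWS", b"CWS")]
    hits = [h for h in hits if h >= 0]
    if not hits:
        raise ValueError("no FWS/CWS signature after the zero run")
    begin = min(hits) + NUL_RUN              # first byte of the signature
    swf = exe[begin:len(exe) - end_size]     # drop the exe's trailing bytes
    if len(swf) < 8:
        raise ValueError("SWF header truncated")
    return swf

def surplus_bytes(swf: bytes) -> int:
    """Bytes beyond what the header declares (0 = sizes agree, <0 = truncated)."""
    declared = struct.unpack_from("<I", swf, 4)[0]   # uncompressed file length
    if swf[:3] == b"FWS":
        return len(swf) - declared
    d = zlib.decompressobj()                         # CWS: zlib body after 8 bytes
    body = d.decompress(swf[8:])
    if not d.eof or 8 + len(body) != declared:
        raise ValueError("CWS body does not match the declared length")
    return len(d.unused_data)

def make_swf(body: bytes, compressed: bool = False) -> bytes:
    """Constructed test data: header plus an opaque body, not a playable movie."""
    head = (b"CWS" if compressed else b"FWS") + b"\x04" + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)

def make_projector(swf: bytes, extra: bytes = b"") -> bytes:
    """Constructed stand-in for an exe: filler, zero run, SWF, 8-byte tail."""
    return b"\x90" * 64 + b"\x00" * NUL_RUN + swf + extra + b"\xAA" * 8

if __name__ == "__main__":
    clean = make_swf(b"movie-bytes")
    for label, exe in (("clean", make_projector(clean)),
                       ("padded", make_projector(clean, b"MZ-appended"))):
        print(label, surplus_bytes(extract_swf(exe)))
```

A non-zero result means the extracted file carries bytes the SWF header does not account for, which is worth inspecting before the file is opened.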
|