
 #486593  by Blau
 28 May 2016, 12:40
Hello lovelies,
I've written a function to (poly)metamorphize (I don't know which term is correct) a VBS script at runtime. It's a proof of concept; I've tested it on the script itself and it works, but I haven't tested it with longer scripts (H-Worm) or more complex ones (SafeLoader).
Call ItsMorphinTime

'####################################'
'=> By Blau (2016) - Indetectables.NET
'=> Function: ItsMorphinTime
'=> 	Description: Randomize declarations (variables, subs and functions) at runtime
Sub ItsMorphinTime()
	Dim objMatches
	Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
	Dim objME: Set objMe = objFSO.OpenTextfile(WScript.ScriptFullName, 1)
	Dim sScript: sScript = objMe.ReadAll
	Dim objRegExp: Set objRegExp = New RegExp: objRegExp.IgnoreCase = True: objRegExp.Global = True
	
	'=> Replace all subs & functions
	objRegExp.Pattern = "(\bSub|\bFunction)\s(.+?)\("
	If objRegExp.Test(sScript) Then
		Set objMatches = objRegExp.Execute(sScript)
		For i = 0 To (objMatches.Count - 1): sScript = Replace(sScript, objMatches.Item(i).SubMatches(1), RandomString()): Next
	End If
	
	'=> Replace variables (starting with Dim)
	objRegExp.Pattern = "\bdim\s([a-zA-Z0-9, ]+)"
	If objRegExp.Test(sScript) Then
		Set objMatches = objRegExp.Execute(sScript)
		Dim sVarSplit
		For i = 0 To (objMatches.Count - 1)
			sVarSplit = Split(objMatches.Item(i).SubMatches(0), ",")
			If (UBound(sVarSplit) > 0) Then
				For j = 1 To UBound(sVarSplit): sScript = Replace(sScript, sVarSplit(j), RandomString()): Next
			Else: sScript = Replace(sScript, objMatches.Item(i).SubMatches(0), RandomString())
			End If
		Next		
	End If
	
	'=> Rewrite	
	Set objMe = objFSO.OpenTextfile(WScript.ScriptFullName, 2): objMe.Write sScript
End Sub

Function RandomString(): Randomize:	For i = 1 To (Int(Rnd*25)+15): RandomString = RandomString & Chr(Int(26*Rnd+97)): Next: End Function
'####################################'
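From the detection side, the routine above leaves two things constant across every rewrite: the built-in call that opens `WScript.ScriptFullName` in write mode, and the shape of the generated names (15 to 39 lowercase letters, per `RandomString`). The Python triage heuristic below keys on both; it is an added example, not part of the original post, and its function names, threshold and sample scripts are constructed for illustration.

```python
import re

# Built-in names the renamer cannot touch: the script opening its own path for writing (mode 2).
SELF_WRITE = re.compile(r"OpenTextFile\s*\(\s*WScript\.ScriptFullName\s*,\s*2\s*\)", re.I)
# The declarations the routine renames: Sub/Function names and Dim lists.
DECL = re.compile(r"\b(?:Sub|Function)[ \t]+(\w+)|\bDim[ \t]+([\w, \t]+)", re.I)
# RandomString() yields Int(Rnd*25)+15 = 15..39 characters, each Chr(97..122), i.e. a-z.
RANDOM_NAME = re.compile(r"[a-z]{15,39}")

def declared_names(script):
    """Return every identifier declared via Sub, Function or Dim."""
    names = []
    for m in DECL.finditer(script):
        if m.group(1):
            names.append(m.group(1))
        else:
            names += [n.strip() for n in m.group(2).split(",") if n.strip()]
    return names

def analyze(script):
    """Report the two invariants: self-overwrite call and share of random-shaped names."""
    names = declared_names(script)
    random_like = [n for n in names if RANDOM_NAME.fullmatch(n)]
    return {
        "rewrites_self": bool(SELF_WRITE.search(script)),
        "random_ratio": len(random_like) / len(names) if names else 0.0,
    }

def is_suspicious(script, min_ratio=0.5):
    """Flag a self-overwriting script, or one whose declarations are mostly random-shaped."""
    result = analyze(script)
    return result["rewrites_self"] or result["random_ratio"] >= min_ratio

# Constructed samples (not captured from real files).
MORPHED = '''Sub qkzjwpxhvbtnmrolcdyae()
    Dim xhbqpwzrtkvmnsjdlcoyu: Set xhbqpwzrtkvmnsjdlcoyu = CreateObject("Scripting.FileSystemObject")
    Dim pzkrwqhvtnmbxsjdlcoyga: Set pzkrwqhvtnmbxsjdlcoyga = xhbqpwzrtkvmnsjdlcoyu.OpenTextfile(WScript.ScriptFullName, 2)
End Sub
'''
BENIGN = '''Sub BackupLogs()
    Dim objFSO, logPath
    Set objFSO = CreateObject("Scripting.FileSystemObject")
End Sub
'''

if __name__ == "__main__":
    for label, text in (("morphed", MORPHED), ("benign", BENIGN)):
        print(label, analyze(text), is_suspicious(text))
```

Both signals are triage heuristics, so a hit should send the file for review rather than be treated as a verdict.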