[Python3.3.1] EXE转BAT工具
本帖最后由 20230713G001133 于 2024-4-6 15:09 编辑用法:转换.py Input.exe Output.bat
仅限Python3.3.1
将包括但不限于EXE的文件转码为Base64并写入一个BAT文件中
```
import sys, os, base64, zipfile
use_zip = "-zip" in sys.argv
for_xp = "-xp" in sys.argv
use_script = "-zip" in sys.argv or "-xp" in sys.argv
ZIP_NAME = "z.zip"
EXE_NAME = "MEMZ.exe"
BASE64_NAME = "x"
JS_NAME = "x.js"
def writeScript(script, path):
out = ""
i = 0
for line in script.splitlines():
if i == 0:
out += 'echo %s>%s\r\n' % (batchescape(line), path)
else:
out += 'echo %s>>%s\r\n' % (batchescape(line), path)
i+=1
return out
def batchescape(s):
chrs = '<>|"&'
for c in chrs:
s = s.replace(c, "^"+c)
return s#.replace("%", "%%")
out = "@echo off\r\n\r\n"
fn = sys.argv
if use_zip:
with zipfile.ZipFile("temp.zip", "w") as z:
z.write(sys.argv, EXE_NAME, zipfile.ZIP_DEFLATED)
fn = "temp.zip"
ifile = open(fn, "rb")
inp = ifile.read()
ifile.close()
b64 = base64.encodebytes(inp).decode('utf-8')
out += writeScript(b64, BASE64_NAME)
if use_zip:
os.remove("temp.zip")
if use_script:
out += "\r\n"
if use_zip:
js = """f=new ActiveXObject("Scripting.FileSystemObject");i=f.getFile("%s").openAsTextStream();
x=new ActiveXObject("MSXml2.DOMDocument").createElement("Base64Data");x.dataType="bin.base64";
x.text=i.readAll();o=new ActiveXObject("ADODB.Stream");o.type=1;o.open();o.write(x.nodeTypedValue);
z=f.getAbsolutePathName("%s");o.saveToFile(z);s=new ActiveXObject("Shell.Application");
s.namespace(26).copyHere(s.namespace(z).items());o.close();i.close();""" % (BASE64_NAME, ZIP_NAME)
out += writeScript(js, JS_NAME)
elif for_xp:
js = """i=WScript.createObject("Scripting.FileSystemObject").getFile("%s").openAsTextStream();
x=WScript.createObject("MSXml2.DOMDocument").createElement("Base64Data");x.dataType="bin.base64";
x.text=i.readAll();o=WScript.createObject("ADODB.Stream");o.type=1;o.open();o.write(x.nodeTypedValue);
o.saveToFile("%s");o.close();i.close();""" % (BASE64_NAME, EXE_NAME)
out += writeScript(js, JS_NAME)
out += "\r\n"
out += 'set v="%%appdata%%\\%s"\r\n' % EXE_NAME
out += "del %v% >NUL 2>NUL\r\n"
if use_script:
out += "cscript %s >NUL 2>NUL\r\n" % JS_NAME
out += "del %s >NUL 2>NUL\r\n" % JS_NAME
else:
out += "certutil -decode %s %%v%% >NUL 2>NUL\r\n" % BASE64_NAME
if for_xp:
out += "move %s %%v%% >NUL 2>NUL\r\n" % EXE_NAME
if use_zip:
out += "del %s >NUL 2>NUL\r\n" % ZIP_NAME
out += "del %s >NUL 2>NUL\r\n" % BASE64_NAME
out += 'start "" %v%'
ofile = open(sys.argv, "wb")
ofile.write(out.encode('utf-8'))
ofile.close()
print(len(out), "characters.")
``` 本帖最后由 lccccccc 于 2024-4-6 17:33 编辑
这个应该是memz源码里面的吧?
https://s21.ax1x.com/2024/04/06/pFqYBCR.png
你只是将py2的版本改成适用于py3的就发出来了
应该改成“转载”才行 试了一下,可惜火绒直接拦截了 {:1_907:} 默默地问一句,这样做的主要用途是?某些电脑不让执行外部exe? wkdxz 发表于 2024-4-6 15:22
试了一下,可惜火绒直接拦截了
火绒安全的人说符合检测模型但我不知道是什么模型
您好,kernel32.bat符合检测模型,不进行处理。 lemonatalk952 发表于 2024-4-6 15:24
默默地问一句,这样做的主要用途是?某些电脑不让执行外部exe?
我觉得这个拿来做CrackMe不错 我觉得这个拿来做CrackMe不错安全软件不一定会放过的,最好是在沙盘、虚拟机上弄吧 lemonatalk952 发表于 2024-4-6 15:30
安全软件不一定会放过的,最好是在沙盘、虚拟机上弄吧
转换器本身没恶意行为,但是转换的文件有没有恶意行为谁都不知道 有些巨大无比的Linux安装脚本估计就是这么来的 感觉有用
页:
[1]
2