混淆cmd中的运算符和报价优先级 [英] Operators and quote precedence in obfuscated cmd
问题描述
我在理解此方法的评估方式时遇到麻烦,它来自于我剖析的一块恶意软件,请当心。
Im having trouble understanding how this will evaluate, it comes from a piece of malware I'm dissecting, so beware.
我删除了foor循环中的ascii乱码和整数,它们很可能带有恶意指令。因此应该没问题,我可以根据需要提供它。
I've removed the ascii giberish and the integers in the foor loop which is likely to have the malicious instructions. So it should be fine, I can provide it if need be.
如果我在基本理解所允许的范围内精简了代码,它将尝试通过以下操作: / p>
If i strip down the code the most my basic understanding allows, it is trying to pass this:
cmd.exe /c CmD /V/C"set foo=ASCIIgibberish bazz=moreASCIIgibberish&&for %f in (BunchOfIntegers)do set bar=!bar!!foo:~%f,1!&&if %f == 88 powershell.exe "!bar:~6!""
收件人:
Interaction.Shell(`here`,0)
因此,我不确定cmd和powershell如何解析引号或变量名
So, I am not sure how cmd and powershell would resolve the quotes or variable names since I'm not really familiarized with powershell and cmd precedence.
我想知道的是
cmd会将!解释为逻辑上不正确吗?
would cmd interpret the ! as a logical not?
如果这样,cmd或powershell如何评估否定性是一个字面值吗?,我想假设它看到了ascii值并在逻辑上取反它(0001变成1110),但不确定。
if so, how does cmd or powershell evaluate the negation of a literal value?, I want to assume it sees the ascii value and logically negates it, (0001 becomes 1110) but not sure.
Am我纠正了假设这只是说 powershell.exe barSubstringStartingAt6 的一种混淆方式,因为正如我所见, bar 只是从 foo 分配了88个字符,长度为79个字符,因此无法知道 bar 的内容是什么[6 ]。
Am I correct in assuming that this is just an obfuscated way of saying powershell.exe barSubstringStartingAt6, because as I see it bar is only being assigned character 88 from foo which is 79 chars long, so is not possible to know what would be at bar[6].
他们只是想将溢出的地址发送到Powershell吗?
Are they just trying to send an overflowed address to powershell?
推荐答案
正如@MC ND和@lit所解释的,!var!不是逻辑运算符,而是延迟扩展语法的简写。因此,该语句只是通过使用for循环中的int作为索引来重新排列变量中的字符
As kindly explained by @MC ND and @lit, !var! is not a logical operator but rather shorthand for delayed expansion syntax. Therefore the statement is just rearranging characters within the variable by using the int within the for loop as an index
这篇关于混淆cmd中的运算符和报价优先级的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
