几年前,我看到一些批处理脚本,乍看之下没有任何相关内容,但内容却很多。内容是 base64 编码的,当您运行脚本时,它们只是运行在那里编码的命令。
类似
SET mypath=%~dp0
echo "%mypath%
看起来与
相似some_base_64_decoding_function(
U0VUIG15cGF0aD0lfmRwMA0KIGVjaG8gIiVteXBhdGgl
)
我真的不记得那些文件是怎么回事,我在互联网上找不到任何相关的东西,除了这篇文章:Convert PowerShell script into non-readable format 但这只是参考 PowerShell 脚本,我需要它用于 .bat 脚本。
有人给我提示吗?
【问题讨论】:
标签: batch-file base64
这是一个示例批处理文件,用于使用 Certutil 实用程序在 Base 64 中编码文件。
只需将此代码保存在记事本、notepad++ 或任何文本编辑器中: Certutil_B64_Encoding_Files.bat并将任何文件拖放到其上进行编码
@echo off
Title Encoding files with CERTUTIL utility by Hackoo 2017
color 0A & Mode 83,3
If "%~1"=="" (
color 0C & Mode 80,3
echo(
echo You must drag and drop a file over this batch script to be encoded !
Timeout /T 5 /nobreak>nul & exit /b
)
@for /f %%i in ("certutil.exe") do if not exist "%%~$path:i" (
echo CertUtil.exe not found.
pause
exit /b
)
set "TempFile=%Temp%\Temp_b64
set "OutputFile=%~nx1_encoded%~x0"
If exist "%OutputFile%" Del "%OutputFile%" >nul 2>&1
echo(
echo Please wait a while ... Encoding "%~nx1" is in progress ...
certutil.exe -f -encode "%~1" "%TempFile%" >nul 2>&1
(
echo @echo off
echo CERTUTIL -f -decode "%%~f0" "%%Temp%%\%~nx1" ^>nul 2^>^&1
echo Start "%~n1" "%%Temp%%\%~nx1"
echo Exit
)>> "%OutputFile%"
copy "%OutputFile%" /b + "%TempFile%" /b >nul 2>&1
If exist "%TempFile%" Del "%TempFile%" >nul 2>&1
Timeout /T 2 /NoBreak>nul & exit
这是我的一个名为 CommandLine.hta_encoded.bat 的 HTA 文件的编码输出结果 因此,您应该将此代码复制并粘贴为 CommandLine.hta_encoded.bat 并通过双击执行它。你会得到这样的东西:
@echo off
CERTUTIL -f -decode "%~f0" "%Temp%\DJBuzzRadio.vbs" >nul 2>&1
Start "DJBuzzRadio" "%Temp%\DJBuzzRadio.vbs"
Exit
-----BEGIN CERTIFICATE-----
UGxheSAiaHR0cDovL3d3dy5jaG9jcmFkaW9zLmNoL2RqYnV6enJhZGlvX3dpbmRv
d3MubXAzLmFzeCINClN1YiBQbGF5KFVSTCkNCiAgIERpbSBTb3VuZA0KICAgU2V0
IFNvdW5kID0gQ3JlYXRlT2JqZWN0KCJXTVBsYXllci5PQ1giKQ0KICAgU291bmQu
VVJMID0gVVJMDQogICBTb3VuZC5zZXR0aW5ncy52b2x1bWUgPSAxMDANCiAgIFNv
dW5kLkNvbnRyb2xzLnBsYXkNCiAgIGRvIHdoaWxlIFNvdW5kLmN1cnJlbnRtZWRp
YS5kdXJhdGlvbiA9IDANCiAgICAgICB3c2NyaXB0LnNsZWVwIDEwMA0KICAgbG9v
cA0KICAgd3NjcmlwdC5zbGVlcCAoaW50KFNvdW5kLmN1cnJlbnRtZWRpYS5kdXJh
dGlvbikrMSkqMTAwMA0KRW5kIFN1Yg0K
-----END CERTIFICATE-----
【讨论】:
MACRO-b64decode.bat
@echo off
SETLOCAL DISABLEDELAYEDEXPANSION
::DEFINITIONS
( set LF=^
%= EMPTY =%
)
set ^"NL=^^^%LF%%LF%^%LF%%LF%^^"
set $MACRO.ForEntireLine=^^^^^^^"eol^^^^=^^^^^^^%LF%%LF%^%LF%%LF%^^^%LF%%LF%^%LF%%LF%^^^^ delims^^^^=^^^^^^^"
::MACRO
ENDLOCAL &^
set $MACRO.b64exec=FOR %%? in (args main) do if "%%?" == "main" (%NL%
FOR %%a in (!args!) do (%NL%
^>encoded.txt echo %%a%NL%
^>nul certutil -decodehex encoded.txt decoded.txt 1%NL%
FOR /F %$MACRO.ForEntireLine% %%x in (decoded.txt) do %%x%NL%
del /F /Q encoded.txt decoded.txt%NL%
)%NL%
) ELSE SETLOCAL ENABLEDELAYEDEXPANSION ^& set args=
在批处理文件中调用宏:
call MACRO-b64decode.bat
%$MACRO.b64exec% ZWNobyBoZWxsbywgd29ybGReIQ==
将输出:
hello, world!
注意:DELAYEDEXPANSION 已启用
【讨论】: