
Application Research And Design Of Malicious Code Based On Powershell

Posted on: 2018-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: P C Gao
Full Text: PDF
GTID: 2348330521950294
Subject: Engineering

Abstract/Summary:
With the development of science and technology, malware detection technologies are becoming more and more mature, and the threat posed by traditional malicious code is gradually weakening. Because of the good anti-detection ("anti-kill") characteristics of PowerShell, applications of PowerShell-based malicious code are gradually increasing, and the trend is spreading. The banking Trojan VAWTRAK and the worm Duqu 2.0, both prevalent in recent years, are two PowerShell-based malware families; their harm has spread to countless banking systems and business organizations, leading to immeasurable losses. Therefore, the study of PowerShell-based malicious code has become a hot topic in information security.

This thesis begins with the PowerShell script: it introduces the five execution policies (execution strategies) of PowerShell scripts in detail, then presents three common methods of bypassing the default restricted execution policy.

Next comes the application research of PowerShell malicious code, which focuses on two parts. The first part covers the regular applications of PowerShell malicious code: it explains how PowerShell code loads malicious payloads, how PowerShell malicious code is used to make phishing files, and how it is used to collect system information, each illustrated with an instance. This part analyzes and dissects these function scripts in depth, and finds that at their core they all use PowerShell to load a malicious payload. The second part covers the other applications of PowerShell malicious code, and briefly introduces its use in network penetration and program analysis.

Then, after studying, comparing and analyzing the applications of PowerShell malicious code, their advantages are obtained: the underlying .NET Framework can be fully called; "fileless" penetration attacks can be carried out; and the application code is simple, flexible and powerful. Its shortcomings are also briefly described.

Based on this application research, a way of thinking about defense against PowerShell malicious code attacks is developed. Combined with PowerShell's own three defensive measures, three suggestions are put forward for defending against PowerShell malicious code attacks: restricting user access; executing only signed scripts; and using endpoint security tools.

Finally, in response to the shortcomings of PowerShell malicious code applications, an optimized application design is proposed: a dynamic and integrated application design based on PowerShell malicious code. The software is divided into two parts, the client and the server. The server is built with the regular LAMP software stack, and the key client part is written in C++. The client interacts with the server over HTTP; after receiving data from the server it parses the data and judges its type. If the data meets the conditions, the client creates a subroutine that invokes the PowerShell program to execute the PowerShell command, returns the execution result to the server side, and then shuts down the sub-thread; if the data does not meet the conditions, it is discarded directly. After processing the data, the client continues to receive data from the server and repeats the process. In the code implementation, a json library is used to parse JSON data and a self-written HTTP class is used for HTTP communication; the key functions, such as the heartbeat function, the memory allocation function and the data processing function, are explained in detail together with the code and flow charts. Finally, the specific functions of the software are simulated successfully.
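The abstract's second defensive recommendation, executing only signed scripts, rests on two PowerShell mechanisms: the execution policy (the "execution strategies" the thesis surveys) and Authenticode signature checks. The following PowerShell snippet is an added example, not code from the thesis, showing how a defender inspects the effective policy at each scope, sets AllSigned for the machine, and audits a directory of scripts for their signature status before they are permitted to run. It assumes an administrative PowerShell session on Windows; the script directory C:\Scripts is a placeholder.

```powershell
# Added example (not from the thesis): enforce and audit the "execute only
# signed scripts" recommendation. Assumes an elevated PowerShell session.

# 1. Show the execution policy at every scope. The most specific scope that is
#    not Undefined wins; MachinePolicy and UserPolicy come from Group Policy.
Get-ExecutionPolicy -List

# 2. Require Authenticode signatures for all scripts on this machine.
#    The execution policy is a safety feature rather than a hard security
#    boundary, which is why the thesis pairs it with restricted user access
#    and endpoint security tooling.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Audit every .ps1 under a directory and report which ones AllSigned would
#    refuse to run, together with the signer of the ones it would accept.
function Test-SignedScripts {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # placeholder path, supplied by the caller
    )

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Script  = $_.FullName
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Only a Valid signature from a trusted publisher satisfies AllSigned.
            Allowed = ($sig.Status -eq 'Valid')
        }
    }
}

# Usage: list the scripts that would be blocked, so they can be reviewed and
# signed (or removed) before the policy change surprises anyone.
Test-SignedScripts -Path 'C:\Scripts' |
    Where-Object { -not $_.Allowed } |
    Format-Table -AutoSize
```

A HashMismatch status on a previously valid script is worth attention, since it means the file's contents changed after it was signed.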
Keywords/Search Tags: malicious code, Powershell, phishing file, Powershell attack defense