윈 도 우 cmd 파일 암호화 복화/암화 어떻게 하나요?

하지만 메모장이나 편집기로 열면 내용은 일반적인 exe 파일 처럼 보여지네요

 

하지만 메모장이나 편집기로 열면 내용은 일반적인 cmd 파일 처럼 보여지네요 <-- 이게 맞는 말 아닌가요?

 

이게 맞다면 우클릭 메뉴 트윅을 했는지 봐야할 것 같네요

 

암호화 복호화의 문제는 아닌 것 같네요

배치 파일 cmd 난독화라고 구글에 검색하면 대충 나옵니다. 

난독화 기술은 현재 랜섬웨어에 사용되고 있는 기술들 중 하나입니다.

 

첨부한 cmd파일에 해골 모양있는 것 보니까 중국에서 만든 암호화 프로그램 사용하는 것 같습니다.

암호해독 하는 분 윈포에서 저는 한분 확인했습니다.

 

 

 

 

디펜더가 조심하라고 경고 띄우는데요.

 

 

 &cls

@echo off  & title Windows 10 

    

mode con cols=50 lines=10 

::PowerShell -NoLogo -WindowStyle Hidden -ExecutionPolicy Bypass -Command  "& '.\*.ps1'" 

move /y "c:\Windows\Setup\Scripts\Defender\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppxManifest.xml" "c:\windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy" >nul 2>&1 \r\nmove /y "c:\Windows\Setup\Scripts\Defender\Program Files\Windows Defender\MsMpEng.exe" "c:\Program Files\Windows Defender" >nul 2>&1\r\n     \r\n:: v2: less flicker\r\n\r\n:gui_dialog_1\r\nset first_choices=

,Microsoft-Defender 

,Windows10 

&set title=

:: Show gui dialog 1=Title 2=choices 3=outputvariable\r\ncall :choice "Windows 10 

" "%first_choices%" CHOICE\r\n:: Quit if no choice selected\r\nif not defined CHOICE color 0c & exit /b\r\n:: Print choices\r\necho Choice1: %CHOICE% & echo.\r\n:: Continue to dialog_2\r\ngoto gui_dialog_2\r\n\r\n\r\n:gui_dialog_2\r\n:: Process results from dialog_1\r\nif "%CHOICE%"=="

" set next_choices=EasyDrv (

),K-Driver (

 A~Z:\K-Driver),

&set title=

if "%CHOICE%"=="

" set next_choices=7-zip,

 9.0,

 (Translucent),Office 2021 LTSC 

&set title=

if "%CHOICE%"=="Microsoft-Defender 

" goto "Microsoft-Defender 

if "%CHOICE%"=="Windows10 

" goto "Windows10 

if "%CHOICE%"=="

"   call :"

"  & reg delete "HKLM\SOFTWARE\EasyDrv7" /f >nul 2>&1 & exit\r\n:: Show gui dialog 1=Title 2=choices 3=outputvariable\r\ncall :choice "%title%" "%next_choices%" CHOICE\r\n:: Quit if no choice selected\r\nif not defined CHOICE color 0c & exit /b\r\n:: Print choices\r\necho Choice2: %CHOICE% & echo.\r\n:: Back to dialog_1\r\nif "%CHOICE%"=="

" goto gui_dialog_1\r\n\r\n:: Process final choice\r\ncall :"%CHOICE%"\r\n\r\n:: Choice code\r\n:"EasyDrv (

for %%A in ( Z Y X W V U T S R Q P O N M L K J I H G F E D C B A ) do (\r\n

for /f "tokens=*" %%B in ( '"dir /a:d /b %%A:\EasyDrv* 2>nul"' ) do ( set "EasyDrvPath=%%A:\%%B" )\r\n)\r\nif not defined EasyDrvPath ( goto gui_dialog_2 )\r\n\r\nfor /f "tokens=*" %%A in ( '"dir /a:-d /b "%EasyDrvPath%\EasyDrv7*.exe ""' ) do ( set "EasyDrvExe=%%A" )\r\nif not defined EasyDrvExe ( goto gui_dialog_2 )\r\n\r\ncall "%EasyDrvPath%\%EasyDrvExe%" /a /c\r\ntitle EasyDrv 

goto gui_dialog_2\r\n\r\n:"K-Driver (

 A~Z:\K-Driver)"\r\nfor %%A in ( Z Y X W V U T S R Q P O N M L K J I H G F E D C B A ) do (\r\n

for /f "tokens=*" %%B in ( '"dir /a:d /b %%A:\K-Dri* 2>nul"' ) do ( set "KDriverPath=%%A:\%%B" )\r\n)\r\nif not defined KDriverPath ( goto gui_dialog_2 )\r\n\r\nfor /f "tokens=*" %%A in ( '"dir /a:-d /b "%KDriverPath%\KDLaunc*.exe ""' ) do ( set "KDriverExe=%%A" )\r\nif not defined KDriverExe ( goto gui_dialog_2 )\r\n\r\ncall "%KDriverPath%\%KDriverExe%"\r\ntitle KDriver 

goto gui_dialog_2\r\n\r\n:"7-zip"\r\ncall %~dp0data\7z2200-x64.exe /S\r\necho. \r\ntimeout /t 1 >nul\r\nmove /y "c:\Windows\Setup\Scripts\data\7-Zip\*.*" "c:\Program Files\7-Zip" >nul 2>&1 \r\ntitle 7-zip 

call :MsgBox "7-zip 

" "" "7-zip"\r\ncls\r\ngoto gui_dialog_2\r\n\r\n:"

netsh advfirewall firewall add rule name="Bandizip" dir=in program="C:\Program Files\Bandizip\Bandizip.exe" action=block >nul 2>&1\r\n\r\nnetsh advfirewall firewall add rule name="Bandizip" dir=out program="C:\Program Files\Bandizip\Bandizip.exe" action=block >nul 2>&1\r\n\r\ntimeout /t 2 >nul 2>&1\r\n\r\ncall %~dp0data\BANDIZIP-SETUP-ENT.EXE /S Bandizip@Forum.kr 20991231-ENT027912-CED03578AC-1695ED01\r\ntitle 

call :MsgBox "

" "" "

goto gui_dialog_2\r\n\r\n:"

 9.0"\r\nstart /wait %~dp0Packages\DX9\DX90c_Addon_Installer.exe /VERYSILENT /NORESTART /SUPPRESSMSGBOXES\r\ntitle 

 9.0 

call :MsgBox "

 9.0 

" "" "

 9.0"\r\ncls\r\ngoto gui_dialog_2\r\n\r\n:"

start /wait %~dp0Packages\AppCheck\AppCheckSetup.exe /S\r\nxcopy /y /s /h "%~dp0\Packages\AppCheck\AppCheck.reg" "c:\Windows\Setup\bat\data\Reg\" >nul 2>&1\r\ntitle 

call :MsgBox "

" "" "

goto gui_dialog_2\r\n\r\n:"

 (Translucent)"\r\nxcopy /y /s /h "%~dp0\Packages\Translucent" "%ProgramFiles(x86)%\Translucent\" >nul 2>&1\r\ntimeout /t 1 >nul\r\ncd /d "C:\Windows\Setup\Scripts\schedule" && schtasks /Create /XML "Translucent.xml"  /TN "\Microsoft\Windows\Task Manager\Translucent" >nul 2>&1 \r\ntitle 

call :MsgBox "

" "" "

goto gui_dialog_2\r\n\r\n:"Office 2021 LTSC 

ren "%~dp0schedule\Office_Setup.xml" "Office Setup.xml" >nul 2>&1 \r\ntitle Office 2021 LTSC\r\ncall :MsgBox "Office 2021 LTSC 

" "" "Office 2021 LTSC"\r\ncls\r\ngoto gui_dialog_2\r\n\r\n:"Microsoft-Defender 

call :MsgBox "Microsoft Defender 

.? "  "VBYesNo+VBQuestion" "Microsoft Defender 

 "    \r\n if errorlevel 7 ( goto gui_dialog_1 ) else if errorlevel 6 (\r\ntitle Microsoft Defender\r\n@start /b "Defender - TrustedInstaller" "%~dp0NSudo.exe" -U:T -P:E "%~dp0Defender.cmd" & call :MsgBox "Microsoft Defender 

" "" "Microsoft Defender" & goto gui_dialog_1\r\n )\r\n\r\n:"Microsoft-Store 

call :MsgBox "Windows Store 

? "  "VBYesNo+VBQuestion" "Windows Store 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle Windows Store\r\ndism /online /Remove-ProvisionedAppxPackage /PackageName:Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe /NoRestart\r\ndism /online /Remove-ProvisionedAppxPackage /PackageName:Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe /NoRestart\r\ncall :MsgBox "Windows Store 

" "" "Windows Store"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"QuickAssist 

call :MsgBox "

.? "  "VBYesNo+VBQuestion" "QuickAssist 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle App.Support.QuickAssist\r\ndism.exe /Online /Remove-capability /capabilityname:App.Support.QuickAssist~~~~0.0.1.0 /NoRestart\r\ncall :MsgBox "QuickAssist 

" "" "QuickAssist"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"Hello.Face 

call :MsgBox "Windows 

? "  "VBYesNo+VBQuestion" "Hello.Face 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle Hello.Face\r\ndism.exe /Online /Remove-capability /capabilityname:Hello.Face.18967~~~~0.0.1.0 /NoRestart\r\ncall :MsgBox "Hello.Face 

" "" "Hello.Face"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"MathRecognizer 

call :MsgBox "

? "  "VBYesNo+VBQuestion" "MathRecognizer 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle MathRecognizer\r\ndism.exe /Online /Remove-capability /capabilityname:MathRecognizer~~~~0.0.1.0 /NoRestart\r\ncall :MsgBox "MathRecognizer 

" "" "MathRecognizer"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"OneSync 

call :MsgBox "

.? "  "VBYesNo+VBQuestion" "OneSync 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle OneCoreUAP.OneSync\r\ndism.exe /Online /Remove-capability /capabilityname:OneCoreUAP.OneSync~~~~0.0.1.0 /NoRestart\r\ncall :MsgBox "OneSync 

" "" "OneSync"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"OpenSSH.Client 

call :MsgBox "OpenSSH 

.? "  "VBYesNo+VBQuestion" "OpenSSH 

 "    \r\n if errorlevel 7 ( goto gui_dialog_2 ) else if errorlevel 6 (\r\ntitle OpenSSH\r\ndism.exe /Online /Remove-capability /capabilityname:OpenSSH.Client~~~~0.0.1.0 /NoRestart\r\ncall :MsgBox "OpenSSH.Client 

" "" "OpenSSH.Client"\r\ngoto gui_dialog_2\r\n )\r\n\r\n:"Windows10 

@start /b "WindowsAct - TrustedInstaller" "%~dp0NSudo.exe" -U:T -P:E "%~dp0WindowsAct.cmd" \r\ntitle Windows10 

goto gui_dialog_1\r\n\r\n::---------------------------------------------------------------------------------------------------------------------------------\r\n:choice\r\nrem 1=title 2=options 3=output_variable                                          example: call :choice Choose "op1,op2,op3" result\r\nsetlocal & set "c=about:<title>%~1</title><head><script language='javascript'>window.moveTo(-250,-250);window.resizeTo(250,250);"\r\nset "c=%c% </script><hta:application innerborder='no' sysmenu='yes' scroll='no'><style>body{background-color:white;}"\r\nset "c=%c% br{font-size:14px;vertical-align:-4px;} .button{background-color:#7D5BBE;border:2px solid #392E5C; color:white;"\r\nset "c=%c% padding:4px 4px;text-align:center;text-decoration:none;display:inline-block;font-size:16px;cursor:pointer;"\r\nset "c=%c% width:100%%;display:block;}</style></head><script language='javascript'>function choice(){"\r\nset "c=%c% var opt=document.getElementById('options').value.split(','); var btn=document.getElementById('buttons');"\r\nset "c=%c% for (o in opt){var b=document.createElement('button');b.className='button';b.onclick=function(){\r\nset "c=%c% close(new ActiveXObject('Scripting.FileSystemObject').GetStandardStream(1).Write(this.value));};"\r\nset "c=%c% b.appendChild(document.createTextNode(opt[o]));btn.appendChild(b);btn.appendChild(document.createElement('br'));};"\r\nset "c=%c% btn.appendChild(document.createElement('br'));var r=window.parent.screen;"\r\nset "c=%c% window.moveTo(r.availWidth/3,r.availHeight/6);window.resizeTo(r.availWidth/3,document.body.scrollHeight);}</script>"\r\nset "c=%c% <body onload='choice()'><div id='buttons'/><input type='hidden' name='options' value='%~2'></body>"\r\nfor /f "usebackq tokens=* delims=" %%# in (`mshta "%c%"`) do set "choice_var=%%#"\r\nendlocal & set "%~3=%choice_var%" & exit/b &rem snippet by AveYo released under MIT License\r\n::-------------------------------------------------------------------------------------------------------------------------------- \r\n\r\n::-------------------------------------------------------------------------------------------------------------------------------- \r\n :MsgBox prompt type title\r\n setlocal enableextensions\r\n set "tempFile=%temp%\%~nx0.%random%%random%%random%vbs.tmp"\r\n >"%tempFile%" echo(WScript.Quit msgBox("%~1",%~2,"%~3") & cscript //nologo //e:vbscript "%tempFile%"\r\n set "exitCode=%errorlevel%" & del "%tempFile%" >nul 2>nul\r\n endlocal & exit /b %exitCode%\r\n::-------------------------------------------------------------------------------------------------------------------------------- \r\n

저번에 저도 비슷한 질문을 올렸었는데요

https://windowsforum.kr/qna/14945899

 

인코딩 변경을 통한 난독화 방법을 사용하신 거 같은데요

제가 이것저것 해보다가 해독은 가능했는데요

똑같이 따라해보려고 했는데 난독화 시키는 방법은 모르겠더라고요.