黑客资源之网站程序安全分析器VB源码
http://www.sina.com.cn 2006年12月05日 07:08 赛迪网
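' ============================================================================
' "Website script security analyser" (网站程序安全分析器) - VB6 form module.
' Source: published on sina.com.cn / 赛迪网, 2006-12-05, as a "hacker resource".
'
' Author's own description (translated from the article): the tool "kills"
' ASP, ASPX, PHP, CGI, JSP and VBS webshells and claims to find 99% of
' encoded/obfuscated shells; the author admits that the higher the
' sensitivity the higher the false-positive rate ("better to wrongly flag
' three thousand than let one shell through"), that the principle is nothing
' more than substring matching, and that the code was released because the
' ScanWebshell project had released theirs.
'
' Security review notes:
'   * Detection is case-insensitive substring matching on single lines
'     against a fixed, public signature list (see CheckLine).  Anything an
'     attacker splits across lines, builds with Chr()/concatenation or
'     encodes differently is missed, and several signatures ("cmd", "FSO",
'     "Upload", "Socket", "127.0.0.1", "java.util", "System.IO", ...) fire on
'     ordinary legitimate code.  Treat every hit as a lead for manual review,
'     never as a verdict.
'   * Defects fixed in this revision: hidden/system files were silently
'     skipped because Dir() was used as an existence test ("attrib +h" was a
'     complete bypass); the FindFirstFile handle leaked when the scan was
'     stopped; an unreadable file aborted the whole scan; reparse points
'     (junctions) were followed during recursion; CxLog read one index past
'     the end of the list box; the PIDL from SHBrowseForFolder was never
'     freed; the log path passed to Notepad was unquoted; the log file name
'     depended on the locale short-date format.
'   * The form must provide: Text1 (path), Text5 (progress), List1 (results),
'     Label2/Label3 (counters), Command1 (browse), Command3 (scan),
'     Command7 (stop) and Image1..Image4 (minimise/close skins).
' ============================================================================
Option Explicit

' --- Win32: layered window and caption-drag support -------------------------
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function SetLayeredWindowAttributes Lib "user32" (ByVal hwnd As Long, ByVal crKey As Long, ByVal bAlpha As Byte, ByVal dwFlags As Long) As Long
Private Declare Function ReleaseCapture Lib "user32" () As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function timeGetTime Lib "winmm.dll" () As Long
Private Declare Sub InitCommonControls Lib "comctl32.dll" ()

Private Const WS_EX_LAYERED = &H80000
Private Const GWL_EXSTYLE = (-20)
Private Const LWA_ALPHA = &H2
Private Const LWA_COLORKEY = &H1
Private Const HTCAPTION = 2
Private Const WM_NCLBUTTONDOWN = &HA1

' --- Win32: directory enumeration -------------------------------------------
Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileA" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" (ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long

Private Const MAX_PATH = 260
Private Const MAXDWORD = &HFFFF
Private Const INVALID_HANDLE_VALUE = -1
Private Const FILE_ATTRIBUTE_ARCHIVE = &H20
Private Const FILE_ATTRIBUTE_DIRECTORY = &H10
Private Const FILE_ATTRIBUTE_HIDDEN = &H2
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const FILE_ATTRIBUTE_READONLY = &H1
Private Const FILE_ATTRIBUTE_SYSTEM = &H4
Private Const FILE_ATTRIBUTE_TEMPORARY = &H100
Private Const FILE_ATTRIBUTE_REPARSE_POINT = &H400    ' junctions / symbolic links

' --- Shell: folder picker ---------------------------------------------------
Private Declare Function SHBrowseForFolder Lib "shell32" (lpbi As BrowseInfo) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pIdl As Long, ByVal pszPath As String) As Long
Private Declare Sub CoTaskMemFree Lib "ole32.dll" (ByVal pv As Long)

Private Type BrowseInfo
    hwndOwner As Long
    piDLroot As Long
    pszdisplayName As String
    lpsztitle As String
    ulFlags As Long
    lpfncallback As Long
    lParam As Long
    iImage As Long
End Type

Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Private Type WIN32_FIND_DATA
    dwFileAttributes As Long
    ftCreationTime As FILETIME
    ftLastAccessTime As FILETIME
    ftLastWriteTime As FILETIME
    nFileSizeHigh As Long
    nFileSizeLow As Long
    dwReserved0 As Long
    dwReserved1 As Long
    cFileName As String * MAX_PATH
    cAlternate As String * 14
End Type

' --- Module state -----------------------------------------------------------
Private SuJu1 As Long       ' files examined so far in the current scan
Private Faxian As String    ' "发现危险" while the file being scanned has >= 1 hit
Private FaJs As Long        ' files with at least one hit in the current scan

' Inserted into the most sensitive signatures so that this source file does
' not trigger itself (or other scanners) when it is scanned.  The original
' relied on an undeclared variable (Empty); a typed empty constant
' concatenates identically and survives Option Explicit.
Private Const DoMyBest As String = ""

' Lets the borderless form be dragged from any point of its surface.
Private Sub Form_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    ReleaseCapture
    SendMessage hwnd, WM_NCLBUTTONDOWN, HTCAPTION, 0&
End Sub

' Makes every pixel of colour &HFF00FF fully transparent (colour-key layered
' window) so the skinned form has an irregular outline.
Private Sub Form_Initialize()
    Dim exStyle As Long
    InitCommonControls
    exStyle = GetWindowLong(hwnd, GWL_EXSTYLE) Or WS_EX_LAYERED
    SetWindowLong hwnd, GWL_EXSTYLE, exStyle
    SetLayeredWindowAttributes hwnd, &HFF00FF, 0, LWA_COLORKEY
End Sub

' Pumps messages for roughly 200 ms; used to show a "pressed" button image.
Sub YS()
    Dim deadline As Double
    deadline = timeGetTime + 200
    Do While timeGetTime < deadline
        DoEvents
    Loop
End Sub

' Minimise button: flash the pressed image, then minimise the form.
Private Sub Image1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    Me.Image1.Visible = False
    Me.Image2.Visible = True
    YS
    WindowState = 1
    Me.Image1.Visible = True
    Me.Image2.Visible = False
End Sub

' Close button: flash the pressed image, then terminate the program.
Private Sub Image4_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    Me.Image4.Visible = False
    Me.Image3.Visible = True
    YS
    End
End Sub

' "Browse" button: lets the user pick the folder to scan and puts its path
' into Text1.  A virtual folder with no file-system path leaves Text1
' unchanged (the original set it to an empty string).
Private Sub Command1_Click()
    Dim bi As BrowseInfo
    Dim pidl As Long
    Dim buf As String

    With bi
        .hwndOwner = Me.hwnd
        .lpsztitle = "选择查杀的文件夹:"
        .ulFlags = 3        ' BIF_RETURNONLYFSDIRS Or BIF_DONTGOBELOWDOMAIN
    End With
    pidl = SHBrowseForFolder(bi)
    If pidl = 0 Then Exit Sub   ' user cancelled

    buf = String$(MAX_PATH, vbNullChar)
    If SHGetPathFromIDList(pidl, buf) <> 0 Then
        Text1.Text = StripNulls(buf)
    End If
    CoTaskMemFree pidl          ' the shell allocates the PIDL; the caller frees it
End Sub

' Returns OriginalStr truncated at its first NUL (Win32 fixed-length buffers).
' Unlike the original this does not write the truncated value back into the
' caller's variable; no caller relied on that side effect.
Function StripNulls(OriginalStr As String) As String
    Dim nulPos As Long
    nulPos = InStr(OriginalStr, vbNullChar)
    If nulPos > 0 Then
        StripNulls = Left$(OriginalStr, nulPos - 1)
    Else
        StripNulls = OriginalStr
    End If
End Function

' Recursively scans every file under `path` whose name matches `SearchStr`,
' appending findings to List1 and progress to Text5/Label3.  Returns the
' number of files examined in this subtree (the original returned nothing
' useful).  Stops early, returning what was counted so far, as soon as
' Command3 is re-enabled by the stop button.
'
' Sub-directories are collected first and recursed into after the files of
' the current directory.  Reparse points (junctions / symbolic links) are not
' followed: anyone who can write into the scanned tree could otherwise build
' a loop or point the scan at an unrelated part of the disk.
Function FindFilesAPI(path As String, SearchStr As String)
    Dim hSearch As Long
    Dim WFD As WIN32_FIND_DATA
    Dim entryName As String
    Dim subDirs() As String
    Dim nDir As Long
    Dim i As Long
    Dim examined As Long

    If Right$(path, 1) <> "\" Then path = path & "\"

    ' Pass 1: collect the names of real sub-directories.
    ReDim subDirs(0)
    hSearch = FindFirstFile(path & "*.*", WFD)
    If hSearch <> INVALID_HANDLE_VALUE Then
        Do
            entryName = StripNulls(WFD.cFileName)
            If entryName <> "." And entryName <> ".." Then
                If (WFD.dwFileAttributes And FILE_ATTRIBUTE_DIRECTORY) <> 0 _
                   And (WFD.dwFileAttributes And FILE_ATTRIBUTE_REPARSE_POINT) = 0 Then
                    subDirs(nDir) = entryName
                    nDir = nDir + 1
                    ReDim Preserve subDirs(nDir)
                End If
            End If
            DoEvents
        Loop While FindNextFile(hSearch, WFD) <> 0
        FindClose hSearch
    End If

    ' Pass 2: examine the files of this directory.
    hSearch = FindFirstFile(path & SearchStr, WFD)
    If hSearch <> INVALID_HANDLE_VALUE Then
        Do
            entryName = StripNulls(WFD.cFileName)
            If entryName <> "." And entryName <> ".." Then
                SuJu1 = SuJu1 + 1
                examined = examined + 1
                ' Only directories are skipped.  The original tested
                ' Dir(path & name) <> "" here, and Dir() without vbHidden /
                ' vbSystem returns "" for hidden and system files, so a
                ' webshell marked "attrib +h" was never opened at all.
                If (WFD.dwFileAttributes And FILE_ATTRIBUTE_DIRECTORY) = 0 Then
                    ScanOneFile path, entryName
                End If
                Text5.Text = Text5.Text & "正在检测文件..." & vbCrLf & path & entryName & vbCrLf
            End If
            If Me.Command3.Enabled = True Then
                FindClose hSearch   ' stop requested; the original leaked this handle
                FindFilesAPI = examined
                Exit Function
            End If
            DoEvents
            Me.Label3.Caption = "扫描进程: 已经扫描文件:" & SuJu1 & "个"
        Loop While FindNextFile(hSearch, WFD) <> 0
        FindClose hSearch
    End If

    ' Pass 3: recurse into the collected sub-directories.
    For i = 0 To nDir - 1
        If Me.Command3.Enabled = True Then Exit For
        examined = examined + FindFilesAPI(path & subDirs(i) & "\", SearchStr)
    Next i
    FindFilesAPI = examined
End Function

' Reads one file line by line and runs every signature over each line, then
' appends the per-file summary block when anything matched.  A file that
' cannot be opened (locked, access denied, ...) is reported in List1 and
' skipped instead of aborting the whole scan with a runtime error.
Private Sub ScanOneFile(path As String, FileName As String)
    Dim fnum As Integer
    Dim lineText As String
    Dim fullName As String

    fullName = path & FileName
    Faxian = ""

    fnum = FreeFile             ' the original hard-coded #1
    On Error Resume Next
    Open fullName For Input As #fnum
    If Err.Number <> 0 Then
        List1.AddItem "无法读取 " & fullName & " (错误 " & Err.Number & ": " & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    Do While Not EOF(fnum)
        Line Input #fnum, lineText
        CheckLine lineText, FileName
    Loop
    Close #fnum

    ' Once more than 100 files have been seen the progress box is emptied
    ' before each append so that it only ever shows the current file.
    If SuJu1 > 100 Then Text5.Text = ""

    If Faxian = "发现危险" Then
        List1.AddItem "发现存在危险的文件是: "
        List1.AddItem ""
        List1.AddItem fullName
        List1.AddItem "-----------------------------------------------------------------------------------------------"
        FaJs = FaJs + 1
        Me.Label2.Caption = "发现有隐患的文件有:" & FaJs & "个"
    End If
    Faxian = ""
End Sub

' True when lineText contains either needle (case-insensitive).
Private Function HasEither(lineText As String, a As String, b As String) As Boolean
    HasEither = (InStr(1, lineText, a, vbTextCompare) > 0) Or (InStr(1, lineText, b, vbTextCompare) > 0)
End Function

' Appends the two standard result lines for one signature hit and marks the
' current file as suspicious.  The output text is byte-identical to the
' original tool's so existing logs keep the same format.
Private Sub ReportHit(FileName As String, kind As String, level As String, desc As String, seq As Integer)
    List1.AddItem "发现 " & FileName & " " & kind & " " & " 安全评估: " & level
    List1.AddItem "描述:" & desc & " 序列:" & seq
    Faxian = "发现危险"
End Sub

' Runs the 20 signature pairs of the original tool over one line of text.
' Signature quality varies widely: 1, 2 and 4 (COM ProgIDs / CLSIDs) and 7
' ("execute request") are reasonably specific; 5, 6, 8, 9, 14, 15 and 16
' ("Upload", "FSO", "java.util", "System.IO", "127.0.0.1", "cmd", "Socket")
' fire on most legitimate applications.  11 and 13 look like code-page /
' byte-order artefacts of encoded scripts - their intent is not documented
' and could not be confirmed.  Hits 7 and 13 overlap ("execute request"
' matches every line "execute request(" matches); kept as the original did.
Private Sub CheckLine(lineText As String, FileName As String)
    Const COMPONENT As String = "包含危险组件!"
    Const FEATURE As String = "包含危险特征!"
    Const ENCODED As String = "文件被加密!"
    Const CRITICAL As String = "危险度极高!"
    Const HIGH As String = "危险度高!"
    Const HIGH_UNKNOWN As String = "危险度高!(未知)"
    Const MEDIUM_UNKNOWN As String = "危险度中!(未知)"

    ' 1: WScript.Shell by ProgID or CLSID - command execution
    If HasEither(lineText, "WScr" & DoMyBest & "ipt.Shell", "clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8") Then
        ReportHit FileName, COMPONENT, CRITICAL, "一般被ASP木马利用来获取CMD SHELL", 1
    End If
    ' 2: Shell.Application by ProgID or CLSID
    If HasEither(lineText, "She" & DoMyBest & "ll.Application", "clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000") Then
        ReportHit FileName, COMPONENT, CRITICAL, "一般被ASP木马利用来获取系统信息", 2
    End If
    ' 3: VBScript.Encode directive / "#@" encoded-script marker
    If HasEither(lineText, "<%@ LANGUAGE = VBScript.Encode %>", "#@") Then
        ReportHit FileName, ENCODED, CRITICAL, "此文件被加过密!一般安全的程序是不可能加密的!极有可能是木马.图片格式文件可能会误杀请详细检查", 3
    End If
    ' 4: CLSIDs of file-system components
    If HasEither(lineText, "clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B", "clsid:0D43FE01-F093-11CF-8940-00A0C9054228") Then
        ReportHit FileName, COMPONENT, HIGH, "此文件包含文件读写指令.如非上传组件.请删除!", 4
    End If
    ' 5: upload component strings (very common in legitimate code)
    If HasEither(lineText, "上传组件", "Upload") Then
        ReportHit FileName, FEATURE, MEDIUM_UNKNOWN, "此文件包含上传组件或上传文件的专用串.请检查是否合法.", 5
    End If
    ' 6: "FSO" / server-side JScript block
    If HasEither(lineText, "FSO", "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>") Then
        ReportHit FileName, FEATURE, HIGH_UNKNOWN, "此文件包含木马执行特征.请检查是否合法.", 6
    End If
    ' 7: one-line ASP shell "execute request" / "FQAAAA" (undocumented fragment)
    If HasEither(lineText, "execute request", "FQAAAA") Then
        ReportHit FileName, FEATURE, CRITICAL, "此文件包含一句话木马.请手工分析删除!", 7
    End If
    ' 8: JSP - matches any java.io / java.util import
    If HasEither(lineText, "java.io", "java.util") Then
        ReportHit FileName, COMPONENT, CRITICAL, "此文件包含JSP木马.请删除!", 8
    End If
    ' 9: ASP.NET - matches any System.IO / System.Diagnostics use
    If HasEither(lineText, "System.IO", "System.Diagnostics") Then
        ReportHit FileName, COMPONENT, CRITICAL, "此文件包含ASP.NET木马.请删除!", 9
    End If
    ' 10: PHP - a specific shell's token and $_POST[cmd]
    If HasEither(lineText, "TBNnGMfflrqBF", "POST[cmd]") Then
        ReportHit FileName, COMPONENT, HIGH, "此文件包含PHP木马.请删除!", 10
    End If
    ' 11: apparent encoding artefacts - origin undocumented
    If HasEither(lineText, "务服", "琳") Then
        ReportHit FileName, ENCODED, CRITICAL, "此文件有可能被加过密!一般安全的程序是不可能加密的!极有可能是木马", 11
    End If
    ' 12: .NET sockets / "UnEncode=temp"
    If HasEither(lineText, "System.Net.Sockets", "UnEncode=temp") Then
        ReportHit FileName, FEATURE, CRITICAL, "此文件包含木马执行特征.请检查是否合法", 12
    End If
    ' 13: "execute request(" / "vbs&"
    If HasEither(lineText, "execute request(", "vbs&") Then
        ReportHit FileName, ENCODED, CRITICAL, "此文件有可能被加过密!一般安全的程序是不可能加密的!极有可能是木马", 13
    End If
    ' 14: XMLHTTP / loopback address
    If HasEither(lineText, "MSXML2.XMLHTTP", "127.0.0.1") Then
        ReportHit FileName, COMPONENT, HIGH, "此文件包含木马执行特征.请检查是否合法", 14
    End If
    ' 15: Encoding.ASCII / bare "cmd"
    If HasEither(lineText, "Encoding.ASCII", "cmd") Then
        ReportHit FileName, FEATURE, HIGH, "此文件包含木马转码特征或CMD关键字.请检查是否合法", 15
    End If
    ' 16: GetSpecialFolder / "Socket"
    If HasEither(lineText, "GetSpecialFolder", "Socket") Then
        ReportHit FileName, FEATURE, HIGH, "此文件包含木马执行特征.请检查是否合法", 16
    End If
    ' 17/18: image file name followed by '"--' (image-embedded shell heuristic)
    If HasEither(lineText, "gif""--", "jpg""--") Then
        ReportHit FileName, FEATURE, CRITICAL, "此文件引用了图片极有可能是图片木马", 17
    End If
    If HasEither(lineText, "bmp""--", "png""--") Then
        ReportHit FileName, FEATURE, CRITICAL, "此文件引用了图片极有可能是图片木马", 18
    End If
    ' 19: PHP require() with a variable / short-open-tag require
    If HasEither(lineText, "<?require(", "require($") Then
        ReportHit FileName, FEATURE, HIGH_UNKNOWN, "此文件包涵了PHP的特殊引用如发现类似<?require($AAA);?>引用请检查是否合法", 19
    End If
    ' 20: hex-encoded "NEL32" fragment / "\x escapes
    If HasEither(lineText, "4e454c33322", """\x") Then
        ReportHit FileName, FEATURE, HIGH_UNKNOWN, "此文件极有可能是提权PHP木马或加过密的文件", 20
    End If
End Sub

' "Scan" button: validates the path, resets counters, walks the tree, then
' writes and opens the log.  Command3 stays disabled for the duration;
' Command7 (stop) re-enables it, which FindFilesAPI polls as the abort flag.
Private Sub Command3_Click()
    Dim attrs As Long

    attrs = GetFileAttributes(Text1.Text)
    If Text1.Text = "" Or attrs = -1 Or (attrs And FILE_ATTRIBUTE_DIRECTORY) = 0 Then
        MsgBox "请输入正确扫描路径"
        Exit Sub
    End If

    Me.Command3.Enabled = False
    Me.Command7.Enabled = True
    List1.Clear
    FaJs = 0
    SuJu1 = 0
    Me.Text5 = ""
    Screen.MousePointer = vbHourglass

    FindFilesAPI Text1.Text & "\", "*.*"

    Screen.MousePointer = vbDefault
    MsgBox "扫描完成!自动导出扫描结果."
    CxLog
    FaJs = 0
    Me.Command3.Enabled = True
    Me.Command7.Enabled = False
End Sub

' Writes List1 to LOG\<yyyy-mm-dd>查杀结果.log under the application folder
' and opens it in Notepad.  The LOG folder is created if it is missing; if
' the file still cannot be written the user is told instead of Notepad
' silently opening an empty window.  The date is formatted explicitly
' because the locale short-date format may contain "/" (invalid in a name).
Sub CxLog()
    Dim fnum As Integer
    Dim logPath As String
    Dim i As Long

    On Error Resume Next
    MkDir App.path & "\LOG"
    Err.Clear
    logPath = App.path & "\LOG\" & Format$(Date, "yyyy-mm-dd") & "查杀结果.log"
    fnum = FreeFile
    Open logPath For Output As #fnum
    If Err.Number <> 0 Then
        MsgBox "无法写入日志: " & logPath & vbCrLf & Err.Description
        Exit Sub
    End If

    Print #fnum, "www.ChinNetHack.Com - 网站程序安全分析器 零号服务器专用"
    Print #fnum, "发现对服务器具有安全隐患的文件有" & FaJs & "个. 具体结果如下:" & vbCrLf
    For i = 0 To List1.ListCount - 1    ' the original ran one index past the end
        Print #fnum, List1.List(i)
    Next i
    Close #fnum

    ' Quote the argument: App.Path may contain spaces and the original passed
    ' it bare.  Failure to launch Notepad is ignored, as before.
    Shell "NOTEPAD.EXE """ & logPath & """", vbMaximizedFocus
End Sub

' "Stop" button: re-enables Command3, which FindFilesAPI polls to abort.
Private Sub Command7_Click()
    Me.Command3.Enabled = True
    Me.Command7.Enabled = False
    Screen.MousePointer = vbDefault
End Sub

' Keeps the progress box scrolled to its end as lines are appended.
Private Sub Text5_Change()
    Text5.SelStart = Len(Text5.Text)
End Sub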

