
蝙蝠与飞蛾的启示

2006-08-17 16:02 447 查看
我删了杀毒软件,只用windows自带的防火墙挡挡风雨。结果在网上晃悠几天,电脑都成马厩了。什么乱七八糟的木马都有。简单一点的还好处理,用进程管理器找到进程,搜索相关文件,删!但现在都流行dll注入的了。在进程列表里找不到。只好查找进程调用的模块。但是模块实在太多了。用 tasklist /M 命令一看,密密麻麻的几页呢。但我发现注入的module大多都是临时写写,很少还会提供一个版本信息资料。而正规的程序或动态链接库一般都有版本信息的。于是就可以通过版本信息对module的政治面目进行初步判断了。(这是不是有点像飞蛾两翼侧的那两个听觉细胞?简单对抗复杂!)呵呵!结果还真的发现了两匹野马!

 

/* This code has been compiled and tested in the following environment:   */
/*  compiler: LCC3.3           */
/* operating system: Windows XP       */
/*  This sample provides some ideas for Trojan horse detection. */
/* Consequently it does little error checking.*/
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <winver.h>

/*write module information to the file*/
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap);
/*write process information to the file*/
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap);

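/* Enumerate the modules of one process and log those that carry no version
   resource (GetFileVersionInfoSize() == 0). The first module returned -- the
   process image itself -- is always logged, as in the original loop.
   A missing version resource is only a weak heuristic: it flags candidates
   for manual review, it does not prove anything about the module. */
static void LogModulesWithoutVersionInfo(HANDLE hFile, DWORD dwProcessId, LPOVERLAPPED povlap)
{
 HANDLE hSnapModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
 if (hSnapModule == INVALID_HANDLE_VALUE)
  return;   /* snapshot refused (commonly access denied): nothing to log for this process */

 MODULEENTRY32 me = { .dwSize = sizeof(MODULEENTRY32) };
 if (Module32First(hSnapModule, &me))
 {
  ModuleOut(hFile, &me, povlap);
  while (Module32Next(hSnapModule, &me))
  {
   DWORD dwVerHandle = 0;   /* documented out-parameter; the value itself is not used */
   if (GetFileVersionInfoSize(me.szExePath, &dwVerHandle) == 0)
    ModuleOut(hFile, &me, povlap);
  }
 }

 CloseHandle(hSnapModule);   /* exactly one close per successful snapshot */
}

/* Program entry point: take a snapshot of all running processes, and for each
   one write the process record plus its version-info-less modules to
   SysSnapShot.txt in the current directory. Returns 0 on success, 1 when the
   report file or the process snapshot cannot be created. Write failures inside
   ProcOut/ModuleOut are ignored (best-effort logging), as in the original. */
int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPreInst, LPSTR pszCmdLine,int nCmdShow)
{
 /* Open (and truncate) the report file. The original combined the flags with
    logical OR (||), which evaluates to 1 == FILE_ATTRIBUTE_READONLY; bitwise OR
    is what was intended. FILE_FLAG_OVERLAPPED is deliberately left out: ProcOut
    and ModuleOut discard their line buffer as soon as WriteFile returns, which
    is only safe for synchronous writes. A non-overlapped handle still honours
    the OVERLAPPED.Offset passed to WriteFile, so the offset bookkeeping in the
    two writers keeps working. */
 SetFileAttributes("SysSnapShot.txt",FILE_ATTRIBUTE_NORMAL);
 HANDLE htxtFile = CreateFile(
  "SysSnapShot.txt",
  GENERIC_WRITE,
  0,
  NULL,
  CREATE_ALWAYS,
  FILE_ATTRIBUTE_ARCHIVE | FILE_FLAG_WRITE_THROUGH,
  NULL);
 if (htxtFile == INVALID_HANDLE_VALUE)
  return 1;

 /* Offset 0: the first write starts at the beginning of the file; the writers
    advance it by the number of bytes they emit. */
 OVERLAPPED ovlap;
 ZeroMemory(&ovlap, sizeof(ovlap));

 HANDLE hSnapProc = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if (hSnapProc == INVALID_HANDLE_VALUE)
 {
  CloseHandle(htxtFile);
  return 1;
 }

 /* dwSize must be set before Process32First, per the Toolhelp API contract. */
 PROCESSENTRY32 pe = { .dwSize = sizeof(PROCESSENTRY32) };

 /* One loop handles the first and all following processes; the original
    duplicated the module walk for the first entry. */
 if (Process32First(hSnapProc, &pe))
 {
  do
  {
   ProcOut(htxtFile, &pe, &ovlap);
   LogModulesWithoutVersionInfo(htxtFile, pe.th32ProcessID, &ovlap);
  } while (Process32Next(hSnapProc, &pe));
 }

 CloseHandle(hSnapProc);
 CloseHandle(htxtFile);
 return 0;
}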

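/* Append one module record ("modBaseSize = N; szExePath=PATH") to hFile at the
   position held in povlap->Offset, then advance that offset by the bytes
   actually written. Returns FALSE if formatting or WriteFile fails.
   Uses a bounded stack buffer instead of an unchecked malloc(500) that the
   original leaked on the WriteFile failure path. */
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap )
{
 /* The two labels plus a MAX_PATH-sized szExePath fit in 512 bytes; snprintf
    bounds the write in any case. modBaseSize is a DWORD, hence %lu. */
 char szLine[512];
 int iLen = snprintf(szLine, sizeof szLine, "\nmodBaseSize  = %lu; \t szExePath=%s",
                     (unsigned long)pMe->modBaseSize, pMe->szExePath);
 if (iLen < 0)
  return FALSE;
 if ((size_t)iLen >= sizeof szLine)
  iLen = (int)(sizeof szLine - 1);   /* truncated: write what fits, never past the buffer */

 DWORD dwWritten = 0;
 if (!WriteFile(hFile, szLine, (DWORD)iLen, &dwWritten, povlap))
  return FALSE;

 /* Advance by what the OS reports, not by what we asked for. */
 povlap->Offset += dwWritten;
 return TRUE;
}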

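/* Append one process record (usage count, PID, thread count, parent PID and
   the executable name held in szExeFile) to hFile at povlap->Offset, then
   advance that offset by the bytes actually written. Returns FALSE if
   formatting or WriteFile fails.
   The original format string had four %d conversions but only three
   arguments (th32ProcessID was missing), so the PID column printed
   cntThreads and the remaining columns were shifted -- undefined behaviour.
   The fields are DWORDs, so %lu with an explicit cast is used. */
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap)
{
 char szLine[512];
 int iLen = snprintf(szLine, sizeof szLine,
  " \n\n\ncntUsage = %lu; \nth32ProcessID = %lu; \ncntThreads = %lu;  \nth32ParentProcessID = %lu; \nszExeFilePath= %s",
  (unsigned long)pPe->cntUsage,
  (unsigned long)pPe->th32ProcessID,
  (unsigned long)pPe->cntThreads,
  (unsigned long)pPe->th32ParentProcessID,
  pPe->szExeFile);
 if (iLen < 0)
  return FALSE;
 if ((size_t)iLen >= sizeof szLine)
  iLen = (int)(sizeof szLine - 1);   /* truncated: write what fits, never past the buffer */

 DWORD dwWritten = 0;
 if (!WriteFile(hFile, szLine, (DWORD)iLen, &dwWritten, povlap))
  return FALSE;

 /* Advance by what the OS reports, not by what we asked for. */
 povlap->Offset += dwWritten;
 return TRUE;
}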