蝙蝠与飞蛾的启示
2006-08-17 16:02
我删了杀毒软件,只用windows自带的防火墙挡挡风雨。结果在网上晃悠几天,电脑都成马厩了。什么乱七八糟的木马都有。简单一点的还好处理,用进程管理器找到进程,搜索相关文件,删!但现在都流行dll注入的了。在进程列表里找不到。只好查找进程调用的模块。但是模块实在太多了。用tasklist /M 命令一看,密密麻麻的几页呢。但我发现注入的module大多都是临时写写,很少还会提供一个版本信息资料。而正规的程序或动态链接库一般都有版本信息的。于是就可以通过版本信息对module的政治面目进行初步判断了。(这是不是有点像飞蛾两翼侧的那两个听觉细胞?简单对抗复杂!)呵呵!结果还真的发现了两匹野马!
/* this code has been compiled and tested in the following environment: */
/* compiler: LCC3.3 */
/* operating system: windows xp */
/* this sample provides some ideas for Trojan horse detection. */
/* so it has very little error checking. */
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <winver.h>
/*write module information to the file*/
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap);
/*write process information to the file*/
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap);
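/*
 * Write the Toolhelp process entry pPe and the modules it has loaded to
 * hOut, using povlap->Offset as the current file position.
 *
 * The first module returned by Module32First (the process image itself) is
 * always written; every later module is written only when it carries no
 * version resource (GetFileVersionInfoSize() == 0), which is the heuristic
 * this sample relies on: hand-made injected DLLs rarely ship a VERSIONINFO
 * block, regular binaries usually do.
 *
 * Returns FALSE only when the module snapshot could not be taken (some
 * processes refuse TH32CS_SNAPMODULE); the process record is still written.
 * Write failures of ProcOut/ModuleOut are not treated as fatal - the report
 * is best effort, as in the original listing.
 */
static BOOL DumpProcessModules(HANDLE hOut, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap)
{
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
    DWORD dwVerHandle = 0;   /* output-only value of GetFileVersionInfoSize; unused */
    HANDLE hSnapModule;

    ProcOut(hOut, pPe, povlap);

    hSnapModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pPe->th32ProcessID);
    /* Never hand INVALID_HANDLE_VALUE to Module32First/CloseHandle. */
    if (hSnapModule == INVALID_HANDLE_VALUE)
        return FALSE;

    if (Module32First(hSnapModule, &me)) {
        ModuleOut(hOut, &me, povlap);
        while (Module32Next(hSnapModule, &me)) {
            if (GetFileVersionInfoSize(me.szExePath, &dwVerHandle) == 0)
                ModuleOut(hOut, &me, povlap);
        }
    }

    CloseHandle(hSnapModule);
    return TRUE;
}

/*
 * Entry point: take a snapshot of all running processes and write, for each
 * one, the process record plus the modules without version information to
 * SysSnapShot.txt in the current directory (always overwritten).
 *
 * Returns 0 on success, 1 when the report file or the process snapshot
 * could not be created. The window-related parameters are unused.
 */
int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPreInst, LPSTR pszCmdLine, int nCmdShow)
{
    OVERLAPPED ovlap;
    PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
    HANDLE hSnapProc;
    HANDLE htxtFile;

    (void)hInst;
    (void)hPreInst;
    (void)pszCmdLine;
    (void)nCmdShow;

    /* Flags must be combined with bitwise OR. The original used `||`, which
     * evaluates to 1 (== FILE_ATTRIBUTE_READONLY) and silently dropped every
     * intended flag. FILE_FLAG_OVERLAPPED is deliberately NOT requested:
     * ModuleOut/ProcOut perform synchronous WriteFile calls and release their
     * buffer as soon as they return, which is only safe on a synchronous
     * handle. lpOverlapped is still passed so that Offset selects the write
     * position. */
    SetFileAttributes("SysSnapShot.txt", FILE_ATTRIBUTE_NORMAL);
    htxtFile = CreateFile("SysSnapShot.txt",
                          GENERIC_WRITE,
                          0,
                          NULL,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_ARCHIVE | FILE_FLAG_WRITE_THROUGH,
                          NULL);
    if (htxtFile == INVALID_HANDLE_VALUE)
        return 1;

    /* Offset/OffsetHigh = 0: start the report at the beginning of the file. */
    ZeroMemory(&ovlap, sizeof(ovlap));

    hSnapProc = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapProc == INVALID_HANDLE_VALUE) {
        CloseHandle(htxtFile);
        return 1;
    }

    /* Process32First/Process32Next in one loop replaces the two copies of the
     * per-process body in the original, and removes the double CloseHandle on
     * the module snapshot. */
    if (Process32First(hSnapProc, &pe)) {
        do {
            DumpProcessModules(htxtFile, &pe, &ovlap);
        } while (Process32Next(hSnapProc, &pe));
    }

    CloseHandle(hSnapProc);
    CloseHandle(htxtFile);
    return 0;
}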
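/*
 * Append one module record ("modBaseSize = N; szExePath=PATH") to hFile at
 * povlap->Offset and advance the offset by the number of bytes actually
 * written.
 *
 * hFile must be a synchronous handle (opened without FILE_FLAG_OVERLAPPED):
 * the line is built in a local buffer that is gone once this returns.
 *
 * Returns FALSE when the record does not fit the buffer or WriteFile fails;
 * TRUE otherwise. Never leaks: the original malloc'ed 500 bytes and skipped
 * free() on the failure path.
 */
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap)
{
    char szLine[600];   /* ~40 bytes of fixed text plus a MAX_PATH path */
    DWORD cbWritten = 0;
    int iLen;

    /* modBaseSize is a DWORD, so %lu with a cast instead of %d. The "/n",
     * "/t" and "/0" of the published listing appear to be escape sequences
     * whose backslashes were lost on the web page; they are restored here
     * (the embedded "\0" would only have cut the string, so it is dropped). */
    iLen = snprintf(szLine, sizeof szLine,
                    "\nmodBaseSize = %lu; \t szExePath=%s",
                    (unsigned long)pMe->modBaseSize, pMe->szExePath);
    if (iLen < 0 || (size_t)iLen >= sizeof szLine)
        return FALSE;

    if (!WriteFile(hFile, szLine, (DWORD)iLen, &cbWritten, povlap))
        return FALSE;

    /* Advance by what was really written, not by what was requested. */
    povlap->Offset += cbWritten;
    return TRUE;
}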
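/*
 * Append one process record (cntUsage, th32ProcessID, cntThreads,
 * th32ParentProcessID, szExeFile) to hFile at povlap->Offset and advance the
 * offset by the number of bytes actually written.
 *
 * hFile must be a synchronous handle (opened without FILE_FLAG_OVERLAPPED):
 * the line is built in a local buffer that is gone once this returns.
 *
 * Returns FALSE when the record does not fit the buffer or WriteFile fails;
 * TRUE otherwise.
 */
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap)
{
    char szLine[700];   /* ~120 bytes of fixed text, four numbers, a MAX_PATH name */
    DWORD cbWritten = 0;
    int iLen;

    /* Four conversions now get four arguments: the original passed only
     * three, so th32ProcessID was never printed, the remaining columns were
     * shifted by one and the last %d read a missing argument (undefined
     * behaviour). All fields are DWORDs, hence %lu. The "/n" sequences of the
     * published listing appear to be "\n" with the backslash lost; restored. */
    iLen = snprintf(szLine, sizeof szLine,
                    " \n\n\ncntUsage = %lu; \nth32ProcessID = %lu; \ncntThreads = %lu; "
                    "\nth32ParentProcessID = %lu; \nszExeFilePath= %s",
                    (unsigned long)pPe->cntUsage,
                    (unsigned long)pPe->th32ProcessID,
                    (unsigned long)pPe->cntThreads,
                    (unsigned long)pPe->th32ParentProcessID,
                    pPe->szExeFile);
    if (iLen < 0 || (size_t)iLen >= sizeof szLine)
        return FALSE;

    if (!WriteFile(hFile, szLine, (DWORD)iLen, &cbWritten, povlap))
        return FALSE;

    /* Advance by what was really written, not by what was requested. */
    povlap->Offset += cbWritten;
    return TRUE;
}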
/* this code has been compiled and tested in the following environment: */
/* compiler: LCC3.3 */
/* operating system: windows xp */
/* this sample provides some ideas for Trojan horse detection. */
/* so it has very little error checking. */
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <winver.h>
/*write module information to the file*/
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap);
/*write process information to the file*/
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap);
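/*
 * Write the Toolhelp process entry pPe and the modules it has loaded to
 * hOut, using povlap->Offset as the current file position.
 *
 * The first module returned by Module32First (the process image itself) is
 * always written; every later module is written only when it carries no
 * version resource (GetFileVersionInfoSize() == 0), which is the heuristic
 * this sample relies on: hand-made injected DLLs rarely ship a VERSIONINFO
 * block, regular binaries usually do.
 *
 * Returns FALSE only when the module snapshot could not be taken (some
 * processes refuse TH32CS_SNAPMODULE); the process record is still written.
 * Write failures of ProcOut/ModuleOut are not treated as fatal - the report
 * is best effort, as in the original listing.
 */
static BOOL DumpProcessModules(HANDLE hOut, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap)
{
    MODULEENTRY32 me = { sizeof(MODULEENTRY32) };
    DWORD dwVerHandle = 0;   /* output-only value of GetFileVersionInfoSize; unused */
    HANDLE hSnapModule;

    ProcOut(hOut, pPe, povlap);

    hSnapModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pPe->th32ProcessID);
    /* Never hand INVALID_HANDLE_VALUE to Module32First/CloseHandle. */
    if (hSnapModule == INVALID_HANDLE_VALUE)
        return FALSE;

    if (Module32First(hSnapModule, &me)) {
        ModuleOut(hOut, &me, povlap);
        while (Module32Next(hSnapModule, &me)) {
            if (GetFileVersionInfoSize(me.szExePath, &dwVerHandle) == 0)
                ModuleOut(hOut, &me, povlap);
        }
    }

    CloseHandle(hSnapModule);
    return TRUE;
}

/*
 * Entry point: take a snapshot of all running processes and write, for each
 * one, the process record plus the modules without version information to
 * SysSnapShot.txt in the current directory (always overwritten).
 *
 * Returns 0 on success, 1 when the report file or the process snapshot
 * could not be created. The window-related parameters are unused.
 */
int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPreInst, LPSTR pszCmdLine, int nCmdShow)
{
    OVERLAPPED ovlap;
    PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
    HANDLE hSnapProc;
    HANDLE htxtFile;

    (void)hInst;
    (void)hPreInst;
    (void)pszCmdLine;
    (void)nCmdShow;

    /* Flags must be combined with bitwise OR. The original used `||`, which
     * evaluates to 1 (== FILE_ATTRIBUTE_READONLY) and silently dropped every
     * intended flag. FILE_FLAG_OVERLAPPED is deliberately NOT requested:
     * ModuleOut/ProcOut perform synchronous WriteFile calls and release their
     * buffer as soon as they return, which is only safe on a synchronous
     * handle. lpOverlapped is still passed so that Offset selects the write
     * position. */
    SetFileAttributes("SysSnapShot.txt", FILE_ATTRIBUTE_NORMAL);
    htxtFile = CreateFile("SysSnapShot.txt",
                          GENERIC_WRITE,
                          0,
                          NULL,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_ARCHIVE | FILE_FLAG_WRITE_THROUGH,
                          NULL);
    if (htxtFile == INVALID_HANDLE_VALUE)
        return 1;

    /* Offset/OffsetHigh = 0: start the report at the beginning of the file. */
    ZeroMemory(&ovlap, sizeof(ovlap));

    hSnapProc = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapProc == INVALID_HANDLE_VALUE) {
        CloseHandle(htxtFile);
        return 1;
    }

    /* Process32First/Process32Next in one loop replaces the two copies of the
     * per-process body in the original, and removes the double CloseHandle on
     * the module snapshot. */
    if (Process32First(hSnapProc, &pe)) {
        do {
            DumpProcessModules(htxtFile, &pe, &ovlap);
        } while (Process32Next(hSnapProc, &pe));
    }

    CloseHandle(hSnapProc);
    CloseHandle(htxtFile);
    return 0;
}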
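/*
 * Append one module record ("modBaseSize = N; szExePath=PATH") to hFile at
 * povlap->Offset and advance the offset by the number of bytes actually
 * written.
 *
 * hFile must be a synchronous handle (opened without FILE_FLAG_OVERLAPPED):
 * the line is built in a local buffer that is gone once this returns.
 *
 * Returns FALSE when the record does not fit the buffer or WriteFile fails;
 * TRUE otherwise. Never leaks: the original malloc'ed 500 bytes and skipped
 * free() on the failure path.
 */
BOOL ModuleOut(HANDLE hFile, LPMODULEENTRY32 pMe, LPOVERLAPPED povlap)
{
    char szLine[600];   /* ~40 bytes of fixed text plus a MAX_PATH path */
    DWORD cbWritten = 0;
    int iLen;

    /* modBaseSize is a DWORD, so %lu with a cast instead of %d. The "/n",
     * "/t" and "/0" of the published listing appear to be escape sequences
     * whose backslashes were lost on the web page; they are restored here
     * (the embedded "\0" would only have cut the string, so it is dropped). */
    iLen = snprintf(szLine, sizeof szLine,
                    "\nmodBaseSize = %lu; \t szExePath=%s",
                    (unsigned long)pMe->modBaseSize, pMe->szExePath);
    if (iLen < 0 || (size_t)iLen >= sizeof szLine)
        return FALSE;

    if (!WriteFile(hFile, szLine, (DWORD)iLen, &cbWritten, povlap))
        return FALSE;

    /* Advance by what was really written, not by what was requested. */
    povlap->Offset += cbWritten;
    return TRUE;
}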
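/*
 * Append one process record (cntUsage, th32ProcessID, cntThreads,
 * th32ParentProcessID, szExeFile) to hFile at povlap->Offset and advance the
 * offset by the number of bytes actually written.
 *
 * hFile must be a synchronous handle (opened without FILE_FLAG_OVERLAPPED):
 * the line is built in a local buffer that is gone once this returns.
 *
 * Returns FALSE when the record does not fit the buffer or WriteFile fails;
 * TRUE otherwise.
 */
BOOL ProcOut(HANDLE hFile, LPPROCESSENTRY32 pPe, LPOVERLAPPED povlap)
{
    char szLine[700];   /* ~120 bytes of fixed text, four numbers, a MAX_PATH name */
    DWORD cbWritten = 0;
    int iLen;

    /* Four conversions now get four arguments: the original passed only
     * three, so th32ProcessID was never printed, the remaining columns were
     * shifted by one and the last %d read a missing argument (undefined
     * behaviour). All fields are DWORDs, hence %lu. The "/n" sequences of the
     * published listing appear to be "\n" with the backslash lost; restored. */
    iLen = snprintf(szLine, sizeof szLine,
                    " \n\n\ncntUsage = %lu; \nth32ProcessID = %lu; \ncntThreads = %lu; "
                    "\nth32ParentProcessID = %lu; \nszExeFilePath= %s",
                    (unsigned long)pPe->cntUsage,
                    (unsigned long)pPe->th32ProcessID,
                    (unsigned long)pPe->cntThreads,
                    (unsigned long)pPe->th32ParentProcessID,
                    pPe->szExeFile);
    if (iLen < 0 || (size_t)iLen >= sizeof szLine)
        return FALSE;

    if (!WriteFile(hFile, szLine, (DWORD)iLen, &cbWritten, povlap))
        return FALSE;

    /* Advance by what was really written, not by what was requested. */
    povlap->Offset += cbWritten;
    return TRUE;
}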