sinoer - 2009-3-28 18:38:00
请等待工程师分析反馈
aaccbbdd - 2009-3-28 18:39:00
Log is generated by FreShow. [wide]http://www.520724.com [script]http://%62%75%79%79%62%2E%63%6F%6D/tgw/images/xx.gif [frame]http://sjjt10.cn/360/a34.htm
Log is generated by FreShow. [wide]http://www.520724.com [script]http://%62%75%79%79%62%2E%63%6F%6D/tgw/images/xx.gif [frame]http://sjjt10.cn/360/a34.htm
你说貌似没发现什么问题,并不代表没有问题!最多只是现在尚未发生问题罢了!我也只是说疑似木马,因为它有木马的特征!工具用在正途上.就是利器!若用得不当,就成恶人帮凶了!现在不少木马都会用到类似安装钩子的监视技术jmpHook.dll,PE32 executable for MS Windows (DLL) (GUI) 开,后门可用!
工作原理如下:(烦请看看有没有错误:) unit Restroe;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls; function RestroeHTM(HtmPath:string):string; {获取当前所有盘符} function getPath : integer; {扫描盘符} function EnumFileInRecursion(path:PChar):Longint;stdcall;
implementation
uses Unit1; {判断文件是否正在使用}
function IsFileInUse(fName: string): boolean;
{ True when fName exists but cannot be opened for exclusive read/write
  access (share mode 0); a file that does not exist reports False.
  Note: every open failure counts as "in use", so an access-denied file
  is reported the same way as one locked by another process. }
var
  hProbe: THandle;
begin
  if not FileExists(fName) then
  begin
    Result := False;
    Exit;
  end;
  hProbe := CreateFile(PChar(fName), GENERIC_READ or GENERIC_WRITE, 0, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if hProbe = INVALID_HANDLE_VALUE then
    Result := True
  else
  begin
    // the probe handle is only needed to answer the question; release it
    CloseHandle(hProbe);
    Result := False;
  end;
end;
{获取当前所有盘符}
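{ Enumerate drive letters A..Z and add every removable or fixed drive to
  form1.ListBox1; the item's object pointer carries the ASCII code of the
  letter. Returns the number of drives added — the original never assigned
  Result (callers so far ignore it, so this is backward compatible). }
function getPath: integer;
var
  letter: Integer;
  root: string;
  kind: UINT;
begin
  Result := 0;
  for letter := Ord('A') to Ord('Z') do
  begin
    root := Chr(letter) + ':\';
    kind := GetDriveType(PChar(root));  // query once per letter instead of twice
    if (kind = DRIVE_REMOVABLE) or (kind = DRIVE_FIXED) then
    begin
      form1.ListBox1.AddItem(Chr(letter) + ':', Pointer(letter));
      Inc(Result);
    end;
  end;
end;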
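{ Recursively walk the directory `path` and hand every file with a
  web-page/script extension to RestroeHTM. Returns the number of files
  visited (not the number repaired). `path` is a NUL-terminated directory
  name without a trailing backslash. The walk stops early when the global
  stopSan (declared in Unit1) becomes True. Fixes vs. the original: the
  FindFirst/FindClose pair is now protected by try/finally, extension
  matching is case-insensitive (.HTM is scanned too) and the unused
  `strtext` local is gone. NOTE(review): directories that are junctions or
  symlinks are followed like ordinary directories, so a cyclic junction
  would recurse without bound — TODO confirm whether that matters. }
function EnumFileInRecursion(path: PChar): Longint; stdcall;
const
  { Extensions (lower case) whose files are scanned for the marker text. }
  ScanExts: array[0..7] of string =
    ('.htm', '.html', '.txt', '.asp', '.php', '.jsp', '.js', '.vbs');

  { True when fileName ends in one of ScanExts, ignoring case. }
  function HasScanExt(const fileName: string): Boolean;
  var
    ext: string;
    k: Integer;
  begin
    ext := LowerCase(ExtractFileExt(fileName));
    Result := False;
    for k := Low(ScanExts) to High(ScanExts) do
      if ext = ScanExts[k] then
      begin
        Result := True;
        Exit;
      end;
  end;

var
  dir, fullName: string;
  sr: TSearchRec;
begin
  Result := 0;
  dir := StrPas(path);
  if FindFirst(dir + '\*.*', faAnyFile, sr) = 0 then
  try
    repeat
      if stopSan then
        Break;  // user pressed stop (Button3Click)
      fullName := dir + '\' + sr.Name;
      if (sr.Attr and faDirectory) <> 0 then
      begin
        if (sr.Name <> '.') and (sr.Name <> '..') then
          Result := Result + EnumFileInRecursion(PChar(fullName));  // recurse
      end
      else
      begin
        Inc(Result);
        form1.StatusBar1.Panels[0].Text := fullName;
        try
          // a file that is currently in use is simply skipped this pass
          if HasScanExt(sr.Name) and not IsFileInUse(fullName) then
            RestroeHTM(fullName);
        except
          // per-file errors are deliberately ignored so one bad file does
          // not abort the whole scan (the original swallowed them as well)
        end;
      end;
    until FindNext(sr) <> 0;
  finally
    FindClose(sr);  // released even if RestroeHTM or the recursion raises
  end;
  if form1.RadioButton1.Checked then
    SleepEx(2, True);  // throttle option: yield briefly after each directory
end;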
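{ Scan the text file HtmPath line by line for the marker entered in
  form1.Edit1. On the first matching line: if form1.CheckBox1 is checked the
  hit is only reported ("user did not act"); otherwise that line is deleted
  and the file is rewritten in place. Only the first hit is handled per call
  (the loop breaks), so a file with several injected lines needs another
  pass. Returns the matching line's text, or '' when nothing matched or an
  error occurred (the original never assigned Result). Errors are swallowed
  on purpose — this is a best-effort repair of arbitrary user files — but the
  TStringList is now always freed (the original leaked it on exception). An
  empty marker matches nothing because Pos('', s) = 0. NOTE(review):
  SaveToFile rewrites the whole file with the RTL's default line endings —
  TODO confirm that is acceptable for the scanned file types. }
function RestroeHTM(HtmPath: string): string;
var
  lines: TStringList;
  lineNo: Integer;
  marker, hitText: string;

  { Show the hit in form1.Memo1, append a row to form1.ListView1 and bump
    the counters: Label4 counts every hit, Label7 cleaned files, Label10
    files left untouched. }
  procedure Report(cleaned: Boolean);
  const
    MemoStatus: array[Boolean] of string = ('用户未操作!', '已经清除');
    RowStatus: array[Boolean] of string = ('用户未操作!', '清除成功!');
  begin
    form1.Memo1.Text := '被感染的文件:' + ExtractFileName(HtmPath) + #13#10 +
      '被感染的网页指定行:' + IntToStr(lineNo + 1) + #13#10 +
      '内容:' + hitText + #13#10 + '清除状态:' + MemoStatus[cleaned];
    with form1.ListView1.Items.Add do
    begin
      Caption := ExtractFileName(HtmPath);
      SubItems.Add(HtmPath);
      SubItems.Add(RowStatus[cleaned]);
    end;
    form1.Label4.Caption := IntToStr(1 + StrToInt(form1.Label4.Caption));
    if cleaned then
      form1.Label7.Caption := IntToStr(1 + StrToInt(form1.Label7.Caption))
    else
      form1.Label10.Caption := IntToStr(1 + StrToInt(form1.Label10.Caption));
  end;

begin
  Result := '';
  marker := form1.Edit1.Text;
  lines := TStringList.Create;
  try
    try
      lines.LoadFromFile(HtmPath);
      for lineNo := 0 to lines.Count - 1 do
        if Pos(marker, lines[lineNo]) > 0 then
        begin
          hitText := lines[lineNo];
          if not form1.CheckBox1.Checked then
          begin
            lines.Delete(lineNo);
            lines.SaveToFile(HtmPath);
          end;
          // reported only after the save succeeded, so "已经清除" is never
          // shown for a file that could not actually be rewritten
          Report(not form1.CheckBox1.Checked);
          Result := hitText;
          Break;  // first hit only
        end;
    except
      // best effort: unreadable/unwritable files are skipped silently
    end;
  finally
    lines.Free;
  end;
end;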
{ Reset the three hit counters displayed on the form to zero. }
procedure Clearzero;
const
  Zero = '0';
begin
  with form1 do
  begin
    Label4.Caption := Zero;
    Label7.Caption := Zero;
    Label10.Caption := Zero;
  end;
end;
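{ Scan every drive listed in form1.ListBox1 in turn, then report completion
  in the status bar. Button2Click starts this via CreateThread, so it runs on
  a worker thread while it (and everything it calls) updates VCL controls,
  which are not thread-safe; it is also not a valid thread-function
  signature (no parameter, no stdcall, no DWORD result). Both are left as in
  the original because changing them would change the procedure's interface.
  Fix vs. the original: the loop counter was a DWORD, so with an empty list
  Count-1 = -1 wrapped to $FFFFFFFF and the loop ran off the end of Items. }
procedure FindPath;
var
  idx: Integer;
begin
  for idx := 0 to form1.ListBox1.Items.Count - 1 do
    EnumFileInRecursion(PChar(form1.ListBox1.Items[idx]));
  form1.StatusBar1.Panels[0].Text := '扫描完毕';
end;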
{ Repair a single file chosen through the open dialog (manual mode). }
procedure TForm1.Button1Click(Sender: TObject);
begin
  if Edit1.Text = '' then
  begin
    ShowMessage('请输入网页挂马特征');
    Exit;
  end;
  if not OpenDialog1.Execute then
    Exit;
  RestroeHTM(OpenDialog1.FileName);
end;

{ Global hotkey handler: bring the (hidden) main window back. `id` is the
  atom registered as the hotkey identifier in FormCreate. }
procedure TForm1.WMHotKey(var Msg: TWMHotKey);
begin
  if Msg.HotKey <> id then
    Exit;
  form1.Show;
end;

{ Fill the drive list and register Ctrl+A as a system-wide hotkey.
  Note: MOD_CONTROL with 'A' is exactly Ctrl+A (not Ctrl+Alt+A as an earlier
  comment said), and a global hotkey takes that key combination away from
  every other application while this program runs. The RegisterHotKey
  result is not checked, as in the original. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  getPath;
  id := GlobalAddAtom('wwwHotkey');
  RegisterHotKey(form1.Handle, id, MOD_CONTROL, Ord('A'));
end;
{ Start a background scan of every listed drive. Note: FindPath is handed to
  CreateThread although it is a parameterless, non-stdcall procedure, and it
  updates VCL controls from that thread; both are as in the original. The
  thread handle is closed immediately, so the scan can only be stopped via
  the stopSan flag (Button3Click). }
procedure TForm1.Button2Click(Sender: TObject);
var
  worker: THandle;
  workerId: DWORD;
begin
  if Edit1.Text = '' then
  begin
    ShowMessage('请输入挂马特征码');
    Exit;
  end;
  stopSan := False;
  Clearzero;
  ListView1.Items.Clear;
  worker := CreateThread(nil, 0, @FindPath, nil, 0, workerId);
  CloseHandle(worker);
end;
{ Request the running scan to stop; EnumFileInRecursion polls stopSan. }
procedure TForm1.Button3Click(Sender: TObject);
begin
  stopSan := True;
  StatusBar1.Panels[0].Text := '用户终止扫描!';
end;
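{ Toggle the jmphook.dll hook on and off. Button4's caption doubles as the
  state flag ('网页监视' = idle, '已经监视' = hooking). SetHook/RemoveHook are
  procedure variables declared outside this unit and are bound here with
  GetProcAddress. Fixes vs. the original: a missing DLL or export no longer
  dereferences a nil pointer (the original called GetProcAddress on a 0
  module handle and then jumped through the nil result), and the stop
  branch no longer takes a second LoadLibrary reference but releases the
  one taken at start. NOTE(review): the DLL is loaded by bare name, so it is
  resolved through the normal DLL search order; loading it by full path
  from the application directory would be the safer choice. }
procedure TForm1.Button4Click(Sender: TObject);
const
  HookDll = 'jmphook.dll';
var
  hookModule: THandle;
begin
  if Button4.Caption = '网页监视' then
  begin
    hookModule := LoadLibrary(HookDll);
    if hookModule = 0 then
    begin
      MessageBox(form1.Handle, PChar('无法加载 ' + HookDll), '提示', MB_OK);
      Exit;
    end;
    @SetHook := GetProcAddress(hookModule, 'SetHook');
    if not Assigned(SetHook) then
    begin
      FreeLibrary(hookModule);
      MessageBox(form1.Handle, 'jmphook.dll 缺少 SetHook 导出', '提示', MB_OK);
      Exit;
    end;
    SetHook();
    Button4.Caption := '已经监视';
    MessageBox(form1.Handle, '按Ctrl+A显示主界面', '提示', MB_OK);
    form1.Hide;
  end
  else if Button4.Caption = '已经监视' then
  begin
    Button4.Caption := '网页监视';
    // already loaded by the start branch; GetModuleHandle adds no reference
    hookModule := GetModuleHandle(HookDll);
    if hookModule = 0 then
      Exit;
    @RemoveHook := GetProcAddress(hookModule, 'RemoveHook');
    if Assigned(RemoveHook) then
      RemoveHook();
    FreeLibrary(hookModule);  // balances the LoadLibrary taken when hooking started
  end;
end;

{ OnCloseQuery handler: release the global hotkey and its atom. CanClose is
  left untouched, so closing is never vetoed. }
procedure TForm1.Winclsoe(Sender: TObject; var CanClose: Boolean);
begin
  UnRegisterHotKey(Handle, id);
  GlobalDeleteAtom(id);
end;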