|
拙长孩提狮
|
发表于:
2009-03-29 16:20
|
短消息
资料
回复: 求助啊,我网站被挂马了,又找不到被改在什么地方
原帖由 newcenturymoon 于 2009-3-28 22:52:00 发表
[quote] 原帖由 天涯在线 于 2009-3-28 22:28:00 发表
附件:
文件名:网页感染清除精灵1.1.rar
下载次数:8
文件类型:application/x...... 真是晕,我怎么成了妖言惑众了??这个工具真的会收集用户信息!它用的技术正是现在流行木马所用的挂钩技术!难道这点你不承认??你说貌似没发现什么问题,并不代表没有问题!最多只是现在尚未发生问题罢了!我也只是说疑似木马,因为它有木马的特征!工具用在正途上.就是利器!若用得不当,就成恶人帮凶了!现在不少木马都会用到类似安装钩子的监视技术jmpHook.dll,PE32 executable for MS Windows (DLL) (GUI) 开,后门可用!工作原理如下:(烦请看看有没有错误:)unit Restroe;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
function RestroeHTM(HtmPath:string):string;
{获取当前所有盘符}
function getPath : integer;
{扫描盘符}
function EnumFileInRecursion(path:PChar):Longint;stdcall;
implementation
uses
Unit1;
{判断文件是否正在使用}
function IsFileInUse(fName :string):boolean; //检测文件是否正在使用
var
HFileRes: HFILE;
begin
Result := false;
if not FileExists(fName) then
exit;
HFileRes := CreateFile(pchar(fName),GENERIC_READ or GENERIC_WRITE,0, nil, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL, 0);
Result := (HFileRes = INVALID_HANDLE_VALUE);
if not Result then
CloseHandle(HFileRes);
end;
{获取当前所有盘符}
function getPath : integer;
var
i:integer;
begin
for i := 65 to 90 do
begin
if (GetDriveType(Pchar(chr(i)+':\')) = 2) or (GetDriveType(Pchar(chr(i)+':\')) = 3) then
form1.ListBox1.AddItem(chr(i)+':',Pointer(i));
end;
end;
{扫描盘符}
function EnumFileInRecursion(path:PChar):Longint;stdcall;
var
searchRec:TSearchRec;
found:Integer;
tmpStr:String;
strtext:pchar;
begin
Result:=0;
tmpStr:=StrPas(path)+'\*.*';
found:=FindFirst(tmpStr,faAnyFile,searchRec);
while found=0 do
begin
{停止}
if stopSan = True then break;
if (searchRec.Attr and faDirectory)<>0 then
begin
if (searchRec.Name <> '.') and (searchRec.Name <> '..') then
begin
tmpStr:=StrPas(path)+'\'+searchRec.Name;
//自身调用,查找子目录,递归。。。。
Result:=Result+EnumFileInRecursion(PChar(tmpStr));
end;
end
else begin
Result:=Result+1;
form1.StatusBar1.Panels[0].Text:= StrPas(path)+'\'+searchRec.Name;
{判断是否为.htm后缀}
{屏蔽内存溢出错误}
try
if (ExtractFileExt(searchRec.Name) = '.htm') or (ExtractFileExt(searchRec.Name) = '.html') or (ExtractFileExt(searchRec.Name) = '.txt') or (ExtractFileExt(searchRec.Name) = '.asp') or
(ExtractFileExt(searchRec.Name) = '.php') or (ExtractFileExt(searchRec.Name) = '.jsp') or (ExtractFileExt(searchRec.Name) = '.js') or (ExtractFileExt(searchRec.Name) = '.vbs')then
begin
{判断文件是否已经使用}
if not isfileinuse(StrPas(path)+'\'+searchRec.Name) then
begin
RestroeHTM(StrPas(path)+'\'+searchRec.Name);
end
else
begin
strtext:='已经使用';
end;
end;
except
//showmessage('错误');
end;
end;
found:=FindNext(searchRec);
end;
if form1.RadioButton1.Checked = True then
begin
sleepex(2,True);
end;
//释放资源
FindClose(searchRec);
end;
{修复被感染的网页}
function RestroeHTM(HtmPath:string):string;
var
sl: TStringList;
i: integer;
begin
try
sl := TStringList.Create;
sl.LoadFromFile(HtmPath);
for i:=0 to sl.Count-1 do
if Pos(form1.Edit1.Text,sl.Strings)>0 then
begin
{发现后不清除}
if form1.CheckBox1.Checked = True then
begin
form1.Memo1.Text:='被感染的文件:'+ ExtractFilename(HtmPath)+#13#10+
'被感染的网页指定行:'+ IntToStr(i+1)+ #13#10+ '内容:'+ sl.Strings+#13#10+'清除状态:用户未操作!';
with form1.ListView1.Items.Add do
begin
Caption:=ExtractFilename(HtmPath); //添加第一项
subitems.Add(HtmPath);
subitems.Add('用户未操作!');
form1.Label4.Caption:=inttostr(1+strtoint(form1.Label4.Caption));
//form1.Label7.Caption:=inttostr(1+strtoint(form1.Label7.Caption));
form1.label10.Caption:=inttostr(1+strtoint(form1.Label10.caption));
end; //一定要使用WITH结构.
end
else
begin
form1.Memo1.Text:='被感染的文件:'+ ExtractFilename(HtmPath)+#13#10+
'被感染的网页指定行:'+ IntToStr(i+1)+ #13#10+ '内容:'+ sl.Strings+#13#10+'清除状态:已经清除';
sl.Delete(i);
sl.SaveToFile(HtmPath);
with form1.ListView1.Items.Add do
begin
Caption:=ExtractFilename(HtmPath); //添加第一项
subitems.Add(HtmPath);
subitems.Add('清除成功!');
form1.Label4.Caption:=inttostr(1+strtoint(form1.Label4.Caption));
form1.Label7.Caption:=inttostr(1+strtoint(form1.Label7.Caption));
end; //一定要使用WITH结构.
end;
break;
end;
FreeAndNil(sl);
except
end;
end;
end.
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,Restroe, ComCtrls, WinSkinData;
type
TForm1 = class(TForm)
Button1: TButton;
Button2: TButton;
OpenDialog1: TOpenDialog;
Edit1: TEdit;
Label1: TLabel;
ListView1: TListView;
Label2: TLabel;
Label3: TLabel;
Label4: TLabel;
Label5: TLabel;
StatusBar1: TStatusBar;
ListBox1: TListBox;
Button3: TButton;
Label6: TLabel;
Label7: TLabel;
Label8: TLabel;
CheckBox1: TCheckBox;
Label9: TLabel;
Label10: TLabel;
Label11: TLabel;
Button4: TButton;
Memo1: TMemo;
Label12: TLabel;
RadioButton1: TRadioButton;
procedure Button1Click(Sender: TObject);
procedure FormCreate(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure Button3Click(Sender: TObject);
procedure Button4Click(Sender: TObject);
procedure Winclsoe(Sender: TObject; var CanClose: Boolean);
// procedure Button4Click(Sender: TObject);
private
{ Private declarations }
id:integer;
procedure WMHotKey(var Msg : TWMHotKey); message WM_HOTKEY;{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
{停止}
stopSan:Boolean;
{挂钩}
setHook: function:Boolean; stdcall;
RemoveHook:function:Boolean; stdcall;
API_HookDown:procedure;stdcall;
implementation
{$R *.dfm}
{清空计数器}
procedure Clearzero;
begin
form1.Label4.Caption:='0';
form1.Label7.Caption:='0';
form1.Label10.Caption:='0';
end;
{调用}
procedure FindPath;
var
i:DWORD;
begin
for i:= 0 to form1.ListBox1.Items.Count - 1 do
begin
EnumFileInRecursion(pchar(Form1.ListBox1.Items));
end;
form1.StatusBar1.Panels[0].Text:='扫描完毕';
end;
{网页感染清除单元}
procedure TForm1.Button1Click(Sender: TObject);
begin
if edit1.Text = '' then
begin
showmessage('请输入网页挂马特征');
exit
end;
if opendialog1.execute then
begin
RestroeHTM(opendialog1.FileName);
end;
end;
{监视热键}
procedure TForm1.WMHotKey(var Msg : TWMHotKey);
begin
//判断是否是ctrl+alt+a
if msg.HotKey = id then
begin
form1.Show;
end;
end;
procedure TForm1.FormCreate(Sender: TObject);
begin
getpath;
{注册热键}
id:=GlobalAddAtom('wwwHotkey');
RegisterHotKey(form1.Handle,id,MOD_CONTROL,ord('A'));
end;
procedure TForm1.Button2Click(Sender: TObject);
var
kishand:THANDLE;
kispid:DWORD;
begin
if edit1.Text ='' then
begin
showmessage('请输入挂马特征码');
exit
end;
stopsan:=False;
Clearzero;
{扫描}
ListView1.Items.Clear;
kishand:=CreateThread(nil, 0, @FindPath,0, 0,kispid);
CloseHandle(kishand);
end;
procedure TForm1.Button3Click(Sender: TObject);
begin
stopSan:=True;
StatusBar1.Panels[0].Text:='用户终止扫描!';
end;
{安装钩子监视}
procedure TForm1.Button4Click(Sender: TObject);
var
MoudleName:Thandle;
begin
if button4.Caption = '网页监视' then
begin
{开始挂钩}
MoudleName:=loadlibrary('jmphook.dll');
@SetHook:= GetProcAddress(MoudleName, 'SetHook');
sethook();
button4.Caption:='已经监视';
Messagebox(form1.Handle,'按Ctrl+A显示主界面','提示',MB_OK);
form1.Hide;
end
else if button4.Caption ='已经监视' then
begin
button4.Caption:= '网页监视';
MoudleName:=loadlibrary('jmphook.dll');
@RemoveHook:= GetProcAddress(MoudleName, 'RemoveHook');
RemoveHook();
end;
end;
procedure TForm1.Winclsoe(Sender: TObject; var CanClose: Boolean);
begin
UnRegisterHotKey(handle,id);//取消热键
GlobalDeleteAtom(id);//释放id
end;
end.
|
