网站程序安全分析器VB源码

本程序通杀:

ASP ASPX PHP CGI JSP VBS 等脚本WebShell

并能查出99%加密过的脚本WebShell

后来发现,检出率越高误报也越高…基本做到宁可误扫三千,也不放过1马~

其实是利用特征字符串匹配来判断,原理很简单.有很多人向偶要代码,想到人家ScanWebshell都贡献出来了~偶要是不贡献出来就不厚道咯.以下是全部代码.

' Win32 API declarations, constants, module state and structures used by the scanner form.
' NOTE(review): as shown on this page the string delimiters are typographic quotes and the
' minus signs further down are en dashes; VB6 needs straight double quotes and "-", so the
' listing has to be re-typed before it compiles.

' --- Window style / layered-window calls (used by Form_Initialize) ---
Private Declare Function GetWindowLong Lib “user32” Alias “GetWindowLongA” (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib “user32” Alias “SetWindowLongA” (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function SetLayeredWindowAttributes Lib “user32” (ByVal hwnd As Long, ByVal crKey As Long, ByVal bAlpha As Byte, ByVal dwFlags As Long) As Long
Private Const WS_EX_LAYERED = &H80000
Private Const GWL_EXSTYLE = (-20)
Private Const LWA_ALPHA = &H2
Private Const LWA_COLORKEY = &H1
' --- Mouse capture / message sending (used by Form_MouseDown) ---
Private Declare Function ReleaseCapture Lib “user32” () As Long
Private Declare Function SendMessage Lib “user32” Alias “SendMessageA” (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Const HTCAPTION = 2
Private Const WM_NCLBUTTONDOWN = &HA1
' --- Millisecond timer (used by YS) and common-controls initialisation ---
Private Declare Function timeGetTime Lib “winmm.dll” () As Long
Private Declare Sub InitCommonControls Lib “comctl32.dll” ()
' --- Module-level scan state ---
' SuJu1: running count of directory entries visited by FindFilesAPI (shown in Label3).
Dim SuJu1 As Long
' Faxian: set to "发现危险" while the current file has at least one signature hit; cleared per file.
Dim Faxian As String
' FaJs: number of flagged files. Declared As String but incremented numerically in FindFilesAPI.
Dim FaJs As String
' --- Directory enumeration (ANSI variants; used by FindFilesAPI) ---
Private Declare Function FindFirstFile Lib “kernel32” Alias “FindFirstFileA” (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib “kernel32” Alias “FindNextFileA” (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib “kernel32” Alias “GetFileAttributesA” (ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib “kernel32” (ByVal hFindFile As Long) As Long
Const MAX_PATH = 260
Const MAXDWORD = &HFFFF
Const INVALID_HANDLE_VALUE = -1
' File attribute bits; only FILE_ATTRIBUTE_DIRECTORY is referenced by the code on this page.
Const FILE_ATTRIBUTE_ARCHIVE = &H20
Const FILE_ATTRIBUTE_DIRECTORY = &H10
Const FILE_ATTRIBUTE_HIDDEN = &H2
Const FILE_ATTRIBUTE_NORMAL = &H80
Const FILE_ATTRIBUTE_READONLY = &H1
Const FILE_ATTRIBUTE_SYSTEM = &H4
Const FILE_ATTRIBUTE_TEMPORARY = &H100
' --- Shell folder picker (used by Command1_Click) ---
Private Declare Function SHBrowseForFolder Lib “shell32” (lpbi As BrowseInfo) As Long
Private Declare Function SHGetPathFromIDList Lib “shell32.dll” Alias “SHGetPathFromIDListA” (ByVal pIdl As Long, ByVal pszPath As String) As Long
' Parameter block passed to SHBrowseForFolder.
Private Type BrowseInfo
hwndOwner As Long
piDLroot As Long
pszdisplayName As String
lpsztitle As String
ulFlags As Long
lpfncallback As Long
lParam As Long
iImage As Long
End Type
' 64-bit timestamp split into two Longs, as embedded in WIN32_FIND_DATA.
Private Type FILETIME
    dwLowDateTime   As Long
    dwHighDateTime   As Long
End Type
' Result record filled in by FindFirstFile / FindNextFile.
' cFileName is a fixed-length buffer, which is why callers pass it through StripNulls.
Private Type WIN32_FIND_DATA
    dwFileAttributes   As Long
    ftCreationTime   As FILETIME
    ftLastAccessTime   As FILETIME
    ftLastWriteTime   As FILETIME
    nFileSizeHigh   As Long
    nFileSizeLow   As Long
    dwReserved0   As Long
    dwReserved1   As Long
    cFileName   As String * MAX_PATH
    cAlternate   As String * 14
End Type
Private Sub Form_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    ' Releases mouse capture, then sends WM_NCLBUTTONDOWN / HTCAPTION to this form's window.
    ' NOTE(review): presumably this lets the caption-less form be dragged by its body - confirm.
    Call ReleaseCapture
    Call SendMessage(Me.hwnd, WM_NCLBUTTONDOWN, HTCAPTION, 0&)
End Sub
Private Sub Form_Initialize()
    ' Initialises the common controls and turns the form into a layered window
    ' that uses &HFF00FF as its colour key.
    Dim exStyle As Long

    Call InitCommonControls

    ' Add WS_EX_LAYERED to the existing extended style bits.
    exStyle = GetWindowLong(Me.hwnd, GWL_EXSTYLE) Or WS_EX_LAYERED
    Call SetWindowLong(Me.hwnd, GWL_EXSTYLE, exStyle)

    Call SetLayeredWindowAttributes(Me.hwnd, &HFF00FF, 0, LWA_COLORKEY)
End Sub
Sub YS()
    ' Waits about 200 ms while still pumping window messages via DoEvents.
    Dim deadline As Double

    ' The sum is done in Double, as in the original, so it cannot overflow a Long.
    deadline = CDbl(timeGetTime) + 200
    Do Until timeGetTime >= deadline
        DoEvents
    Loop
End Sub
Private Sub Image1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    ' Minimise button: shows the alternate image (Image2) for the duration of YS,
    ' minimises the form, then restores the normal image.
    With Me
        .Image1.Visible = False
        .Image2.Visible = True
    End With

    YS
    Me.WindowState = vbMinimized    ' same value as the literal 1 used originally

    With Me
        .Image1.Visible = True
        .Image2.Visible = False
    End With
End Sub
Private Sub Image4_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
    ' Close button: swaps Image4 for Image3, waits for YS, then terminates the program.
    With Me
        .Image4.Visible = False
        .Image3.Visible = True
    End With

    YS
    End     ' ends the application immediately
End Sub
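Private Sub Command1_Click()
    ' Shows the shell folder picker and copies the chosen folder path into Text1.
    ' Text1 is left unchanged if the dialog is cancelled or the selection has no
    ' file-system path.
    Dim bi As BrowseInfo
    Dim folderid As Long
    Dim pb As String
    Dim nulPos As Long

    With bi
        .hwndOwner = Me.hwnd
        .lpsztitle = "选择查杀的文件夹:"
        .ulFlags = 3
    End With

    folderid = SHBrowseForFolder(bi)
    If folderid = 0 Then Exit Sub           ' dialog cancelled

    ' NOTE(review): the item-ID list returned by SHBrowseForFolder is never freed;
    ' releasing it needs an API declaration this module does not have.
    pb = String$(260, 0)
    If SHGetPathFromIDList(folderid, pb) = 0 Then Exit Sub   ' selection has no path

    ' Cut at the first NUL only if there is one; Left$ with a length of -1 would raise an error.
    nulPos = InStr(pb, vbNullChar)
    If nulPos > 0 Then pb = Left$(pb, nulPos - 1)
    If Len(pb) = 0 Then Exit Sub

    Text1.Text = pb
End Sub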
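Function StripNulls(OriginalStr As String) As String
    ' Returns the part of OriginalStr that precedes its first NUL character,
    ' or the whole string when it contains no NUL.
    ' The argument is ByRef (the VB default) and is no longer modified here;
    ' the callers in this module only use the return value.
    Dim nulPos As Long

    nulPos = InStr(OriginalStr, Chr(0))
    If nulPos > 0 Then
        StripNulls = Left$(OriginalStr, nulPos - 1)
    Else
        StripNulls = OriginalStr
    End If
End Function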

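Function FindFilesAPI(path As String, SearchStr As String)
    ' Recursively walks `path`, scanning every file that matches SearchStr line by line
    ' for the signature strings in ScanOneFile, and reporting hits in List1.
    '
    ' path      - directory to scan; a trailing "\" is appended in place if missing.
    ' SearchStr - file-name pattern handed to FindFirstFile (the caller passes "*.*").
    ' Returns   - the sum of the recursive calls' results; nothing else is ever assigned,
    '             so the value carries no information.
    '
    ' Stop protocol: Command7_Click re-enables Command3; the loops below treat
    ' Command3.Enabled = True as "stop requested".
    '
    ' Changes against the listing as published:
    '  * Directories are recognised from WFD.dwFileAttributes. GetFileAttributes returns -1
    '    on failure, and -1 And FILE_ATTRIBUTE_DIRECTORY is non-zero, so an unreadable entry
    '    used to be queued as a directory.
    '  * Files are no longer filtered with Dir(); with default attributes Dir() does not
    '    return hidden or system files, so such files were counted but never scanned.
    '  * The search handle is closed when a stop is requested, and the subdirectory loop
    '    stops as well instead of scanning one more file per remaining directory.
    '  * A file that cannot be opened or read is listed as unscanned instead of aborting
    '    the run with an unhandled runtime error.
    '
    ' Limits a reader of the results should keep in mind:
    '  * Matching is per line, so a signature split across two lines is not seen.
    '  * Several strings ("cmd", "Upload", "FSO", "Socket", "127.0.0.1", "java.util",
    '    "System.IO") occur in a great deal of legitimate code; a hit is a lead for manual
    '    review, not a verdict.
    '  * NOTE(review): files are read with Open ... For Input, which as far as I know treats
    '    Chr(26) as end of file, so content after such a byte would go unscanned - confirm.
    '  * NOTE(review): no check for junctions/reparse points; a directory loop would recurse
    '    without end - confirm whether that matters for the scanned trees.
    Dim FileName As String
    Dim DirName As String
    Dim dirNames() As String
    Dim nDir As Integer
    Dim i As Integer
    Dim hSearch As Long
    Dim WFD As WIN32_FIND_DATA
    Dim Cont As Integer
    Dim stopRequested As Boolean

    If Right(path, 1) <> "\" Then path = path & "\"

    ' Pass 1: collect the names of all subdirectories.
    nDir = 0
    ReDim dirNames(nDir)
    hSearch = FindFirstFile(path & "*.*", WFD)
    If hSearch <> INVALID_HANDLE_VALUE Then
        Cont = True
        Do While Cont
            DirName = StripNulls(WFD.cFileName)
            If (DirName <> ".") And (DirName <> "..") Then
                If (WFD.dwFileAttributes And FILE_ATTRIBUTE_DIRECTORY) <> 0 Then
                    dirNames(nDir) = DirName
                    nDir = nDir + 1
                    ReDim Preserve dirNames(nDir)
                End If
            End If
            Cont = FindNextFile(hSearch, WFD)
            DoEvents
        Loop
        Cont = FindClose(hSearch)
    End If

    ' Pass 2: scan the files of this directory that match SearchStr.
    hSearch = FindFirstFile(path & SearchStr, WFD)
    If hSearch <> INVALID_HANDLE_VALUE Then
        Cont = True
        Do While Cont
            FileName = StripNulls(WFD.cFileName)
            If (FileName <> ".") And (FileName <> "..") Then
                SuJu1 = SuJu1 + 1

                ' Directories are counted (as before) but cannot be opened as files.
                If (WFD.dwFileAttributes And FILE_ATTRIBUTE_DIRECTORY) = 0 Then
                    ScanOneFile path, FileName
                End If

                GC1 = Text5.Text & "正在检测文件…" & Chr(13) & Chr(10) & path & FileName & Chr(13) & Chr(10)
                Text5.Text = GC1
            End If

            If Me.Command3.Enabled = True Then
                stopRequested = True
                Exit Do
            End If

            Cont = FindNextFile(hSearch, WFD)
            DoEvents

            Me.Label3.Caption = "扫描进程: " & "已经扫描文件:" & SuJu1 & "个"
        Loop
        Cont = FindClose(hSearch)
    End If

    If stopRequested Then Exit Function

    ' Recurse into the subdirectories collected in pass 1.
    For i = 0 To nDir - 1
        If Me.Command3.Enabled = True Then Exit For
        FindFilesAPI = FindFilesAPI + FindFilesAPI(path & dirNames(i) & "\", SearchStr)
    Next i

End Function

' Reads one file line by line, tests each line against the signature pairs and,
' if anything matched, appends the per-file summary to List1 and bumps FaJs.
Private Sub ScanOneFile(ByVal path As String, ByVal FileName As String)
    Dim fh As Integer
    Dim strTemp As String
    Dim encDetail As String

    encDetail = "描述:此文件有可能被加过密!一般安全的程序是不可能加密的!极有可能是木马 序列:"

    On Error GoTo Unreadable
    fh = FreeFile       ' do not assume #1 is free; CxLog also opens a file
    Open path & FileName For Input As #fh

    Do While Not EOF(fh)
        Line Input #fh, strTemp

        ' NOTE(review): DoMyBest is not declared anywhere on this page; if it is an empty
        ' value the pieces simply join. Presumably the split keeps the contiguous signature
        ' out of the scanner's own binary - confirm.
        FlagLine strTemp, "WScr" & DoMyBest & "ipt.Shell", "clsid:72C24DD5-D70A" & DoMyBest & "-438B-8A42-98424B88AFB8", _
                 FileName, "包含危险组件", "危险度极高!", "描述:一般被ASP木马利用来获取CMD SHELL 序列:1"
        FlagLine strTemp, "She" & DoMyBest & "ll.Application", "clsid:13709620-C27" & DoMyBest & "9-11CE-A49E-444553540000", _
                 FileName, "包含危险组件", "危险度极高!", "描述:一般被ASP木马利用来获取系统信息 序列:2"
        FlagLine strTemp, "<%@ LANGUAGE = VBScript.Encode %>", "#@", _
                 FileName, "文件被加密", "危险度极高!", "描述:此文件被加过密!一般安全的程序是不可能加密的!极有可能是木马.图片格式文件可能会误杀请详细检查 序列:3"
        FlagLine strTemp, "clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B", "clsid:0D43FE01-F093-11CF-8940-00A0C9054228", _
                 FileName, "包含危险组件", "危险度高!", "描述:此文件包含文件读写指令.如非上传组件.请删除! 序列:4"
        FlagLine strTemp, "上传组件", "Upload", _
                 FileName, "包含危险特征", "危险度中!(未知)", "描述:此文件包含上传组件或上传文件的专用串.请检查是否合法. 序列:5"
        FlagLine strTemp, "FSO", "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>", _
                 FileName, "包含危险特征", "危险度高!(未知)", "描述:此文件包含木马执行特征.请检查是否合法. 序列:6"
        FlagLine strTemp, "execute request", "FQAAAA", _
                 FileName, "包含危险特征", "危险度极高!", "描述:此文件包含一句话木马.请手工分析删除! 序列:7"
        FlagLine strTemp, "java.io", "java.util", _
                 FileName, "包含危险组件", "危险度极高!", "描述:此文件包含JSP木马.请删除! 序列:8"
        FlagLine strTemp, "System.IO", "System.Diagnostics", _
                 FileName, "包含危险组件", "危险度极高!", "描述:此文件包含ASP.NET木马.请删除! 序列:9"
        FlagLine strTemp, "TBNnGMfflrqBF", "POST[cmd]", _
                 FileName, "包含危险组件", "危险度高!", "描述:此文件包含PHP木马.请删除! 序列:10"
        FlagLine strTemp, "务服", "琳", _
                 FileName, "文件被加密", "危险度极高!", encDetail & "11"
        FlagLine strTemp, "System.Net.Sockets", "UnEncode=temp", _
                 FileName, "包含危险特征", "危险度极高!", "描述:此文件包含木马执行特征.请检查是否合法 序列:12"
        FlagLine strTemp, "execute request(", "vbs&", _
                 FileName, "文件被加密", "危险度极高!", encDetail & "13"
        FlagLine strTemp, "MSXML2.XMLHTTP", "127.0.0.1", _
                 FileName, "包含危险组件", "危险度高!", "描述:此文件包含木马执行特征.请检查是否合法 序列:14"
        FlagLine strTemp, "Encoding.ASCII", "cmd", _
                 FileName, "包含危险特征", "危险度高!", "描述:此文件包含木马转码特征或CMD关键字.请检查是否合法 序列:15"
        FlagLine strTemp, "GetSpecialFolder", "Socket", _
                 FileName, "包含危险特征", "危险度高!", "描述:此文件包含木马执行特征.请检查是否合法 序列:16"

        ' NOTE(review): the page shows an en dash after the quote in the next two pairs; it is
        ' restored to "--" on the assumption that the blog engine converted it - confirm
        ' against the original source.
        FlagLine strTemp, "gif""" & "--", "jpg""" & "--", _
                 FileName, "包含危险特征", "危险度极高!", "描述:此文件引用了图片极有可能是图片木马 序列:17"
        FlagLine strTemp, "bmp""" & "--", "png""" & "--", _
                 FileName, "包含危险特征", "危险度极高!", "描述:此文件引用了图片极有可能是图片木马 序列:18"
        FlagLine strTemp, "<?require(", "require($", _
                 FileName, "包含危险特征", "危险度高!(未知)", "描述:此文件包涵了PHP的特殊引用如发现类似<?require($AAA);?>引用请检查是否合法 序列:19"
        FlagLine strTemp, "4e454c33322", """\x", _
                 FileName, "包含危险特征", "危险度高!(未知)", "描述:此文件极有可能是提权PHP木马或加过密的文件 序列:20"
    Loop

Finish:
    On Error Resume Next    ' Close is best-effort: the handle may never have been opened
    Close #fh
    On Error GoTo 0

    ' Keep the progress box from growing without bound once more than 100 entries were seen.
    If SuJu1 > 100 Then
        Text5.Text = ""
    End If

    If Faxian = "发现危险" Then
        List1.AddItem "发现存在危险的文件是: "
        List1.AddItem ""
        List1.AddItem path & FileName
        List1.AddItem "———————————————————————————————–"
        FaJs = FaJs + 1
        Me.Label2.Caption = "发现有隐患的文件有:" & FaJs & "个"
    End If
    Faxian = ""
    Exit Sub

Unreadable:
    ' Record the gap so a locked or unreadable file is not mistaken for a clean one.
    List1.AddItem "无法读取,未扫描: " & path & FileName
    Resume Finish
End Sub

' Adds the two report lines for one signature pair when either string occurs in strLine
' (case-insensitive), and marks the current file as flagged.
Private Sub FlagLine(ByVal strLine As String, ByVal sigA As String, ByVal sigB As String, _
                     ByVal FileName As String, ByVal kind As String, ByVal severity As String, _
                     ByVal detail As String)
    If InStr(1, strLine, sigA, vbTextCompare) > 0 Or InStr(1, strLine, sigB, vbTextCompare) > 0 Then
        List1.AddItem "发现 " & FileName & " " & kind & "! " & " 安全评估: " & severity
        List1.AddItem detail
        Faxian = "发现危险"
    End If
End Sub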

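Private Sub Command3_Click()
    ' Starts a scan of the folder named in Text1, then exports the result list via CxLog.
    '
    ' Changes against the listing as published:
    '  * The path must exist and be a directory. Previously a mistyped path produced
    '    "scan complete" with zero findings, which reads like a clean result.
    '  * "\" is appended only when missing.
    '  * A scan stopped through Command7 is reported as incomplete, on screen and in the
    '    exported list, instead of as finished.
    Dim SearchPath As String, FindStr As String
    Dim attrs As Long
    Dim aborted As Boolean

    If Text1.Text = "" Then
        MsgBox "请输入正确扫描路径"
        Exit Sub
    End If

    SearchPath = Text1.Text
    If Right$(SearchPath, 1) <> "\" Then SearchPath = SearchPath & "\"

    ' GetFileAttributes returns -1 when the path cannot be queried.
    attrs = GetFileAttributes(SearchPath)
    If attrs = -1 Then
        MsgBox "请输入正确扫描路径"
        Exit Sub
    End If
    If (attrs And FILE_ATTRIBUTE_DIRECTORY) = 0 Then
        MsgBox "请输入正确扫描路径"
        Exit Sub
    End If

    ' Command3 disabled = scan running; Command7 (stop) re-enables it.
    Me.Command3.Enabled = False
    Me.Command7.Enabled = True

    List1.Clear
    FaJs = 0
    SuJu1 = 0
    Me.Text5 = ""
    Screen.MousePointer = vbHourglass

    ' LUjin is not declared in this procedure; it is still assigned in case other code reads it.
    LUjin = SearchPath
    FindStr = "*.*"
    FindFilesAPI SearchPath, FindStr

    ' FindFilesAPI returns early once Command3 has been re-enabled by Command7_Click.
    aborted = (Me.Command3.Enabled = True)
    Screen.MousePointer = vbDefault

    If aborted Then
        List1.AddItem "扫描被中止,结果不完整."
        MsgBox "扫描被中止!导出的扫描结果不完整."
    Else
        MsgBox "扫描完成!自动导出扫描结果."
    End If

    CxLog
    FaJs = "0"
    Me.Command3.Enabled = True
    Me.Command7.Enabled = False
End Sub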

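Sub CxLog()
    ' Writes the contents of List1 to <App.path>\LOG\<date>查杀结果.log and opens it in Notepad.
    '
    ' Changes against the listing as published:
    '  * No blanket On Error Resume Next: a failed export is reported, not silently lost.
    '  * The LOG folder is created when missing.
    '  * The date is formatted as yyyy-mm-dd. The default Date-to-string conversion follows
    '    the system short-date format, which may contain "/" and then breaks the path.
    '  * The loop ends at ListCount - 1 (the list is zero-based).
    '  * FreeFile is used instead of the fixed file number #1.
    '  * The log path is quoted for Notepad, and Notepad is started by full path.
    Dim logDir As String
    Dim logFile As String
    Dim viewer As String
    Dim fh As Integer
    Dim i As Long

    logDir = App.path & "\LOG"
    logFile = logDir & "\" & Format$(Date, "yyyy-mm-dd") & "查杀结果.log"

    On Error GoTo LogFailed
    If Dir$(logDir, vbDirectory) = "" Then MkDir logDir

    fh = FreeFile
    Open logFile For Output As #fh
    Print #fh, "www.ChinNetHack.Com – 网站程序安全分析器 零号服务器专用"
    Print #fh, "发现对服务器具有安全隐患的文件有" & FaJs & "个. 具体结果如下:" & Chr(13) & Chr(10)
    For i = 0 To List1.ListCount - 1
        Print #fh, List1.List(i)
    Next
    Close #fh

    ' A bare "NOTEPAD.EXE" is resolved through the process search path; naming the copy
    ' under the Windows directory avoids picking up a same-named file from elsewhere.
    viewer = Environ$("SystemRoot")
    If Len(viewer) > 0 Then
        viewer = viewer & "\system32\notepad.exe"
    Else
        viewer = "NOTEPAD.EXE"
    End If

    ' Opening the viewer is best-effort; the log itself is already on disk.
    On Error Resume Next
    Shell viewer & " """ & logFile & """", vbMaximizedFocus
    On Error GoTo 0
    Exit Sub

LogFailed:
    MsgBox "导出扫描结果失败: " & Err.Description
    On Error Resume Next
    Close #fh
End Sub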
Private Sub Command7_Click()
    ' Stop button: re-enables Command3, disables itself and restores the mouse pointer.
    ' FindFilesAPI checks Command3.Enabled and leaves its scan loop once it is True.
    With Me
        .Command3.Enabled = True
        .Command7.Enabled = False
    End With
    Screen.MousePointer = vbDefault
End Sub
Private Sub Text5_Change()
    ' Moves the caret to the end of the text whenever Text5 changes.
    With Text5
        .SelStart = Len(.Text)
    End With
End Sub

原文链接:https://www.cnblogs.com/allyesno/archive/2007/07/02/802633.html

原创文章,作者:优速盾-小U,如若转载,请注明出处:https://www.cdnb.net/bbs/archives/18458
