Lately I have been hunting for traces of an account-stealing trojan; these are my notes and takeaways. Experts, feel free to skip this.
My system is Windows 11. To look for the account-stealing trojan I used this command.
netstat -p TCP -anb
The trailing -b parameter shows the process name.
Finding suspicious IPs by process lets you locate the trojan...
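As an added example (my own code, not part of the original post), here is a parser for the `netstat -p TCP -anb` output described above: it attributes each connection to the `[image.exe]` line that -b prints after it, then lists established connections to peers outside the local/private ranges so they can be reviewed. The sample netstat output, the addresses and the image names in it are constructed, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample of `netstat -p TCP -anb` output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED
  Can not obtain ownership information
  TCP    192.168.1.20:49801     203.0.113.7:443        ESTABLISHED
 [SearchHost.exe]
  TCP    192.168.1.20:49990     198.51.100.9:4444      ESTABLISHED
 [updater.exe]
"""

# Peers inside these ranges count as local/internal and are not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8",
                 "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+\.exe)\]\s*$", re.IGNORECASE)

def parse_netstat(text):
    """Parse -anb output: -b prints the owning [image.exe] on a line after each connection."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"proto": m[1], "local": m[2], "remote": m[3],
                          "state": m[4], "image": None})
        elif (m := OWNER_RE.match(line)) and conns and conns[-1]["image"] is None:
            conns[-1]["image"] = m[1]  # attribute the image to the most recent connection line
    return conns

def remote_ip(endpoint):
    """'203.0.113.7:443' -> '203.0.113.7'; IPv6 peers appear as '[::1]:443'."""
    return endpoint.rpartition(":")[0].strip("[]")

def suspicious_connections(text):
    """ESTABLISHED connections to non-internal peers, as (image, remote) pairs to review."""
    flagged = []
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED":
            continue
        ip = ipaddress.ip_address(remote_ip(c["remote"]))
        if not any(ip in net for net in INTERNAL_NETS):
            flagged.append((c["image"] or "<unknown>", c["remote"]))
    return flagged
```

A connection whose owner netstat could not resolve is reported as `<unknown>` rather than dropped, since that is exactly the case worth a second look.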
This code obtains the pid from the process name.
# A program that hooks (locates) a specified process
import psutil


def hook_process(process_name):
    """Return the pid of the first process whose image name matches process_name, else None."""
    for proc in psutil.process_iter():
        try:
            pinfo = proc.as_dict(attrs=['pid', 'name', 'cmdline'])
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            pass  # the process vanished or cannot be read; skip it
        else:
            # image names are case-insensitive on Windows
            if pinfo['name'].lower() == process_name.lower():
                print(pinfo)
                return pinfo['pid']
    return None


if __name__ == '__main__':
    pid = hook_process('SearchHost.exe')
    if pid:
        print('hook process success')
    else:
        print('hook process failed')
In the SearchHost process I found the CoreMessaging.dll module, and its PostMessageW function looked suspicious. Below is my hook code...
# Hook the PostMessageW function of the CoreMessaging.dll module, given the process pid
from ctypes import windll
from ctypes.wintypes import HWND, UINT, WPARAM, LPARAM, BOOL

# Load the DLL
dll = windll.LoadLibrary("CoreMessaging.dll")
# Resolve the PostMessageW export from the loaded DLL (raises AttributeError if the DLL does not export it)
PostMessage = dll.PostMessageW
# Declare the argument types and return type of PostMessageW
PostMessage.argtypes = [HWND, UINT, WPARAM, LPARAM]
PostMessage.restype = BOOL  # according to the documentation, PostMessage returns a BOOL
# Handle of the target window (HWND)
hwnd = HWND(6224)  # replace this with the actual window handle you want to send the message to
# The message to send (UINT) and its parameters (WPARAM and LPARAM)
message = 0x100  # replace this with the actual message you want to send (0x100 is WM_KEYDOWN)
wparam = 0
lparam = 0
# Call PostMessageW with the given arguments
result = PostMessage(hwnd, message, wparam, lparam)
if result == 0:
    print("Failed to post message")
else:
    print("Message posted successfully")
I am uploading these two files, along with the related tools...