序言:首先,我不能保证全部拦住,只能保证拦住简单的那种,没经过特殊处理的
我们都知道,远程控制木马病毒,一直是杀毒软件困扰的
但是我们通过观察他们的表面特征,都能发现几个共同点
1.没有窗口
2.一般来说没有签名
3.Mutex互斥体(防止重复上线)
4.联网
特征显而易见
但是有些远控不加Mutex 所以我们不判断这个
那么剩下的就是 没有窗口 没有签名 和联网了
有些木马是有签名的,我们暂时不提
#include <iostream>
#include <windows.h>
#include <softpub.h>
#include <wintrust.h>
#include <tchar.h>
#include <psapi.h>
#include <tlhelp32.h>
#include <Iphlpapi.h>
#include <vector>
#pragma comment (lib, "wintrust")
#pragma comment(lib, "Iphlpapi.lib")
using namespace std;我们要用到的头文件和namespace这些
好,我们可以开始编写主体部分了
1.判断是否有窗口,代码如下
bool DoesProcessHaveWindow(DWORD processId) {
HWND hwnd = FindWindow(nullptr, nullptr);
while (hwnd) {
DWORD windowProcessId;
GetWindowThreadProcessId(hwnd, &windowProcessId);
if (windowProcessId == processId) {
return true;
}
hwnd = GetWindow(hwnd, GW_HWNDNEXT);
}
return false;
}
int Is_Has_Window(DWORD targetProcessId) {
if (DoesProcessHaveWindow(targetProcessId)) {
std::cout << "The specified process has a window." << std::endl;
return 1;
}
else {
std::cout << "The specified process does not have a window." << std::endl;
return 0;
}
}Is_Has_Window(进程PID) 如果返回1 就有窗口 如果返回0 就没窗口
2.判断签名是否合法
int VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG lStatus;
DWORD dwLastError;
// Initialize the WINTRUST_FILE_INFO structure.
// 待验证文件的完整路径
WINTRUST_FILE_INFO FileData;
memset(&FileData, 0, sizeof(FileData));
FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
FileData.pcwszFilePath = pwszSourceFile;
FileData.hFile = NULL;
FileData.pgKnownSubject = NULL;
/*
WVTPolicyGUID specifies the policy to apply on the file
WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
1) The certificate used to sign the file chains up to a root
certificate located in the trusted root certificate store. This
implies that the identity of the publisher has been verified by
a certification authority.
2) In cases where user interface is displayed (which this example
does not do), WinVerifyTrust will check for whether the
end entity certificate is stored in the trusted publisher store,
implying that the user trusts content from this publisher.
3) The end entity certificate has sufficient permission to sign
code, as indicated by the presence of a code signing EKU or no
EKU.
*/
GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_DATA WinTrustData;
// Initialize the WinVerifyTrust input data structure.
// Default all fields to 0.
memset(&WinTrustData, 0, sizeof(WinTrustData));
WinTrustData.cbStruct = sizeof(WinTrustData);
// Use default code signing EKU.
WinTrustData.pPolicyCallbackData = NULL;
// No data to pass to SIP.
WinTrustData.pSIPClientData = NULL;
// Disable WVT UI.
WinTrustData.dwUIChoice = WTD_UI_NONE;
// No revocation checking.
WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
// 采用文件方式验证, 其他还有内存等
// Verify an embedded signature on a file.
WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;
// Verify action.
WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
// Verification sets this value.
WinTrustData.hWVTStateData = NULL;
// Not used.
WinTrustData.pwszURLReference = NULL;
// This is not applicable if there is no UI because it changes
// the UI to accommodate running applications instead of
// installing applications.
WinTrustData.dwUIContext = 0;
// Set pFile.
WinTrustData.pFile = &FileData;
// 当前操作是要验证签名,后面还需要调用一次关闭去释放从此次验证操作中得到的放在trustData中的数据
// PS: 微软为啥老喜欢同一个接口换个flag就变成完全不同的功能,感觉用个FreeWinVerifyTrustedData之类的不好嘛。。(微软:你在教我做事?) -_-
// WinVerifyTrust verifies signatures as specified by the GUID
// and Wintrust_Data.
lStatus = WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
switch (lStatus)
{
case ERROR_SUCCESS:
/*
Signed file:
- Hash that represents the subject is trusted.
- Trusted publisher without any verification errors.
- UI was disabled in dwUIChoice. No publisher or
time stamp chain errors.
- UI was enabled in dwUIChoice and the user clicked
"Yes" when asked to install and run the signed
subject.
*/
// 只是验证了签名有效,但是到底是不是预期的签名者进行的签名还不确定, 可以进一步验证
wprintf_s(L"The file \"%s\" is signed and the signature "
L"was verified.\n",
pwszSourceFile);
return 1;
break;
case TRUST_E_NOSIGNATURE:
// The file was not signed or had a signature
// that was not valid.
// Get the reason for no signature.
dwLastError = GetLastError();
if (TRUST_E_NOSIGNATURE == dwLastError ||
TRUST_E_SUBJECT_FORM_UNKNOWN == dwLastError ||
TRUST_E_PROVIDER_UNKNOWN == dwLastError)
{
// The file was not signed.
wprintf_s(L"The file \"%s\" is not signed.\n",
pwszSourceFile);
return 0;
}
else
{
// The signature was not valid or there was an error
// opening the file.
wprintf_s(L"An unknown error occurred trying to "
L"verify the signature of the \"%s\" file.\n",
pwszSourceFile);
return 0;//无签名
}
break;
case TRUST_E_EXPLICIT_DISTRUST:
// The hash that represents the subject or the publisher
// is not allowed by the admin or user.
wprintf_s(L"The signature is present, but specifically "
L"disallowed.\n");
return 0;//无效签名
break;
case TRUST_E_SUBJECT_NOT_TRUSTED:
// The user clicked "No" when asked to install and run.
wprintf_s(L"The signature is present, but not "
L"trusted.\n");
return -1;
break;
case CRYPT_E_SECURITY_SETTINGS:
/*
The hash that represents the subject or the publisher
was not explicitly trusted by the admin and the
admin policy has disabled user trust. No signature,
publisher or time stamp errors.
*/
wprintf_s(L"CRYPT_E_SECURITY_SETTINGS - The hash "
L"representing the subject or the publisher wasn't "
L"explicitly trusted by the admin and admin policy "
L"has disabled user trust. No signature, publisher "
L"or timestamp errors.\n");
return -1;
break;
default:
// The UI was disabled in dwUIChoice or the admin policy
// has disabled user trust. lStatus contains the
// publisher or time stamp chain error.
wprintf_s(L"Error is: 0x%x.\n",
lStatus);
return -1;
break;
}
// 设置flag为CLOSE, 然后释放掉上面申请出来的内存。。
// Any hWVTStateData must be released by a call with close.
WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
lStatus = WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
//return true;
}VerifyEmbeddedSignature(文件路径) 如果返回1 则合法 如果其他 则不合法
3.是否联网
bool IsProcessCommunicating(DWORD processId) {
MIB_TCPTABLE_OWNER_PID* pTcpTable;
DWORD dwSize = 0;
DWORD dwRetVal = 0;
pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(sizeof(MIB_TCPTABLE_OWNER_PID));
if (pTcpTable == NULL) {
std::cout << "Error allocating memory." << std::endl;
return false;
}
dwRetVal = GetExtendedTcpTable(pTcpTable, &dwSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
if (dwRetVal != ERROR_INSUFFICIENT_BUFFER) {
free(pTcpTable);
std::cout << "Error getting extended TCP table." << std::endl;
return false;
}
pTcpTable = (MIB_TCPTABLE_OWNER_PID*)malloc(dwSize);
if (pTcpTable == NULL) {
std::cout << "Error allocating memory." << std::endl;
return false;
}
dwRetVal = GetExtendedTcpTable(pTcpTable, &dwSize, TRUE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
if (dwRetVal == NO_ERROR) {
for (DWORD i = 0; i < pTcpTable->dwNumEntries; i++) {
if (pTcpTable->table[i].dwOwningPid == processId) {
free(pTcpTable);
return true;
}
}
}
else {
std::cout << "Error getting extended TCP table." << std::endl;
}
free(pTcpTable);
return false;
}
IsProcessCommunicating(进程PID)
如果返回True 则联网
如果为False 则没联网
仅仅是判断了TCP(如果是纯UDP或者纯HTTP可能检测不到)
一个简单的Method 根据进程PID获取路径
LPCWSTR GetProcessPath(DWORD processId) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processId);
static wchar_t szProcessPath[MAX_PATH];
if (hProcess != nullptr) {
DWORD size = sizeof(szProcessPath) / sizeof(szProcessPath[0]);
if (GetModuleFileNameEx(hProcess, nullptr, szProcessPath, size) != 0) {
CloseHandle(hProcess);
return szProcessPath;
}
else {
std::wcerr << L"无法获取进程路径。错误码: " << GetLastError() << std::endl;
}
CloseHandle(hProcess);
}
else {
std::wcerr << L"无法打开指定进程。错误码: " << GetLastError() << std::endl;
}
return nullptr;
}这个不用解释了,很简单
接下来的工作就很简单了
遍历进程然后判断就好
也可以用Event Trace For Windows(ProcessMon判断新进程是否为yuankong.exe)
void test(DWORD PID, std::vector<DWORD>& abnormalProcesses) {
bool a = false; bool b = false; bool c = false;
if (Is_Has_Window(PID) == 1) {//窗口
b = true;
a = true;
c = true;
}
if (VerifyEmbeddedSignature(GetProcessPath(PID)) != 0) {//签名
b = true;
a = true;
c = true;
}
if (IsProcessCommunicating(PID) == 0) {//联网
c = true;
}
cout << a << b << c << endl;
if (!(a && b && c)) {
abnormalProcesses.push_back(PID);
}
}
int main() {
DWORD processes[1024], cbNeeded, cProcesses;
std::vector<DWORD> abnormalProcesses;
if (EnumProcesses(processes, sizeof(processes), &cbNeeded)) {
cProcesses = cbNeeded / sizeof(DWORD);
for (DWORD i = 0; i < cProcesses; i++) {
test(processes[i], abnormalProcesses);
}
system("cls");
std::cout << "不正常的进程:" << std::endl;
for (DWORD PID : abnormalProcesses) {
std::cout << PID;
std::wcout << " " << GetProcessPath(PID) << endl;
}
}
else {
std::cout << "无法枚举进程。错误码: " << GetLastError() << std::endl;
}
system("pause");
return 0;
}
这个方法误报是有点高的
但是确实有效
可以接入ViursTotal来判断是否为白文件
或者直接过滤System目录
原创:ShaShen The_Laster
未经允许不可转载
Bilibili:
ShaShen Bilbili
https://space.bilibili.com/1267481159?spm_id_from=333.1007.0.0
The_Laster Bilibilihttps://space.bilibili.com/1399543742
260
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
