2014年4月6日 星期日
實用資安命令列指令-尋找哪個程序載入了惡意的DLL檔
範例:
尋找哪個程序載入了惡意的DLL檔，例如：malware.dll
指令:
tasklist /m malware.dll
結果:
Image Name PID Modules
========================= ====== ============================================
MalwareLoader.exe 1220 malware.dll
另外，可以把PC上所有的Process列成HTML表格來參照，指令如下：
wmic process get /format:htable > c:\process.htm
可以了解程式執行的實際路徑位置
如果要再查看此惡意程式還載入了哪些異常的DLL
指令:
tasklist /m /fi "imagename eq MalwareLoader.exe"
結果:
Image Name PID Modules
========================= ====== =============================================
MalwareLoader.exe 1856 ntdll.dll, kernel32.dll, malware.dll,
RPCRT4.dll, Secur32.dll, BROWSEUI.dll,
GDI32.dll, USER32.dll, msvcrt.dll,
ole32.dll, SHLWAPI.dll, OLEAUT32.dll,
SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
CRYPTUI.dll, NETAPI32.dll, VERSION.dll,
2014年4月4日 星期五
VB6 剖析 Autorunsc 命令列工具產生的 XML檔
Autorunsc 是一個資安命令列工具,可以查看特定電腦開啟會用到的資訊,對於檢測惡意程式相當有幫助.本範例先透過批次檔產生一個XML檔案,再利用VB6處理XML檔案 供後續應用....
批次檔內容
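@echo off
rem Run Autorunsc (placed next to this script) and save its XML report for the VB6 parser.
rem -accepteula  accept the EULA so no interactive prompt blocks the run
rem -a           Show all entries.
rem -x           emit XML
rem -v           verify digital signatures
rem -f           include file hashes (MD5 etc.)
rem %~dp0 is the folder of this batch file, so the tool is found and the report
rem lands beside it even when the script is started from another working directory.
"%~dp0autorunsc.exe" -accepteula -a -x -v -f > "%~dp0xxxx4.xml"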
VB6 程式碼
' Module-level accumulators shared by RecurseChildNodes and the output step.
Private G_Temps As String    'comma-joined field values collected for the current <item>
Private G_subItem As Integer 'number of nodes folded into G_Temps for the current <item>
' Kick off the XML walk as soon as the form is created.
Private Sub Form_Load()
    Call ParseXmlDocument
End Sub
'處理XML檔
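' Process the XML file.
' Loads <App.Path>\xxxx4.xml (the Autorunsc -x report) and walks it with
' RecurseChildNodes, which appends one line per <item> to output.txt.
' The parser is made synchronous so childNodes is populated before the walk,
' and external entity / DTD resolution is disabled: the report was produced on
' the machine under investigation, so it is handled as untrusted input.
' A failed load is reported (Immediate window + log) instead of silently
' producing an empty output.txt.
Sub ParseXmlDocument()
    Dim xmlDoc As DOMDocument30
    Set xmlDoc = New MSXML2.DOMDocument30
    xmlDoc.async = False             'Load must complete before we read childNodes
    xmlDoc.validateOnParse = False
    xmlDoc.resolveExternals = False  'never fetch external entities named in the input
    'xmlDoc.loadXML Me.TxtXML.Text
    If xmlDoc.Load(App.Path & "\xxxx4.xml") Then
        Call RecurseChildNodes(xmlDoc, xmlDoc.childNodes) 'recursive walk
    Else
        Debug.Print "XML load failed: " & xmlDoc.parseError.reason
        Call WriteFiles("output.txt", "XML load failed: " & xmlDoc.parseError.reason)
    End If
    Set xmlDoc = Nothing
End Sub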
'遞迴XML文件內的節點
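' Recursively walk the nodes of the XML document.
' Depth-first over childNode. Every element below an <item> contributes its
' nodeTypedValue to G_Temps (comma-terminated) and bumps G_subItem; once the
' <item> element itself has been fully visited, one line
' "次數 n count. fields" is printed and appended to output.txt and both
' accumulators are reset.
' xmlDoc is kept in the signature for existing callers but is not read here;
' the Function returns nothing useful (it works through G_Temps / G_subItem /
' WriteFiles side effects).
' Notes:
' - "次數" restarts at 1 per call level, so it numbers <item> elements that are
'   siblings under the same parent (the layout Autorunsc emits).
' - An empty element (e.g. <company/>) now yields an empty field so that the
'   column positions of later fields (path, hashes) stay aligned.
' - Values are not quoted/escaped: a value containing a comma (e.g.
'   "Adobe Systems, Inc.") spans two columns in the output line.
Public Function RecurseChildNodes(xmlDoc As MSXML2.DOMDocument30, childNode As IXMLDOMNodeList)
    Const ELEMENT_NODE_TYPE = 1  'IXMLDOMNode.nodeType value for element nodes
    Dim icnt As Integer
    Dim intNodeCounter As Integer
    Dim curNode As IXMLDOMNode
    Dim kids As IXMLDOMNodeList
    For intNodeCounter = 0 To childNode.length - 1
        Set curNode = childNode.Item(intNodeCounter)
        Set kids = curNode.childNodes
        If kids.length > 0 Then
            RecurseChildNodes xmlDoc, kids
            Select Case LCase(curNode.nodeName)
                Case "item" 'each completed item flushes what was accumulated below it
                    icnt = icnt + 1
                    Debug.Print "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps
                    Call WriteFiles("output.txt", "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps)
                    G_Temps = ""
                    G_subItem = 0
                Case Else
                    G_Temps = G_Temps & curNode.nodeTypedValue & ","
                    G_subItem = G_subItem + 1
            End Select
        ElseIf curNode.nodeType = ELEMENT_NODE_TYPE And LCase(curNode.nodeName) <> "item" Then
            'childless element: keep an (empty) field so later columns do not shift
            G_Temps = G_Temps & ","
            G_subItem = G_subItem + 1
        End If
    Next intNodeCounter
End Function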
'寫入LOG
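' Write to the log.
' Appends one line to a text file located next to the executable.
' FN: log file name. ".txt" is added only when FN has no extension, so the
'     existing caller passing "output.txt" gets output.txt rather than
'     output.txt.txt.
' sContent: the line to write.
' Logging is best-effort: any error (locked file, unwritable folder) is
' swallowed so it never aborts the XML walk, but the file handle is always
' released on the way out.
Sub WriteFiles(ByVal FN, ByVal sContent)
    Const ForAppend = 8
    Dim fso, f
    Dim sPath As String
    On Error GoTo Done
    sPath = App.Path & "\" & FN
    If InStr(FN, ".") = 0 Then sPath = sPath & ".txt"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(sPath, ForAppend, True)
    f.WriteLine sContent
Done:
    On Error Resume Next
    If Not f Is Nothing Then f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub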
'輸出範例
次數 492 14. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers,PDF Shell Extension,Enabled,HKCR\CLSID\{F9DB5320-233E-11D1-9F84-707F02C10627},PDF Shell Extension,Adobe Systems, Inc.,(Verified) Adobe Systems,11.0.3.37,c:\program files\common files\adobe\acrobat\activex\pdfshell.dll,2013/5/11 下午 05:34,edfa163fdbd7051cd9148410e4b56af0,6c512b12f830ef82ed09e985187fbd704329f66b,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,
次數 493 2. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,2013/5/8 下午 02:05,
次數 494 14. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,Shell Extension for Malware scanning,Enabled,HKCR\CLSID\{45AC2688-0253-4ED8-97DE-B5370FA7D48A},AntiVirus context menu,Avira Operations GmbH & Co. KG,(Verified) Avira Operations GmbH & Co. KG,14.0.3.336,c:\program files\avira\antivir desktop\shlext.dll,2014/2/13 下午 10:31,e39276483186ef0a9e0b483016a36180,22b2d12ad8428e8f6b171a21aa900daab9d1c7fc,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,
......
參考文章
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.freevbcode.com/ShowCode.asp?ID=5750
批次檔內容
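@echo off
rem Run Autorunsc (placed next to this script) and save its XML report for the VB6 parser.
rem -accepteula  accept the EULA so no interactive prompt blocks the run
rem -a           Show all entries.
rem -x           emit XML
rem -v           verify digital signatures
rem -f           include file hashes (MD5 etc.)
rem %~dp0 is the folder of this batch file, so the tool is found and the report
rem lands beside it even when the script is started from another working directory.
"%~dp0autorunsc.exe" -accepteula -a -x -v -f > "%~dp0xxxx4.xml"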
VB6 程式碼
' Module-level accumulators shared by RecurseChildNodes and the output step.
Private G_Temps As String    'comma-joined field values collected for the current <item>
Private G_subItem As Integer 'number of nodes folded into G_Temps for the current <item>
' Kick off the XML walk as soon as the form is created.
Private Sub Form_Load()
    Call ParseXmlDocument
End Sub
'處理XML檔
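' Process the XML file.
' Loads <App.Path>\xxxx4.xml (the Autorunsc -x report) and walks it with
' RecurseChildNodes, which appends one line per <item> to output.txt.
' The parser is made synchronous so childNodes is populated before the walk,
' and external entity / DTD resolution is disabled: the report was produced on
' the machine under investigation, so it is handled as untrusted input.
' A failed load is reported (Immediate window + log) instead of silently
' producing an empty output.txt.
Sub ParseXmlDocument()
    Dim xmlDoc As DOMDocument30
    Set xmlDoc = New MSXML2.DOMDocument30
    xmlDoc.async = False             'Load must complete before we read childNodes
    xmlDoc.validateOnParse = False
    xmlDoc.resolveExternals = False  'never fetch external entities named in the input
    'xmlDoc.loadXML Me.TxtXML.Text
    If xmlDoc.Load(App.Path & "\xxxx4.xml") Then
        Call RecurseChildNodes(xmlDoc, xmlDoc.childNodes) 'recursive walk
    Else
        Debug.Print "XML load failed: " & xmlDoc.parseError.reason
        Call WriteFiles("output.txt", "XML load failed: " & xmlDoc.parseError.reason)
    End If
    Set xmlDoc = Nothing
End Sub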
'遞迴XML文件內的節點
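' Recursively walk the nodes of the XML document.
' Depth-first over childNode. Every element below an <item> contributes its
' nodeTypedValue to G_Temps (comma-terminated) and bumps G_subItem; once the
' <item> element itself has been fully visited, one line
' "次數 n count. fields" is printed and appended to output.txt and both
' accumulators are reset.
' xmlDoc is kept in the signature for existing callers but is not read here;
' the Function returns nothing useful (it works through G_Temps / G_subItem /
' WriteFiles side effects).
' Notes:
' - "次數" restarts at 1 per call level, so it numbers <item> elements that are
'   siblings under the same parent (the layout Autorunsc emits).
' - An empty element (e.g. <company/>) now yields an empty field so that the
'   column positions of later fields (path, hashes) stay aligned.
' - Values are not quoted/escaped: a value containing a comma (e.g.
'   "Adobe Systems, Inc.") spans two columns in the output line.
Public Function RecurseChildNodes(xmlDoc As MSXML2.DOMDocument30, childNode As IXMLDOMNodeList)
    Const ELEMENT_NODE_TYPE = 1  'IXMLDOMNode.nodeType value for element nodes
    Dim icnt As Integer
    Dim intNodeCounter As Integer
    Dim curNode As IXMLDOMNode
    Dim kids As IXMLDOMNodeList
    For intNodeCounter = 0 To childNode.length - 1
        Set curNode = childNode.Item(intNodeCounter)
        Set kids = curNode.childNodes
        If kids.length > 0 Then
            RecurseChildNodes xmlDoc, kids
            Select Case LCase(curNode.nodeName)
                Case "item" 'each completed item flushes what was accumulated below it
                    icnt = icnt + 1
                    Debug.Print "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps
                    Call WriteFiles("output.txt", "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps)
                    G_Temps = ""
                    G_subItem = 0
                Case Else
                    G_Temps = G_Temps & curNode.nodeTypedValue & ","
                    G_subItem = G_subItem + 1
            End Select
        ElseIf curNode.nodeType = ELEMENT_NODE_TYPE And LCase(curNode.nodeName) <> "item" Then
            'childless element: keep an (empty) field so later columns do not shift
            G_Temps = G_Temps & ","
            G_subItem = G_subItem + 1
        End If
    Next intNodeCounter
End Function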
'寫入LOG
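' Write to the log.
' Appends one line to a text file located next to the executable.
' FN: log file name. ".txt" is added only when FN has no extension, so the
'     existing caller passing "output.txt" gets output.txt rather than
'     output.txt.txt.
' sContent: the line to write.
' Logging is best-effort: any error (locked file, unwritable folder) is
' swallowed so it never aborts the XML walk, but the file handle is always
' released on the way out.
Sub WriteFiles(ByVal FN, ByVal sContent)
    Const ForAppend = 8
    Dim fso, f
    Dim sPath As String
    On Error GoTo Done
    sPath = App.Path & "\" & FN
    If InStr(FN, ".") = 0 Then sPath = sPath & ".txt"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(sPath, ForAppend, True)
    f.WriteLine sContent
Done:
    On Error Resume Next
    If Not f Is Nothing Then f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub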
'輸出範例
次數 492 14. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers,PDF Shell Extension,Enabled,HKCR\CLSID\{F9DB5320-233E-11D1-9F84-707F02C10627},PDF Shell Extension,Adobe Systems, Inc.,(Verified) Adobe Systems,11.0.3.37,c:\program files\common files\adobe\acrobat\activex\pdfshell.dll,2013/5/11 下午 05:34,edfa163fdbd7051cd9148410e4b56af0,6c512b12f830ef82ed09e985187fbd704329f66b,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,
次數 493 2. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,2013/5/8 下午 02:05,
次數 494 14. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,Shell Extension for Malware scanning,Enabled,HKCR\CLSID\{45AC2688-0253-4ED8-97DE-B5370FA7D48A},AntiVirus context menu,Avira Operations GmbH & Co. KG,(Verified) Avira Operations GmbH & Co. KG,14.0.3.336,c:\program files\avira\antivir desktop\shlext.dll,2014/2/13 下午 10:31,e39276483186ef0a9e0b483016a36180,22b2d12ad8428e8f6b171a21aa900daab9d1c7fc,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,
......
參考文章
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.freevbcode.com/ShowCode.asp?ID=5750
Excel VBA 將按鈕增加在[增益集]內
先新增一個 auto_open 副程式，在其中寫入要新增的按鈕內容，開啟活頁簿時即自動載入
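' Runs automatically when the add-in workbook is opened: creates a "mytool"
' command bar (shown under [增益集] / Add-ins) carrying one caption button.
' Exits early when a bar named "mytool" already exists so repeated opens do
' not stack duplicate bars; Temporary:=True lets Excel discard the bar on exit.
Sub auto_open()
    Dim objCommandBar As CommandBar
    Dim mybar As CommandBar   'declared explicitly so the code survives Option Explicit
    'check whether the custom bar has already been created
    For Each objCommandBar In CommandBars
        If objCommandBar.Name = "mytool" Then
            Exit Sub
        End If
    Next
    Set mybar = CommandBars.Add(Name:="mytool", Position:=msoBarTop, Temporary:=True)
    With mybar
        .Controls.Add Type:=msoControlButton, ID:=2950, Before:=1
        .Controls(1).Style = msoButtonCaption
        .Controls(1).Caption = " 顯示名稱" 'text shown on the button
        .Controls(1).OnAction = "要呼叫的副程式或函式" 'name of the macro Sub/Function to run on click
        .Visible = True
    End With
End Sub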