Sub CheckArg() tmpPath = Left(WScript.Arguments.Item(1), InStrRev(WScript.Arguments.Item(1),"/")-1) Set objFSO = WScript.CreateObject ("Scripting.FileSystemObject") If Not objFSO.FolderExists(WScript.Arguments.Item(0)) Then WScript.Echo "Error:错误的路径“" & WScript.Arguments.Item(0) & "”!" WScript.Quit ElseIf Not objFSO.FolderExists(tmpPath) Then WScript.Echo "Error:错误的文件路径“" & tmpPath & "”!" WScript.Quit End If Set objFSO = Nothing End Sub
'遍历处理path及其子目录所有文件 Sub ShowAllFile(Path) WScript.Echo "正在检查目录" & path Set FSO = CreateObject("Scripting.FileSystemObject") Set f = FSO.GetFolder(Path) Set fc2 = f.files For Each myfile in fc2 If CheckExt(FSO.GetExtensionName(path&"/"&myfile.name)) Then 'WScript.Echo "正在检查文件" & path&"/"&myfile.name Call ScanFile(Path&Temp&"/"&myfile.name, "") SumFiles = SumFiles + 1 End If Next Set fc = f.SubFolders For Each f1 in fc ShowAllFile path&"/"&f1.name SumFolders = SumFolders + 1 Next Set FSO = Nothing End Sub
'检查文件后缀,如果与预定的匹配即返回TRUE Function CheckExt(FileExt) If DimFileExt = "*" Then CheckExt = True Ext = Split(DimFileExt,",") For i = 0 To Ubound(Ext) If Lcase(FileExt) = Ext(i) Then CheckExt = True Exit Function End If Next End Function
'检测文件 Sub ScanFile(FilePath, InFile) If InFile "" Then Infiles = " font color=red 该文件被"& InFile & "文件包含执行 /font " End If temp = FilePath On Error Resume Next Set tStream = WScript.CreateObject("ADODB.Stream") tStream.type = 1 tStream.mode = 3 tStream.open tStream.Position=0 tStream.LoadFromFile FilePath If err Then Exit Sub end if tStream.type = 2 tStream.charset = "GB2312" Do Until tStream.EOS filetxt = filetxt & LCase(replace(tStream.ReadText(102400), Chr(0), "")) Loop tStream.close() Set tStream = Nothing
Set FSOs = WScript.CreateObject("Scripting.FileSystemObject") if len(filetxt) 0 then '特征码检查 filetxt = vbcrlf & filetxt 'Check "WScr"&DoMyBest&"ipt.Shell" If Instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then Report = Report tr td "&temp /td td WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8 /td td font color=red 危险组件,一般被ASP木马利用 /font "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End if 'Check "She"&DoMyBest&"ll.Application" If Instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then Report = Report tr td "&temp /td td She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000 /td td font color=red 危险组件,一般被ASP木马利用 /font "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check Unicode If instr( filetxt, chr(-22048)) then Report = Report tr td "&temp /td td 无 /td td font color=red 使用 Unicode 编码 ASP 代码 /font "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .Encode Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "/bLANGUAGE/s*=/s*[""]?/s*(vbscript|jscript|javascript).encode/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td (vbscript|jscript|javascript).Encode /td td font color=red 似乎脚本被加密了,一般ASP文件是不会加密的 /font "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check my ASP backdoor :( regEx.Pattern = "/bEv"&"al/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td Ev" /td td e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X) br 但是javascript代码中也可以使用,有可能是误报。"&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check exe&cute backdoor regEx.Pattern = "[^.]/bExe"&"cute/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td Exec"&"ute /td td font color=red e"&"xecute()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X) /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .(Open|Create)TextFile regEx.Pattern = "/.(Open|Create)TextFile/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .Crea"&"teTextFile|.O"&"penTextFile /td td 使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .SaveT&oFile regEx.Pattern = "/.SaveT"&"oFile/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .Sa"&"veToFile /td td 使用了Stream或者JMail的SaveToFile函数写文件"&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .&Save regEx.Pattern = "/.Sa"&"ve/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .Sa" /td td 使用了XMLHTTP的Save函数写文件"&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check set Server regEx.Pattern = "set/s*.*/s*=/s*server/s" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td Set xxx=Se"&"rver /td td font color=red 发现Set xxx=Ser" & jj & "ver,请管理员仔细检查是否调用.execute /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check Server.(Transfer|Ex&ecute) regEx.Pattern = "Server.(Ex"&"ecute|Transfer)([ /t]*|/()[^""]/)" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td Server.Ex"&"ecute /td td font color=red 不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查 /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .Ru&n regEx.Pattern = "/.R"&"un/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .Ru" /td td font color=red 发现 WScript 的 Run 函数 /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .Exe&c regEx.Pattern = "/.Ex"&"ec/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .Ex" /td td font color=red 发现 WScript 的 Exec 函数 /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If 'Check .Shel&lExecute regEx.Pattern = "/.Shel"&"lExecute/b" If regEx.Test(filetxt) Then Report = Report tr td "&temp /td td .ShellE"&"xecute /td td font color=red 发现 Application 的 ShellExecute 函数 /font br "&infiles /td td "&GetDateCreate(filepath) br "&GetDateModify(filepath) /td /tr " Sun = Sun + 1 End If Set regEx = Nothing
'Check include file not with "&' Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = " !--/s*#include/s+(file|virtual)/s*=/s*.*-- " Set Matches = regEx.Execute(filetxt) For Each Match in Matches tFile = Replace(Trim(Mid(Match.Value, Instr(Match.Value, "=") + 1, Len(Match.Value) - Instr(Match.Value, "=") - 1)),"/","/") If Left(tFile, 1)="'" Then tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2) ElseIf Left(tFile, 1)="""" Then tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2) Else tFile = Replace(tFile, Chr(9), " ") If InStr(tFile, " ") 0 Then tFile = Left(tFile, InStr( tFile, " ") - 1) Else tFile = Left(tFile, InStr( tFile, "-") - 1) End If End If If Not CheckExt(FSOs.GetExtensionName(tFile)) Then Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"/"))&tFile, FilePath) SumFiles = SumFiles + 1 End If Next Set Matches = Nothing Set regEx = Nothing
'Check Server&.Execute|Transfer Set regEx = New RegExp regEx.IgnoreCase = True regEx.Global = True regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ /t]*|/()"".*?""" Set Matches = regEx.Execute(filetxt) For Each Match in Matches tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","/") If Not CheckExt(FSOs.GetExtensionName(tFile)) Then Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"/"))&tFile, FilePath) SumFiles = SumFiles + 1 End If Next Set Matches = Nothing Set regEx = Nothing
'Check RunatScript Set XregEx = New RegExp XregEx.IgnoreCase = True XregEx.Global = True XregEx.Pattern = " scr"&"ipt/s*(.|/n)*?runat/s*=/s*""?server""?(.|/n)*? " Set XMatches = XregEx.Execute(filetxt) For Each Match in XMatches tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, " ")) srcSeek = InStr(1, tmpLake2, "src", 1) If srcSeek 0 Then srcSeek2 = instr(srcSeek, tmpLake2, "=") For i = 1 To 50 tmp = Mid(tmpLake2, srcSeek2 + i, 1) If tmp " " and tmp chr(9) and tmp vbCrLf Then Exit For End If Next If tmp = """" Then tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1) Else If InStr(srcSeek2 + i + 1, tmpLake2, " ") 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2 If InStr(tmpName, chr(9)) 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1) If InStr(tmpName, vbCrLf) 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1) If InStr(tmpName, " ") 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, " ") - 1) End If Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"/"))&tmpName , FilePath) SumFiles = SumFiles + 1 End If Next Set Matches = Nothing Set regEx = Nothing
end if set fsos = nothing
End Sub
Function GetDateModify(filepath) Set fso = CreateObject("Scripting.FileSystemObject") Set f = fso.GetFile(filepath) s = f.DateLastModified set f = nothing set fso = nothing GetDateModify = s End Function
Function GetDateCreate(filepath) Set fso = CreateObject("Scripting.FileSystemObject") Set f = fso.GetFile(filepath) s = f.DateCreated set f = nothing set fso = nothing GetDateCreate = s End Function
Sub WriteToFile() Set FSO = CreateObject("Scripting.FileSystemObject") Set theFile = FSO.OpenTextFile(WScript.Arguments.Item(1), 2, True) theFile.Write(Report2) theFile.Close Set FSO = Nothing WScript.Echo "扫描结果已经写入文件“"&WScript.Arguments.Item(1)&"”,请查看之!" End Sub html教程
