A few points first:
[Note] This program has not been tested on other operating systems; at present it is only meant for Windows XP SP2.
1. I originally wanted to write a HIPS, but my skills are not up to it yet, so I settled for a Ring3 log scanner first.
2. Don't be fooled by the fact that it loads a driver; the driver does nothing useful yet. I'll improve that later.
3. It is written for beginners, of course; experts needn't bother reading on.
4. If you find a bug, please let me know promptly (kxsystem@163.com). Thanks.
Software information:
Name: KsProcessMonitor V 1.00 beta
Author: Lightning(kxsystem@163.com)
BLOG: http://hi.baidu.com/Aegisys
Size: 65.8 KB archive
Files: ProcessMon.exe && KsMonDrv.sys
MD5: 6a765cc7eaf7af3ff172a352e65a151e
Download:
[ http://Aegisys.googlegroups.com/web/KsProcessMonitor.rar ]
Screenshot:
There is not much to say; one look and you'll get it. It works like HJ-style tools, with some differences in what it scans. The returned results are not post-processed yet either; that is left for a later version.
Self-protection is, I think, adequate. I did not want to go for deep protection: first, compatibility suffers; second, if the program crashes you cannot even close it; and third, this is a tool for scanning R3 trojans anyway, so it is of little use against R0 trojans. Going too deep only draws the trojans' attention.
Clicking the close (X) button will not close KPM; you must click the random button at the lower right to exit.
Sample infection log:
(Tested with my own little trojan; the result is below:)
KsProcessMonitor Scanner V 1.00
Made By Lightning(kxsystem@163.com)
//---------------------------------------------------------------------//
Processes
PID:0 [System Idle Process] NT OS KERNEL
PID:4 [System] NT OS KERNEL
PID:576 \SystemRoot\System32\smss.exe
PID:652 C:\WINDOWS\system32\csrss.exe
PID:684 C:\WINDOWS\system32\winlogon.exe
PID:736 C:\WINDOWS\system32\services.exe
PID:748 C:\WINDOWS\system32\lsass.exe
PID:928 C:\WINDOWS\system32\svchost.exe
PID:980 C:\WINDOWS\system32\svchost.exe
PID:1352 E:\Program Files\Rising\Rav\CCenter.exe
PID:1376 C:\WINDOWS\System32\svchost.exe
PID:1644 C:\WINDOWS\system32\svchost.exe
PID:1684 C:\WINDOWS\system32\svchost.exe
PID:1716 E:\Program Files\Rising\Rav\Ravmond.exe
PID:1852 e:\program files\rising\rfw\rfwsrv.exe
PID:220 C:\WINDOWS\Explorer.EXE
PID:272 C:\WINDOWS\system32\spoolsv.exe
PID:564 E:\Program Files\Rising\Rav\RavStub.exe
PID:832 e:\program files\rising\rfw\RfwMain.exe
PID:1160 C:\Program Files\SimpleCheck\HH\SimpleCheck.exe
PID:1216 C:\WINDOWS\system32\atiptaxx.exe
PID:1248 C:\Program Files\OEM\AccessRunner ADSL\CnxDslTb.exe
PID:1304 C:\WINDOWS\system32\wdfmgr.exe
PID:1576 E:\Program Files\Rising\Rav\RavTask.exe
PID:1820 D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
PID:1824 E:\Program Files\Rising\Rav\Ravmon.exe
PID:1980 C:\Program Files\FlashGet\FlashGet.exe
PID:2024 C:\WINDOWS\system32\ctfmon.exe
PID:1088 C:\Program Files\Internet Download Manager\IDMan.exe
PID:408 E:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
PID:524 C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
PID:2128 C:\WINDOWS\system32\vmnat.exe
PID:2244 C:\WINDOWS\system32\drivers\WDelMgr20.exe
PID:2368 C:\WINDOWS\system32\vmnetdhcp.exe
PID:2504 E:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
PID:2924 C:\WINDOWS\System32\alg.exe
PID:3200 C:\WINDOWS\system32\wscntfy.exe
PID:892 E:\Program Files\Tencent\QQ\QQ.exe
PID:3940 C:\WINDOWS\system32\wuauclt.exe
PID:532 C:\WINDOWS\system32\conime.exe
PID:908 E:\Program Files\Tencent\QQ\QQ.exe
PID:3244 E:\Program Files\IceSword\IceSword.exe
PID:1276 C:\Program Files\foobar2000\foobar2000.exe
PID:168 C:\Program Files\GreenBrowser\GreenBrowser.exe
PID:3408 D:\RemoteShell\Release\RemoteShell.exe
PID:1084 C:\WINDOWS\system32\expl0rer.exe
PID:1544 D:\KsProcessMon\Release\ProcessMon.exe
Image hijacks (IFEO)
Your Image File Name Here without a path ntsd -d
Startup entries
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SimpleCheck "C:\Program Files\SimpleCheck\HH\SimpleCheck.exe"
AtiPTA atiptaxx.exe
CnxDslTaskBar C:\Program Files\OEM\AccessRunner ADSL\CnxDslTb.exe
RavTask "E:\Program Files\Rising\Rav\RavTask.exe" -system
RfwMain "E:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Flashget C:\Program Files\FlashGet\FlashGet.exe /min
expl0rer.exe C:\WINDOWS\system32\expl0rer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
IDMan C:\Program Files\Internet Download Manager\IDMan.exe /onboot
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
cscdll cscdll.dll
Schedule wlnotify.dll
sclgntfy sclgntfy.dll
SensLogn WlNotify.dll
termsrv wlnotify.dll
wlballoon wlnotify.dll
Services and drivers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
aec system32\drivers\aec.sys
ALG %SystemRoot%\System32\alg.exe
AsyncMac system32\DRIVERS\asyncmac.sys
atapi system32\DRIVERS\atapi.sys
Atmarpc system32\DRIVERS\atmarpc.sys
audstub system32\DRIVERS\audstub.sys
BaseTDI System32\DRIVERS\BaseTDI.SYS
Browser %SystemRoot%\system32\svchost.exe -k netsvcs
Cdrom system32\DRIVERS\cdrom.sys
CnxEtP system32\DRIVERS\CnxEtP.sys
CnxEtU system32\DRIVERS\CnxEtU.sys
CnxTgN system32\DRIVERS\CnxTgN.sys
CryptSvc %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch %SystemRoot%\system32\svchost -k DcomLaunch
Disk system32\DRIVERS\disk.sys
dmboot System32\drivers\dmboot.sys
dmio System32\drivers\dmio.sys
DMusic system32\drivers\DMusic.sys
drmkaud system32\drivers\drmkaud.sys
Eventlog %SystemRoot%\system32\services.exe
Fdc system32\DRIVERS\fdc.sys
FltMgr system32\DRIVERS\fltMgr.sys
FsVga system32\DRIVERS\fsvga.sys
gmer System32\DRIVERS\gmer.sys
HidServ %SystemRoot%\System32\svchost.exe -k netsvcs
HookCont \??\E:\Program Files\Rising\Rav\HOOKCONT.sys
HookReg \??\E:\Program Files\Rising\Rav\HookReg.sys
HookSys \??\E:\Program Files\Rising\Rav\HookSys.sys
HookUrl \??\E:\Program Files\Rising\Rfw\HookUrl.sys
HSFHWBS2 system32\DRIVERS\HSFBS2S2.sys
HSF_DP system32\DRIVERS\HSFDPSP2.sys
HTTP System32\Drivers\HTTP.sys
i8042prt system32\DRIVERS\i8042prt.sys
Imapi system32\DRIVERS\imapi.sys
intelppm system32\DRIVERS\intelppm.sys
Ip6Fw system32\DRIVERS\Ip6Fw.sys
IpInIp system32\DRIVERS\ipinip.sys
IpNat system32\DRIVERS\ipnat.sys
IPSec system32\DRIVERS\ipsec.sys
isapnp system32\DRIVERS\isapnp.sys
kmixer system32\drivers\kmixer.sys
lanmanworkstation %SystemRoot%\system32\svchost.exe -k netsvcs
mdmxsdk system32\DRIVERS\mdmxsdk.sys
mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
Mouclass system32\DRIVERS\mouclass.sys
MRxDAV system32\DRIVERS\mrxdav.sys
MRxSmb system32\DRIVERS\mrxsmb.sys
MSKSSRV system32\drivers\MSKSSRV.sys
MSPQM system32\drivers\MSPQM.sys
ms_mpu401 system32\drivers\msmpu401.sys
NdisTapi system32\DRIVERS\ndistapi.sys
Ndisuio system32\DRIVERS\ndisuio.sys
NdisWan system32\DRIVERS\ndiswan.sys
NetBIOS system32\DRIVERS\netbios.sys
NetBT system32\DRIVERS\netbt.sys
NetDDEdsdm %SystemRoot%\system32\netdde.exe
Netlogon %SystemRoot%\system32\lsass.exe
Nla %SystemRoot%\system32\svchost.exe -k netsvcs
npkcrypt \??\E:\Program Files\Tencent\QQ\npkcrypt.sys
NtLmSsp %SystemRoot%\system32\lsass.exe
NwlnkFlt system32\DRIVERS\nwlnkflt.sys
NwlnkFwd system32\DRIVERS\nwlnkfwd.sys
Parport system32\DRIVERS\parport.sys
PCI system32\DRIVERS\pci.sys
PolicyAgent %SystemRoot%\system32\lsass.exe
PptpMiniport system32\DRIVERS\raspptp.sys
PSched system32\DRIVERS\psched.sys
RasAcd system32\DRIVERS\rasacd.sys
Rasl2tp system32\DRIVERS\rasl2tp.sys
RasPppoe system32\DRIVERS\raspppoe.sys
Raspti system32\DRIVERS\raspti.sys
Rdbss system32\DRIVERS\rdbss.sys
rdpdr system32\DRIVERS\rdpdr.sys
redbook system32\DRIVERS\redbook.sys
RfwProxySrv e:\program files\rising\rfw\rfwproxy.exe
RfwService e:\program files\rising\rfw\rfwsrv.exe
RpcLocator %SystemRoot%\system32\locator.exe
RsNTGDI system32\Drivers\RsNTGdi.sys
RsRavMon "E:\Program Files\Rising\Rav\Ravmond.exe"
RSVP %SystemRoot%\system32\rsvp.exe
rtl8139 system32\DRIVERS\RTL8139.SYS
safemon system32\drivers\safemon.sys
Secdrv system32\DRIVERS\secdrv.sys
SENS %SystemRoot%\system32\svchost.exe -k netsvcs
serenum system32\DRIVERS\serenum.sys
Serial system32\DRIVERS\serial.sys
ShellHWDetection %SystemRoot%\System32\svchost.exe -k netsvcs
SiS7012 system32\drivers\sis7012.sys
sisagp system32\DRIVERS\sisagp.sys
splitter system32\drivers\splitter.sys
Srv system32\DRIVERS\srv.sys
stisvc %SystemRoot%\system32\svchost.exe -k imgsvc
swenum system32\DRIVERS\swenum.sys
swmidi system32\drivers\swmidi.sys
sysaudio system32\drivers\sysaudio.sys
Tcpip system32\DRIVERS\tcpip.sys
TesSafe \??\C:\WINDOWS\system32\TesSafe.sys
TlntSvr C:\WINDOWS\system32\tlntsvr.exe
UMWdf C:\WINDOWS\system32\wdfmgr.exe
Update system32\DRIVERS\update.sys
UPS %SystemRoot%\System32\ups.exe
usbhub system32\DRIVERS\usbhub.sys
USBSTOR system32\DRIVERS\USBSTOR.SYS
VMnetAdapter system32\DRIVERS\vmnetadapter.sys
VMnetBridge system32\DRIVERS\vmnetbridge.sys
VMparport \??\C:\WINDOWS\system32\Drivers\VMparport.sys
vmusb System32\Drivers\vmusb.sys
VSS %SystemRoot%\System32\vssvc.exe
W32Time %SystemRoot%\System32\svchost.exe -k netsvcs
Wanarp system32\DRIVERS\wanarp.sys
wdmaud system32\drivers\wdmaud.sys
winachsf system32\DRIVERS\HSFCXTS2.sys
WmdmPmSN %SystemRoot%\System32\svchost.exe -k netsvcs
Wmi %SystemRoot%\System32\svchost.exe -k netsvcs
WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
wuauserv %systemroot%\system32\svchost.exe -k netsvcs
WZCSVC %SystemRoot%\System32\svchost.exe -k netsvcs
xmlprov %SystemRoot%\System32\svchost.exe -k netsvcs
//---------------------------------------------------------------------//
Heh, the entries shown in red (the highlighting is not preserved in this text copy) are the trojan items.
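As an added example (not the tool's own code), the following Python script parses a KsProcessMonitor log offline and applies three checks a practitioner would run over output like the log above: a look-alike name check that catches expl0rer.exe masquerading as explorer.exe, a heuristic that flags anything running from a \Release\ or \Debug\ build directory (which is how RemoteShell.exe stands out here), and a check of the image-hijack section for any Image File Execution Options debugger other than the "Your Image File Name Here without a path" entry, which Windows XP ships by default and which is not a hijack. The embedded log is a subset of the post's own sample; the taskmgr.exe IFEO line, the section-name mapping and the list of core binary names are my own constructions.

```python
"""Offline triage of a KsProcessMonitor log (added example, not the tool's code)."""
import re
from collections import defaultdict

# Subset of the log lines from the post above (section headers as the tool prints them).
SAMPLE_LOG = """KsProcessMonitor Scanner V 1.00
Made By Lightning(kxsystem@163.com)
//---------------------------------------------------------------------//
进程
PID:4 [System] NT OS KERNEL
PID:220 C:\\WINDOWS\\Explorer.EXE
PID:3408 D:\\RemoteShell\\Release\\RemoteShell.exe
PID:1084 C:\\WINDOWS\\system32\\expl0rer.exe
映象劫持
Your Image File Name Here without a path ntsd -d
启动项
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Flashget C:\\Program Files\\FlashGet\\FlashGet.exe /min
expl0rer.exe C:\\WINDOWS\\system32\\expl0rer.exe
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
ctfmon.exe C:\\WINDOWS\\system32\\ctfmon.exe
系统服务与驱动
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services
Tcpip system32\\DRIVERS\\tcpip.sys
//---------------------------------------------------------------------//
"""

# Constructed IFEO hijack (not from the post): the Debugger value names a binary
# that Windows starts instead of taskmgr.exe whenever taskmgr.exe is launched.
CONSTRUCTED_HIJACK = "映象劫持\ntaskmgr.exe C:\\Temp\\shell.exe\n"

# Section headers: Chinese as emitted by the tool, English as used in the translation.
SECTIONS = {
    "进程": "processes", "Processes": "processes",
    "映象劫持": "ifeo", "Image hijacks (IFEO)": "ifeo",
    "启动项": "autoruns", "Startup entries": "autoruns",
    "系统服务与驱动": "services", "Services and drivers": "services",
}
# Core Windows binaries whose names malware commonly imitates (assumed list).
CORE_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
              "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe"}
CONFUSABLES = str.maketrans("0153", "olse")   # digit-for-letter swaps
IFEO_PLACEHOLDER = "Your Image File Name Here without a path"  # XP default, benign

PID_RE = re.compile(r"^PID:(\d+)\s+(.*)$")
IFEO_RE = re.compile(r"^(\S+\.exe)\s+(.+)$", re.I)
IMAGE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|sys|dll))', re.I)
BUILD_DIR_RE = re.compile(r"\\(release|debug)\\", re.I)


def parse_log(text):
    """Return {section: [(name, detail)]}.

    processes: (basename, full path); ifeo: (image name, debugger command);
    autoruns/services: (registry value name, command line).
    """
    entries = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.upper().startswith("HKEY_"):
            continue                      # separators and registry key headers
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if section is None:
            continue                      # banner lines before the first section
        if section == "processes":
            m = PID_RE.match(line)
            if m:
                path = m.group(2)
                entries[section].append((path.rsplit("\\", 1)[-1], path))
        elif section == "ifeo":
            if line.startswith(IFEO_PLACEHOLDER):
                entries[section].append((IFEO_PLACEHOLDER, line[len(IFEO_PLACEHOLDER):].strip()))
            else:
                m = IFEO_RE.match(line)
                if m:
                    entries[section].append(m.groups())
        else:
            name, _, command = line.partition(" ")
            entries[section].append((name, command))
    return entries


def lookalike_of(image):
    """Core binary that `image` imitates via digit-for-letter swaps, or None."""
    base = image.lower()
    if base in CORE_NAMES:
        return None
    normalised = base.translate(CONFUSABLES)
    return normalised if normalised in CORE_NAMES else None


def triage(text):
    """Return [(section, name, reason)] for entries that deserve a closer look."""
    findings = []
    for section, items in parse_log(text).items():
        for name, detail in items:
            if section == "ifeo":
                if name != IFEO_PLACEHOLDER:
                    findings.append((section, name, f"IFEO debugger set to {detail}"))
                continue
            m = IMAGE_RE.search(detail or name)
            image = m.group(1) if m else name
            core = lookalike_of(image)
            if core:
                findings.append((section, name, f"name imitates {core}"))
            if BUILD_DIR_RE.search(detail):
                findings.append((section, name, "runs from a build output directory"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG + CONSTRUCTED_HIJACK):
        print(*finding, sep=" | ")
```

The look-alike check is deliberately narrow (digit-for-letter swaps against a short list of core binaries) so that it stays silent on legitimate processes such as Explorer.EXE and ctfmon.exe; the build-directory rule is a heuristic and will also fire on your own freshly compiled tools, as it does on ProcessMon.exe in the post's full log.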