'检查文件后缀,如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
If DimFileExt = "*" Then CheckExt = True
Ext = Split(DimFileExt,",")
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function
'检测文件
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
Infiles = "<font color=red>该文件被"& InFile & "文件包含执行</font>"
End If
temp = FilePath
On Error Resume Next
Set tStream = WScript.CreateObject("ADODB.Stream")
tStream.type = 1
tStream.mode = 3
tStream.open
tStream.Position=0
tStream.LoadFromFile FilePath
If err Then Exit Sub end if
tStream.type = 2
tStream.charset = "GB2312"
Do Until tStream.EOS
filetxt = filetxt & LCase(replace(tStream.ReadText(102400), Chr(0), ""))
Loop
tStream.close()
Set tStream = Nothing
Set FSOs = WScript.CreateObject("Scripting.FileSystemObject")
if len(filetxt) >0 then
'特征码检查
filetxt = vbcrlf & filetxt
'Check "WScr"&DoMyBest&"ipt.Shell"
If Instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td><font color=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If Instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td><font color=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "bLANGUAGEs*=s*[""]?s*(vbscript|jscript|javascript).encodeb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td><font color=red>似乎脚本被加密了,一般ASP文件是不会加密的</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check my ASP backdoor :(
regEx.Pattern = "bEv"&"alb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check exe&cute backdoor
regEx.Pattern = "[^.]bExe"&"cute(Global)?b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Exec"&"ute()或者Exe"&"cuteGlobal()</td><td><font color=red>该函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check Script.Control
regEx.Pattern = ".Execu"&"teStatementb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Exec"&"uteStatement</td><td><font color=red>发现MSScriptControl.ScriptControl的.Execut"&"eStatement函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .(Open|Create)TextFile
regEx.Pattern = ".(Open|Create)TextFileb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Crea"&"teTextFile|.O"&"penTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .SaveT&oFile
regEx.Pattern = ".SaveT"&"oFileb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"veToFile</td><td>使用了Stream或者JMail的SaveToFile函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .&Save|.&SaveAs
regEx.Pattern = ".Sa"&"ve(As)?b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"ve或者.Sa"&"veAs</td><td>使用了Save或SaveAs函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check set Server
regEx.Pattern = "sets*.*s*=s*servers"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Set xxx=Se"&"rver</td><td><font color=red>发现Set xxx=Ser" & jj & "ver,请管理员仔细检查是否调用.execute</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check Server.(Transfer|Ex&ecute)
regEx.Pattern = "Server.(Ex"&"ecute|Transfer)([ t]*|()[^""])"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Server.Ex"&"ecute</td><td><font color=red>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Ru&n
regEx.Pattern = ".R"&"unb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ru"&"n</td><td><font color=red>发现 WScript 的 Run 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Exe&c
regEx.Pattern = ".Ex"&"ecb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ex"&"ec</td><td><font color=red>发现 WScript 的 Exec 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Shel&lExecute
regEx.Pattern = ".Shel"&"lExecuteb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.ShellE"&"xecute</td><td><font color=red>发现 Application 的 ShellExecute 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .&create
regEx.Pattern = ".Cre"&"ateb"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Crea"&"te</td><td>发现 Create 函数<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
Set regEx = Nothing
