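#!/usr/bin/python
"""Flame/SkyWiper host check.

Looks for the indicators the original detector knew about: a known module
name inside the LSA ``Authentication Packages`` registry value, known
directories under ``Common Files\\Microsoft Shared`` and known file names
under ``%WINDIR%``, ``%WINDIR%\\system32`` and ``%WINDIR%\\temp``.  Findings
are accumulated in the module-level ``reg``, ``catalog`` and ``find`` names
and reported by ``printResults``.  The lists are static, so a clean result
only means none of these particular artefacts were present.
"""
from __future__ import print_function

import glob
import os
import sys

try:
    import winreg  # Python 3 name
except ImportError:
    try:
        import _winreg as winreg  # Python 2 name
    except ImportError:
        winreg = None  # not on Windows: the registry check is skipped

# Fall back to the conventional location so that importing the module does
# not raise KeyError when WINDIR is unset (e.g. under test on another OS).
windir = os.environ.get("WINDIR", r"C:\Windows")
sysdir = os.path.join(windir, "system32")
tmpdir = os.path.join(windir, "temp")

catalog = []  # directories found by checkCatalogs()
find = []     # files found by checkAllFiles()
reg = 0       # becomes 1 once checkRegKey() has matched an indicator

# Registry location and value inspected by checkRegKey().
LSA_KEY = "SYSTEM\\CurrentControlSet\\Control\\Lsa\\"
LSA_VALUE = "Authentication Packages"
REG_INDICATORS = ["mssecmgr.ocx", "authpack.ocx"]

# Directory names looked for under %PROGRAMFILES%\Common Files\Microsoft Shared.
CATALOG_NAMES = ["MSSecurityMgr", "MSAudio", "MSAuthCtrl", "MSSndMix"]

# File names looked for under %WINDIR%\system32.
SYS_FILES = [
    "mssecmgr.ocx", "wavsup3.drv", "~zff042.ocx", "msdclr64.ocx", "ccalc32.sys",
    "msglu32.ocx", "boot32drv.sys", "nteps32.ocx", "advnetcfg.ocx", "soapr32.sys",
    "Advpck.dat", "ntaps.dat", "Rpcnc.dat", "svchost1ex.mof", "Svchostevt.mof",
    "frog.bat", "netcfgi.ocx", "authpack.ocx", "~a29.tmp", "rdcvlt32.exe", "to961.tmp",
    "authcfg.dat", "Wpab32.bat", "ctrllist.dat", "winrt32.ocx", "winrt32.dll",
    "scsec32.exe", "grb9m2.bat", "winconf32.ocx", "watchxb.sys", "sdclt32.exe",
    "scaud32.exe", "pcldrvx.ocx", "mssvc32.ocx", "mssui.drv", "modevga.com",
    "indsvc32.ocx", "comspol32.ocx", "comspol32.dll", "browse32.ocx",
]

# File names (some with shell wildcards) looked for under %WINDIR%\temp.
TMP_FILES = [
    "~DEB93D.tmp", "~8C5FF6C.tmp", "~DF05AC8.tmp", "~DFD85D3.tmp", "~DFL*.tmp",
    "~dra*.tmp", "~fghz.tmp", "~HLV*.tmp", "~KWI988.tmp", "~KWI989.tmp", "~rei524.tmp",
    "~rei525.tmp", "~rf288.tmp", "~rft374.tmp", "~TFL848.tmp", "~TFL849.tmp",
    "~mso2a0.tmp", "~mso2a1.tmp", "~mso2a2.tmp", "sstab*.dat",
]


def isInfected():
    """Run all three checks, filling ``reg``, ``catalog`` and ``find``.

    Returns True if any check produced a finding.
    """
    checkRegKey()
    checkCatalogs()
    checkAllFiles()
    return reg == 1 or len(find) > 0 or len(catalog) > 0


def hasIndicator(value, indicators=None):
    """Return True if an ``Authentication Packages`` value names a known module.

    ``value`` is whatever ``QueryValueEx`` returned: a list of strings for a
    REG_MULTI_SZ value, or a single string.  Matching is case-insensitive
    and substring-based, so an entry holding a full path to the module also
    matches.  ``indicators`` defaults to ``REG_INDICATORS``.
    """
    if indicators is None:
        indicators = REG_INDICATORS
    # A bare string must not be iterated character by character.
    entries = [value] if hasattr(value, "lower") else list(value)
    lowered = [str(entry).lower() for entry in entries]
    return any(ind.lower() in entry for entry in lowered for ind in indicators)


def checkRegKey():
    """Set ``reg`` to 1 if the LSA value references a known module.

    Returns True on a hit, False otherwise.  When the registry cannot be
    read (non-Windows host, missing key or insufficient rights) the check is
    skipped with a message on stderr instead of aborting the whole scan;
    ``reg`` is then left untouched.
    """
    global reg
    if winreg is None:
        print("registry check skipped: winreg module not available", file=sys.stderr)
        return False
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY)
        try:
            value = winreg.QueryValueEx(key, LSA_VALUE)[0]
        finally:
            winreg.CloseKey(key)
    except OSError as err:  # WindowsError is an OSError subclass
        print("registry check skipped: %s" % err, file=sys.stderr)
        return False
    if hasIndicator(value):
        reg = 1
        return True
    return False


def checkCatalogs(base=None):
    """Append known directories found under *base* to ``catalog``.

    *base* defaults to ``%PROGRAMFILES%\\Common Files\\Microsoft Shared``,
    the location the original detector checked.  Returns the paths found in
    this call (``catalog`` accumulates across calls).
    """
    if base is None:
        progfiles = os.environ.get("PROGRAMFILES", r"C:\Program Files")
        base = os.path.join(progfiles, "Common Files", "Microsoft Shared")
    candidates = (os.path.join(base, name) for name in CATALOG_NAMES)
    hits = [cpath for cpath in candidates if os.path.isdir(cpath)]
    catalog.extend(hits)
    return hits


def existingFiles(directory, names):
    """Return the regular files in *directory* matching each name or pattern.

    Entries in *names* may contain shell wildcards (``~DFL*.tmp``); they are
    expanded with ``glob`` because a plain ``isfile`` test would never match
    a pattern.  Results are in list order, duplicates removed.
    """
    found = []
    for name in names:
        for path in sorted(glob.glob(os.path.join(directory, name))):
            if os.path.isfile(path) and path not in found:
                found.append(path)
    return found


def checkAllFiles(windows_dir=None, system_dir=None, temp_dir=None):
    """Append every known file present on disk to ``find``.

    The directories default to the module-level ``windir``, ``sysdir`` and
    ``tmpdir``.  ``Ef_trace.log`` is looked for directly under the Windows
    directory (the original appended an undefined name here and would have
    raised NameError on a hit).  Returns the paths found in this call.
    """
    windows_dir = windir if windows_dir is None else windows_dir
    system_dir = sysdir if system_dir is None else system_dir
    temp_dir = tmpdir if temp_dir is None else temp_dir
    hits = existingFiles(windows_dir, ["Ef_trace.log"])
    hits += existingFiles(system_dir, SYS_FILES)
    hits += existingFiles(temp_dir, TMP_FILES)
    find.extend(hits)
    return hits


def printResults():
    """Print a human-readable summary of the module-level findings."""
    infected = reg == 1 or len(find) > 0 or len(catalog) > 0
    if not infected:
        print("You are not infected :)")
        return
    print("You are infected!")
    if reg:
        print("Modified registry key found:")
        # Raw string: the path contains backslashes that must print verbatim.
        print(r" HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ -> Authentication Packages")
    if find:
        print("Malicious files found:")
        for fpath in find:
            print(" " + fpath)
    if catalog:
        print("Malicious catalogs found:")
        for cpath in catalog:
            print(" " + cpath)


def printHelp():
    """Print usage information."""
    print("\nflame detector 1.0 (http://www.ldelgado.es/?flamedetector)\n")
    print("Usage: python flame_detector.py OPTIONS\n")
    print("Options:")
    print("--check Checks if your system is infected by Flame/SkyWiper searching")
    print(" for some special files, catalogs and registry keys")


def main(argv=None):
    """Command-line entry point.

    *argv* is the argument list without the program name; it defaults to
    ``sys.argv[1:]``.  ``--check`` (case-insensitive) runs the scan and
    prints the results; anything else prints the help.  Returns 1 when the
    scan found something and 0 otherwise, so the status is usable from
    scripts.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) == 1 and args[0].lower() == "--check":
        infected = isInfected()
        printResults()
        return 1 if infected else 0
    printHelp()
    return 0


if __name__ == "__main__":
    sys.exit(main())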
Передать не силовой структуре красную кнопку — шикарно
Переделать механизм фильтрации на более адекватный — замечательно
Другой вопрос: кто это всё будет делать.