RoomaSec / RmTools

Blue-team incident response tools
MIT License

Why are neither the CS trojan exe file nor the Behinder (冰蝎) PHP file detected by the scan? #2

Closed: tammypi closed this 5 months ago

tammypi commented 5 months ago

I placed a CS 4.3 trojan (exe) and a Behinder 3 (php) file on the desktop: [WeCom screenshot 企业微信截图_17128228775129]. The config is as follows:

```json
{
  "use_log": 1,
  "scan_file_thread": 60,
  "only_scan_suffix": 1,
  "scan_file_suffix": [
    ".exe",
    ".dll",
    ".sys",
    ".js",
    ".jsp",
    ".php",
    ".asp",
    ".aspx",
    ".cmd",
    ".bat",
    ".vbs",
    ".vbe",
    ".vb",
    ".ps1",
    ".psm1",
    ".wsh",
    ".vbscript",
    ".wsf",
    ".eml"
  ],
  "scan_path": ["C:\\Users\\Administrator\\Desktop"],
  "skip_scan_paths": ["windows\\WinSxS", "Windows\\Microsoft.NET", "Windows\\assembly", "Program Files\\WindowsApps", "Windows\\servicing", "Windows\\Installer"],
  "hashes": ["EE9E2816170E9441690EBEE28324F43046056712"],
  "filenames": ["InstDrv.bin"],
  "max_file_limit": 5002400
}
```

I also added the Behinder rule https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Behinder.yar to the Yara-Rules folder. But running yara_scanner.exe gives no results; it does not even print the name of the exe file or the PHP file: [WeCom screenshot 企业微信截图_17128230979399]

tammypi commented 5 months ago

`"scan_path": ["C:\\Users\\Administrator\\Desktop\\"]` I changed scan_path to `C:\Users\Administrator\Desktop\` and there are still no results.

tammypi commented 5 months ago

After changing scan_path to `c:\`, it does scan some system exe/dll files, but there is still no output for shell.php and beacon.exe on the desktop.

C:\Users\Administrator\Desktop\RmTools\yara_scanner_beta>yara_scanner.exe
[2024-04-11 16:24:13.718] [info] scan file: C:\\Windows\System32\EhStorAPI.dll
[2024-04-11 16:24:13.735] [info] scan file: C:\\Windows\System32\EhStorAuthn.exe
[2024-04-11 16:24:13.740] [info] scan file: C:\\Windows\System32\EhStorPwdMgr.dll
[2024-04-11 16:24:13.751] [info] scan file: C:\\Windows\System32\elshyph.dll
[2024-04-11 16:24:13.773] [info] scan file: C:\\Windows\System32\efscore.dll
[2024-04-11 16:24:13.790] [info] scan file: C:\\Windows\System32\embeddedmodesvcapi.dll
[2024-04-11 16:24:13.793] [info] scan file: C:\\Windows\System32\EsdSip.dll
[2024-04-11 16:24:13.796] [info] scan file: C:\\Windows\System32\EoAExperiences.exe
[2024-04-11 16:24:13.799] [info] scan file: C:\\Windows\System32\efsutil.dll
[2024-04-11 16:24:13.809] [info] scan file: C:\\Windows\System32\escUnattend.exe
[2024-04-11 16:24:13.813] [info] scan file: C:\\Windows\System32\esentprf.dll
[2024-04-11 16:24:13.817] [info] scan file: C:\\Windows\System32\esevss.dll
[2024-04-11 16:24:13.824] [info] scan file: C:\\Windows\System32\esentutl.exe
[2024-04-11 16:24:13.839] [info] scan file: C:\\Windows\System32\eShims.dll
[2024-04-11 16:24:13.858] [info] scan file: C:\\Windows\System32\EthernetMediaManager.dll
[2024-04-11 16:24:13.865] [info] scan file: C:\\Windows\System32\ETWESEProviderResources.dll
[2024-04-11 16:24:13.869] [info] scan file: C:\\Windows\System32\ETWCoreUIComponentsResources.dll
[2024-04-11 16:24:13.880] [info] scan file: C:\\Windows\System32\EtwRundown.dll
[2024-04-11 16:24:13.897] [info] scan file: C:\\Windows\System32\eudcedit.exe
[2024-04-11 16:24:13.910] [info] scan file: C:\\Windows\System32\EventAggregation.dll
[2024-04-11 16:24:13.918] [info] scan file: C:\\Windows\System32\eventcls.dll
[2024-04-11 16:24:13.922] [info] scan file: C:\\Windows\System32\eventcreate.exe
[2024-04-11 16:24:13.928] [info] scan file: C:\\Windows\System32\eventvwr.exe
[2024-04-11 16:24:13.960] [info] scan file: C:\\Windows\System32\evr.dll
[2024-04-11 16:24:13.980] [info] scan file: C:\\Windows\System32\esent.dll
[2024-04-11 16:24:13.984] [info] scan file: C:\\Windows\System32\execmodelproxy.dll
[2024-04-11 16:24:13.992] [info] scan file: C:\\Windows\System32\ExecModelClient.dll
[2024-04-11 16:24:14.014] [info] scan file: C:\\Windows\System32\expand.exe
[2024-04-11 16:24:14.019] [info] scan file: C:\\Windows\System32\extrac32.exe
[2024-04-11 16:24:14.033] [info] scan file: C:\\Windows\System32\ExSMime.dll
[2024-04-11 16:24:14.037] [info] scan file: C:\\Windows\System32\ExtrasXmlParser.dll
[2024-04-11 16:24:14.042] [info] scan file: C:\\Windows\System32\f3ahvoas.dll
[2024-04-11 16:24:14.082] [info] scan file: C:\\Windows\System32\ExplorerFrame.dll
[2024-04-11 16:24:14.092] [info] scan file: C:\\Windows\System32\Facilitator.dll
[2024-04-11 16:24:14.112] [info] scan file: C:\\Windows\System32\Family.Cache.dll
[2024-04-11 16:24:14.116] [info] scan file: C:\\Windows\System32\Family.Authentication.dll
[2024-04-11 16:24:14.124] [info] scan file: C:\\Windows\System32\Family.SyncEngine.dll
[2024-04-11 16:24:14.126] [info] scan file: C:\\Windows\System32\FamilySafetyExt.dll
[2024-04-11 16:24:14.129] [info] scan file: C:\\Windows\System32\Faultrep.dll
[2024-04-11 16:24:14.138] [info] scan file: C:\\Windows\System32\FaxPrinterInstaller.dll
[2024-04-11 16:24:14.142] [info] scan file: C:\\Windows\System32\fc.exe
[2024-04-11 16:24:14.143] [info] scan file: C:\\Windows\System32\Family.Client.dll
[2024-04-11 16:24:14.153] [info] scan file: C:\\Windows\System32\fdBth.dll
[2024-04-11 16:24:14.158] [info] scan file: C:\\Windows\System32\fcon.dll
[2024-04-11 16:24:14.165] [info] scan file: C:\\Windows\System32\fdBthProxy.dll
[2024-04-11 16:24:14.169] [info] scan file: C:\\Windows\System32\FdDevQuery.dll
[2024-04-11 16:24:14.172] [info] scan file: C:\\Windows\System32\fdPHost.dll
[2024-04-11 16:24:14.174] [info] scan file: C:\\Windows\System32\fdeploy.dll
[2024-04-11 16:24:14.181] [info] scan file: C:\\Windows\System32\fdPnp.dll
[2024-04-11 16:24:14.190] [info] scan file: C:\\Windows\System32\fdprint.dll
[2024-04-11 16:24:14.196] [info] scan file: C:\\Windows\System32\fde.dll
[2024-04-11 16:24:14.197] [info] scan file: C:\\Windows\System32\FDResPub.dll
[2024-04-11 16:24:14.203] [info] scan file: C:\\Windows\System32\fdProxy.dll
[2024-04-11 16:24:14.209] [info] scan file: C:\\Windows\System32\fdSSDP.dll
[2024-04-11 16:24:14.213] [info] scan file: C:\\Windows\System32\fdWNet.dll
[2024-04-11 16:24:14.221] [info] scan file: C:\\Windows\System32\fdWSD.dll
[2024-04-11 16:24:14.233] [info] scan file: C:\\Windows\System32\ffbroker.dll
[2024-04-11 16:24:14.236] [info] scan file: C:\\Windows\System32\feclient.dll
[2024-04-11 16:24:14.241] [info] scan file: C:\\Windows\System32\FileAppxStreamingDataSource.dll
[2024-04-11 16:24:24.049] [info] scan file: C:\\Windows\System32\NetSetupShim.dll
[2024-04-11 16:24:24.066] [info] scan file: C:\\Windows\System32\NetSetupEngine.dll
[2024-04-11 16:24:24.070] [info] scan file: C:\\Windows\System32\NetSetupSvc.dll
[2024-04-11 16:24:24.079] [info] scan file: C:\\Windows\System32\NETSTAT.EXE
[2024-04-11 16:24:24.097] [info] scan file: C:\\Windows\System32\netshell.dll
[2024-04-11 16:24:24.102] [info] scan file: C:\\Windows\System32\netutils.dll
[2024-04-11 16:24:24.102] [info] scan file: C:\\Windows\System32\nettrace.dll
[2024-04-11 16:24:24.128] [info] scan file: C:\\Windows\System32\NetworkBindingEngineMigPlugin.dll
[2024-04-11 16:24:24.133] [info] scan file: C:\\Windows\System32\NetworkDesktopSettings.dll
[2024-04-11 16:24:24.140] [info] scan file: C:\\Windows\System32\networkexplorer.dll
[2024-04-11 16:24:24.150] [info] scan file: C:\\Windows\System32\NetworkIcon.dll
[2024-04-11 16:24:41.226] [info] scan file: C:\\Windows\System32\Windows.Media.dll
[2024-04-11 16:24:41.262] [info] scan file: C:\\Windows\System32\Windows.Media.BackgroundMediaPlayback.dll
[2024-04-11 16:24:41.290] [info] scan file: C:\\Windows\System32\Windows.Media.Import.dll
[2024-04-11 16:24:41.323] [info] scan file: C:\\Windows\System32\Windows.Media.FaceAnalysis.dll
[2024-04-11 16:24:41.330] [info] scan file: C:\\Windows\System32\Windows.Media.Playback.BackgroundMediaPlayer.dll
[2024-04-11 16:24:41.365] [info] scan file: C:\\Windows\System32\Windows.Media.Ocr.dll
[2024-04-11 16:24:41.367] [info] scan file: C:\\Windows\System32\Windows.Media.Playback.MediaPlayer.dll
[2024-04-11 16:24:41.385] [info] scan file: C:\\Windows\System32\Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dll
[2024-04-11 16:24:41.391] [info] scan file: C:\\Windows\System32\Windows.Media.Streaming.ps.dll
[2024-04-11 16:24:41.394] [info] scan file: C:\\Windows\System32\Windows.Media.Playback.ProxyStub.dll
[2024-04-11 16:24:41.411] [info] scan file: C:\\Windows\System32\Windows.Media.Streaming.dll
[2024-04-11 16:24:41.425] [info] scan file: C:\\Windows\System32\Windows.Networking.BackgroundTransfer.ContentPrefetchTask.dll
[2024-04-11 16:24:41.453] [info] scan file: C:\\Windows\System32\Windows.Networking.Connectivity.dll
[2024-04-11 16:24:41.454] [info] scan file: C:\\Windows\System32\Windows.Networking.BackgroundTransfer.dll
[2024-04-11 16:24:41.481] [info] scan file: C:\\Windows\System32\Windows.Networking.HostName.dll
[2024-04-11 16:24:41.482] [info] scan file: C:\\Windows\System32\Windows.Networking.NetworkOperators.ESim.dll
[2024-04-11 16:24:41.488] [info] scan file: C:\\Windows\System32\Windows.Networking.NetworkOperators.HotspotAuthentication.dll
[2024-04-11 16:24:41.497] [info] scan file: C:\\Windows\System32\Windows.Networking.ServiceDiscovery.Dnssd.dll
[2024-04-11 16:24:41.507] [info] scan file: C:\\Windows\System32\Windows.Networking.Proximity.dll
[2024-04-11 16:24:41.512] [info] scan file: C:\\Windows\System32\Windows.Networking.dll
[2024-04-11 16:24:41.521] [info] scan file: C:\\Windows\System32\Windows.Networking.Sockets.PushEnabledApplication.dll
[2024-04-11 16:24:41.540] [info] scan file: C:\\Windows\System32\Windows.Networking.UX.EapRequestHandler.dll
[2024-04-11 16:24:41.569] [info] scan file: C:\\Windows\System32\Windows.Perception.Stub.dll
[2024-04-11 16:24:41.573] [info] scan file: C:\\Windows\System32\Windows.Networking.Vpn.dll
[2024-04-11 16:24:41.582] [info] scan file: C:\\Windows\System32\Windows.Security.Authentication.Identity.Provider.dll
[2024-04-11 16:24:41.602] [info] scan file: C:\\Windows\System32\Windows.Payments.dll
[2024-04-11 16:24:41.628] [info] scan file: C:\\Windows\System32\Windows.Security.Authentication.Web.Core.dll
[2024-04-11 16:24:41.636] [info] scan file: C:\\Windows\System32\Windows.Security.Credentials.UI.CredentialPicker.dll
[2024-04-11 16:24:41.645] [info] scan file: C:\\Windows\System32\Windows.Security.Authentication.OnlineId.dll
[2024-04-11 16:24:41.649] [info] scan file: C:\\Windows\System32\Windows.Security.Credentials.UI.UserConsentVerifier.dll
[2024-04-11 16:24:41.658] [info] scan file: C:\\Windows\System32\Windows.Security.Integrity.dll
[2024-04-11 16:24:41.669] [info] scan file: C:\\Windows\System32\Windows.SharedPC.CredentialProvider.dll
[2024-04-11 16:24:41.676] [info] scan file: C:\\Windows\System32\Windows.SharedPC.AccountManager.dll
[2024-04-11 16:24:41.684] [info] scan file: C:\\Windows\System32\Windows.Services.TargetedContent.dll
[2024-04-11 16:24:41.691] [info] scan file: C:\\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
[2024-04-11 16:24:41.693] [info] scan file: C:\\Windows\System32\Windows.StateRepository.dll
[2024-04-11 16:24:41.697] [info] scan file: C:\\Windows\System32\Windows.Shell.BlueLightReduction.dll
[2024-04-11 16:24:41.702] [info] scan file: C:\\Windows\System32\Windows.Shell.StartLayoutPopulationEvents.dll
[2024-04-11 16:24:41.707] [info] scan file: C:\\Windows\System32\Windows.StateRepositoryBroker.dll
[2024-04-11 16:24:41.714] [info] scan file: C:\\Windows\System32\Windows.StateRepositoryCore.dll
[2024-04-11 16:24:41.733] [info] scan file: C:\\Windows\System32\Windows.StateRepositoryUpgrade.dll
[2024-04-11 16:24:41.739] [info] scan file: C:\\Windows\System32\Windows.StateRepositoryPS.dll
[2024-04-11 16:24:41.745] [info] scan file: C:\\Windows\System32\Windows.Storage.Compression.dll
[2024-04-11 16:24:41.751] [info] scan file: C:\\Windows\System32\Windows.Storage.ApplicationData.dll
[2024-04-11 16:24:41.753] [info] scan file: C:\\Windows\System32\windows.storage.dll
[2024-04-11 16:24:41.760] [info] scan file: C:\\Windows\System32\Windows.StateRepositoryClient.dll
[2024-04-11 16:24:41.769] [info] scan file: C:\\Windows\System32\Windows.Storage.OneCore.dll
[2024-04-11 16:25:00.383] [info] scan file: C:\\Windows\SysWOW64\PeerDistSh.dll
[2024-04-11 16:25:00.389] [info] scan file: C:\\Windows\SysWOW64\perfos.dll
[2024-04-11 16:25:00.394] [info] scan file: C:\\Windows\SysWOW64\perfproc.dll
[2024-04-11 16:25:00.399] [info] scan file: C:\\Windows\SysWOW64\perfnet.dll
[2024-04-11 16:25:00.406] [info] scan file: C:\\Windows\SysWOW64\pfclient.dll
[2024-04-11 16:25:00.413] [info] scan file: C:\\Windows\SysWOW64\perfts.dll
[2024-04-11 16:25:00.420] [info] scan file: C:\\Windows\SysWOW64\PhoneCallHistoryApis.dll
[2024-04-11 16:25:00.432] [info] scan file: C:\\Windows\SysWOW64\PhotoMetadataHandler.dll
[2024-04-11 16:25:00.434] [info] scan file: C:\\Windows\SysWOW64\PhoneutilRes.dll
[2024-04-11 16:25:00.443] [info] scan file: C:\\Windows\SysWOW64\PhoneOm.dll
[2024-04-11 16:25:00.448] [info] scan file: C:\\Windows\SysWOW64\Phoneutil.dll
[2024-04-11 16:25:00.459] [info] scan file: C:\\Windows\SysWOW64\PickerHost.exe
[2024-04-11 16:25:00.468] [info] scan file: C:\\Windows\SysWOW64\photowiz.dll
[2024-04-11 16:25:00.472] [info] scan file: C:\\Windows\SysWOW64\PickerPlatform.dll
[2024-04-11 16:25:00.475] [info] scan file: C:\\Windows\SysWOW64\pid.dll
[2024-04-11 16:25:00.483] [info] scan file: C:\\Windows\SysWOW64\pifmgr.dll
[2024-04-11 16:25:00.486] [info] scan file: C:\\Windows\SysWOW64\PimIndexMaintenanceClient.dll
[2024-04-11 16:25:00.517] [info] scan file: C:\\Windows\SysWOW64\Pimstore.dll
[2024-04-11 16:25:00.520] [info] scan file: C:\\Windows\SysWOW64\PING.EXE
[2024-04-11 16:25:00.520] [info] scan file: C:\\Windows\SysWOW64\pidgenx.dll
[2024-04-11 16:25:00.549] [info] scan file: C:\\Windows\SysWOW64\pku2u.dll
[2024-04-11 16:25:00.552] [info] scan file: C:\\Windows\SysWOW64\PkgMgr.exe
[2024-04-11 16:25:14.930] [info] scan file: C:\\Windows\System32\drivers\csc.sys
[2024-04-11 16:25:14.949] [info] scan file: C:\\Windows\System32\drivers\drmkaud.sys
[2024-04-11 16:25:41.110] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeCore\123.0.2420.81\vk_swiftshader.dll
[2024-04-11 16:25:41.111] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe
[2024-04-11 16:25:41.123] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateBroker.exe
[2024-04-11 16:25:41.135] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe
[2024-04-11 16:25:41.142] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateCore.exe
[2024-04-11 16:25:41.143] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe
[2024-04-11 16:25:41.423] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_af.dll
[2024-04-11 16:25:41.448] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_am.dll
[2024-04-11 16:25:41.480] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\MicrosoftEdgeUpdateSetup.exe
[2024-04-11 16:25:41.488] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_ar.dll
[2024-04-11 16:25:41.490] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_as.dll
[2024-04-11 16:25:41.494] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_az.dll
[2024-04-11 16:25:41.498] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_bg.dll
[2024-04-11 16:25:41.511] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdateres_bn-IN.dll
[2024-04-11 16:25:41.523] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeCore\123.0.2420.81\eventlog_provider.dll
[2024-04-11 16:25:41.525] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeUpdate\1.3.185.29\msedgeupdate.dll
[2024-04-11 16:25:41.580] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeCore\123.0.2420.81\notification_helper.exe
[2024-04-11 16:25:41.589] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeCore\123.0.2420.81\wdag.dll
[2024-04-11 16:25:41.591] [info] scan file: C:\\Program Files (x86)\Microsoft\EdgeCore\123.0.2420.81\msedge_pwa_launcher.exe
[2024-04-11 16:25:53.391] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usb4devicerouter.inf_amd64_55bc67aadf84dca6\Usb4DeviceRouter.sys
[2024-04-11 16:25:53.398] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usb4hostrouter.inf_amd64_b0157d9a87a99d81\Usb4HostRouter.sys
[2024-04-11 16:25:53.402] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbhub3.inf_amd64_37b71bb48ba3dca8\USBHUB3.SYS
[2024-04-11 16:25:53.408] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbohci.sys
[2024-04-11 16:25:53.408] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_c5a9289f450669e3\usbnet.sys
[2024-04-11 16:25:53.421] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbport.sys
[2024-04-11 16:25:53.424] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbehci.sys
[2024-04-11 16:25:53.424] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbhub.sys
[2024-04-11 16:25:53.429] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_1e81a18d61ea2d0e\usbprint.sys
[2024-04-11 16:25:53.437] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_5692ef19962b5871\SecureUSBVideo.dll
[2024-04-11 16:25:53.441] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_d9c344155296a584\USBSTOR.SYS
[2024-04-11 16:25:53.448] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_5692ef19962b5871\usbvideo.sys
[2024-04-11 16:25:53.451] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbser.inf_amd64_630faf309de553fc\usbser.sys
[2024-04-11 16:25:53.452] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbuhci.sys
[2024-04-11 16:25:53.458] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbxhci.inf_amd64_9045ba8c485acd50\USBXHCI.SYS
[2024-04-11 16:25:53.482] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_7e5965caa00acc5a\VBoxGuest.sys
[2024-04-11 16:25:53.488] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_7e5965caa00acc5a\VBoxControl.exe
[2024-04-11 16:25:53.488] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbxhci.inf_amd64_9045ba8c485acd50\UsbXhciCompanion.dll
[2024-04-11 16:25:53.503] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxDispD3D.dll
[2024-04-11 16:25:53.517] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_7e5965caa00acc5a\VBoxTray.exe
[2024-04-11 16:25:53.521] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxDX-x86.dll
[2024-04-11 16:25:53.522] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxGL-x86.dll
[2024-04-11 16:25:53.531] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxDispD3D-x86.dll
[2024-04-11 16:25:53.532] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxGL.dll
[2024-04-11 16:25:53.537] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxDX.dll
[2024-04-11 16:25:53.663] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxNine-x86.dll
[2024-04-11 16:25:53.707] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxNine.dll
[2024-04-11 16:25:53.800] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxSVGA-x86.dll
[2024-04-11 16:25:53.821] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxWddm.sys
[2024-04-11 16:25:53.831] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vca.inf_amd64_a975e7d8207d6ae2\vrd.sys
[2024-04-11 16:25:53.836] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vboxwddm.inf_amd64_d1e2d4d60b93b57a\VBoxSVGA.dll
[2024-04-11 16:25:53.839] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_1be8191901e78665\vdrvroot.sys
[2024-04-11 16:25:53.843] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_983cbf0a133420d3\bttflt.sys
[2024-04-11 16:25:53.855] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vmxnet3.inf_amd64_f7cdbb974da78e14\vmxnet3.sys
[2024-04-11 16:25:53.860] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_9951628da3918e82\vhdmp.sys
[2024-04-11 16:25:53.865] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_fd8250a7fe233fe5\volume.sys
[2024-04-11 16:25:53.871] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_1fbbe83391910b93\vrd.sys
[2024-04-11 16:25:53.872] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_df7316f72006bd46\volmgr.sys
[2024-04-11 16:25:53.878] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_3d2bbc45931b8232\vsmraid.sys
[2024-04-11 16:25:53.884] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\MsApoFxProxy.dll
[2024-04-11 16:25:53.890] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\drmkaud.sys
[2024-04-11 16:25:53.894] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\drmk.sys
[2024-04-11 16:25:53.898] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\portcls.sys
[2024-04-11 16:25:53.928] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\SysFxUI.dll
[2024-04-11 16:25:53.952] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdma_usb.inf_amd64_adb284b9d2e09cff\USBAUDIO.sys
[2024-04-11 16:25:53.969] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\vstxraid.inf_amd64_300cb04282659e6d\VSTXRAID.SYS
[2024-04-11 16:25:53.989] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_c35ac4504ea32e17\usbd.sys
[2024-04-11 16:25:53.990] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_6e02739543e49e35\WMALFXGFXDSP.dll
[2024-04-11 16:25:53.990] [info] scan file: C:\\Windows\System32\DriverStore\FileRepository\wdmvsc.inf_amd64_aa9fad204c00ad12\dmvsc.sys

tammypi commented 5 months ago

The system is Windows Server 2022.

huoji120 commented 5 months ago

Change `"scan_path": ["C:\Users\Administrator\Desktop\"]` to `"scan_path": ["C:\Users\Administrator\Desktop"]`; the Win API does not accept a trailing `\` by default.

tammypi commented 5 months ago

[WeCom screenshot 企业微信截图_17128253541377] I did not have the trailing `\` from the very start.

huoji120 commented 5 months ago

Try putting the trojan in another directory on the C: drive. From the look of it, the scanner cannot read the Users folder? I suggest running these tests:

  1. Put it in directory `a` on C: and see whether it is detected
  2. Put it in directory `a` under Users and see whether it is detected
  3. Put it in the Public directory under Users and see whether it is detected
  4. Put it in the admin directory under Users and see whether it is detected

If 1 is detected but 2, 3 and 4 are not, then the Users folder cannot be read. Are you running it as administrator?

tammypi commented 5 months ago

I tested putting shell.php in `c:\` and in `c:\Windows\System32`; neither printed this file, only the other exe/dll/js files were printed.

huoji120 commented 5 months ago

yara_scanner.zip Here is a separate build with debug printing; check whether the file read failed or the hash was calculated wrongly.

huoji120 commented 5 months ago

I added these lines:

```cpp
printf("read file: %s \n", file_path_lower.c_str());
printf("read file failed!!! %s \n", file_path_lower.c_str());
printf("read file success %s \n", file_path_lower.c_str());
printf("hash calc failed!!! %s \n", file_path_lower.c_str());
```

tammypi commented 5 months ago

[WeCom screenshot 企业微信截图_17128269122332]

huoji120 commented 5 months ago

The read succeeded; YARA just did not match.

huoji120 commented 5 months ago

The reason there are so few "scan file" log lines is that they are filtered; they only show that scanning is still running:

```cpp
if (draw_num > 1000) {
    spdlog::info("scan file: {}", path);
    draw_num = 0;
}
draw_num++;
```

tammypi commented 5 months ago

[WeCom screenshot 企业微信截图_17128271009884] Looking at the rule, it should have hit; why was there no match?

huoji120 commented 5 months ago

The rule's condition is `all of them`, not `any of them`. Change it to `any of them` and it will work.
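To make the two threads of this issue concrete, here is an added Python example (not RmTools code, and not a YARA engine) that mirrors the config keys shown at the top of the issue (`only_scan_suffix`, `scan_file_suffix`, `skip_scan_paths`, `max_file_limit`, `hashes`, `filenames`) and then evaluates a minimal YARA-style string condition, so the difference between `all of them` and `any of them` can be observed on constructed sample files. The matching semantics (case-insensitive suffix comparison, substring skip-path match, treating the 40-hex `hashes` entry as SHA-1) are assumptions for the demo, not verified behaviour of the scanner; the rules, file names and file contents are constructed.

```python
"""Constructed mini-scanner: config filters + a minimal YARA-style condition."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed config with the same keys as the issue (lists trimmed). The
# filter semantics below are assumptions, not the project's verified behaviour.
CONFIG = {
    "only_scan_suffix": 1,
    "scan_file_suffix": [".exe", ".dll", ".php", ".js"],
    "skip_scan_paths": ["Windows\\WinSxS", "Windows\\Installer"],
    "hashes": ["EE9E2816170E9441690EBEE28324F43046056712"],  # value from the issue, assumed SHA-1
    "filenames": ["InstDrv.bin"],
    "max_file_limit": 5002400,
}

# Constructed rules: identical strings, different quantifier in the condition.
RULE_ALL = 'rule demo_all { strings: $a = "marker_one" $b = "marker_two" condition: all of them }'
RULE_ANY = 'rule demo_any { strings: $a = "marker_one" $b = "marker_two" condition: any of them }'

STRING_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
COND_RE = re.compile(r'condition:\s*(all|any)\s+of\s+them')


def parse_rule(text):
    """Return ({name: bytes}, quantifier) from a minimal rule with text strings only."""
    strings = {name: val.encode() for name, val in STRING_RE.findall(text)}
    m = COND_RE.search(text)
    if not strings or not m:
        raise ValueError("unsupported rule (only text strings and all/any of them)")
    return strings, m.group(1)


def rule_matches(data, strings, quantifier):
    """Evaluate `all of them` / `any of them` over the rule's string set."""
    hits = sorted(name for name, s in strings.items() if s in data)
    if quantifier == "all":
        return len(hits) == len(strings), hits
    return len(hits) > 0, hits


def should_scan(path, config):
    """Config filters that decide whether a file is read at all (assumed semantics)."""
    lower = str(path).lower()
    if any(skip.lower() in lower for skip in config["skip_scan_paths"]):
        return False, "skip_scan_paths"
    if config["only_scan_suffix"] and path.suffix.lower() not in config["scan_file_suffix"]:
        return False, "suffix"
    if path.stat().st_size > config["max_file_limit"]:
        return False, "max_file_limit"
    return True, "ok"


def scan_file(path, config, rule_text):
    """Describe how the scanner disposed of one file: filtered, hash/name hit, or rule result."""
    ok, reason = should_scan(path, config)
    if not ok:
        return {"file": path.name, "scanned": False, "reason": reason}
    data = path.read_bytes()
    sha1 = hashlib.sha1(data).hexdigest().upper()
    if sha1 in config["hashes"]:
        return {"file": path.name, "scanned": True, "hit": "hash"}
    if path.name in config["filenames"]:
        return {"file": path.name, "scanned": True, "hit": "filename"}
    strings, quant = parse_rule(rule_text)
    matched, hits = rule_matches(data, strings, quant)
    return {"file": path.name, "scanned": True, "hit": "yara" if matched else None,
            "strings_found": hits, "quantifier": quant}


def demo():
    """Constructed samples: one file carries a single rule string, one carries both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "shell.php").write_bytes(b"<?php /* marker_one */ ?>")   # only $a present
        (root / "both.php").write_bytes(b"marker_one ... marker_two")     # $a and $b present
        (root / "notes.txt").write_bytes(b"marker_one marker_two")        # wrong suffix
        for rule in (RULE_ALL, RULE_ANY):
            quant = parse_rule(rule)[1]
            results[quant] = {p.name: scan_file(p, CONFIG, rule) for p in sorted(root.iterdir())}
    return results


if __name__ == "__main__":
    for quant, files in demo().items():
        for name, r in files.items():
            print(quant, name, r)
```

Running it shows the situation from the thread: under `all of them` a file containing only one of the rule's strings is read successfully and still reported as no match, while under `any of them` the same file hits; a file with the wrong suffix is never read at all, which is the other reason a sample can silently disappear from the output.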