First commit

HookDLL/config.cpp

@@ -0,0 +1,75 @@
+#pragma once
+#include "stdafx.h"
+#include "config.h"
+#include <string>
+#include <vector>
+#include <iostream>
+#include <map>
+#include <filesystem>
+
+using std::cout;
+using std::endl; 
+
+std::map<string, string> Config::argvFlagMap;
+CLI::App* Config::app;
+std::vector<std::string> Config::scanList;
+
+std::string Config::outputPath = "";
+
+void Config::insert(string registry, string option, string defaultValue, string helpString) {
+	argvFlagMap[registry] = defaultValue;
+	app->add_option(option, argvFlagMap[registry], helpString);
+}
+
+void Config::initialize() {
+	app = new CLI::App{ "WebShellKill CLI" };
+	LPWSTR *szArglist;
+	int nArgs;
+	szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
+
+	insert("Check_Hide_File", "-i,--show-hidden-file", "1", "扫描隐藏文件");
+	insert("Show_Zend_File", "-z,--show-zend-file", "1", "显示经过Zend加密的文件");
+	insert("Auto_Check_New_Ver", "-a,--auto-check-new-version", "1", "自动更新行为库");
+	insert("Hide_Levl1", "-d,--hide-level1", "1", "隐藏低级别威胁");
+	insert("Check_Type", "-t,--type", "1", "TBD");
+	insert("Show_Hide_dir_", "-e,--exclude-dir", "0", "排除指定的文件夹（TBD）");
+
+	app->add_option("-f,--output", outputPath, "输出到文件");
+
+	app->allow_extras(true);
+
+	const char** args = new const char*[nArgs];
+	for (auto i = 0; i < nArgs; i++) {
+		size_t len = lstrlenW(szArglist[i]);
+		char* arg = new char[len * 2];
+		sprintf_s(arg, len + 1, "%ls", szArglist[i]);
+		args[i] = arg;
+	}
+
+	try {
+		app->parse(nArgs, args);
+		scanList = app->remaining();
+		if (scanList.size() == 0) {
+			throw CLI::CallForHelp();
+		}
+		for (auto &f : scanList) {
+			if (!std::experimental::filesystem::exists(f)) {
+				std::cout << f << " not exists!";
+				ExitProcess(1);
+			}
+		}
+	}
+	catch (const CLI::ParseError &e) {
+		//cout << e.what() << endl;
+		int ret = app->exit(e);
+		ExitProcess(ret);
+	}
+	delete args;
+}
+
+string Config::get(string key) {
+	auto intValue = argvFlagMap.find(key);
+	if (intValue == argvFlagMap.end()) return "";
+	return intValue->second;// std::to_string(intValue->second);
+}
+

HookDLL/config.h

@@ -0,0 +1,22 @@
+#pragma once
+#include <string>
+#include <map>
+#include <vector>
+#include <windows.h>
+#include <shellapi.h>
+#include "CLI11.hpp"
+using std::string;
+
+class Config {
+private:
+	static std::map<string, string> argvFlagMap;
+	static CLI::App* app;
+	static void insert(string registry, string option, string defaultValue, string helpString = "");
+
+public:
+
+	static std::vector<std::string> scanList;
+	static std::string outputPath;
+	static void initialize();
+	static std::string get(std::string);
+};

HookDLL/data.cpp

@@ -0,0 +1,54 @@
+#pragma once
+#include "stdafx.h"
+#include "data.h"
+#include "global.h"
+#include "picojson.h"
+#include <shlobj.h>
+#include <Windows.h>
+#include <tlhelp32.h>
+#include <string>
+
+namespace WebShellKillHook {
+
+	Data::Data() {
+		data.set<>(picojson::array());
+	}
+
+	std::string Data::serialize() {
+		return data.serialize();
+	}
+
+	LRESULT CALLBACK Data::hookCallback(int nCode, WPARAM wParam, LPARAM lParam) {
+		CWPSTRUCT msg = *(CWPSTRUCT*)lParam;
+		if (msg.message == WM_ENABLE) {
+			if (isScanning) {
+				isScanning = false;
+				Global::event.emit(Global::EVENT_SCAN_END);
+			}
+		}
+		else if (msg.message == LVM_INSERTITEMA) {
+			currentColumnIndex = -1;
+			isWaitingForText = true;
+			isSecondCall = 0;
+			item.set<>(picojson::object());
+			isScanning = true;
+		}
+		else if (msg.message == LVM_SETITEMA) {
+			if (isWaitingForText) {
+				data.get<picojson::array>().push_back(item);
+				item.get<picojson::object>().clear();
+				isWaitingForText = false;
+			}
+		}
+		else if (msg.message == LVM_SETITEMTEXTA) {
+			if (isWaitingForText && ++isSecondCall % 2 == 1) {
+				currentColumnIndex++;
+				LPSTR str = (LPSTR)(malloc(sizeof(LPSTR) * 255));
+				ListView_GetItemText(msg.hwnd, ((LVITEMA*)lParam)->iItem, currentColumnIndex, str, 255);
+				item.get<picojson::object>()[columnMap[currentColumnIndex]] = picojson::value(str);
+				free(str);
+			}
+		}
+		return CallNextHookEx(0, nCode, wParam, lParam);
+	}
+}

HookDLL/data.h

@@ -0,0 +1,30 @@
+#pragma once
+#pragma once
+#include "stdafx.h"
+#include "picojson.h"
+#include <shlobj.h>
+#include <Windows.h>
+#include <tlhelp32.h>
+#include <string>
+namespace WebShellKillHook {
+
+	class Data {
+
+	private:
+		int currentColumnIndex = -1;
+		int isSecondCall = 0;
+		bool isWaitingForText = false;
+		bool isScanning = false;
+		std::string columnMap[6] = { "file", "level", "description", "size", "time", "crc32" };
+		picojson::value data;
+		picojson::value item;
+
+
+	public:
+		HWND indexButtonScanHwnd = 0;
+		HWND startButtonScanHwnd = 0;
+		Data();
+		std::string serialize();
+		LRESULT CALLBACK hookCallback(int nCode, WPARAM wParam, LPARAM lParam);
+	};
+}

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Z-Blog
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

readme.md

@@ -0,0 +1,51 @@
+## webshellkill-cli
+
+webshellkill-cli 是一个通过DLL Injection + Hook实现的库，实现了通过命令行操作 [D盾_Web查杀](http://www.d99net.net/)的功能，支持Web查杀版本 V2.0.9。
+
+注意：本项目处于早期版本，不可于生产环境使用。
+
+## 用法
+
+将 version.dll 放置于 WebShellKill.exe 同目录下即可使用。
+```txt
+
+D:\Projects\WebShellKillHook\Debug>WebShellKill.exe -h
+
+WebShellKill CLI
+Usage: WebShellKill.exe [OPTIONS] [FILE]
+
+Options:
+  -h,--help                   Print this help message and exit
+  -i,--show-hidden-file       扫描隐藏文件
+  -z,--show-zend-file         显示经过Zend加密的文件
+  -a,--auto-check-new-version 自动更新行为库
+  -d,--hide-level1            隐藏低级别威胁
+  -t,--type                   TBD
+  -e,--exclude-dir            排除指定的文件夹（TBD）
+  -f,--output TEXT            输出到文件
+
+```
+### wine使用
+
+```bash
+export LC_ALL=zh_CN.UTF-8
+winetricks -q mdac28
+```
+
+接着，需要使用 winecfg，将``version.dll``配置为“原装先于内建”。
+![wine1](Images/wine-1.jpg)
+
+Docker To be done...
+
+## 示例输出
+
+``[{"crc32":"04AD707A","description":"Eval后门 {参数:$_GET[\"a\"]}","file":"","level":"4","size":"23","time":"2019-01-09 00:13:25"}]``
+
+## 注意事项
+
+1. WebShellKill 本身不是绿色软件，其在32位系统下会读写``HKEY_LOCAL_MACHINE\Software\d99net\d_webshell_kill``，本项目仅对读下了钩子，未对写进行处理。
+2. 因为 WebShellKill 是一个 GUI 程序，本项目只对窗口进行了隐藏。因此，如果需要在Wine下使用，仍然需要X Window。
+3. 本程序使用的API均为A系列，因此无论是输入输出均为ANSI编码，非中文环境下可能无法使用。在Wine下使用，必须配置环境变量``LC_ALL=zh_CN.UTF-8``，且输出需要进行编码转换：``iconv -f GBK -t UTF8``。
+
+## 协议
+The MIT License