TheWanderer
09-09-2007, 22:02
Witam,
W związku z nasilającymi się próbami kradzieży kont graczy, postanowiłem pomóc Wam w przypadkach, gdy nie jesteście pewni, czy dany plik (np. zdjęcie pobrane z Internetu czy otrzymane e-mailem) nie zawiera keyloggera.
Poniżej zamieszczam skrypt PHP służący do skanowania pliku pod kątem popularnych keyloggerów Tibijskich.
<?php
/*
Warning numbers:
1 File MIME type like that of EXE
2 File header like that of EXE
3 "This program must be run under Win32"
4 File includes dangerous libraries (this is considered unreliable)
5 Binary is randomly filled with bytes
6 Binary contains IE tunnelling
7 Program links to external URL
8 Program modifies system registry
9 File has a double extension
*/
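class KeyloggerDetector
{
    /** Number of distinct warning codes (1-9); the risk percentage is warnings-found / this. */
    const WARNING_COUNT = 9;

    /**
     * MIME types a browser may report for a Windows executable. The value comes from
     * $_FILES[...]['type'], i.e. it is chosen by the client and only supports warning 1.
     */
    private static $exeMimeTypes = array(
        'application/x-dosexec',
        'application/x-ms-windows-executable',
        'application/x-msdos-program',
    );

    /** Human-readable text for each warning code, in the order they are listed. */
    private static $messages = array(
        1 => 'File MIME type indicates that file is an executable program for Windows.',
        2 => 'Found a file header indicating Windows executable.',
        3 => 'File matches the standard template for Windows executable programs.',
        4 => 'Binary includes advanced Windows libraries, commonly used in keyloggers.',
        5 => 'Program is filled with random trash data to increase its size.',
        6 => 'Program uses Internet Explorer to hide its internet traffic from firewalls. <strong>High risk!</strong>',
        7 => 'Program contains references to external websites.',
        8 => 'Program modifies system registry. <strong>High risk!</strong>',
        9 => 'Filename has a double extension. This technique is often used to hide malicious software in files that seem to be images, photos, movies, music, etc.',
    );

    /** Page <title>; always one of the fixed strings set by CheckFile() / DisplayForm(). */
    public $title = '';
    /** Pre-built HTML fragment (warning list, form or error text) echoed by the template. */
    public $pagecontent = '';

    /**
     * Runs the heuristic checks on one file and returns the matching warning codes
     * (see the table at the top of the file) in ascending order.
     *
     * Warnings 1-4 only prove that the file is a Windows executable, so they are
     * skipped when the user already declared it as one.
     *
     * @param string $filename        Client-side file name; only its basename is inspected.
     * @param string $contents        Raw bytes of the file.
     * @param string $mimeType        MIME type as reported by the browser (not authoritative).
     * @param bool   $declaredProgram True if the user ticked "this is an EXE".
     * @return int[] Warning codes, ascending; empty when nothing matched.
     */
    public static function Analyze($filename, $contents, $mimeType, $declaredProgram)
    {
        $warnings = array();
        if (!$declaredProgram && in_array($mimeType, self::$exeMimeTypes, true)) {
            $warnings[] = 1;
        }
        // 'MZP' is the DOS stub signature used by Borland/Delphi-built executables.
        if (!$declaredProgram && substr($contents, 0, 3) === 'MZP') {
            $warnings[] = 2;
        }
        if (!$declaredProgram && substr($contents, 80, 36) === 'This program must be run under Win32') {
            $warnings[] = 3;
        }
        if (!$declaredProgram && strpos($contents, "\x00advapi32.dll") !== false) {
            $warnings[] = 4;
        }
        // Strict comparison: the original '!= false' silently missed a match at offset 0.
        if (strpos($contents, '11111011') !== false) {
            $warnings[] = 5;
        }
        if (strpos($contents, "iexplore*****\x00\x00\x00\x00open") !== false) {
            $warnings[] = 6;
        }
        if (strpos($contents, "\x00\x00\x00http://") !== false) {
            $warnings[] = 7;
        }
        if (strpos($contents, 'RegOpenKeyExA') !== false) {
            $warnings[] = 8;
        }
        // Two or more dots in the name, e.g. "photo.jpg.exe". substr_count is safe on
        // an empty name, where the old strpos-with-offset form raised an error.
        if (substr_count(basename($filename), '.') >= 2) {
            $warnings[] = 9;
        }
        return $warnings;
    }

    /**
     * Handles the POSTed upload: reads the file, runs Analyze() and fills $pagecontent
     * with the warning list and a risk percentage (or a "seems safe" note).
     *
     * @return bool false when no usable upload was received, true otherwise.
     */
    protected function CheckFile()
    {
        $this->title = 'Checking file...';
        $upload = isset($_FILES['suspected_file']) ? $_FILES['suspected_file'] : null;
        // Reject missing, partial or failed uploads before touching the temp file.
        if ($upload === null
            || (isset($upload['error']) && $upload['error'] !== UPLOAD_ERR_OK)
            || !isset($upload['tmp_name'])
            || !file_exists($upload['tmp_name'])
        ) {
            $this->pagecontent = 'POST error. Your browser may have sent an incomplete file.';
            return false;
        }
        // NOTE(review): is_uploaded_file($upload['tmp_name']) is not checked here; worth
        // adding when this runs behind a real web server so only this request's upload is read.
        $contents = file_get_contents($upload['tmp_name']);
        if ($contents === false) {
            $this->pagecontent = 'POST error. Your browser may have sent an incomplete file.';
            return false;
        }

        $warnings = self::Analyze(
            isset($upload['name']) ? $upload['name'] : '',
            $contents,
            isset($upload['type']) ? $upload['type'] : '',
            isset($_POST['program'])
        );

        if (empty($warnings)) {
            $this->pagecontent .= '<p>The file seems to be safe. However, you can also check it with your anti-virus program for increased security.</p>';
            return true;
        }
        $this->pagecontent .= '<ul>';
        foreach ($warnings as $code) {
            $this->pagecontent .= '<li>' . self::$messages[$code] . "</li>\n";
        }
        $this->pagecontent .= '</ul>';
        $this->pagecontent .= '<p>You have a <strong>' . round(count($warnings) / self::WARNING_COUNT * 100) . '%</strong> chance that scanned file is a Tibia keylogger.</p>';
        return true;
    }

    /**
     * Fills $pagecontent with the upload form that posts back to this script.
     *
     * @return void
     */
    protected function DisplayForm()
    {
        $this->title = 'Select a file to check';
        $action = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
        // Escaped: the script path is taken from the request and lands inside an attribute.
        $this->pagecontent = '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '" method="POST" enctype="multipart/form-data">'
            . '<label for="fsf">File to scan:</label> <input id="fsf" type="file" name="suspected_file" /><br />'
            . '<label for="exe">Check this field if you know that the file is an executable program (EXE):</label> <input id="exe" type="checkbox" name="program" value="yes" /><br />'
            . '<input type="submit" name="go" value="Scan" /></form>';
    }

    /**
     * Entry point: shows the form unless the form's "Scan" button was submitted.
     *
     * @return void
     */
    public function Run()
    {
        if (isset($_POST['go'])) {
            $this->CheckFile();
        } else {
            $this->DisplayForm();
        }
    }
}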
// Handle this request; the HTML template below reads $checker->title and $checker->pagecontent.
$checker = new KeyloggerDetector();
$checker->Run();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<?php /* $title is one of the fixed strings assigned in CheckFile() / DisplayForm(). */ ?>
<title><?php echo $checker->title; ?></title>
</head>
<body>
<div id="main_container">
<?php /* $pagecontent is markup the class built itself (warning list, form or error text), echoed as-is. */ ?>
<?php echo $checker->pagecontent; ?>
</div>
</body>
</html>
EDIT: Skaner już jest w Sieci. Można go znaleźć pod adresem:
http://www.safetibia.yoyo.pl/
Mam nadzieję, że mój skrypt uchroni Was w wielu sytuacjach od utraty konta.
W związku z nasilającymi się próbami kradzieży kont graczy, postanowiłem pomóc Wam w przypadkach, gdy nie jesteście pewni, czy dany plik (np. zdjęcie pobrane z Internetu czy otrzymane e-mailem) nie zawiera keyloggera.
Poniżej zamieszczam skrypt PHP służący do skanowania pliku pod kątem popularnych keyloggerów Tibijskich.
<?php
/*
Warning numbers:
1 File MIME type like that of EXE
2 File header like that of EXE
3 "This program must be run under Win32"
4 File includes dangerous libraries (this is considered unreliable)
5 Binary is randomly filled with bytes
6 Binary contains IE tunnelling
7 Program links to external URL
8 Program modifies system registry
9 File has a double extension
*/
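class KeyloggerDetector
{
    /** Number of distinct warning codes (1-9); the risk percentage is warnings-found / this. */
    const WARNING_COUNT = 9;

    /**
     * MIME types a browser may report for a Windows executable. The value comes from
     * $_FILES[...]['type'], i.e. it is chosen by the client and only supports warning 1.
     */
    private static $exeMimeTypes = array(
        'application/x-dosexec',
        'application/x-ms-windows-executable',
        'application/x-msdos-program',
    );

    /** Human-readable text for each warning code, in the order they are listed. */
    private static $messages = array(
        1 => 'File MIME type indicates that file is an executable program for Windows.',
        2 => 'Found a file header indicating Windows executable.',
        3 => 'File matches the standard template for Windows executable programs.',
        4 => 'Binary includes advanced Windows libraries, commonly used in keyloggers.',
        5 => 'Program is filled with random trash data to increase its size.',
        6 => 'Program uses Internet Explorer to hide its internet traffic from firewalls. <strong>High risk!</strong>',
        7 => 'Program contains references to external websites.',
        8 => 'Program modifies system registry. <strong>High risk!</strong>',
        9 => 'Filename has a double extension. This technique is often used to hide malicious software in files that seem to be images, photos, movies, music, etc.',
    );

    /** Page <title>; always one of the fixed strings set by CheckFile() / DisplayForm(). */
    public $title = '';
    /** Pre-built HTML fragment (warning list, form or error text) echoed by the template. */
    public $pagecontent = '';

    /**
     * Runs the heuristic checks on one file and returns the matching warning codes
     * (see the table at the top of the file) in ascending order.
     *
     * Warnings 1-4 only prove that the file is a Windows executable, so they are
     * skipped when the user already declared it as one.
     *
     * @param string $filename        Client-side file name; only its basename is inspected.
     * @param string $contents        Raw bytes of the file.
     * @param string $mimeType        MIME type as reported by the browser (not authoritative).
     * @param bool   $declaredProgram True if the user ticked "this is an EXE".
     * @return int[] Warning codes, ascending; empty when nothing matched.
     */
    public static function Analyze($filename, $contents, $mimeType, $declaredProgram)
    {
        $warnings = array();
        if (!$declaredProgram && in_array($mimeType, self::$exeMimeTypes, true)) {
            $warnings[] = 1;
        }
        // 'MZP' is the DOS stub signature used by Borland/Delphi-built executables.
        if (!$declaredProgram && substr($contents, 0, 3) === 'MZP') {
            $warnings[] = 2;
        }
        if (!$declaredProgram && substr($contents, 80, 36) === 'This program must be run under Win32') {
            $warnings[] = 3;
        }
        if (!$declaredProgram && strpos($contents, "\x00advapi32.dll") !== false) {
            $warnings[] = 4;
        }
        // Strict comparison: the original '!= false' silently missed a match at offset 0.
        if (strpos($contents, '11111011') !== false) {
            $warnings[] = 5;
        }
        if (strpos($contents, "iexplore*****\x00\x00\x00\x00open") !== false) {
            $warnings[] = 6;
        }
        if (strpos($contents, "\x00\x00\x00http://") !== false) {
            $warnings[] = 7;
        }
        if (strpos($contents, 'RegOpenKeyExA') !== false) {
            $warnings[] = 8;
        }
        // Two or more dots in the name, e.g. "photo.jpg.exe". substr_count is safe on
        // an empty name, where the old strpos-with-offset form raised an error.
        if (substr_count(basename($filename), '.') >= 2) {
            $warnings[] = 9;
        }
        return $warnings;
    }

    /**
     * Handles the POSTed upload: reads the file, runs Analyze() and fills $pagecontent
     * with the warning list and a risk percentage (or a "seems safe" note).
     *
     * @return bool false when no usable upload was received, true otherwise.
     */
    protected function CheckFile()
    {
        $this->title = 'Checking file...';
        $upload = isset($_FILES['suspected_file']) ? $_FILES['suspected_file'] : null;
        // Reject missing, partial or failed uploads before touching the temp file.
        if ($upload === null
            || (isset($upload['error']) && $upload['error'] !== UPLOAD_ERR_OK)
            || !isset($upload['tmp_name'])
            || !file_exists($upload['tmp_name'])
        ) {
            $this->pagecontent = 'POST error. Your browser may have sent an incomplete file.';
            return false;
        }
        // NOTE(review): is_uploaded_file($upload['tmp_name']) is not checked here; worth
        // adding when this runs behind a real web server so only this request's upload is read.
        $contents = file_get_contents($upload['tmp_name']);
        if ($contents === false) {
            $this->pagecontent = 'POST error. Your browser may have sent an incomplete file.';
            return false;
        }

        $warnings = self::Analyze(
            isset($upload['name']) ? $upload['name'] : '',
            $contents,
            isset($upload['type']) ? $upload['type'] : '',
            isset($_POST['program'])
        );

        if (empty($warnings)) {
            $this->pagecontent .= '<p>The file seems to be safe. However, you can also check it with your anti-virus program for increased security.</p>';
            return true;
        }
        $this->pagecontent .= '<ul>';
        foreach ($warnings as $code) {
            $this->pagecontent .= '<li>' . self::$messages[$code] . "</li>\n";
        }
        $this->pagecontent .= '</ul>';
        $this->pagecontent .= '<p>You have a <strong>' . round(count($warnings) / self::WARNING_COUNT * 100) . '%</strong> chance that scanned file is a Tibia keylogger.</p>';
        return true;
    }

    /**
     * Fills $pagecontent with the upload form that posts back to this script.
     *
     * @return void
     */
    protected function DisplayForm()
    {
        $this->title = 'Select a file to check';
        $action = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
        // Escaped: the script path is taken from the request and lands inside an attribute.
        $this->pagecontent = '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '" method="POST" enctype="multipart/form-data">'
            . '<label for="fsf">File to scan:</label> <input id="fsf" type="file" name="suspected_file" /><br />'
            . '<label for="exe">Check this field if you know that the file is an executable program (EXE):</label> <input id="exe" type="checkbox" name="program" value="yes" /><br />'
            . '<input type="submit" name="go" value="Scan" /></form>';
    }

    /**
     * Entry point: shows the form unless the form's "Scan" button was submitted.
     *
     * @return void
     */
    public function Run()
    {
        if (isset($_POST['go'])) {
            $this->CheckFile();
        } else {
            $this->DisplayForm();
        }
    }
}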
// Handle this request; the HTML template below reads $checker->title and $checker->pagecontent.
$checker = new KeyloggerDetector();
$checker->Run();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<?php /* $title is one of the fixed strings assigned in CheckFile() / DisplayForm(). */ ?>
<title><?php echo $checker->title; ?></title>
</head>
<body>
<div id="main_container">
<?php /* $pagecontent is markup the class built itself (warning list, form or error text), echoed as-is. */ ?>
<?php echo $checker->pagecontent; ?>
</div>
</body>
</html>
EDIT: Skaner już jest w Sieci. Można go znaleźć pod adresem:
http://www.safetibia.yoyo.pl/
Mam nadzieję, że mój skrypt uchroni Was w wielu sytuacjach od utraty konta.