#1
Forum user
Join date: 06 08 2006
Posts: 4

Hello,
Due to the increasing number of attempts to steal players' accounts, I decided to help you in cases where you are not sure whether a given file (e.g. a picture downloaded from the Internet or received by e-mail) contains a keylogger. Below I am posting a PHP script for scanning a file for popular Tibia keyloggers.

Code:
```php
<?php
/*
Warning numbers:
1 File MIME type like that of EXE
2 File header like that of EXE
3 "This program must be run under Win32"
4 File includes dangerous libraries (this is considered unreliable)
5 Binary is randomly filled with bytes
6 Binary contains IE tunnelling
7 Program links to external URL
8 Program modifies system registry
9 File has a double extension
*/
class KeyloggerDetector
{
    public $title = '';
    public $pagecontent = '';

    protected function CheckFile()
    {
        $this->title = 'Checking file...';
        $warnings = array();

        // Accept only a file that really arrived through this HTTP upload.
        if(!isset($_FILES['suspected_file']) || !is_uploaded_file($_FILES['suspected_file']['tmp_name']))
        {
            $this->pagecontent = 'POST error. Your browser may have sent an incomplete file.';
            return false;
        }

        // Checks 1-4 are skipped when the user declares the file to be an EXE.
        // Note: the MIME type is supplied by the browser, so it is only a hint.
        if(!isset($_POST['program']) && ($_FILES['suspected_file']['type'] == 'application/x-dosexec' || $_FILES['suspected_file']['type'] == 'application/x-ms-windows-executable' || $_FILES['suspected_file']['type'] == 'application/x-msdos-program'))
            $warnings[] = 1;

        // Two or more dots in the name count as a double extension.
        $filename = basename($_FILES['suspected_file']['name']);
        if(substr_count($filename, '.') > 1)
            $warnings[] = 9;

        $file_contents = file_get_contents($_FILES['suspected_file']['tmp_name']);

        // 'MZP' is the start of the DOS header as it appears in the targeted keyloggers.
        if(!isset($_POST['program']) && substr($file_contents,0,3) == 'MZP')
            $warnings[] = 2;
        // DOS stub message expected at offset 80.
        if(!isset($_POST['program']) && substr($file_contents,80,36) == 'This program must be run under Win32')
            $warnings[] = 3;
        if(strpos($file_contents,'RegOpenKeyExA') !== false)
            $warnings[] = 8;
        if(!isset($_POST['program']) && strpos($file_contents,"\x00advapi32.dll") !== false)
            $warnings[] = 4;
        // Strict comparison, so a match at offset 0 is not treated as "not found".
        if(strpos($file_contents,'11111011') !== false)
            $warnings[] = 5;
        // The asterisks in this pattern are reproduced exactly as they appear in the post.
        if(strpos($file_contents,"iexplore*****\x00\x00\x00\x00open") !== false)
            $warnings[] = 6;
        if(strpos($file_contents,"\x00\x00\x00http://") !== false)
            $warnings[] = 7;

        if(!empty($warnings))
        {
            $this->pagecontent .= '<ul>';
            foreach($warnings as $v)
            {
                $this->pagecontent .= '<li>';
                switch($v)
                {
                    case 1:
                        $this->pagecontent .= 'File MIME type indicates that file is an executable program for Windows.';
                        break;
                    case 2:
                        $this->pagecontent .= 'Found a file header indicating Windows executable.';
                        break;
                    case 3:
                        $this->pagecontent .= 'File matches the standard template for Windows executable programs.';
                        break;
                    case 4:
                        $this->pagecontent .= 'Binary includes advanced Windows libraries, commonly used in keyloggers.';
                        break;
                    case 5:
                        $this->pagecontent .= 'Program is filled with random trash data to increase its size.';
                        break;
                    case 6:
                        $this->pagecontent .= 'Program uses Internet Explorer to hide its internet traffic from firewalls. <strong>High risk!</strong>';
                        break;
                    case 7:
                        $this->pagecontent .= 'Program contains references to external websites.';
                        break;
                    case 8:
                        $this->pagecontent .= 'Program modifies system registry. <strong>High risk!</strong>';
                        break;
                    case 9:
                        $this->pagecontent .= 'Filename has a double extension. This technique is often used to hide malicious software in files that seem to be images, photos, movies, music, etc.';
                        break;
                }
                $this->pagecontent .= "</li>\n";
            }
            $this->pagecontent .= '</ul>';
            // Score: share of the nine heuristics that fired.
            $this->pagecontent .= '<p>You have a <strong>'.round(count($warnings) / 9 * 100).'%</strong> chance that scanned file is a Tibia keylogger.</p>';
        }
        else
        {
            $this->pagecontent .= '<p>The file seems to be safe. However, you can also check it with your anti-virus program for increased security.</p>';
        }
    }

    protected function DisplayForm()
    {
        $this->title = 'Select a file to check';
        // Escape the script path before placing it in an HTML attribute.
        $this->pagecontent = '<form action="'.htmlspecialchars($_SERVER['SCRIPT_NAME']).'" method="POST" enctype="multipart/form-data"><label for="fsf">File to scan:</label> <input id="fsf" type="file" name="suspected_file" /><br /><label for="exe">Check this field if you know that the file is an executable program (EXE):</label> <input id="exe" type="checkbox" name="program" value="yes" /><br /><input type="submit" name="go" value="Scan" /></form>';
    }

    public function Run()
    {
        if(!isset($_POST['go']))
            $this->DisplayForm();
        else
            $this->CheckFile();
    }
}

$checker = new KeyloggerDetector();
$checker->Run();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title><?php echo $checker->title; ?></title>
</head>
<body>
<div id="main_container">
<?php echo $checker->pagecontent; ?>
</div>
</body>
</html>
```

http://www.safetibia.yoyo.pl/

I hope my script will save you from losing your account in many situations.

Last edited by TheWanderer - 10-09-2007 at 00:07. Reason: Uploaded to the Web

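An added example, not part of the original post: the posted script relies on the browser-supplied MIME type, a fixed `MZP` prefix, and "two dots in the name", so this sketch shows content-based checks for the same two signals (executable header, disguised extension). The function names `looks_like_pe` and `has_disguised_extension`, the extension lists, and the sample data are assumptions made for illustration.

```php
<?php
// Added example (not from the posted script); function names are hypothetical.

// True when $data has a valid PE layout: "MZ" magic, e_lfanew (little-endian
// uint32 at offset 0x3C) inside the data, and "PE\0\0" at that offset.
function looks_like_pe(string $data): bool
{
    if (strlen($data) < 0x40 || substr($data, 0, 2) !== 'MZ') {
        return false;
    }
    $peOffset = unpack('V', substr($data, 0x3C, 4))[1];
    if ($peOffset < 0 || $peOffset > strlen($data) - 4) {
        return false;
    }
    return substr($data, $peOffset, 4) === "PE\x00\x00";
}

// True when an executable extension follows a document/media extension,
// e.g. "photo.jpg.exe". Both lists are illustrative assumptions.
function has_disguised_extension(string $name): bool
{
    $executable = ['exe', 'scr', 'com', 'pif', 'bat', 'cmd'];
    $decoy = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'avi', 'mp3', 'txt', 'doc', 'pdf'];
    // Windows ignores trailing dots and spaces in a filename.
    $parts = explode('.', strtolower(rtrim(basename($name), '. ')));
    $n = count($parts);
    return $n >= 3
        && in_array($parts[$n - 1], $executable, true)
        && in_array(trim($parts[$n - 2]), $decoy, true);
}

// Constructed samples (name => contents): a minimal fake PE header,
// a JPEG-like prefix, and plain text that merely begins with "MZ".
$samples = [
    'holiday.jpg.exe' => 'MZ' . str_repeat("\x00", 0x3A) . pack('V', 0x40) . "PE\x00\x00",
    'holiday.jpg'     => "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 0x60),
    'notes.v2.txt'    => 'MZ is just how this text starts' . str_repeat(' ', 0x40),
];

foreach ($samples as $name => $data) {
    printf("%-16s pe=%s disguised=%s\n", $name,
        looks_like_pe($data) ? 'yes' : 'no',
        has_disguised_extension($name) ? 'yes' : 'no');
}
```

The third sample has two dots in its name and starts with `MZ`, yet neither function flags it, because the checks look at the PE signature and at which extensions are combined.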
#2
Banned
Join date: 13 05 2007
Posts: 124

Personally I prefer
Virusccan.jotti.org (I don't know if I spelled it right)

#3
Guest
Posts: n/a

I don't need this; if they swipe everything from my account, I'll know I have a keylogger

#4
Forum user
Join date: 06 08 2006
Posts: 4

~bump~
Maybe someone will take an interest in this

#5
Forum user
Join date: 11 06 2007
Location: ustka
Posts: 644
Status: Not playing

Pretty cool, though I haven't tested it (it might work).
It will come in handy for the scanner in findit if I find the time :S
__________________
You can bake cookies in the glow of my awesomeness.

#6
Moderator
Join date: 10 09 2005
Posts: 2,348
Status: Retired

Quote:
The right approach...
