Implementing a WebShell signature locator in Java


Text/figure tsunami Tian Ming (Ansty) [Li Haiming, South China Agricultural University]
You may remember the article I published in anti-DDoS last year on methods for locating WebShell signatures. In that article I located the signatures by hand; manual locating is not only inefficient, it also drains our enthusiasm for the work. It therefore makes sense to automate it with a tool. Below, we use Java to write a WebShell signature locator. Figure 1 shows the locator we want to implement.

Figure 1
Because a WebShell is generally not very large, we can delete one line of its code at a time and save the result as a separate file. After removing each line in turn we have as many files as the WebShell has lines. We then run anti-virus software over the generated files: the copies it still detects are deleted, and the ones that survive are exactly the copies from which the signature line was removed. Finally, listing the surviving files tells us which line or lines of code carry the signature.
Let's look at how the program is implemented. I will not go into the GUI design, since it is not our focus. Before getting started, here are the declarations of the global variables.
 
private JButton jbSelect;           // "select a file" button
private JButton jbAna;              // "start analysis" button
private JButton jbLocate;           // "locate" button
private JTextArea jtaResult;        // text area showing the result
private JTextArea jtaHelp;          // help text area
private JTextField jtfFile;         // file path box
private File shell;                 // the selected WebShell file
private String path;                // temp directory next to the file
private String fileExt;             // file extension
private Vector<String> fileContent; // file content, one line per element

1) Obtain the selected WebShell file (chooseFile())
 
private void chooseFile() {
    int choice;
    JFileChooser jfc = new JFileChooser();
    // Use the JFileChooser class provided by the JDK to obtain a file selection dialog box
    jfc.setSize(400, 400);
    choice = jfc.showOpenDialog(this);
    // JFileChooser offers "save file" and "open file" modes; showOpenDialog displays the open-file dialog
    if (choice == JFileChooser.APPROVE_OPTION) {
        // The user pressed OK
        shell = jfc.getSelectedFile();
        // getSelectedFile returns a File object, i.e. the selected file
        jtfFile.setText(shell.getAbsolutePath());
        // getAbsolutePath gives the full path of the file
        fileExt = shell.getName().substring(shell.getName().lastIndexOf("."));
        // The extension is everything from the last "." onward; substring extracts it
        jbAna.setEnabled(true);
    }
}

2) Read the WebShell file content (readFile())
Once the WebShell is selected we analyse it and extract its content. To make reading efficient, the whole WebShell is read into memory and stored in a Vector<String> for convenient lookup.
 
fileContent = new Vector<String>();
BufferedReader br;
br = new BufferedReader(new InputStreamReader(new FileInputStream(shell)));
// Buffered reading of the file
String temp; // temporary variable holding each line
while ((temp = br.readLine()) != null) {
    // readLine returns null after the last line, which ends the loop
    fileContent.add(temp);
    // Store the line in Vector<String> fileContent
}
br.close();
 
Once this has run normally, the entire WebShell content is held in the fileContent variable.
 
3) Batch-save the WebShell copies with one line removed (writeFile())
Before writeFile() runs, the code path = shell.getParent() + "\\" + "temp" + "\\"; sets the path of a temp folder in the same directory as the WebShell; writeFile() creates it and saves the generated temporary files there.
 
PrintWriter pw; // each file is written with a PrintWriter
try {
    File dir = new File(this.path);
    dir.mkdir(); // create the temp folder under the WebShell directory
    for (int i = 0; i < fileContent.size(); i++) {
        // One output file per line of code: the whole file is looped once per line
        String path = this.path + (i + 1) + fileExt;
        // Each file is named by the number of the line removed from it, with the original WebShell extension
        pw = new PrintWriter(new OutputStreamWriter(new FileOutputStream(path)), true);
        // Open the output file
        for (int j = 0; j < fileContent.size(); j++) {
            if (j != i) // the file is named after the line it omits, so that line is skipped and every other line is written
                pw.println(fileContent.get(j)); // write line by line
        }
        pw.close(); // the output stream must be closed after each file
    }
} catch (IOException e) {
    jtaResult.append("Failed to write temporary files: " + e.getMessage() + "\n");
}

4) Anti-virus scan
There is little to say about this step. We run the anti-virus software over the generated files and let it delete every file it detects. The only files left are the copies from which the signature was removed. Although the software no longer detects these copies, they are incomplete, because we removed part of the code without knowing what that code does; hence the following steps are also required.
 
5) Locate the signature (locate())
The idea is to analyse the files that survived the scan. As noted above, each file is named after the number of the line that was removed from it, so the names of the surviving files are exactly the line numbers where the signature sits.
 
File result = new File(shell.getParent() + "\\temp");
// The temp directory
boolean[] exist = new boolean[fileContent.size()];
// Whether a file survived for each line; a boolean array is initialised to false
String[] dirContent = result.list();
// All files in the directory; list() returns a String[]
int temp;
for (int i = 0; i < dirContent.length; i++) {
    // Walk the surviving files
    temp = Integer.parseInt(dirContent[i].substring(0, dirContent[i].lastIndexOf(".")));
    // lastIndexOf(".") gives the position of the extension; substring() keeps the name and drops the extension.
    // Because the name is the line number, Integer.parseInt() converts it to an int.
    exist[temp - 1] = true;
    // Mark that line number; file names are 1-based while the array is 0-based, hence the -1
}
for (int i = 0; i < exist.length; i++) {
    if (exist[i]) { // this line number survived, so it is a located signature line
        jtaResult.append((i + 1) + " " + fileContent.get(i) + "\n");
        // Take the code of that line from fileContent and show it in the result window
    }
}

Of course, it is also possible that the anti-virus scan detects nothing. In that case we only need to check whether the number of generated files equals the number of lines. The implementation is as follows.
 
if (dirContent.length == fileContent.size()) {
    jtaResult.append("The anti-virus software detected none of the files; there may be no signature!\n");
    return;
}
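The five steps above consolidated into one runnable class, as an added example that is not part of the article: the anti-virus scan is replaced by a Predicate stand-in so the logic runs offline, and it also covers the case the article leaves out, where detection rests on two independent indicators so that removing any single line never clears it. The class name, the Result record, the sample lines and the tokens the stand-in scanner looks for are all constructed here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Added example (not the article's GUI code). The scanner is a Predicate that returns
// true when it would flag the given file content; in the article this is where the
// generated temp files are handed to the anti-virus software.
public class SignatureLocator {

    // Outcome of one run: 1-based line numbers whose removal makes the scanner stop
    // flagging the file, plus how many of the generated variants survived.
    public record Result(List<Integer> signatureLines, int survivors, int variants) {
        public boolean nothingDetected() { return survivors == variants; } // article's final check
        public boolean notLocalisable()  { return survivors == 0; }        // every variant still flagged
    }

    // Build every "file minus one line" variant (the article writes these to a temp
    // folder named <line number><ext>; here they stay in memory) and scan each one.
    public static Result locate(List<String> lines, Predicate<List<String>> scanner) {
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            List<String> variant = new ArrayList<>(lines);
            variant.remove(i);                // drop line i+1, keep everything else
            if (!scanner.test(variant)) {     // survived: line i+1 carried the signature
                hits.add(i + 1);
            }
        }
        return new Result(hits, hits.size(), lines.size());
    }

    public static void main(String[] args) {
        // Constructed sample file; SIG_TOKEN and OTHER_TOKEN stand in for real signatures.
        List<String> sample = List.of(
            "' constructed line 1",
            "' constructed line 2 SIG_TOKEN",
            "' constructed line 3 OTHER_TOKEN",
            "' constructed line 4");
        // Scanner keyed on one line: the locator pins it down in one scan per line.
        Predicate<List<String>> oneLine = v -> v.stream().anyMatch(l -> l.contains("SIG_TOKEN"));
        System.out.println("single-line signature: " + locate(sample, oneLine));
        // Scanner keyed on two independent indicators: removing either line alone still
        // leaves the other, so no variant survives and the tool cannot localise it.
        Predicate<List<String>> twoIndependent = v -> v.stream()
            .anyMatch(l -> l.contains("SIG_TOKEN") || l.contains("OTHER_TOKEN"));
        Result r = locate(sample, twoIndependent);
        System.out.println("two independent indicators: " + r + " notLocalisable=" + r.notLocalisable());
    }
}
```

From the detection side this shows why a rule anchored to a single line is brittle while one that combines independent indicators is not reduced to a line number by this procedure.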

That concludes our WebShell signature locator. Let's test it.
Everyone is familiar with the WebShell ServUsu.asp, the Serv-U privilege-escalation web shell that so many attackers are now after. After splitting it with our tool, we scanned the output with Kaspersky, as shown in Figure 2. After the scan finished we ran the locator, as shown in Figure 3.

Figure 2; Figure 3

This shows that the WebShell signature lies in lines 1 and 2 of the code. Evading detection of the signature is outside the scope of this article. If you have any questions, come to the official anti-DDoS forum and discuss them with me; my ID is Ansty.
