I want to launch an executable from Python but give it a different process name. For example, the Rootkit Revealer page mentions that it is now invoked by a service that creates a copy of the executable with a random name and runs it. This helps it track malware that will not run if it detects Rootkit Revealer is present. This was inspired by this question on security.stackexchange.
Rootkit Revealer has since been abandoned, but malware still wants to avoid software like Wireshark and Process Monitor. At home, what I came up with is:
import psutil
import subprocess
import shutil

# Copy notepad.exe to a random file name and launch the copy, so the
# process shows up under the random name rather than "notepad.exe".
randomString = "saf9dsfjkoopY.exe"
# Raw string: the original "C:\\Windows\System32\\notepad.exe" mixed an
# escaped and an unescaped backslash (\S is an invalid escape in Python 3.12+).
shutil.copy(r"C:\Windows\System32\notepad.exe", randomString)
p = subprocess.Popen(randomString)

# Look for process by name
for proc in psutil.process_iter():
    try:
        process_info = proc.as_dict(attrs=['pid', 'name'])
    except (psutil.NoSuchProcess, psutil.AccessDenied):
        # The process exited between enumeration and lookup, or we may not
        # query it; skip it as psutil's own examples do.
        pass
    else:
        if process_info['name'] == "TextPad.exe":
            print(process_info)
        if process_info['name'] == "notepad.exe":
            print(process_info)
Do you think the first part would work for renaming the process and evading malware? What would I gain by running the executable as a service rather than as a regular process? The malware in question uses the following code to avoid certain security tools:
#include <windows.h>
#include <vector>

// GetProcessID is the malware author's own helper (not a Win32 API): it fills
// SetOfPID with the PIDs of every running process whose name matches.
std::vector<DWORD> SetOfPID;
GetProcessID("Wireshark", SetOfPID);
if (SetOfPID.empty())
{
    // Nothing found running, Safe to execute bot.
}
else
{
    // One of the process was found running, Exit install.
    // If you want to you could also make it kill connections or cut process. ~ h1t3m
    ExitProcess(0);
}
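The question's core uncertainty is whether a random file name defeats a check like the malware's `GetProcessID("Wireshark", ...)`. The following is an added example, not code from the question or from any project mentioned in it, that contrasts the two checks side by side: a name-only matcher in the style of the malware snippet, and a matcher on the SHA-256 of the backing executable, which is what the renamed copy cannot hide from. It uses only the standard library; the "tool" binary and the process table are constructed in a temporary directory rather than read from the OS, so it runs offline on any platform.

```python
"""Added example (not from the original question): does a random file name
defeat a process-name check, and what does a check on the binary's contents
see instead? The 'process table' below is constructed data, not read from
the OS, and the 'tool' is a stand-in file written into a temporary directory."""
import hashlib
import os
import secrets
import shutil
import tempfile


def sha256_of_file(path):
    """Hash the file contents in chunks; this is what an image-based check compares."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def random_copy(src, dest_dir):
    """Mimic the question's trick: copy the tool to a random .exe name."""
    dest = os.path.join(dest_dir, secrets.token_hex(8) + ".exe")
    shutil.copy(src, dest)
    return dest


def find_by_name(procs, wanted):
    """The malware's check from the question: match on process name only."""
    return [p for p in procs if p["name"].lower() == wanted.lower()]


def find_by_hash(procs, wanted_digest):
    """A stronger check: match on the hash of the executable backing each process."""
    hits = []
    for p in procs:
        try:
            if sha256_of_file(p["exe"]) == wanted_digest:
                hits.append(p)
        except OSError:
            # Backing file gone or unreadable (e.g. a protected system process):
            # skip it, the same way the psutil loop skips NoSuchProcess.
            pass
    return hits


def demo():
    """Run both checks against a renamed copy; returns (name_hits, hash_hits)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the real tool; the bytes are arbitrary.
        tool = os.path.join(d, "Wireshark.exe")
        with open(tool, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"this stands in for the tool's PE image")
        renamed = random_copy(tool, d)

        # Constructed process table: one entry whose exe cannot be opened,
        # and the renamed copy of the tool running under its random name.
        procs = [
            {"pid": 4, "name": "System", "exe": os.path.join(d, "missing.exe")},
            {"pid": 1234, "name": os.path.basename(renamed), "exe": renamed},
        ]
        name_hits = find_by_name(procs, "Wireshark.exe")          # misses the renamed copy
        hash_hits = find_by_hash(procs, sha256_of_file(tool))     # still finds it
        return len(name_hits), len(hash_hits)


if __name__ == "__main__":
    print("name-based hits, hash-based hits:", demo())
```

Renaming the file changes the `name` attribute that `psutil` (and the malware's helper) report, so the name-only check returns nothing, while a check keyed on the executable's contents, or on other attributes such as the window title or the loaded DLLs, is unaffected. On a real system the hash lookup would go through `proc.exe()` for each entry from `psutil.process_iter()`, with the same `OSError`/`AccessDenied` handling as above.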
No answers yet