bug

grayddq · grayddq · commit d5be14ca395b · 2019-05-06T20:10:34.000+08:00
diff --git a/GScan.py b/GScan.py
@@ -79,6 +79,8 @@
         Rootkit_Analysis().run()
         # WEBShell类扫描
         Webshell_Analysis().run()
+        # 漏洞扫描
+
 
         # 输出报告
         print(u'-' * 30)
diff --git a/lib/.DS_Store b/lib/.DS_Store
diff --git a/lib/History_Analysis.py b/lib/History_Analysis.py
@@ -51,7 +51,7 @@ def run(self):
         result_output_tag(suspicious, malice)
 
         # 检测结果输出到文件
-        result_output_file(u'可疑的操作记录如下：\n', self.history)
+        result_output_file(u'可疑的操作记录如下：', self.history)
 
 
 if __name__ == '__main__':
diff --git a/lib/Proc_Analysis.py b/lib/Proc_Analysis.py
@@ -137,7 +137,6 @@ def keyi_analysis(self):
         except:
             return suspicious, malice
 
-
     def run(self):
         print(u'\n开始进程类安全扫描')
         file_write(u'\n开始进程类安全扫描\n')
@@ -166,8 +165,6 @@ def run(self):
         result_output_file(u'恶意进程如下：', self.process_backdoor)
 
 
-
-
 if __name__ == '__main__':
     infos = Proc_Analysis()
     infos.run()
diff --git a/lib/Rootkit_Analysis.py b/lib/Rootkit_Analysis.py
@@ -747,7 +747,7 @@ def run(self):
         result_output_tag(suspicious, malice)
 
         # 检测结果输出到文件
-        result_output_file(u'Rootkit类安全扫描如下：\n', self.rootkit)
+        result_output_file(u'Rootkit类安全扫描如下：', self.rootkit)
 
 
 if __name__ == '__main__':
diff --git a/lib/Webshell_Analysis.py b/lib/Webshell_Analysis.py
@@ -3,6 +3,7 @@
 from lib.common import *
 import os, platform, sys
 from lib.Webserver import *
+from lib.globalvar import *
 
 
 # 作者：咚咚呛
@@ -63,42 +64,44 @@ def scan_web(self):
 
     def init_scan(self):
         suspicious, malice, skip = False, False, False
-        if sys.version_info < (3, 0):
-            DEPENDENT_LIBRARIES_2_6 = "/lib/egg/yara_python-3.5.0-py2.6-linux-2.32-x86_64.egg"
-            DEPENDENT_LIBRARIES_3_10 = "/lib/egg/yara_python-3.5.0-py2.7-linux-3.10-x86_64.egg"
-            DEPENDENT_LIBRARIES_4_20 = "/lib/egg/yara_python-3.8.1-py2.7-linux-4.20-x86_64.egg"
-            DEPENDENT_LIBRARIES_16 = "/lib/egg/yara_python-3.5.0-py2.7-macosx-10.12-x86_64.egg"
-            DEPENDENT_LIBRARIES_17 = "/lib/egg/yara_python-3.5.0-py2.7-macosx-10.13-x86_64.egg"
-            _kernel = platform.release()
-            if _kernel.startswith('2.6'):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_2_6)
-            elif _kernel.startswith('3.') and ("6." in str(platform.dist())):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_2_6)
-            elif _kernel.startswith('3.'):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_3_10)
-            elif _kernel.startswith('4.'):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_4_20)
-            elif _kernel.startswith('16.'):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_16)
-            elif _kernel.startswith('17.'):
-                sys.path.append(sys.path[0] + DEPENDENT_LIBRARIES_17)
+        try:
+            SYS_PATH = get_value('SYS_PATH')
+            if sys.version_info < (3, 0):
+                DEPENDENT_LIBRARIES_2_6 = "/lib/egg/yara_python-3.5.0-py2.6-linux-2.32-x86_64.egg"
+                DEPENDENT_LIBRARIES_3_10 = "/lib/egg/yara_python-3.5.0-py2.7-linux-3.10-x86_64.egg"
+                DEPENDENT_LIBRARIES_4_20 = "/lib/egg/yara_python-3.8.1-py2.7-linux-4.20-x86_64.egg"
+                DEPENDENT_LIBRARIES_16 = "/lib/egg/yara_python-3.5.0-py2.7-macosx-10.12-x86_64.egg"
+                DEPENDENT_LIBRARIES_17 = "/lib/egg/yara_python-3.5.0-py2.7-macosx-10.13-x86_64.egg"
+                _kernel = platform.release()
+                if _kernel.startswith('2.6'):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_2_6)
+                elif _kernel.startswith('3.') and ("6." in str(platform.dist())):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_2_6)
+                elif _kernel.startswith('3.'):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_3_10)
+                elif _kernel.startswith('4.'):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_4_20)
+                elif _kernel.startswith('16.'):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_16)
+                elif _kernel.startswith('17.'):
+                    sys.path.append(SYS_PATH + DEPENDENT_LIBRARIES_17)
+                else:
+                    return suspicious, malice, True
+                import yara
             else:
-                # pringf(u'跳过', suspicious=True)
                 return suspicious, malice, True
-            import yara
-        else:
-            # pringf(u'跳过', suspicious=True)
-            return suspicious, malice, True
 
-        # 编译规则
-        self.yararule = self.getRules(yara)
-        self.scan_web()
+            # 编译规则
+            self.yararule = self.getRules(yara)
+            self.scan_web()
 
-        if len(self.webshell_list) > 0:
-            malice = True
-        # 内容去重
-        self.webshell_list = list(set(self.webshell_list))
-        return suspicious, malice, skip
+            if len(self.webshell_list) > 0:
+                malice = True
+            # 内容去重
+            self.webshell_list = list(set(self.webshell_list))
+            return suspicious, malice, skip
+        except:
+            return suspicious, malice, skip
 
     def run(self):
         print(u'\n开始Webshell安全扫描')
diff --git a/lib/common.py b/lib/common.py
@@ -272,7 +272,8 @@ def analysis_file(file):
 
         if not os.path.exists(file): return ""
         if os.path.isdir(file): return ""
-        if " " in file: return ""
+        if (" " in file) or ("GScan" in file) or ("\\" in file) or (".jpg" in file) or (")" in file) or (
+                "(" in file): return ""
         if 'GScan' in file: return ""
         if '\\' in file: return ""
         if os.path.splitext(file)[1] == '.log': return ""
