├── LICENSE ├── README.md ├── ShellCSV.csv ├── ShellCSV.ps1 ├── ShellExtractKeywords.ps1 ├── ShellScan.ps1 ├── ShellSwee.py ├── ShellSweep.lua ├── ShellSweep.ps1 ├── ShellSweepPlus.lua ├── ShellSweepPlus.ps1 └── src └── sweep.png /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # ShellSweep 4 | *ShellSweeping the evil* 5 | 6 | ## Why ShellSweep 7 | 8 | "ShellSweep" is a PowerShell/Python/Lua tool designed to detect potential webshell files in a specified directory. 9 | 10 | ShellSweep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of encrypted or obfuscated code often found in webshells. 11 | - It only processes files with certain extensions (.asp, .aspx, .ashx, .php, .jsp), which are commonly used in webshells. 12 | - Certain directories can be excluded from scanning. 13 | - Files with certain hashes can be ignored during the scan. Note that the flavors do not hash identically: the Lua version hashes the file bytes on disk (via sha256sum), while the Python version hashes the file's decoded text, so build the ignore list with the same flavor you run. 14 | 15 | ### How does ShellSweep find the shells? 16 | 17 | Entropy, in the context of information theory or data science, is a measure of the unpredictability, randomness, or disorder in a set of data. 
The concept was introduced by Claude Shannon in his 1948 paper "[A Mathematical Theory of Communication](https://people.math.harvard.edu/~ctm/home/text/others/shannon/entropy/entropy.pdf)". 18 | 19 | When applied to a file or a string of text, entropy can help assess the randomness of the data. Here's how it works: 20 | If a file consists of completely random data (each byte is just as likely to be any value between 0 and 255), the entropy is high, close to 8 (since log2(256) = 8). 21 | 22 | If a file consists of highly structured data (for example, a text file where most bytes are ASCII characters), the entropy is lower. 23 | In the context of finding webshells or malicious files, entropy can be a useful indicator: 24 | - Many obfuscated scripts or encrypted payloads can have high entropy because the obfuscation or encryption process makes the data look random. 25 | - A normal text file or HTML file would generally have lower entropy because human-readable text has patterns and structure (certain letters are more common, words are usually separated by spaces, etc.). 26 | So, a file with unusually high entropy might be suspicious and worth further investigation. However, it's not a surefire indicator of maliciousness -- there are plenty of legitimate reasons a file might have high entropy, and plenty of ways malware might avoid causing high entropy. It's just one tool in a larger toolbox for detecting potential threats. 27 | 28 | ShellSweep includes a Get-Entropy function that calculates the entropy of a file's contents by: 29 | - Counting how often each character appears in the file. 30 | - Using these frequencies to calculate the probability of each character. 31 | - Summing -p*log2(p) for each character, where p is the character's probability. This is the formula for entropy in information theory. 
32 | 33 | 34 | ## ShellScan 35 | ShellScan provides the ability to scan multiple known bad webshell directories and output the average, median, minimum and maximum entropy values by file extension. 36 | 37 | Pass ShellScan.ps1 some directories of webshells, any size set. I used: 38 | 39 | - https://github.com/tennc/webshell 40 | - https://github.com/BlackArch/webshells 41 | - https://github.com/tarwich/jackal/blob/master/libraries/ 42 | 43 | This will give a decent training set to get entropy values. 44 | 45 | Output example: 46 | 47 | ``` 48 | Statistics for .aspx files: 49 | Average entropy: 4.94212121048115 50 | Minimum entropy: 1.29348709979974 51 | Maximum entropy: 6.09830238020383 52 | Median entropy: 4.85437969842084 53 | Statistics for .asp files: 54 | Average entropy: 5.51268104400858 55 | Minimum entropy: 0.732406213077191 56 | Maximum entropy: 7.69241278153711 57 | Median entropy: 5.57351177724806 58 | 59 | ``` 60 | 61 | 62 | ## ShellCSV 63 | 64 | First, let’s break down the usage of ShellCSV and how it assists with identifying entropy of the good files on disk. The idea is that defenders can run this on web servers to gather all files and entropy values to better understand what paths and extensions are most prominent in their working environment. 65 | 66 | See ShellCSV.csv as example output. 67 | 68 | ## ShellSweep 69 | 70 | First, choose your flavor: Python, PowerShell or Lua. 71 | 72 | - Based on results from ShellScan or ShellCSV, modify entropy values as needed. 73 | - Modify file extensions as needed. No need to look for ASPX on a non-ASPX app. 74 | - Modify paths. I don't recommend just scanning all the C:\, lots to filter. 75 | - Modify any filters needed. 76 | - Run it! 77 | 78 | If you made it here, this is the part where you iterate on tuning. Find new shell? Gather entropy and modify as needed. 79 | 80 | 81 | ## Questions 82 | Feel free to open a Git issue. 
83 | 84 | ## Thank You 85 | 86 | If you enjoyed this project, be sure to star the project and share with your family and friends. -------------------------------------------------------------------------------- /ShellCSV.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | Script Name: ShellCSV.ps1 3 | Author: Michael Haag 4 | Version: 0.1 5 | Description: 6 | "ShellCSV" is a PowerShell tool designed to scan directories for potential webshells and report on their entropy and hash values. Like ShellSweep, it uses entropy as an indicator of potential webshell files. 7 | 8 | How It Works: 9 | The script calculates the entropy of the contents of each file in the specified directories and with the specified file extensions. 10 | The entropy, full file path, hash, and date of the scan are stored in a PSObject and added to an array of results. 11 | After the scan is complete, the results are exported to a CSV file. 12 | 13 | Usage: 14 | Provide the directory paths to be scanned in the $directoryPaths array. 15 | Specify the file extensions to be scanned in the $fileExtensions array. 16 | Run the script in PowerShell. 17 | 18 | Output: 19 | The script generates a CSV file that contains the full file path, entropy value, file hash, and scan date for each scanned file. 
20 | #> 21 | 22 | 23 | 24 | function Get-Entropy { 25 | param( 26 | [Parameter(Mandatory=$true, Position=0)] [string] $String 27 | ) 28 | 29 | $length = $String.Length 30 | $symbolFrequency = @{} 31 | foreach ($symbol in $String.ToCharArray()) { 32 | if ($symbolFrequency.ContainsKey($symbol)) { 33 | $symbolFrequency[$symbol]++ 34 | } else { 35 | $symbolFrequency.Add($symbol, 1) 36 | } 37 | } 38 | 39 | $entropy = 0 40 | $symbolFrequency.Values | foreach { 41 | $freq = $_ / $length 42 | $entropy -= $freq * [Math]::Log($freq, 2) 43 | } 44 | 45 | return $entropy 46 | } 47 | 48 | # Define the directories and file extensions to scan 49 | #$DirectoryPaths = @( 50 | # 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab', 51 | # 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth', 52 | # 'C:\inetpub\wwwroot' 53 | #) 54 | 55 | $directoryPaths = @('C:\Users\Administrator\Downloads\reGeorg-master\reGeorg-master','C:\Users\Administrator\Downloads\p0wny-shell-master','C:\Users\Administrator\Desktop\10684728197_human2_cisa_report','C:\Users\Administrator\Downloads\xl7dev\WebShell-master','C:\Users\Administrator\Downloads\webshells-master\webshells-master', 'C:\Users\Administrator\Downloads\webshell-master\webshell-master','C:\Users\Administrator\Desktop\10660311902') 56 | 57 | $fileExtensions = @('.aspx', '.asp', '.js', '.jsp', '.php','') 58 | 59 | # Initialize an array to store the results 60 | $results = @() 61 | 62 | # Process each directory and file extension 63 | foreach ($DirectoryPath in $DirectoryPaths) { 64 | Get-ChildItem $DirectoryPath -Recurse -File | Where-Object { $_.Extension -in $fileExtensions } | foreach { 65 | $content = Get-Content $_.FullName -Raw 66 | $entropy = Get-Entropy -String $content 67 | $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash 68 | $lastModified = $_.LastWriteTime 69 | 70 | # Add the file's details to the results array 71 | $results += New-Object PSObject -Property @{ 72 | Date = Get-Date 
-Format "MM/dd/yyyy" 73 | FullName = $_.FullName 74 | Entropy = $entropy 75 | Hash = $hash 76 | LastModified = $lastModified 77 | } 78 | } 79 | } 80 | 81 | # Export the results to a CSV file 82 | $results | Export-Csv -Path "c:\temp\shellcsv.csv" -NoTypeInformation -------------------------------------------------------------------------------- /ShellExtractKeywords.ps1: -------------------------------------------------------------------------------- 1 | # This script is used to extract keywords from a set of directories containing webshell files. 2 | # It reads each file, splits the content into words and updates each word's frequency in a hash table. 3 | # It then filters out words that appear more than 3 times and considers them as suspicious. 4 | # The suspicious words are then written to a file 'suspiciousPatterns.txt'. 5 | 6 | 7 | $webshellDirectoryPath = @( 8 | 'C:\Users\Administrator\Downloads\reGeorg-master\reGeorg-master', 9 | 'C:\Users\Administrator\Downloads\p0wny-shell-master', 10 | 'C:\Users\Administrator\Desktop\10684728197_human2_cisa_report', 11 | 'C:\Users\Administrator\Downloads\xl7dev\WebShell-master', 12 | 'C:\Users\Administrator\Downloads\webshells-master\webshells-master', 13 | 'C:\Users\Administrator\Downloads\webshell-master\webshell-master', 14 | 'C:\Users\Administrator\Desktop\10660311902' 15 | ) 16 | 17 | $wordFrequencyInDirectory = @{} 18 | 19 | # Walk through each file in the directory 20 | Get-ChildItem $webshellDirectoryPath -File | foreach { 21 | $content = Get-Content $_.FullName -Raw 22 | 23 | # Split the content into words and update each word's frequency in the hash table 24 | $content -split '\s+' | foreach { 25 | if ($wordFrequencyInDirectory.ContainsKey($_)) { 26 | $wordFrequencyInDirectory[$_]++ 27 | } else { 28 | $wordFrequencyInDirectory.Add($_, 1) 29 | } 30 | } 31 | } 32 | 33 | # Filter out words that appear more than 3 times 34 | $suspiciousWords = $wordFrequencyInDirectory.GetEnumerator() | Where-Object { $_.Value -gt 3 
} | ForEach-Object { $_.Key } 35 | 36 | $output = "`$suspiciousPatterns = @(" + "`r`n" 37 | foreach ($word in $suspiciousWords) { 38 | $output += " '$word'," + "`r`n" 39 | } 40 | $output += ")" 41 | 42 | $output | Out-File -FilePath 'C:\temp\suspiciousPatterns.txt' 43 | 44 | -------------------------------------------------------------------------------- /ShellScan.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | Script Name: ShellScan.ps1 3 | Author: Michael Haag 4 | Version: 0.1 5 | Description: 6 | "ShellScan" is a PowerShell script that calculates and reports entropy statistics for files grouped by extension in specified directories. This script provides an expanded functionality over the previous scripts by including statistical analysis of the entropy values. 7 | 8 | How It Works: 9 | The script calculates the entropy of the contents of each file in the specified directories. 10 | The entropy values are then stored in a hashtable, categorized by file extension. 11 | After calculating all entropies, the script outputs statistics for each file extension, including the average, minimum, maximum, and median entropy. 12 | 13 | Usage: 14 | Provide the directory paths to be scanned in the $directoryPaths array. 15 | Run the script in PowerShell. 16 | 17 | Output: 18 | The script outputs the entropy statistics for each file extension in the console. 
19 | #> 20 | 21 | 22 | 23 | function Get-Entropy { 24 | param( 25 | [Parameter(Mandatory=$true, Position=0)] [string] $String 26 | ) 27 | 28 | $length = $String.Length 29 | $symbolFrequency = @{} 30 | foreach ($symbol in $String.ToCharArray()) { 31 | if ($symbolFrequency.ContainsKey($symbol)) { 32 | $symbolFrequency[$symbol]++ 33 | } else { 34 | $symbolFrequency.Add($symbol, 1) 35 | } 36 | } 37 | 38 | $entropy = 0 39 | $symbolFrequency.Values | foreach { 40 | $freq = $_ / $length 41 | $entropy -= $freq * [Math]::Log($freq, 2) 42 | } 43 | 44 | return $entropy 45 | } 46 | 47 | # Define the array of directories to scan 48 | $directoryPaths = @('C:\Users\Administrator\Downloads\xl7dev\WebShell-master','C:\Users\Administrator\Downloads\webshells-master\webshells-master', 'C:\Users\Administrator\Downloads\webshell-master\webshell-master','C:\Users\Administrator\Desktop\10660311902') 49 | #$directoryPaths = @('C:\Users\Administrator\Downloads\proxyshell','C:\Users\Administrator\Desktop\10660311902\test') 50 | # Initialize a hashtable to store the entropy values by extension 51 | $entropyValuesByExtension = @{} 52 | 53 | # Walk through each directory and calculate the entropy for each file 54 | foreach ($directoryPath in $directoryPaths) { 55 | Get-ChildItem $directoryPath -Recurse -File | foreach { 56 | $content = Get-Content $_.FullName -Raw 57 | $entropy = Get-Entropy -String $content 58 | $extension = $_.Extension 59 | $lastModified = $_.LastWriteTime 60 | if (-not $entropyValuesByExtension.ContainsKey($extension)) { 61 | $entropyValuesByExtension[$extension] = @() 62 | } 63 | $entropyValuesByExtension[$extension] += $entropy 64 | Write-Output "$($_.FullName) - Last Modified: ${lastModified}: Entropy: $entropy" 65 | } 66 | } 67 | 68 | # Calculate and output the entropy statistics for each file extension 69 | foreach ($extension in $entropyValuesByExtension.Keys) { 70 | $entropyValues = $entropyValuesByExtension[$extension] 71 | $entropyStats = $entropyValues | 
Measure-Object -Average -Minimum -Maximum 72 | Write-Output "Statistics for $extension files:" 73 | Write-Output "Average entropy: $($entropyStats.Average)" 74 | Write-Output "Minimum entropy: $($entropyStats.Minimum)" 75 | Write-Output "Maximum entropy: $($entropyStats.Maximum)" 76 | 77 | # To calculate the median, we need to sort the values and find the middle one 78 | $sortedEntropyValues = $entropyValues | Sort-Object 79 | $middleIndex = $sortedEntropyValues.Count / 2 80 | if ($sortedEntropyValues.Count % 2 -eq 0) { 81 | # If there is an even number of values, the median is the average of the two middle values 82 | $medianEntropy = ($sortedEntropyValues[$middleIndex-1] + $sortedEntropyValues[$middleIndex]) / 2 83 | } else { 84 | # If there is an odd number of values, the median is the middle value 85 | $medianEntropy = $sortedEntropyValues[[Math]::Floor($middleIndex)] 86 | } 87 | Write-Output "Median entropy: $medianEntropy" 88 | } -------------------------------------------------------------------------------- /ShellSwee.py: -------------------------------------------------------------------------------- 1 | import os 2 | import hashlib 3 | import math 4 | from collections import Counter 5 | import datetime 6 | 7 | 8 | print("""\ 9 | _________ _________ 10 | / \ / \ Normand 11 | / /~~~~~\ \ / /~~~~~\ \ Veilleux 12 | | | | | | | | | 13 | | | | | | | | | 14 | | | | | | | | | / 15 | | | | | | | | | // 16 | (o o) \ \_____/ / \ \_____/ / 17 | \__/ \ / \ / 18 | | ~~~~~~~~~ ~~~~~~~~ 19 | ^ 20 | 21 | ShellSwee.py 22 | """) 23 | 24 | 25 | # file extensions and entropy thresholds 26 | file_extensions = { 27 | '.asp': [('lt', 0.805376867704514), ('gt', 5.51268104400858)], 28 | '.ashx': [('gt', 3.75840459657413)], 29 | '.asax': [('gt', 3.7288741494524)], 30 | '.jspx': [('gt', 4.87651397975203)], 31 | '.html': [('gt', 4.8738392644771)], 32 | '.aspx': [('lt', 0.805376867704514), ('gt', 4.15186444439319)], 33 | '.php': [('gt', 4.23015141285636)], 34 | '.jsp': [('gt', 
4.40958415652662)], 35 | '.js': [('gt', 4.25868439013462)] 36 | } 37 | 38 | # Calculate the entropy of a given string 39 | def get_entropy(input_string): 40 | probability = [float(x) / len(input_string) for x in Counter(input_string).values()] 41 | return - sum(p * math.log(p, 2) for p in probability) 42 | 43 | # Directories to scan 44 | directory_paths = ['/opt/webshells'] 45 | 46 | # Directories to exclude 47 | exclude_paths = ['exclude_path1', 'exclude_path2', 'exclude_path3'] 48 | 49 | # File hashes to ignore. 50 | ignore_hashes = ['hash1', 'hash2', 'hash3'] 51 | 52 | # Check if ignore_hashes file exists, if yes then read the hashes from the file into an array 53 | if os.path.isfile('path_to_your_file.txt'): 54 | with open('path_to_your_file.txt', 'r') as f: 55 | file_hashes = f.read().splitlines() 56 | 57 | # If the file_hashes list is not empty, use it instead of ignore_hashes 58 | if file_hashes: 59 | ignore_hashes = file_hashes 60 | 61 | webshell_found = False 62 | 63 | # Walk through each directory and flag files with high/low entropy 64 | for directory_path in directory_paths: 65 | for root, dirs, files in os.walk(directory_path): 66 | # Exclude specified paths 67 | if any(root.startswith(path) for path in exclude_paths): 68 | continue 69 | for file in files: 70 | full_path = os.path.join(root, file) 71 | if any(file.endswith(ext) for ext in file_extensions.keys()): 72 | # Skip if file is empty 73 | if os.stat(full_path).st_size == 0: 74 | continue 75 | with open(full_path, 'r', errors='ignore') as f: 76 | content = f.read() 77 | entropy = get_entropy(content) 78 | hasher = hashlib.sha256() 79 | hasher.update(content.encode()) 80 | file_hash = hasher.hexdigest() 81 | 82 | # get last modification time 83 | last_modified = datetime.datetime.fromtimestamp(os.path.getmtime(full_path)) 84 | 85 | for extension, conditions in file_extensions.items(): 86 | if file.endswith(extension): 87 | for operation, value in conditions: 88 | met_condition = False 89 | if 
operation == 'gt' and entropy > value: 90 | met_condition = True 91 | elif operation == 'lt' and entropy < value: 92 | met_condition = True 93 | if met_condition and file_hash not in ignore_hashes: 94 | print(f"Possible webshell found: {full_path}, Last Modified: {last_modified}, Entropy: {entropy}, Hash: {file_hash}") 95 | webshell_found = True 96 | 97 | 98 | # If no webshells were found --> 99 | if not webshell_found: 100 | print("No evil identified today.") 101 | -------------------------------------------------------------------------------- /ShellSweep.lua: -------------------------------------------------------------------------------- 1 | -- Entropy thresholds and operations for each file extension using a Lua table 2 | -- Each file extension maps to a nested Lua table with 'operation' and 'value' fields. 3 | -- Adjust the values based on your requirements. 4 | 5 | -- ASCII art 6 | local asciiArt = [[ 7 | ██████ ██░ ██ ▓█████ ██▓ ██▓ ██████ █ █░▓█████ ▓█████ ██▓███ 8 | ▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒ ▒██ ▒ ▓█░ █ ░█░▓█ ▀ ▓█ ▀ ▓██░ ██▒ 9 | ░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░ ░ ▓██▄ ▒█░ █ ░█ ▒███ ▒███ ▓██░ ██▓▒ 10 | ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░ ▒ ██▒░█░ █ ░█ ▒▓█ ▄ ▒▓█ ▄ ▒██▄█▓▒ ▒ 11 | ▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒▒██████▒▒░░██▒██▓ ░▒████▒░▒████▒▒██▒ ░ ░ 12 | ▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░▒ ▒▓▒ ▒ ░░ ▓░▒ ▒ ░░ ▒░ ░░░ ▒░ ░▒▓▒░ ░ ░ 13 | ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░░ ░▒ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░░▒ ░ 14 | ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ 15 | ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ 16 | 17 | ]] 18 | 19 | print(asciiArt) 20 | 21 | local fileExtensions = { 22 | ['.asp'] = { 23 | { operation = 'lt', value = 0.805376867704514 }, 24 | { operation = 'gt', value = 5.51268104400858 } 25 | }, 26 | ['.ashx'] = { 27 | { operation = 'gt', value = 3.75840459657413 } 28 | }, 29 | ['.asax'] = { 30 | { operation = 'gt', value = 3.7288741494524 } 31 | }, 32 | ['.jspx'] = { 33 | { operation = 'gt', value = 4.87651397975203 } 34 | }, 35 | ['.html'] = { 36 | { operation = 
'gt', value = 4.8738392644771 } 37 | }, 38 | ['.aspx'] = { 39 | { operation = 'lt', value = 0.805376867704514 }, 40 | { operation = 'gt', value = 4.15186444439319 } 41 | }, 42 | ['.php'] = { 43 | { operation = 'gt', value = 4.23015141285636 } 44 | }, 45 | ['.jsp'] = { 46 | { operation = 'gt', value = 4.40958415652662 } 47 | }, 48 | ['.js'] = { 49 | { operation = 'gt', value = 4.25868439013462 } 50 | } 51 | } 52 | 53 | -- Calculate the entropy of a given string 54 | local function getEntropy(str) 55 | local length = #str 56 | local symbolFrequency = {} 57 | for i = 1, length do 58 | local symbol = str:sub(i, i) 59 | if symbolFrequency[symbol] then 60 | symbolFrequency[symbol] = symbolFrequency[symbol] + 1 61 | else 62 | symbolFrequency[symbol] = 1 63 | end 64 | end 65 | 66 | local entropy = 0 67 | for _, frequency in pairs(symbolFrequency) do 68 | local freq = frequency / length 69 | entropy = entropy - (freq * math.log(freq, 2)) 70 | end 71 | 72 | return entropy 73 | end 74 | 75 | -- Directories to scan 76 | local directoryPaths = { 77 | '/opt/webshells' 78 | } 79 | 80 | -- Directories to exclude 81 | local excludePaths = { 82 | '/path/to/exclude1', 83 | '/path/to/exclude2', 84 | '/path/to/exclude3' 85 | } 86 | 87 | -- File hashes to ignore 88 | local ignoreHashes = { 89 | 'FE3F0B4326FF9754CB8B61AA3CEFB465A5308658064EE51C41B0A8B50027728D', 90 | 'B6675117A7B174C3AA2510DDDEFF4221BA6E31005333F47C7239ED5D055BBBDD', 91 | '54EFA324203B762A03033879057F8A9DB0F7B45C83C8E1A40529CAFF1EB18004', 92 | '71FE41C6CCB0023576483A1C89929255480A4F5F0F07CFF9A8D2030ECF70E7AE' 93 | } 94 | 95 | -- Read the hashes from the file into an array (if needed) 96 | local ignoreHashesFilePath = 'path_to_your_file.txt' 97 | local file = io.open(ignoreHashesFilePath, 'r') 98 | if file then 99 | ignoreHashes = {} 100 | for line in file:lines() do 101 | table.insert(ignoreHashes, line) 102 | end 103 | file:close() 104 | end 105 | 106 | local webshellFound = false 107 | 108 | -- Walk through each 
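-- directory and flag files with high/low entropy

-- Quote a string for POSIX sh (single quotes; an embedded ' becomes '\'').
-- File names under a web root are attacker-controlled, so anything that is
-- interpolated into a shell command must be quoted: with the previous
-- double-quoted interpolation a file named e.g. `x";id;".php` ran `id` as
-- the (usually root) scanner user, and `$(...)`/backticks expanded as well.
local function shellQuote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Case-insensitive ignore lookup. Works whether ignoreHashes is the original
-- array of hex strings or a set keyed by hash.
local ignored = {}
for key, val in pairs(ignoreHashes) do
    local h = type(val) == 'string' and val or key
    if type(h) == 'string' then
        ignored[(h:gsub('%s+', '')):upper()] = true
    end
end

-- Plain prefix test. excludePath is a path, not a Lua pattern, so it must not
-- go through string.find: a '-', '.' or '(' in the path changed its meaning.
local function isExcluded(path)
    for _, excludePath in ipairs(excludePaths) do
        if path:sub(1, #excludePath) == excludePath then
            return true
        end
    end
    return false
end

for _, directoryPath in ipairs(directoryPaths) do
    -- NOTE: find's output is split on newlines, so a file name containing a
    -- newline yields bogus entries; they are quoted below, so at worst they
    -- fail to open. Switch to -print0 if that matters in your environment.
    local finder = io.popen('find ' .. shellQuote(directoryPath) .. ' -type f')
    if finder then
        for file in finder:lines() do
            -- Extension is looked up lower-cased: web servers serve .PhP like
            -- .php, and mixed case is a cheap way to dodge a scanner.
            local extension = file:match('^.+(%..+)$')
            local rules = extension and fileExtensions[extension:lower()]
            if rules and not isExcluded(file) then
                local f = io.open(file, 'rb')
                if f then
                    local content = f:read('*all')
                    f:close()

                    local entropy = getEntropy(content)

                    local hashPipe = io.popen('sha256sum -- ' .. shellQuote(file))
                    local hashLine = hashPipe and hashPipe:read('*l')
                    if hashPipe then hashPipe:close() end
                    -- nil if sha256sum failed (unreadable file, tool missing);
                    -- previously this crashed the whole scan on `nil:match`.
                    local hash = hashLine and hashLine:match('^(%x+)')

                    for _, condition in ipairs(rules) do
                        local metCondition = false
                        if condition.operation == 'gt' then
                            metCondition = entropy > condition.value
                        elseif condition.operation == 'lt' then
                            metCondition = entropy < condition.value
                        elseif condition.operation == 'eq' then
                            metCondition = entropy == condition.value
                        end

                        -- A file whose hash could not be computed cannot be on
                        -- the ignore list, so it is still reported.
                        if metCondition and not (hash and ignored[hash:upper()]) then
                            print('Possible webshell found: ' .. file
                                .. ', Entropy: ' .. entropy
                                .. ', Hash: ' .. (hash or 'unavailable'))
                            webshellFound = true
                        end
                    end
                end
            end
        end
        finder:close()
    end
end

-- If no webshells were found
if not webshellFound then
    print('No evil identified today.')
end
--------------------------------------------------------------------------------
/ShellSweep.ps1:
--------------------------------------------------------------------------------
<#
Script Name: ShellSweep.ps1
Author: Michael Haag
Version: 0.1
Description:
"ShellSweep" is a PowerShell tool designed to detect potential webshell files in a specified directory.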
A webshell is a script that can be uploaded to a web server to enable remote administration of the machine. Webshells are often used in malicious activities such as server infiltration and data extraction.

How It Works:
The script calculates the Shannon entropy of each file's contents to estimate the likelihood of the file being a webshell. High entropy indicates more randomness, which is characteristic of the encrypted or obfuscated code often found in webshells. For .asp and .aspx a low-entropy ('lt') threshold is defined as well, so unusually uniform files under those extensions are reported too.
It only processes files whose extension appears in the $fileExtensions table (.asp, .ashx, .asax, .jspx, .html, .aspx, .php, .jsp, .js); trim that table to the extensions actually served in your environment to reduce noise.
Certain directories can be excluded from scanning.
Files with certain SHA-256 hashes (for example known-good vendor files) can be ignored during the scan.

Usage:
Provide the directory paths to be scanned in the $DirectoryPaths array.
Specify the directories to be excluded from the scan in the $excludePaths array.
Specify the file hashes to be ignored during the scan in the $ignoreHashes array or a text file specified in $ignoreHashesFilePath.
Run the script in PowerShell.

Output:
Each potential webshell is emitted on stdout as one compact JSON object with the fields FilePath, Entropy, Hash (SHA-256) and LastModified.
If no webshells are found, the script emits a JSON object whose Message is "No evil identified today."
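#>


Write-Output @"
██████ ██░ ██ ▓█████ ██▓ ██▓ ██████ █ █░▓█████ ▓█████ ██▓███
▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒ ▒██ ▒ ▓█░ █ ░█░▓█ ▀ ▓█ ▀ ▓██░ ██▒
░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░ ░ ▓██▄ ▒█░ █ ░█ ▒███ ▒███ ▓██░ ██▓▒
▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░ ▒ ██▒░█░ █ ░█ ▒▓█ ▄ ▒▓█ ▄ ▒██▄█▓▒ ▒
▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒▒██████▒▒░░██▒██▓ ░▒████▒░▒████▒▒██▒ ░ ░
▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░▒ ▒▓▒ ▒ ░░ ▓░▒ ▒ ░░ ▒░ ░░░ ▒░ ░▒▓▒░ ░ ░
░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░░ ░▒ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░░▒ ░
░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░

"@


# Entropy thresholds and operations for each file extension using nested array of hashtables, each containing an 'operation' and a 'value'.
# We recommend only going after the file extensions most found in your environment (asp* for IIS/Exchange). Use ShellCSV to identify what is in the paths to be monitored.
# 'gt' flags files whose entropy is above 'value', 'lt' files below it. An extension may carry several rules; each is evaluated independently.

$fileExtensions = @{
    '.asp' = @(
        @{ 'operation' = 'lt'; 'value' = 0.805376867704514 },
        @{ 'operation' = 'gt'; 'value' = 5.51268104400858 }
    )
    '.ashx' = @(@{ 'operation' = 'gt'; 'value' = 3.75840459657413 })
    '.asax' = @(@{ 'operation' = 'gt'; 'value' = 3.7288741494524 })
    '.jspx' = @(@{ 'operation' = 'gt'; 'value' = 4.87651397975203 })
    '.html' = @(@{ 'operation' = 'gt'; 'value' = 4.8738392644771 })
    '.aspx' = @(
        @{ 'operation' = 'lt'; 'value' = 0.805376867704514 },
        @{ 'operation' = 'gt'; 'value' = 4.15186444439319 }
    )
    '.php' = @(@{ 'operation' = 'gt'; 'value' = 4.23015141285636 })
    '.jsp' = @(@{ 'operation' = 'gt'; 'value' = 4.40958415652662 })
    '.js' = @(@{ 'operation' = 'gt'; 'value' = 4.25868439013462 })
}


# Shannon entropy, in bits per character, of a string.
# Returns 0 for an empty or null string instead of failing parameter binding:
# a Mandatory [string] rejects "" and $null, and Get-Content -Raw yields exactly
# that for a zero-byte file, which previously aborted the scan of that file.
function Get-Entropy {
    param(
        [Parameter(Mandatory=$true, Position=0)]
        [AllowEmptyString()]
        [AllowNull()]
        [string] $String
    )

    if ([string]::IsNullOrEmpty($String)) {
        return 0
    }

    $length = $String.Length

    # [char] -> occurrence count
    $symbolFrequency = @{}
    foreach ($symbol in $String.ToCharArray()) {
        if ($symbolFrequency.ContainsKey($symbol)) {
            $symbolFrequency[$symbol]++
        } else {
            $symbolFrequency.Add($symbol, 1)
        }
    }

    $entropy = 0
    foreach ($count in $symbolFrequency.Values) {
        $freq = $count / $length
        $entropy -= $freq * [Math]::Log($freq, 2)
    }

    return $entropy
}

# Directories to scan
$DirectoryPaths = @('C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\','C:\inetpub\wwwroot')

# Directories to exclude (a directory and everything beneath it)
$excludePaths = @('C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.1713\scripts','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\','C:\Windows\WinSxS','C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\Current2\version\debug\scripts\','C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Current\scripts\')

# File hashes to ignore. If the list is too long, use the txt file next.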
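$ignoreHashes = @('FE3F0B4326FF9754CB8B61AA3CEFB465A5308658064EE51C41B0A8B50027728D','B6675117A7B174C3AA2510DDDEFF4221BA6E31005333F47C7239ED5D055BBBDD', '54EFA324203B762A03033879057F8A9DB0F7B45C83C8E1A40529CAFF1EB18004','71FE41C6CCB0023576483A1C89929255480A4F5F0F07CFF9A8D2030ECF70E7AE')

# Path to a txt file containing hashes to ignore (one hex SHA-256 per line)
$ignoreHashesFilePath = 'path_to_your_file.txt'

# Read the hashes from the file into an array. When the file exists and holds
# at least one hash it REPLACES $ignoreHashes (unchanged behaviour); blank
# lines and surrounding whitespace are dropped. Test-Path first so the
# placeholder path above no longer prints an error on every run.
if (Test-Path -LiteralPath $ignoreHashesFilePath -PathType Leaf) {
    $fileHashes = @(Get-Content -LiteralPath $ignoreHashesFilePath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' })
    if ($fileHashes.Count -gt 0) {
        $ignoreHashes = $fileHashes
    }
}

$webshellFound = $false

# True when $directory is $excludePath itself or lies beneath it.
# Windows paths are case-insensitive, and several $excludePaths entries end in
# a backslash while DirectoryName never does, so the previous culture-sensitive
# StartsWith() missed files sitting directly in an excluded directory and would
# also have matched an unrelated sibling such as '...\scripts2'.
function Test-ExcludedPath {
    param([string] $directory, [string] $excludePath)
    $prefix = $excludePath.TrimEnd('\')
    if ($prefix -eq '') { return $false }
    return $directory.Equals($prefix, [StringComparison]::OrdinalIgnoreCase) -or
           $directory.StartsWith($prefix + '\', [StringComparison]::OrdinalIgnoreCase)
}

# Walk through each directory and flag files with high/low entropy
foreach ($DirectoryPath in $DirectoryPaths) {
    # -LiteralPath everywhere: -Path treats '[', ']', '*' and '?' as wildcards,
    # so a webshell named e.g. 'x[1].aspx' used to fail Get-Content/Get-FileHash
    # and silently drop out of the results.
    Get-ChildItem -LiteralPath $DirectoryPath -Recurse -File | ForEach-Object {
        $item = $_
        $exclude = $false
        foreach ($excludePath in $excludePaths) {
            if (Test-ExcludedPath -directory $item.DirectoryName -excludePath $excludePath) {
                $exclude = $true
                break
            }
        }

        # PowerShell hashtable literals compare string keys case-insensitively,
        # so '.PHP' / '.AsPx' resolve to the same rules as '.php' / '.aspx'.
        if ($item.Extension -in $fileExtensions.Keys -and -not $exclude) {
            # -Raw returns the whole file as one decoded string, so entropy is
            # measured over characters rather than bytes; the thresholds above
            # were presumably calibrated the same way - keep it consistent.
            $content = Get-Content -LiteralPath $item.FullName -Raw
            # A zero-byte file yields $null here, which a Mandatory [string]
            # parameter rejects; an empty file has zero entropy by definition.
            $entropy = if ([string]::IsNullOrEmpty($content)) { 0 } else { Get-Entropy -String $content }
            $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

            foreach ($condition in $fileExtensions[$item.Extension]) {
                $operation = $condition['operation']
                $value = $condition['value']
                $metCondition = $false
                switch ($operation) {
                    'gt' { if ($entropy -gt $value) { $metCondition = $true } }
                    'lt' { if ($entropy -lt $value) { $metCondition = $true } }
                    'eq' { if ($entropy -eq $value) { $metCondition = $true } }
                }

                # -notin compares strings case-insensitively, so hashes from a
                # lowercase ignore file still match Get-FileHash's uppercase hex.
                if ($metCondition -and $hash -notin $ignoreHashes) {
                    # Use the UTC timestamp: the previous code formatted the
                    # *local* LastWriteTime with a literal 'Z', mislabelling it
                    # as UTC and skewing IR timelines by the host's UTC offset.
                    $lastModified = $item.LastWriteTimeUtc.ToString("yyyy-MM-ddTHH:mm:ssZ")
                    # [ordered] keeps the field order stable for log ingestion
                    $result = [PSCustomObject][ordered]@{
                        'FilePath' = $item.FullName
                        'Entropy' = $entropy
                        'Hash' = $hash
                        'LastModified' = $lastModified
                    }
                    # One compact JSON object per finding on stdout
                    $result | ConvertTo-Json -Compress
                    $webshellFound = $true
                }
            }
        }
    }
}

# If no webshells were found -->
if (-not $webshellFound) {
    $result = [PSCustomObject][ordered]@{
        'Message' = "No evil identified today."
    }
    $result | ConvertTo-Json -Compress
}
--------------------------------------------------------------------------------
/ShellSweepPlus.lua:
--------------------------------------------------------------------------------
--[[
ShellSweepPlus.lua
authors: Michael Haag

This script is part of the ShellSweepPlus suite, designed to detect potential webshells and other malicious scripts within a given set of directories. It performs various types of analysis, including entropy-based, standard deviation-based, mixed mode, and heuristic-based detection methods.

Key Features:
1. **Entropy-Based Detection**: Calculates the entropy of file contents to identify anomalies.
2. **Standard Deviation-Based Detection**: Uses statistical analysis to detect deviations from normal file behavior.
3. **Mixed Mode Detection**: Combines standard deviation thresholds with hard-coded values for more robust detection.
4. **Heuristic-Based Detection**: Scans for suspicious patterns and known malicious code snippets.
5. **Configurable Parameters**: Allows customization of file extensions, entropy thresholds, and suspicious patterns.
6. **Exclusion and Ignore Lists**: Supports directories and file hashes to be excluded from the scan.

Usage:
- Define the directories to scan and exclude.
- Customize the file extensions and their respective entropy thresholds.
- Add or modify suspicious patterns for heuristic analysis.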
19 | - Run the script to perform a comprehensive scan and output the results. 20 | 21 | This script is intended for cybersecurity professionals and system administrators to enhance their web security measures by identifying and mitigating potential threats. 22 | ]] 23 | 24 | print([[ 25 | _____ ________ _ _ _ _ ____ _ 26 | |_ _|__ / / ___\ \| |__ ___| | | __ _ _ __ __| | | __ ) __ _ ___| | __ 27 | _____ | |/ _ \ | |\___ \| | '_ \ / _ \ | | / _` | '_ \ / _` | | _ \ / _` |/ __| |/ / _____ 28 | |_____| | | (_) | | | ___) | | | | | __/ | | | (_| | | | | (_| | | |_) | (_| | (__| < |_____| 29 | |_|\___/ | ||____/| |_| |_|\___|_|_| \__,_|_| |_|\__,_| |____/ \__,_|\___|_|\_\ 30 | \_\ /_/ 31 | ____ _ _ _ ____ ____ _ 32 | / ___|| |__ ___| | / ___|_ _____ ___ _ __ | _ \| |_ _ ___ 33 | \___ \| '_ \ / _ \ | \___ \ \ /\ / / _ \/ _ \ '_ \| |_) | | | | / __| 34 | ___) | | | | __/ | |___) \ V V / __/ __/ |_) | __/| | |_| \__ \ 35 | |____/|_| |_|\___|_|_|____/ \_/\_/ \___|\___| .__/|_| |_|\__,_|___/ 36 | |_| 37 | ]]) 38 | -- Define entropy thresholds and operations for each file extension 39 | local fileExtensions = { 40 | ['.asp'] = { 41 | { operation = 'lt', value = 0.805376867704514 }, 42 | { operation = 'gt', value = 5.51268104400858 } 43 | }, 44 | ['.ashx'] = { 45 | { operation = 'gt', value = 3.75840459657413 } 46 | }, 47 | ['.asax'] = { 48 | { operation = 'gt', value = 3.7288741494524 } 49 | }, 50 | ['.jspx'] = { 51 | { operation = 'gt', value = 4.87651397975203 } 52 | }, 53 | ['.html'] = { 54 | { operation = 'gt', value = 4.8738392644771 } 55 | }, 56 | ['.lua'] = { 57 | { operation = 'gt', value = 4.15186444439319 } 58 | }, 59 | ['.php'] = { 60 | { operation = 'gt', value = 4.23015141285636 } 61 | }, 62 | ['.jsp'] = { 63 | { operation = 'gt', value = 4.40958415652662 } 64 | }, 65 | ['.js'] = { 66 | { operation = 'gt', value = 4.25868439013462 } 67 | } 68 | } 69 | 70 | -- Define suspicious patterns for static code analysis 71 | local suspiciousPatterns = { 72 | 'server', 73 | 
'String', 74 | 'DeflateStream', 75 | 'runat', 76 | 'width', 77 | 'eval', 78 | 'base64_decode', 79 | 'exec', 80 | 'shell_exec', 81 | 'passthru', 82 | 'system', 83 | 'popen', 84 | 'proc_open', 85 | 'false', 86 | 'Value', 87 | 'style', 88 | 'Visible', 89 | 'ToString', 90 | 'Response', 91 | 'PUBLIC', 92 | 'TableCell', 93 | 'table', 94 | 'TextBox', 95 | 'Write', 96 | 'Request', 97 | 'object', 98 | 'protected', 99 | 'sender', 100 | 'System', 101 | 'align', 102 | 'onclick', 103 | 'catch', 104 | 'EventArgs', 105 | 'height', 106 | 'input', 107 | 'Exception', 108 | 'return', 109 | 'class', 110 | 'ERROR', 111 | 'Button', 112 | 'color', 113 | 'Label', 114 | 'script', 115 | 'center', 116 | 'Message', 117 | 'CssClass', 118 | 'border', 119 | 'Controls', 120 | 'Replace', 121 | 'fileName', 122 | 'TableRow', 123 | 'Length', 124 | 'Session', 125 | 'Namespace', 126 | 'Import', 127 | 'Attributes', 128 | 'Close', 129 | 'ListItem', 130 | 'instr', 131 | 'DataTable', 132 | 'select', 133 | 'directory', 134 | 'action', 135 | 'function', 136 | 'Checked', 137 | 'Count', 138 | 'xseuB', 139 | 'break', 140 | 'foreach', 141 | 'LinkButton', 142 | 'margin', 143 | 'private', 144 | 'javascript', 145 | 'solid', 146 | 'ServerVariables', 147 | 'Cells', 148 | 'QueryString', 149 | 'EnableViewState', 150 | 'Append', 151 | 'className', 152 | 'title', 153 | 'Items', 154 | 'Panel', 155 | 'Bin_Files', 156 | 'Process', 157 | 'Parse', 158 | 'AXSbb', 159 | '100px', 160 | 'innerText', 161 | 'SqlCommand', 162 | 'Dispose', 163 | 'TreeNode', 164 | 'encoding', 165 | 'cellspacing', 166 | 'colspan', 167 | 'command', 168 | 'background', 169 | 'Result', 170 | 'Password', 171 | 'Bin_PostBack', 172 | 'alert', 173 | 'SqlConnection', 174 | 'Substring', 175 | 'Registry', 176 | 'Database', 177 | 'Bin_DataGrid', 178 | 'FileInfo', 179 | 'Bin_H2_Title', 180 | 'default', 181 | 'Version', 182 | 'Properties', 183 | 'DirectoryInfo', 184 | 'IndexOf', 185 | 'SelectedItem', 186 | 'Empty', 187 | 'padding', 188 | 'Success', 189 | 
'UrlEncode', 190 | 'Hidden', 191 | 'master', 192 | 'InnerHtml', 193 | 'CheckBox', 194 | 'target', 195 | 'delete', 196 | 'DirectoryEntry', 197 | 'Focus', 198 | 'CellPadding', 199 | 'Environment', 200 | 'Reg_Path', 201 | 'Bin_Error', 202 | 'submit', 203 | 'WICxe', 204 | 'onmouseover', 205 | 'DropDownList', 206 | 'location', 207 | 'StartInfo', 208 | 'FileAttributes', 209 | 'Columns', 210 | 'StreamWriter', 211 | 'onmouseout', 212 | 'Bin_FileList', 213 | 'Query', 214 | 'MapPath', 215 | 'Content', 216 | 'regkey', 217 | 'right', 218 | 'DataGridItem', 219 | 'Buffer', 220 | 'XP_CmdShell', 221 | 'Regex', 222 | 'OpenSubKey', 223 | 'Exists', 224 | 'Stream', 225 | 'child', 226 | 'DataBind', 227 | 'Bin_Request', 228 | 'TcpClient', 229 | 'FileSize', 230 | 'CommandType', 231 | 'error_x', 232 | 'FullName', 233 | 'datetime', 234 | 'ByVal', 235 | 'INDEX', 236 | 'StreamReader', 237 | 'Microsoft', 238 | 'Language', 239 | 'Convert', 240 | 'Start', 241 | 'bin_cmd', 242 | 'fname', 243 | 'filepath', 244 | 'StringBuilder', 245 | 'textarea', 246 | 'SetAttributes', 247 | 'GetAttributes', 248 | 'DB_NAME', 249 | 'Split', 250 | 'Tables', 251 | 'fpath', 252 | 'ForeColor', 253 | 'newdir', 254 | 'Execute', 255 | 'option', 256 | 'RegistryKey', 257 | 'Bin_upTextBox', 258 | 'LastIndexOf', 259 | 'bottom', 260 | 'SelectedNode', 261 | 'decoration', 262 | 'create', 263 | 'xcleanpath', 264 | 'DataSet', 265 | 'ReadOnly', 266 | 'sp_configure', 267 | 'RECONFIGURE', 268 | 'getall', 269 | 'buttom', 270 | 'clear', 271 | 'UEbTI', 272 | 'rename', 273 | 'Upload', 274 | '_blank', 275 | 'float', 276 | 'Shell', 277 | 'Int32', 278 | 'Transitional', 279 | 'sqlstr', 280 | 'tblname', 281 | 'contents', 282 | 'declare', 283 | 'Format', 284 | 'param', 285 | 'static', 286 | 'ReadToEnd', 287 | 'StartsWith', 288 | 'instream', 289 | 'Nodes', 290 | 'getocmd', 291 | 'Bin_folder', 292 | 'Socket', 293 | 'Bin_path', 294 | 'xhtml1', 295 | 'goaction', 296 | 'Assembly', 297 | 'strResult', 298 | 'SelectedValue', 299 | 'DataSource', 300 | 
'XHTML', 301 | 'ElseIf', 302 | 'Arguments', 303 | 'Culture', 304 | 'OleDbConnection', 305 | 'neutral', 306 | 'PublicKeyToken', 307 | 'AutoPostBack', 308 | 'tmpstr', 309 | 'GetValue', 310 | 'White', 311 | 'Please', 312 | 'ltcpClient', 313 | 'Windows', 314 | 'ExecuteNonQuery', 315 | 'while', 316 | 'AsyncCallback', 317 | 'HKEY_LOCAL_MACHINE', 318 | 'ToLower', 319 | 'Bin_Scroll', 320 | 'GetFileName', 321 | 'SELECTED', 322 | 'B03F5F7F11D50A3A', 323 | 'files', 324 | 'Thread', 325 | 'NVarChar', 326 | 'document', 327 | 'TreeView4', 328 | 'tqstr', 329 | 'AddHeader', 330 | 'history', 331 | 'OleDb', 332 | 'UserName', 333 | 'Bin_DataTable', 334 | 'summary', 335 | 'OleDbDataAdapter', 336 | 'Sp_Oacreate', 337 | 'ToDateTime', 338 | 'Archive', 339 | 'Bin_Action', 340 | 'IpParts1', 341 | 'getselfurl', 342 | 'Bin_DBinfoLabel', 343 | 'Parameters', 344 | 'display', 345 | 'DataGrid', 346 | '009900', 347 | 'rtcpClient', 348 | 'zcg_ShowError', 349 | 'Cmdpro', 350 | 'State', 351 | 'NetworkStream', 352 | 'rootkey', 353 | 'xfile', 354 | 'mydir', 355 | 'where', 356 | 'TextMode', 357 | 'Charset', 358 | 'MSSQL', 359 | 'CloneTime', 360 | 'Bin_IISPanel', 361 | 'myProcessStartInfo', 362 | 'formatpath', 363 | '631px', 364 | 'iisinfo', 365 | 'OleDbCommand', 366 | 'Label_Files', 367 | 'Driver', 368 | 'STATUS', 369 | 'subkey', 370 | 'ArrayList', 371 | 'sysname', 372 | 'chkall', 373 | 'rootkit', 374 | 'accstr', 375 | 'Expanded', 376 | 'backup', 377 | 'LocalMachine', 378 | 'prompt', 379 | 'CONNECT', 380 | 'Bin_LoginPanel', 381 | 'Bin_RegPanel', 382 | 'Bin_SQLPanel', 383 | 'Bin_PortPanel', 384 | 'Bin_SuPanel', 385 | 'Bin_CmdPanel', 386 | 'Bin_AccPanel', 387 | 'Bin_DBmenuPanel', 388 | 'Options', 389 | 'confirm', 390 | 'family', 391 | 'IAsyncResult', 392 | 'SocketFlags', 393 | 'iaMKl', 394 | 'Output', 395 | 'recResult', 396 | '172px', 397 | 'Domain', 398 | 'Bin_dir', 399 | 'Console', 400 | 'Bin_Msg', 401 | 'application', 402 | '52521', 403 | 'Parent', 404 | 'Children', 405 | 'Access', 406 | 'INSERT', 407 
| 'overflow', 408 | 'Remove', 409 | 'weight', 410 | 'folder', 411 | 'Provider', 412 | 'SqlDataAdapter', 413 | 'Cookies', 414 | 'scanport', 415 | 'DirectoryServices', 416 | 'Image', 417 | 'PortForward', 418 | 'prostr', 419 | 'TreeView2', 420 | 'Bin_Table', 421 | 'Bin_file', 422 | 'information', 423 | 'bgcolor', 424 | 'Bin_MenuPanel', 425 | 'Bin_dirPanel', 426 | 'Diagnostics', 427 | 'Upfile', 428 | 'GetFiles', 429 | 'localhost', 430 | 'GetDirectories', 431 | 'CommandText', 432 | 'green', 433 | 'Array', 434 | 'source', 435 | 'xmlns', 436 | 'packet', 437 | 'system32', 438 | 'BackColor', 439 | 'continue', 440 | 'Sysinfo', 441 | 'getspyrootfolder', 442 | 'TreeView3', 443 | 'advanced', 444 | 'Wmi_Function', 445 | '__EVENTTARGET', 446 | 'DOCTYPE', 447 | 'IsMatch', 448 | 'SqlClient', 449 | 'jXkaE', 450 | 'DPrPL', 451 | 'SQL2005', 452 | 'RaTGr', 453 | 'click', 454 | 'sqlrootkit', 455 | 'Bin_Regread', 456 | 'strValueName', 457 | 'Integer', 458 | 'd_file', 459 | 'Connection', 460 | 'AsyncState', 461 | 'objfile', 462 | 'Users', 463 | 'Bin_FilePanel', 464 | 'tempFile', 465 | 'RadioButton', 466 | 'ContentType', 467 | 'ManagementObjectSearcher', 468 | 'uppath', 469 | 'RegexOptions', 470 | 'myprocess', 471 | 'IgnoreCase', 472 | 'LOCAL_ADDR', 473 | 'SqlDbType', 474 | 'MultiLine', 475 | 'Bin_ExecSql', 476 | 'const', 477 | 'PostedFile', 478 | 'HKEY_CLASSES_ROOT', 479 | 'HKEY_CURRENT_USER', 480 | 'ProcessStartInfo', 481 | 'HKEY_USERS', 482 | 'HKEY_CURRENT_CONFIG', 483 | 'filepath2', 484 | 'RawLength', 485 | 'TreeView5', 486 | 'GetParent', 487 | 'Description', 488 | '084B8E', 489 | 'foldername', 490 | 'Getparentdir', 491 | 'DropDownList1', 492 | 'switch', 493 | 'program', 494 | 'OnSelectedIndexChanged', 495 | 'FFFFFF', 496 | 'LastWriteTime', 497 | 'Bin_TextBox_Path', 498 | 'ListBox', 499 | 'change', 500 | 'GetString', 501 | 'method', 502 | 'Sendstr', 503 | 'Bin_Listdir', 504 | 'theform', 505 | 'getjkrev', 506 | 'Page_Load', 507 | 'VALUES', 508 | 'ProcessID', 509 | 'BoundColumn', 510 | 
'Match', 511 | 'allfile', 512 | 'AUTHKEY', 513 | 'adoConn', 514 | 'vbhLn', 515 | 'UseShellExecute', 516 | 'PATH_TRANSLATED', 517 | 'Tahoma', 518 | 'Params', 519 | 'PhysicalApplicationPath', 520 | 'dAJTD', 521 | 'RedirectStandardOutput', 522 | 'StandardOutput', 523 | 'dQIIF', 524 | 'About', 525 | 'OpenConnection', 526 | 'cmdstr', 527 | 'iisstr', 528 | 'PATH_INFO', 529 | 'ShowError', 530 | 'shell_color', 531 | 'Bin_Databind', 532 | 'Black', 533 | 'ConnectionString', 534 | 'GetBytes', 535 | 'hover', 536 | 'MachineName', 537 | 'TableName', 538 | 'dColumn', 539 | '000000', 540 | 'BeginReceive', 541 | 'commandargument', 542 | 'newdir1', 543 | 'oEnum', 544 | 'sp_oamethod', 545 | 'Arial', 546 | 'Control', 547 | 'GetLogicalDrives', 548 | 'current', 549 | 'myString', 550 | 'config', 551 | 'newfile', 552 | 'HttpUtility', 553 | 'OSVersion', 554 | 'SaveAs', 555 | 'Security', 556 | 'ServiceProcess', 557 | 'SelectCommand', 558 | 'TEMP2', 559 | 'getElementById', 560 | 'finally', 561 | 'validateRequest', 562 | 'ToolTip', 563 | '300px', 564 | 'Bin_CopytoTextBox', 565 | 'Login', 566 | 'Bin_SQLRadioButton', 567 | 'form1', 568 | 'modified', 569 | 'patharray', 570 | 'Flush', 571 | 'Disposition', 572 | '763px', 573 | 'Debug', 574 | 'Bin_DBstrTextBox', 575 | 'Threading', 576 | 'getjksend', 577 | 'attachment', 578 | 'ASPXSpy', 579 | 'acctable', 580 | '43958', 581 | 'nowrap', 582 | 'ListBox3', 583 | 'fields_split', 584 | 'mysession', 585 | 'getport', 586 | 'FF0000', 587 | 'Bin_Createfile', 588 | 'SqlDataReader', 589 | 'CreateDirectory', 590 | 'RegularExpressions', 591 | 'Maintenance', 592 | 'PortNo', 593 | 'GetStream', 594 | 'zcg_GetTableRow', 595 | 'Sockets', 596 | 'download', 597 | 'tmpbyte', 598 | 'IPEndPoint', 599 | 'sfile', 600 | 'wscript', 601 | 'GridView1', 602 | 'ClassesRoot', 603 | 'ComputerName', 604 | 'FileManager', 605 | 'UnixTime', 606 | 'Caption', 607 | 'ProcessName', 608 | 'Nothing', 609 | 'DdmPl', 610 | 'Search', 611 | 'showfolder', 612 | 'ListBox4', 613 | 'kQmRu', 614 | 
'connstr', 615 | 'Redirect', 616 | 'kRXgt', 617 | 'TEMP1', 618 | 'lyTOK', 619 | 'Win32', 620 | 'oJiym', 621 | 'drivers', 622 | '119px', 623 | 'hwJeS', 624 | 'ljtzC', 625 | 'Bin_Td_Res', 626 | 'ConnectionState', 627 | 'AllowPaging', 628 | 'Verdana', 629 | 'block', 630 | 'HEADER', 631 | 'FileStream', 632 | 'Boolean', 633 | 'FOOTER', 634 | 'PacketCapture', 635 | 'using', 636 | 'addextendedproc', 637 | 'Timestamp', 638 | 'sp_makewebtask', 639 | 'm_Writer', 640 | 'db_owner', 641 | '0x62696E', 642 | 'GetSize', 643 | 'style3', 644 | 'LastAccessTime', 645 | 'Bin_login', 646 | 'GroupName', 647 | 'DataRow', 648 | 'CreationTime', 649 | 'SQLOLEDB', 650 | 'sysobjects', 651 | 'LocalPort', 652 | 'Localaddress', 653 | 'Clone', 654 | 'ExecuteReader', 655 | 'CurrentUser', 656 | 'Management', 657 | 'IISSpy', 658 | '__File', 659 | 'mywrite', 660 | 'CurrentConfig', 661 | 'fileconfigpath', 662 | 'strTmp', 663 | 'strong', 664 | 'getfs', 665 | 'Bin_ToBase64', 666 | 'Trace', 667 | 'Bin_MainPanel', 668 | 'TreeView1', 669 | 'Bin_CopyTextBox', 670 | 'db_info', 671 | 'TreeView', 672 | 'SERVER_PORT', 673 | 'Bin_SAexecButton', 674 | 'Bin_Accbind', 675 | 'ASCII', 676 | 'oleconn', 677 | 'typeof', 678 | 'is_dir', 679 | '150px', 680 | 'ULOGIN', 681 | 'GetType', 682 | 'normal', 683 | 'innerSubKey', 684 | 'Bin_CFile', 685 | 'Bin_Editfile', 686 | 'LinkLayerType', 687 | 'RemotePort', 688 | 'GetProcesses', 689 | 'Bin_Style_Login', 690 | 'RemoteAddress', 691 | 'ServerIP', 692 | 'PathName', 693 | 'Double', 694 | 'SETDOMAIN', 695 | 'Int64', 696 | 'Label1', 697 | 'packetData', 698 | 'Address', 699 | 'valign', 700 | 'Bin_main', 701 | 'Position', 702 | 'CmdShell', 703 | 'W3SVC', 704 | 'GetLastWriteTime', 705 | 'CreateObject', 706 | 'dbname', 707 | 'OnCheckedChanged', 708 | 'binftp', 709 | 'dirstr', 710 | 'showatt', 711 | 'space', 712 | 'HostName', 713 | 'LogFile', 714 | 'OleDbSchemaGuid', 715 | 'Threads', 716 | 'FromBase64String', 717 | 'GetOleDbSchemaTable', 718 | 'PortScan', 719 | 'SOFTWARE', 720 | 
'Matches', 721 | 'operation', 722 | 'Hide_Div', 723 | 'getpath', 724 | 'iisend', 725 | 'AnonymousUserName', 726 | 'scanres', 727 | 'tnQRF', 728 | 'existdir', 729 | 'ListBox5', 730 | 'HTTP_X_FORWARDED_FOR', 731 | 'urldecode', 732 | 'server_name', 733 | 'varchar', 734 | 'vbcrlf', 735 | 'logIt', 736 | 'Label2', 737 | 'file_name', 738 | 'iisstart', 739 | 'PortMap', 740 | 'mWGEm', 741 | 'sqlname', 742 | 'fileObject', 743 | 'Paste', 744 | 'unknown', 745 | 'Drives', 746 | 'Services', 747 | 'msxsl', 748 | 'SERVER_SOFTWARE', 749 | 'YFcNP', 750 | 'ports', 751 | 'forms', 752 | 'Rport', 753 | 'Documents', 754 | 'Abandon', 755 | 'HttpCookie', 756 | 'XP_dirtree', 757 | 'RegShell', 758 | 'cutboard', 759 | 'lRavM', 760 | 'strQuery', 761 | 'Terminal', 762 | 'openrowset', 763 | 'TdgGU', 764 | 'baseStream', 765 | 'throw', 766 | 'HczyN', 767 | '_timeSpent', 768 | 'zKvOw', 769 | 'ZhWSK', 770 | 'kDgkX', 771 | '120px', 772 | 'FgzeQ', 773 | 'Dstog', 774 | 'VisualBasic', 775 | 'uXevN', 776 | 'lFAvw', 777 | 'Closed', 778 | 'IPAddress', 779 | 'loadpath', 780 | 'lblInfo', 781 | 'oZnZV', 782 | 'nGroup', 783 | 'iDgmL', 784 | 'FTBtf', 785 | 'mtoJb', 786 | 'procedures', 787 | 'ArraySegment', 788 | 'SessionName', 789 | 'aYRwo', 790 | 'pathfile', 791 | 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 792 | 'hOWTm', 793 | 'MyFileStream', 794 | 'dbporta', 795 | 'check', 796 | 'getdataport', 797 | 'lblStatus', 798 | 'vbnewline', 799 | 'objProcessInfo', 800 | 'Bin_ReadOnlyCheckBox', 801 | 'Bin_ResLabel', 802 | 'Bin_DriveList', 803 | 'Bin_AccessTimeTextBox', 804 | 'Bin_AccRadioButton', 805 | 'ConnString', 806 | 'vertical', 807 | 'Bin_Filedel', 808 | 'Bin_CreateTextBox', 809 | 'Bin_CreationTimeTextBox', 810 | 'cellContents', 811 | 'jktest', 812 | 'job_name', 813 | 'GetFileSystemEntries', 814 | 'Bin_DirTextBox', 815 | 'nowdir', 816 | 'Win32_Process', 817 | 'processes', 818 | 'Bin_HiddenCheckBox', 819 | 'kusqlpass', 820 | 'kusqlportstr', 821 | 'DriveInfo', 822 | 'winObj', 823 
| 'Bin_Option', 824 | 'kusqlname', 825 | '289px', 826 | 'Bin_Change', 827 | 'subdir', 828 | 'Bin_SystemCheckBox', 829 | 'tblsDt', 830 | 'sqlpass', 831 | 'Bin_ExecButton', 832 | 'ServerBindings', 833 | 'parstr', 834 | '500px', 835 | 'InfoLabel', 836 | 'Bin_SqlDir', 837 | 'Bin_ArchiveCheckBox', 838 | 'Sqlcmd', 839 | 'Fields_to_Show', 840 | 'Bin_SQLconnTextBox', 841 | 'Bin_LastWriteTimeTextBox', 842 | 'lport', 843 | 'HeaderText', 844 | 'Fields_to_load', 845 | 'RunTable', 846 | 'copystr', 847 | 'copyto', 848 | 'ProtocolType', 849 | 'AddressFamily', 850 | 'InterNetwork', 851 | '200px', 852 | 'Manager', 853 | 'IsPostBack', 854 | 'xtype', 855 | 'SocketType', 856 | 'monospace', 857 | 'lportC', 858 | 'outstr', 859 | 'sqlEx', 860 | 'packets', 861 | 'HARDWARE', 862 | 'IIsWebVirtualDir', 863 | 'deldir', 864 | 'db_conn', 865 | 'Client', 866 | 'Logout', 867 | 'AddressList', 868 | 'uname', 869 | 'ManagementObject', 870 | 'CIMV2', 871 | 'octet', 872 | 'filecontent', 873 | 'absolute', 874 | 'is_file', 875 | 'elements', 876 | 'bportC', 877 | 'object_id', 878 | 'dbport', 879 | 'cursor', 880 | 'Bin_Createdir', 881 | 'dbpass', 882 | 'Courier', 883 | 'WinNT', 884 | 'Xp_Regwrite', 885 | 'running', 886 | 'event', 887 | 'SYSDATABASES', 888 | 'kusqlport', 889 | 'Bin_Span_Drv', 890 | 'network', 891 | 'ChangeDatabase', 892 | 'jkregstr', 893 | 'regstr', 894 | 'EventHandler', 895 | 'fail_description', 896 | 'thisfile', 897 | 'the_StartInfo', 898 | 'RedirectStandardError', 899 | 'Webshell', 900 | 'thatfile', 901 | 'dddddd', 902 | 'TC_USER', 903 | 'CurrentControlSet', 904 | 'oregstr', 905 | 'CloseConnection', 906 | 'PMCacheName', 907 | 's_inf', 908 | 'PreRender', 909 | '759px', 910 | 'Settings', 911 | 'sqlshow', 912 | 'Copyright', 913 | 'Scanner', 914 | 'base64String', 915 | 'CurrentPageIndex', 916 | 'filed', 917 | 'PropertyValueCollection', 918 | 'Refresh', 919 | 'SocketException', 920 | 'PhysicalPath', 921 | 'mycon', 922 | 'Equals', 923 | 'Button1', 924 | 'NewLine', 925 | 'BeginSend', 926 | 
'SCRIPT_NAME', 927 | 'CentralProcessor', 928 | 'CanWrite', 929 | 'dpath', 930 | 'bbbbbb', 931 | 'SqlException', 932 | 'GetLastWriteTimeUtc', 933 | 'GetLastAccessTimeUtc', 934 | 'Bin_Data', 935 | 'HtmlEncode', 936 | 'Bin_List_DB', 937 | 'RegisterHiddenField', 938 | 'MACAddress', 939 | 'Priority', 940 | 'PropertyData', 941 | 'PropertyDataCollection', 942 | 'PropertyDataEnumerator', 943 | 'getElementsByTagName', 944 | 'Bin_Span_FrameVersion', 945 | 'ColumnSpan', 946 | 'SetLastWriteTimeUtc', 947 | 'created', 948 | 'BeginConnect', 949 | 'zcg_WmiDataTable', 950 | 'Bin_H2_Mac', 951 | 'eventArgument', 952 | 'Hashtable', 953 | 'Bin_Button_KillMe', 954 | 'SetCreationTimeUtc', 955 | 'spath', 956 | 'eventTarget', 957 | '333333', 958 | 'IIS_USER', 959 | 'Bin_Button_CreateFile', 960 | 'GetCreationTimeUtc', 961 | 'Bin_Button_CreateDir', 962 | 'PagerStyle', 963 | 'EndSend', 964 | 'ThreadCount', 965 | 'EndReceive', 966 | 'SetLastAccessTimeUtc', 967 | 'ServiceController', 968 | 'LastWriteTimeUtc', 969 | 'Bin_Ul_Sys', 970 | 'Bin_Ul_NetConfig', 971 | 'Bin_Ul_Driver', 972 | 'MD5Pass', 973 | 'Bin_H2_Driver', 974 | 'StartMode', 975 | 'Bin_RegresLabel', 976 | 'https', 977 | 'TimeSpan', 978 | 'EndsWith', 979 | 'underline', 980 | 'RedirectStandardInput', 981 | 'Bin_Span_Sname', 982 | 'Bin_SuresLabel', 983 | 'MaxCount', 984 | 'ShowFolders', 985 | 'FormsAuthentication', 986 | 'selectedIndex', 987 | 'formatfile', 988 | 'RunCmd', 989 | 'HashPasswordForStoringInConfigFile', 990 | 'IISversion', 991 | 'jkstream', 992 | 'kbconn', 993 | 'disabled', 994 | 'Demand', 995 | 'ItemArray', 996 | 'IsUserTable', 997 | 'deldomain', 998 | 'Label_Info', 999 | 'xdateformat', 1000 | 'WriteFile', 1001 | 'lastvalue', 1002 | 'IpParts2', 1003 | 'ListBox1', 1004 | 'intext', 1005 | 'DataField', 1006 | 'the_rar', 1007 | 'Bin_UpFile', 1008 | 'inline', 1009 | 'strlen', 1010 | 'strIPAddr', 1011 | 'Lucida', 1012 | 'mainSocket', 1013 | 'sql_dir', 1014 | '888px', 1015 | 'resultbox', 1016 | 'separator', 1017 | 'Restr', 1018 | 
'oFile', 1019 | 'pconn', 1020 | 'oportstr', 1021 | 'Bin_EditpathTextBox', 1022 | 'Bin_EditTextBox', 1023 | 'Bin_AccinfoLabel', 1024 | 'getdrname', 1025 | 'pcount', 1026 | 'changedata', 1027 | 'Millseconds', 1028 | 'reglaststr', 1029 | 'Bin_FileRN', 1030 | 'getdelneiku', 1031 | 'cboSps', 1032 | 'HorizontalAlign', 1033 | 'Bin_ScanresLabel', 1034 | 'HeaderStyle', 1035 | 'Bin_FilelistLabel', 1036 | 'MoveNext', 1037 | 'renamedir', 1038 | 'Resolve', 1039 | 'postdata', 1040 | 'checker', 1041 | 'agentcmd', 1042 | 'CheckIsNumber', 1043 | 'Head1', 1044 | 'GridLines', 1045 | 'OBJECTPROPERTY', 1046 | 'htmlend', 1047 | 'conns', 1048 | 'getname', 1049 | 'getzhi', 1050 | 'Bin_CmdLabel', 1051 | 'HHzcY', 1052 | 'HideHidden', 1053 | 'LoginMesFile', 1054 | 'Sumbit', 1055 | 'powershell', 1056 | 'PasswordType', 1057 | 'equiv', 1058 | 'Expire', 1059 | 'BinaryWrite', 1060 | 'owner', 1061 | 'TZOEnable', 1062 | 'TZOKey', 1063 | 'ChangePassword', 1064 | 'enabled', 1065 | 'WebClient', 1066 | 'NeedSecure', 1067 | 'DELETEDOMAIN', 1068 | 'Keyword', 1069 | '0000FF', 1070 | 'Disable', 1071 | 'NoneRN', 1072 | 'LocalAdministrator', 1073 | 'Fixed', 1074 | 'ReceiveBufferSize', 1075 | 'QuotaCurrent', 1076 | 'bytes', 1077 | 'CanRead', 1078 | 'MaxNrUsers', 1079 | 'IdleTimeOut', 1080 | 'SessionTimeOut', 1081 | 'REMOTE_ADDR', 1082 | 'Regular', 1083 | 'AlwaysAllowLogin', 1084 | 'SETUSERSETUP', 1085 | 'MaxUsersLoginPerIP', 1086 | 'HomeDir', 1087 | 'SpeedLimitDown', 1088 | 'SpeedLimitUp', 1089 | 'RatiosCredit', 1090 | 'Ratios', 1091 | 'RelPaths', 1092 | 'RWAMELCDP', 1093 | 'RatioDown', 1094 | 'QuotaEnable', 1095 | 'QuotaMaximum', 1096 | 'raquo', 1097 | 'UDLvA', 1098 | 'Starts', 1099 | 'lRfRj', 1100 | 'PcAnywhere', 1101 | 'mHbjB', 1102 | 'lDODR', 1103 | 'dfile', 1104 | 'ADSPath', 1105 | 'EnableViewStateMac', 1106 | 'vJNsE', 1107 | 'vNCHZ', 1108 | 'SelectQuery', 1109 | 'dbhost', 1110 | 'myStreamReader', 1111 | 'lbjLD', 1112 | 'Renamed', 1113 | 'dtFields', 1114 | 'dbuser', 1115 | 'stNPw', 1116 | 'Cancel', 1117 
| 'ADCpk', 1118 | 'XXrLw', 1119 | 'dNohJ', 1120 | 'ORUgV', 1121 | 'iiGFO', 1122 | 'iLVUT', 1123 | 'ArgumentOutOfRangeException', 1124 | 'Bin_Parent', 1125 | 'nxeDR', 1126 | 'tIykC', 1127 | 'IKjwH', 1128 | 'Bin_Button_Driv', 1129 | 'ToUpper', 1130 | 'time1', 1131 | 'PhQTd', 1132 | 'txtDatabase', 1133 | 'DGCoW', 1134 | 'outType', 1135 | 'CmdPath', 1136 | 'fhAEn', 1137 | 'txtPassword', 1138 | 'Bin_FromBase64', 1139 | 'time2', 1140 | 'myread', 1141 | 'Runtime', 1142 | 'xfileperms', 1143 | 'nbyte', 1144 | 'xparentfolder', 1145 | 'thePath', 1146 | 'FromDateTime', 1147 | 'xplog70', 1148 | 'SRVROLEMEMBER', 1149 | 'stoptime', 1150 | 'copydir', 1151 | 'IS_SRVROLEMEMBER', 1152 | 'sysadmin', 1153 | '600px', 1154 | 'DIFFERENTIAL', 1155 | 'outputfile', 1156 | 'InteropServices', 1157 | '65500', 1158 | 'literal', 1159 | 'GetStartedTime', 1160 | 'gb2312', 1161 | 'no_truncate', 1162 | 'LbReg', 1163 | 'WebAdmin', 1164 | 'tblbox', 1165 | 'IS_MEMBER', 1166 | 'odsole70', 1167 | 'UserInfo', 1168 | 'HTTP_HOST', 1169 | 'jkkudr', 1170 | 'gridResults', 1171 | 'Entries', 1172 | 'deldr', 1173 | 'connku', 1174 | 'getwz', 1175 | 'dData', 1176 | 'editpath', 1177 | 'ClearHeaders', 1178 | 'dbcmda', 1179 | 'exist', 1180 | 'ExpandDepth', 1181 | 'getattstr', 1182 | 'getIP', 1183 | 'gridParameters', 1184 | 'getself', 1185 | 'NewName', 1186 | 'xexistdir', 1187 | 'myscanner', 1188 | 'PortNumber', 1189 | 'local_copy_of_cmd', 1190 | 'jksdr', 1191 | 'PRIMARY', 1192 | 'ThreadStart', 1193 | 'TreeNodeEventArgs', 1194 | 'Login_click', 1195 | 'woanware', 1196 | 'webname', 1197 | 'middle', 1198 | '114px', 1199 | 'rdpwd', 1200 | 'agentdr', 1201 | 'refilename', 1202 | 'STYLE1', 1203 | 'AnonymousUserPass', 1204 | '194px', 1205 | 'zcg_lbtnADS_Click', 1206 | 'Notice', 1207 | 'txtSqlcmd', 1208 | 'OnSelectedNodeChanged', 1209 | 'OnTreeNodeExpanded', 1210 | 'Operate', 1211 | '312px', 1212 | 'btnExecute_Click', 1213 | 'txtcommand2', 1214 | 'shellcmd', 1215 | 'kProcessStartInfo', 1216 | '147px', 1217 | 'kProcess', 1218 | 
'kname', 1219 | 'account', 1220 | 'sql_query', 1221 | 'txtCommand1', 1222 | 'TimeZone', 1223 | 'Capacity', 1224 | 'kernel32', 1225 | 'GetValueNames', 1226 | 'DropDownList2', 1227 | 'Inetsrv', 1228 | 'SuExp', 1229 | 'GetSubKeyNames', 1230 | 'Collections', 1231 | 'FileEdit', 1232 | 'UBound', 1233 | '447px', 1234 | 'Queries', 1235 | 'Anonymous', 1236 | 'PacketCaptureWriter', 1237 | 'passtext', 1238 | 'iframe', 1239 | 'byteData', 1240 | 'maxPacketLength', 1241 | 'portnum', 1242 | 'arraynum', 1243 | 'xfilesize', 1244 | 'ushort', 1245 | 'captureTimestamp', 1246 | 'ufname', 1247 | 'modify', 1248 | 'GridView', 1249 | 'DB_eString', 1250 | 'xfilelastmodified', 1251 | 'Local', 1252 | 'Remote', 1253 | 'ADODB', 1254 | 'ListBoxPro', 1255 | 'letters', 1256 | 'stmrdr', 1257 | 'DataCStr', 1258 | 'txtAuthKey', 1259 | 'Button1_Click', 1260 | 'bin_temp', 1261 | 'Bin_TextBox_Fp', 1262 | 'ToBase64String', 1263 | 'context', 1264 | 'style2', 1265 | 'Win32_UserAccount', 1266 | 'SandBoxMode', 1267 | 'wrong', 1268 | 'DirName', 1269 | '350px', 1270 | 'Engines', 1271 | 'MemoryStream', 1272 | 'CheckAll', 1273 | 'tmpNum', 1274 | 'baidu', 1275 | 'ManagementObjectCollection', 1276 | 'DirectoryName', 1277 | 'MatchCollection', 1278 | '719BC5', 1279 | 'REG_DWORD', 1280 | 'uploaded', 1281 | 'Bin_BackButton_Click', 1282 | 'Bin_AccRadioButton_CheckedChanged', 1283 | 'Bin_AttLabel', 1284 | '0x3C256578656375746520726571756573742822422229253E', 1285 | 'Bin_BakLog', 1286 | 'Begin', 1287 | 'Bin_AttPanel', 1288 | 'Bin_BDButton_Click', 1289 | '765px', 1290 | 'Bin_BakDB', 1291 | 'OverWrite', 1292 | 'usertabdel', 1293 | '240px', 1294 | '157px', 1295 | 'omumastr', 1296 | 'onchange', 1297 | 'SetLastWriteTime', 1298 | 'getqmfilestr', 1299 | 'SetLastAccessTime', 1300 | 'XmlDocument', 1301 | 'WebRoot', 1302 | 'ServerComment', 1303 | 'output_wmi_function_data', 1304 | 'StartIp', 1305 | 'Target_copy_of_cmd', 1306 | 'SetCreationTime', 1307 | 'reglastindex', 1308 | 'EndIP', 1309 | 'FileMode', 1310 | 'getdbstra', 1311 | 
'68915', 1312 | 'getdbstr', 1313 | 'Create_table_row_with_supplied_colors', 1314 | 'Argument', 1315 | 'agentsql', 1316 | 'text_to_print', 1317 | 'fullpath', 1318 | 'Repair', 1319 | 'struct', 1320 | 'getacctable', 1321 | '129px', 1322 | 'Antak', 1323 | 'regindex', 1324 | 'configfilestr', 1325 | 'alignValue', 1326 | 'Structure', 1327 | 'getlistku', 1328 | '138px', 1329 | 'quite', 1330 | 'press', 1331 | 'getfolderstr', 1332 | 'getfindmm', 1333 | 'StoredProcedure', 1334 | '760px', 1335 | 'getallfilestr', 1336 | 'enctype', 1337 | '111111', 1338 | 'SA_Exec', 1339 | 'GetEnvironmentVariable', 1340 | 'Encode', 1341 | 'Automation', 1342 | 'rowItems', 1343 | 'columntype', 1344 | '140px', 1345 | 'dbsqlconn', 1346 | 'properties_', 1347 | 'ddlist', 1348 | 'Bin_CopyButton_Click', 1349 | 'gettzm', 1350 | 'IIS_list_Anon_Name_Pass', 1351 | 'Bin_SunameTextBox', 1352 | 'Bin_SuexpButton_Click', 1353 | 'Bin_SucmdTextBox', 1354 | 'Bin_SuButton_Click', 1355 | 'Bin_SQLRadioButton_CheckedChanged', 1356 | 'Bin_SQLButton_Click', 1357 | 'Bin_SetButton_Click', 1358 | 'Bin_ScanipTextBox', 1359 | 'Bin_ScancmdButton_Click', 1360 | 'Bin_Scan', 1361 | 'Bin_SbackButton_Click', 1362 | 'htmlstr', 1363 | 'Bin_SAexecButton_Click', 1364 | 'Bin_SACMDButton_Click', 1365 | 'Bin_RunButton_Click', 1366 | 'Bin_RegreadButton_Click', 1367 | 'Bin_RegButton_Click', 1368 | 'FileButton_Click', 1369 | 'Bin_Process', 1370 | 'Bin_PortsTextBox', 1371 | 'Bin_PortButton_Click', 1372 | 'f1f1f1', 1373 | 'TimeLabel', 1374 | 'Bin_NewFileButton_Click', 1375 | 'Bin_SupassTextBox', 1376 | 'Bin_SuportTextBox', 1377 | 'Bin_Table_File', 1378 | 'jksession', 1379 | 'Item_DataBound', 1380 | 'Item_Command', 1381 | 'txtEndIP', 1382 | 'txtDatabaseServer', 1383 | 'Lb_msg', 1384 | 'tv2str', 1385 | 'exesql', 1386 | 'txtPorts', 1387 | 'Bin_NewdirButton_Click', 1388 | 'Bin_ValueTextBox', 1389 | 'LoginButton_Click', 1390 | 'ToInt32', 1391 | 'loginpass', 1392 | 'loginuser', 1393 | '395px', 1394 | 'LogoutButton_Click', 1395 | 'lstRet', 1396 | 
'MainButton_Click', 1397 | 'ToArray', 1398 | 'iiswebpath', 1399 | 'dataconn', 1400 | 'dirpath', 1401 | 'Bin_upButton_Click', 1402 | 'Bin_LogshellButton_Click', 1403 | 'fontColor', 1404 | 'the_Process', 1405 | 'Bin_CmdShellTextBox', 1406 | 'Bin_dbshellButton_Click', 1407 | 'Bin_ExecButton_Click', 1408 | 'Bin_ErrorLabel', 1409 | 'Bin_EditPanel', 1410 | 'Bin_EditButton_Click', 1411 | 'SQL_SumbitButton_Click', 1412 | 'Distributed', 1413 | 'Bin_Fileatt', 1414 | 'environmentVariables', 1415 | 'the_Reg', 1416 | 'Bin_listButton_Click', 1417 | 'z_index', 1418 | 'Bin_CutButton_Click', 1419 | 'HARDWARE_INFO', 1420 | 'noshade', 1421 | 'Bin_DirButton_Click', 1422 | 'Bin_DBPage', 1423 | 'newdomain', 1424 | 'Bin_Filedown', 1425 | 'txtUserId', 1426 | 'Bin_FileLabel', 1427 | 'multipart', 1428 | 'mustAdd', 1429 | 'destr', 1430 | 'txtStartIP', 1431 | 'dabaodz', 1432 | 'delfolderstr', 1433 | 'Bin_KeyTextBox', 1434 | 'Bin_FileEdit', 1435 | 'Bin_CmdButton_Click', 1436 | 'Bin_CmdPathTextBox', 1437 | 'Bin_iisLabel', 1438 | 'Bin_GoButton_Click', 1439 | 'Bin_IISButton_Click', 1440 | 'Bin_iisinfo', 1441 | 'InvokeMethod', 1442 | 'Thanks', 1443 | 'Offset', 1444 | 'edited_path', 1445 | 'example', 1446 | 'boxid', 1447 | 'Strings', 1448 | 'BorderWidth', 1449 | 'Label_Drives', 1450 | 'Sleep', 1451 | 'TextBox_FDName', 1452 | '789px', 1453 | 'active', 1454 | 'childname', 1455 | 'GetWebName', 1456 | 'UserDomainName', 1457 | 'datas', 1458 | 'proException', 1459 | '21232f297a57a5a743894a0e4a801fc3', 1460 | 'PropertyNames', 1461 | 'Timeout', 1462 | 'html_onload', 1463 | 'html_script', 1464 | 'html_title', 1465 | 'window', 1466 | '304px', 1467 | 'HttpPostedFile', 1468 | 'curfile', 1469 | 'nReceived', 1470 | 'bContinueCapturing', 1471 | 'pointer', 1472 | 'Drawing', 1473 | 'RegisterStartupScript', 1474 | 'fcont', 1475 | 'visited', 1476 | 'passw', 1477 | 'xfileopen', 1478 | 'Resume', 1479 | 'table_name', 1480 | 'html_head', 1481 | 'tbody', 1482 | 'uploadfile', 1483 | 'DBConn', 1484 | 'Exploit', 1485 | 
'Subtract', 1486 | 'Cryptography', 1487 | 'Connected', 1488 | 'Bin_Textarea_Query', 1489 | 'IIS_PASS', 1490 | 'zcg_MakeADSLinkJs', 1491 | 'MySql', 1492 | 'Bin_Target', 1493 | 'AspCompat', 1494 | 'onserverclick', 1495 | 'Bin_TextArea_Search', 1496 | 'Compression', 1497 | 'GetCreationTime', 1498 | 'Bin_DataGrid_Wmi', 1499 | 'Principal', 1500 | 'IPHostEntry', 1501 | 'NumericPages', 1502 | 'found', 1503 | 'seldbname', 1504 | 'jk1986', 1505 | '______', 1506 | 'IsSqlServer', 1507 | 'IsNullOrEmpty', 1508 | 'CCCCCC', 1509 | 'BorderStyle', 1510 | 'dtKeys', 1511 | 'resultSQL', 1512 | 'Terminate', 1513 | 'objectSid', 1514 | 'NewRow', 1515 | 'SQLExec', 1516 | 'ModifyTime', 1517 | 'DllImport', 1518 | 'FileAccess', 1519 | 'ServiceName', 1520 | 'DatabaseBackup', 1521 | 'Extension', 1522 | 'Manufacturer', 1523 | 'makewebtask', 1524 | 'LoginHours', 1525 | 'InputStream', 1526 | 'LogBackup', 1527 | 'invalid', 1528 | 'TrimEnd', 1529 | 'txtport', 1530 | 'txtpackets', 1531 | 'layout', 1532 | 'extern', 1533 | 'opendatasource', 1534 | 'txtlogfile', 1535 | 'DownloadFile', 1536 | 'DefaultValue', 1537 | 'ProcessorNameString', 1538 | 'GetEnumerator', 1539 | 'Assistant', 1540 | 'SubKeyCount', 1541 | 'completed', 1542 | 'Win32_TimeZone', 1543 | 'BasePriority', 1544 | 'computer', 1545 | 'Win32_Service', 1546 | 'Framework', 1547 | 'Win32_PhysicalMemory', 1548 | 'SandBox', 1549 | 'Win32_NetworkAdapterConfiguration', 1550 | 'scanned', 1551 | 'Win32_BIOS', 1552 | 'Win32_SystemDriver', 1553 | 'TABLE_CATALOG', 1554 | 'EndConnect', 1555 | 'TABLE_SCHEMA', 1556 | 'FileList', 1557 | 'GetServices', 1558 | 'TABLE_PROPID', 1559 | 'var_value', 1560 | 'xfilesave', 1561 | 'wBind', 1562 | 'zcg_Rename', 1563 | 'UPDATE', 1564 | 'xfname', 1565 | 'xnewfile', 1566 | 'downfilestr', 1567 | 'xmldoc', 1568 | 'xnewconnect', 1569 | 'xparsefilesize', 1570 | 'tzcode', 1571 | 'dirInfo', 1572 | 'drive', 1573 | 'errReturn', 1574 | 'zcg_tbl_ADSViewer', 1575 | 'dlink', 1576 | 'txtSqlName', 1577 | 'xdname', 1578 | 
'zcg_txbADSPath', 1579 | 'xnewchild', 1580 | 'zcg_txbADSType', 1581 | 'xsldoc', 1582 | 'dirstr1', 1583 | 'WorkingSet', 1584 | 'var_description', 1585 | 'xServerIP', 1586 | 'dport', 1587 | 'WinExec', 1588 | 'var_name', 1589 | 'xnewfolder', 1590 | 'jksend', 1591 | 'execution', 1592 | 'gmcode', 1593 | 'objmanage', 1594 | 'oFileSys', 1595 | 'oleda', 1596 | 'oleds', 1597 | 'Order', 1598 | 'oScript', 1599 | 'osqldatabasestr', 1600 | 'osqlnamestr', 1601 | 'osqlpassstr', 1602 | 'output_wmi_function_data_instances', 1603 | 'parentdir', 1604 | 'getqmstr', 1605 | 'getprocess', 1606 | 'pesan', 1607 | 'getmmstr', 1608 | 'plaste', 1609 | 'portarray', 1610 | 'getjkdeldomain', 1611 | 'getfilex', 1612 | 'getfilestr', 1613 | 'getfile', 1614 | 'providerObj', 1615 | 'numDataBytes', 1616 | 'nTime', 1617 | 'GridView2', 1618 | 'nodeObj', 1619 | 'iswriteable', 1620 | 'LbScan', 1621 | 'lbuffer', 1622 | 'IpList', 1623 | 'ListBox2', 1624 | 'Listen', 1625 | 'local_dir', 1626 | 'localurl', 1627 | 'Initial', 1628 | 'logNextPacket', 1629 | 'iisusername', 1630 | 'qmcode', 1631 | 'iisdk', 1632 | 'MemorySize', 1633 | 'htmlspecialchars', 1634 | 'minisizepacket', 1635 | 'holepath', 1636 | 'my_s_ftp', 1637 | 'my_s_http_post', 1638 | 'my_s_smtp', 1639 | 'myTableName', 1640 | 'names', 1641 | 'netcat', 1642 | 'newjc', 1643 | 'IIsComputerObj', 1644 | 'txtCmdIn', 1645 | 'getdelkustr', 1646 | 'rbuffer', 1647 | 'sutc1', 1648 | 'syslog', 1649 | 'SystemDirectory', 1650 | 'filemtime', 1651 | 'filelocal', 1652 | 'TableColumn', 1653 | 'filego', 1654 | 'tblPkName', 1655 | 'tblRun', 1656 | 'tempDrives', 1657 | 'filectime', 1658 | 'fileatime', 1659 | 'FileAct', 1660 | 'TextBox1', 1661 | 'TextBoxReadDir', 1662 | 'TextBoxRenameTo', 1663 | 'the_Info', 1664 | 'the_Obj', 1665 | 'thisChar', 1666 | 'thisData', 1667 | 'faction', 1668 | 'explorer', 1669 | 'TreeView4_SelectedNodeChanged', 1670 | 'Surround_by_TD_and_Bold', 1671 | 'Surround_by_TD', 1672 | 'FileShare', 1673 | 'FileUpload1', 1674 | 'getdbfileall', 1675 | 
'Getdbfilea', 1676 | 'getcontent', 1677 | 'getcfile', 1678 | 'regImg', 1679 | 'getallstr', 1680 | 'RegValue', 1681 | 'remoteurl', 1682 | 'returns', 1683 | 'revstr', 1684 | 'fsize', 1685 | 'getdelfolder', 1686 | 'rowItem', 1687 | 's_driver', 1688 | 'savefile', 1689 | 'ScanPorts', 1690 | 'ScanResults', 1691 | 'sport', 1692 | 'Stack', 1693 | 'firstfield', 1694 | 'strIP', 1695 | 'final', 1696 | 'filewant', 1697 | 'fileurl', 1698 | 'rowspan', 1699 | 'directories', 1700 | '_____', 1701 | '381px', 1702 | 'center_', 1703 | 'cmdw32', 1704 | 'cmdwsh', 1705 | 'cfile', 1706 | '268px', 1707 | '274px', 1708 | '286px', 1709 | 'cfolderstr', 1710 | 'CheckBox1', 1711 | 'could', 1712 | 'BindData', 1713 | 'CheckBox2', 1714 | 'decimal', 1715 | 'CheckBox3', 1716 | 'Bin_Table_Reg', 1717 | 'AspNetHostingPermission', 1718 | '356px', 1719 | 'AspNetHostingPermissionLevel', 1720 | '_Value', 1721 | 'curpart', 1722 | 'Accounts', 1723 | '003300', 1724 | '595px', 1725 | 'catalog', 1726 | 'applog', 1727 | 'ContentLength', 1728 | 'btnLogin', 1729 | 'db_cmd', 1730 | 'DB_DataGrid', 1731 | 'btnLogin_Click', 1732 | 'db_ds', 1733 | '211px', 1734 | 'Bin_List_SelectedIndexChanged', 1735 | 'Bin_List_Connstr', 1736 | 'Bin_TextBox_Sp', 1737 | 'Bin_TextBox_Sp1', 1738 | 'db_schemaTable', 1739 | 'ADSSettings', 1740 | 'daboml', 1741 | 'ADSUserName', 1742 | 'cmdshow', 1743 | 'dbowner', 1744 | '153px', 1745 | '270px', 1746 | '560px', 1747 | '170px', 1748 | 'CommandEventArgs', 1749 | '_CaptureTimestamp', 1750 | '174px', 1751 | '154px', 1752 | 'checkname', 1753 | 'CheckBox4', 1754 | '_BaseStream', 1755 | '160px', 1756 | '155px', 1757 | 'DictionaryEntry', 1758 | '169px', 1759 | 'auser', 1760 | 'Unknow', 1761 | 'OREpx', 1762 | '258px', 1763 | 'details', 1764 | 'JJjbW', 1765 | 'admin', 1766 | 'ImportRow', 1767 | 'nDrive', 1768 | 'RsqhW', 1769 | 'ZSnXu', 1770 | 'ParseControl', 1771 | 'DataGridPageChangedEventArgs', 1772 | 'Started', 1773 | 'subpath', 1774 | 'WriteLine', 1775 | 'GetDriveTypeA', 1776 | 'VARIABLES', 1777 | 
'DataTextField', 1778 | 'JEaxV', 1779 | 'xaGwl', 1780 | 'DataAvailable', 1781 | 'KHbEd', 1782 | 'enter', 1783 | 'readreg_Click', 1784 | 'EntryPoint', 1785 | 'FindControl', 1786 | '666px', 1787 | 'PageSize', 1788 | 'RegStack', 1789 | 'CDRom', 1790 | 'JIAKU', 1791 | 'CommandEventHandler', 1792 | 'wmgnK', 1793 | 'OLJFp', 1794 | 'CmUCh', 1795 | 'Removable', 1796 | 'NewPageIndex', 1797 | 'permission', 1798 | 'QcZPA', 1799 | 'baVJV', 1800 | 'CompareMethod', 1801 | '950px', 1802 | 'Creat', 1803 | 'OnPageIndexChanged', 1804 | 'JScript', 1805 | 'CommandLine', 1806 | 'timeSpent' 1807 | } 1808 | 1809 | -- Define heuristic rules for heuristic analysis 1810 | local heuristicRules = { 1811 | { pattern = 'eval%(', description = 'Use of eval function' }, 1812 | { pattern = 'base64_decode%(', description = 'Use of base64_decode function' }, 1813 | { pattern = 'shell_exec%(', description = 'Use of shell_exec function' }, 1814 | { pattern = 'proc_open%(', description = 'Use of proc_open function' }, 1815 | { pattern = 'popen%(', description = 'Use of popen function' }, 1816 | { pattern = 'passthru%(', description = 'Use of passthru function' }, 1817 | { pattern = 'system%(', description = 'Use of system function' }, 1818 | { pattern = 'exec%(', description = 'Use of exec function' }, 1819 | { pattern = 'assert%(', description = 'Use of assert function' }, 1820 | { pattern = 'preg_replace%("/e"', description = 'Use of preg_replace with /e modifier' }, 1821 | { pattern = 'create_function%(', description = 'Use of create_function' }, 1822 | { pattern = 'include%(', description = 'Use of include function' }, 1823 | { pattern = 'require%(', description = 'Use of require function' }, 1824 | { pattern = 'include_once%(', description = 'Use of include_once function' }, 1825 | { pattern = 'require_once%(', description = 'Use of require_once function' }, 1826 | { pattern = 'file_get_contents%(', description = 'Use of file_get_contents function' }, 1827 | { pattern = 'fopen%(', description = 
'Use of fopen function' }, 1828 | { pattern = 'fread%(', description = 'Use of fread function' }, 1829 | { pattern = 'fwrite%(', description = 'Use of fwrite function' }, 1830 | { pattern = 'curl_exec%(', description = 'Use of curl_exec function' }, 1831 | { pattern = 'curl_multi_exec%(', description = 'Use of curl_multi_exec function' }, 1832 | { pattern = 'parse_ini_file%(', description = 'Use of parse_ini_file function' }, 1833 | { pattern = 'show_source%(', description = 'Use of show_source function' }, 1834 | { pattern = 'gzinflate%(', description = 'Use of gzinflate function' }, 1835 | { pattern = 'str_rot13%(', description = 'Use of str_rot13 function' }, 1836 | { pattern = 'gzuncompress%(', description = 'Use of gzuncompress function' }, 1837 | { pattern = 'gzdecode%(', description = 'Use of gzdecode function' }, 1838 | { pattern = 'preg_replace_callback%(', description = 'Use of preg_replace_callback function' }, 1839 | { pattern = 'call_user_func%(', description = 'Use of call_user_func function' }, 1840 | { pattern = 'call_user_func_array%(', description = 'Use of call_user_func_array function' }, 1841 | { pattern = 'array_map%(', description = 'Use of array_map function' }, 1842 | { pattern = 'array_walk%(', description = 'Use of array_walk function' }, 1843 | { pattern = 'array_filter%(', description = 'Use of array_filter function' }, 1844 | { pattern = 'array_reduce%(', description = 'Use of array_reduce function' }, 1845 | { pattern = 'register_shutdown_function%(', description = 'Use of register_shutdown_function' }, 1846 | { pattern = 'register_tick_function%(', description = 'Use of register_tick_function' }, 1847 | { pattern = 'ob_start%(', description = 'Use of ob_start function' }, 1848 | { pattern = 'ob_get_contents%(', description = 'Use of ob_get_contents function' }, 1849 | { pattern = 'ob_get_clean%(', description = 'Use of ob_get_clean function' }, 1850 | { pattern = 'ob_end_clean%(', description = 'Use of ob_end_clean function' }, 1851 
| { pattern = 'ob_flush%(', description = 'Use of ob_flush function' }, 1852 | { pattern = 'base64_encode%(', description = 'Use of base64_encode function' }, 1853 | { pattern = 'strrev%(', description = 'Use of strrev function' }, 1854 | { pattern = 'str_replace%(', description = 'Use of str_replace function' }, 1855 | { pattern = 'preg_match%(', description = 'Use of preg_match function' }, 1856 | { pattern = 'preg_split%(', description = 'Use of preg_split function' }, 1857 | { pattern = 'preg_grep%(', description = 'Use of preg_grep function' }, 1858 | { pattern = 'preg_filter%(', description = 'Use of preg_filter function' }, 1859 | { pattern = 'file_put_contents%(', description = 'Use of file_put_contents function' }, 1860 | { pattern = 'file%(', description = 'Use of file function' }, 1861 | { pattern = 'readfile%(', description = 'Use of readfile function' }, 1862 | { pattern = 'unlink%(', description = 'Use of unlink function' }, 1863 | { pattern = 'rename%(', description = 'Use of rename function' }, 1864 | { pattern = 'copy%(', description = 'Use of copy function' }, 1865 | { pattern = 'move_uploaded_file%(', description = 'Use of move_uploaded_file function' }, 1866 | { pattern = 'chmod%(', description = 'Use of chmod function' }, 1867 | { pattern = 'chown%(', description = 'Use of chown function' }, 1868 | { pattern = 'chgrp%(', description = 'Use of chgrp function' }, 1869 | { pattern = 'touch%(', description = 'Use of touch function' }, 1870 | { pattern = 'header%(', description = 'Use of header function' }, 1871 | { pattern = 'setcookie%(', description = 'Use of setcookie function' }, 1872 | { pattern = 'session_start%(', description = 'Use of session_start function' }, 1873 | { pattern = 'session_destroy%(', description = 'Use of session_destroy function' }, 1874 | { pattern = 'session_regenerate_id%(', description = 'Use of session_regenerate_id function' }, 1875 | { pattern = 'ini_set%(', description = 'Use of ini_set function' }, 1876 | { 
pattern = 'ini_get%(', description = 'Use of ini_get function' }, 1877 | { pattern = 'putenv%(', description = 'Use of putenv function' }, 1878 | { pattern = 'getenv%(', description = 'Use of getenv function' }, 1879 | { pattern = 'mail%(', description = 'Use of mail function' }, 1880 | { pattern = 'mb_send_mail%(', description = 'Use of mb_send_mail function' }, 1881 | { pattern = 'fsockopen%(', description = 'Use of fsockopen function' }, 1882 | { pattern = 'pfsockopen%(', description = 'Use of pfsockopen function' }, 1883 | { pattern = 'stream_socket_client%(', description = 'Use of stream_socket_client function' }, 1884 | { pattern = 'stream_socket_server%(', description = 'Use of stream_socket_server function' }, 1885 | { pattern = 'stream_context_create%(', description = 'Use of stream_context_create function' }, 1886 | { pattern = 'stream_context_set_option%(', description = 'Use of stream_context_set_option function' }, 1887 | { pattern = 'stream_context_get_options%(', description = 'Use of stream_context_get_options function' }, 1888 | { pattern = 'stream_filter_append%(', description = 'Use of stream_filter_append function' }, 1889 | { pattern = 'stream_filter_prepend%(', description = 'Use of stream_filter_prepend function' }, 1890 | { pattern = 'stream_get_contents%(', description = 'Use of stream_get_contents function' }, 1891 | { pattern = 'stream_set_blocking%(', description = 'Use of stream_set_blocking function' }, 1892 | { pattern = 'stream_set_timeout%(', description = 'Use of stream_set_timeout function' }, 1893 | { pattern = 'stream_set_write_buffer%(', description = 'Use of stream_set_write_buffer function' }, 1894 | { pattern = 'stream_socket_enable_crypto%(', description = 'Use of stream_socket_enable_crypto function' }, 1895 | { pattern = 'stream_socket_shutdown%(', description = 'Use of stream_socket_shutdown function' }, 1896 | { pattern = 'eval%(base64_decode%(', description = 'Use of eval with base64_decode' }, 1897 | { pattern = 
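'phpinfo%(', description = 'Use of phpinfo function' },
    { pattern = 'get_defined_vars%(', description = 'Use of get_defined_vars function' },
    { pattern = 'get_defined_functions%(', description = 'Use of get_defined_functions function' },
    { pattern = 'get_included_files%(', description = 'Use of get_included_files function' },
    { pattern = 'get_required_files%(', description = 'Use of get_required_files function' },
    { pattern = 'extract%(', description = 'Use of extract function' },
    { pattern = 'parse_str%(', description = 'Use of parse_str function' },
    { pattern = 'mb_ereg_replace%(.*/e', description = 'Use of mb_ereg_replace with /e modifier' },
    { pattern = 'mb_eregi_replace%(.*/e', description = 'Use of mb_eregi_replace with /e modifier' },
    { pattern = 'ReflectionFunction%(', description = 'Use of ReflectionFunction' },
    { pattern = 'ReflectionMethod%(', description = 'Use of ReflectionMethod' },
    { pattern = 'ReflectionClass%(', description = 'Use of ReflectionClass' },
    { pattern = 'ReflectionObject%(', description = 'Use of ReflectionObject' },
    { pattern = 'ReflectionProperty%(', description = 'Use of ReflectionProperty' },
    { pattern = 'ReflectionParameter%(', description = 'Use of ReflectionParameter' },
    { pattern = 'ReflectionExtension%(', description = 'Use of ReflectionExtension' },
    { pattern = 'ReflectionZendExtension%(', description = 'Use of ReflectionZendExtension' }
}

-- Shannon entropy of `str`, in bits per byte (each symbol is one byte).
-- Returns 0 for the empty string; a uniform byte distribution approaches 8.
local function getEntropy(str)
    local length = #str
    if length == 0 then
        return 0
    end

    local symbolFrequency = {}
    for i = 1, length do
        local symbol = str:sub(i, i)
        symbolFrequency[symbol] = (symbolFrequency[symbol] or 0) + 1
    end

    local entropy = 0
    for _, frequency in pairs(symbolFrequency) do
        local freq = frequency / length
        entropy = entropy - (freq * math.log(freq, 2))
    end

    return entropy
end

-- Return every entry of `suspiciousPatterns` (each used as a Lua pattern)
-- that matches `fileContent`. The pattern string itself is what is reported.
local function detectWebshellPatterns(fileContent)
    local matchedPatterns = {}
    for _, pattern in ipairs(suspiciousPatterns) do
        if fileContent:match(pattern) then
            matchedPatterns[#matchedPatterns + 1] = pattern
        end
    end
    return matchedPatterns
end

-- Return the description of every `heuristicRules` entry whose pattern
-- matches `fileContent`.
local function performHeuristicAnalysis(fileContent)
    local matchedHeuristics = {}
    for _, rule in ipairs(heuristicRules) do
        if fileContent:match(rule.pattern) then
            matchedHeuristics[#matchedHeuristics + 1] = rule.description
        end
    end
    return matchedHeuristics
end

-- Confidence score in [0, 100]: `baseScore` (0..1) scaled to a percentage,
-- plus 25 points per matched pattern and per matched heuristic, capped at 100.
local function adjustConfidenceScore(baseScore, matchedPatterns, matchedHeuristics)
    local confidenceScore = baseScore * 100
        + 25 * (#matchedPatterns + #matchedHeuristics)
    return math.min(confidenceScore, 100)
end

-- Build the result record for one finding. `sdForExt` is not computed by
-- this script and is passed as nil; the keyword lists are joined with ', '.
local function createResultObject(path, entropy, sdForExt, hash, lastModified, detectionMethod, confidenceScore, matchedPatterns, matchedHeuristics)
    return {
        FilePath = path,
        Entropy = entropy,
        StDev = sdForExt,
        Hash = hash,
        LastModified = lastModified,
        DetectionMethod = detectionMethod,
        ConfidenceScore = confidenceScore,
        suspiciousKeywords = table.concat(matchedPatterns, ', '),
        matchedHeuristics = table.concat(matchedHeuristics, ', ')
    }
end

-- Quote `s` as a single argument for /bin/sh. File names under a web root
-- are chosen by whoever can write there, so every path handed to io.popen
-- must go through this rather than into a double-quoted command string.
local function shellQuote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- List regular files under `directoryPath`, NUL-separated so names that
-- contain newlines are kept intact. Empty list when `find` cannot run.
local function listFiles(directoryPath)
    local names = {}
    local proc = io.popen('find ' .. shellQuote(directoryPath) .. ' -type f -print0')
    if proc then
        local listing = proc:read('*a') or ''
        proc:close()
        for name in listing:gmatch('%Z+') do
            names[#names + 1] = name
        end
    end
    return names
end

-- Whole file content read in binary mode, or nil when it cannot be opened.
local function readFile(path)
    local f = io.open(path, 'rb')
    if not f then
        return nil
    end
    local content = f:read('*a')
    f:close()
    return content
end

-- Lower-case hex SHA-256 of `path` via sha256sum, or nil on failure.
-- The process handle is always closed so a long scan does not leak pipes.
local function sha256Of(path)
    local proc = io.popen('sha256sum ' .. shellQuote(path) .. ' 2>/dev/null')
    if not proc then
        return nil
    end
    local line = proc:read('*l')
    proc:close()
    local digest = line and line:match('^(%x+)')
    return digest and digest:lower() or nil
end

-- Extension of the path's last component (e.g. '.aspx'), or nil when there
-- is none. Dots in directory names are ignored.
local function fileExtension(path)
    local basename = path:match('[^/]*$') or ''
    return basename:match('%.[^.]+$')
end

-- Entropy conditions configured in `fileExtensions` for `path`'s extension,
-- tried as written and then lower-cased so '.ASPX' is not silently skipped.
local function conditionsFor(path)
    local extension = fileExtension(path)
    if not extension then
        return nil
    end
    return fileExtensions[extension] or fileExtensions[extension:lower()]
end

-- True when `path` starts with one of `excludePaths`, compared literally
-- (the previous `find('^'..prefix)` treated the prefix as a Lua pattern).
local function isExcluded(path, excludePaths)
    for _, prefix in ipairs(excludePaths or {}) do
        if path:sub(1, #prefix) == prefix then
            return true
        end
    end
    return false
end

-- True when `entropy` satisfies `condition`
-- ({ operation = 'gt' | 'lt' | 'eq', value = number }).
local function meetsCondition(entropy, condition)
    local operation, value = condition.operation, condition.value
    if operation == 'gt' then
        return entropy > value
    elseif operation == 'lt' then
        return entropy < value
    elseif operation == 'eq' then
        return entropy == value
    end
    return false
end

-- Build a set of lower-case hex digests from `ignoreHashes`, which may be a
-- plain list of strings (as configured below) or an already-keyed set.
-- Surrounding whitespace and blank entries are dropped. The previous code
-- indexed the list by digest (`ignoreHashes[hash]`), so nothing was ever
-- ignored; upper-case entries also never matched sha256sum's lower-case output.
local function normalizeHashSet(ignoreHashes)
    local set = {}
    for key, value in pairs(ignoreHashes or {}) do
        local entry = type(value) == 'string' and value or key
        if type(entry) == 'string' then
            local digest = entry:match('^%s*(%x+)')
            if digest then
                set[digest:lower()] = true
            end
        end
    end
    return set
end

-- Mask control characters before echoing an untrusted path to the terminal
-- or a log, so a crafted file name cannot forge or hide output lines.
local function displayName(path)
    return (path:gsub('%c', '?'))
end

-- Walk every directory in `directoryPaths`; each file whose extension has
-- entropy conditions in `fileExtensions` is reported as a possible webshell
-- when one condition is met and its SHA-256 is not in `ignoreHashes`.
-- Prints findings and statistics, and also returns the statistics table and
-- the list of result records for callers that want them.
--   directoryPaths: list of directories to walk recursively
--   excludePaths:   list of literal path prefixes to skip (may be nil)
--   ignoreHashes:   list or set of SHA-256 digests to skip (may be nil)
local function scanDirectories(directoryPaths, excludePaths, ignoreHashes)
    local ignored = normalizeHashSet(ignoreHashes)
    local results = {}
    local totalFilesScanned = 0
    local potentialWebshells = 0
    local scanStartTime = os.time()

    for _, directoryPath in ipairs(directoryPaths) do
        for _, file in ipairs(listFiles(directoryPath)) do
            totalFilesScanned = totalFilesScanned + 1
            local conditions = conditionsFor(file)
            if conditions and not isExcluded(file, excludePaths) then
                local content = readFile(file)
                if content then
                    local entropy = getEntropy(content)
                    local hash = sha256Of(file)
                    if not hash then
                        print('Error calculating hash for file: '..displayName(file))
                    elseif not ignored[hash] then
                        for _, condition in ipairs(conditions) do
                            if meetsCondition(entropy, condition) then
                                local matchedPatterns = detectWebshellPatterns(content)
                                local matchedHeuristics = performHeuristicAnalysis(content)
                                local confidenceScore = adjustConfidenceScore(0.5, matchedPatterns, matchedHeuristics)
                                -- Scan time in UTC ('!' prefix), so the 'Z' suffix is honest.
                                -- The file's own mtime is not available without lfs.
                                local lastModified = os.date('!%Y-%m-%dT%H:%M:%SZ')
                                results[#results + 1] = createResultObject(file, entropy, nil, hash, lastModified, 'Entropy-based', confidenceScore, matchedPatterns, matchedHeuristics)
                                print('Possible webshell found: '..displayName(file)..', Entropy: '..entropy..', Hash: '..hash..', Patterns: '..table.concat(matchedPatterns, ', ')..', Heuristics: '..table.concat(matchedHeuristics, ', '))
                                potentialWebshells = potentialWebshells + 1
                                break -- one report per file even if several conditions hold
                            end
                        end
                    end
                end
            end
        end
    end

    if potentialWebshells == 0 then
        print('No evil identified today.')
    end

    local scanStats = {
        TotalFilesScanned = totalFilesScanned,
        PotentialWebshells = potentialWebshells,
        ScanDuration = os.difftime(os.time(), scanStartTime)
    }

    print('Scan completed. Statistics:')
    -- Fixed order so the summary is stable across runs (pairs() is not).
    for _, key in ipairs({ 'TotalFilesScanned', 'PotentialWebshells', 'ScanDuration' }) do
        print(key .. ': ' .. scanStats[key])
    end

    return scanStats, results
end

-- Directories to scan
local directoryPaths = {
    '/opt/shellsweeps/webshells'
}

-- Directories to exclude (literal path prefixes)
local excludePaths = {
    '/path/to/exclude1',
    '/path/to/exclude2',
    '/path/to/exclude3'
}

-- File hashes to ignore (SHA-256, compared case-insensitively)
local ignoreHashes = {
    'FE3F0B4326FF9754CB8B61AA3CEFB465A5308658064EE51C41B0A8B50027728D',
    'B6675117A7B174C3AA2510DDDEFF4221BA6E31005333F47C7239ED5D055BBBDD',
    '54EFA324203B762A03033879057F8A9DB0F7B45C83C8E1A40529CAFF1EB18004',
    '71FE41C6CCB0023576483A1C89929255480A4F5F0F07CFF9A8D2030ECF70E7AE'
}

-- Read the hashes from the file into an array (if needed).
-- When the file exists it replaces the inline list above; blank lines and
-- surrounding whitespace are tolerated by scanDirectories.
local ignoreHashesFilePath = 'path_to_your_file.txt'
local hashFile = io.open(ignoreHashesFilePath, 'r')
if hashFile then
    ignoreHashes = {}
    for line in hashFile:lines() do
        table.insert(ignoreHashes, line)
    end
    hashFile:close()
end

-- Start the scan
scanDirectories(directoryPaths, excludePaths, ignoreHashes)

--------------------------------------------------------------------------------
/ShellSweepPlus.ps1:
--------------------------------------------------------------------------------
1 | <#
2 | ###########################################################################
3 | Script Name: ShellSweepPlus.ps1
4 | Authors: Michael Haag
5 | 
6 | Version: 2.3
7 | Last Modified: 06-18-2024
8 | 
9 | Description:
10 | ShellSweepPlus is the ultimate guardian for your web environments, meticulously designed to detect and neutralize webshells with unparalleled precision. Here are the enhanced features:
11 | 
12 | - Dynamic Scans: Customize scans with `$DirectoryPaths`, `$excludePaths`, and `$ignoreHashes` to fine-tune the search parameters.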
13 | 14 | - Precision Entropy Thresholds: Leverage a sophisticated nested hashtable `$fileExtensions` for tailored entropy thresholds across various file extensions, ensuring pinpoint accuracy in detections. 15 | 16 | - Multi-layered Detection: Integrates 'Entropy-based', 'Standard Deviation-based', and 'Mixed Mode' methods with dynamic weights. This multi-pronged strategy significantly boosts detection reliability. 17 | 18 | - Advanced Static Code Analysis: Utilizes `$suspiciousPatterns` for in-depth pattern-based detections, refining the detection process to catch even the most elusive threats. 19 | 20 | - Entropy Analysis: Employs the `Get-Entropy` function to measure content randomness, aiding in the identification of encrypted or obfuscated malicious content. 21 | 22 | - Enhanced Pattern Detection: Implements `Detect-WebshellPatterns` to identify known malicious patterns, fortifying the security framework. 23 | 24 | - Detailed Result Presentation: Potential threats are displayed in a structured JSON format, simplifying parsing and downstream processing. 25 | 26 | - Comprehensive Logging: Integrated `Write-Verbose` commands offer detailed insights into the script's operations, invaluable for debugging and operational transparency. 27 | 28 | - Heuristic Analysis: Introduces `Perform-HeuristicAnalysis` to detect anomalies based on heuristic rules, enhancing the detection of zero-day webshells. 29 | 30 | Usage: 31 | Specify directories in `$DirectoryPaths` for scanning. 32 | Modify `$suspiciousPatterns` as needed. 33 | Exclude specific directories using `$excludePaths`. 34 | Ignore certain file hashes using `$ignoreHashes` or specify a path with `$ignoreHashesFilePath`. 35 | Execute the script in PowerShell. 36 | 37 | Dependencies: 38 | - PowerShell 5.1 or later 39 | 40 | Notes: 41 | - Execute this script in a test environment initially to understand its behavior and outputs. 
42 | - Always back up crucial data before taking any automated action based on this script's results, and treat the output as candidates for analyst triage rather than a verdict: `$suspiciousPatterns` includes many tokens found in benign ASP.NET pages (e.g. 'String', 'return', 'class', 'false'), so pattern hits alone produce false positives. 43 | - Regularly update the suspicious patterns and entropy thresholds to keep pace with evolving threats, and protect the ignore list: anything able to write `$ignoreHashesFilePath` (or edit `$ignoreHashes`) can whitelist its own webshell, so keep that file outside web-writable locations with restrictive permissions. Note that `$fileExtensions` covers ASP/ASP.NET, JSPX and HTML only while `$heuristicRules` is largely PHP function calls; confirm which files are actually examined before relying on the script for PHP or JSP stacks. 44 | ########################################################################### 45 | #> 46 | 47 | Write-Output @" 48 | ____ _ _ _ ____ ____ _ 49 | / ___|| |__ ___| | / ___|_ _____ ___ _ __ | _ \| |_ _ ___ 50 | \___ \| '_ \ / _ \ | \___ \ \ /\ / / _ \/ _ \ '_ \| |_) | | | | / __| 51 | ___) | | | | __/ | |___) \ V V / __/ __/ |_) | __/| | |_| \__ \ 52 | |____/|_| |_|\___|_|_|____/ \_/\_/ \___|\___| .__/|_| |_|\__,_|___/ 53 | |_| 54 | "@ 55 | 56 | # Entropy thresholds and operations for each file extension using nested array of hashtables, each containing an 'operation' and a 'value'. 57 | $fileExtensions = @{ 58 | '.asp' = @( 59 | @{ 'operation' = 'lt'; 'value' = 0.805376867704514 }, 60 | @{ 'operation' = 'gt'; 'value' = 5.51268104400858 } 61 | ) 62 | '.ashx' = @(@{ 'operation' = 'gt'; 'value' = 3.75840459657413 }) 63 | '.asax' = @(@{ 'operation' = 'gt'; 'value' = 3.7288741494524 }) 64 | '.jspx' = @(@{ 'operation' = 'gt'; 'value' = 4.87651397975203 }) 65 | '.html' = @(@{ 'operation' = 'gt'; 'value' = 4.8738392644771 }) 66 | '.aspx' = @( 67 | @{ 'operation' = 'lt'; 'value' = 0.805376867704514 }, 68 | @{ 'operation' = 'gt'; 'value' = 4.15186444439319 } 69 | ) 70 | } 71 | 72 | # Define weights for detection methods 73 | $weights = @{ 74 | 'Entropy-based' = 0.5 75 | 'Standard Deviation-based' = 0.25 76 | 'Mixed Mode' = 0.15 77 | 'Heuristic-based' = 0.1 78 | } 79 | 80 | # Define suspicious patterns for static code analysis 81 | $suspiciousPatterns = @( 82 | 'server', 83 | 'String', 84 | 'DeflateStream', 85 | 'runat', 86 | 'width', 87 | 'eval', 88 | 'base64_decode', 89 | 'exec', 90 | 'shell_exec', 91 | 'passthru', 92 | 'system', 93 | 'popen', 94 | 'proc_open', 95 | 'false', 96 | 'Value', 97 | 'style', 98 | 'Visible', 99 | 'ToString', 100 | 'Response', 101 | 
'PUBLIC', 102 | 'TableCell', 103 | 'table', 104 | 'TextBox', 105 | 'Write', 106 | 'Request', 107 | 'object', 108 | 'protected', 109 | 'sender', 110 | 'System', 111 | 'align', 112 | 'onclick', 113 | 'catch', 114 | 'EventArgs', 115 | 'height', 116 | 'input', 117 | 'Exception', 118 | 'return', 119 | 'class', 120 | 'ERROR', 121 | 'Button', 122 | 'color', 123 | 'Label', 124 | 'script', 125 | 'center', 126 | 'Message', 127 | 'CssClass', 128 | 'border', 129 | 'Controls', 130 | 'Replace', 131 | 'fileName', 132 | 'TableRow', 133 | 'Length', 134 | 'Session', 135 | 'Namespace', 136 | 'Import', 137 | 'Attributes', 138 | 'Close', 139 | 'ListItem', 140 | 'instr', 141 | 'DataTable', 142 | 'select', 143 | 'directory', 144 | 'action', 145 | 'function', 146 | 'Checked', 147 | 'Count', 148 | 'xseuB', 149 | 'break', 150 | 'foreach', 151 | 'LinkButton', 152 | 'margin', 153 | 'private', 154 | 'javascript', 155 | 'solid', 156 | 'ServerVariables', 157 | 'Cells', 158 | 'QueryString', 159 | 'EnableViewState', 160 | 'Append', 161 | 'className', 162 | 'title', 163 | 'Items', 164 | 'Panel', 165 | 'Bin_Files', 166 | 'Process', 167 | 'Parse', 168 | 'AXSbb', 169 | '100px', 170 | 'innerText', 171 | 'SqlCommand', 172 | 'Dispose', 173 | 'TreeNode', 174 | 'encoding', 175 | 'cellspacing', 176 | 'colspan', 177 | 'command', 178 | 'background', 179 | 'Result', 180 | 'Password', 181 | 'Bin_PostBack', 182 | 'alert', 183 | 'SqlConnection', 184 | 'Substring', 185 | 'Registry', 186 | 'Database', 187 | 'Bin_DataGrid', 188 | 'FileInfo', 189 | 'Bin_H2_Title', 190 | 'default', 191 | 'Version', 192 | 'Properties', 193 | 'DirectoryInfo', 194 | 'IndexOf', 195 | 'SelectedItem', 196 | 'Empty', 197 | 'padding', 198 | 'Success', 199 | 'UrlEncode', 200 | 'Hidden', 201 | 'master', 202 | 'InnerHtml', 203 | 'CheckBox', 204 | 'target', 205 | 'delete', 206 | 'DirectoryEntry', 207 | 'Focus', 208 | 'CellPadding', 209 | 'Environment', 210 | 'Reg_Path', 211 | 'Bin_Error', 212 | 'submit', 213 | 'WICxe', 214 | 'onmouseover', 215 | 
'DropDownList', 216 | 'location', 217 | 'StartInfo', 218 | 'FileAttributes', 219 | 'Columns', 220 | 'StreamWriter', 221 | 'onmouseout', 222 | 'Bin_FileList', 223 | 'Query', 224 | 'MapPath', 225 | 'Content', 226 | 'regkey', 227 | 'right', 228 | 'DataGridItem', 229 | 'Buffer', 230 | 'XP_CmdShell', 231 | 'Regex', 232 | 'OpenSubKey', 233 | 'Exists', 234 | 'Stream', 235 | 'child', 236 | 'DataBind', 237 | 'Bin_Request', 238 | 'TcpClient', 239 | 'FileSize', 240 | 'CommandType', 241 | 'error_x', 242 | 'FullName', 243 | 'datetime', 244 | 'ByVal', 245 | 'INDEX', 246 | 'StreamReader', 247 | 'Microsoft', 248 | 'Language', 249 | 'Convert', 250 | 'Start', 251 | 'bin_cmd', 252 | 'fname', 253 | 'filepath', 254 | 'StringBuilder', 255 | 'textarea', 256 | 'SetAttributes', 257 | 'GetAttributes', 258 | 'DB_NAME', 259 | 'Split', 260 | 'Tables', 261 | 'fpath', 262 | 'ForeColor', 263 | 'newdir', 264 | 'Execute', 265 | 'option', 266 | 'RegistryKey', 267 | 'Bin_upTextBox', 268 | 'LastIndexOf', 269 | 'bottom', 270 | 'SelectedNode', 271 | 'decoration', 272 | 'create', 273 | 'xcleanpath', 274 | 'DataSet', 275 | 'ReadOnly', 276 | 'sp_configure', 277 | 'RECONFIGURE', 278 | 'getall', 279 | 'buttom', 280 | 'clear', 281 | 'UEbTI', 282 | 'rename', 283 | 'Upload', 284 | '_blank', 285 | 'float', 286 | 'Shell', 287 | 'Int32', 288 | 'Transitional', 289 | 'sqlstr', 290 | 'tblname', 291 | 'contents', 292 | 'declare', 293 | 'Format', 294 | 'param', 295 | 'static', 296 | 'ReadToEnd', 297 | 'StartsWith', 298 | 'instream', 299 | 'Nodes', 300 | 'getocmd', 301 | 'Bin_folder', 302 | 'Socket', 303 | 'Bin_path', 304 | 'xhtml1', 305 | 'goaction', 306 | 'Assembly', 307 | 'strResult', 308 | 'SelectedValue', 309 | 'DataSource', 310 | 'XHTML', 311 | 'ElseIf', 312 | 'Arguments', 313 | 'Culture', 314 | 'OleDbConnection', 315 | 'neutral', 316 | 'PublicKeyToken', 317 | 'AutoPostBack', 318 | 'tmpstr', 319 | 'GetValue', 320 | 'White', 321 | 'Please', 322 | 'ltcpClient', 323 | 'Windows', 324 | 'ExecuteNonQuery', 325 | 
'while', 326 | 'AsyncCallback', 327 | 'HKEY_LOCAL_MACHINE', 328 | 'ToLower', 329 | 'Bin_Scroll', 330 | 'GetFileName', 331 | 'SELECTED', 332 | 'B03F5F7F11D50A3A', 333 | 'files', 334 | 'Thread', 335 | 'NVarChar', 336 | 'document', 337 | 'TreeView4', 338 | 'tqstr', 339 | 'AddHeader', 340 | 'history', 341 | 'OleDb', 342 | 'UserName', 343 | 'Bin_DataTable', 344 | 'summary', 345 | 'OleDbDataAdapter', 346 | 'Sp_Oacreate', 347 | 'ToDateTime', 348 | 'Archive', 349 | 'Bin_Action', 350 | 'IpParts1', 351 | 'getselfurl', 352 | 'Bin_DBinfoLabel', 353 | 'Parameters', 354 | 'display', 355 | 'DataGrid', 356 | '009900', 357 | 'rtcpClient', 358 | 'zcg_ShowError', 359 | 'Cmdpro', 360 | 'State', 361 | 'NetworkStream', 362 | 'rootkey', 363 | 'xfile', 364 | 'mydir', 365 | 'where', 366 | 'TextMode', 367 | 'Charset', 368 | 'MSSQL', 369 | 'CloneTime', 370 | 'Bin_IISPanel', 371 | 'myProcessStartInfo', 372 | 'formatpath', 373 | '631px', 374 | 'iisinfo', 375 | 'OleDbCommand', 376 | 'Label_Files', 377 | 'Driver', 378 | 'STATUS', 379 | 'subkey', 380 | 'ArrayList', 381 | 'sysname', 382 | 'chkall', 383 | 'rootkit', 384 | 'accstr', 385 | 'Expanded', 386 | 'backup', 387 | 'LocalMachine', 388 | 'prompt', 389 | 'CONNECT', 390 | 'Bin_LoginPanel', 391 | 'Bin_RegPanel', 392 | 'Bin_SQLPanel', 393 | 'Bin_PortPanel', 394 | 'Bin_SuPanel', 395 | 'Bin_CmdPanel', 396 | 'Bin_AccPanel', 397 | 'Bin_DBmenuPanel', 398 | 'Options', 399 | 'confirm', 400 | 'family', 401 | 'IAsyncResult', 402 | 'SocketFlags', 403 | 'iaMKl', 404 | 'Output', 405 | 'recResult', 406 | '172px', 407 | 'Domain', 408 | 'Bin_dir', 409 | 'Console', 410 | 'Bin_Msg', 411 | 'application', 412 | '52521', 413 | 'Parent', 414 | 'Children', 415 | 'Access', 416 | 'INSERT', 417 | 'overflow', 418 | 'Remove', 419 | 'weight', 420 | 'folder', 421 | 'Provider', 422 | 'SqlDataAdapter', 423 | 'Cookies', 424 | 'scanport', 425 | 'DirectoryServices', 426 | 'Image', 427 | 'PortForward', 428 | 'prostr', 429 | 'TreeView2', 430 | 'Bin_Table', 431 | 'Bin_file', 432 | 
'information', 433 | 'bgcolor', 434 | 'Bin_MenuPanel', 435 | 'Bin_dirPanel', 436 | 'Diagnostics', 437 | 'Upfile', 438 | 'GetFiles', 439 | 'localhost', 440 | 'GetDirectories', 441 | 'CommandText', 442 | 'green', 443 | 'Array', 444 | 'source', 445 | 'xmlns', 446 | 'packet', 447 | 'system32', 448 | 'BackColor', 449 | 'continue', 450 | 'Sysinfo', 451 | 'getspyrootfolder', 452 | 'TreeView3', 453 | 'advanced', 454 | 'Wmi_Function', 455 | '__EVENTTARGET', 456 | 'DOCTYPE', 457 | 'IsMatch', 458 | 'SqlClient', 459 | 'jXkaE', 460 | 'DPrPL', 461 | 'SQL2005', 462 | 'RaTGr', 463 | 'click', 464 | 'sqlrootkit', 465 | 'Bin_Regread', 466 | 'strValueName', 467 | 'Integer', 468 | 'd_file', 469 | 'Connection', 470 | 'AsyncState', 471 | 'objfile', 472 | 'Users', 473 | 'Bin_FilePanel', 474 | 'tempFile', 475 | 'RadioButton', 476 | 'ContentType', 477 | 'ManagementObjectSearcher', 478 | 'uppath', 479 | 'RegexOptions', 480 | 'myprocess', 481 | 'IgnoreCase', 482 | 'LOCAL_ADDR', 483 | 'SqlDbType', 484 | 'MultiLine', 485 | 'Bin_ExecSql', 486 | 'const', 487 | 'PostedFile', 488 | 'HKEY_CLASSES_ROOT', 489 | 'HKEY_CURRENT_USER', 490 | 'ProcessStartInfo', 491 | 'HKEY_USERS', 492 | 'HKEY_CURRENT_CONFIG', 493 | 'filepath2', 494 | 'RawLength', 495 | 'TreeView5', 496 | 'GetParent', 497 | 'Description', 498 | '084B8E', 499 | 'foldername', 500 | 'Getparentdir', 501 | 'DropDownList1', 502 | 'switch', 503 | 'program', 504 | 'OnSelectedIndexChanged', 505 | 'FFFFFF', 506 | 'LastWriteTime', 507 | 'Bin_TextBox_Path', 508 | 'ListBox', 509 | 'change', 510 | 'GetString', 511 | 'method', 512 | 'Sendstr', 513 | 'Bin_Listdir', 514 | 'theform', 515 | 'getjkrev', 516 | 'Page_Load', 517 | 'VALUES', 518 | 'ProcessID', 519 | 'BoundColumn', 520 | 'Match', 521 | 'allfile', 522 | 'AUTHKEY', 523 | 'adoConn', 524 | 'vbhLn', 525 | 'UseShellExecute', 526 | 'PATH_TRANSLATED', 527 | 'Tahoma', 528 | 'Params', 529 | 'PhysicalApplicationPath', 530 | 'dAJTD', 531 | 'RedirectStandardOutput', 532 | 'StandardOutput', 533 | 'dQIIF', 534 | 
'About', 535 | 'OpenConnection', 536 | 'cmdstr', 537 | 'iisstr', 538 | 'PATH_INFO', 539 | 'ShowError', 540 | 'shell_color', 541 | 'Bin_Databind', 542 | 'Black', 543 | 'ConnectionString', 544 | 'GetBytes', 545 | 'hover', 546 | 'MachineName', 547 | 'TableName', 548 | 'dColumn', 549 | '000000', 550 | 'BeginReceive', 551 | 'commandargument', 552 | 'newdir1', 553 | 'oEnum', 554 | 'sp_oamethod', 555 | 'Arial', 556 | 'Control', 557 | 'GetLogicalDrives', 558 | 'current', 559 | 'myString', 560 | 'config', 561 | 'newfile', 562 | 'HttpUtility', 563 | 'OSVersion', 564 | 'SaveAs', 565 | 'Security', 566 | 'ServiceProcess', 567 | 'SelectCommand', 568 | 'TEMP2', 569 | 'getElementById', 570 | 'finally', 571 | 'validateRequest', 572 | 'ToolTip', 573 | '300px', 574 | 'Bin_CopytoTextBox', 575 | 'Login', 576 | 'Bin_SQLRadioButton', 577 | 'form1', 578 | 'modified', 579 | 'patharray', 580 | 'Flush', 581 | 'Disposition', 582 | '763px', 583 | 'Debug', 584 | 'Bin_DBstrTextBox', 585 | 'Threading', 586 | 'getjksend', 587 | 'attachment', 588 | 'ASPXSpy', 589 | 'acctable', 590 | '43958', 591 | 'nowrap', 592 | 'ListBox3', 593 | 'fields_split', 594 | 'mysession', 595 | 'getport', 596 | 'FF0000', 597 | 'Bin_Createfile', 598 | 'SqlDataReader', 599 | 'CreateDirectory', 600 | 'RegularExpressions', 601 | 'Maintenance', 602 | 'PortNo', 603 | 'GetStream', 604 | 'zcg_GetTableRow', 605 | 'Sockets', 606 | 'download', 607 | 'tmpbyte', 608 | 'IPEndPoint', 609 | 'sfile', 610 | 'wscript', 611 | 'GridView1', 612 | 'ClassesRoot', 613 | 'ComputerName', 614 | 'FileManager', 615 | 'UnixTime', 616 | 'Caption', 617 | 'ProcessName', 618 | 'Nothing', 619 | 'DdmPl', 620 | 'Search', 621 | 'showfolder', 622 | 'ListBox4', 623 | 'kQmRu', 624 | 'connstr', 625 | 'Redirect', 626 | 'kRXgt', 627 | 'TEMP1', 628 | 'lyTOK', 629 | 'Win32', 630 | 'oJiym', 631 | 'drivers', 632 | '119px', 633 | 'hwJeS', 634 | 'ljtzC', 635 | 'Bin_Td_Res', 636 | 'ConnectionState', 637 | 'AllowPaging', 638 | 'Verdana', 639 | 'block', 640 | 'HEADER', 641 | 
'FileStream', 642 | 'Boolean', 643 | 'FOOTER', 644 | 'PacketCapture', 645 | 'using', 646 | 'addextendedproc', 647 | 'Timestamp', 648 | 'sp_makewebtask', 649 | 'm_Writer', 650 | 'db_owner', 651 | '0x62696E', 652 | 'GetSize', 653 | 'style3', 654 | 'LastAccessTime', 655 | 'Bin_login', 656 | 'GroupName', 657 | 'DataRow', 658 | 'CreationTime', 659 | 'SQLOLEDB', 660 | 'sysobjects', 661 | 'LocalPort', 662 | 'Localaddress', 663 | 'Clone', 664 | 'ExecuteReader', 665 | 'CurrentUser', 666 | 'Management', 667 | 'IISSpy', 668 | '__File', 669 | 'mywrite', 670 | 'CurrentConfig', 671 | 'fileconfigpath', 672 | 'strTmp', 673 | 'strong', 674 | 'getfs', 675 | 'Bin_ToBase64', 676 | 'Trace', 677 | 'Bin_MainPanel', 678 | 'TreeView1', 679 | 'Bin_CopyTextBox', 680 | 'db_info', 681 | 'TreeView', 682 | 'SERVER_PORT', 683 | 'Bin_SAexecButton', 684 | 'Bin_Accbind', 685 | 'ASCII', 686 | 'oleconn', 687 | 'typeof', 688 | 'is_dir', 689 | '150px', 690 | 'ULOGIN', 691 | 'GetType', 692 | 'normal', 693 | 'innerSubKey', 694 | 'Bin_CFile', 695 | 'Bin_Editfile', 696 | 'LinkLayerType', 697 | 'RemotePort', 698 | 'GetProcesses', 699 | 'Bin_Style_Login', 700 | 'RemoteAddress', 701 | 'ServerIP', 702 | 'PathName', 703 | 'Double', 704 | 'SETDOMAIN', 705 | 'Int64', 706 | 'Label1', 707 | 'packetData', 708 | 'Address', 709 | 'valign', 710 | 'Bin_main', 711 | 'Position', 712 | 'CmdShell', 713 | 'W3SVC', 714 | 'GetLastWriteTime', 715 | 'CreateObject', 716 | 'dbname', 717 | 'OnCheckedChanged', 718 | 'binftp', 719 | 'dirstr', 720 | 'showatt', 721 | 'space', 722 | 'HostName', 723 | 'LogFile', 724 | 'OleDbSchemaGuid', 725 | 'Threads', 726 | 'FromBase64String', 727 | 'GetOleDbSchemaTable', 728 | 'PortScan', 729 | 'SOFTWARE', 730 | 'Matches', 731 | 'operation', 732 | 'Hide_Div', 733 | 'getpath', 734 | 'iisend', 735 | 'AnonymousUserName', 736 | 'scanres', 737 | 'tnQRF', 738 | 'existdir', 739 | 'ListBox5', 740 | 'HTTP_X_FORWARDED_FOR', 741 | 'urldecode', 742 | 'server_name', 743 | 'varchar', 744 | 'vbcrlf', 745 | 'logIt', 
746 | 'Label2', 747 | 'file_name', 748 | 'iisstart', 749 | 'PortMap', 750 | 'mWGEm', 751 | 'sqlname', 752 | 'fileObject', 753 | 'Paste', 754 | 'unknown', 755 | 'Drives', 756 | 'Services', 757 | 'msxsl', 758 | 'SERVER_SOFTWARE', 759 | 'YFcNP', 760 | 'ports', 761 | 'forms', 762 | 'Rport', 763 | 'Documents', 764 | 'Abandon', 765 | 'HttpCookie', 766 | 'XP_dirtree', 767 | 'RegShell', 768 | 'cutboard', 769 | 'lRavM', 770 | 'strQuery', 771 | 'Terminal', 772 | 'openrowset', 773 | 'TdgGU', 774 | 'baseStream', 775 | 'throw', 776 | 'HczyN', 777 | '_timeSpent', 778 | 'zKvOw', 779 | 'ZhWSK', 780 | 'kDgkX', 781 | '120px', 782 | 'FgzeQ', 783 | 'Dstog', 784 | 'VisualBasic', 785 | 'uXevN', 786 | 'lFAvw', 787 | 'Closed', 788 | 'IPAddress', 789 | 'loadpath', 790 | 'lblInfo', 791 | 'oZnZV', 792 | 'nGroup', 793 | 'iDgmL', 794 | 'FTBtf', 795 | 'mtoJb', 796 | 'procedures', 797 | 'ArraySegment', 798 | 'SessionName', 799 | 'aYRwo', 800 | 'pathfile', 801 | 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 802 | 'hOWTm', 803 | 'MyFileStream', 804 | 'dbporta', 805 | 'check', 806 | 'getdataport', 807 | 'lblStatus', 808 | 'vbnewline', 809 | 'objProcessInfo', 810 | 'Bin_ReadOnlyCheckBox', 811 | 'Bin_ResLabel', 812 | 'Bin_DriveList', 813 | 'Bin_AccessTimeTextBox', 814 | 'Bin_AccRadioButton', 815 | 'ConnString', 816 | 'vertical', 817 | 'Bin_Filedel', 818 | 'Bin_CreateTextBox', 819 | 'Bin_CreationTimeTextBox', 820 | 'cellContents', 821 | 'jktest', 822 | 'job_name', 823 | 'GetFileSystemEntries', 824 | 'Bin_DirTextBox', 825 | 'nowdir', 826 | 'Win32_Process', 827 | 'processes', 828 | 'Bin_HiddenCheckBox', 829 | 'kusqlpass', 830 | 'kusqlportstr', 831 | 'DriveInfo', 832 | 'winObj', 833 | 'Bin_Option', 834 | 'kusqlname', 835 | '289px', 836 | 'Bin_Change', 837 | 'subdir', 838 | 'Bin_SystemCheckBox', 839 | 'tblsDt', 840 | 'sqlpass', 841 | 'Bin_ExecButton', 842 | 'ServerBindings', 843 | 'parstr', 844 | '500px', 845 | 'InfoLabel', 846 | 'Bin_SqlDir', 847 | 'Bin_ArchiveCheckBox', 
848 | 'Sqlcmd', 849 | 'Fields_to_Show', 850 | 'Bin_SQLconnTextBox', 851 | 'Bin_LastWriteTimeTextBox', 852 | 'lport', 853 | 'HeaderText', 854 | 'Fields_to_load', 855 | 'RunTable', 856 | 'copystr', 857 | 'copyto', 858 | 'ProtocolType', 859 | 'AddressFamily', 860 | 'InterNetwork', 861 | '200px', 862 | 'Manager', 863 | 'IsPostBack', 864 | 'xtype', 865 | 'SocketType', 866 | 'monospace', 867 | 'lportC', 868 | 'outstr', 869 | 'sqlEx', 870 | 'packets', 871 | 'HARDWARE', 872 | 'IIsWebVirtualDir', 873 | 'deldir', 874 | 'db_conn', 875 | 'Client', 876 | 'Logout', 877 | 'AddressList', 878 | 'uname', 879 | 'ManagementObject', 880 | 'CIMV2', 881 | 'octet', 882 | 'filecontent', 883 | 'absolute', 884 | 'is_file', 885 | 'elements', 886 | 'bportC', 887 | 'object_id', 888 | 'dbport', 889 | 'cursor', 890 | 'Bin_Createdir', 891 | 'dbpass', 892 | 'Courier', 893 | 'WinNT', 894 | 'Xp_Regwrite', 895 | 'running', 896 | 'event', 897 | 'SYSDATABASES', 898 | 'kusqlport', 899 | 'Bin_Span_Drv', 900 | 'network', 901 | 'ChangeDatabase', 902 | 'jkregstr', 903 | 'regstr', 904 | 'EventHandler', 905 | 'fail_description', 906 | 'thisfile', 907 | 'the_StartInfo', 908 | 'RedirectStandardError', 909 | 'Webshell', 910 | 'thatfile', 911 | 'dddddd', 912 | 'TC_USER', 913 | 'CurrentControlSet', 914 | 'oregstr', 915 | 'CloseConnection', 916 | 'PMCacheName', 917 | 's_inf', 918 | 'PreRender', 919 | '759px', 920 | 'Settings', 921 | 'sqlshow', 922 | 'Copyright', 923 | 'Scanner', 924 | 'base64String', 925 | 'CurrentPageIndex', 926 | 'filed', 927 | 'PropertyValueCollection', 928 | 'Refresh', 929 | 'SocketException', 930 | 'PhysicalPath', 931 | 'mycon', 932 | 'Equals', 933 | 'Button1', 934 | 'NewLine', 935 | 'BeginSend', 936 | 'SCRIPT_NAME', 937 | 'CentralProcessor', 938 | 'CanWrite', 939 | 'dpath', 940 | 'bbbbbb', 941 | 'SqlException', 942 | 'GetLastWriteTimeUtc', 943 | 'GetLastAccessTimeUtc', 944 | 'Bin_Data', 945 | 'HtmlEncode', 946 | 'Bin_List_DB', 947 | 'RegisterHiddenField', 948 | 'MACAddress', 949 | 'Priority', 
950 | 'PropertyData', 951 | 'PropertyDataCollection', 952 | 'PropertyDataEnumerator', 953 | 'getElementsByTagName', 954 | 'Bin_Span_FrameVersion', 955 | 'ColumnSpan', 956 | 'SetLastWriteTimeUtc', 957 | 'created', 958 | 'BeginConnect', 959 | 'zcg_WmiDataTable', 960 | 'Bin_H2_Mac', 961 | 'eventArgument', 962 | 'Hashtable', 963 | 'Bin_Button_KillMe', 964 | 'SetCreationTimeUtc', 965 | 'spath', 966 | 'eventTarget', 967 | '333333', 968 | 'IIS_USER', 969 | 'Bin_Button_CreateFile', 970 | 'GetCreationTimeUtc', 971 | 'Bin_Button_CreateDir', 972 | 'PagerStyle', 973 | 'EndSend', 974 | 'ThreadCount', 975 | 'EndReceive', 976 | 'SetLastAccessTimeUtc', 977 | 'ServiceController', 978 | 'LastWriteTimeUtc', 979 | 'Bin_Ul_Sys', 980 | 'Bin_Ul_NetConfig', 981 | 'Bin_Ul_Driver', 982 | 'MD5Pass', 983 | 'Bin_H2_Driver', 984 | 'StartMode', 985 | 'Bin_RegresLabel', 986 | 'https', 987 | 'TimeSpan', 988 | 'EndsWith', 989 | 'underline', 990 | 'RedirectStandardInput', 991 | 'Bin_Span_Sname', 992 | 'Bin_SuresLabel', 993 | 'MaxCount', 994 | 'ShowFolders', 995 | 'FormsAuthentication', 996 | 'selectedIndex', 997 | 'formatfile', 998 | 'RunCmd', 999 | 'HashPasswordForStoringInConfigFile', 1000 | 'IISversion', 1001 | 'jkstream', 1002 | 'kbconn', 1003 | 'disabled', 1004 | 'Demand', 1005 | 'ItemArray', 1006 | 'IsUserTable', 1007 | 'deldomain', 1008 | 'Label_Info', 1009 | 'xdateformat', 1010 | 'WriteFile', 1011 | 'lastvalue', 1012 | 'IpParts2', 1013 | 'ListBox1', 1014 | 'intext', 1015 | 'DataField', 1016 | 'the_rar', 1017 | 'Bin_UpFile', 1018 | 'inline', 1019 | 'strlen', 1020 | 'strIPAddr', 1021 | 'Lucida', 1022 | 'mainSocket', 1023 | 'sql_dir', 1024 | '888px', 1025 | 'resultbox', 1026 | 'separator', 1027 | 'Restr', 1028 | 'oFile', 1029 | 'pconn', 1030 | 'oportstr', 1031 | 'Bin_EditpathTextBox', 1032 | 'Bin_EditTextBox', 1033 | 'Bin_AccinfoLabel', 1034 | 'getdrname', 1035 | 'pcount', 1036 | 'changedata', 1037 | 'Millseconds', 1038 | 'reglaststr', 1039 | 'Bin_FileRN', 1040 | 'getdelneiku', 1041 | 'cboSps', 
1042 | 'HorizontalAlign', 1043 | 'Bin_ScanresLabel', 1044 | 'HeaderStyle', 1045 | 'Bin_FilelistLabel', 1046 | 'MoveNext', 1047 | 'renamedir', 1048 | 'Resolve', 1049 | 'postdata', 1050 | 'checker', 1051 | 'agentcmd', 1052 | 'CheckIsNumber', 1053 | 'Head1', 1054 | 'GridLines', 1055 | 'OBJECTPROPERTY', 1056 | 'htmlend', 1057 | 'conns', 1058 | 'getname', 1059 | 'getzhi', 1060 | 'Bin_CmdLabel', 1061 | 'HHzcY', 1062 | 'HideHidden', 1063 | 'LoginMesFile', 1064 | 'Sumbit', 1065 | 'powershell', 1066 | 'PasswordType', 1067 | 'equiv', 1068 | 'Expire', 1069 | 'BinaryWrite', 1070 | 'owner', 1071 | 'TZOEnable', 1072 | 'TZOKey', 1073 | 'ChangePassword', 1074 | 'enabled', 1075 | 'WebClient', 1076 | 'NeedSecure', 1077 | 'DELETEDOMAIN', 1078 | 'Keyword', 1079 | '0000FF', 1080 | 'Disable', 1081 | 'NoneRN', 1082 | 'LocalAdministrator', 1083 | 'Fixed', 1084 | 'ReceiveBufferSize', 1085 | 'QuotaCurrent', 1086 | 'bytes', 1087 | 'CanRead', 1088 | 'MaxNrUsers', 1089 | 'IdleTimeOut', 1090 | 'SessionTimeOut', 1091 | 'REMOTE_ADDR', 1092 | 'Regular', 1093 | 'AlwaysAllowLogin', 1094 | 'SETUSERSETUP', 1095 | 'MaxUsersLoginPerIP', 1096 | 'HomeDir', 1097 | 'SpeedLimitDown', 1098 | 'SpeedLimitUp', 1099 | 'RatiosCredit', 1100 | 'Ratios', 1101 | 'RelPaths', 1102 | 'RWAMELCDP', 1103 | 'RatioDown', 1104 | 'QuotaEnable', 1105 | 'QuotaMaximum', 1106 | 'raquo', 1107 | 'UDLvA', 1108 | 'Starts', 1109 | 'lRfRj', 1110 | 'PcAnywhere', 1111 | 'mHbjB', 1112 | 'lDODR', 1113 | 'dfile', 1114 | 'ADSPath', 1115 | 'EnableViewStateMac', 1116 | 'vJNsE', 1117 | 'vNCHZ', 1118 | 'SelectQuery', 1119 | 'dbhost', 1120 | 'myStreamReader', 1121 | 'lbjLD', 1122 | 'Renamed', 1123 | 'dtFields', 1124 | 'dbuser', 1125 | 'stNPw', 1126 | 'Cancel', 1127 | 'ADCpk', 1128 | 'XXrLw', 1129 | 'dNohJ', 1130 | 'ORUgV', 1131 | 'iiGFO', 1132 | 'iLVUT', 1133 | 'ArgumentOutOfRangeException', 1134 | 'Bin_Parent', 1135 | 'nxeDR', 1136 | 'tIykC', 1137 | 'IKjwH', 1138 | 'Bin_Button_Driv', 1139 | 'ToUpper', 1140 | 'time1', 1141 | 'PhQTd', 1142 | 
'txtDatabase', 1143 | 'DGCoW', 1144 | 'outType', 1145 | 'CmdPath', 1146 | 'fhAEn', 1147 | 'txtPassword', 1148 | 'Bin_FromBase64', 1149 | 'time2', 1150 | 'myread', 1151 | 'Runtime', 1152 | 'xfileperms', 1153 | 'nbyte', 1154 | 'xparentfolder', 1155 | 'thePath', 1156 | 'FromDateTime', 1157 | 'xplog70', 1158 | 'SRVROLEMEMBER', 1159 | 'stoptime', 1160 | 'copydir', 1161 | 'IS_SRVROLEMEMBER', 1162 | 'sysadmin', 1163 | '600px', 1164 | 'DIFFERENTIAL', 1165 | 'outputfile', 1166 | 'InteropServices', 1167 | '65500', 1168 | 'literal', 1169 | 'GetStartedTime', 1170 | 'gb2312', 1171 | 'no_truncate', 1172 | 'LbReg', 1173 | 'WebAdmin', 1174 | 'tblbox', 1175 | 'IS_MEMBER', 1176 | 'odsole70', 1177 | 'UserInfo', 1178 | 'HTTP_HOST', 1179 | 'jkkudr', 1180 | 'gridResults', 1181 | 'Entries', 1182 | 'deldr', 1183 | 'connku', 1184 | 'getwz', 1185 | 'dData', 1186 | 'editpath', 1187 | 'ClearHeaders', 1188 | 'dbcmda', 1189 | 'exist', 1190 | 'ExpandDepth', 1191 | 'getattstr', 1192 | 'getIP', 1193 | 'gridParameters', 1194 | 'getself', 1195 | 'NewName', 1196 | 'xexistdir', 1197 | 'myscanner', 1198 | 'PortNumber', 1199 | 'local_copy_of_cmd', 1200 | 'jksdr', 1201 | 'PRIMARY', 1202 | 'ThreadStart', 1203 | 'TreeNodeEventArgs', 1204 | 'Login_click', 1205 | 'woanware', 1206 | 'webname', 1207 | 'middle', 1208 | '114px', 1209 | 'rdpwd', 1210 | 'agentdr', 1211 | 'refilename', 1212 | 'STYLE1', 1213 | 'AnonymousUserPass', 1214 | '194px', 1215 | 'zcg_lbtnADS_Click', 1216 | 'Notice', 1217 | 'txtSqlcmd', 1218 | 'OnSelectedNodeChanged', 1219 | 'OnTreeNodeExpanded', 1220 | 'Operate', 1221 | '312px', 1222 | 'btnExecute_Click', 1223 | 'txtcommand2', 1224 | 'shellcmd', 1225 | 'kProcessStartInfo', 1226 | '147px', 1227 | 'kProcess', 1228 | 'kname', 1229 | 'account', 1230 | 'sql_query', 1231 | 'txtCommand1', 1232 | 'TimeZone', 1233 | 'Capacity', 1234 | 'kernel32', 1235 | 'GetValueNames', 1236 | 'DropDownList2', 1237 | 'Inetsrv', 1238 | 'SuExp', 1239 | 'GetSubKeyNames', 1240 | 'Collections', 1241 | 'FileEdit', 1242 | 
'UBound', 1243 | '447px', 1244 | 'Queries', 1245 | 'Anonymous', 1246 | 'PacketCaptureWriter', 1247 | 'passtext', 1248 | 'iframe', 1249 | 'byteData', 1250 | 'maxPacketLength', 1251 | 'portnum', 1252 | 'arraynum', 1253 | 'xfilesize', 1254 | 'ushort', 1255 | 'captureTimestamp', 1256 | 'ufname', 1257 | 'modify', 1258 | 'GridView', 1259 | 'DB_eString', 1260 | 'xfilelastmodified', 1261 | 'Local', 1262 | 'Remote', 1263 | 'ADODB', 1264 | 'ListBoxPro', 1265 | 'letters', 1266 | 'stmrdr', 1267 | 'DataCStr', 1268 | 'txtAuthKey', 1269 | 'Button1_Click', 1270 | 'bin_temp', 1271 | 'Bin_TextBox_Fp', 1272 | 'ToBase64String', 1273 | 'context', 1274 | 'style2', 1275 | 'Win32_UserAccount', 1276 | 'SandBoxMode', 1277 | 'wrong', 1278 | 'DirName', 1279 | '350px', 1280 | 'Engines', 1281 | 'MemoryStream', 1282 | 'CheckAll', 1283 | 'tmpNum', 1284 | 'baidu', 1285 | 'ManagementObjectCollection', 1286 | 'DirectoryName', 1287 | 'MatchCollection', 1288 | '719BC5', 1289 | 'REG_DWORD', 1290 | 'uploaded', 1291 | 'Bin_BackButton_Click', 1292 | 'Bin_AccRadioButton_CheckedChanged', 1293 | 'Bin_AttLabel', 1294 | '0x3C256578656375746520726571756573742822422229253E', 1295 | 'Bin_BakLog', 1296 | 'Begin', 1297 | 'Bin_AttPanel', 1298 | 'Bin_BDButton_Click', 1299 | '765px', 1300 | 'Bin_BakDB', 1301 | 'OverWrite', 1302 | 'usertabdel', 1303 | '240px', 1304 | '157px', 1305 | 'omumastr', 1306 | 'onchange', 1307 | 'SetLastWriteTime', 1308 | 'getqmfilestr', 1309 | 'SetLastAccessTime', 1310 | 'XmlDocument', 1311 | 'WebRoot', 1312 | 'ServerComment', 1313 | 'output_wmi_function_data', 1314 | 'StartIp', 1315 | 'Target_copy_of_cmd', 1316 | 'SetCreationTime', 1317 | 'reglastindex', 1318 | 'EndIP', 1319 | 'FileMode', 1320 | 'getdbstra', 1321 | '68915', 1322 | 'getdbstr', 1323 | 'Create_table_row_with_supplied_colors', 1324 | 'Argument', 1325 | 'agentsql', 1326 | 'text_to_print', 1327 | 'fullpath', 1328 | 'Repair', 1329 | 'struct', 1330 | 'getacctable', 1331 | '129px', 1332 | 'Antak', 1333 | 'regindex', 1334 | 
'configfilestr', 1335 | 'alignValue', 1336 | 'Structure', 1337 | 'getlistku', 1338 | '138px', 1339 | 'quite', 1340 | 'press', 1341 | 'getfolderstr', 1342 | 'getfindmm', 1343 | 'StoredProcedure', 1344 | '760px', 1345 | 'getallfilestr', 1346 | 'enctype', 1347 | '111111', 1348 | 'SA_Exec', 1349 | 'GetEnvironmentVariable', 1350 | 'Encode', 1351 | 'Automation', 1352 | 'rowItems', 1353 | 'columntype', 1354 | '140px', 1355 | 'dbsqlconn', 1356 | 'properties_', 1357 | 'ddlist', 1358 | 'Bin_CopyButton_Click', 1359 | 'gettzm', 1360 | 'IIS_list_Anon_Name_Pass', 1361 | 'Bin_SunameTextBox', 1362 | 'Bin_SuexpButton_Click', 1363 | 'Bin_SucmdTextBox', 1364 | 'Bin_SuButton_Click', 1365 | 'Bin_SQLRadioButton_CheckedChanged', 1366 | 'Bin_SQLButton_Click', 1367 | 'Bin_SetButton_Click', 1368 | 'Bin_ScanipTextBox', 1369 | 'Bin_ScancmdButton_Click', 1370 | 'Bin_Scan', 1371 | 'Bin_SbackButton_Click', 1372 | 'htmlstr', 1373 | 'Bin_SAexecButton_Click', 1374 | 'Bin_SACMDButton_Click', 1375 | 'Bin_RunButton_Click', 1376 | 'Bin_RegreadButton_Click', 1377 | 'Bin_RegButton_Click', 1378 | 'FileButton_Click', 1379 | 'Bin_Process', 1380 | 'Bin_PortsTextBox', 1381 | 'Bin_PortButton_Click', 1382 | 'f1f1f1', 1383 | 'TimeLabel', 1384 | 'Bin_NewFileButton_Click', 1385 | 'Bin_SupassTextBox', 1386 | 'Bin_SuportTextBox', 1387 | 'Bin_Table_File', 1388 | 'jksession', 1389 | 'Item_DataBound', 1390 | 'Item_Command', 1391 | 'txtEndIP', 1392 | 'txtDatabaseServer', 1393 | 'Lb_msg', 1394 | 'tv2str', 1395 | 'exesql', 1396 | 'txtPorts', 1397 | 'Bin_NewdirButton_Click', 1398 | 'Bin_ValueTextBox', 1399 | 'LoginButton_Click', 1400 | 'ToInt32', 1401 | 'loginpass', 1402 | 'loginuser', 1403 | '395px', 1404 | 'LogoutButton_Click', 1405 | 'lstRet', 1406 | 'MainButton_Click', 1407 | 'ToArray', 1408 | 'iiswebpath', 1409 | 'dataconn', 1410 | 'dirpath', 1411 | 'Bin_upButton_Click', 1412 | 'Bin_LogshellButton_Click', 1413 | 'fontColor', 1414 | 'the_Process', 1415 | 'Bin_CmdShellTextBox', 1416 | 'Bin_dbshellButton_Click', 1417 | 
'Bin_ExecButton_Click', 1418 | 'Bin_ErrorLabel', 1419 | 'Bin_EditPanel', 1420 | 'Bin_EditButton_Click', 1421 | 'SQL_SumbitButton_Click', 1422 | 'Distributed', 1423 | 'Bin_Fileatt', 1424 | 'environmentVariables', 1425 | 'the_Reg', 1426 | 'Bin_listButton_Click', 1427 | 'z_index', 1428 | 'Bin_CutButton_Click', 1429 | 'HARDWARE_INFO', 1430 | 'noshade', 1431 | 'Bin_DirButton_Click', 1432 | 'Bin_DBPage', 1433 | 'newdomain', 1434 | 'Bin_Filedown', 1435 | 'txtUserId', 1436 | 'Bin_FileLabel', 1437 | 'multipart', 1438 | 'mustAdd', 1439 | 'destr', 1440 | 'txtStartIP', 1441 | 'dabaodz', 1442 | 'delfolderstr', 1443 | 'Bin_KeyTextBox', 1444 | 'Bin_FileEdit', 1445 | 'Bin_CmdButton_Click', 1446 | 'Bin_CmdPathTextBox', 1447 | 'Bin_iisLabel', 1448 | 'Bin_GoButton_Click', 1449 | 'Bin_IISButton_Click', 1450 | 'Bin_iisinfo', 1451 | 'InvokeMethod', 1452 | 'Thanks', 1453 | 'Offset', 1454 | 'edited_path', 1455 | 'example', 1456 | 'boxid', 1457 | 'Strings', 1458 | 'BorderWidth', 1459 | 'Label_Drives', 1460 | 'Sleep', 1461 | 'TextBox_FDName', 1462 | '789px', 1463 | 'active', 1464 | 'childname', 1465 | 'GetWebName', 1466 | 'UserDomainName', 1467 | 'datas', 1468 | 'proException', 1469 | '21232f297a57a5a743894a0e4a801fc3', 1470 | 'PropertyNames', 1471 | 'Timeout', 1472 | 'html_onload', 1473 | 'html_script', 1474 | 'html_title', 1475 | 'window', 1476 | '304px', 1477 | 'HttpPostedFile', 1478 | 'curfile', 1479 | 'nReceived', 1480 | 'bContinueCapturing', 1481 | 'pointer', 1482 | 'Drawing', 1483 | 'RegisterStartupScript', 1484 | 'fcont', 1485 | 'visited', 1486 | 'passw', 1487 | 'xfileopen', 1488 | 'Resume', 1489 | 'table_name', 1490 | 'html_head', 1491 | 'tbody', 1492 | 'uploadfile', 1493 | 'DBConn', 1494 | 'Exploit', 1495 | 'Subtract', 1496 | 'Cryptography', 1497 | 'Connected', 1498 | 'Bin_Textarea_Query', 1499 | 'IIS_PASS', 1500 | 'zcg_MakeADSLinkJs', 1501 | 'MySql', 1502 | 'Bin_Target', 1503 | 'AspCompat', 1504 | 'onserverclick', 1505 | 'Bin_TextArea_Search', 1506 | 'Compression', 1507 | 
'GetCreationTime', 1508 | 'Bin_DataGrid_Wmi', 1509 | 'Principal', 1510 | 'IPHostEntry', 1511 | 'NumericPages', 1512 | 'found', 1513 | 'seldbname', 1514 | 'jk1986', 1515 | '______', 1516 | 'IsSqlServer', 1517 | 'IsNullOrEmpty', 1518 | 'CCCCCC', 1519 | 'BorderStyle', 1520 | 'dtKeys', 1521 | 'resultSQL', 1522 | 'Terminate', 1523 | 'objectSid', 1524 | 'NewRow', 1525 | 'SQLExec', 1526 | 'ModifyTime', 1527 | 'DllImport', 1528 | 'FileAccess', 1529 | 'ServiceName', 1530 | 'DatabaseBackup', 1531 | 'Extension', 1532 | 'Manufacturer', 1533 | 'makewebtask', 1534 | 'LoginHours', 1535 | 'InputStream', 1536 | 'LogBackup', 1537 | 'invalid', 1538 | 'TrimEnd', 1539 | 'txtport', 1540 | 'txtpackets', 1541 | 'layout', 1542 | 'extern', 1543 | 'opendatasource', 1544 | 'txtlogfile', 1545 | 'DownloadFile', 1546 | 'DefaultValue', 1547 | 'ProcessorNameString', 1548 | 'GetEnumerator', 1549 | 'Assistant', 1550 | 'SubKeyCount', 1551 | 'completed', 1552 | 'Win32_TimeZone', 1553 | 'BasePriority', 1554 | 'computer', 1555 | 'Win32_Service', 1556 | 'Framework', 1557 | 'Win32_PhysicalMemory', 1558 | 'SandBox', 1559 | 'Win32_NetworkAdapterConfiguration', 1560 | 'scanned', 1561 | 'Win32_BIOS', 1562 | 'Win32_SystemDriver', 1563 | 'TABLE_CATALOG', 1564 | 'EndConnect', 1565 | 'TABLE_SCHEMA', 1566 | 'FileList', 1567 | 'GetServices', 1568 | 'TABLE_PROPID', 1569 | 'var_value', 1570 | 'xfilesave', 1571 | 'wBind', 1572 | 'zcg_Rename', 1573 | 'UPDATE', 1574 | 'xfname', 1575 | 'xnewfile', 1576 | 'downfilestr', 1577 | 'xmldoc', 1578 | 'xnewconnect', 1579 | 'xparsefilesize', 1580 | 'tzcode', 1581 | 'dirInfo', 1582 | 'drive', 1583 | 'errReturn', 1584 | 'zcg_tbl_ADSViewer', 1585 | 'dlink', 1586 | 'txtSqlName', 1587 | 'xdname', 1588 | 'zcg_txbADSPath', 1589 | 'xnewchild', 1590 | 'zcg_txbADSType', 1591 | 'xsldoc', 1592 | 'dirstr1', 1593 | 'WorkingSet', 1594 | 'var_description', 1595 | 'xServerIP', 1596 | 'dport', 1597 | 'WinExec', 1598 | 'var_name', 1599 | 'xnewfolder', 1600 | 'jksend', 1601 | 'execution', 1602 | 
'gmcode', 1603 | 'objmanage', 1604 | 'oFileSys', 1605 | 'oleda', 1606 | 'oleds', 1607 | 'Order', 1608 | 'oScript', 1609 | 'osqldatabasestr', 1610 | 'osqlnamestr', 1611 | 'osqlpassstr', 1612 | 'output_wmi_function_data_instances', 1613 | 'parentdir', 1614 | 'getqmstr', 1615 | 'getprocess', 1616 | 'pesan', 1617 | 'getmmstr', 1618 | 'plaste', 1619 | 'portarray', 1620 | 'getjkdeldomain', 1621 | 'getfilex', 1622 | 'getfilestr', 1623 | 'getfile', 1624 | 'providerObj', 1625 | 'numDataBytes', 1626 | 'nTime', 1627 | 'GridView2', 1628 | 'nodeObj', 1629 | 'iswriteable', 1630 | 'LbScan', 1631 | 'lbuffer', 1632 | 'IpList', 1633 | 'ListBox2', 1634 | 'Listen', 1635 | 'local_dir', 1636 | 'localurl', 1637 | 'Initial', 1638 | 'logNextPacket', 1639 | 'iisusername', 1640 | 'qmcode', 1641 | 'iisdk', 1642 | 'MemorySize', 1643 | 'htmlspecialchars', 1644 | 'minisizepacket', 1645 | 'holepath', 1646 | 'my_s_ftp', 1647 | 'my_s_http_post', 1648 | 'my_s_smtp', 1649 | 'myTableName', 1650 | 'names', 1651 | 'netcat', 1652 | 'newjc', 1653 | 'IIsComputerObj', 1654 | 'txtCmdIn', 1655 | 'getdelkustr', 1656 | 'rbuffer', 1657 | 'sutc1', 1658 | 'syslog', 1659 | 'SystemDirectory', 1660 | 'filemtime', 1661 | 'filelocal', 1662 | 'TableColumn', 1663 | 'filego', 1664 | 'tblPkName', 1665 | 'tblRun', 1666 | 'tempDrives', 1667 | 'filectime', 1668 | 'fileatime', 1669 | 'FileAct', 1670 | 'TextBox1', 1671 | 'TextBoxReadDir', 1672 | 'TextBoxRenameTo', 1673 | 'the_Info', 1674 | 'the_Obj', 1675 | 'thisChar', 1676 | 'thisData', 1677 | 'faction', 1678 | 'explorer', 1679 | 'TreeView4_SelectedNodeChanged', 1680 | 'Surround_by_TD_and_Bold', 1681 | 'Surround_by_TD', 1682 | 'FileShare', 1683 | 'FileUpload1', 1684 | 'getdbfileall', 1685 | 'Getdbfilea', 1686 | 'getcontent', 1687 | 'getcfile', 1688 | 'regImg', 1689 | 'getallstr', 1690 | 'RegValue', 1691 | 'remoteurl', 1692 | 'returns', 1693 | 'revstr', 1694 | 'fsize', 1695 | 'getdelfolder', 1696 | 'rowItem', 1697 | 's_driver', 1698 | 'savefile', 1699 | 'ScanPorts', 1700 | 
'ScanResults', 1701 | 'sport', 1702 | 'Stack', 1703 | 'firstfield', 1704 | 'strIP', 1705 | 'final', 1706 | 'filewant', 1707 | 'fileurl', 1708 | 'rowspan', 1709 | 'directories', 1710 | '_____', 1711 | '381px', 1712 | 'center_', 1713 | 'cmdw32', 1714 | 'cmdwsh', 1715 | 'cfile', 1716 | '268px', 1717 | '274px', 1718 | '286px', 1719 | 'cfolderstr', 1720 | 'CheckBox1', 1721 | 'could', 1722 | 'BindData', 1723 | 'CheckBox2', 1724 | 'decimal', 1725 | 'CheckBox3', 1726 | 'Bin_Table_Reg', 1727 | 'AspNetHostingPermission', 1728 | '356px', 1729 | 'AspNetHostingPermissionLevel', 1730 | '_Value', 1731 | 'curpart', 1732 | 'Accounts', 1733 | '003300', 1734 | '595px', 1735 | 'catalog', 1736 | 'applog', 1737 | 'ContentLength', 1738 | 'btnLogin', 1739 | 'db_cmd', 1740 | 'DB_DataGrid', 1741 | 'btnLogin_Click', 1742 | 'db_ds', 1743 | '211px', 1744 | 'Bin_List_SelectedIndexChanged', 1745 | 'Bin_List_Connstr', 1746 | 'Bin_TextBox_Sp', 1747 | 'Bin_TextBox_Sp1', 1748 | 'db_schemaTable', 1749 | 'ADSSettings', 1750 | 'daboml', 1751 | 'ADSUserName', 1752 | 'cmdshow', 1753 | 'dbowner', 1754 | '153px', 1755 | '270px', 1756 | '560px', 1757 | '170px', 1758 | 'CommandEventArgs', 1759 | '_CaptureTimestamp', 1760 | '174px', 1761 | '154px', 1762 | 'checkname', 1763 | 'CheckBox4', 1764 | '_BaseStream', 1765 | '160px', 1766 | '155px', 1767 | 'DictionaryEntry', 1768 | '169px', 1769 | 'auser', 1770 | 'Unknow', 1771 | 'OREpx', 1772 | '258px', 1773 | 'details', 1774 | 'JJjbW', 1775 | 'admin', 1776 | 'ImportRow', 1777 | 'nDrive', 1778 | 'RsqhW', 1779 | 'ZSnXu', 1780 | 'ParseControl', 1781 | 'DataGridPageChangedEventArgs', 1782 | 'Started', 1783 | 'subpath', 1784 | 'WriteLine', 1785 | 'GetDriveTypeA', 1786 | 'VARIABLES', 1787 | 'DataTextField', 1788 | 'JEaxV', 1789 | 'xaGwl', 1790 | 'DataAvailable', 1791 | 'KHbEd', 1792 | 'enter', 1793 | 'readreg_Click', 1794 | 'EntryPoint', 1795 | 'FindControl', 1796 | '666px', 1797 | 'PageSize', 1798 | 'RegStack', 1799 | 'CDRom', 1800 | 'JIAKU', 1801 | 
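'CommandEventHandler',
    'wmgnK',
    'OLJFp',
    'CmUCh',
    'Removable',
    'NewPageIndex',
    'permission',
    'QcZPA',
    'baVJV',
    'CompareMethod',
    '950px',
    'Creat',
    'OnPageIndexChanged',
    'JScript',
    'CommandLine',
    'timeSpent'
)

# Heuristic rules for heuristic analysis.
# Each 'pattern' is tried against the raw file text with -match (a
# case-insensitive .NET regex); on a hit the 'description' is reported.
# Every matching rule adds to the confidence score in Adjust-ConfidenceScore,
# so the list is kept free of duplicates (the same function listed twice used
# to count a single call site twice) and every function name is anchored with
# \b so that e.g. 'exec\(' no longer also fires on 'shell_exec(' or
# 'curl_exec(' and 'file\(' no longer fires on 'readfile('.
$heuristicRules = @(
    @{ 'pattern' = '\beval\('; 'description' = 'Use of eval function' },
    @{ 'pattern' = '\bbase64_decode\('; 'description' = 'Use of base64_decode function' },
    @{ 'pattern' = '\bshell_exec\('; 'description' = 'Use of shell_exec function' },
    @{ 'pattern' = '\bproc_open\('; 'description' = 'Use of proc_open function' },
    @{ 'pattern' = '\bpopen\('; 'description' = 'Use of popen function' },
    @{ 'pattern' = '\bpassthru\('; 'description' = 'Use of passthru function' },
    @{ 'pattern' = '\bsystem\('; 'description' = 'Use of system function' },
    @{ 'pattern' = '\bexec\('; 'description' = 'Use of exec function' },
    @{ 'pattern' = '\bassert\('; 'description' = 'Use of assert function' },
    @{ 'pattern' = '\bcreate_function\('; 'description' = 'Use of create_function' },
    @{ 'pattern' = '\binclude\('; 'description' = 'Use of include function' },
    @{ 'pattern' = '\brequire\('; 'description' = 'Use of require function' },
    @{ 'pattern' = '\binclude_once\('; 'description' = 'Use of include_once function' },
    @{ 'pattern' = '\brequire_once\('; 'description' = 'Use of require_once function' },
    @{ 'pattern' = '\bfile_get_contents\('; 'description' = 'Use of file_get_contents function' },
    @{ 'pattern' = '\bfopen\('; 'description' = 'Use of fopen function' },
    @{ 'pattern' = '\bfread\('; 'description' = 'Use of fread function' },
    @{ 'pattern' = '\bfwrite\('; 'description' = 'Use of fwrite function' },
    @{ 'pattern' = '\bcurl_exec\('; 'description' = 'Use of curl_exec function' },
    @{ 'pattern' = '\bcurl_multi_exec\('; 'description' = 'Use of curl_multi_exec function' },
    @{ 'pattern' = '\bparse_ini_file\('; 'description' = 'Use of parse_ini_file function' },
    @{ 'pattern' = '\bshow_source\('; 'description' = 'Use of show_source function' },
    @{ 'pattern' = '\bgzinflate\('; 'description' = 'Use of gzinflate function' },
    @{ 'pattern' = '\bstr_rot13\('; 'description' = 'Use of str_rot13 function' },
    @{ 'pattern' = '\bgzuncompress\('; 'description' = 'Use of gzuncompress function' },
    @{ 'pattern' = '\bgzdecode\('; 'description' = 'Use of gzdecode function' },
    @{ 'pattern' = '\bpreg_replace_callback\('; 'description' = 'Use of preg_replace_callback function' },
    @{ 'pattern' = '\bcall_user_func\('; 'description' = 'Use of call_user_func function' },
    @{ 'pattern' = '\bcall_user_func_array\('; 'description' = 'Use of call_user_func_array function' },
    @{ 'pattern' = '\barray_map\('; 'description' = 'Use of array_map function' },
    @{ 'pattern' = '\barray_walk\('; 'description' = 'Use of array_walk function' },
    @{ 'pattern' = '\barray_filter\('; 'description' = 'Use of array_filter function' },
    @{ 'pattern' = '\barray_reduce\('; 'description' = 'Use of array_reduce function' },
    @{ 'pattern' = '\bregister_shutdown_function\('; 'description' = 'Use of register_shutdown_function' },
    @{ 'pattern' = '\bregister_tick_function\('; 'description' = 'Use of register_tick_function' },
    @{ 'pattern' = '\bob_start\('; 'description' = 'Use of ob_start function' },
    @{ 'pattern' = '\bob_get_contents\('; 'description' = 'Use of ob_get_contents function' },
    @{ 'pattern' = '\bob_get_clean\('; 'description' = 'Use of ob_get_clean function' },
    @{ 'pattern' = '\bob_end_clean\('; 'description' = 'Use of ob_end_clean function' },
    @{ 'pattern' = '\bob_flush\('; 'description' = 'Use of ob_flush function' },
    @{ 'pattern' = '\bbase64_encode\('; 'description' = 'Use of base64_encode function' },
    @{ 'pattern' = '\bstrrev\('; 'description' = 'Use of strrev function' },
    @{ 'pattern' = '\bstr_replace\('; 'description' = 'Use of str_replace function' },
    @{ 'pattern' = '\bpreg_match\('; 'description' = 'Use of preg_match function' },
    @{ 'pattern' = '\bpreg_split\('; 'description' = 'Use of preg_split function' },
    @{ 'pattern' = '\bpreg_grep\('; 'description' = 'Use of preg_grep function' },
    @{ 'pattern' = '\bpreg_filter\('; 'description' = 'Use of preg_filter function' },
    @{ 'pattern' = '\bfile_put_contents\('; 'description' = 'Use of file_put_contents function' },
    @{ 'pattern' = '\bfile\('; 'description' = 'Use of file function' },
    @{ 'pattern' = '\breadfile\('; 'description' = 'Use of readfile function' },
    @{ 'pattern' = '\bunlink\('; 'description' = 'Use of unlink function' },
    @{ 'pattern' = '\brename\('; 'description' = 'Use of rename function' },
    @{ 'pattern' = '\bcopy\('; 'description' = 'Use of copy function' },
    @{ 'pattern' = '\bmove_uploaded_file\('; 'description' = 'Use of move_uploaded_file function' },
    @{ 'pattern' = '\bchmod\('; 'description' = 'Use of chmod function' },
    @{ 'pattern' = '\bchown\('; 'description' = 'Use of chown function' },
    @{ 'pattern' = '\bchgrp\('; 'description' = 'Use of chgrp function' },
    @{ 'pattern' = '\btouch\('; 'description' = 'Use of touch function' },
    @{ 'pattern' = '\bheader\('; 'description' = 'Use of header function' },
    @{ 'pattern' = '\bsetcookie\('; 'description' = 'Use of setcookie function' },
    @{ 'pattern' = '\bsession_start\('; 'description' = 'Use of session_start function' },
    @{ 'pattern' = '\bsession_destroy\('; 'description' = 'Use of session_destroy function' },
    @{ 'pattern' = '\bsession_regenerate_id\('; 'description' = 'Use of session_regenerate_id function' },
    @{ 'pattern' = '\bini_set\('; 'description' = 'Use of ini_set function' },
    @{ 'pattern' = '\bini_get\('; 'description' = 'Use of ini_get function' },
    @{ 'pattern' = '\bputenv\('; 'description' = 'Use of putenv function' },
    @{ 'pattern' = '\bgetenv\('; 'description' = 'Use of getenv function' },
    @{ 'pattern' = '\bmail\('; 'description' = 'Use of mail function' },
    @{ 'pattern' = '\bmb_send_mail\('; 'description' = 'Use of mb_send_mail function' },
    @{ 'pattern' = '\bfsockopen\('; 'description' = 'Use of fsockopen function' },
    @{ 'pattern' = '\bpfsockopen\('; 'description' = 'Use of pfsockopen function' },
    @{ 'pattern' = '\bstream_socket_client\('; 'description' = 'Use of stream_socket_client function' },
    @{ 'pattern' = '\bstream_socket_server\('; 'description' = 'Use of stream_socket_server function' },
    @{ 'pattern' = '\bstream_context_create\('; 'description' = 'Use of stream_context_create function' },
    @{ 'pattern' = '\bstream_context_set_option\('; 'description' = 'Use of stream_context_set_option function' },
    @{ 'pattern' = '\bstream_context_get_options\('; 'description' = 'Use of stream_context_get_options function' },
    @{ 'pattern' = '\bstream_filter_append\('; 'description' = 'Use of stream_filter_append function' },
    @{ 'pattern' = '\bstream_filter_prepend\('; 'description' = 'Use of stream_filter_prepend function' },
    @{ 'pattern' = '\bstream_get_contents\('; 'description' = 'Use of stream_get_contents function' },
    @{ 'pattern' = '\bstream_set_blocking\('; 'description' = 'Use of stream_set_blocking function' },
    @{ 'pattern' = '\bstream_set_timeout\('; 'description' = 'Use of stream_set_timeout function' },
    @{ 'pattern' = '\bstream_set_write_buffer\('; 'description' = 'Use of stream_set_write_buffer function' },
    @{ 'pattern' = '\bstream_socket_enable_crypto\('; 'description' = 'Use of stream_socket_enable_crypto function' },
    @{ 'pattern' = '\bstream_socket_shutdown\('; 'description' = 'Use of stream_socket_shutdown function' },
    @{ 'pattern' = '\beval\(base64_decode\('; 'description' = 'Use of eval with base64_decode' },
    # '.*' does not cross a newline, so the '/e' must sit on the same line as the call.
    @{ 'pattern' = '\bpreg_replace\(.*/e'; 'description' = 'Use of preg_replace with /e modifier' },
    @{ 'pattern' = '\bphpinfo\('; 'description' = 'Use of phpinfo function' },
    @{ 'pattern' = '\bget_defined_vars\('; 'description' = 'Use of get_defined_vars function' },
    @{ 'pattern' = '\bget_defined_functions\('; 'description' = 'Use of get_defined_functions function' },
    @{ 'pattern' = '\bget_included_files\('; 'description' = 'Use of get_included_files function' },
    @{ 'pattern' = '\bget_required_files\('; 'description' = 'Use of get_required_files function' },
    @{ 'pattern' = '\bextract\('; 'description' = 'Use of extract function' },
    @{ 'pattern' = '\bparse_str\('; 'description' = 'Use of parse_str function' },
    @{ 'pattern' = '\bmb_ereg_replace\(.*/e'; 'description' = 'Use of mb_ereg_replace with /e modifier' },
    @{ 'pattern' = '\bmb_eregi_replace\(.*/e'; 'description' = 'Use of mb_eregi_replace with /e modifier' },
    @{ 'pattern' = '\bReflectionFunction\('; 'description' = 'Use of ReflectionFunction' },
    @{ 'pattern' = '\bReflectionMethod\('; 'description' = 'Use of ReflectionMethod' },
    @{ 'pattern' = '\bReflectionClass\('; 'description' = 'Use of ReflectionClass' },
    @{ 'pattern' = '\bReflectionObject\('; 'description' = 'Use of ReflectionObject' },
    @{ 'pattern' = '\bReflectionProperty\('; 'description' = 'Use of ReflectionProperty' },
    @{ 'pattern' = '\bReflectionParameter\('; 'description' = 'Use of ReflectionParameter' },
    @{ 'pattern' = '\bReflectionExtension\('; 'description' = 'Use of ReflectionExtension' },
    @{ 'pattern' = '\bReflectionZendExtension\('; 'description' = 'Use of ReflectionZendExtension' }
)

# Calculate the Shannon entropy (bits per character) of a given string.
#   String  - text to measure; mandatory, and PowerShell rejects an empty
#             string for a mandatory [string] parameter, so callers guard with
#             [string]::IsNullOrEmpty first.
#   Returns - [double] in the range 0 .. log2(number of distinct characters).
function Get-Entropy {
    param(
        [Parameter(Mandatory=$true, Position=0)] [string] $String
    )

    $length = $String.Length
    if ($length -eq 0) { return 0 }   # nothing to divide by below

    # Occurrences of each character (case-sensitive: the keys are [char]s).
    # A missing key indexes as $null, which [int] turns into 0.
    $frequency = @{}
    foreach ($char in $String.ToCharArray()) {
        $frequency[$char] = [int]$frequency[$char] + 1
    }

    $entropy = 0.0
    foreach ($count in $frequency.Values) {
        $probability = $count / $length
        $entropy -= $probability * [Math]::Log($probability, 2)
    }

    return $entropy
}

# Return every entry of $suspiciousPatterns that occurs in the file text.
#   FileContent - raw text of the file under analysis.
#   Returns     - array of the matching entries (empty when nothing matched).
# NOTE(review): $suspiciousPatterns is expected to be the keyword list closed
# just above this section; each entry is applied with -match, i.e. as a
# case-insensitive regex, so an entry containing regex metacharacters acts as
# a pattern rather than a literal keyword.
function Detect-WebshellPatterns {
    param(
        [Parameter(Mandatory=$true)] [string] $FileContent
    )

    $matchedPatterns = @()
    foreach ($pattern in $suspiciousPatterns) {
        if ($FileContent -match $pattern) {
            $matchedPatterns += $pattern
        }
    }

    return $matchedPatterns
}

# Return the description of every $heuristicRules entry whose pattern
# matches the file text.
#   FileContent - raw text of the file under analysis.
#   Returns     - array of rule descriptions (empty when nothing matched).
function Perform-HeuristicAnalysis {
    param(
        [Parameter(Mandatory=$true)] [string] $FileContent
    )

    $matchedHeuristics = @()
    foreach ($rule in $heuristicRules) {
        if ($FileContent -match $rule.pattern) {
            $matchedHeuristics += $rule.description
        }
    }

    return $matchedHeuristics
}

# Build the per-file result record that is later serialised to JSON.
#   path, entropy, sdForExt, hash, lastModified, detectionMethod,
#   confidenceScore - copied verbatim into the record.
#   matchedPatterns / matchedHeuristics - joined with ', ' into the optional
#       'suspiciousKeywords' / 'matchedHeuristics' properties, which are only
#       added when non-empty.
#   Returns - a PSCustomObject; [ordered] keeps the JSON key order stable
#             across runs (a plain hashtable enumerates in arbitrary order).
function Create-ResultObject {
    param(
        [string] $path,
        [double] $entropy,
        [double] $sdForExt,
        [string] $hash,
        [string] $lastModified,
        [string] $detectionMethod,
        [double] $confidenceScore,
        [array] $matchedPatterns = @(),
        [array] $matchedHeuristics = @()
    )

    $result = [PSCustomObject][ordered]@{
        'FilePath'        = $path
        'Entropy'         = $entropy
        'StDev'           = $sdForExt
        'Hash'            = $hash
        'LastModified'    = $lastModified
        'DetectionMethod' = $detectionMethod
        'ConfidenceScore' = $confidenceScore
    }

    if ($matchedPatterns.Count -gt 0) {
        $result | Add-Member -MemberType NoteProperty -Name 'suspiciousKeywords' -Value ($matchedPatterns -join ', ')
    }

    if ($matchedHeuristics.Count -gt 0) {
        $result | Add-Member -MemberType NoteProperty -Name 'matchedHeuristics' -Value ($matchedHeuristics -join ', ')
    }

    return $result
}

# Turn a detection method's base weight into a 0..100 confidence score.
#   baseScore         - weight in 0..1; contributes baseScore * 100.
#   matchedPatterns   - keyword hits; each adds 25 points.
#   matchedHeuristics - heuristic rule hits; each adds 25 points.
#   Returns - the sum, capped at 100. Note that 4 hits of either kind already
#             saturate the score regardless of baseScore.
function Adjust-ConfidenceScore {
    param(
        [double] $baseScore,
        [array] $matchedPatterns,
        [array] $matchedHeuristics
    )

    # .Count on an unbound ($null) array parameter is 0, so no guard is needed.
    $hits = $matchedPatterns.Count + $matchedHeuristics.Count
    $confidenceScore = $baseScore * 100 + (0.25 * $hits) * 100

    return [Math]::Min(100, $confidenceScore)
}

# Analyse one gathered file and emit its result as one compact JSON line.
#   file            - hashtable with 'Path', 'Entropy' and 'Hash' (built in
#                     the gathering loop below).
#   detectionMethod - label copied into the result.
#   baseScore       - weight passed to Adjust-ConfidenceScore.
#   sdForExt        - standard deviation of entropy for the file's extension;
#                     it is only reported, never compared against anything.
#   Outputs - a JSON string for every readable, non-empty file (there is no
#             threshold: every file that survives the gathering filters is
#             reported with its score); nothing for unreadable files.
function Process-File {
    param(
        [hashtable] $file,
        [string] $detectionMethod,
        [double] $baseScore,
        [double] $sdForExt = $null
    )

    $entropy = $file['Entropy']
    $path = $file['Path']
    $hash = $file['Hash']

    # -LiteralPath: a name containing '[' or ']' is otherwise treated as a
    # wildcard, so such a file would silently be skipped.
    if (Test-Path -LiteralPath $path) {
        # The trailing 'Z' promises UTC, so take the UTC timestamp rather than
        # local time; otherwise timeline correlation is off by the TZ offset.
        $lastModified = (Get-Item -LiteralPath $path).LastWriteTimeUtc.ToString("yyyy-MM-ddTHH:mm:ssZ")
        $content = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
    } else {
        $lastModified = ""
        $content = ""
    }

    if ([string]::IsNullOrEmpty($content)) {
        Write-Verbose "Skipping file $path as it could not be read."
        return
    }

    $matchedPatterns = Detect-WebshellPatterns -FileContent $content
    $matchedHeuristics = Perform-HeuristicAnalysis -FileContent $content
    $confidenceScore = Adjust-ConfidenceScore -baseScore $baseScore -matchedPatterns $matchedPatterns -matchedHeuristics $matchedHeuristics

    $result = Create-ResultObject -path $path -entropy $entropy -sdForExt $sdForExt -hash $hash -lastModified $lastModified -detectionMethod $detectionMethod -confidenceScore $confidenceScore -matchedPatterns $matchedPatterns -matchedHeuristics $matchedHeuristics

    $result | ConvertTo-Json -Compress
}

# Directories to scan
$DirectoryPaths = @('C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\','C:\inetpub\wwwroot')

# Directories to exclude. These are matched as path prefixes, so a file
# anywhere beneath one of them is skipped; most entries are subdirectories of
# the scan roots, which a root-level comparison alone would never exclude.
$excludePaths = @('C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.1.1713\scripts','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium','C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\','C:\Windows\WinSxS','C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\Current2\version\debug\scripts\','C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Current\scripts\')

# File hashes to ignore. If the list is too long, use the txt file next.
$ignoreHashes = @('FE3F0B4326FF9754CB8B61AA3CEFB465A5308658064EE51C41B0A8B50027728D','B6675117A7B174C3AA2510DDDEFF4221BA6E31005333F47C7239ED5D055BBBDD', '54EFA324203B762A03033879057F8A9DB0F7B45C83C8E1A40529CAFF1EB18004','71FE41C6CCB0023576483A1C89929255480A4F5F0F07CFF9A8D2030ECF70E7AE')

# Path to a txt file containing hashes to ignore (one SHA256 per line)
$ignoreHashesFilePath = Join-Path $PSScriptRoot "ignore.txt"

if (-not (Test-Path -LiteralPath $ignoreHashesFilePath)) {
    # Out-Null: New-Item emits the FileInfo object, which would otherwise be
    # written to stdout in between the JSON result lines.
    New-Item -ItemType File -Path $ignoreHashesFilePath -Force | Out-Null
}

# Hashes from the txt file extend the inline list; whitespace and blank
# lines are dropped so a trailing newline does not become an empty "hash".
$fileHashes = @(Get-Content -LiteralPath $ignoreHashesFilePath | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($fileHashes.Count -gt 0) {
    $ignoreHashes = @($ignoreHashes) + $fileHashes
}

# True when $Path equals, or lies beneath, one of $excludePaths.
# Comparison is case-insensitive and separator-aware, so an exclude of
# '...\scripts' does not also swallow '...\scripts2'.
function Test-ExcludedPath {
    param([string] $Path)

    foreach ($exclude in $excludePaths) {
        $root = $exclude.TrimEnd('\')
        if ($Path.Equals($root, [StringComparison]::OrdinalIgnoreCase) -or
            $Path.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$webshellFound = $false
$allFiles = @()
$entropiesPerExtension = @{}
$potentialWebshells = 0
$totalFilesScanned = 0
$scanStartTime = Get-Date

Write-Verbose "Gathering entropies from specified files..."

# NOTE(review): $fileExtensions and $weights are defined earlier in the script,
# outside this section; $fileExtensions.Keys is assumed to hold extensions
# with their leading dot, as Get-ChildItem reports them.
foreach ($DirectoryPath in $DirectoryPaths) {
    if (Test-ExcludedPath -Path $DirectoryPath) { continue }

    if (-not (Test-Path -LiteralPath $DirectoryPath -PathType Container)) {
        # Surface this rather than silently scanning nothing: a missing scan
        # root on a server that should have it is itself worth a look.
        Write-Warning "Scan directory not found, skipping: $DirectoryPath"
        continue
    }

    $candidates = Get-ChildItem -LiteralPath $DirectoryPath -Recurse -File | Where-Object { $_.Extension -in $fileExtensions.Keys }

    foreach ($item in $candidates) {
        if (Test-ExcludedPath -Path $item.FullName) { continue }

        # A locked or unreadable file used to throw and abort the whole scan;
        # skip it and keep going, but say so on the verbose stream.
        try {
            $content = [System.IO.File]::ReadAllText($item.FullName)
        } catch {
            Write-Verbose "Skipping file $($item.FullName) as it could not be read: $($_.Exception.Message)"
            continue
        }

        if ([string]::IsNullOrEmpty($content)) {
            Write-Verbose "Skipping file $($item.FullName) as it could not be read."
            continue
        }

        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        if ($ignoreHashes -contains $hash) {
            Write-Verbose "Skipping file $($item.FullName) as its hash is on the ignore list."
            continue
        }

        $entropy = Get-Entropy -String $content
        $extension = $item.Extension

        # Add the entropy to the corresponding extension's list
        if (-not $entropiesPerExtension.ContainsKey($extension)) {
            $entropiesPerExtension[$extension] = @()
        }
        $entropiesPerExtension[$extension] += $entropy

        $allFiles += @{
            'Path'    = $item.FullName
            'Entropy' = $entropy
            'Hash'    = $hash
        }
        $totalFilesScanned++
    }
}

# Mean and population standard deviation (divide by N) of entropy per extension.
$statsPerExtension = @{}

foreach ($extension in $entropiesPerExtension.Keys) {
    $entropies = @($entropiesPerExtension[$extension])
    Write-Verbose "Calculating mean entropy for $extension files..."
    $meanEntropy = ($entropies | Measure-Object -Average).Average
    Write-Verbose "Calculating standard deviation for entropy of $extension files..."
    $variance = ($entropies | ForEach-Object { [Math]::Pow($_ - $meanEntropy, 2) } | Measure-Object -Average).Average
    $sdEntropy = [Math]::Sqrt($variance)

    $statsPerExtension[$extension] = @{
        'Mean'              = $meanEntropy
        'StandardDeviation' = $sdEntropy
    }
}

# One pass over every gathered file per detection method. Every pass counts
# and prints its results the same way (the SD and mixed-mode passes used to
# print without counting), so PotentialWebshells is the number of result
# lines emitted, i.e. files x methods, not distinct files.
$detectionModes = @(
    @{ 'Name' = 'Entropy-based';            'Message' = 'Performing entropy-based detection...';            'UseSd' = $false },
    @{ 'Name' = 'Standard Deviation-based'; 'Message' = 'Performing standard deviation-based detection...'; 'UseSd' = $true },
    @{ 'Name' = 'Mixed Mode';               'Message' = 'Performing mixed mode detection...';               'UseSd' = $true },
    @{ 'Name' = 'Heuristic-based';          'Message' = 'Performing heuristic-based detection...';          'UseSd' = $false }
)

foreach ($mode in $detectionModes) {
    Write-Verbose $mode.Message

    foreach ($file in $allFiles) {
        $processArgs = @{
            'file'            = $file
            'detectionMethod' = $mode.Name
            'baseScore'       = $weights[$mode.Name]
        }
        if ($mode.UseSd) {
            $extension = [System.IO.Path]::GetExtension($file['Path'])
            $processArgs['sdForExt'] = $statsPerExtension[$extension]['StandardDeviation']
        }

        $result = Process-File @processArgs
        if ($result) {
            $webshellFound = $true
            $potentialWebshells++
            Write-Output $result
        }
    }
}

if (-not $webshellFound) {
    Write-Output "No potential web shells detected."
}

$scanEndTime = Get-Date
$scanDuration = $scanEndTime - $scanStartTime
$scanStats = @{
    'TotalFilesScanned'  = $totalFilesScanned
    'PotentialWebshells' = $potentialWebshells
    'ScanDuration'       = $scanDuration
}

Write-Output "Scan completed. Statistics:"
Write-Output $scanStats | ConvertTo-Json -Compress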