{"id":13778479,"url":"https://github.com/mkorman90/webshell-protector","last_synced_at":"2025-05-11T12:30:34.855Z","repository":{"id":90494007,"uuid":"138390839","full_name":"mkorman90/webshell-protector","owner":"mkorman90","description":"A small POC of defense from webshells","archived":false,"fork":false,"pushed_at":"2018-06-23T10:10:43.000Z","size":784,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-05-18T21:38:31.781Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mkorman90.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"License.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-06-23T10:05:58.000Z","updated_at":"2022-06-06T06:18:22.000Z","dependencies_parsed_at":"2024-01-15T07:55:09.418Z","dependency_job_id":null,"html_url":"https://github.com/mkorman90/webshell-protector","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorman90%2Fwebshell-protector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorman90%2Fwebshell-protector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorman90%2Fwebshell-protector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkorman90%2Fwebshell-protector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mkorman90","download_url":"https://codeload.github.com/mkorman90/webshell-protector/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224708951,"owners_count":17356521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T18:00:54.126Z","updated_at":"2024-11-17T14:30:28.630Z","avatar_url":"https://github.com/mkorman90.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"faa91844951d2c29b7b571c6e8a3eb54\"\u003e\u003c/a\u003e新添加"],"sub_categories":[],"readme":"# Webhshell Protector\n\nA small POC of a technique to defend a webserver from malicious code execution originating from planted webshells\n\n## How it works:\n1. Using winappdbg we look for a running IIS process (w3wp.exe)\n2. A breakpoint is set on `CreateProcessW`\n3. The `lpCommandLine` parameter is examined, and if it looks malicious, we can null the pointer and execution will be prevented!\n\n* Currently the way I'm checking if the process to be created is really naive, but it can be extended easily to include additional checks, for example a whitelist of file hashes permitted to execute from `w3wp.exe`, a check against VT, etc...\n\n## Demo:\n![alt text](https://github.com/mkorman90/webshell-protector/raw/master/pics/poc.gif)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkorman90%2Fwebshell-protector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmkorman90%2Fwebshell-protector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkorman90%2Fwebshell-protector/lists"}