Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mkorman90/webshell-protector
A small POC of defense from webshells
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/mkorman90/webshell-protector
- Owner: mkorman90
- License: gpl-3.0
- Created: 2018-06-23T10:05:58.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2018-06-23T10:10:43.000Z (over 6 years ago)
- Last Synced: 2024-05-18T21:38:31.781Z (8 months ago)
- Language: Python
- Size: 766 KB
- Stars: 1
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: Readme.md
- License: License.md
Awesome Lists containing this project
- awesome-webshell - **1** star
README
# Webshell Protector
A small POC of a technique to defend a webserver from malicious code execution originating from planted webshells
## How it works:
1. Using winappdbg we look for a running IIS worker process (w3wp.exe)
2. A breakpoint is set on `CreateProcessW`
3. The `lpCommandLine` parameter is examined, and if it looks malicious, we null the pointer so the process creation fails and execution is prevented!*

\* Currently the check on the process about to be created is really naive, but it can easily be extended with additional checks, for example a whitelist of file hashes permitted to execute from `w3wp.exe`, a lookup against VirusTotal (VT), etc.
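The following is an added example, not the project's own code, that sketches the three steps above: the decision logic of step 3 (including the hash allow-list extension the author suggests) is plain Python and runs anywhere, while the winappdbg attach-and-hook part is confined to `run_protector()` and assumes Windows, winappdbg installed, and a 64-bit `w3wp.exe` (the register holding `lpCommandLine` is architecture dependent). The `SUSPICIOUS_IMAGES` set and the `decide()` policy are my constructed assumptions, not the POC's actual heuristic.

```python
import hashlib
import re

# Constructed example policy: interpreters and LOLBins an IIS worker has
# essentially no business launching. The real POC's heuristic is not shown on the page.
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
}


def split_command_line(command_line):
    """Return (image_token, image_name) for a Win32 command line.

    The first token is either a double-quoted path or everything up to the
    first whitespace; image_name is its lower-cased basename with ".exe"
    appended when no extension is given (as CreateProcessW itself does).
    """
    s = command_line.strip()
    if not s:
        return "", ""
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end != -1 else s[1:]
    else:
        token = s.split(None, 1)[0]
    name = re.split(r"[\\/]", token)[-1].lower()
    if name and "." not in name:
        name += ".exe"
    return token, name


def sha256_of(path):
    """SHA-256 of a file on disk, or None if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None


def decide(command_line, allowed_hashes=frozenset(), hasher=sha256_of):
    """Return "allow" or "block" for a CreateProcessW command line.

    Order of checks: an empty/unreadable command line is blocked; a binary whose
    hash is on the allow-list is always allowed; otherwise the naive image-name
    check applies. `hasher` is injectable so the policy can be tested offline.
    """
    token, name = split_command_line(command_line)
    if not name:
        return "block"
    digest = hasher(token) if allowed_hashes else None
    if digest is not None and digest in allowed_hashes:
        return "allow"
    if name in SUSPICIOUS_IMAGES:
        return "block"
    return "allow"


def run_protector(allowed_hashes=frozenset()):
    """Attach to every w3wp.exe and hook kernel32!CreateProcessW (Windows only)."""
    from winappdbg import Debug, EventHandler, System  # lazy import: Windows-only dependency

    class Protector(EventHandler):
        # CreateProcessW takes 10 parameters; winappdbg calls pre_<name> before entry.
        apiHooks = {"kernel32.dll": [("CreateProcessW", 10)]}

        def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine, *rest):
            process = event.get_process()
            cmdline = process.peek_string(lpCommandLine, fUnicode=True) if lpCommandLine else ""
            verdict = decide(cmdline, allowed_hashes)
            print(f"[w3wp pid {process.get_pid()}] CreateProcessW({cmdline!r}) -> {verdict}")
            if verdict == "block":
                # Null lpCommandLine as the README describes. Assumption: on x64 the
                # second argument is in RDX; on x86 it is the second stack slot above
                # the return address. With lpApplicationName also NULL the call fails.
                thread = event.get_thread()
                if process.get_bits() == 64:
                    ctx = thread.get_context()
                    ctx["Rdx"] = 0
                    thread.set_context(ctx)
                else:
                    process.write_pointer(thread.get_sp() + 2 * 4, 0)

    debug = Debug(Protector(), bKillOnExit=False)
    try:
        for process, _filename in System.find_processes_by_filename("w3wp.exe"):
            debug.attach(process.get_pid())
        debug.loop()
    finally:
        debug.stop()


if __name__ == "__main__":
    run_protector()
```

Note that nulling `lpCommandLine` only fails the call when `lpApplicationName` is also NULL, which is how most webshells invoke `cmd.exe`; a call that passes an explicit `lpApplicationName` would need that pointer examined and nulled as well.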
## Demo:
![alt text](https://github.com/mkorman90/webshell-protector/raw/master/pics/poc.gif)