蓝队反钓鱼策略详解<\/h1>

一、前言<\/h2>
本文提供了一套完整的蓝队反钓鱼策略，通过多种技术手段检测系统中的可疑进程和潜在威胁。主要思路是通过IP查找、特殊文件名检查、文件编译器验证和启动项检查来筛选可疑进程，最终以弹窗形式呈现结果。<\/p>

二、总体思路<\/h2>

流量分析<\/strong>：获取所有进程的IP连接，筛选出可疑的外部连接<\/li>
启动项检查<\/strong>：扫描系统启动目录和任务计划中的启动项<\/li>
签名验证<\/strong>：检查进程的数字签名状态<\/li>
行为分析<\/strong>：检测进程的异常行为模式<\/li>

综合评估<\/strong>：结合以上信息判断进程风险等级<\/li> <\/ol>
三、流量分析实现<\/h2>
1. 获取所有进程的IP连接<\/h3>
#include<\/span> <iostream><\/span> <\/span><\/span><\/span>#include<\/span> <fstream><\/span> <\/span><\/span><\/span>#include<\/span> <string><\/span> <\/span><\/span><\/span>#include<\/span> <vector><\/span> <\/span><\/span><\/span>#include<\/span> <winsock2.h><\/span> <\/span><\/span><\/span>#include<\/span> <iphlpapi.h><\/span> <\/span><\/span><\/span>#include<\/span> <windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <tlhelp32.h><\/span> <\/span><\/span><\/span>#include<\/span> <psapi.h><\/span> <\/span><\/span><\/span>#include<\/span> <ws2tcpip.h><\/span> <\/span><\/span><\/span>#pragma comment(lib, "iphlpapi.lib") <\/span><\/span><\/span>#pragma comment(lib, "ws2_32.lib") <\/span><\/span><\/span>#pragma comment(lib, "user32.lib") <\/span><\/span><\/span>#pragma comment(lib, "advapi32.lib") <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 获取进程名称 <\/span><\/span><\/span><\/span>std::<\/span>wstring getProcessName(DWORD pid) { <\/span><\/span> wchar_t<\/span> processName[MAX_PATH] =<\/span> L<\/span>"<未知>"<\/span>; <\/span><\/span> HANDLE hProcess =<\/span> OpenProcess(PROCESS_QUERY_INFORMATION |<\/span> PROCESS_VM_READ, FALSE, pid); <\/span><\/span> if<\/span> (hProcess !=<\/span> NULL) { <\/span><\/span> HMODULE hMod; <\/span><\/span> DWORD cbNeeded; <\/span><\/span> if<\/span> (EnumProcessModules(hProcess, &<\/span>hMod, sizeof<\/span>(hMod), &<\/span>cbNeeded)) { <\/span><\/span> GetModuleBaseNameW(hProcess, hMod, processName, sizeof<\/span>(processName) \/<\/span> sizeof<\/span>(wchar_t<\/span>)); <\/span><\/span> } <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> } <\/span><\/span> return<\/span> std::<\/span>wstring(processName); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 获取进程路径 <\/span><\/span><\/span><\/span>std::<\/span>wstring getProcessPath(DWORD pid) { <\/span><\/span> wchar_t<\/span> processPath[MAX_PATH] =<\/span> L<\/span>"<未知>"<\/span>; <\/span><\/span> HANDLE hProcess =<\/span> OpenProcess(PROCESS_QUERY_INFORMATION |<\/span> PROCESS_VM_READ, FALSE, pid); <\/span><\/span> if<\/span> (hProcess !=<\/span> NULL) { <\/span><\/span> GetModuleFileNameExW(hProcess, NULL, processPath, sizeof<\/span>(processPath) \/<\/span> sizeof<\/span>(wchar_t<\/span>)); <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> } <\/span><\/span> return<\/span> std::<\/span>wstring(processPath); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 枚举所有网络连接 <\/span><\/span><\/span><\/span>void<\/span> enumerateConnections<\/span>() { <\/span><\/span> PMIB_TCPTABLE2 tcpTable; <\/span><\/span> DWORD dwSize =<\/span> 0<\/span>; <\/span><\/span> DWORD dwRetVal =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> tcpTable =<\/span> (MIB_TCPTABLE2*<\/span>)malloc(sizeof<\/span>(MIB_TCPTABLE2)); <\/span><\/span> if<\/span> (tcpTable ==<\/span> NULL) { <\/span><\/span> std::<\/span>cerr <<<\/span> "分配内存时出错"<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> dwSize =<\/span> sizeof<\/span>(MIB_TCPTABLE2); <\/span><\/span> if<\/span> ((dwRetVal =<\/span> GetTcpTable2(tcpTable, &<\/span>dwSize, TRUE)) ==<\/span> ERROR_INSUFFICIENT_BUFFER) { <\/span><\/span> free(tcpTable); <\/span><\/span> tcpTable =<\/span> (MIB_TCPTABLE2*<\/span>)malloc(dwSize); <\/span><\/span> if<\/span> (tcpTable ==<\/span> NULL) { <\/span><\/span> std::<\/span>cerr <<<\/span> "分配内存时出错"<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> ((dwRetVal =<\/span> GetTcpTable2(tcpTable, &<\/span>dwSize, TRUE)) ==<\/span> NO_ERROR) { <\/span><\/span> char<\/span> ipStringBuffer[INET_ADDRSTRLEN]; <\/span><\/span> std::<\/span>wstring output; <\/span><\/span> <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> (int<\/span>)tcpTable-><\/span>dwNumEntries; i++<\/span>) { <\/span><\/span> inet_ntop(AF_INET, &<\/span>tcpTable-><\/span>table[i].dwRemoteAddr, ipStringBuffer, INET_ADDRSTRLEN); <\/span><\/span> std::<\/span>string remoteIp(ipStringBuffer); <\/span><\/span> DWORD pid =<\/span> tcpTable-><\/span>table[i].dwOwningPid; <\/span><\/span> std::<\/span>wstring processName =<\/span> getProcessName(pid); <\/span><\/span> std::<\/span>wstring processPath =<\/span> getProcessPath(pid); <\/span><\/span> <\/span><\/span> output +=<\/span> L<\/span>"程序名称: "<\/span> +<\/span> processName +<\/span> L<\/span>"<\/span>\n<\/span>连接的IP: "<\/span> +<\/span> <\/span><\/span> std::<\/span>wstring(remoteIp.begin(), remoteIp.end()) +<\/span> <\/span><\/span> L<\/span>"<\/span>\n<\/span>程序路径: "<\/span> +<\/span> processPath +<\/span> L<\/span>"<\/span>\n<\/span>--<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>output.empty()) { <\/span><\/span> MessageBoxW(NULL, output.c_str(), L<\/span>"IP 和进程监控"<\/span>, MB_OK); <\/span><\/span> } else<\/span> { <\/span><\/span> MessageBoxW(NULL, L<\/span>"未找到任何连接信息。"<\/span>, L<\/span>"IP 和进程监控"<\/span>, MB_OK); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (tcpTable !=<\/span> NULL) { <\/span><\/span> free(tcpTable); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. IP地址过滤<\/h3> \/\/ 检查IP是否为公网IP <\/span><\/span><\/span><\/span>bool<\/span> isPublicIP<\/span>(const<\/span> std::<\/span>string&<\/span> ip) { <\/span><\/span> unsigned<\/span> int<\/span> octet1, octet2, octet3, octet4; <\/span><\/span> if<\/span> (sscanf_s(ip.c_str(), "%u.%u.%u.%u"<\/span>, &<\/span>octet1, &<\/span>octet2, &<\/span>octet3, &<\/span>octet4) !=<\/span> 4<\/span>) { <\/span><\/span> return<\/span> false; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 排除私有IP范围 <\/span><\/span><\/span><\/span> if<\/span> ((octet1 ==<\/span> 10<\/span>) ||<\/span> \/\/ 10.0.0.0\/8 <\/span><\/span><\/span><\/span> (octet1 ==<\/span> 127<\/span>) ||<\/span> \/\/ 127.0.0.0\/8 (环回地址) <\/span><\/span><\/span><\/span> (octet1 ==<\/span> 192<\/span> &&<\/span> octet2 ==<\/span> 168<\/span>) ||<\/span> \/\/ 192.168.0.0\/16 <\/span><\/span><\/span><\/span> (octet1 ==<\/span> 172<\/span> &&<\/span> (octet2 >=<\/span> 16<\/span> &&<\/span> octet2 <=<\/span> 31<\/span>)) ||<\/span> \/\/ 172.16.0.0\/12 <\/span><\/span><\/span><\/span> (octet1 ==<\/span> 0<\/span>) ||<\/span> \/\/ 0.0.0.0 (无效地址) <\/span><\/span><\/span><\/span> (octet1 ==<\/span> 169<\/span> &&<\/span> octet2 ==<\/span> 254<\/span>)) { \/\/ 169.254.0.0\/16 (APIPA) <\/span><\/span><\/span><\/span> return<\/span> false; <\/span><\/span> } <\/span><\/span> return<\/span> true; <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、启动项检查<\/h2> 1. 扫描启动目录<\/h3> \/\/ 获取目录中的所有文件 <\/span><\/span><\/span><\/span>std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> getFilesInDirectory(const<\/span> std::<\/span>wstring&<\/span> directoryPath) { <\/span><\/span> std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> filePaths; <\/span><\/span> WIN32_FIND_DATA findFileData; <\/span><\/span> HANDLE hFind =<\/span> FindFirstFile((directoryPath +<\/span> L<\/span>"<\/span>\\<\/span>*"<\/span>).c_str(), &<\/span>findFileData); <\/span><\/span> <\/span><\/span> if<\/span> (hFind ==<\/span> INVALID_HANDLE_VALUE) { <\/span><\/span> return<\/span> filePaths; <\/span><\/span> } <\/span><\/span> <\/span><\/span> do<\/span> { <\/span><\/span> const<\/span> std::<\/span>wstring fileOrDirName =<\/span> findFileData.cFileName; <\/span><\/span> if<\/span> (fileOrDirName !=<\/span> L<\/span>"."<\/span> &&<\/span> fileOrDirName !=<\/span> L<\/span>".."<\/span>) { <\/span><\/span> const<\/span> std::<\/span>wstring fullPath =<\/span> directoryPath +<\/span> L<\/span>"<\/span>\\<\/span>"<\/span> +<\/span> fileOrDirName; <\/span><\/span> if<\/span> (!<\/span>(findFileData.dwFileAttributes &<\/span> FILE_ATTRIBUTE_DIRECTORY)) { <\/span><\/span> filePaths.push_back(fullPath); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } while<\/span> (FindNextFile(hFind, &<\/span>findFileData) !=<\/span> 0<\/span>); <\/span><\/span> <\/span><\/span> FindClose(hFind); <\/span><\/span> return<\/span> filePaths; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 检查启动目录 <\/span><\/span><\/span><\/span>void<\/span> checkStartupDirectories<\/span>() { <\/span><\/span> wchar_t<\/span>*<\/span> userName =<\/span> nullptr<\/span>; <\/span><\/span> size_t len =<\/span> 0<\/span>; <\/span><\/span> _wdupenv_s(&<\/span>userName, &<\/span>len, L<\/span>"USERNAME"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 常见启动目录 <\/span><\/span><\/span><\/span> std::<\/span>wstring startupDirectories[] =<\/span> { <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>ProgramData<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Start Menu<\/span>\\<\/span>Programs<\/span>\\<\/span>Startup"<\/span>, <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>Users<\/span>\\<\/span>"<\/span> +<\/span> std::<\/span>wstring(userName) +<\/span> L<\/span>"<\/span>\\<\/span>AppData<\/span>\\<\/span>Roaming<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Start Menu<\/span>\\<\/span>Programs<\/span>\\<\/span>Startup"<\/span>, <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>Users<\/span>\\<\/span>"<\/span> +<\/span> std::<\/span>wstring(userName) +<\/span> L<\/span>"<\/span>\\<\/span>AppData<\/span>\\<\/span>Local<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Startup"<\/span>, <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>Users<\/span>\\<\/span>"<\/span> +<\/span> std::<\/span>wstring(userName) +<\/span> L<\/span>"<\/span>\\<\/span>AppData<\/span>\\<\/span>Roaming<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Startup"<\/span> <\/span><\/span> }; <\/span><\/span> <\/span><\/span> free(userName); <\/span><\/span> std::<\/span>wstring message =<\/span> L<\/span>""<\/span>; <\/span><\/span> <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> directory : startupDirectories) { <\/span><\/span> std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> files =<\/span> getFilesInDirectory(directory); <\/span><\/span> if<\/span> (!<\/span>files.empty()) { <\/span><\/span> message +=<\/span> L<\/span>"在目录 "<\/span> +<\/span> directory +<\/span> L<\/span>" 中找到以下启动项:<\/span>\n<\/span>"<\/span>; <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> file : files) { <\/span><\/span> message +=<\/span> L<\/span>" - "<\/span> +<\/span> file +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> message +=<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>message.empty()) { <\/span><\/span> MessageBoxW(NULL, message.c_str(), L<\/span>"启动项检查"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } else<\/span> { <\/span><\/span> MessageBoxW(NULL, L<\/span>"未检测到各启动目录中的启动项文件。"<\/span>, L<\/span>"启动项检查"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 检查任务计划启动项<\/h3> void<\/span> checkTaskSchedulerStartupItems<\/span>() { <\/span><\/span> std::<\/span>wstring command =<\/span> L<\/span>"schtasks \/query \/fo LIST \/v"<\/span>; <\/span><\/span> std::<\/span>wstring result =<\/span> L<\/span>""<\/span>; <\/span><\/span> <\/span><\/span> FILE*<\/span> pipe =<\/span> _wpopen(command.c_str(), L<\/span>"r"<\/span>); <\/span><\/span> if<\/span> (!<\/span>pipe) { <\/span><\/span> MessageBoxW(NULL, L<\/span>"无法执行任务计划程序查询命令!"<\/span>, L<\/span>"错误"<\/span>, MB_OK |<\/span> MB_ICONERROR); <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> wchar_t<\/span> buffer[1024<\/span>]; <\/span><\/span> while<\/span> (fgetws(buffer, sizeof<\/span>(buffer) \/<\/span> sizeof<\/span>(wchar_t<\/span>), pipe) !=<\/span> NULL) { <\/span><\/span> result +=<\/span> buffer; <\/span><\/span> } <\/span><\/span> _pclose(pipe); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>result.empty()) { <\/span><\/span> MessageBoxW(NULL, result.c_str(), L<\/span>"任务计划启动项"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } else<\/span> { <\/span><\/span> MessageBoxW(NULL, L<\/span>"未检测到任务计划中的启动项。"<\/span>, L<\/span>"任务计划启动项"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>五、签名验证<\/h2> 1. 检查进程签名状态<\/h3> enum<\/span> ProcessSignatureStatus<\/span> { <\/span><\/span> SIGNED_AND_TRUSTED, <\/span><\/span> SIGNED_BUT_NOT_TRUSTED, <\/span><\/span> NOT_SIGNED <\/span><\/span>}; <\/span><\/span> <\/span><\/span>ProcessSignatureStatus checkProcessSignature<\/span>(const<\/span> std::<\/span>wstring&<\/span> processPath) { <\/span><\/span> WINTRUST_FILE_INFO fileInfo =<\/span> { 0<\/span> }; <\/span><\/span> fileInfo.cbStruct =<\/span> sizeof<\/span>(fileInfo); <\/span><\/span> fileInfo.pcwszFilePath =<\/span> processPath.c_str(); <\/span><\/span> <\/span><\/span> WINTRUST_DATA winTrustData =<\/span> { 0<\/span> }; <\/span><\/span> winTrustData.cbStruct =<\/span> sizeof<\/span>(winTrustData); <\/span><\/span> winTrustData.dwUIChoice =<\/span> WTD_UI_NONE; <\/span><\/span> winTrustData.fdwRevocationChecks =<\/span> WTD_REVOKE_NONE; <\/span><\/span> winTrustData.dwUnionChoice =<\/span> WTD_CHOICE_FILE; <\/span><\/span> winTrustData.dwStateAction =<\/span> WTD_STATEACTION_VERIFY; <\/span><\/span> winTrustData.pFile =<\/span> &<\/span>fileInfo; <\/span><\/span> <\/span><\/span> GUID policyGUID =<\/span> WINTRUST_ACTION_GENERIC_VERIFY_V2; <\/span><\/span> LONG status =<\/span> WinVerifyTrust(NULL, &<\/span>policyGUID, &<\/span>winTrustData); <\/span><\/span> <\/span><\/span> winTrustData.dwStateAction =<\/span> WTD_STATEACTION_CLOSE; <\/span><\/span> WinVerifyTrust(NULL, &<\/span>policyGUID, &<\/span>winTrustData); <\/span><\/span> <\/span><\/span> if<\/span> (status ==<\/span> ERROR_SUCCESS) { <\/span><\/span> return<\/span> SIGNED_AND_TRUSTED; <\/span><\/span> } else<\/span> if<\/span> (status ==<\/span> TRUST_E_NOSIGNATURE) { <\/span><\/span> return<\/span> NOT_SIGNED; <\/span><\/span> } else<\/span> { <\/span><\/span> return<\/span> SIGNED_BUT_NOT_TRUSTED; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 检查启动目录中的无签名文件<\/h3> void<\/span> checkStartupDirectoriesForUnsignedFiles<\/span>() { <\/span><\/span> wchar_t<\/span>*<\/span> userName =<\/span> nullptr<\/span>; <\/span><\/span> size_t len =<\/span> 0<\/span>; <\/span><\/span> _wdupenv_s(&<\/span>userName, &<\/span>len, L<\/span>"USERNAME"<\/span>); <\/span><\/span> <\/span><\/span> std::<\/span>wstring startupDirectories[] =<\/span> { <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>ProgramData<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Start Menu<\/span>\\<\/span>Programs<\/span>\\<\/span>Startup"<\/span>, <\/span><\/span> L<\/span>"C:<\/span>\\<\/span>Users<\/span>\\<\/span>"<\/span> +<\/span> std::<\/span>wstring(userName) +<\/span> L<\/span>"<\/span>\\<\/span>AppData<\/span>\\<\/span>Roaming<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>Start Menu<\/span>\\<\/span>Programs<\/span>\\<\/span>Startup"<\/span> <\/span><\/span> }; <\/span><\/span> <\/span><\/span> free(userName); <\/span><\/span> std::<\/span>wstring message =<\/span> L<\/span>""<\/span>; <\/span><\/span> <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> directory : startupDirectories) { <\/span><\/span> std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> files =<\/span> getFilesInDirectory(directory); <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> file : files) { <\/span><\/span> if<\/span> (checkProcessSignature(file) ==<\/span> NOT_SIGNED) { <\/span><\/span> message +=<\/span> L<\/span>"无签名文件: "<\/span> +<\/span> file +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>message.empty()) { <\/span><\/span> MessageBoxW(NULL, message.c_str(), L<\/span>"无签名启动项"<\/span>, MB_OK |<\/span> MB_ICONWARNING); <\/span><\/span> } else<\/span> { <\/span><\/span> MessageBoxW(NULL, L<\/span>"未检测到启动目录中存在无签名文件。"<\/span>, L<\/span>"无签名启动项"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、行为分析与综合检测<\/h2> 1. 检测系统进程伪装<\/h3> bool<\/span> isSystemProcess<\/span>(HANDLE hProcess) { <\/span><\/span> HANDLE hToken =<\/span> NULL; <\/span><\/span> if<\/span> (!<\/span>OpenProcessToken(hProcess, TOKEN_QUERY, &<\/span>hToken)) { <\/span><\/span> return<\/span> false; <\/span><\/span> } <\/span><\/span> <\/span><\/span> DWORD dwSize =<\/span> 0<\/span>; <\/span><\/span> GetTokenInformation(hToken, TokenUser, NULL, 0<\/span>, &<\/span>dwSize); <\/span><\/span> PTOKEN_USER pTokenUser =<\/span> (PTOKEN_USER)malloc(dwSize); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>GetTokenInformation(hToken, TokenUser, pTokenUser, dwSize, &<\/span>dwSize)) { <\/span><\/span> free(pTokenUser); <\/span><\/span> CloseHandle(hToken); <\/span><\/span> return<\/span> false; <\/span><\/span> } <\/span><\/span> <\/span><\/span> WCHAR szName[MAX_PATH]; <\/span><\/span> WCHAR szDomain[MAX_PATH]; <\/span><\/span> DWORD dwNameSize =<\/span> MAX_PATH; <\/span><\/span> DWORD dwDomainSize =<\/span> MAX_PATH; <\/span><\/span> SID_NAME_USE sidType; <\/span><\/span> <\/span><\/span> if<\/span> (LookupAccountSidW(NULL, pTokenUser-><\/span>User.Sid, szName, &<\/span>dwNameSize, szDomain, &<\/span>dwDomainSize, &<\/span>sidType)) { <\/span><\/span> if<\/span> (wcscmp(szName, L<\/span>"SYSTEM"<\/span>) ==<\/span> 0<\/span>) { <\/span><\/span> free(pTokenUser); <\/span><\/span> CloseHandle(hToken); <\/span><\/span> return<\/span> true; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> free(pTokenUser); <\/span><\/span> CloseHandle(hToken); <\/span><\/span> return<\/span> false; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 检测高风险进程名称<\/h3> bool<\/span> isHighRiskProcess<\/span>(const<\/span> std::<\/span>wstring&<\/span> processName, const<\/span> std::<\/span>wstring&<\/span> processPath) { <\/span><\/span> std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> keywords =<\/span> { <\/span><\/span> L<\/span>"PC"<\/span>, L<\/span>"财务"<\/span>, L<\/span>"CW"<\/span>, L<\/span>"2024"<\/span>, L<\/span>"2023"<\/span>, <\/span><\/span> L<\/span>"工资"<\/span>, L<\/span>"报表"<\/span>, L<\/span>"调整"<\/span> <\/span><\/span> }; <\/span><\/span> <\/span><\/span> std::<\/span>wregex extensionPattern(L<\/span>".*<\/span>\\<\/span>.(com|exe|bat)"<\/span>, std::<\/span>regex_constants::<\/span>icase); <\/span><\/span> <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> keyword : keywords) { <\/span><\/span> if<\/span> (processName.find(keyword) !=<\/span> std::<\/span>wstring::<\/span>npos &&<\/span> <\/span><\/span> std::<\/span>regex_match(processPath, extensionPattern)) { <\/span><\/span> return<\/span> true; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> false; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 检测进程自启动<\/h3> bool<\/span> isProcessInAutostart<\/span>(const<\/span> std::<\/span>wstring&<\/span> processPath) { <\/span><\/span> HKEY hKey; <\/span><\/span> LPCWSTR runKeys[] =<\/span> { <\/span><\/span> L<\/span>"SOFTWARE<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>Run"<\/span>, <\/span><\/span> L<\/span>"SOFTWARE<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>RunOnce"<\/span>, <\/span><\/span> L<\/span>"SOFTWARE<\/span>\\<\/span>Wow6432Node<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>Run"<\/span>, <\/span><\/span> L<\/span>"SOFTWARE<\/span>\\<\/span>Wow6432Node<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>RunOnce"<\/span>, <\/span><\/span> L<\/span>"SYSTEM<\/span>\\<\/span>CurrentControlSet<\/span>\\<\/span>Services"<\/span> <\/span><\/span> }; <\/span><\/span> <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span>(runKeys) \/<\/span> sizeof<\/span>(runKeys[0<\/span>]); i++<\/span>) { <\/span><\/span> if<\/span> (RegOpenKeyEx(HKEY_LOCAL_MACHINE, runKeys[i], 0<\/span>, KEY_READ, &<\/span>hKey) ==<\/span> ERROR_SUCCESS) { <\/span><\/span> DWORD index =<\/span> 0<\/span>; <\/span><\/span> wchar_t<\/span> valueName[MAX_PATH]; <\/span><\/span> wchar_t<\/span> data[MAX_PATH]; <\/span><\/span> DWORD valueNameSize =<\/span> MAX_PATH; <\/span><\/span> DWORD dataSize =<\/span> sizeof<\/span>(data); <\/span><\/span> <\/span><\/span> while<\/span> (RegEnumValue(hKey, index, valueName, &<\/span>valueNameSize, NULL, NULL, <\/span><\/span> (LPBYTE)data, &<\/span>dataSize) ==<\/span> ERROR_SUCCESS) { <\/span><\/span> std::<\/span>wstring dataStr(data); <\/span><\/span> if<\/span> (dataStr.find(processPath) !=<\/span> std::<\/span>wstring::<\/span>npos) { <\/span><\/span> RegCloseKey(hKey); <\/span><\/span> return<\/span> true; <\/span><\/span> } <\/span><\/span> index++<\/span>; <\/span><\/span> valueNameSize =<\/span> MAX_PATH; <\/span><\/span> dataSize =<\/span> sizeof<\/span>(data); <\/span><\/span> } <\/span><\/span> RegCloseKey(hKey); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> false; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 综合监控进程<\/h3> void<\/span> monitorProcesses<\/span>() { <\/span><\/span> HANDLE hProcessSnap; <\/span><\/span> PROCESSENTRY32 pe32; <\/span><\/span> pe32.dwSize =<\/span> sizeof<\/span>(PROCESSENTRY32); <\/span><\/span> <\/span><\/span> hProcessSnap =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0<\/span>); <\/span><\/span> if<\/span> (hProcessSnap ==<\/span> INVALID_HANDLE_VALUE) { <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>Process32First(hProcessSnap, &<\/span>pe32)) { <\/span><\/span> CloseHandle(hProcessSnap); <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> std::<\/span>wstring message =<\/span> L<\/span>""<\/span>; <\/span><\/span> <\/span><\/span> do<\/span> { <\/span><\/span> DWORD pid =<\/span> pe32.th32ProcessID; <\/span><\/span> if<\/span> (pid ==<\/span> 0<\/span>) continue<\/span>; <\/span><\/span> <\/span><\/span> HANDLE hProcess =<\/span> OpenProcess(PROCESS_QUERY_INFORMATION |<\/span> PROCESS_VM_READ, FALSE, pid); <\/span><\/span> if<\/span> (hProcess ==<\/span> NULL) continue<\/span>; <\/span><\/span> <\/span><\/span> std::<\/span>wstring processPath =<\/span> getProcessPath(pid); <\/span><\/span> if<\/span> (processPath.find(L<\/span>"C:<\/span>\\<\/span>Windows"<\/span>) !=<\/span> std::<\/span>wstring::<\/span>npos) { <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> continue<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> std::<\/span>wstring processName =<\/span> getProcessName(pid); <\/span><\/span> bool<\/span> isHighRisk =<\/span> isHighRiskProcess(processName, processPath); <\/span><\/span> ProcessSignatureStatus signatureStatus =<\/span> checkProcessSignature(processPath); <\/span><\/span> <\/span><\/span> if<\/span> (signatureStatus ==<\/span> SIGNED_AND_TRUSTED) { <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> continue<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> std::<\/span>vector<<\/span>std::<\/span>wstring><\/span> externalIPs =<\/span> getExternalIPs(pid); <\/span><\/span> if<\/span> (externalIPs.empty()) { <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> continue<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> bool<\/span> hasSuspiciousBehavior =<\/span> detectTrojanBehavior(pid, processPath); <\/span><\/span> bool<\/span> inAutostart =<\/span> isProcessInAutostart(processPath); <\/span><\/span> CloseHandle(hProcess); <\/span><\/span> <\/span><\/span> std::<\/span>wstring processInfo; <\/span><\/span> if<\/span> (isHighRisk) { <\/span><\/span> processInfo =<\/span> L<\/span>"名称伪造高危进程: "<\/span> +<\/span> processName +<\/span> L<\/span>" (PID: "<\/span> +<\/span> <\/span><\/span> std::<\/span>to_wstring(pid) +<\/span> L<\/span>")<\/span>\n<\/span>路径: "<\/span> +<\/span> processPath +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } else<\/span> if<\/span> (signatureStatus ==<\/span> SIGNED_BUT_NOT_TRUSTED) { <\/span><\/span> processInfo =<\/span> L<\/span>"签名伪造高危进程: "<\/span> +<\/span> processName +<\/span> L<\/span>" (PID: "<\/span> +<\/span> <\/span><\/span> std::<\/span>to_wstring(pid) +<\/span> L<\/span>")<\/span>\n<\/span>路径: "<\/span> +<\/span> processPath +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } else<\/span> if<\/span> (signatureStatus ==<\/span> NOT_SIGNED) { <\/span><\/span> processInfo =<\/span> L<\/span>"无签名高危进程: "<\/span> +<\/span> processName +<\/span> L<\/span>" (PID: "<\/span> +<\/span> <\/span><\/span> std::<\/span>to_wstring(pid) +<\/span> L<\/span>")<\/span>\n<\/span>路径: "<\/span> +<\/span> processPath +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } else<\/span> { <\/span><\/span> processInfo =<\/span> L<\/span>"进程: "<\/span> +<\/span> processName +<\/span> L<\/span>" (PID: "<\/span> +<\/span> <\/span><\/span> std::<\/span>to_wstring(pid) +<\/span> L<\/span>")<\/span>\n<\/span>路径: "<\/span> +<\/span> processPath +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> processInfo +=<\/span> L<\/span>" - 检测到外部IP连接:<\/span>\n<\/span>"<\/span>; <\/span><\/span> for<\/span> (const<\/span> auto<\/span>&<\/span> ip : externalIPs) { <\/span><\/span> processInfo +=<\/span> L<\/span>" "<\/span> +<\/span> ip +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (hasSuspiciousBehavior) { <\/span><\/span> processInfo +=<\/span> L<\/span>" - 检测到异常行为<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> (inAutostart) { <\/span><\/span> processInfo +=<\/span> L<\/span>" - 已加启动<\/span>\n<\/span>"<\/span>; <\/span><\/span> } else<\/span> { <\/span><\/span> processInfo +=<\/span> L<\/span>" - 未发现自启动<\/span>\n<\/span>"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> message +=<\/span> processInfo +<\/span> L<\/span>"<\/span>\n<\/span>"<\/span>; <\/span><\/span> } while<\/span> (Process32Next(hProcessSnap, &<\/span>pe32)); <\/span><\/span> <\/span><\/span> CloseHandle(hProcessSnap); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>message.empty()) { <\/span><\/span> MessageBoxW(NULL, message.c_str(), L<\/span>"高危进程监控"<\/span>, MB_OK |<\/span> MB_ICONWARNING); <\/span><\/span> } else<\/span> { <\/span><\/span> MessageBoxW(NULL, L<\/span>"未检测到可疑进程。"<\/span>, L<\/span>"高危进程监控"<\/span>, MB_OK |<\/span> MB_ICONINFORMATION); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>七、主程序逻辑<\/h2> int<\/span> main<\/span>() { <\/span><\/span> \/\/ 检查管理员权限 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>isRunningAsAdmin()) { <\/span><\/span> restartAsAdmin(); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 监控进程 <\/span><\/span><\/span><\/span> monitorProcesses(); <\/span><\/span> <\/span><\/span> \/\/ 检查启动目录中的无签名文件 <\/span><\/span><\/span><\/span> checkStartupDirectoriesForUnsignedFiles(); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>八、关键点总结<\/h2> 管理员权限检查<\/strong>：确保程序以管理员权限运行，才能获取完整的系统信息<\/li> IP连接分析<\/strong>：获取所有进程的网络连接，过滤掉内网IP，重点关注外部连接<\/li> 启动项检查<\/strong>：扫描系统启动目录和注册表启动项，检测异常启动程序<\/li> 数字签名验证<\/strong>：使用WinVerifyTrust API验证进程签名状态<\/li> 行为分析<\/strong>：检测进程是否伪装系统进程、是否有异常行为模式<\/li> 综合评估<\/strong>：结合进程名称、路径、签名状态、网络连接和行为特征判断风险等级<\/li> <\/ol> 这套策略可以有效检测常见的钓鱼攻击和恶意软件行为，特别是那些伪装成正常程序、试图建立外部连接或设置自启动的恶意进程。<\/p>