mkorman90/webshell-protector

Webshell Protector

A small POC of a technique to defend a webserver from malicious code execution originating from planted webshells

How it works:

  1. Using winappdbg we look for a running IIS process (w3wp.exe)
  2. A breakpoint is set on CreateProcessW
  3. The lpCommandLine parameter is examined, and if it looks malicious, we can null the pointer and execution will be prevented!
  • Currently the way I'm checking whether the process to be created is malicious is really naive, but it can be extended easily to include additional checks, for example a whitelist of file hashes permitted to execute from w3wp.exe, a check against VT, etc...
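As an added example (not the project's own code), the three steps above combined with the file-hash whitelist idea from the last bullet: a winappdbg hook on CreateProcessW in w3wp.exe that denies by default unless the child binary's SHA-256 is allowlisted, and nulls lpCommandLine to stop the call. The allowlist digest is a placeholder, and the winappdbg portion only runs on Windows with winappdbg installed; the decision logic is kept separate so it can be exercised anywhere.

```python
"""Added example, not the project's own code: hook CreateProcessW in w3wp.exe with
winappdbg and block children whose SHA-256 is not on an allowlist (deny by default)."""
import hashlib
import shlex

# Constructed allowlist of child binaries w3wp.exe may spawn. Placeholder digest, not a real hash.
ALLOWED_SHA256 = {"<sha256-of-approved-child-binary>"}

def first_token(cmdline):
    """Executable path from an lpCommandLine string; quoted paths are unwrapped.
    Naive on purpose, like the README's check: unquoted paths with spaces are not resolved."""
    parts = shlex.split(cmdline, posix=False)
    return parts[0].strip('"') if parts else ""

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def should_block(cmdline, allowlist=ALLOWED_SHA256, hasher=sha256_of):
    """True unless the child binary hashes to an allowlisted digest; an unreadable binary fails closed."""
    exe = first_token(cmdline)
    if not exe:
        return True
    try:
        return hasher(exe) not in allowlist
    except OSError:
        return True

def install_hook():
    """Attach to every w3wp.exe and null lpCommandLine on blocked calls (Windows + winappdbg only)."""
    from winappdbg import Debug, EventHandler, System  # imported here so the logic above stays importable

    class Guard(EventHandler):
        apiHooks = {"kernel32.dll": [("CreateProcessW", 10)]}  # (API name, parameter count)

        def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine, *rest):
            process, thread = event.get_process(), event.get_thread()
            cmdline = process.peek_string(lpCommandLine, fUnicode=True) if lpCommandLine else ""
            if should_block(cmdline):
                print("blocked CreateProcessW from pid %d: %r" % (process.get_pid(), cmdline))
                if process.get_bits() == 64:
                    thread.set_register("Rdx", 0)  # x64: 2nd argument is passed in RDX
                else:
                    process.write_pointer(thread.get_sp() + 8, 0)  # x86: [esp+8] at function entry

    System.request_debug_privileges()
    debug = Debug(Guard(), bKillOnExit=False)
    for process, _filename in System().find_processes_by_filename("w3wp.exe"):
        debug.attach(process.get_pid())
    debug.loop()
```

Run `install_hook()` as an administrator on the IIS host; with both lpApplicationName and lpCommandLine NULL, CreateProcessW fails and the child never starts.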

Demo:

(animated demo image in the original README, not reproduced here)
