python检测挖矿特征的几种方式
2020-12-12 20:33
标签:datetime ongl for traffic sock 情况 log ext pre 电脑性能上: ①cpu和内存使用率(常见): python 实时得到cpu和内存的使用情况方法_python_脚本之家 ②c盘剩余容量(有的挖矿程序会占用c盘大量空间): Python实现获取磁盘剩余空间的2种方法_python_脚本之家 ③直接对已有挖矿进程库进行杀死: Python3之查看windows下所有进程并杀死指定进程 - Quincy.Coder的博客 - CSDN博客 整理并加上其他功能(流量,端口)完成代码如下: python检测挖矿特征的几种方式 标签:datetime ongl for traffic sock 情况 log ext pre 原文地址:https://www.cnblogs.com/ljy1227476113/p/10998737.html
https://www.jb51.net/article/141835.htm
https://www.jb51.net/article/115604.htm
https://blog.csdn.net/qq_33733970/article/details/80751957 1 #!/usr/bin/python3
2 # coding:utf-8
from tkinter import *
import ctypes
import datetime
import linecache
import os
import platform
import shutil
import socket
import subprocess
import sys
import time

import psutil
import wmi
6
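def net_is_used(port, ip='127.0.0.1', timeout=1.0):
    """Return True when a TCP connect to (ip, port) succeeds.

    A successful connect means something is listening on the port, which
    the author uses as one mining indicator. The outcome is also printed,
    as in the original.

    Args:
        port: TCP port number to probe.
        ip: address to probe; defaults to loopback.
        timeout: seconds to wait for the connect; keeps a silently dropped
            port from blocking the Tk callback indefinitely.

    Returns:
        True if the connect succeeded, False on any socket error.
    """
    # The context manager closes the socket on both paths; the original
    # only shut it down on success and leaked the descriptor on failure.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            s.shutdown(socket.SHUT_RDWR)
        except (OSError, OverflowError):
            # OSError covers refused/timeout; OverflowError is what an
            # out-of-range port raises (the original bare except hid both).
            print('%s:%d is unused' % (ip, port))
            return False
    print('%s:%d is used' % (ip, port))
    return True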
17
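def get_network_flow(os):
    """Sample the TCPv4 segment counters twice, one second apart, and return
    the delta as a "%.2f" string.

    Args:
        os: platform name as returned by platform.system(); the parameter
            name shadows the ``os`` module inside this function, so the
            module must not be used here. Only "Windows" is implemented
            because the counters come from WMI.

    Returns:
        (segments after - segments before) / 1024, formatted "%.2f".
        On any other platform "0.00" is returned so that callers doing
        float(...) on the result do not fail (the original returned None).
    """
    # NOTE(review): Win32_PerfRawData_Tcpip_TCPv4 exposes SegmentsSentPersec /
    # SegmentsReceivedPersec, i.e. TCP *segment* counts, not bytes, so the
    # /1024 scaling and the caller's "KB/s" label are nominal — confirm
    # before tuning a threshold on this value.
    if os != "Windows":
        return "0.00"
    c = wmi.WMI()

    def _total_segments():
        # Sum over every counter instance; the original iterated them all
        # but kept only the last instance's values.
        total = 0.0
        for per_tcp in c.Win32_PerfRawData_Tcpip_TCPv4():
            total += float(per_tcp.SegmentsSentPersec)
            total += float(per_tcp.SegmentsReceivedPersec)
        return total

    before = _total_segments()
    time.sleep(1)
    after = _total_segments()
    return "%.2f" % ((after - before) / 1024)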
32
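def getMemCpu():
    """Return a two-line memory/CPU usage summary and set the global flag n.

    Returns:
        "Memory usage:<int>%\\nCPU:<float>%\\n".

    Side effects:
        Sets the global ``n`` to 1 when memory usage and CPU usage are both
        above 75 % (the author's mining heuristic), else 0.
    """
    global n
    data = psutil.virtual_memory()
    mem_percent = int(round(data.percent))
    # Sample CPU once. The original called cpu_percent(interval=1) twice
    # (two blocking seconds) and compared a different reading from the one
    # it displayed.
    cpu_percent = psutil.cpu_percent(interval=1)
    memory = "Memory usage:%d" % mem_percent + "%\n"
    cpu = "CPU:%0.2f" % cpu_percent + "%\n"
    n = 1 if mem_percent > 75 and cpu_percent > 75 else 0  # ☆☆☆阈值
    return memory + cpu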
45
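def get_free_space_mb(folder):
    """Return the free space of the volume holding *folder*, in GiB.

    Despite the historical name, the Windows branch of the original
    returned bytes / 1024**3 (GiB) and the caller labels the value "G";
    the POSIX branch returned MiB. Both now use GiB.

    shutil.disk_usage(...).free is the same quantity both branches
    computed by hand (TotalNumberOfFreeBytes on Windows,
    f_bavail * f_frsize elsewhere), and it raises OSError for a bad path
    instead of silently reporting 0 as the unchecked
    GetDiskFreeSpaceExW call did.

    Args:
        folder: directory path on the volume of interest (e.g. 'C:\\\\').

    Returns:
        Free space as a float number of GiB.

    Raises:
        OSError: if the path does not exist or cannot be queried.
    """
    return shutil.disk_usage(folder).free / 1024 / 1024 / 1024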
54
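def _read_list_file(name):
    """Return the non-blank, stripped lines of *name* (UTF-8), or [] if the
    file cannot be read.

    The original went through linecache, which keeps a stale copy for the
    life of the process and returns [] on read/decode errors, and stripped
    exactly one trailing character per line (wrong for a last line with no
    newline).
    """
    try:
        with open(name, encoding='utf-8') as fh:
            return [line.strip() for line in fh if line.strip()]
    except (OSError, UnicodeDecodeError):
        return []


def _running_process_names():
    """Return the set of names of running processes, skipping any that
    exit or deny access between listing and inspection."""
    names = set()
    for pid in psutil.pids():
        try:
            names.add(psutil.Process(pid).name())
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    return names


def on_click():
    """Run one detection pass, update the labels and append a log line.

    Indicators (any one sets the global flag ``n`` to 1):
      * memory and CPU both above 75 % (set by getMemCpu);
      * TCP traffic figure above 3000 (author's "KB/s" threshold);
      * a listening port listed one-per-line in port.txt;
      * free space on C: below ``low_free_gb``;
      * a running process whose name is listed in process.txt.

    Side effects: sets globals ``n`` and ``cont`` (the process list, reused
    by on_click4); appends one line to test.txt; updates ``label`` and
    ``message``.
    """
    global n, cont
    os_name = platform.system()  # the original bound this to `os`, shadowing the module
    label['text'] = '正在检测···'
    info = getMemCpu()  # also initialises n to 0 or 1
    free_gb = get_free_space_mb('C:\\')  # queried once, not three times
    info = info + "C free space:%0.2f" % free_gb + "G\n"
    flow = get_network_flow(os_name)
    if float(flow) > 3000:  # ☆☆☆阈值 — author's note: the sample malware used about 3033KB/s
        n = 1
    info = info + "traffic:" + flow + "KB/s"
    # Ports come from port.txt; blank or non-numeric lines are skipped
    # instead of raising inside the Tk callback. A fixed port can be
    # checked the same way with net_is_used(<port>).
    for entry in _read_list_file('port.txt'):
        try:
            port = int(entry)
        except ValueError:
            continue
        if net_is_used(port):
            n = 1
    # Low free space on C:. The original tested `if get_free_space_mb(...)`,
    # which is true for any non-zero value and therefore flagged every run.
    low_free_gb = 1.0  # ☆☆☆阈值 — constructed placeholder, tune per host
    if free_gb < low_free_gb:
        n = 1
    cont = _read_list_file('process.txt')
    if _running_process_names().intersection(cont):
        n = 1
    stamp = time.strftime('%Y%m%d%H%M', time.localtime(time.time()))
    if n == 0:
        message['text'] = '本系统现未遭受挖矿攻击\n' + info
        message['bg'] = 'green'
        status = 'normal'
    else:
        message['text'] = '本系统正在遭受挖矿,紧急!\n' + info
        message['bg'] = 'yellow'
        status = 'warning'
    # Log line layout is what on_click2 parses: YYYYMMDDHHMM status freeGB flow
    middle = stamp + ' ' + status + ' ' + "%.2f" % free_gb + ' ' + flow
    with open('test.txt', 'a', encoding='utf-8') as myfile:
        myfile.write('\n' + middle)
    label['text'] = '完成检测!'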
96
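def on_click2():
    """Show test.txt in the message label, reformatting the YYYYMMDDHHMM
    stamp at the start of each line as YYYY.MM.DD HH:MM.

    Side effects: updates ``label`` and ``message``.
    """
    label['text'] = '日志读取'
    # linecache keeps a per-process copy of the file; without checkcache the
    # view never reflected lines appended by on_click after the first read.
    linecache.checkcache('test.txt')
    content = linecache.getlines('test.txt')
    # The file starts with a newline, so blank lines are skipped rather than
    # rendered as ".. :".
    logs = ''.join(
        line[0:4] + '.' + line[4:6] + '.' + line[6:8] + ' '
        + line[8:10] + ':' + line[10:]
        for line in content
        if line.strip()
    )
    message['text'] = logs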
106
def on_click3():
    """Reset the two labels to their initial welcome state."""
    for widget, key, value in (
        (message, 'text', ''),
        (label, 'text', '欢迎使用本反挖矿系统'),
        (message, 'bg', 'white'),
    ):
        widget[key] = value
111
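def on_click4():
    """Terminate every running process whose image name is listed in
    process.txt (one name per line), then report in the message label.

    Side effects: refreshes the global ``cont`` from process.txt, so the
    button also works before on_click has run (the original raised
    NameError then); runs ``taskkill`` once per matching name; updates
    ``message``.
    """
    global cont
    try:
        with open('process.txt', encoding='utf-8') as fh:
            cont = [line.strip() for line in fh if line.strip()]
    except (OSError, UnicodeDecodeError):
        cont = []
    running = set()
    for pid in psutil.pids():
        try:
            running.add(psutil.Process(pid).name())
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    for name in running.intersection(cont):
        # Argument list, not a shell string: the original interpolated the
        # file contents into os.system('taskkill ... "name"'), so a line
        # containing a quote or '&' would have been interpreted by cmd.exe.
        try:
            subprocess.run(['taskkill', '/f', '/t', '/im', name], check=False)
        except OSError:
            # taskkill is Windows-only; the original os.system call never
            # raised, so keep the best-effort behaviour.
            continue
    message['text'] = '指定文件中进程已清除'
    message['bg'] = 'green'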
125
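n = 0      # detection flag shared by the callbacks: 1 = an indicator was seen
cont = []  # process-name list from process.txt; filled by on_click, read by on_click4
root = Tk(className='反挖矿系统')
root.geometry('400x300')
label = Label(root)
label['text'] = '欢迎使用本反挖矿系统'
message = Label(root, text='')
label.pack()
button = Button(root, text='开始使用', command=on_click)
button.pack()
button2 = Button(root, text='查看日志', command=on_click2)
button2.pack()
button3 = Button(root, text='重置界面', command=on_click3)
button3.pack()
button4 = Button(root, text='杀死进程', command=on_click4)
button4.pack()
message.pack()
root.mainloop()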