#!/usr/bin/env python
# -*- coding: UTF-8 -*-

'''
检测XP系统进程和系统服务
把可疑的进程和服务列出来(以我自己的电脑为参考)
启动项检测挺麻烦的,我的电脑上只有3个(只有一个ctfmon.exe是必需的,另两个是google相关的update程序),到“CCleaner-工具-启动”查看和设置可以了
使用本脚本可以一定程度上检测恶意程序,追求更高的安全还得靠杀毒软件
2011.11.07 BCCN.静夜思
'''

import os
import re

def checktask():
    '''检测系统进程'''
    print '\n'
    s = os.popen('tasklist').read()
    newtasks = re.findall('\n(.+?)\s+\d+\s+Console', s, re.I)
    #open('00.txt','w').write(str(newtasks))  #把进程列表写入00.txt,下面的oldtasks就是从这个文件里复制的
    oldtasks = ['System Idle Process', 'System', 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'svchost.exe', 'svchost.exe', 'svchost.exe', 'svchost.exe', 'spoolsv.exe', 'alg.exe', 'explorer.exe', 'hkcmd.exe', 'igfxpers.exe', 'igfxsrvc.exe', 'GooglePinyinDaemon.exe', 'ctfmon.exe', 'GoogleUpdate.exe', 'GooglePinyinService.exe', 'svchost.exe', 'C+WClient.exe', 'CWCleanTools.exe', 'LoginAccount.exe', 'wing.exe', 'python.exe', 'wmiprvse.exe', 'python.exe', 'cmd.exe', 'tasklist.exe', 'taskmgr.exe']
    for task in newtasks:
        if not task in oldtasks:
            print u'可疑进程:%s'%task
    for task in oldtasks:
        if not task in newtasks:
            print u'无用的oldtasks元素:%s'%task

def checkservice():
    '''检测系统服务'''
    print '\n'
    s = os.popen('sc query type= all').read()
    newservices = re.findall('\n*SERVICE_NAME: (.+?)\n', s, re.I)
    #open('00.txt','w').write(str(newservices))  #把进程列表写入00.txt,下面的oldservices就是从这个文件里复制的
    oldservices = ['ACPI', 'ACPIEC', 'AFD', 'ALG', 'AsyncMac', 'atapi', 'AudioSrv', 'audstub', 'Beep', 'BITS', 'Cdfs', 'Cdrom', 'CmBatt', 'Compbatt', 'CryptSvc', 'DcomLaunch', 'Dhcp', 'Disk', 'dmio', 'dmload', 'Dnscache', 'Eventlog', 'EventSystem', 'FastUserSwitchingCompatibility', 'Fips', 'FltMgr', 'FsVga', 'Ftdisk', 'Gpc', 'HdAudAddService', 'HDAudBus', 'HSFHWAZL', 'HSF_DPV', 'HTTP', 'hwdatacard', 'i8042prt', 'ialm', 'Imapi', 'intelppm', 'IpNat', 'IPSec', 'isapnp', 'Kbdclass', 'kmixer', 'KSecDD', 'mdmxsdk', 'mnmdd', 'Modem', 'Mouclass', 'MountMgr', 'Msfs', 'mssmbios', 'Mup', 'NDIS', 'NdisTapi', 'Ndisuio', 'NdisWan', 'NDProxy', 'NetBT', 'netfilter', 'Netman', 'Nla', 'Npfs', 'Ntfs', 'Null', 'PartMgr', 'PCI', 'PCIIde', 'Pcmcia', 'PlugPlay', 'PptpMiniport', 'ProtectedStorage', 'Ptilink', 'RasAcd', 'Rasl2tp', 'RasMan', 'RasPppoe', 'Raspti', 'rasuw', 'RDPCDD', 'rdpdr', 'redbook', 'RpcSs', 'SamSs', 'seclogon', 'SENS', 'SharedAccess', 'ShellHWDetection', 'Spooler', 'SSDPSRV', 'swenum', 'sysaudio', 'TapiSrv', 'Tcpip', 'TermDD', 'TermService', 'Themes', 'Update', 'usbccgp', 'usbehci', 'usbhub', 'USBSTOR', 'usbuhci', 'VgaSave', 'VolSnap', 'W32Time', 'Wanarp', 'wdmaud', 'winachsf', 'winmgmt', 'WmiAcpi', 'WZCSVC']
    for service in newservices:
        if not service in oldservices:
            print u'可疑服务:%s'%service
    for service in oldservices:
        if not service in newservices:
            print u'无用的oldservices元素:%s'%service


if __name__ == '__main__':
    checktask()
    checkservice()