URL의 EXE 파일이 있는 경우 체크하는 소스

입력 파일의 URL 목록 중 EXE 파일을 가리키는 URL에 대해 HTTP HEAD 요청으로 실제 존재 여부와 파일 크기를 확인하고, 그 결과(응답 코드에 따른 크기·대상 여부)를 URL과 함께 DB에 저장한다. 이렇게 추출한 EXE URL은 행위기반 악성코드 분석 솔루션에서 분석하도록 연동했던 코드이다(필요한 기능만 구현한 간단한 도구라 완성도는 높지 않음). 입력 URL은 신뢰할 수 없는 데이터이므로, 아래 코드처럼 크기 검사와 DB 저장 시 길이 제한·이스케이프 처리가 필요하다는 점에 유의.

/*
* HttpListDownload.c
* written by franc3sco
* best viewed with tabstop 4
*/
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <curl/curl.h>

#include "mysql/mysql.h"

#define REQUEST_COUNT_LIMIT 20000 /* number of HTTPDOWNLOADLIST slots allocated by main() */
#define LINEBUF_LEN 1024 /* input line buffer size used by MakeURLINFO() and the trim helpers */
#define MBYTE 1048576 /* upper size bound (bytes) for an EXE to be flagged as a target */
#define TB_NAME “tb_exeurl” /* destination table for SaveToDB() */
#define MYSQL_SERVER “localhost”
/* NOTE(review): the DB user, password and schema are compiled into the binary. The three
 * values below are placeholder text (mis-encoded in this copy) to be replaced before building;
 * prefer reading them from a permission-restricted config file or the environment so real
 * credentials never land in source control or in the binary. */
#define MYSQL_USER “DBªÁøο⁄ ∏Ì ¿‘∑¬”
#define MYSQL_PASSWD “DBªÁøο⁄ ∆–Ω∫øˆµÂ¿‘∑¬”
#define MYSQL_DB “DB∏Ì ¿‘∑¬”

/* One row of the URL table. The table is a contiguous array of REQUEST_COUNT_LIMIT slots;
 * every consumer walks it until it reaches a slot whose sz_REQUESTURL is empty, so that
 * empty slot acts as the terminator. (The tag name starts with '_' + uppercase, which is
 * reserved for the implementation in C; harmless here but worth renaming.) */
typedef struct _HTTPDOWNLOADLIST {
    char sz_REQUESTURL[1024]; /* second whitespace-separated column of the input line; "" marks end of table */
    char sz_Date[16]; /* first column of the input line, copied verbatim (at most 15 chars fit) */
    int FileSize; /* (int)Content-Length from the HEAD probe (-1 when the server sent none); 0 when the probe failed */
    int count; /* how many input lines carried this URL (duplicates are folded into one slot) */
    int is_target; /* 1 when status was 200/302 and the size lies within [1024, MBYTE], else 0 */
} HTTPDOWNLOADLIST;

/* Whitespace-stripping helpers (definitions at the bottom of the file). */
char* trim(char *s);
char* rtrim(char *s);
char* ltrim(char *s);

/* Pipeline stages, called in this order by main(): fill the table from the input file,
 * (optionally) dump it, probe each URL with a HEAD request, dump the result, persist it. */
int MakeURLINFO(char *filename, HTTPDOWNLOADLIST *);
int CheckDuplication(char *buf, HTTPDOWNLOADLIST *);
int NONDUPLICATELIST(HTTPDOWNLOADLIST *);
int CheckFileSize(HTTPDOWNLOADLIST *);
int TARGETLIST(HTTPDOWNLOADLIST *);
int SaveToDB(HTTPDOWNLOADLIST *);
/* Base of the URL table as allocated by main(); MakeURLINFO() rewinds to it for every input line. */
HTTPDOWNLOADLIST *global_p_HTTPDOWNLOADLIST = NULL;

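/*
 * Entry point: argv[1] is the path of the input file ("<date> <url>" per line).
 * Builds the URL table, probes every URL, prints the result and stores it in MySQL.
 * Returns 0 on success, 1 when no input file was given or memory could not be allocated.
 */
int
main(int argc, char *argv[]) {

    HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST = NULL;

    /* The original passed argv[1] unchecked; with no argument that is fopen(NULL). */
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <url-list-file>\n", argv[0] ? argv[0] : "HttpListDownload");
        return 1;
    }

    /* calloc zero-fills, so every slot starts with an empty URL (the table terminator). */
    p_HTTPDOWNLOADLIST = calloc(REQUEST_COUNT_LIMIT, sizeof *p_HTTPDOWNLOADLIST);
    if (!p_HTTPDOWNLOADLIST) {
        fprintf(stderr, "Memory Allocation Failed\n");
        return 1;
    }

    global_p_HTTPDOWNLOADLIST = p_HTTPDOWNLOADLIST;

    /* libcurl requires the global init before any easy handle is created. */
    curl_global_init(CURL_GLOBAL_DEFAULT);

    MakeURLINFO(argv[1], p_HTTPDOWNLOADLIST);
    // NONDUPLICATELIST(p_HTTPDOWNLOADLIST);
    CheckFileSize(p_HTTPDOWNLOADLIST);
    TARGETLIST(p_HTTPDOWNLOADLIST);

    SaveToDB(p_HTTPDOWNLOADLIST);

    curl_global_cleanup();
    free(p_HTTPDOWNLOADLIST);
    global_p_HTTPDOWNLOADLIST = NULL;
    return 0;
}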

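/*
 * Reads filename line by line and feeds each non-empty line to CheckDuplication(),
 * which appends unique URLs to the table starting at p_HTTPDOWNLOADLIST.
 * Returns the number of unique entries stored. Exits with status 1 if the file
 * cannot be opened.
 *
 * Fixes over the original: the table capacity is now enforced (the original appended
 * without bound and would write past the REQUEST_COUNT_LIMIT slots on a large input),
 * trailing whitespace is stripped in place instead of via the old trim() whose result
 * was discarded, and an empty line no longer indexes sz_buf[-1].
 */
int
MakeURLINFO(char *filename, HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {

    FILE *fp = NULL;
    char sz_buf[LINEBUF_LEN] = {0};
    int stored = 0;     /* index of the first empty slot == number of unique URLs so far */
    size_t len;

    if (filename == NULL || p_HTTPDOWNLOADLIST == NULL || (fp = fopen(filename, "r")) == NULL) {
        fprintf(stderr, "file open failed\n");
        exit(1);
    }

    /* The last slot must stay empty: every consumer walks the table until it finds an
     * empty sz_REQUESTURL, so at most REQUEST_COUNT_LIMIT - 1 entries may be filled. */
    while (stored < REQUEST_COUNT_LIMIT - 1 && fgets(sz_buf, sizeof sz_buf, fp) != NULL) {

        /* Strip CR/LF and any other trailing whitespace. */
        len = strlen(sz_buf);
        while (len > 0 && isspace((unsigned char)sz_buf[len - 1])) {
            sz_buf[--len] = '\0';
        }
        if (len == 0) {
            continue;   /* blank line */
        }

        CheckDuplication(sz_buf, p_HTTPDOWNLOADLIST);

        /* CheckDuplication() appends a new entry at the first empty slot; if the slot at
         * 'stored' is now occupied the line was new, so advance the watermark. */
        if (p_HTTPDOWNLOADLIST[stored].sz_REQUESTURL[0] != '\0') {
            stored++;
        }
    }

    if (stored >= REQUEST_COUNT_LIMIT - 1 && fgets(sz_buf, sizeof sz_buf, fp) != NULL) {
        fprintf(stderr, "warning: URL table full (%d entries), remaining input ignored\n", stored);
    }

    fclose(fp);
    return stored;
}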
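/*
 * Parses one input line ("<date> <url>", space separated) and either bumps the count
 * of the slot that already holds this URL or appends a new slot at the first empty
 * position of the table. The caller's line is left untouched (the original ran a
 * second strtok() pass over p_buf).
 *
 * Returns 1 when the URL was already present, 0 when it was appended or when the
 * line carried no URL column (the original called strcpy() with the NULL token).
 * Both copies are bounded: the date column is truncated to fit sz_Date (15 chars)
 * and the URL to fit sz_REQUESTURL, where the original strcpy() could overflow.
 * The scan relies on the table ending in an empty slot; MakeURLINFO() guarantees it.
 */
int
CheckDuplication(char *p_buf, HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {

    int b_duplicate = 0;
    char *date_tok = NULL;
    char *url_tok = NULL;
    char sz_buf[LINEBUF_LEN] = {0};

    if (p_buf == NULL || p_HTTPDOWNLOADLIST == NULL) {
        return 0;
    }

    /* Tokenise a private, bounded copy so strtok() never touches the caller's buffer. */
    snprintf(sz_buf, sizeof sz_buf, "%s", p_buf);
    date_tok = strtok(sz_buf, " ");
    if (date_tok != NULL) {
        url_tok = strtok(NULL, " ");
    }
    if (url_tok == NULL) {
        return 0;   /* nothing to record */
    }

    for (; p_HTTPDOWNLOADLIST->sz_REQUESTURL[0] != '\0'; p_HTTPDOWNLOADLIST++) {
        if (strcmp(p_HTTPDOWNLOADLIST->sz_REQUESTURL, url_tok) == 0) {
            p_HTTPDOWNLOADLIST->count++;
            b_duplicate = 1;
            break;  /* each URL is stored once, so there can be at most one match */
        }
    }

    if (!b_duplicate) {
        /* p_HTTPDOWNLOADLIST now points at the first empty slot. */
        snprintf(p_HTTPDOWNLOADLIST->sz_Date, sizeof p_HTTPDOWNLOADLIST->sz_Date, "%s", date_tok);
        snprintf(p_HTTPDOWNLOADLIST->sz_REQUESTURL, sizeof p_HTTPDOWNLOADLIST->sz_REQUESTURL, "%s", url_tok);
        p_HTTPDOWNLOADLIST->count = 1;
    }

    return b_duplicate;
}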
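/*
 * Debug dump of the parsed table (index, fold count, date, URL), one entry per line.
 * The original format string lacked the trailing newline, so consecutive entries ran
 * together on one line. Returns the number of entries printed.
 */
int
NONDUPLICATELIST(HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {

    int count = 0;

    if (p_HTTPDOWNLOADLIST == NULL) {
        return 0;
    }

    for (; p_HTTPDOWNLOADLIST->sz_REQUESTURL[0] != '\0'; p_HTTPDOWNLOADLIST++, count++) {
        printf("[idx:%d] dup:%d, date: %s, URL:%s\n",
               count,
               p_HTTPDOWNLOADLIST->count,
               p_HTTPDOWNLOADLIST->sz_Date,
               p_HTTPDOWNLOADLIST->sz_REQUESTURL);
    }

    return count;
}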
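/*
 * Probes every URL in the table with a header-only HTTP request (3 s timeout) and
 * fills FileSize / is_target from the response. Returns the number of URLs probed.
 *
 * Fixes over the original: the transfer result is checked and the status code is
 * reset per URL (a timed-out probe previously kept the previous URL's code); the
 * (int) cast of Content-Length is range-checked; the status is printed with %ld
 * (it is a long); the URL is passed directly instead of through trim(), whose return
 * value pointed at a local buffer; and the probe is restricted to http/https because
 * the URL list is untrusted input.
 */
int
CheckFileSize(HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {

    int count = 0;
    FILE *fp = NULL;

    if (p_HTTPDOWNLOADLIST == NULL) {
        return 0;
    }

    /* Every probe is header-only (CURLOPT_NOBODY), so the suspect binary is never
     * fetched by this tool; whatever bytes do arrive are discarded into /dev/null. */
    fp = fopen("/dev/null", "w");
    if (!fp) {
        printf("/dev/null errror\n");
        return 0;
    }

    for (; p_HTTPDOWNLOADLIST->sz_REQUESTURL[0] != '\0'; p_HTTPDOWNLOADLIST++) {
        CURL *curl = NULL;
        struct curl_slist *chunk = NULL;
        CURLcode rc;
        long code = 0;              /* reset per URL: a failed probe must not inherit the last status */
        double contentlength = -1;  /* libcurl reports -1 when no Content-Length was sent */

        curl = curl_easy_init();
        if (!curl) {
            continue;   /* slot keeps the zeroed FileSize/is_target from allocation */
        }

        chunk = curl_slist_append(chunk, "Accept: application/json, text/javascript, */*; q=0.01");
        chunk = curl_slist_append(chunk, "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)");
        chunk = curl_slist_append(chunk, "Accept-Language: ko");
        chunk = curl_slist_append(chunk, "Accept-Encoding: gzip, deflate");
        chunk = curl_slist_append(chunk, "Cache-Control: no-cache");
        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk);
        curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
        curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
        curl_easy_setopt(curl, CURLOPT_TIMEOUT, 3L);
        /* Redirects are deliberately not followed; see the 302 note below. */
        // curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1);
        /* The URL list is untrusted: without this, an entry such as file:///etc/passwd or
         * an ftp:// / gopher:// URL would be fetched through this host. (CURLOPT_PROTOCOLS
         * is superseded by CURLOPT_PROTOCOLS_STR in newer libcurl but still honoured.) */
        curl_easy_setopt(curl, CURLOPT_PROTOCOLS, (long)(CURLPROTO_HTTP | CURLPROTO_HTTPS));
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
        /* sz_REQUESTURL is a strtok() token and so carries no surrounding whitespace. */
        curl_easy_setopt(curl, CURLOPT_URL, p_HTTPDOWNLOADLIST->sz_REQUESTURL);

        rc = curl_easy_perform(curl);
        if (rc == CURLE_OK) {
            curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code);
        }

        if (rc == CURLE_OK && (code == 200 || code == 302)) {
            curl_easy_getinfo(curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &contentlength);
            /* NOTE(review): on a 302 this is the length of the redirect response, not of
             * the EXE behind it; enable CURLOPT_FOLLOWLOCATION together with CURLOPT_MAXREDIRS
             * if the final target is what should be measured. */
            if (contentlength >= 0 && contentlength <= (double)INT_MAX) {
                p_HTTPDOWNLOADLIST->FileSize = (int)contentlength;
            } else {
                p_HTTPDOWNLOADLIST->FileSize = -1;   /* unknown, or too large for int */
            }
            /* Only sizes within [1 KiB, MBYTE] are flagged as targets. */
            p_HTTPDOWNLOADLIST->is_target =
                (contentlength >= 1024 && contentlength <= MBYTE) ? 1 : 0;
        } else {
            p_HTTPDOWNLOADLIST->is_target = 0;
            p_HTTPDOWNLOADLIST->FileSize = 0;
        }

        printf("idx[%d:code:%ld], size:%d, target:%d, URL:%s\n",
               ++count, code,
               p_HTTPDOWNLOADLIST->FileSize,
               p_HTTPDOWNLOADLIST->is_target,
               p_HTTPDOWNLOADLIST->sz_REQUESTURL);

        curl_easy_cleanup(curl);
        curl_slist_free_all(chunk);
    }

    fclose(fp);
    return count;
}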
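/*
 * Prints one line per table entry with the probe result (size and target flag).
 * Returns the number of entries printed (the original declared int but returned nothing).
 */
int
TARGETLIST(HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {
    int count = 0;

    if (p_HTTPDOWNLOADLIST == NULL) {
        return 0;
    }

    for (; p_HTTPDOWNLOADLIST->sz_REQUESTURL[0] != '\0'; p_HTTPDOWNLOADLIST++, count++) {
        printf("[idx:%d] size:%d, target:%d, URL:%s\n",
               count,
               p_HTTPDOWNLOADLIST->FileSize,
               p_HTTPDOWNLOADLIST->is_target,
               p_HTTPDOWNLOADLIST->sz_REQUESTURL);
    }

    return count;
}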
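/*
 * Inserts every table entry into TB_NAME. Returns the number of rows inserted, or -1
 * when the connection could not be established.
 *
 * Fixes over the original: the escape buffer was 1024 bytes although
 * mysql_real_escape_string() may need 2*len+1 (a 1023-char URL full of quotes
 * overflowed it); the statement was built with an unbounded sprintf(); and the date
 * column -- also taken verbatim from the input file -- was spliced into the SQL
 * unescaped. Both columns are now escaped and the statement length is checked.
 * NOTE(review): mysql_real_escape_string() depends on the connection character set
 * and on NO_BACKSLASH_ESCAPES being off; a prepared statement (MYSQL_STMT with bound
 * parameters) would remove the quoting question entirely.
 */
int
SaveToDB(HTTPDOWNLOADLIST *p_HTTPDOWNLOADLIST) {
    MYSQL my_connection;
    int saved = 0;
    /* mysql_real_escape_string() needs 2*len+1 bytes for a worst-case input. */
    char sz_escapeurl[2 * sizeof p_HTTPDOWNLOADLIST->sz_REQUESTURL + 1];
    char sz_escapedate[2 * sizeof p_HTTPDOWNLOADLIST->sz_Date + 1];
    char sz_buf[sizeof sz_escapeurl + sizeof sz_escapedate + 256];

    if (p_HTTPDOWNLOADLIST == NULL) {
        return 0;
    }

    mysql_init(&my_connection);
    if (!mysql_real_connect(&my_connection, MYSQL_SERVER, MYSQL_USER, MYSQL_PASSWD, MYSQL_DB, 0, NULL, 0)) {
        fprintf(stderr, "error %s\n", mysql_error(&my_connection));
        mysql_close(&my_connection);
        return -1;
    }

    for (; p_HTTPDOWNLOADLIST->sz_REQUESTURL[0] != '\0'; p_HTTPDOWNLOADLIST++) {
        int n;

        memset(sz_escapeurl, '\0', sizeof sz_escapeurl);
        memset(sz_escapedate, '\0', sizeof sz_escapedate);
        mysql_real_escape_string(&my_connection, sz_escapeurl,
                                 p_HTTPDOWNLOADLIST->sz_REQUESTURL,
                                 (unsigned long)strlen(p_HTTPDOWNLOADLIST->sz_REQUESTURL));
        mysql_real_escape_string(&my_connection, sz_escapedate,
                                 p_HTTPDOWNLOADLIST->sz_Date,
                                 (unsigned long)strlen(p_HTTPDOWNLOADLIST->sz_Date));

        n = snprintf(sz_buf, sizeof sz_buf,
                     "INSERT INTO %s(date, filesize, target, count, url) VALUES('%s', %d, %d, %d, '%s')",
                     TB_NAME, sz_escapedate,
                     p_HTTPDOWNLOADLIST->FileSize,
                     p_HTTPDOWNLOADLIST->is_target,
                     p_HTTPDOWNLOADLIST->count,
                     sz_escapeurl);
        if (n < 0 || (size_t)n >= sizeof sz_buf) {
            /* Cannot happen with the buffer sizes above, but never send a truncated statement. */
            fprintf(stderr, "error statement too long, skipping %s\n", p_HTTPDOWNLOADLIST->sz_REQUESTURL);
            continue;
        }

        /* Length-aware variant: the statement is not scanned for a terminator. */
        if (mysql_real_query(&my_connection, sz_buf, (unsigned long)n) != 0) {
            fprintf(stderr, "error %s\n", mysql_error(&my_connection));
        } else {
            saved++;
        }
    }

    mysql_close(&my_connection);
    return saved;
}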
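/*
 * Removes trailing whitespace from s in place and returns s.
 *
 * The original copied s into a local array and returned a pointer to it, so every
 * caller received a dangling pointer (and s itself was never modified); it also
 * computed t + strlen(t) - 1 for an empty string and left one character of an
 * all-whitespace string untrimmed. Returns NULL only for a NULL argument.
 */
char* rtrim(char *s) {
    size_t len;

    if (s == NULL) {
        return NULL;
    }

    len = strlen(s);
    /* The unsigned char cast keeps isspace() defined for bytes >= 0x80. */
    while (len > 0 && isspace((unsigned char)s[len - 1])) {
        len--;
    }
    s[len] = '\0';

    return s;
}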

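/*
 * Removes leading whitespace from s in place and returns s.
 *
 * The original returned a pointer into the middle of s without modifying the
 * buffer, so callers that ignore the return value (MakeURLINFO) saw no effect,
 * and an all-whitespace string was returned untrimmed. Returns NULL only for a
 * NULL argument.
 */
char* ltrim(char *s) {
    char *begin;

    if (s == NULL) {
        return NULL;
    }

    begin = s;
    while (*begin != '\0' && isspace((unsigned char)*begin)) {
        begin++;
    }

    /* Shift the remainder (including its terminator) down to the start of the buffer. */
    if (begin != s) {
        memmove(s, begin, strlen(begin) + 1);
    }

    return s;
}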
/* Strips leading whitespace via ltrim(), then trailing via rtrim(); returns rtrim()'s result. */
char* trim(char *s) {
    char *lead_stripped = ltrim(s);
    return rtrim(lead_stripped);
}
