This post was last edited by bluewing009 on 2012-3-22 09:30
First of all, a big thank-you to lxzzr for all the help~
Everyone knows that using batch by itself as a system monitor is basically... it works, sure, but it eats a lot of system resources. CPU usage routinely shoots above 80%.
So monitoring has always been a sore point. This post uses the auditing feature built into the system to get monitoring at zero CPU cost. XP users, please move along...
Take the registry as an example:
The old monitoring approach:
    :loop
    rem sketch only: the real key path and comparison go here
    reg query
    if xxx==yyy
    goto loop
This is an unconditional infinite loop that burns resources... and adding a delay does not help much either.
Here is the improvement:
Step 1:
First, configure Group Policy. This mainly tells the system to record the "changes" we care about in the event log.
    pushd "%~dp0"
    echo [version] >check.inf
    echo signature="$CHICAGO$" >>check.inf
    echo;>>check.inf
    rem turn on Object Access auditing (1 = audit successful accesses)
    echo [Event Audit] >>check.inf
    echo AuditObjectAccess = 1 >>check.inf
    echo;>>check.inf
    rem SACL on the key: audit Everyone (WD) setting values / creating subkeys (DCLC), inherited by subkeys (CI)
    echo [Registry Keys] >>check.inf
    echo "MACHINE\Software\Test", 2, "S:AI(AU;CISAFA;DCLC;;;WD)" >>check.inf
    echo ;HKEY_LOCAL_MACHINE\Software\Test >>check.inf
    secedit /configure /db check.sdb /cfg check.inf /log check.log /quiet >nul
    del check.sdb check.inf check.log >nul
    popd
The inf file above is input for the secedit command. Run gpedit.msc, set things up by hand first, then export, and you will get an inf file like this one. Now we import it back in~
Whenever you run into a similar problem, set it by hand first, then export and have a look, and you will see how it should be written~
The line "MACHINE\Software\Test", 2, "S:AI(AU;CISAFA;DCLC;;;WD)" configures auditing for the registry key; any change to it will then show up in the log...
Er~ according to lxzzr's notes this is the SDDL language, i.e. a "security descriptor"... I don't have any material on it either... go ask him~ heh~
Just copy it over as-is~
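Added here as an illustration, not from the original post or from lxzzr: a small Python decoder for the SACL string used in check.inf. It shows that the rights tokens are plain bit positions, so on a registry key DCLC means set-value plus create-subkey, and that the trailing WD is the Everyone SID; the token tables are taken from sddl.h and winnt.h and cover only the common two-letter abbreviations.

```python
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# SDDL rights tokens -> access-mask bits (sddl.h). The short directory-service tokens are bare bit
# positions, so on a registry key DC (0x2) is KEY_SET_VALUE and LC (0x4) is KEY_CREATE_SUB_KEY.
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
          "LO": 0x80, "CR": 0x100, "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}
# What the mask bits mean when the secured object is a registry key (winnt.h KEY_* + standard rights).
REG_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
            (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
# Well-known SID abbreviations. "WD" and "AU" also occur as a right and an ACE type; the field decides.
SIDS = {"WD": "S-1-1-0 (Everyone)", "BA": "S-1-5-32-544 (Administrators)", "BU": "S-1-5-32-545 (Users)",
        "SY": "S-1-5-18 (SYSTEM)", "AU": "S-1-5-11 (Authenticated Users)", "CO": "S-1-3-0 (Creator Owner)"}

def _pairs(run):
    """Split a run of two-letter tokens such as 'CISAFA' into ['CI', 'SA', 'FA']."""
    if len(run) % 2:
        raise ValueError(f"odd-length SDDL token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]

def rights_mask(field):
    """Rights field ('DCLC', or a hex literal such as '0x20006') -> integer access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for tok in _pairs(field):
        mask |= RIGHTS[tok]  # OR, not add: KA and KR share bits
    return mask

def parse_sacl(sddl):
    """Parse a SACL-only string 'S:<flags>(ace)(ace)...' into (sacl_flags, aces)."""
    m = re.fullmatch(r"S:((?:P|AR|AI)*)((?:\([^()]*\))+)", sddl.strip())
    if not m:
        raise ValueError(f"not a SACL SDDL string: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        mask = rights_mask(rights)
        aces.append({"type": ACE_TYPES[ace_type],
                     "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
                     "mask": mask,
                     "registry_rights": [name for bit, name in REG_BITS if mask & bit],
                     "trustee": SIDS.get(sid, sid)})
    return re.findall(r"P|AR|AI", m.group(1)), aces
```

Running parse_sacl("S:AI(AU;CISAFA;DCLC;;;WD)") yields one SYSTEM_AUDIT ACE with CONTAINER_INHERIT, SUCCESSFUL_ACCESS and FAILED_ACCESS, mask 0x6 (KEY_SET_VALUE, KEY_CREATE_SUB_KEY) and trustee Everyone, which is exactly why a value change under the key produces an audit record.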
Once the import is done, remember to add one more line
that refreshes Group Policy...
With that, the system side is configured: any change to the Test registry key will show up in the log~
Step 2:
Configure the trigger, so that when the registry changes, our program runs~
    md "%windir%\Assistant" 2>nul
    rem Security_Monitor.bat: dump the newest Security event to a text file, then hand off to the second script
    echo wevtutil qe Security /rd:true /c:1 /f:text ^>%windir%\Assistant\Security_Monitor.txt >%windir%\Assistant\Security_Monitor.bat
    echo start %windir%\Assistant\Security_Monitor_.bat >>%windir%\Assistant\Security_Monitor.bat
    rem Security_Monitor_.bat: parse that text file and show what changed
    echo @echo off >%windir%\Assistant\Security_Monitor_.bat
    echo Setlocal enabledelayedexpansion>>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=3" %%%%i in ('findstr /i /c:"Event ID:" %%windir%%\Assistant\Security_Monitor.txt') do ( >>%windir%\Assistant\Security_Monitor_.bat
    echo if not %%%%i==4657 ( >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 您的启动项目已被修改 >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 但是由于异常情况无法获得详细信息 >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 建议您关注系统启动项目的情况 >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo ping /n 4 127.1^>nul>>%windir%\Assistant\Security_Monitor_.bat
    echo exit >>%windir%\Assistant\Security_Monitor_.bat
    echo )>>%windir%\Assistant\Security_Monitor_.bat
    echo )>>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"对象值名称:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"进程名:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Process=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"旧值:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key_Old=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo for /f "tokens=1,*" %%%%i in ('findstr /i /c:"新值:" %%windir%%\Assistant\Security_Monitor.txt') do set Change_Key_New=%%%%j >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 请注意,您的启动项目已被修改 ★ >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 修改进程:%%Change_Process%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 被修改键值名称:%%Change_Key%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 被修改键值旧值:%%Change_Key_Old%% >>%windir%\Assistant\Security_Monitor_.bat
    echo echo;>>%windir%\Assistant\Security_Monitor_.bat
    echo echo 被修改键值新值:%%Change_Key_New%% >>%windir%\Assistant\Security_Monitor_.bat
    echo ping /n 4 127.1^>nul>>%windir%\Assistant\Security_Monitor_.bat
    echo exit >>%windir%\Assistant\Security_Monitor_.bat
    rem trigger: run Security_Monitor.bat whenever Security event 4657 (registry value modified) is logged
    SCHTASKS /Create /TN Security_Monitor /RL Highest /TR %windir%\Assistant\Security_Monitor.bat /SC ONEVENT /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4657]]" >nul
The core is this line:
    SCHTASKS /Create /TN Security_Monitor /RL Highest /TR %windir%\Assistant\Security_Monitor.bat /SC ONEVENT /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4657]]"
It adds a scheduled task named Security_Monitor that runs with Highest privileges and, when triggered, runs %windir%\Assistant\Security_Monitor.bat. The part after /MO is the trigger condition: the new log entry produced by the registry change we talked about above, event ID 4657.
The above generates two files. Security_Monitor.bat reads the log and then starts the other bat. Of course the two could be written as one, but since registry changes may come in quickly, the second one is launched with start so the task does not hang and miss records. Security_Monitor_.bat reads the log and displays the details.
That completes the whole thing. Not sure whether everyone follows