November 20, 2014

DETEKT: Checking whether spyware has been installed on your computer

Tags: DETEKT, computer care, security | (2 min read)

I saw a friend share a piece of software called Detekt, which is said to scan a Windows computer to see whether any spyware is quietly monitoring it. The official site's description is quite serious: it is mainly aimed at helping human-rights activists, journalists, religious figures and others to RESIST SURVEILLANCE, and it is also an open-source Python project.

After downloading the exe file, run it as administrator; after waiting quite a long time you can see the result. It writes a LOG file into the directory where the EXE file is stored.

Y.CHEUNG's scan result was as follows:

Looks good.

I wasn't able to identify the presence of any obvious spyware. Please note that this does not necessarily mean your computer is clean. If you have strong suspicion of being targeted, please do seek assistance.

You can find additional instructions at https://www.resistsurveillance.org/emergency

Obviously, nobody is interested in monitoring my computer~

Log record:

2014-11-20 20:12:23,377 - detector - INFO - Starting with process ID 2156
2014-11-20 20:12:23,391 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-20 20:12:23,397 - detector - INFO - Selected Driver: C:\Users\yukino\AppData\Local\Temp\_MEI60882\drivers\winpmem64.sys
2014-11-20 20:12:23,398 - detector.service - INFO - Launching service destroyer...
2014-11-20 20:12:23,398 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 20:12:23,400 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 20:12:23,436 - detector.service - INFO - Trying to start the winpmem service...
2014-11-20 20:12:23,444 - detector - INFO - Service started
2014-11-20 20:12:23,444 - detector - INFO - Selected Yara signature file at C:\Users\yukino\AppData\Local\Temp\_MEI60882\rules\signatures.yar
2014-11-20 20:12:23,444 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-20 20:12:24,520 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x08E9C4D0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x081D5AF0>
2014-11-20 20:12:24,520 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x081D5C30>, DTB: 0x187000
2014-11-20 20:12:24,522 - detector - INFO - Starting yara scanner...
2014-11-20 22:04:17,398 - detector - INFO - Scanning finished
2014-11-20 22:04:17,398 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 22:04:17,398 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 22:04:17,398 - detector - INFO - Service stopped
2014-11-20 22:04:17,398 - detector - INFO - Analysis finished
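As an added example (not part of the original post, and not Detekt's own code), here is a small parser for the log format shown above. It pulls out the selected profile, the rule file, the yara scan duration, and whether the run reached "Service stopped" after "Service started", so a log from a run that never finished stands out. The sample lines are a trimmed copy of the log in this post, with a shortened rule path.

```python
import re
from datetime import datetime

# Constructed sample input: a trimmed copy of the Detekt log shown in this post.
SAMPLE_LOG = """\
2014-11-20 20:12:23,377 - detector - INFO - Starting with process ID 2156
2014-11-20 20:12:23,391 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-20 20:12:23,444 - detector - INFO - Service started
2014-11-20 20:12:23,444 - detector - INFO - Selected Yara signature file at C:\\Temp\\rules\\signatures.yar
2014-11-20 20:12:24,522 - detector - INFO - Starting yara scanner...
2014-11-20 22:04:17,398 - detector - INFO - Scanning finished
2014-11-20 22:04:17,398 - detector - INFO - Service stopped
2014-11-20 22:04:17,398 - detector - INFO - Analysis finished
"""

# Detekt log line layout: "<date> <time>,<ms> - <logger> - <LEVEL> - <message>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) - (\S+) - (\w+) - (.*)$")

def parse_log(text):
    """Return a list of (timestamp, logger, level, message); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def summarize(text):
    """Extract what a reviewer wants from one run: profile, rules, scan time, cleanup."""
    events = parse_log(text)
    first = {}  # first timestamp seen for each distinct message text
    for ts, _, _, msg in events:
        first.setdefault(msg, ts)

    def value_after(prefix):
        return next((m[len(prefix):] for m in first if m.startswith(prefix)), None)

    started = first.get("Starting yara scanner...")
    finished = first.get("Scanning finished")
    return {
        "profile": value_after("Selected Profile Name: "),
        "rules": value_after("Selected Yara signature file at "),
        "scan_seconds": (finished - started).total_seconds() if started and finished else None,
        "completed": "Analysis finished" in first,
        # Service started but never reported stopped: the run did not reach its cleanup step.
        "driver_left_running": "Service started" in first and "Service stopped" not in first,
        "errors": [m for _, _, lvl, m in events if lvl in ("WARNING", "ERROR")],
    }
```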