Contents
1 Introduction
2 Threats to Web Servers and Defences
2.1 Buffer Overflow
2.2 SQL Injection Attacks
2.3 Script-Based DDoS Attacks
2.4 Other Insecure Factors
3 Design of the Web Trojan Detection System
3.1 Architecture
3.2 Processing Flow
3.3 Responding to Client Access
3.4 Design of the Policy Engine
3.4.1 Policy Attributes
3.4.2 Policy Loading
3.4.3 Policy Scheduling
3.4.4 Policy Interface
4 Implementation of the Web Trojan Detection System
4.1 Implementation of the ISAPI-Based Parsing and Response Module
4.1.1 Obtaining HTTP Message Information with an ISAPI Filter
4.1.2 Sending HTTP Responses through ISAPI
4.1.3 Installing and Configuring the ISAPI Filter on the Server
4.2 Lua-Based Policy Implementation
4.2.1 Policy Encapsulation
4.2.2 Example Lua Policy Script
4.3 XML-Based Policy Management
5 System Operation and Testing
Conclusion
References
Acknowledgements
3 Design of the Web Trojan Detection System
Because the system must analyse the HTTP messages sent by clients, it has to parse those messages. There are two main ways to parse HTTP messages:
(1) Self-parsing: the system parses the raw packets itself;
(2) Parsing by the web server: when the system needs information, it queries it through the interface the web server provides.
Method (1) offers better portability than method (2), but it requires the ability to intercept the raw lower-layer packets, which can be done by intercepting transport-layer or network-layer packets. Since we position this system as trojan detection aimed only at Web access, we are not interested in traffic other than HTTP, so we choose method (2) as our HTTP parsing scheme: only the application-layer HTTP messages are captured, through the interface the web server provides.
Inspecting only the client's behaviour is not enough to monitor a client's requests completely, because then we only know what request the client sent, not how the server responded to it. Since a complete HTTP session consists of the client sending a request and the server responding to it, only by monitoring the content of the server's response can we know when the HTTP session ends. If the web server provides an interface for assembling HTTP messages, then when responding to the client we should also call those interfaces wherever possible rather than assemble HTTP messages ourselves.
The core of this trojan detection system is therefore its policy engine; a powerful and flexible policy engine is what implements signature-based or anomaly-based detection. The specific architecture and processing flow of the Web trojan detection system are described below.
3.1 Architecture
A system usually adopts either a multi-layer or a single-layer architecture. A multi-layer architecture divides modules by function, and the layers communicate through well-defined interfaces; a single-layer architecture couples all modules tightly, with cross-calls between modules. The multi-layer architecture is more extensible than the single-layer one, while the single-layer architecture makes interaction between modules more efficient. To make the system suitable for different web server platforms, and after weighing the factors above, this system adopts a layered architecture. Figure 1 shows the architecture of the system.
As shown in Figure 1, the Web trojan detection system is divided into the following three layers:
(1) Parsing and response layer
This layer provides the whole defence system with the interface for parsing the HTTP request messages sent by clients and for assembling HTTP messages when the server responds. When a client accesses the server, this layer notifies the policy engine to schedule policies that inspect the client's access information, and it provides the response implementation for the policy engine. Following the analysis above, this layer is implemented by wrapping the interfaces provided by the server.
(2) Policy engine
This layer schedules policies. A policy obtains client information through the interface provided by the parsing and response layer, and the actual response is likewise left to the parsing and response layer. The policy engine also has to call the data management layer to load policies and to record logs.
(3) Data management
This layer provides logging, configuration management and policy-script parsing, so all data processing is done in this layer.
Each layer performs a relatively independent function; when the implementation of one layer changes, the other layers are unaffected as long as the interface it provides stays the same. This gives the whole structure great extensibility: for example, the implementation of the parsing and response layer could be changed from calling the web server's own interfaces to directly intercepting transport-layer or network-layer packets. The specific processing flow is described below.
3.2 Processing Flow
The processing flow of the Web IPS is shown in Figure 2. When a client sends an HTTP request, the raw data is parsed by the HTTP message parsing module, which notifies the policy engine module to inspect the client's information. Following the policies written in the policy scripts, the policy engine notifies the HTTP response module to respond to the client's behaviour and notifies the logging module to record the corresponding log entries.
Based on the architecture and processing flow of the Web IPS, the main modules of the system and their roles are as follows:
(1) IPS management module
Manages and connects the modules, manages the data flow, completes initialisation of the whole system after reading the configuration file, and manages the state of the system: run, stop and reload. When the HTTP message parsing module reports a client access, it calls the policy engine to inspect the client's behaviour and information, and passes the result returned by the policy engine to the HTTP response module for the response.
(2) Configuration file module
Mainly reads and saves the configuration file. It provides a unified interface whose implementation can be modified as needed.
(3) HTTP message parsing module
Uses the interface provided by the web server to parse the raw data a client submits when accessing the web server, notifies the IPS management module that a client request has been received, and asks the policy engine to inspect the client's access behaviour.
For each client, the HTTP message parsing module creates an object that implements an interface for inspecting the client's information. Common web scripting environments (ASP, ASP.NET, PHP and so on) also provide an interface of this kind for obtaining client information.
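An added illustration of the three-layer dispatch in 3.1 and 3.2, written for this edit and not part of the thesis or its ISAPI/Lua implementation: a constructed request object stands in for the parsing layer's per-client object, and a policy engine schedules a signature policy and an anomaly policy over it, returning a verdict for the response module together with a log line for data management. All type, function and field names are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Client information the parsing/response layer hands to policies: a constructed
   stand-in for the per-client object of 3.2 (field names assumed). */
typedef struct { const char *method, *url, *query; } http_request;
typedef enum { ACT_ALLOW = 0, ACT_BLOCK = 1 } action;
/* A policy inspects one request; on a hit it returns ACT_BLOCK and a reason. */
typedef action (*policy_fn)(const http_request *r, const char **reason);
/* Case-insensitive substring test (portable stand-in for strcasestr). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++) ;
        if (i == n) return 1;
    }
    return 0;
}
/* Signature policy (cf. 2.2): well-known SQL injection fragments in the query string. */
static action policy_sqli(const http_request *r, const char **reason) {
    static const char *sigs[] = { "union select", "' or ", "'--", NULL };
    for (int i = 0; sigs[i]; i++)
        if (contains_ci(r->query, sigs[i])) { *reason = sigs[i]; return ACT_BLOCK; }
    return ACT_ALLOW;
}
/* Anomaly policy (cf. 2.1): a request line far longer than any legitimate one. */
static action policy_oversize(const http_request *r, const char **reason) {
    if (strlen(r->url) + strlen(r->query) <= 2048) return ACT_ALLOW;
    *reason = "request line too long";
    return ACT_BLOCK;
}
/* Policy table the engine schedules in order; the first hit decides. */
static const struct { const char *name; policy_fn fn; } policies[] = { { "sqli", policy_sqli }, { "oversize", policy_oversize } };
/* Engine entry point per request: verdict to the response module, log line to data management. */
action ips_inspect(const http_request *r, char *logline, size_t n) {
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        const char *why = "";
        if (policies[i].fn(r, &why) != ACT_BLOCK) continue;
        snprintf(logline, n, "BLOCK policy=%s reason=\"%s\" %s %s",
                 policies[i].name, why, r->method, r->url);
        return ACT_BLOCK;
    }
    snprintf(logline, n, "ALLOW %s %s", r->method, r->url);
    return ACT_ALLOW;
}
/* One-call wrapper around ips_inspect for a request given as three strings. */
action check_request(const char *method, const char *url, const char *query) {
    http_request r = { method, url, query }; char line[256];
    return ips_inspect(&r, line, sizeof line);
}
```

In the real system the request fields would come from the server interface (the ISAPI filter of chapter 4) and the policies from the loaded policy scripts; matching raw query text as above also means URL-decoding must happen before the signature check.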
/* ldo.c: stack and call structure of Lua (Lua 5.1 source; see Copyright Notice in lua.h) */

#include <setjmp.h>
#include <stdlib.h>
#include <string.h>

#define ldo_c
#define LUA_CORE

#include "lua.h"

#include "ldebug.h"
#include "ldo.h"
#include "lfunc.h"
#include "lgc.h"
#include "lmem.h"
#include "lobject.h"
#include "lopcodes.h"
#include "lparser.h"
#include "lstate.h"
#include "lstring.h"
#include "ltable.h"
#include "ltm.h"
#include "lundump.h"
#include "lvm.h"
#include "lzio.h"


/*
** {======================================================
** Error-recovery functions
** =======================================================
*/


/* chain list of long jump buffers */
struct lua_longjmp {
  struct lua_longjmp *previous;
  luai_jmpbuf b;
  volatile int status;  /* error code */
};


void luaD_seterrorobj (lua_State *L, int errcode, StkId oldtop) {
  switch (errcode) {
    case LUA_ERRMEM: {
      setsvalue2s(L, oldtop, luaS_newliteral(L, MEMERRMSG));
      break;
    }
    case LUA_ERRERR: {
      setsvalue2s(L, oldtop, luaS_newliteral(L, "error in error handling"));
      break;
    }
    case LUA_ERRSYNTAX:
    case LUA_ERRRUN: {
      setobjs2s(L, oldtop, L->top - 1);  /* error message on current top */
      break;
    }
  }
  L->top = oldtop + 1;
}


static void restore_stack_limit (lua_State *L) {
  lua_assert(L->stack_last - L->stack == L->stacksize - EXTRA_STACK - 1);
  if (L->size_ci > LUAI_MAXCALLS) {  /* there was an overflow? */
    int inuse = cast_int(L->ci - L->base_ci);
    if (inuse + 1 < LUAI_MAXCALLS)  /* can `undo' overflow? */
      luaD_reallocCI(L, LUAI_MAXCALLS);
  }
}


static void resetstack (lua_State *L, int status) {
  L->ci = L->base_ci;
  L->base = L->ci->base;
  luaF_close(L, L->base);  /* close eventual pending closures */
  luaD_seterrorobj(L, status, L->base);
  L->nCcalls = 0;
  L->allowhook = 1;
  restore_stack_limit(L);
  L->errfunc = 0;
  L->errorJmp = NULL;
}


void luaD_throw (lua_State *L, int errcode) {
  if (L->errorJmp) {
    L->errorJmp->status = errcode;
    LUAI_THROW(L, L->errorJmp);
  }
  else {
    L->status = cast_byte(errcode);
    if (G(L)->panic) {
      resetstack(L, errcode);
      lua_unlock(L);
      G(L)->panic(L);
    }
    exit(EXIT_FAILURE);
  }
}


int luaD_rawrunprotected (lua_State *L, Pfunc f, void *ud) {
  struct lua_longjmp lj;
  lj.status = 0;
  lj.previous = L->errorJmp;  /* chain new error handler */
  L->errorJmp = &lj;
  LUAI_TRY(L, &lj,
    (*f)(L, ud);
  );
  L->errorJmp = lj.previous;  /* restore old error handler */
  return lj.status;
}

/* }====================================================== */


static void correctstack (lua_State *L, TValue *oldstack) {
  CallInfo *ci;
  GCObject *up;
  L->top = (L->top - oldstack) + L->stack;
  for (up = L->openupval; up != NULL; up = up->gch.next)
    gco2uv(up)->v = (gco2uv(up)->v - oldstack) + L->stack;
  for (ci = L->base_ci; ci <= L->ci; ci++) {
    ci->top = (ci->top - oldstack) + L->stack;
    ci->base = (ci->base - oldstack) + L->stack;
    ci->func = (ci->func - oldstack) + L->stack;
  }
  L->base = (L->base - oldstack) + L->stack;
}


void luaD_reallocstack (lua_State *L, int newsize) {
  TValue *oldstack = L->stack;
  int realsize = newsize + 1 + EXTRA_STACK;
  lua_assert(L->stack_last - L->stack == L->stacksize - EXTRA_STACK - 1);
  luaM_reallocvector(L, L->stack, L->stacksize, realsize, TValue);
  L->stacksize = realsize;
  L->stack_last = L->stack+newsize;
  correctstack(L, oldstack);
}


void luaD_reallocCI (lua_State *L, int newsize) {
  CallInfo *oldci = L->base_ci;
  luaM_reallocvector(L, L->base_ci, L->size_ci, newsize, CallInfo);
  L->size_ci = newsize;
  L->ci = (L->ci - oldci) + L->base_ci;
  L->end_ci = L->base_ci + L->size_ci - 1;
}


void luaD_growstack (lua_State *L, int n) {
  if (n <= L->stacksize)  /* double size is enough? */
    luaD_reallocstack(L, 2*L->stacksize);
  else
    luaD_reallocstack(L, L->stacksize + n);
}


static CallInfo *growCI (lua_State *L) {
  if (L->size_ci > LUAI_MAXCALLS)  /* overflow while handling overflow? */
    luaD_throw(L, LUA_ERRERR);
  else {
    luaD_reallocCI(L, 2*L->size_ci);
    if (L->size_ci > LUAI_MAXCALLS)
      luaG_runerror(L, "stack overflow");
  }
  return ++L->ci;
}


void luaD_callhook (lua_State *L, int event, int line) {
  lua_Hook hook = L->hook;
  if (hook && L->allowhook) {
    ptrdiff_t top = savestack(L, L->top);
    ptrdiff_t ci_top = savestack(L, L->ci->top);
    lua_Debug ar;
    ar.event = event;
    ar.currentline = line;
    if (event == LUA_HOOKTAILRET)
      ar.i_ci = 0;  /* tail call; no debug information about it */
    else
      ar.i_ci = cast_int(L->ci - L->base_ci);
    luaD_checkstack(L, LUA_MINSTACK);  /* ensure minimum stack size */
    L->ci->top = L->top + LUA_MINSTACK;
    lua_assert(L->ci->top <= L->stack_last);
    L->allowhook = 0;  /* cannot call hooks inside a hook */
    lua_unlock(L);
    (*hook)(L, &ar);
    lua_lock(L);
    lua_assert(!L->allowhook);
    L->allowhook = 1;
    L->ci->top = restorestack(L, ci_top);
    L->top = restorestack(L, top);
  }
}


static StkId adjust_varargs (lua_State *L, Proto *p, int actual) {
  int i;
  int nfixargs = p->numparams;
  Table *htab = NULL;
  StkId base, fixed;
  for (; actual < nfixargs; ++actual)
    setnilvalue(L->top++);
#if defined(LUA_COMPAT_VARARG)
  if (p->is_vararg & VARARG_NEEDSARG) { /* compat. with old-style vararg? */
    int nvar = actual - nfixargs;  /* number of extra arguments */
    lua_assert(p->is_vararg & VARARG_HASARG);
    luaC_checkGC(L);
    htab = luaH_new(L, nvar, 1);  /* create `arg' table */
    for (i=0; i<nvar; i++)  /* put extra arguments into `arg' table */
      setobj2n(L, luaH_setnum(L, htab, i+1), L->top - nvar + i);
    /* store counter in field `n' */
    setnvalue(luaH_setstr(L, htab, luaS_newliteral(L, "n")), cast_num(nvar));
  }
#endif
  /* move fixed parameters to final position */
  fixed = L->top - actual;  /* first fixed argument */
  base = L->top;  /* final position of first argument */
  for (i=0; i<nfixargs; i++) {
    setobjs2s(L, L->top++, fixed+i);
    setnilvalue(fixed+i);
  }
  /* add `arg' parameter */
  if (htab) {
    sethvalue(L, L->top++, htab);
    lua_assert(iswhite(obj2gco(htab)));
  }
  return base;
}


static StkId tryfuncTM (lua_State *L, StkId func) {
  const TValue *tm = luaT_gettmbyobj(L, func, TM_CALL);
  StkId p;
  ptrdiff_t funcr = savestack(L, func);
  if (!ttisfunction(tm))
    luaG_typeerror(L, func, "call");
  /* Open a hole inside the stack at `func' */
  for (p = L->top; p > func; p--) setobjs2s(L, p, p-1);
  incr_top(L);
  func = restorestack(L, funcr);  /* previous call may change stack */
  setobj2s(L, func, tm);  /* tag method is the new function to be called */
  return func;
}


#define inc_ci(L) \
  ((L->ci == L->end_ci) ? growCI(L) : \
   (condhardstacktests(luaD_reallocCI(L, L->size_ci)), ++L->ci))


int luaD_precall (lua_State *L, StkId func, int nresults) {
  LClosure *cl;
  ptrdiff_t funcr;
  if (!ttisfunction(func)) /* `func' is not a function? */
    func = tryfuncTM(L, func);  /* check the `function' tag method */
  funcr = savestack(L, func);
  cl = &clvalue(func)->l;
  L->ci->savedpc = L->savedpc;
  if (!cl->isC) {  /* Lua function? prepare its call */
    CallInfo *ci;
    StkId st, base;
    Proto *p = cl->p;
    luaD_checkstack(L, p->maxstacksize);
    func = restorestack(L, funcr);
    if (!p->is_vararg) {  /* no varargs? */
      base = func + 1;
      if (L->top > base + p->numparams)
        L->top = base + p->numparams;
    }
    else {  /* vararg function */
      int nargs = cast_int(L->top - func) - 1;
      base = adjust_varargs(L, p, nargs);
      func = restorestack(L, funcr);  /* previous call may change the stack */
    }
    ci = inc_ci(L);  /* now `enter' new function */
    ci->func = func;
    L->base = ci->base = base;
    ci->top = L->base + p->maxstacksize;
    lua_assert(ci->top <= L->stack_last);
    L->savedpc = p->code;  /* starting point */
    ci->tailcalls = 0;
    ci->nresults = nresults;
    for (st = L->top; st < ci->top; st++)
      setnilvalue(st);
    L->top = ci->top;
    if (L->hookmask & LUA_MASKCALL) {
      L->savedpc++;  /* hooks assume 'pc' is already incremented */
      luaD_callhook(L, LUA_HOOKCALL, -1);
      L->savedpc--;  /* correct 'pc' */
    }
    return PCRLUA;
  }
  else {  /* if is a C function, call it */
    CallInfo *ci;
    int n;
    luaD_checkstack(L, LUA_MINSTACK);  /* ensure minimum stack size */
    ci = inc_ci(L);  /* now `enter' new function */
    ci->func = restorestack(L, funcr);
    L->base = ci->base = ci->func + 1;
    ci->top = L->top + LUA_MINSTACK;
    lua_assert(ci->top <= L->stack_last);
    ci->nresults = nresults;
    if (L->hookmask & LUA_MASKCALL)
      luaD_callhook(L, LUA_HOOKCALL, -1);
    lua_unlock(L);
    n = (*curr_func(L)->c.f)(L);  /* do the actual call */
    lua_lock(L);
    if (n < 0)  /* yielding? */
      return PCRYIELD;
    else {
      luaD_poscall(L, L->top - n);
      return PCRC;
    }
  }
}


static StkId callrethooks (lua_State *L, StkId firstResult) {
  ptrdiff_t fr = savestack(L, firstResult);  /* next call may change stack */
  luaD_callhook(L, LUA_HOOKRET, -1);
  if (f_isLua(L->ci)) {  /* Lua function? */
    while (L->ci->tailcalls--)  /* call hook for eventual tail calls */
      luaD_callhook(L, LUA_HOOKTAILRET, -1);
  }
  return restorestack(L, fr);
}


int luaD_poscall (lua_State *L, StkId firstResult) {
  StkId res;
  int wanted, i;
  CallInfo *ci;
  if (L->hookmask & LUA_MASKRET)
    firstResult = callrethooks(L, firstResult);
  ci = L->ci--;
  res = ci->func;  /* res == final position of 1st result */
  wanted = ci->nresults;
  L->base = (ci - 1)->base;  /* restore base */
  L->savedpc = (ci - 1)->savedpc;  /* restore savedpc */
  /* move results to correct place */
  for (i = wanted; i != 0 && firstResult < L->top; i--)
    setobjs2s(L, res++, firstResult++);
  while (i-- > 0)
    setnilvalue(res++);
  L->top = res;
  return (wanted - LUA_MULTRET);  /* 0 iff wanted == LUA_MULTRET */
}


/*
** Call a function (C or Lua). The function to be called is at *func.
** The arguments are on the stack, right after the function.
** When returns, all the results are on the stack, starting at the original
** function position.
*/
void luaD_call (lua_State *L, StkId func, int nResults) {
  if (++L->nCcalls >= LUAI_MAXCCALLS) {
    if (L->nCcalls == LUAI_MAXCCALLS)
      luaG_runerror(L, "C stack overflow");
    else if (L->nCcalls >= (LUAI_MAXCCALLS + (LUAI_MAXCCALLS>>3)))
      luaD_throw(L, LUA_ERRERR);  /* error while handing stack error */
  }
  if (luaD_precall(L, func, nResults) == PCRLUA)  /* is a Lua function? */
    luaV_execute(L, 1);  /* call it */
  L->nCcalls--;
  luaC_checkGC(L);
}


static void resume (lua_State *L, void *ud) {
  StkId firstArg = cast(StkId, ud);
  CallInfo *ci = L->ci;
  if (L->status != LUA_YIELD) {  /* start coroutine */
    lua_assert(ci == L->base_ci && firstArg > L->base);
    if (luaD_precall(L, firstArg - 1, LUA_MULTRET) != PCRLUA)
      return;
  }
  else {  /* resuming from previous yield */
    if (!f_isLua(ci)) {  /* `common' yield? */
      /* finish interrupted execution of `OP_CALL' */
      lua_assert(GET_OPCODE(*((ci-1)->savedpc - 1)) == OP_CALL ||
                 GET_OPCODE(*((ci-1)->savedpc - 1)) == OP_TAILCALL);
      if (luaD_poscall(L, firstArg))  /* complete it... */
        L->top = L->ci->top;  /* and correct top if not multiple results */
    }
    else  /* yielded inside a hook: just continue its execution */
      L->base = L->ci->base;
  }
  L->status = 0;
  luaV_execute(L, cast_int(L->ci - L->base_ci));
}


static int resume_error (lua_State *L, const char *msg) {
  L->top = L->ci->base;
  setsvalue2s(L, L->top, luaS_new(L, msg));
  incr_top(L);
  lua_unlock(L);
  return LUA_ERRRUN;
}


LUA_API int lua_resume (lua_State *L, int nargs) {
  int status;
  lua_lock(L);
  if (L->status != LUA_YIELD) {
    if (L->status != 0)
      return resume_error(L, "cannot resume dead coroutine");
    else if (L->ci != L->base_ci)
      return resume_error(L, "cannot resume non-suspended coroutine");
  }
  luai_userstateresume(L, nargs);
  lua_assert(L->errfunc == 0 && L->nCcalls == 0);
  status = luaD_rawrunprotected(L, resume, L->top - nargs);
  if (status != 0) {  /* error? */
    L->status = cast_byte(status);  /* mark thread as `dead' */
    luaD_seterrorobj(L, status, L->top);
    L->ci->top = L->top;
  }
  else
    status = L->status;
  lua_unlock(L);
  return status;
}


LUA_API int lua_yield (lua_State *L, int nresults) {
  luai_userstateyield(L, nresults);
  lua_lock(L);
  if (L->nCcalls > 0)
    luaG_runerror(L, "attempt to yield across metamethod/C-call boundary");
  L->base = L->top - nresults;  /* protect stack slots below */
  L->status = LUA_YIELD;
  lua_unlock(L);
  return -1;
}


int luaD_pcall (lua_State *L, Pfunc func, void *u,
                ptrdiff_t old_top, ptrdiff_t ef) {
  int status;
  unsigned short oldnCcalls = L->nCcalls;
  ptrdiff_t old_ci = saveci(L, L->ci);
  lu_byte old_allowhooks = L->allowhook;
  ptrdiff_t old_errfunc = L->errfunc;
  L->errfunc = ef;
  status = luaD_rawrunprotected(L, func, u);
  if (status != 0) {  /* an error occurred? */
    StkId oldtop = restorestack(L, old_top);
    luaF_close(L, oldtop);  /* close eventual pending closures */
    luaD_seterrorobj(L, status, oldtop);
    L->nCcalls = oldnCcalls;
    L->ci = restoreci(L, old_ci);
    L->base = L->ci->base;
    L->savedpc = L->ci->savedpc;
    L->allowhook = old_allowhooks;
    restore_stack_limit(L);
  }
  L->errfunc = old_errfunc;
  return status;
}


/*
** Execute a protected parser.
*/
struct SParser {  /* data to `f_parser' */
  ZIO *z;
  Mbuffer buff;  /* buffer to be used by the scanner */
  const char *name;
};

static void f_parser (lua_State *L, void *ud) {
  int i;
  Proto *tf;
  Closure *cl;
  struct SParser *p = cast(struct SParser *, ud);
  int c = luaZ_lookahead(p->z);
  luaC_checkGC(L);
  tf = ((c == LUA_SIGNATURE[0]) ? luaU_undump : luaY_parser)(L, p->z,
                                                             &p->buff, p->name);
  cl = luaF_newLclosure(L, tf->nups, hvalue(gt(L)));
  cl->l.p = tf;
  for (i = 0; i < tf->nups; i++)  /* initialize eventual upvalues */
    cl->l.upvals[i] = luaF_newupval(L);
  setclvalue(L, L->top, cl);
  incr_top(L);
}


int luaD_protectedparser (lua_State *L, ZIO *z, const char *name) {
  struct SParser p;
  int status;
  p.z = z; p.name = name;
  luaZ_initbuffer(L, &p.buff);
  status = luaD_pcall(L, f_parser, &p, savestack(L, L->top), L->errfunc);
  luaZ_freebuffer(L, &p.buff);
  return status;
}