目录
一、限定死白名单
二、增加自定义白名单文件
需求:孩子在家用电脑上网课,总是悄悄打开游戏或视频软件
方案:指定白名单exe,打开非白名单的就自动被杀死,并记录日志供查看
一、限定死白名单
import psutil
import time
import logging
# 配置日志记录,禁用缓冲
logging.basicConfig(filename='killed_exes.log', level=logging.INFO, format='%(asctime)s - %(message)s', filemode='a',
force=True)
# 允许访问的EXE名称清单
# allowed_exes = ['notepad++.exe','SgrmBroker.exe', 'TextInputHost.exe', 'ChsIME.exe', 'HPPrintScanDoctorService.exe', 'esif_uf.exe', 'OfficeClickToRun.exe', 'smartscreen.exe', 'dllhost.exe', 'System Idle Process', 'spoolsv.exe', 'wlanext.exe', 'fontdrvhost.exe', 'PhoneExperienceHost.exe', 'FMService64.exe', 'lkads.exe', 'msedgewebview2.exe', 'WmiApSrv.exe', 'LAVService.exe', 'Lenovo.Modern.ImController.exe', 'NisSrv.exe', 'explorer.exe', 'NVDisplay.Container.exe', 'dasHost.exe', 'Lsf.exe', 'System', 'MSOfficePLUSService.exe', 'AggregatorHost.exe', 'ldnews.exe', 'SogouCloud.exe', 'DAX3API.exe', 'usysdiag.exe', 'audiodg.exe', 'tagsrv.exe', 'csrss.exe', 'StartMenuExperienceHost.exe', 'NvTelemetryContainer.exe', 'SecurityHealthService.exe', 'rundll32.exe', 'MemCompression', 'svchost.exe', 'nimxs.exe', 'crashpad_handler.exe', 'IShowServer.exe', 'service.exe', 'sihost.exe', 'chrome.exe', 'MsMpEng.exe', 'dwm.exe', 'pdfServer.exe', 'PdsClientsDaemon.exe', 'LenovoTray.exe', 'Locator.exe', 'DSRHost.exe', 'RtkAudUService64.exe', 'Registry', 'Everything.exe', 'SearchIndexer.exe', 'Lenovo.Modern.ImController.PluginHost.Device.exe', 'lktsrv.exe', 'SecurityHealthSystray.exe', 'IShowSU.exe', 'SunloginClient.exe', 'nidmsrv.exe', 'RuntimeBroker.exe', 'unsecapp.exe', 'LenovoInternetSoftwareFramework.exe', 'python.exe', 'PDFEngine.exe', 'SearchApp.exe', 'ctfmon.exe', 'sqlwriter.exe', 'CastSrv.exe', 'taskhostw.exe', 'WmiPrvSE.exe', 'mDNSResponder.exe', 'niauth_daemon.exe', 'CompPkgSrv.exe', 'LISFService.exe', 'TestStandService.exe', 'LnvSvcFdn.exe', 'MSPCManagerService.exe', 'jhi_service.exe', 'fsnotifier.exe', 'smss.exe', 'conhost.exe', 'MpDefenderCoreService.exe', 'LenovoPcManagerService.exe', 'WUDFHost.exe', 'LockApp.exe', 'MSPCManager.exe', 'services.exe', 'lsass.exe', 'rsSyncSvc.exe', 'pycharm64.exe', 'wininit.exe', 'aDrive.exe', 'winlogon.exe', 'SyncAppServer.exe', 'LMS.exe', 'SogouImeBroker.exe']
allowed_exes = ['LnvSvcFdn.exe', 'services.exe', 'LenovoPcManagerService.exe', 'SogouImeBroker.exe',
'SyncAppServer.exe', 'Lenovo.Modern.ImController.PluginHost.Device.exe', 'PDFEngine.exe', 'Locator.exe',
'winlogon.exe', 'SgrmBroker.exe', 'taskhostw.exe', 'Typora.exe', 'nidmsrv.exe', 'DAX3API.exe',
'WINWORD.EXE', 'CalculatorApp.exe', 'aDrive.exe', '猿辅导.exe', 'SecurityHealthSystray.exe',
'MSPCManager.exe', 'WmiApSrv.exe', 'SunloginClient.exe', 'WmiPrvSE.exe', 'dwm.exe', 'sqlwriter.exe',
'SearchIndexer.exe', 'fontdrvhost.exe', 'WUDFHost.exe', 'rundll32.exe', 'smss.exe', 'FMService64.exe',
'YunDetectService.exe', 'iPDF Viewer.exe', 'wininit.exe', 'tagsrv.exe', 'dllhost.exe', 'NisSrv.exe',
'CodeSetup-stable-ea1445cc7016315d0f5728f8e8b12a45dc0a7286.tmp', 'MindMaster.exe', 'usysdiag.exe',
'System', 'iPDFUpg.exe', 'TestStandService.exe', 'Everything.exe', 'StartMenuExperienceHost.exe',
'nimxs.exe', 'ldnews.exe', 'DSRHost.exe', 'LenovoInternetSoftwareFramework.exe', 'LockApp.exe',
'wlanext.exe', 'IShowSU.exe', 'csrss.exe', 'LAVService.exe', 'SGTool.exe', 'MsMpEng.exe',
'Lenovo.Modern.ImController.exe', 'notepad++.exe', 'BaiduNetdiskUnite.exe', 'RtkAudUService64.exe',
'SearchFilterHost.exe', 'Registry', 'rsSyncSvc.exe', '小猿优课.exe', 'lsass.exe',
'mmcrashpad_handler64.exe', 'Video.UI.exe', 'PdsClientsDaemon.exe', 'pdfServer.exe', 'sihost.exe',
'Code.exe', 'OfficeClickToRun.exe', 'explorer.exe', 'svchost.exe', 'WiseOS.exe', 'BaiduNetdisk.exe',
'WeChatOCR.exe', 'smartscreen.exe', 'CompPkgSrv.exe', 'jhi_service.exe', 'LenovoTray.exe', 'ctfmon.exe',
'SearchApp.exe', 'Lsf.exe', 'PhoneExperienceHost.exe',
'CodeSetup-stable-ea1445cc7016315d0f5728f8e8b12a45dc0a7286.exe', 'AggregatorHost.exe', 'wemeetapp.exe',
'niauth_daemon.exe', 'msedgewebview2.exe', 'SnippingTool.exe', 'dasHost.exe', 'unsecapp.exe',
'IShowServer.exe', 'baidunetdiskhost.exe', 'lkads.exe', 'WeChat.exe', 'lktsrv.exe',
'NVDisplay.Container.exe', 'pycharm64.exe', 'audiodg.exe', 'esif_uf.exe', 'System Idle Process',
'WeChatAppEx.exe', 'SearchProtocolHost.exe', 'MemCompression', 'python.exe', 'plugin_host.exe',
'MpDefenderCoreService.exe', 'LISFService.exe', 'EXCEL.EXE', 'WeChatUtility.exe',
'crashpad_handler.exe', 'ai.exe', 'WeChatPlayer.exe', 'fsnotifier.exe', 'TextInputHost.exe',
'spoolsv.exe', 'splwow64.exe', 'NvTelemetryContainer.exe', 'ChsIME.exe', 'conhost.exe',
'MSPCManagerService.exe', 'MSOfficePLUSService.exe', 'SogouCloud.exe', 'UserOOBEBroker.exe',
'HPPrintScanDoctorService.exe', 'RuntimeBroker.exe', 'service.exe', 'FSCapture-动态截图工具.exe',
'xnnexternal.exe', 'SecurityHealthService.exe', 'ApplicationFrameHost.exe', 'mDNSResponder.exe',
'sublime_text.exe', 'LMS.exe', 'CastSrv.exe','cmd.exe','wemeetcrashhandler.exe','backgroundTaskHost.exe',
'WMIC.exe','Appvant.exe']
def is_allowed_exe(exe_name):
"""检查EXE名称是否在允许访问的清单中"""
return exe_name.lower() in [name.lower() for name in allowed_exes]
def kill_process(process_name):
"""杀死某个进程并记录到日志文件中"""
for proc in psutil.process_iter():
try:
if process_name.lower() == proc.name().lower():
proc.kill()
logging.info(f"{process_name} killed")
print(f"{process_name} 已被杀死")
# 手动刷新缓冲区
logging.getLogger().handlers[0].flush()
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
pass
def monitor_and_kill_unallowed_exes(interval=1):
"""监控并杀死不在允许访问清单中的EXE"""
while True:
for proc in psutil.process_iter():
try:
exe_name = proc.name()
if not is_allowed_exe(exe_name):
print(f"{exe_name} 不在允许访问清单中")
kill_process(exe_name)
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
pass
time.sleep(interval)
if __name__ == "__main__":
monitor_and_kill_unallowed_exes()
二、增加自定义白名单文件
考虑到适用性,除了默认的白名单文件,增加了自定义白名单文件
# -*- coding: utf-8 -*-
# @Author: GraceJiang
# @Date: 2024/7/5
# @Description:
import psutil
import time
import logging
import os
# 配置日志记录,禁用缓冲
logging.basicConfig(filename='killed_exes.log', level=logging.INFO, format='%(asctime)s - %(message)s', filemode='a',
force=True)
# 默认允许访问的EXE名称清单
# allowed_exes = ['notepad++.exe','SgrmBroker.exe', 'TextInputHost.exe', 'ChsIME.exe', 'HPPrintScanDoctorService.exe', 'esif_uf.exe', 'OfficeClickToRun.exe', 'smartscreen.exe', 'dllhost.exe', 'System Idle Process', 'spoolsv.exe', 'wlanext.exe', 'fontdrvhost.exe', 'PhoneExperienceHost.exe', 'FMService64.exe', 'lkads.exe', 'msedgewebview2.exe', 'WmiApSrv.exe', 'LAVService.exe', 'Lenovo.Modern.ImController.exe', 'NisSrv.exe', 'explorer.exe', 'NVDisplay.Container.exe', 'dasHost.exe', 'Lsf.exe', 'System', 'MSOfficePLUSService.exe', 'AggregatorHost.exe', 'ldnews.exe', 'SogouCloud.exe', 'DAX3API.exe', 'usysdiag.exe', 'audiodg.exe', 'tagsrv.exe', 'csrss.exe', 'StartMenuExperienceHost.exe', 'NvTelemetryContainer.exe', 'SecurityHealthService.exe', 'rundll32.exe', 'MemCompression', 'svchost.exe', 'nimxs.exe', 'crashpad_handler.exe', 'IShowServer.exe', 'service.exe', 'sihost.exe', 'chrome.exe', 'MsMpEng.exe', 'dwm.exe', 'pdfServer.exe', 'PdsClientsDaemon.exe', 'LenovoTray.exe', 'Locator.exe', 'DSRHost.exe', 'RtkAudUService64.exe', 'Registry', 'Everything.exe', 'SearchIndexer.exe', 'Lenovo.Modern.ImController.PluginHost.Device.exe', 'lktsrv.exe', 'SecurityHealthSystray.exe', 'IShowSU.exe', 'SunloginClient.exe', 'nidmsrv.exe', 'RuntimeBroker.exe', 'unsecapp.exe', 'LenovoInternetSoftwareFramework.exe', 'python.exe', 'PDFEngine.exe', 'SearchApp.exe', 'ctfmon.exe', 'sqlwriter.exe', 'CastSrv.exe', 'taskhostw.exe', 'WmiPrvSE.exe', 'mDNSResponder.exe', 'niauth_daemon.exe', 'CompPkgSrv.exe', 'LISFService.exe', 'TestStandService.exe', 'LnvSvcFdn.exe', 'MSPCManagerService.exe', 'jhi_service.exe', 'fsnotifier.exe', 'smss.exe', 'conhost.exe', 'MpDefenderCoreService.exe', 'LenovoPcManagerService.exe', 'WUDFHost.exe', 'LockApp.exe', 'MSPCManager.exe', 'services.exe', 'lsass.exe', 'rsSyncSvc.exe', 'pycharm64.exe', 'wininit.exe', 'aDrive.exe', 'winlogon.exe', 'SyncAppServer.exe', 'LMS.exe', 'SogouImeBroker.exe']
default_allowed_exes = ['LnvSvcFdn.exe', 'services.exe', 'LenovoPcManagerService.exe', 'SogouImeBroker.exe',
'SyncAppServer.exe', 'Lenovo.Modern.ImController.PluginHost.Device.exe', 'PDFEngine.exe', 'Locator.exe',
'winlogon.exe', 'SgrmBroker.exe', 'taskhostw.exe', 'Typora.exe', 'nidmsrv.exe', 'DAX3API.exe',
'WINWORD.EXE', 'CalculatorApp.exe', 'aDrive.exe', '猿辅导.exe', 'SecurityHealthSystray.exe',
'MSPCManager.exe', 'WmiApSrv.exe', 'SunloginClient.exe', 'WmiPrvSE.exe', 'dwm.exe', 'sqlwriter.exe',
'SearchIndexer.exe', 'fontdrvhost.exe', 'WUDFHost.exe', 'rundll32.exe', 'smss.exe', 'FMService64.exe',
'YunDetectService.exe', 'iPDF Viewer.exe', 'wininit.exe', 'tagsrv.exe', 'dllhost.exe', 'NisSrv.exe',
'CodeSetup-stable-ea1445cc7016315d0f5728f8e8b12a45dc0a7286.tmp', 'MindMaster.exe', 'usysdiag.exe',
'System', 'iPDFUpg.exe', 'TestStandService.exe', 'Everything.exe', 'StartMenuExperienceHost.exe',
'nimxs.exe', 'ldnews.exe', 'DSRHost.exe', 'LenovoInternetSoftwareFramework.exe', 'LockApp.exe',
'wlanext.exe', 'IShowSU.exe', 'csrss.exe', 'LAVService.exe', 'SGTool.exe', 'MsMpEng.exe',
'Lenovo.Modern.ImController.exe', 'notepad++.exe', 'BaiduNetdiskUnite.exe', 'RtkAudUService64.exe',
'SearchFilterHost.exe', 'Registry', 'rsSyncSvc.exe', '小猿优课.exe', 'lsass.exe',
'mmcrashpad_handler64.exe', 'Video.UI.exe', 'PdsClientsDaemon.exe', 'pdfServer.exe', 'sihost.exe',
'Code.exe', 'OfficeClickToRun.exe', 'explorer.exe', 'svchost.exe', 'WiseOS.exe', 'BaiduNetdisk.exe',
'WeChatOCR.exe', 'smartscreen.exe', 'CompPkgSrv.exe', 'jhi_service.exe', 'LenovoTray.exe', 'ctfmon.exe',
'SearchApp.exe', 'Lsf.exe', 'PhoneExperienceHost.exe',
'CodeSetup-stable-ea1445cc7016315d0f5728f8e8b12a45dc0a7286.exe', 'AggregatorHost.exe', 'wemeetapp.exe',
'niauth_daemon.exe', 'msedgewebview2.exe', 'SnippingTool.exe', 'dasHost.exe', 'unsecapp.exe',
'IShowServer.exe', 'baidunetdiskhost.exe', 'lkads.exe', 'WeChat.exe', 'lktsrv.exe',
'NVDisplay.Container.exe', 'pycharm64.exe', 'audiodg.exe', 'esif_uf.exe', 'System Idle Process',
'WeChatAppEx.exe', 'SearchProtocolHost.exe', 'MemCompression', 'python.exe', 'plugin_host.exe',
'MpDefenderCoreService.exe', 'LISFService.exe', 'EXCEL.EXE', 'WeChatUtility.exe',
'crashpad_handler.exe', 'ai.exe', 'WeChatPlayer.exe', 'fsnotifier.exe', 'TextInputHost.exe',
'spoolsv.exe', 'splwow64.exe', 'NvTelemetryContainer.exe', 'ChsIME.exe', 'conhost.exe',
'MSPCManagerService.exe', 'MSOfficePLUSService.exe', 'SogouCloud.exe', 'UserOOBEBroker.exe',
'HPPrintScanDoctorService.exe', 'RuntimeBroker.exe', 'service.exe', 'FSCapture-动态截图工具.exe',
'xnnexternal.exe', 'SecurityHealthService.exe', 'ApplicationFrameHost.exe', 'mDNSResponder.exe',
'sublime_text.exe', 'LMS.exe', 'CastSrv.exe', 'cmd.exe', 'wemeetcrashhandler.exe',
'backgroundTaskHost.exe',
'WMIC.exe', 'Appvant.exe','Taskmgr.exe','exemonitoring2.exe','Uedit32.exe']
# 从文件中读取允许的EXE名称
allowed_exes_file = 'allowed_exes.txt'
additional_allowed_exes = []
# 检查文件是否存在,如果不存在则创建空文件
if not os.path.exists(allowed_exes_file):
with open(allowed_exes_file, 'w') as file:
pass
else:
with open(allowed_exes_file, 'r') as file:
additional_allowed_exes = [line.strip().lower() for line in file if line.strip()]
# 合并默认允许的EXE名称和从文件中读取的EXE名称
allowed_exes = default_allowed_exes + additional_allowed_exes
def is_allowed_exe(exe_name):
"""检查EXE名称是否在允许访问的清单中"""
return exe_name.lower() in [name.lower() for name in allowed_exes]
def kill_process(process_name):
"""杀死某个进程并记录到日志文件中"""
for proc in psutil.process_iter():
try:
if process_name.lower() == proc.name().lower():
proc.kill()
logging.info(f"{process_name} killed")
print(f"{process_name} 已被杀死")
# 手动刷新缓冲区
logging.getLogger().handlers[0].flush()
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
pass
def monitor_and_kill_unallowed_exes(interval=1):
"""监控并杀死不在允许访问清单中的EXE"""
while True:
for proc in psutil.process_iter():
try:
exe_name = proc.name()
if not is_allowed_exe(exe_name):
print(f"{exe_name} 不在允许访问清单中")
kill_process(exe_name)
except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
pass
time.sleep(interval)
if __name__ == "__main__":
monitor_and_kill_unallowed_exes()程序打包:pyinstaller --onefile --noconsole exemonitoring2.py
打包后的文件名为exemonitoring2.exe,这个也需要加入白名单的哦
