BestHub
Sign in
Information Security 9 min read

How to Detect Hidden Webshells on Windows Using Python

This guide explains four techniques for uncovering concealed webshells on Windows—NTFS alternate data streams, malformed and reserved filenames, driver‑based hiding with Easy File Locker, and provides Python scripts to locate, list, and optionally remove these malicious files.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
How to Detect Hidden Webshells on Windows Using Python

0X01 NTFS Alternate Data Streams Hidden Webshell

NTFS alternate data streams (ADS) allow a file to contain multiple data streams. Attackers can hide one‑line webshells in ADS, making them invisible to normal traversal. The following Python script scans a directory, lists all ADS files, maps included .asp files, and reports matches.

# -*- coding: cp936 -*-
import os, os.path
import re

def searchNTFS(catalog):
    resultL = []
    for root, dirs, files in os.walk(catalog):
        line = ''
        command = 'cd ' + root + '&' + 'dir /r'
        r = os.popen(command)
        info = r.readlines()
        for l in info:
            line += l
        reN = r'\s(\S+):\$DATA'
        res = re.findall(reN, line)
        for re1 in res:
            if re1 != '':
                resultL.append(root + '\\' + re1)
    return resultL

def searchInclude(catalog):
    resultD = {}
    for root, dirs, files in os.walk(catalog):
        for f in files:
            path = os.path.join(root, f)
            if path[-4:].lower() == '.asp':
                try:
                    with open(path, 'r') as fp:
                        for line in fp.readlines():
                            reN = r'<!--#include\S+="(\S+)"-->'
                            for inc in re.findall(reN, line):
                                if inc:
                                    resultD[root + '\\' + inc] = path
                except:
                    print "File :" + path + " can't be read"
    return resultD

if __name__ == "__main__":
    inc_map = searchInclude('C:\\inetpub\\wwwroot')
    ads_list = set(searchNTFS('C:\\inetpub\\wwwroot'))
    suspicious = set(inc_map.keys()).intersection(ads_list)
    if suspicious:
        for file in suspicious:
            print "[+] Suspicious ADS file: " + file
            print "[+] Included by: " + inc_map[file]
    else:
        print "[+] No suspicious ADS files found."

0X02 Malformed and Reserved Filenames Hidden Webshell

Windows allows filenames with multiple dots (malformed) and reserved names (aux, prn, con, etc.) that are inaccessible via normal UI but can be created using the \.\

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment