�组保留的标签 余下为需要删除的标签
                unset($oldtag[$key]);
            }
        }
    }
    

    if (!empty($oldtag)) {
        $tagids = array();
        foreach ($oldtag as $tagid => $tagname) {
            $tagids[] = $tagid;
        }

        well_oldtag_delete($tagids, $tid);
    }

    $r = well_tag_process($tid, $fid, $create_tag, $tagarr);

    

    return $r;
}

// 删除标签和绑定的主题
function well_oldtag_delete($tagids, $tid)
{
    

    $pagesize = count($tagids);
    $arrlist = well_tag_find_by_tagids($tagids, 1, $pagesize);

    

    $delete_tagids = array(); // 删除
    $tagids = array();
    $n = 0;
    foreach ($arrlist as $val) {
        ++$n;
        
        if (1 == $val['count']) {
            // 只有一个主题
            $delete_tagids[] = $val['tagid'];
            
        } else {
            $tagids[] = $val['tagid'];
        }
        
    }

    

    !empty($delete_tagids) and well_tag_delete($delete_tagids);

    $arlist = well_tag_thread_find_by_tid($tid, 1, $n);
    if ($arlist) {
        $ids = array();
        foreach ($arlist as $val) $ids[] = $val['id'];

        well_tag_thread_delete($ids);
    }

    !empty($tagids) and well_tag_update($tagids, array('count-' => 1));

    
}

// 标签数据处理 $arr=新提交的数组 $tagarr=保留的旧标签
function well_tag_process($tid, $fid, $new_tags = array(), $tagarr = array())
{
    if (empty($tid)) return '';

    

    // 新标签处理入库
    if ($new_tags) {

        

        $threadarr = array();
        $tagids = array();
        $i = 0;
        $size = 5;
        $n = count($tagarr);
        $n = $n > $size ? $size : $size - $n;

        

        foreach ($new_tags as $name) {
            ++$i;
            $name = trim($name);
            $name = stripslashes($name);
            $name = strip_tags($name);
            $name = str_replace(array('&nbsp;', '#', "@", "$", "%", "^", '&', '·', '<', '>', '；', '`', '~', '!', '￥', '……', ';', '?', '？', '-', '—', '_', '=', '+', '.', '{', '}', '|', ':', '：', '、', '/', '。', '[', ']', '【', '】', '‘', '	', '    ', '  ', '   ', '    '), '', $name);
            $name = htmlspecialchars($name, ENT_QUOTES);
            if ($name && $i <= $n) {
                
                // 查询标签
                $read = well_tag_read_name($name);
                
                if ($read) {
                    // 存在 count+1
                    $tagids[] = $read['tagid'];
                    
                } else {
                    // 入库
                    $arr = array('name' => $name, 'count' => 1);
                    
                    $tagid = well_tag_create($arr);
                    FALSE === $tagid and message(-1, lang('create_failed'));
                    $read = array('tagid' => $tagid, 'name' => $name);
                    
                }

                $tag_thread = array('tagid' => $read['tagid'], 'tid' => $tid);

                

                $threadarr[] = $tag_thread;

                

                $tagarr[$read['tagid']] = $read['name'];
            }
        }

        

        !empty($threadarr) and tag_thread_big_insert($threadarr);

        !empty($tagids) and well_tag_update($tagids, array('count+' => 1));
    }

    

    $json = empty($tagarr) ? '' : xn_json_encode($tagarr);

    

    return $json;
}




?>   $v = implode(",", $v);
        $temp[] = $v;
    }
    // 去掉重复的字符串,也就是重复的一维数组
    $temp = array_unique($temp);
    // 再将拆开的数组重新组装
    $output = array();
    foreach ($temp as $k => $v) {
        if ($stkeep) $k = $starr[$k];
        if ($ndformat) {
            $temparr = explode(",", $v);
            foreach ($temparr as $ndkey => $ndval) $output[$k][$ndarr[$ndkey]] = $ndval;
        } else $output[$k] = explode(",", $v);
    }
    return $output;
}

// 合并二维数组 如重复 值以第一个数组值为准
function array2_merge($array1, $array2, $key = '')
{
    if (empty($array1) || empty($array2)) return NULL;
    $arr = array();
    foreach ($array1 as $k => $v) {
        isset($v[$key]) ? $arr[$v[$key]] = array_merge($v, $array2[$k]) : $arr[] = array_merge($v, $array2[$k]);
    }
    return $arr;
}

/*
 * 对二维数组排序 两个数组必须有一个相同的键值
 * $array1 需要排序数组
 * $array2 按照该数组key排序
 * */
function array2_sort_key($array1, $array2, $key = '')
{
    if (empty($array1) || empty($array2)) return NULL;
    $arr = array();
    foreach ($array2 as $k => $v) {
        if (isset($v[$key]) && $v[$key] == $array1[$v[$key]][$key]) {
            $arr[$v[$key]] = $array1[$v[$key]];
        } else {
            $arr[] = $v;
        }
    }

    return $arr;
}




?><!DOCTYPE html><html lang="zh-cn"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta http-equiv="Cache-Control" content="no-transform" /><meta http-equiv="Cache-Control" content="no-siteapp" /><meta name="viewport"
          content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no"><meta name="referrer" content="origin-when-cross-origin"><meta name="applicable-device" content="pc,mobile" /><meta name="MobileOptimized" content="width" /><meta name="HandheldFriendly" content="true" /><meta name="renderer" content="webkit" /><meta name="keywords" content="在Windows日志里发现入侵痕迹" /><meta name="description" content="在Windows日志里发现入侵痕迹" /><title>在Windows日志里发现入侵痕迹编程频道|福州电脑网
</title><link rel="shortcut icon" href="/view/img/favicon.ico" /><link rel="icon" sizes="32x32" href="/view/img/favicon.ico"><link rel="Bookmark" href="/view/img/favicon.ico" /><link rel="stylesheet" href="/view/template/mitiqin/css/style.css?2.3.0"><link rel="stylesheet" href="/view/template/mitiqin/css/iconfont.css?2.3.0"><script src="/view/template/mitiqin/js/jquery-2.2.4.min.js?2.3.0" type="text/javascript"></script></head><body><div id="header"><div class="header container"><div class="logo"><a href="/"  title="福州电脑网_福州电脑维修_福州电脑之家_福州iThome"><img src="/view/template/mitiqin/img/logo.png" alt="福州电脑网_福州电脑维修_福州电脑之家_福州iThome"></a></div><div id="monavber" class="nav" data-type="index" data-infoid><ul id="nav" class="navbar"><li class="navbar-item" data-active="fid-0"><a href="/">首页</a></li><li class="navbar-item" fid="5" data-active="fid-5"><a href="/biancheng">编程之家</a></li><li class="navbar-item" fid="4" data-active="fid-4"><a href="/xitong">系统教程</a></li><li class="navbar-item" fid="12" data-active="fid-12"><a href="/shuma">数码周边</a></li><li class="navbar-item" fid="13" data-active="fid-13"><a href="/pc">电脑</a></li></ul></div><div id="mnav"><i class="iconfont icon-app"></i></div><div id="search"><i class="iconfont icon-search"></i></div><div class="search"><form id="form-search" action="/operate/search.html"><input type="text" name="keyword" placeholder="关键词" value=""/><button type="submit" value="搜索"><i class="iconfont icon-search"></i></button><input type="hidden" name="range" value="1"></form></div></div></div>
<div class="fzithome-com breadcrumb2 container-w"><div id="b" class="cl"><div class="fzithome-com fl"><i class="iconfont icon-home"></i><a href="/">首页</a>&nbsp;>&nbsp;
<a href="/biancheng">编程之家</a><a href="/biancheng/1729009946a861954.html" title="首页">在Windows日志里发现入侵痕迹</a></div></div></div><div class="fzithome-com main container-w cl"><div class="fzithome-com mainl"><div class="fzithome-com art-post"><div class="fzithome-com title"><h1>在Windows日志里发现入侵痕迹</h1><div class="fzithome-com info"><span><a href="/biancheng"><i class="iconfont icon-crossborder-fill"></i>编程之家</a></span><span><i class="iconfont icon-browse"></i>73</span><span><i class="iconfont icon-message-fill"></i>0</span><span>
                        更新时间：2026-04-03 20:26:40</span></div></div><div class="fzithome-com art-content"><article class="single-post"><div class="fzithome-com entry"><p>有小伙伴问：Windows系统日志分析大多都只是对恶意登录事件进行分析的案例，可以通过系统日志找到其他入侵痕迹吗？</p> 
 <p>答案肯定是可以的，当攻击者获取webshell后，会通过各种方式来执行系统命令。所有的web攻击行为会存留在web访问日志里，而执行操作系统命令的行为也会存在在系统日志。</p> 
 <p>不同的攻击场景会留下不一样的系统日志痕迹，不同的Event ID代表了不同的意义，需要重点关注一些事件ID，来分析攻击者在系统中留下的攻击痕迹。</p> 
 <p>我们通过一个攻击案例来进行windows日志分析，从日志里识别出攻击场景，发现恶意程序执行痕迹，甚至还原攻击者的行为轨迹。</p> 
 <hr> 
 <p><strong>1、信息收集</strong></p> 
 <p>攻击者在获取webshell权限后，会尝试查询当前用户权限，收集系统版本和补丁信息，用来辅助权限提升。</p> 
 <pre ><code >whoamisysteminfo
</code></pre> 
 <p><strong>Windows日志分析：</strong></p> 
 <p>在本地安全策略中，需开启审核进程跟踪，可以跟踪进程创建/终止。关键进程跟踪事件和说明，如：</p> 
 <pre ><code >4688 </code></pre></div></article></div><div class="fzithome-com info"><div><span>本文发布于:2024-10-16，感谢您对本站的认可！</span></div><div><span>本文链接:</span><a href="https://www.fzithome.com/biancheng/1729009946a861954.html" title="在Windows日志里发现入侵痕迹">https://www.fzithome.com/biancheng/1729009946a861954.html</a></div><div><span>版权声明:本站内容均来自互联网，仅供演示用，请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系，我们将在24小时内删除。</span></div></div><span class="tag"><i class="iconfont icon-discount" style="font-size:12px;font-weight:bold;opacity:.7;">本文标签：</i><a href="/tag/1119.html" target="_blank">痕迹</a><a href="/tag/327.html" target="_blank">发现</a><a href="/tag/1052.html" target="_blank">日志</a><a href="/tag/67861.html" target="_blank">Windows</a></span></div><div class="fzithome-com post_comments" id="comments"><div id="comt-respond" class="commentpost"><h4>发布评论
<span><a rel="nofollow" id="cancel-reply" href="#comment" style="display:none;"><small>取消回复</small></a></span></h4><form action="/comment/create/861954.html?safe_token=dBTf2agLF_2BpXS7XqhDvcw_2F_2B5lTaX_2BRZdAUcWUQEaYKI1iPGLRwcGUdkYam4Y2TACLJbANo3Yjj5pG0sNFh_2BdUw_3D_3D" method="post" name="saypl" id="frmSumbit"><input type="hidden" name="doctype" value="1" /><input type="hidden" name="quotepid" value="0" /><div id="comment-tools"><div class="fzithome-com tools_text"><textarea placeholder="请在这里留言..." name="message" id="txaArticle" class="text input-block-level comt-area" cols="50" rows="4" tabindex="5"></textarea></div></div><div class="fzithome-com psumbit"><input name="sumbit" type="submit" tabindex="6" value="发布" class="button" /></div></form></div><div class="fzithome-com commentlist"><div class="fzithome-com comment-tab"><div class="fzithome-com come-comt">评论列表<span id="comment_count">（有<span id="infocommentnumarea" style="color:#c81111">0</span>条评论）</span></div></div><ul class="diy-comment"></ul></div></div></div><div class="fzithome-com mainr"><section id="aside_about" class="widget widget_aside_about sb br mb"><div class="avatar"><img class="img" src="/view/template/mitiqin/img/tx.jpg"
             alt="福州电脑网_福州电脑维修_福州电脑之家_福州iThome"/></div><div class="wrap pd"><p class="title">福州电脑网_福州电脑维修_福州电脑之家_福州iThome</p><p class="info">福州电脑维修网(fzithome.com)专业的电脑维修,笔记本维修,上门维修各种电脑,笔记本,平板等,快速上门.电脑知识频道内容覆盖:计算机资讯,电脑基础应用知识,各种电脑故障维修学习,电脑外设产品维修维护,病毒，软件,硬件,常识.</p><ul class="ul clearfix"></ul></div></section><div class="fzithome-com clear"></div><div class="fzithome-com widgets"><h4 class="bar">相关推荐</h4><div class="fzithome-com hot-post"><ul class="clearfix"><li><a href="/biancheng/1755062394a2666479.html"title='Windows自动安装工具包（Windows AIK）中文版（转）' aria-label='Windows自动安装工具包（Windows AIK）中文版（转）'><span class="sptit">Windows自动安装工具包（Windows AIK）中文版（转）</span></a></li><li><a href="/biancheng/1755062462a2666484.html"title='Windows 10 安装FileZilla server 中文版 0.9.46 局域网FTP' aria-label='Windows 10 安装FileZilla server 中文版 0.9.46 局域网FTP'><span class="sptit">Windows 10 安装FileZilla server 中文版 0.9.46 局域网FTP</span></a></li><li><a href="/biancheng/1755063074a2666538.html"title='下载windows版的redis及redis客户端' aria-label='下载windows版的redis及redis客户端'><span class="sptit">下载windows版的redis及redis客户端</span></a></li><li><a href="/biancheng/1755064439a2666653.html"title='windows上安装虚拟机及搭建Linux环境' aria-label='windows上安装虚拟机及搭建Linux环境'><span class="sptit">windows上安装虚拟机及搭建Linux环境</span></a></li><li><a href="/biancheng/1755065256a2666724.html"title='Windows 通过 Docker 安装 GitLab' aria-label='Windows 通过 Docker 安装 GitLab'><span class="sptit">Windows 通过 Docker 安装 GitLab</span></a></li><li><a href="/biancheng/1755065345a2666731.html"title='HP LoadRunner11 Windows版官方中文使用教程' aria-label='HP LoadRunner11 Windows版官方中文使用教程'><span class="sptit">HP LoadRunner11 Windows版官方中文使用教程</span></a></li><li><a href="/biancheng/1755065520a2666744.html"title='【最佳实践】瀚高数据库 Windows企业版v6.0.4 的安装' aria-label='【最佳实践】瀚高数据库 Windows企业版v6.0.4 的安装'><span class="sptit">【最佳实践】瀚高数据库 Windows企业版v6.0.4 的安装</span></a></li><li><a href="/biancheng/1755065959a2666778.html"title='CARLA在Windows上的安装与运行' aria-label='CARLA在Windows上的安装与运行'><span class="sptit">CARLA在Windows上的安装与运行</span></a></li><li><a href="/biancheng/1755066012a2666782.html"title='【Windows版】配置CC++开发环境' aria-label='【Windows版】配置CC++开发环境'><span class="sptit">【Windows版】配置CC++开发环境</span></a></li><li><a href="/biancheng/1755066394a2666808.html"title='Windows安装TensorFlow2.3.1GPU版' aria-label='Windows安装TensorFlow2.3.1GPU版'><span class="sptit">Windows安装TensorFlow2.3.1GPU版</span></a></li><li><a href="/biancheng/1755066600a2666824.html"title='Docker Desktop 在 Windows 上的安装和使用' aria-label='Docker Desktop 在 Windows 上的安装和使用'><span class="sptit">Docker Desktop 在 Windows 上的安装和使用</span></a></li><li><a href="/biancheng/1755066661a2666829.html"title='解决WINDOWS挂载NFS后文件中文名显示乱码问题' aria-label='解决WINDOWS挂载NFS后文件中文名显示乱码问题'><span class="sptit">解决WINDOWS挂载NFS后文件中文名显示乱码问题</span></a></li><li><a href="/biancheng/1755066891a2666846.html"title='C++ windows.h详解' aria-label='C++ windows.h详解'><span class="sptit">C++ windows.h详解</span></a></li><li><a href="/biancheng/1755067322a2666881.html"title='【你好，windows】windows 10 x86x64 Enterprise 2016 LTSB纯净版2020.1.11' aria-label='【你好，windows】windows 10 x86x64 Enterprise 2016 LTSB纯净版2020.1.11'><span class="sptit">【你好，windows】windows 10 x86x64 Enterprise 2016 LTSB纯净版2020.1.11</span></a></li><li><a href="/biancheng/1755067380a2666885.html"title='Windows 10 20H2 (Updated 2021-01-24 v19042.746)' aria-label='Windows 10 20H2 (Updated 2021-01-24 v19042.746)'><span class="sptit">Windows 10 20H2 (Updated 2021-01-24 v19042.746)</span></a></li><li><a href="/biancheng/1755067446a2666888.html"title='Windows 下安装与使用 vscode' aria-label='Windows 下安装与使用 vscode'><span class="sptit">Windows 下安装与使用 vscode</span></a></li><li><a href="/biancheng/1755068655a2666978.html"title='如何在 Windows 命令提示符下使用被动 FTP 模式？' aria-label='如何在 Windows 命令提示符下使用被动 FTP 模式？'><span class="sptit">如何在 Windows 命令提示符下使用被动 FTP 模式？</span></a></li><li><a href="/xitong/1767334730a2675814.html"title='检测与仿真程序冲突排查指南' aria-label='检测与仿真程序冲突排查指南'><span class="sptit">检测与仿真程序冲突排查指南</span></a></li><li><a href="/xitong/1771764009a2689941.html"title='当IDEA的Local Changes和settings遇到障碍，如何顺利前进？' aria-label='当IDEA的Local Changes和settings遇到障碍，如何顺利前进？'><span class="sptit">当IDEA的Local Changes和settings遇到障碍，如何顺利前进？</span></a></li><li><a href="/xitong/1773639414a2703555.html"title='U盘感染，System Volume Information撑住不删？实用清除策略！' aria-label='U盘感染，System Volume Information撑住不删？实用清除策略！'><span class="sptit">U盘感染，System Volume Information撑住不删？实用清除策略！</span></a></li></ul></div></div><div class="fzithome-com clear"></div><div class="widget widget_tags"><h4 class="bar">标签列表</h4><ul><li class="submenu"><a target="_blank" href="/tag/244941.html">再困扰你</a></li><li class="submenu"><a target="_blank" href="/tag/244912.html">分区格式</a></li><li class="submenu"><a target="_blank" href="/tag/244878.html">小米推出</a></li><li class="submenu"><a target="_blank" href="/tag/244814.html">如果量产</a></li><li class="submenu"><a target="_blank" href="/tag/244785.html">忘记怎么</a></li><li class="submenu"><a target="_blank" href="/tag/244775.html">插件教程</a></li><li class="submenu"><a target="_blank" href="/tag/244744.html">核心上运</a></li><li class="submenu"><a target="_blank" href="/tag/244709.html">战绩数据</a></li><li class="submenu"><a target="_blank" href="/tag/244663.html">反斜杠</a></li><li class="submenu"><a target="_blank" href="/tag/244658.html">使用反斜</a></li><li class="submenu"><a target="_blank" href="/tag/244641.html">键盘自带</a></li><li class="submenu"><a target="_blank" href="/tag/244611.html">迅雷任务</a></li><li class="submenu"><a target="_blank" href="/tag/244588.html">播放量</a></li><li class="submenu"><a target="_blank" href="/tag/244568.html">句柄的窗</a></li><li class="submenu"><a target="_blank" href="/tag/244560.html">有的文件</a></li><li class="submenu"><a target="_blank" href="/tag/244558.html">到的一篇</a></li><li class="submenu"><a target="_blank" href="/tag/244548.html">清除微信</a></li><li class="submenu"><a target="_blank" href="/tag/244523.html">把无线网</a></li><li class="submenu"><a target="_blank" href="/tag/244522.html">器花屏了</a></li><li class="submenu"><a target="_blank" href="/tag/244478.html">类调用</a></li></ul></div><div class="fzithome-com clear"></div></div></div>