VBScript之通過對(duì)比注冊(cè)表查找隱藏的服務(wù)

2020-06-26 18:35:34

字體：大中小

供稿：網(wǎng)友

系統(tǒng)服務(wù)有可能被 rootkit 隱藏，但有些時(shí)候我們?nèi)钥梢詮淖?cè)表中找到相關(guān)的信息。建議以管理員權(quán)限運(yùn)行，否則有些服務(wù)列舉不出來或出現(xiàn)錯(cuò)誤的提示

效果圖：

代碼（checksvr.vbs）：

復(fù)制代碼代碼如下:

'On Error Resume Next

Const HKEY_LOCAL_MACHINE = &H80000002

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//./root/default:StdRegProv")

strKeyPath = "SYSTEM/CurrentControlSet/Services"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

Wscript.Echo "Checking, please wait ..."
Wscript.Echo ""

For Each subkey In arrSubKeys
oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "//" & subkey, "ObjectName", strValue

If Not (strValue = "") Then
  '判斷服務(wù), 利用數(shù)組來比較不知道會(huì)不會(huì)快些？
  If Not (CheckSvr(subkey)) Then
   Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
  Else
   Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[   OK   ]"
  End If

End If
Next
Wscript.Echo ""
Wscript.Echo "All done."
Wscript.Quit (0)

Function CheckSvr(strName)
Set oWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!//./root/cimv2")
Set cService = oWMI.ExecQuery("Select * from Win32_Service WHERE Name='" & strName & "'")
If (cService.count <> 0) Then
CheckSvr = True
Else
CheckSvr = False
End If
End Function

Function FormatOutTab(strName)
strLen = Len(strName)
Select Case True
  Case strLen < 8
   FormatOutTab = vbTab & vbTab & vbTab & vbTab & vbTab

  Case strLen < 16
   FormatOutTab = vbTab & vbTab & vbTab & vbTab

  Case strLen < 24
   FormatOutTab = vbTab & vbTab & vbTab

  Case strLen < 32
   FormatOutTab = vbTab & vbTab

  Case strLen < 40
   FormatOutTab = vbTab

  Case Else
   FormatOutTab = vbTab
  End Select
End Function

利用字典，速度要快很多：

復(fù)制代碼代碼如下:

Dim oDic, oReg, oWmi, arrServices
Const HKEY_LOCAL_MACHINE = &H80000002

Wscript.Echo "[*] Checking, please wait ..."
Wscript.Echo ""

Set oDic = CreateObject("Scripting.Dictionary")

Set oWmi = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!//./root/cimv2")
Set arrServices = oWmi.ExecQuery("Select * from Win32_Service")
For Each strService In arrServices
oDic.Add strService.Name, strService.Name
Next

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!//./root/default:StdRegProv")
strKeyPath = "SYSTEM/CurrentControlSet/Services"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

For Each subkey In arrSubKeys
oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "//" & subkey, "ObjectName", strValue
If Not (strValue = "") Then
  If oDic.Exists(subkey) Then
   Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[   OK   ]"
  Else
   Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
  End If
End If
Next

oDic.RemoveAll

Wscript.Echo ""
Wscript.Echo "[*] All done."
Wscript.Quit (0)

Function FormatOutTab(strName)
strLen = Len(strName)
Select Case True
  Case strLen < 8
   FormatOutTab = vbTab & vbTab & vbTab & vbTab

  Case strLen < 16
   FormatOutTab = vbTab & vbTab & vbTab

  Case strLen < 24
   FormatOutTab = vbTab & vbTab

Case strLen < 32
FormatOutTab = vbTab

  Case Else
   FormatOutTab = vbTab
  End Select
End Function

來自： enun.net

上一篇：可以修改腳本自身運(yùn)行次數(shù)的vbs(Self modifying script)

下一篇：VBScript 監(jiān)控并結(jié)束指定進(jìn)程的代碼