
标题 vbscript之通过对比注册表查找隐藏的服务
内容
    系统服务有可能被 rootkit 隐藏,但有些时候我们仍可以从注册表中找到相关的信息。建议以管理员权限运行,否则有些服务列举不出来,或出现错误提示。
    效果图:
    代码(checksvr.vbs):
    代码如下:
    'on error resume next
    const hkey_local_machine = &h80000002
    set oreg=getobject(winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov)
    strkeypath = system\currentcontrolset\services
    oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys
    wscript.echo checking, please wait ...
    wscript.echo
    for each subkey in arrsubkeys
    oreg.getstringvalue hkey_local_machine, strkeypath & \\ & subkey, objectname, strvalue
    if not (strvalue = ) then
    '判断服务, 利用数组来比较不知道会不会快些?
    if not (checksvr(subkey)) then
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ hidden ]
    else
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ ok ]
    end if
    end if
    next
    wscript.echo
    wscript.echo all done.
    wscript.quit (0)
    function checksvr(strname)
    set owmi = getobject(winmgmts: & {impersonationlevel=impersonate}!\\.\root\cimv2)
    set cservice = owmi.execquery(select * from win32_service where name=' & strname & ')
    if (cservice.count <> 0) then
    checksvr = true
    else
    checksvr = false
    end if
    end function
    function formatouttab(strname)
    strlen = len(strname)
    select case true
    case strlen < 8
    formatouttab = vbtab & vbtab & vbtab & vbtab & vbtab
    case strlen < 16
    formatouttab = vbtab & vbtab & vbtab & vbtab
    case strlen < 24
    formatouttab = vbtab & vbtab & vbtab
    case strlen < 32
    formatouttab = vbtab & vbtab
    case strlen < 40
    formatouttab = vbtab
    case else
    formatouttab = vbtab
    end select
    end function
    利用字典,速度要快很多:
    代码如下:
    dim odic, oreg, owmi, arrservices
    const hkey_local_machine = &h80000002
    wscript.echo [*] checking, please wait ...
    wscript.echo
    set odic = createobject(scripting.dictionary)
    set owmi = getobject(winmgmts: & {impersonationlevel=impersonate}!\\.\root\cimv2)
    set arrservices = owmi.execquery(select * from win32_service)
    for each strservice in arrservices
    odic.add strservice.name, strservice.name
    next
    set oreg = getobject(winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov)
    strkeypath = system\currentcontrolset\services
    oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys
    for each subkey in arrsubkeys
    oreg.getstringvalue hkey_local_machine, strkeypath & \\ & subkey, objectname, strvalue
    if not (strvalue = ) then
    if odic.exists(subkey) then
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ ok ]
    else
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ hidden ]
    end if
    end if
    next
    odic.removeall
    wscript.echo
    wscript.echo [*] all done.
    wscript.quit (0)
    function formatouttab(strname)
    strlen = len(strname)
    select case true
    case strlen < 8
    formatouttab = vbtab & vbtab & vbtab & vbtab
    case strlen < 16
    formatouttab = vbtab & vbtab & vbtab
    case strlen < 24
    formatouttab = vbtab & vbtab
    case strlen < 32
    formatouttab = vbtab
    case else
    formatouttab = vbtab
    end select
    end function