Title: [Original][Security script] VBS Process Magnifier
Author: somebody   Time: 2007-12-11 00:10   Title: [Original][Security script] VBS Process Magnifier
Because of the forum software the code layout does not display nicely; I suggest downloading notepad++ for a better view.
notepad++ download address: http://nchc.dl.sourceforge.net/s ... p.4.6.Installer.exe
Main function of the script:
Analyse the module information of injected processes:
1. by checking the manufacturer of the module file
2. by checking the creation time of the module file
Tips:
1. Save the code as ProcessMagnifier.vbs, then just double-click ProcessMagnifier.vbs.
2. The whole run takes about one minute, depending mainly on the number of processes and how idle the CPU is; please let the script finish and do not quit midway.
3. If you need to stop the script, press CTRL+C, but this is strongly discouraged.
4. The script automatically turns on QuickEdit mode for you, so you can easily copy whatever you need.
5. The registry changes are only there to make the output readable; they are reverted whenever the program exits, so use it without worry.
6. After the script finishes, just right-click in the CMD window and press Enter to run the script again.
7. It is recommended to close all IE browser windows before running the script; if IE is open while the script runs, a blank about:blank page will pop up.
8. The code has been tested.
9. Requesting a monthly digest.
Download address: http://kimhoo.lin.googlepages.com/ProcessMagnifier.vbs

' FileName: ProcessMagnifier.vbs
' Function: Capture information about the running processes in detail
' code by somebody
' QQ: 240460440
' LastModified: 2007-12-9 18:50

' Write temporary console settings for cmd.exe (code page 936, screen buffer,
' window size and position, history, QuickEdit) under HKCU so the output is
' readable. The key is deleted again once the script is running under cscript.
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6

' If launched by double-click (wscript.exe), relaunch under cscript in a
' cmd window that stays open (/k) and exit this instance.
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then
    FinalPath = "'" & WScript.ScriptFullName & "'"
    objWSH.Run("cmd.exe /k cscript //nologo " & Replace(FinalPath,"'",""""))
    WScript.Quit
End If

' Running under cscript now: the console has already picked up the settings,
' so restore the registry by removing the temporary key.
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing

' Decode the author name from its character codes and print the banner.
Wscript.Sleep 1000
Mystr = Array(115,111,109,101,98,111,100,121)
for i=0 to Ubound(Mystr)
    author=author&chr(Mystr(i))
next
Wscript.Echo vbCr
Wscript.echo " code by " & author
Wscript.echo " LastModified: 2007-12-9 18:50"
Wscript.Sleep 2000
Wscript.Echo vbCr
str1 = " ╭━━╮╭━━╮╭╭━╮╭━━╮╭━━╮╭━━╮┏━━╮╭╮╭╮"
str4 = " ╰━╮┃┃┃┃┃┃╭╮┃┃╭━╯┃╭╮╮┃┃┃┃┃┃┃┃?┃┃?"
str6 = " ╰━━╯╰━━╯╰╯╰╯╰━━╯╰━━╯╰━━╯┗━━╯?╰╯?"
str3 = " ┃╰━╮┃┃┃┃┃┃┃┃┃╰━╮┃╰╯╯┃┃┃┃┃┃┃┃╰╮╭╯"
str5 = " ╭━╯┃┃╰╯┃┃┃┃┃┃╰━╮┃╰╯┃┃╰╯┃┃╰╯┃?┃┃?"
str2 = " ┃╭━╯┃╭╮┃┃??┃┃╭━╯┃╭╮┃┃╭╮┃┃╭╮┃┃╰╯┃"
myArray = Array(str1,str2,str3,str4,str5,str6)
For each str in myArray
    Wscript.Echo str
Next

WScript.Echo
WScript.Sleep 3000
WScript.Echo "当前正在运行的进程简要信息列表如下:"
WScript.Echo vbCrLf
WScript.Sleep 2000

' Brief list of running processes: name, priority, PID, owner, executable path.
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: Priority: PID: Owner:" &vbTab&vbTab&"ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess in OBJWMIProcess
    ' pad the name so Mid() yields a fixed-width column
    MyOBJProcessName=OBJProcess.Name & Space(20)
    colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
    WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.Priority &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath
Next

WScript.Sleep 5000
WScript.Echo vbCrLf
WScript.Echo "当前正在运行的进程以及其加载的模块详细信息树状结构如下:"
WScript.Echo vbCrLf
WScript.Sleep 3000
WScript.Echo vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab&vbTab& vbTab&"创建时间 文件制造商"

' Tree of every process image and the modules loaded into it. The FullImage
' performance counter class enumerates "process/full path" entries; the path is
' then looked up in CIM_DataFile for the manufacturer string, and in the
' file system for the creation time.
Set OBJWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set OBJRefresher = CreateObject("WbemScripting.SWbemRefresher")
Set colItems = OBJRefresher.AddEnum(OBJWMIService,"Win32_PerfFormattedData_PerfProc_FullImage_Costly").ObjectSet
OBJRefresher.Refresh
Dim originalPath, ModulePath, WMIPathMode, FileManufacturer, LCaseModulePath
Dim FileExtension, mark, MyLCaseModulePath, FinalModulePath
For Each OBJItem In colItems
    originalPath = OBJItem.Name
    ModulePath = Split(originalPath,"/")
    ' WQL string literals need every backslash doubled
    WMIPathMode = Replace(ModulePath(1),"\","\\")
    Set OBJWMI = GetObject("winmgmts:\\.\root\CIMV2")
    Set colManufacturer = OBJWMI.ExecQuery("SELECT * FROM CIM_DataFile Where Name='" & WMIPathMode & "'")
    For Each OBJManufacturer In colManufacturer
        FileManufacturer=Trim(OBJManufacturer.Manufacturer)
        LCaseModulePath=LCase(Trim(OBJManufacturer.Name))
        FileExtension=Right(LCaseModulePath, 3)
        ' pad the path so Mid() yields a fixed-width column
        MyLCaseModulePath=LCaseModulePath & Space(120)
        Set FSO = CreateObject("Scripting.FileSystemObject").GetFile(LCaseModulePath)
        If FileExtension="exe" Then
            ' the process image itself starts a new branch of the tree
            mark="├—"
            FinalModulePath=Mid(MyLCaseModulePath,1,118)
            WScript.Echo "│"
        Else
            ' a module (DLL etc.) loaded into that process
            mark="│├─"
            FinalModulePath=Mid(MyLCaseModulePath,1,116)
        End If
        WScript.Echo mark & FinalModulePath & FSO.DateCreated &vbTab& FileManufacturer
    Next
Next

' Put the cscript command line on the clipboard (via IE's clipboardData) so the
' script can be re-run by right-clicking in the console and pressing Enter.
MyVBSPath = "'" & WScript.ScriptFullName & "'"
Myclipboard = "cscript //nologo " & Replace(MyVBSPath,"'","""")
Set objIE = CreateObject("InternetExplorer.Application")
objIE.Navigate("about:blank")
objIE.document.parentwindow.clipboardData.SetData "text", Myclipboard
[ Last edited by somebody on 2007-12-11 16:12 ]
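The same survey written in PowerShell, as an added example that is not the original poster's script: it walks each process's loaded modules and records the two signals the VBS above uses (vendor string and file creation time), and goes one step further by validating the module's Authenticode signature, which is the check a defender would actually rely on. The seven-day "recently created" threshold is an assumption.

```powershell
# Added example, not the original ProcessMagnifier.vbs. Run from an elevated
# prompt to see modules of processes owned by other users; on a 64-bit host use
# a 64-bit PowerShell or the Modules property of 64-bit processes throws.

$cutoff = (Get-Date).AddDays(-7)   # "recently created" threshold (assumption)

$rows = foreach ($proc in Get-Process) {
    # Protected or other-architecture processes refuse module enumeration
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $proc.Id
            Module    = $path
            Company   = $m.FileVersionInfo.CompanyName   # the VBS "manufacturer" column
            Created   = if ($file) { $file.CreationTime } else { $null }
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
        }
    }
}

# Flag what the post's two heuristics target, plus anything whose signature
# does not validate (unsigned, tampered, or revoked certificate).
$suspect = $rows | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Company) -or
    ($_.Created -and $_.Created -gt $cutoff) -or
    $_.Signature -ne 'Valid'
} | Sort-Object Module -Unique

$suspect | Format-Table Process, PID, Company, Created, Signature, Module -AutoSize
```

A module that is unsigned and carries no vendor string in a process that otherwise loads only Microsoft-signed files is the pattern worth a closer look; a valid signature from a known vendor on a recently created file is usually just an update.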
Author: 随风   Time: 2007-12-11 17:04
So there was another post here, I thought I hadn't seen it.
Good.
Author: youxi01   Time: 2007-12-12 13:54
Young people are young people, still such an impetuous attitude.
Author: novaa   Time: 2007-12-15 14:23
Bookmarked!
Welcome to 批处理之家 (http://bbs.bathome.net/) | Powered by Discuz! 7.2