
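@echo off
cls
Color 3F
goto Check_Updates
:Main
Setlocal enabledelayedexpansion
Mode con cols=46 lines=12
Title 危险等级分析工具
cls
echo;
echo ★☆★☆★☆★☆★☆★☆★☆★☆★☆★☆★
echo ☆ ☆
echo ★ 批处理危险等级分析助工具 ★
echo ☆ ☆
echo ★ V 1.3 ★
echo ☆ ☆
echo ★ bluewing009 ★
echo ☆ QQ :961881006 ☆
echo ★☆★☆★☆★☆★☆★☆★☆★☆★☆★☆★
rem Batch danger-level analysis tool. Execution starts with the online update check in
rem :Check_Updates and comes back to :Main, which enables delayed expansion - :Analyze
rem relies on it - shows the banner and falls through to :Target_Get.
rem The V line above is the version marker. :Check_Updates as originally written reads it
rem by running the 18th line of this file and taking the third word of the output, so keep
rem everything above that line count-neutral, and keep the number in step with whatever
rem :Check_Updates compares against the server.
rem echo off precedes cls so the command itself is not echoed before the screen clears.
rem ping against the loopback address is used as a short delay throughout the script.
ping /n 3 127.1>nul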
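:Target_Get
rem Ask for the batch file to analyse. A typed or dragged path is accepted, q quits.
rem Only an existing *.bat or *.cmd file goes on to :Prepare; anything else re-prompts.
cls
echo;
echo 请选择要分析的批处理(Q=退出):
echo;
echo 拖动或输入均可
echo;
rem set /p leaves the variable untouched on an empty answer, so clear it first and
rem re-prompt instead of running the substring checks on an undefined name.
set "Target_File="
set /p Target_File=
if not defined Target_File goto Target_Get
rem Drop the quotes a drag-and-drop adds around the path.
set "Target_File=%Target_File:"=%"
if /i "%Target_File%"=="q" exit
if /i "%Target_File:~-4%"==".bat" if exist "%Target_File%" goto Prepare
if /i "%Target_File:~-4%"==".cmd" if exist "%Target_File%" goto Prepare
echo 目标文件不是批处理文件(*.bat *.cmd)
ping /n 3 127.1>nul
goto Target_Get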
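:Prepare
rem Split the chosen path into folder and base name; the report is written next to the
rem analysed file under that name. The label lost its leading colon and P in the paste
rem - :Target_Get jumps here with goto Prepare.
for /f "delims=" %%i in ("%Target_File%") do (
set "Target_File_Name=%%~ni"
set "Target_File_Path=%%~dpi"
)
call :Bat_Decrypt "%Target_File%"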
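:Analyze
rem Scan the decrypted copy in the temp folder for the commands in the weighted list below
rem and write a report next to the analysed file. Risk_level_ becomes the highest weight of
rem any command found; Suspicious_level is found lines as a percentage of key lines, where
rem a key line is any line not starting with echo, set, pause, a colon or rem.
rem The lookup is findstr prefix matching, so a short name such as sc, rd or reg also
rem counts longer commands that start the same way, and one line can be counted more
rem than once. Read the figures as a heuristic, not a verdict.
cls
set /a NO.=Risk_level_=Key_NO.=NO._Doing=0
set "Report_Head=%temp%\详细分析_1.txt"
set "Report_Body=%temp%\详细分析_2.txt"
set "Decrypt=%temp%\decrypt.txt"
set "Key_Code=%temp%\key_code.txt"
set "Key_Code_Special=%temp%\key_code_special.txt"
set "Key_Code_Output=%temp%\key_code_output.txt"
echo 批处理可疑程度分析报告>"%Report_Head%"
echo By bluewing009 QQ 961881006 >>"%Report_Head%"
echo;>>"%Report_Head%"
echo 分析文件:%Target_File% >>"%Report_Head%"
rem Start the findings section empty so a leftover from an earlier run is not merged in.
type nul>"%Report_Body%"
rem Key lines: everything except echo, set, pause, labels and rem.
findstr /i /b /v "echo set pause : rem" "%Decrypt%">"%Key_Code%"
rem echo lines that redirect into another file. NOTE(review): this reads the original
rem file rather than the decrypted copy - presumably deliberate; confirm.
findstr /i /b "echo" "%Target_File%" |find ">" >"%Key_Code_Output%"
rem Key lines starting with for or if; the command is searched inside them.
findstr /i /b "for if" "%Key_Code%">"%Key_Code_Special%"
rem The last numbered line is the key-line count; it stays 0 for an empty file.
for /f "usebackq tokens=1* delims=:" %%i in (`findstr /n .* "%Key_Code%"`) do set /a Key_NO.=%%i
for %%m in (
"5 : format : 格式化磁盘"
"5 : debug : 内存修改"
"5 : ftp : 传输未知文件"
"4 : assoc : 修改文件关联"
"4 : start : 调用未知文件"
"4 : cscript : 调用未知脚本"
"4 : mshta : 调用未知脚本"
"4 : reg : 操作注册表键值"
"4 : cacls : 修改文件访问控制"
"4 : icacls : 修改文件访问控制"
"4 : Bootcfg : 修改系统加载项目"
"4 : ntsd : 进程调试"
"4 : regsvr32 : 注册dll文件"
"4 : route : 路由操作"
"4 : sc : 服务操作"
"4 : arp : 修改地址解析协议(ARP)"
"3 : del : 删除文件"
"3 : erase : 删除文件"
"3 : rd : 删除目录"
"3 : rmdir : 删除目录"
"3 : cprofile : 清除配置文件"
"3 : ftype : 修改文件关联扩展"
"3 : replace : 替换文件"
"2 : attrib : 修改文件属性"
"2 : convert : 修改卷类型"
"2 : device : 加载设备驱动"
"2 : schtasks : 修改计划任务"
"2 : shutdown : 关闭计算机"
"2 : subst : 虚拟驱动器"
"2 : taskkill : 结束任务或进程"
"2 : tskill : 结束任务或进程"
"1 : copy : 复制文件"
"1 : xcopy : 复制文件夹"
"1 : mkdir : 创建目录或子目录"
"1 : md : 创建目录或子目录"
"1 : move : 移动文件"
"1 : ren : 修改文件名"
"1 : rename : 修改文件名"
) do (
rem Progress is kept in tenths of a percent, 2.6 per entry, so the last entry shows 98.8.
set /a NO._Doing+=26
set /a NO._Doing_Number=NO._Doing/10, NO._Doing_Point=NO._Doing%%10
cls
echo;
echo;
echo 正在解析,请稍后
echo;
echo;
echo !NO._Doing_Number!.!NO._Doing_Point! %%%
rem Entry format is weight : command : description.
for /f "tokens=1,2,* delims=: " %%i in ("%%~m") do (
set "Risk_level_temp=%%i"
set "Code=%%j"
set "Exegesis=%%k"
rem Lines that start with the command, with or without a leading @.
for /f "usebackq tokens=1* delims=:" %%u in (`findstr /n /i /b "!Code! @!Code!" "%Decrypt%"`) do (
echo 第%%u行 !Exegesis! %%v >>"%Report_Body%"
set /a NO.+=1
if !Risk_level_! leq !Risk_level_temp! set /a Risk_level_=Risk_level_temp
)
rem for and if lines that contain the command followed by a space.
for /f "usebackq tokens=1* delims=:" %%u in (`findstr /n /i /C:"!Code! " "%Key_Code_Special%"`) do (
echo 第%%u行 !Exegesis! %%v >>"%Report_Body%"
set /a NO.+=1
if !Risk_level_! leq !Risk_level_temp! set /a Risk_level_=Risk_level_temp
)
rem echo lines that write the command into another file.
for /f "usebackq tokens=1* delims=:" %%u in (`findstr /n /i /C:"!Code! " "%Key_Code_Output%"`) do (
echo 第%%u行 !Exegesis! %%v >>"%Report_Body%"
set /a NO.+=1
if !Risk_level_! leq !Risk_level_temp! set /a Risk_level_=Risk_level_temp
)
)
)
if !Risk_level_!==5 set "Risk_level=★★★★★" & set "Risk_=极度危险"
if !Risk_level_!==4 set "Risk_level=★★★★☆" & set "Risk_=中度危险"
if !Risk_level_!==3 set "Risk_level=★★★☆☆" & set "Risk_=轻度危险"
if !Risk_level_!==2 set "Risk_level=★★☆☆☆" & set "Risk_=需要关注"
if !Risk_level_!==1 set "Risk_level=★☆☆☆☆" & set "Risk_=需要注意"
if !Risk_level_!==0 set "Risk_level=☆☆☆☆☆" & set "Risk_=没有危险"
rem A file with no key lines would otherwise divide by zero and leave the level unset.
if !Key_NO.! gtr 0 (set /a Suspicious_level=!NO.!*100/!Key_NO.!) else set "Suspicious_level=0"
rem Only the working files this script created are removed.
del "%Decrypt%" "%Key_Code%" "%Key_Code_Special%" "%Key_Code_Output%" >nul
echo ============================================== >>"%Report_Head%"
echo 危险等级: !Risk_level! !Risk_! >>"%Report_Head%"
echo 可疑程度: !Suspicious_level!%%>>"%Report_Head%"
echo ============================================== >>"%Report_Head%"
set "Report=%Target_File_Path%%Target_File_Name%_详细分析.txt"
copy /b "%Report_Head%"+"%Report_Body%" "%Report%" >nul
del "%Report_Head%" "%Report_Body%" >nul
cls
echo;
echo 分 析 结 果
echo ==============================================
echo;
echo 可疑程度越高则说明目标为恶意批处理的可能越大
echo 可疑程度: !Suspicious_level!%%
echo;
echo 危险等级越高则说明可能造成的危害程度越大
echo 危险等级: !Risk_level!
echo;
ping /n 3 127.1>nul
start "" "%Report%"
pause>nul
exit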
rem 以下为调用组件
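:Bat_Decrypt
rem Decryption component. Batch "encryption" is usually there to protect a work, so think
rem before publishing a decrypted file; respecting the author is respecting yourself.
rem The first argument is the path of the file to decrypt. By Bluewing009
rem Each line is read, the shell specials are replaced by #_n_# tokens, ampersands become
rem line breaks, and :Bat_Decrypt_Key appends the restored line to decrypt.txt in the temp
rem folder. That helper executes lines containing "set " from the analysed file in this
rem process, so analyse untrusted files only in a disposable environment.
cls
rem Remove only the one working file; the earlier del /s recursed into every sub-folder of temp.
del /f /q "%temp%\decrypt.txt" >nul 2>nul
echo;
echo;
echo 正在尝试解密
echo;
echo 耗时与文件大小有关
echo;
echo ... 请耐心等待 ...
ping /n 2 127.1>nul
setlocal enabledelayedexpansion
rem The two blank lines below must be kept: they give Change_Line a line break, which
rem replaces the ampersand so that chained commands land on separate lines. They were
rem lost in the paste, which made the caret continue into the next command.
set Change_Line=^


set /a NO._Now=0
for /f "usebackq tokens=1* delims=:" %%i in (`findstr/n .* "%~1"`) do set NO._all=%%i
rem NOTE(review): for /f skips empty lines and lines starting with a semicolon, so those never reach the output.
for /f "usebackq delims=" %%a in ("%~1") do (
set var_change=%%a
set /a NO._Now+=1
cls
echo;
echo;
echo 正在解析 !NO._Now!/!NO._all!
set var_change=!var_change:^|=#_1_#!
set var_change=!var_change:^<=#_2_#!
set var_change=!var_change:^>=#_3_#!
set var_change=!var_change:^(=#_4_#!
set var_change=!var_change:^)=#_5_#!
set var_change=!var_change:^"=#_6_#!
set var_change=!var_change:^^=^^^^!
for %%l in ("!Change_Line!") do set var_change=!var_change:^&=%%~l!
call :Bat_Decrypt_Key "!var_change!"
)
goto :eof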
:Bat_Decrypt_Key
rem Restore one escaped line and append it to decrypt.txt in the temp folder.
rem The first argument is the line prepared by :Bat_Decrypt: shell specials replaced by
rem #_n_# tokens, ampersands already turned into line breaks.
set str_get=%~1
rem A line containing "set " is executed here so that variables the obfuscated file
rem defines are expanded in the lines that follow. This runs code from the analysed file
rem in the current process; the piped empty line presumably keeps a "set /p" from
rem blocking - confirm. NOTE(review): the test matches "set " anywhere in the line, so
rem words such as "offset " or "reset " qualify too; verify that is intended.
if "!str_get:set =!" neq "!str_get!" (echo;|call %~1&set var_change_back=%~1) else (set var_change_back=%~1)
rem Put the shell specials back, reversing the substitutions made in :Bat_Decrypt.
set var_change_back=!var_change_back:#_1_#=^|!
set var_change_back=!var_change_back:#_2_#=^<!
set var_change_back=!var_change_back:#_3_#=^>!
set var_change_back=!var_change_back:#_4_#=^(!
set var_change_back=!var_change_back:#_5_#=^)!
set var_change_back=!var_change_back:#_6_#=^"!
rem The temp path is unquoted here, as elsewhere in the script; a temp folder containing
rem a space would break the redirection.
echo !var_change_back!>>%temp%\decrypt.txt
goto :eof
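:Check_Updates
rem Online update check, run first. A version marker is fetched over plain HTTP and
rem compared with the version built into this script; a different value leads to
rem :Check_Updates_Do, which replaces this file with the download. Nothing authenticates
rem the server or the content, so whoever controls that host or the network path decides
rem what this tool runs; an HTTPS source plus a hash or signature check of the download
rem is the missing control. The co.cc host is unlikely to be reachable today.
Setlocal enabledelayedexpansion
Mode con cols=50 lines=10
Title 在线更新
set "version_New=未知"
rem Version built into this script; keep it in step with the V line of the banner in :Main.
rem Reading it by executing a fixed line number of this file, as before, ran whatever text
rem happened to sit on that line and broke as soon as a line was added above it.
set "version_Now=1.3"
cls
echo.
echo.
echo.
echo 正在检查更新
echo.
echo ...请稍后...
rem Generate the helper downloader: CDO.Message fetches the first argument as MHTML, the
rem body goes through an ADODB.Recordset into an ADODB.Stream and is saved as the second.
set "Updater_Vbs=%temp%\Updates_.vbs.vbs"
echo on error resume next >"%Updater_Vbs%"
echo set arg=wscript.arguments >>"%Updater_Vbs%"
echo if arg.count=0 then wscript.quit >>"%Updater_Vbs%"
echo Set Message = CreateObject("CDO.Message") >>"%Updater_Vbs%"
echo Message.CreateMHTMLBody arg(0),31 >>"%Updater_Vbs%"
echo DownLoad= Message.HTMLBody >>"%Updater_Vbs%"
echo Set Message = Nothing >>"%Updater_Vbs%"
echo Set DownRecord=CreateObject("ADODB.Recordset") >>"%Updater_Vbs%"
echo Length=Len(DownLoad)/2 >>"%Updater_Vbs%"
echo DownRecord.Fields.Append "Content",205,Length>>"%Updater_Vbs%"
rem Open and AddNew were fused into one line in the paste; as two statements the record
rem is opened and a row added before Content is written.
echo DownRecord.Open >>"%Updater_Vbs%"
echo DownRecord.AddNew >>"%Updater_Vbs%"
echo DownRecord("Content")=DownLoad^&ChrB(0) >>"%Updater_Vbs%"
echo DownRecord.Update >>"%Updater_Vbs%"
echo DownLoad=DownRecord("Content").GetChunk(Length) >>"%Updater_Vbs%"
echo Set DownContent=CreateObject("ADODB.Stream") >>"%Updater_Vbs%"
echo With DownContent >>"%Updater_Vbs%"
echo .Mode = 3 >>"%Updater_Vbs%"
echo .Type = 1 >>"%Updater_Vbs%"
echo .Open() >>"%Updater_Vbs%"
echo .Write DownLoad >>"%Updater_Vbs%"
echo .SaveToFile arg(1),2 >>"%Updater_Vbs%"
echo End with>>"%Updater_Vbs%"
cscript "%Updater_Vbs%" http://www.bluewing009.co.cc/批处理危险等级_版本标记.htm "%temp%\批处理危险等级_版本标记.txt" >nul
ping /n 1 127.1>nul
rem The first word of the marker file is the published version; a missing file leaves 未知.
if exist "%temp%\批处理危险等级_版本标记.txt" for /f "usebackq" %%i in ("%temp%\批处理危险等级_版本标记.txt") do set "version_New=%%i"
if "%version_New%"=="未知" goto Check_Updates_Error
if "%version_Now%"=="%version_New%" (
del "%Updater_Vbs%" "%temp%\批处理危险等级_版本标记.txt" >nul 2>nul
goto Main
)
goto Check_Updates_Do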
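:Check_Updates_Do
rem Download the replacement script and hand over to a small updater batch that waits,
rem copies the download over this file and restarts it. Nothing verifies what was
rem downloaded and the transport is plain HTTP, so this step trusts the server entirely.
cls
echo.
echo.
echo.
echo 正在下载更新
echo.
echo ...请稍后...
cscript "%temp%\Updates_.vbs.vbs" http://www.bluewing009.co.cc/批处理危险等级_代码.htm "%temp%\批处理危险等级.bat" >nul
ping /n 3 127.1>nul
rem A missing or empty download means the fetch failed; keep running the current copy
rem instead of overwriting this file with nothing.
if not exist "%temp%\批处理危险等级.bat" goto Check_Updates_Error
for %%f in ("%temp%\批处理危险等级.bat") do if %%~zf equ 0 goto Check_Updates_Error
set "Updater_Bat=%temp%\批处理危险等级_更新.bat"
echo @echo off>"%Updater_Bat%"
echo Mode con cols=50 lines=10>>"%Updater_Bat%"
echo Color 3F>>"%Updater_Bat%"
echo Title 在线更新>>"%Updater_Bat%"
echo echo.>>"%Updater_Bat%"
echo echo.>>"%Updater_Bat%"
echo echo.>>"%Updater_Bat%"
echo echo.>>"%Updater_Bat%"
echo echo ...重新启动...>>"%Updater_Bat%"
echo ping /n 3 127.1^>nul>>"%Updater_Bat%"
rem The full path of this script is baked into the updater, whatever its extension is.
echo copy /y "%temp%\批处理危险等级.bat" "%~f0"^>nul >>"%Updater_Bat%"
echo start "" "%~f0">>"%Updater_Bat%"
echo Exit>>"%Updater_Bat%"
rem The downloader is no longer needed once the update file is on disk.
del "%temp%\Updates_.vbs.vbs" >nul 2>nul
start "" "%Updater_Bat%"
exit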
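:Check_Updates_Error
rem The update server could not be reached or the marker had no version; tell the user
rem and continue with the installed copy.
cls
echo.
echo.
echo 无法连接更新服务器
echo.
echo 请下载更新
ping /n 3 127.1>nul
rem Remove the generated downloader and marker so they do not linger in the temp folder.
del "%temp%\Updates_.vbs.vbs" "%temp%\批处理危险等级_版本标记.txt" >nul 2>nul
goto Main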