
Title: [Text processing] [Solved] How can a batch file trim the head and tail of a text file and keep only the useful information?

Author: batpro    Posted: 2011-7-5 20:46     Title: [Solved] How can a batch file trim the head and tail of a text file and keep only the useful information?

This post was last edited by batpro on 2011-7-6 08:12

In 1.txt:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    \360tray
    \360safe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    \StormCodec_Helper
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_CURRENT_USER\Control Panel\Desktop

How can a bat file trim the head and tail, keep only the useful information, and produce 2.txt:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    \360tray
    \360safe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    \StormCodec_Helper

Explanation: remove every [key_ line] whose following line carries no value, and keep everything else.
Author: CrLf    Posted: 2011-7-5 22:12

I read your post on Kafan (卡饭) and was moved by your persistence and your spirit of sharing, but although I want to help I don't know where to start, mainly because a few things are unclear to me:

    1. The rule you state is "remove every [key_ line] whose following line carries no value", but the example you give doesn't obviously match that rule.
    2. Why does line 1 of the first part move to line 7 in the second part? I can't see any pattern in that.
    3. Why does the value \360safe appear twice in the second part?

Whether or not this matches what you mean, here first is a common way to trim the head and the tail:

    @echo off
    rem skip=1 drops the first line; the last line is read into str but never echoed
    (for /f "skip=1 delims=" %%a in (1.txt) do (
       if defined str echo;!str:~1!
       endlocal
       set "str=#%%a"
       setlocal enabledelayedexpansion
    ))>2.txt

If you feel colours and fonts would express it better, post a reply in floor 3 without the code box. That breaks the forum rules, but I fully support enthusiasts who develop practical batch projects, and if points get deducted for it, put them on me.
Just this once, though.
Author: ArdentMan    Posted: 2011-7-5 22:17

This post was last edited by ArdentMan on 2011-7-5 22:49

    @Echo Off&SetLocal EnableDelayedExpansion
    rem "Echo End" appends a sentinel line so the real last line is still compared;
    rem delims= keeps key paths that contain spaces (Control Panel, Windows NT) whole
    (For /F "delims=" %%I IN ('Type 1.txt^&Echo End') Do (
      Set "Str=%%I"
      If "!Var:~,1!" EQU "\" (
        Echo !Var!
        ) Else (
        If "!Str:~,1!" EQU "\" Echo !Var!
      )
      Set "Var=%%I"
    ))>2.txt
    Start 2.txt

Author: CrLf    Posted: 2011-7-5 22:23

3# ArdentMan

In this very special case, %%~pa can be used in place of !Str:~,1! to simplify the code and make it faster.
Author: batpro    Posted: 2011-7-5 22:46

2# zm900612

Sorry about that; I was busy reading posts, didn't leave a note, and ended up posting a duplicate.
Author: batpro    Posted: 2011-7-5 23:18

I am writing a one-click removal version of the SRengLOG smart analysis helper, but during removal the registry items have to be processed into complete registry key paths.
So for the log that a scan of any infected Windows system produces, such as attachment 1, SRengLOG.LOG,

running

    @echo off&setlocal enabledelayedexpansion
    rem separator line used in the SREng log; the first = is the assignment, the rest is the value
    set n2===================================
    rem line number of the "注册表" section header minus one, so that more +n1 starts on it
    for /f "tokens=1 delims=:" %%a in ('findstr /b /n "注册表" SREngLOG.log') do set/a n1=%%a-1
    rem copy that section to a.txt and stop at the next separator line
    >a.txt (for /f "tokens=*" %%a in ('more +!n1! SREngLOG.log') do if not "%%a"=="!n2!" (echo.%%a) else (goto v))
    :v
    cd.>注册表.txt
    cd.>注册表黑名单.txt
    setlocal enabledelayedexpansion
    rem every known-good entry is rewritten to contain 正常 so that findstr /v can drop it later
    for /f "tokens=*" %%i in (a.txt) do (
    set var=%%i
    set "var=!var:注册表=%正常!"
    set "var=!var:(Infected)=%正常!"
    set "var=!var:(Verified)=%正常!"
    set "var=!var:<run><>=%正常!"
    set "var=!var:<WebCheck><>=%正常!"
    set "var=!var:<load><>=%正常!"
    set "var=!var:<N>=%正常!"
    set "var=!var:biroas.dll=C:\WINDOWS\system32\biroas.dll!"
    set "var=!var:<Userinit>=%正常!"
    set "var=!var:<AppInit_DLLs><>=%正常!"
    set "var=!var:<>=%!"
    set "var=!var:<AsusServiceProvider>=%正常!"
    set "var=!var:<; "D:\softwares\杀毒软件\Macfee\Common Framework\UdaterUI.exe" /StartedFromRunKey>=%正常!"
    set "var=!var:[File is missing]=%   [注册表残留项]!"
    set "var=!var:<KernelFaultCheck>=%正常!"
    set "var=!var:<Microsoft Windows>=%正常!"
    set "var=!var:<NetMeeting 3.01>=%正常!"
    set "var=!var:<Microsoft Windows Media Player>=%正常!"
    set "var=!var:AdobeUpdateManager.exe=%正常!"
    set "var=!var:Gemini\H3C\gmMgr_h3c.exe=%正常!"
    set "var=!var:<Microsoft Windows Media Player 11>=%正常!"
    set "var=!var:<msnmsgr><"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background>=%正常!"
    set "var=!var:<Microsoft Windows Mail 7>=%正常!"
    set "var=!var:system32\PSDrvCheck.exe=%正常!"
    set "var=!var:<WrtMon.exe>=%正常!"
    set "var=!var:CCBComponents\DMWZ\CCBCertificate.exe=%正常!"
    set "var=!var:system32\shmgrate.exe =%正常!"
    set "var=!var:system32\themeui.dll=%正常!"
    set "var=!var:<; "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1>=%正常!"
    set "var=!var:<SunJavaUpdateSched><C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe>=%正常!"
    set "var=!var:<nwiz><nwiz.exe /installquiet /keeploaded /nodetect>=%正常!"
    set "var=!var:<nwiz><nwiz.exe /install>=%正常!"
    set "var=!var:\WPS Office Personal\downloads\wpsupdate.vbs=%正常!"
    set "var=!var:<nwiz><; nwiz.exe /install>=%正常!"
    set "var=!var:<SCRNSAVE.EXE><C:\WINDOWS\LITTLE~1.SCR>=%正常!"
    set "var=!var:<WinlogonNotify: Antiwpa><antiwpa.dll>=%正常!"
    set "var=!var:<bgswitch><; C:\WINDOWS\system32\bgswitch.exe>=%正常!"
    set "var=!var:<PHIME2002A>=%正常!"
    set "var=!var:<BC_MGR><"C:\Program Files\交通银行\bcmgr.exe" -r>=%正常!"
    set "var=!var:<IMJPMIG8.1>=%正常!"
    set "var=!var:<\\192.168.0.252\run$\jws.exe>=正常!"
    set "var=!var:Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe=%正常!"
    set "var=!var:ThinkPad\ConnectUtilities\=%正常!"
    set "var=!var:<PHIME2002ASync>=%正常!"
    set "var=!var:<BigDogPath>=%正常!"
    set "var=!var:<iPhone PC Suite>=%正常!"
    set "var=!var:<WebThunder>=%正常!"
    set "var=!var:Outlook=%正常!"
    set "var=!var:ACNotify.dll=%正常!"
    set "var=!var:bin\WinGUI.exe=%正常!"
    set "var=!var:<; C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe>=%正常!"
    set "var=!var:ssMgr_ccb=%正常!"
    set "var=!var:<Vopclient>=%正常!"
    set "var=!var:菜单\程序\启动=%正常!"
    set "var=!var:\ATI Technologies\=%正常!"
    set "var=!var:\ASUS\ASUS Live Update\ALU.exe=%正常!"
    set "var=!var:\kloehk.dll>=%正常!"
    set "var=!var:<PSDrvCheck>=%正常!"
    set "var=!var:<VMware hqtray>=%正常!"
    set "var=!var:<; C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER>=%正常!"
    set "var=!var:PCHealth=%正常!"
    set "var=!var:<EPSON Stylus Photo 1390 Series>=%正常!"
    set "var=!var:<renzheng><C:\renzheng\webaClient.exe>=%正常!"
    set "var=!var:<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>=%正常!"
    set "var=!var:<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>=%正常!"
    set "var=!var:<WinlogonNotify: tpfnf2><notifyf2.dll>=%正常!"
    set "var=!var:<WinlogonNotify: igfxcui><igfxdev.dll>=%正常!"
    set "var=!var:<WinlogonNotify: tphotkey><tphklock.dll>=%正常!"
    set "var=!var:<switch><c:\windows\system32\壁纸自动换.exe>=%正常!"
    set "var=!var:<switch><c:\windows\system32\bgswitch.exe>=%正常!"
    set "var=!var:<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>=%正常!"
    set "var=!var:<AppInit_DLLs><APIHookDll.dll>=%正常!"
    set "var=!var:<domino><C:\WINDOWS\domino.exe>=%正常!"
    set "var=!var:<VMSnap1><C:\WINDOWS\VMSnap1.exe>=%正常!"
    set "var=!var:<HTpatch><C:\WINDOWS\htpatch.exe>=%正常!"
    set "var=!var:<WinlogonNotify: DfLogon><LogonDll.dll>=%正常!"
    set "var=!var:system32/themeui.dll=%正常!"
    set "var=!var:<EQSysSecure>=%正常!"
    set "var=!var:<WinlogonNotify: WgaLogon>=%正常!"
    set "var=!var:<Resume copy><; copyfstq.exe /startup>=%正常!"
    set "var=!var:<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>=%正常!"
    set "var=!var:{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}=%正常!"
    set "var=!var:{60B49E34-C7CC-11D0-8953-00A0C90347FF}=%正常!"
    set "var=!var:{60B49E34-C7CC-11D0-8953-00A0C90347FF}=%正常!"
    set "var=!var:{26923b43-4d38-484f-9b9e-de460746276c}=%正常!"
    set "var=!var:{881dd1c5-3dcf-431b-b061-f3f88e8be88a}=%正常!"
    set "var=!var:{2C7339CF-2B09-4501-B3F3-F3508C9228ED}=%正常!"
    set "var=!var:{44BBA840-CC51-11CF-AAFA-00AA00B6015C}=%正常!"
    set "var=!var:{44BBA842-CC51-11CF-AAFA-00AA00B6015B}=%正常!"
    set "var=!var:{5945c046-1e7d-11d1-bc44-00c04fd912be}=%正常!"
    set "var=!var:{6BF52A52-394A-11d3-B153-00C04F79FAA6}=%正常!"
    set "var=!var:{7790769C-0471-11d2-AF11-00C04FA35D02}=%正常!"
    set "var=!var:{22d6f312-b0f6-11d0-94ab-0080c74c7e95}=%正常!"
    set "var=!var:{89820200-ECBD-11cf-8B85-00AA005B4340}=%正常!"
    set "var=!var:{89820200-ECBD-11cf-8B85-00AA005B4383}=%正常!"
    set "var=!var:{89B4C1CD-B018-4511-B0A1-5476DBF70820}=%正常!"
    set "var=!var:Winlogon\Notify\crypt32chain=正常!"
    set "var=!var:Winlogon\Notify\cryptnet=正常!"
    set "var=!var:Winlogon\Notify\cscdll=正常!"
    set "var=!var:Winlogon\Notify\dimsntfy=正常!"
    set "var=!var:Winlogon\Notify\igfxcui=正常!"
    set "var=!var:Winlogon\Notify\ScCertProp=正常!"
    set "var=!var:Winlogon\Notify\Schedule=正常!"
    set "var=!var:Winlogon\Notify\sclgntfy=正常!"
    set "var=!var:Winlogon\Notify\SensLogn=正常!"
    set "var=!var:Winlogon\Notify\termsrv=正常!"
    set "var=!var:Winlogon\Notify\wlballoon=正常!"
    set "var=!var:\Image File Execution Options\=正常!"
    set "var=!var:\Windows NT\CurrentVersion\Windows=正常!"
    set "var=!var:\Windows NT\CurrentVersion\Winlogon=正常!"
    set "var=!var:Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks=正常!"
    set "var=!var:ShellServiceObjectDelayLoad=正常!"
    set "var=!var:[Microsoft Corporation]=正常!"
    set "var=!var:CurrentVersion\Explorer\SharedTaskSchedule=正常!"
    set "var=!var:HKEY_CURRENT_USER\Control Panel=正常!"
    set "var=!var:<WangWang>=正常!"
    set "var=!var:[VMware, Inc.]=正常!"
    set "var=!var:{=正常!"
    set "var=!var:IFEO=正常!"
    set "var=!var:注册表残留项=%!"
    set "var=!var:[]=%!"
    set "var=!var:<=%\!"
    echo !var! >>注册表.txt
    )
    rem whatever was not marked 正常 is the blacklist; the part before the first > is the key or \name
    @findstr /v "正常" 注册表.txt >>注册表黑名单.txt
    cd.>1.txt
    for /f "tokens=1,2 delims=>" %%i in (注册表黑名单.txt) do echo %%i >>1.txt
    del /q a.txt
    del /q 注册表.txt

produces the trojan registry values, those that do not contain "{":

==========================================================
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explorer><C:\WINDOWS\system32\drivers\TXP1atform.exe>

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<updater><C:\WINDOWS\system32\updater.exe>     []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\system32\透明七~1.SCR>  [Microsoft Corporation] (this one is normal and can be excluded with a whitelist entry)
=====================================================================

Now this needs to be processed further

to produce a complete registry key, for example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\updater

This is the result I want.

Because I can't work out how to get there, I have asked for two days without managing to formulate a good question.
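As an added example that is not code from this thread, here is the key/value join batpro asks for, written in Python rather than batch so it can be run and checked offline. It assumes the layout shown above: a key on a line in square brackets, each value beneath it as <name><data> optionally followed by [vendor], and an empty [] meaning no vendor was recorded. It treats a [Microsoft Corporation] vendor tag as the whitelist criterion, the same way batpro's script rewrites that tag to 正常. The sample text is constructed from the output above, and the names KEY_RE, VALUE_RE, TRUSTED_VENDORS, parse_entries and full_value_paths are mine. Keys with no value line beneath them produce no entries, which is also the "drop value-less keys" rule from the first post.

```python
import re

# Constructed sample: the filtered SREng output shown in the post above.
SAMPLE_OUTPUT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explorer><C:\WINDOWS\system32\drivers\TXP1atform.exe>

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<updater><C:\WINDOWS\system32\updater.exe>     []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\system32\透明七~1.SCR>  [Microsoft Corporation]
"""

# A key line is the registry path in square brackets.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# A value line is <name><data>, optionally followed by a [vendor] tag; "[]" means no vendor.
VALUE_RE = re.compile(r"^<([^<>]*)><([^<>]*)>\s*(?:\[([^\]]*)\])?")

# Vendor tags treated as benign. Assumption taken from the 正常 rule in the script above;
# extend it with your own known-good signers.
TRUSTED_VENDORS = frozenset({"Microsoft Corporation"})


def parse_entries(text):
    """Return (key, name, data, vendor) for every value line, attached to the key above it.

    A key line that has no value line underneath contributes nothing, so the
    value-less keys from the first post disappear here without a separate pass."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data, vendor = value_match.groups()
            entries.append((current_key, name, data, vendor or ""))
    return entries


def full_value_paths(text, trusted=TRUSTED_VENDORS):
    """Full key\\name paths for the entries whose vendor tag is not trusted.

    This is the form batpro wants, e.g. HKEY_..\\Run\\Explorer, which is what a
    removal step would later look up under that key."""
    return [
        f"{key}\\{name}"
        for key, name, _data, vendor in parse_entries(text)
        if vendor not in trusted
    ]


if __name__ == "__main__":
    for path in full_value_paths(SAMPLE_OUTPUT):
        print(path)
```

Run on the sample, the two paths printed are exactly the ones batpro lists as the desired result; the SCRNSAVE.EXE entry is dropped because its vendor tag is trusted, and passing an empty set as trusted keeps all three.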

Author: batpro    Posted: 2011-7-5 23:24

This post was last edited by batpro on 2011-7-5 23:27

If I had to describe a pattern, it would be that the text to be processed looks like
HKEY_~~~any registry path~~~~+~~~~~any value name~~~~~
Author: jsbba    Posted: 2011-7-5 23:45

So frustrating, I can't understand it, how annoying.
Author: CrLf    Posted: 2011-7-5 23:47

First a less general one, borrowing the framework from floor 3:

    @Echo Off&SetLocal EnableDelayedExpansion
    set hh=^


    rem the two lines above must be completely empty: they put a linefeed into hh
    rem ~p of a bare \name is just \, while a registry path gives a longer path part
    For /F "skip=1 delims=" %%I IN (1.txt) Do (
      If "%%~pI" neq "\" (
        set str=!hh!%%I
      ) else (
        set var=!var!!str!!hh!%%I
        set str=
      )
    )
    rem var now holds all kept lines separated by linefeeds; for /f prints them one per line
    for /f "delims=" %%a in ("!var!") do echo %%a
    pause

Author: CrLf    Posted: 2011-7-5 23:53

This one is more general:

    @Echo Off
    rem the inner for carries var and str across the endlocal of each iteration;
    rem a key is held in str and printed only when a value line follows it
    (For /F "skip=1 delims=" %%I IN (1.txt) Do (
      for /f "tokens=1* delims=;" %%a in ("!var!;!str!") do (
        endlocal
        set var=%%a
        set str=%%b
      )
      set var=%%I
      setlocal enabledelayedexpansion
      If "%%~pI" neq "\" (
        set str=!var!
      ) else (
        if defined str echo !str!
        set str=
        echo !var!
      )
    ))>2.txt
    pause

Author: batpro    Posted: 2011-7-6 00:12

Thanks everyone for your hard work.

I'll keep testing and come back in a few days to ask from a different angle.
Author: terse    Posted: 2011-7-6 02:22

In my judgement it could be handled like this; I'm not sure whether it works:

    @Echo Off&SetLocal EnableDelayedExpansion
    rem var holds the most recent key line; it is printed only once a value line follows it,
    rem and a later key simply replaces a key that never got a value
    For /F "tokens=*" %%i IN (1.txt) Do (
        set "str=%%i"
        if "!str:~,1!" equ "\" (
           if defined var (echo !var!&set var=&echo %%i) ELSE echo %%i
        ) else set var=%%i
    )
    pause

Author: batpro    Posted: 2011-7-6 08:12

12# terse

Expert!
After analysing a small number of logs, this code appears to do the job.
Thanks; I hope to keep learning from you.
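The pending-key rule that terse's script implements, and that batpro confirms above, as an added Python example that is not code from the thread. It is the same state machine, generalised to any number of value lines per key, and it makes the two edge cases explicit that the batch versions treat differently: a trailing key with no values is dropped, and a key containing a space such as HKEY_CURRENT_USER\Control Panel\Desktop stays whole. The sample is the 1.txt from the first post; the function names and the GBK default encoding in trim_file are my assumptions.

```python
# Constructed sample: the 1.txt from the first post of the thread.
SAMPLE_1TXT = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\360tray
\360safe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\StormCodec_Helper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CURRENT_USER\Control Panel\Desktop
"""


def is_value_line(line):
    """Value names are written as \\name in this format; anything else is a key path."""
    return line.startswith("\\")


def trim_keys_without_values(lines):
    """Keep every value line and only those key lines followed by at least one value.

    Mirrors terse's batch loop: a key is held as 'pending' and emitted the first
    time a value line appears under it; a newer key replaces an unemitted one, and
    a key still pending at end of input is dropped. Whole lines are compared, so
    keys with spaces survive intact."""
    kept = []
    pending = None
    for raw in lines:
        line = raw.rstrip("\r\n").rstrip()
        if not line:
            continue  # for /f skips empty lines, so this does too
        if is_value_line(line):
            if pending is not None:
                kept.append(pending)
                pending = None
            kept.append(line)
        else:
            pending = line
    return kept


def trim_file(src="1.txt", dst="2.txt", encoding="gbk"):
    """File-to-file form of the batch scripts: read src, write the kept lines to dst.

    Assumption: logs from a Chinese-locale Windows box are GBK; pass another
    encoding if yours differ. Returns the number of lines written."""
    with open(src, encoding=encoding) as fh:
        kept = trim_keys_without_values(fh)
    with open(dst, "w", encoding=encoding, newline="\r\n") as fh:
        fh.write("\n".join(kept) + "\n")
    return len(kept)


if __name__ == "__main__":
    for line in trim_keys_without_values(SAMPLE_1TXT.splitlines()):
        print(line)
```

On the sample this prints the five lines of the wanted 2.txt; the first key and the last four keys vanish because no \name line ever follows them.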




Welcome to 批处理之家 (http://www.bathome.net/) Powered by Discuz! 7.2