Title: [Original][Security script] VBS: get system driver information
Author: somebody  Time: 2007-12-10 23:54  Title: [Original][Security script] VBS: get system driver information
First, a complaint: the forum's so-called code mode and WYSIWYG mode are really a pain..... code whose structure is clearly neat looks like garbage once pasted here. I'm not going to keep re-editing it; in any case my code looks fine when viewed in notepad++.
First I recommend everyone try this program: notepad++
Latest version: notepad++ v4.6
Download: http://nchc.dl.sourceforge.net/sourceforge/notepad-plus/npp.4.6.Installer.exe
After installing, open my code with notepad++ to view it..
----------------------------------------------------------------------------------------------------------
Preface:
Anyone who has had a virus has probably had a driver-level one.
Virus authors often add drivers to the %systemroot%\system32\drivers directory to evade detection.
----------------------------------------------------------------------------
Main functions of the script:
Get some information about system drivers to judge whether they are safe:
1. By checking the driver file's manufacturer
2. By checking the driver file's creation time
Combining both works best.
Tips:
1. Save the code as a .vbs file and double-click to run it
2. Close all IE browser windows before running the script, because if IE is open while the script runs, a blank about:blank page will pop up
3. After it finishes, right-click in the CMD window and press Enter to run the script again
4. The script reverts every change it makes to the system, so it is safe to use
5. The code has been tested
6. Applying for the monthly featured post
Download: http://kimhoo.lin.googlepages.com/SystemDriver.vbs

' code by somebody
' LastModified: 2007-12-9 19:15
' Test environment: Windows Script Host Version 5.6 & CMD@XP(sp2)

' Temporarily write console settings for cmd.exe under HKCU (code page, buffer,
' window and font) so the relaunched window looks right; the key is deleted again below.
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304160
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "FontFamily"
dwValue5 = 48
strValueName6 = "QuickEdit"
dwValue6 = 2048
strValueName7 = "FontSize"
dwValue7 = 1048584
strValueName8 = "FontWeight"
dwValue8 = 400

oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName7,dwValue7
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName8,dwValue8

' When started by double-click (wscript.exe), relaunch under cscript in a cmd window
Dim objWSH, FinalVBSPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (LCase(Right(WScript.Fullname,11))="wscript.exe") Then
    FinalVBSPath = "'" & WScript.ScriptFullName & "'"
    objWSH.Run("cmd.exe /k cscript //nologo " & Replace(FinalVBSPath,"'",""""))
    Wscript.Quit
End If

' Now running under cscript: cmd.exe has already read the console key, so remove it again
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing

Wscript.Sleep 1000
' Author name assembled from character codes
Mystr = Array(115,111,109,101,98,111,100,121)
For i = 0 To Ubound(Mystr)
    author = author & chr(Mystr(i))
Next
Wscript.Echo vbCr
Wscript.Echo " code by " & author
Wscript.Echo " LastModified: 2007-12-9 18:50"

Wscript.Sleep 2000
Wscript.Echo vbCr
' Banner (some characters were lost when the post was saved and show as "?")
str1 = " ╭━━╮╭━━╮╭╭━╮╭━━╮╭━━╮╭━━╮┏━━╮╭╮╭╮"
str4 = " ╰━╮┃┃┃┃┃┃╭╮┃┃╭━╯┃╭╮╮┃┃┃┃┃┃┃┃?┃┃?"
str6 = " ╰━━╯╰━━╯╰╯╰╯╰━━╯╰━━╯╰━━╯┗━━╯?╰╯?"
str3 = " ┃╰━╮┃┃┃┃┃┃┃┃┃╰━╮┃╰╯╯┃┃┃┃┃┃┃┃╰╮╭╯"
str5 = " ╭━╯┃┃╰╯┃┃┃┃┃┃╰━╮┃╰╯┃┃╰╯┃┃╰╯┃?┃┃?"
str2 = " ┃╭━╯┃╭╮┃┃??┃┃╭━╯┃╭╮┃┃╭╮┃┃╭╮┃┃╰╯┃"
myArray = Array(str1,str2,str3,str4,str5,str6)
For Each str In myArray
    Wscript.Echo str
Next
Wscript.Sleep 2000

Wscript.Echo
' Ask which drivers to list: by service state, then by start mode
Dim DriverState, DriverStartMode
DriverState = InputBox("根据系统驱动状态进行筛选:"&chr(13)&chr(10)&chr(10)&"1. Running"&chr(13)&chr(10)&chr(10)&"2. Stopped","请输入筛选条件序号","请输入数字1或2")
If DriverState = "1" Then
    DriverState = "Running"
ElseIf DriverState = "2" Then
    DriverState = "Stopped"
Else
    Msgbox " 输入超出范围!"&chr(13)&chr(10)&chr(10)& "将以默认值:Running 传递参数!"
    DriverState = "Running"
End If

DriverStartMode = InputBox("根据系统驱动启动模式进行筛选:"&chr(13)&chr(10)&chr(10)&"1. Auto"&chr(13)&chr(10)&chr(10)&"2. System"&chr(13)&chr(10)&chr(10)&"3. Boot"&chr(13)&chr(10)&chr(10)&"4. Manual"&chr(13)&chr(10)&chr(10)&"5. Disabled","请输入筛选条件序号","请输入数字1-5其中一个")
If DriverStartMode = "1" Then
    DriverStartMode = "Auto"
ElseIf DriverStartMode = "2" Then
    DriverStartMode = "System"
ElseIf DriverStartMode = "3" Then
    DriverStartMode = "Boot"
ElseIf DriverStartMode = "4" Then
    DriverStartMode = "Manual"
ElseIf DriverStartMode = "5" Then
    DriverStartMode = "Disabled"
Else
    Msgbox " 输入超出范围!"&chr(13)&chr(10)&chr(10)& "将以默认值:Auto 传递参数!"
    DriverStartMode = "Auto"
End If

colName_1 = "驱动文件名称 "
colName_2 = "启动模式 "
colName_3 = "驱动状态 "
colName_4 = "驱动文件路径 "
colName_5 = "驱动创建时间 "
colName_6 = "驱动文件制造商"

Wscript.Echo vbCrLf & colName_1 & colName_2 & colName_3 & colName_4 & colName_5 & colName_6
Wscript.Echo "---------------------------------------------------------------------------------------------------------------------------------------"

' Query the driver list, then look up each driver's file to get its manufacturer and creation time
Set OBJWMI = GetObject("winmgmts:\\.\root\CIMV2")
Set colItems = OBJWMI.ExecQuery("Select * From Win32_SystemDriver Where State='" & DriverState & "' and StartMode='" & DriverStartMode & "'")
For Each driver In colItems
    ' Drivers without a PathName are skipped; previously the last iteration's path
    ' was silently reused for them, which printed the wrong file for that driver
    If Not IsNull(driver.PathName) Then
        ' Strip the \??\ object-manager prefix and double the backslashes for the WQL query
        WMIPathMode = Replace(Replace(driver.PathName,"\??\",""),"\","\\")
        Set colManufacturer = OBJWMI.ExecQuery("Select * From CIM_DataFile Where Name='" & WMIPathMode & "'")
        For Each OBJManufacturer In colManufacturer
            finalName = driver.Name & "                    "
            finalStartMode = driver.StartMode & "          "
            finalState = driver.State & "          "
            finalPath = LCase(OBJManufacturer.Name) & "                                             "
            finalManufacturer = OBJManufacturer.Manufacturer
            Set FSO = CreateObject("Scripting.FileSystemObject").GetFile(OBJManufacturer.Name)
            Wscript.Echo Mid(finalName,1,20) & Mid(finalStartMode,1,10) & Mid(finalState,1,10) & Mid(finalPath,1,45) &vbTab& FSO.DateCreated &vbTab& finalManufacturer
        Next
    End If
Next

' Put the re-run command on the clipboard via an IE instance (this is the about:blank page from Tip 2)
MyVBSPath = "'" & WScript.ScriptFullName & "'"
Myclipboard = "cscript //nologo " & Replace(MyVBSPath,"'","""")
Set objIE = CreateObject("InternetExplorer.Application")
objIE.Navigate("about:blank")
' Wait until the page is loaded; otherwise objIE.document can still be empty
Do While objIE.Busy
    Wscript.Sleep 100
Loop
objIE.document.parentwindow.clipboardData.SetData "text", Myclipboard
' Release the IE instance; the clipboard content remains
objIE.Quit
[ This post was last edited by somebody on 2007-12-11 16:14 ]
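The same driver triage as an added example in PowerShell (not somebody's script and not part of this thread): it runs the same Win32_SystemDriver query filtered by state and start mode, resolves each driver's on-disk file for its creation time and manufacturer, and goes one step further than the VBS by also checking the file's Authenticode signature and by handling the \SystemRoot\ and relative forms of PathName in addition to the \??\ prefix. It assumes Windows PowerShell 5.1 or later in an elevated session; the function names Get-DriverInventory and Resolve-DriverPath and the -RecentDays threshold are this example's own choices.

```powershell
# Added example, not the thread's VBS script. Assumes Windows PowerShell 5.1+ (elevated).
# Get-DriverInventory, Resolve-DriverPath and the -RecentDays threshold are this example's own names.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    # Win32_SystemDriver.PathName comes in several shapes; normalise all of them:
    #   \??\C:\WINDOWS\system32\drivers\x.sys   (NT object-manager prefix, the case the VBS strips)
    #   \SystemRoot\System32\drivers\x.sys      (symbolic root)
    #   System32\drivers\x.sys                  (relative to the Windows directory)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverInventory {
    [CmdletBinding()]
    param(
        [ValidateSet('Running', 'Stopped')]
        [string]$State = 'Running',
        [ValidateSet('Auto', 'System', 'Boot', 'Manual', 'Disabled')]
        [string]$StartMode = 'Auto',
        # Drivers created more recently than this are flagged for a closer look
        [int]$RecentDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    # Same WQL filter the VBS builds; ValidateSet keeps the values to the known enumerations
    $filter = "State='$State' AND StartMode='$StartMode'"

    Get-CimInstance -ClassName Win32_SystemDriver -Filter $filter | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $file = $null
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path
        }

        # Collect review flags: the VBS shows the manufacturer and creation time and
        # leaves the judgement to the reader; here the same two fields plus the
        # signature status are turned into explicit flags
        $flags = @()
        if (-not $file) {
            $flags += 'file-missing'
        } else {
            if ($file.CreationTime -gt $cutoff)      { $flags += "created<${RecentDays}d" }
            if (-not $file.VersionInfo.CompanyName)  { $flags += 'no-company' }
        }
        if ($sig -and $sig.Status -ne 'Valid')       { $flags += "sig:$($sig.Status)" }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Path      = $path
            Created   = $(if ($file) { $file.CreationTime } else { $null })
            # CompanyName is the PE version-resource field that CIM_DataFile.Manufacturer reports in the VBS
            Company   = $(if ($file) { $file.VersionInfo.CompanyName } else { $null })
            Signature = $(if ($sig) { $sig.Status } else { $null })
            Signer    = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
            Flags     = ($flags -join ',')
        }
    }
}

# Usage: running auto-start drivers, newest file first, with the review flags alongside
Get-DriverInventory -State Running -StartMode Auto -RecentDays 30 |
    Sort-Object Created -Descending |
    Format-Table Name, Company, Created, Signature, Flags -AutoSize

# Only the entries that raised a flag:
Get-DriverInventory -State Running -StartMode Auto | Where-Object { $_.Flags } | Format-List
```

Two caveats when reading the output. The creation time and the company name are both easy to set to anything: the company name is just a string in the file's version resource (the same source the VBS reads through CIM_DataFile.Manufacturer), and the creation time is whatever the file system was told when the file was written. The signature status and signer are therefore the stronger of the three signals. On Windows 10 and later, inbox drivers signed through a catalog are reported with a SignatureType of Catalog; on older systems Get-AuthenticodeSignature can report such files as NotSigned, so a NotSigned flag on a known inbox driver is a lead to check, not a verdict.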
Author: 随风  Time: 2007-12-11 00:08
I don't understand VBS, but I can tell how much effort you put into this and what the code does. Nice.
Points added
Looking forward to even better work.
Author: somebody  Time: 2007-12-11 00:38
Haha, ordinary people don't dare try it; only after using it do you know it's a good thing.................................
Author: 随风  Time: 2007-12-11 01:52
I did use it!
But I still don't understand what it is
Author: youxi01  Time: 2007-12-11 07:44
Quote from somebody, posted 2007-12-10 23:54:
First, a complaint: the forum's so-called code mode and WYSIWYG mode are really a pain..... code whose structure is clearly neat looks like garbage once pasted here. I'm not going to keep re-editing it; in any case my code looks fine when viewed in notepad++.
First I recommend everyone try this program: note ...
The idea and the code are both very good, but one suggestion:
When waiting for input (the two inputboxes), I think that if the user enters something wrong, the script should not proceed to the next step with a default value but should stay where it is.
Author: somebody  Time: 2007-12-11 15:56
Reply to #5:
I've already been lenient enough.................
Someone who can't even type a number correctly, and then presses Enter after typing it wrong: in this world only people deliberately refusing to give me face would do that.......
The inputbox prompts are already clear enough, and I provided a way to re-run the script, so if you choose wrong you can simply try again. It isn't that I wasn't rigorous enough; I just won't cater to people who deliberately mess around
Reply to #4:
I already wrote the script's functions above......
Welcome to 批处理之家 (http://www.bathome.net/) |
Powered by Discuz! 7.2 |