当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > ntiIframe.vbs用于批量清除被添加到文件中的恶意代码

VBScript
vbs在网页中显示服务
vbs得没公开对象
unpack.vbs
使用批处理文件异地备份数据库(最近几天的数据)
VBScript 中的字节数据操作函数
切换dos并dir的vbs
杀毒的对vbs相当敏感 免杀
多进程的vbs脚本
Windows管理脚本学习
15分钟提醒一次,珍惜时间啊
从一个VBS脚本学习一点点东西
exe2swf 工具(Adodb.Stream版)
使用脚本自动修改ip设置
深入挖掘Windows脚本技术
用VBSCRIPT控制ONSUBMIT事件
VBS中Select CASE的其它用法
vbscript 可以按引用传递参数吗?
下载文件到本地运行的vbs
飘叶千夫指源代码,又称qq刷屏器
SendKeys参考文档

VBScript 中的 ntiIframe.vbs用于批量清除被添加到文件中的恶意代码


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-09-11   浏览: 47 ::
收藏到网摘: n/a

AntiIframe.vbs
#该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改Pattern参数指定要处理的文件名,文件名之间用|隔开(也支持vbs正则表达式)。由于要修改文件,请谨慎的使用(最好先备份文件)
#用法: CScript AntiIframe.vbs [处理的路径] [包含清除内容的文件]
#例子: CScript AntiIframe.vbs d:\Web d:\lake2.txt
复制代码 代码如下:

'-----------------------
'Anti-Iframe in vbs
'Author: lake2 (http://lake2.0x54.org)
'Date: 2007-2-27
'Version: 1.1
'-----------------------
'-------- Config Start --------------
'配置要处理的文件名,可使用vbs正则表达式;也可以使用“(index.asp|index.htm|index.html)”枚举格式
Pattern = "^.+\.(htm|html|asp|aspx|php)$"
'-------- Config End --------------

Call ShowInfo()
If WScript.Arguments.Count = 2 Then
If Right(WScript.Arguments.Item(0),1) = "\" Then
if len(WScript.Arguments.Item(0))>3 then
thePath = Mid(WScript.Arguments.Item(0),1,Len(WScript.Arguments.Item(0))-1)
else
thePath = WScript.Arguments.Item(0)
end if
Else
thePath = WScript.Arguments.Item(0)
End If
Call CheckArg(thePath)
WScript.Echo "开始清理,请稍候……"
Call ShowAllFile(thePath)
WScript.Echo vbcrlf & "清理完成!" & vbcrlf
Else
Call ShowHelp()
End If
Sub ShowInfo()
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & "===== 欢迎使用雷客图 ASP 站长安全助手vbs版 =====" & vbcrlf
HelpStr = HelpStr & "===== 之 Anti-批量挂马 =====" & vbcrlf
HelpStr = HelpStr & "===== Author: lake2 =====" & vbcrlf
HelpStr = HelpStr & "===== Email:[email protected] =====" & vbcrlf
HelpStr = HelpStr & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & vbcrlf
WScript.Echo HelpStr
End Sub
Sub ShowHelp()
HelpStr = HelpStr & "#用法: CScript AntiIframe.vbs [处理的路径] [包含清除内容的文件]" & vbcrlf
HelpStr = HelpStr & "#例子: CScript AntiIframe.vbs d:\Web d:\lake2.txt" & vbcrlf
HelpStr = HelpStr & vbcrlf
WScript.Echo HelpStr
End Sub
Sub CheckArg(arg)
tmpPath = arg
Set objFSO = WScript.CreateObject ("Scripting.FileSystemObject")
If Not objFSO.FileExists(WScript.Arguments.Item(1)) Then
WScript.Echo "Error:未找到配置文件“" & WScript.Arguments.Item(1) & "”!"
WScript.Quit
ElseIf Not objFSO.FolderExists(tmpPath) Then
WScript.Echo "Error:错误的路径“" & tmpPath & "”!"
WScript.Quit
End If
Set objFSO = Nothing
End Sub
'遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set g = FSO.GetFile(WScript.Arguments.Item(1))
If g.Size > 0 Then
Set ts2 = g.OpenAsTextStream(1, -2)
filecon = ts2.ReadAll
ts2.Close
Set ts2 = Nothing
Else
WScript.Echo "Error:配置文件" & WScript.Arguments.Item(1) & "大小为0!"
WScript.Quit
End If
Set g = Nothing
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
On Error Resume Next
For Each myfile in fc2
If Err Then WScript.Echo "权限不足,不能检查目录"&thePath:exit sub
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = Pattern
If regEx.Test(myfile.name) Then
CheckFile path&"\"&myfile.name, filecon
End If
Set regEx = Nothing
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&"\"&f1.name
Next
Set FSO = Nothing
End Sub
Sub CheckFile(filepath, filecon2)
xSet = GetCharSet(filepath)
Set tStream = CreateObject("ADODB.Stream")
tStream.type = 1
tStream.mode = 3
tStream.open
tStream.Position=0
tStream.LoadFromFile FilePath
If err Then Exit Sub end if
tStream.type = 2
tStream.charset = xSet
Do Until tStream.EOS
filecon = filecon & LCase(tStream.ReadText(102400))
Loop
tStream.close()
Set tStream = Nothing
If InStr(filecon, filecon2) > 0 Then
filecon = Replace(filecon, filecon2, "")
Set tStream = CreateObject("ADODB.Stream")
tStream.type = 2
tStream.mode = 3
tStream.charset = xSet
tStream.open
tStream.Position=0
tStream.WriteText filecon
tStream.SaveToFile filepath, 2
tStream.close()
Set tStream = Nothing
WScript.Echo "已经修复文件: "&filepath&" ..."
End If
End Sub
Function GetCharSet(xPath)
Set tStream = CreateObject("ADODB.Stream")
tStream.type = 1
tStream.mode = 3
tStream.open
tStream.Position = 0
tStream.LoadFromFile xPath
byte1 = ascB(tStream.Read(1))
byte2 = ascB(tStream.Read(1))
byte3 = ascB(tStream.Read(1))
tStream.close()
Set tStream = Nothing
If byte1=239 and byte2=187 and byte3=191 Then
GetCharSet = "UTF-8"
Else
GetCharSet = "GB2312"
End If
End Function