当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > 雷客图 站长安全助手 vbs版代码(asp 木马查找)

VBScript
用vbs清空iis log 中自己登录ip的记录
vbs sendmail发邮件带附件方法
用vbs通过135端口执行命令的脚本
用vbs实现的瞬间关闭多个系统进程的脚本
vbs 中调用shell.application 简单函数
vbs wmi获取电脑硬件信息实例
用vbscript实现隐藏任务栏图标的脚本
vbs正则表达式代码
vbs版IP地理位置查询小偷
超级厉害的VBS定时提醒脚本 Remind.vbs
vbs实现的支持拖动的txt文本切割器
VBS如何察看或获得剪切板内容的脚本
VBS备忘录启动代码
VBS脚本使用WMI操作注册表的代码
vbs xmldom初次实战获取QQ签名的代码
VBS破坏性应用代码
vbs生成ACCESS数据里所有表的字段
vbs实现的图片自适应表格,目前最佳解决方案!
ProcessMagnifier.vbs进程查看
用于提取网易文件的hta代码

VBScript 中的 雷客图 站长安全助手 vbs版代码(asp 木马查找)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-09-11   浏览: 77 ::
收藏到网摘: n/a

均在命令行下使用
AntiIframe.vbs
#该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改Pattern参数指定要处理的文件名,文件名之间用|隔开(也支持vbs正则表达式)。由于要修改文件,请谨慎的使用(最好先备份文件)
#用法: CScript AntiIframe.vbs [处理的路径] [包含清除内容的文件]
#例子: CScript AntiIframe.vbs d:\Web d:\lake2.txt
----------------------------
Scan.vbs
#该脚本用于本地扫描ASP木马,速度比ASP版快很多。可能存在误报、漏报的情况,视具体情况处理
#用法: CScript Scan.vbs [扫描路径] [结果HTM文件路径]
#例子: CScript Scan.vbs d:\Web f:\my\report.html
Scan.vbs
复制代码 代码如下:

'-----------------------
'Scan ASP WebShell in vbs
'Author: lake2 (http://lake2.0x54.org)
'Date: 2007-7-29
'Version: 1.1
'-----------------------
DimFileExt = "asp,cer,asa,cdx"
Dim Report, Report2, Sun, SumFiles, SumFolders
Call ShowInfo()
If WScript.Arguments.Count = 2 Then
Sun = 0
SumFiles = 0
SumFolders = 1
If Right(WScript.Arguments.Item(0),1) = "\" Then
thePath = Mid(WScript.Arguments.Item(0),1,Len(WScript.Arguments.Item(0))-1)
Else
thePath = WScript.Arguments.Item(0)
End If
Call CheckArg(thePath)
WScript.Echo "开始扫描,请稍候……"
WScript.Sleep(1000)
StartTime = now()
Call ShowAllFile(thePath)
EndTime = now()
WScript.Echo vbcrlf & "扫描完成!" & vbcrlf
report2 = report2 & "<html><head><title>雷客图 ASP 站长安全助手vbs版扫描报告</title>"
report2 = report2 & "<meta http-equiv=""Content-Type"" content=""text/html; charset=gb2312""></head>"
report2 = report2 & "<body><b><font size=4>雷客图 ASP 站长安全助手vbs版扫描报告</font></b><br><br>"
report2 = report2 & "<font size=2>开始时间:"&StartTime&"</font><br>"
report2 = report2 & "<font size=2>结束时间:"&EndTime&"</font><br>"
report2 = report2 & "<font size=2>扫描完毕!一共检查文件夹<font color=""#FF0000"">"&SumFolders&"</font>个,文件<font color=""#FF0000"">"&SumFiles&"</font>个,发现可疑点<font color=""#FF0000"">"&Sun&"</font>个(<font color=""#FF0000"">红字</font>显示的为严重可疑)</font><br/>"
report2 = report2 & "<table width=""100%"" border=""1"" bordercolor=""blue"" style=""padding:5px;line-height:170%;clear:both;font-size:12px;word-break:break-all"">"
report2 = report2 & "<tr>"
report2 = report2 & "<td width=""20%"">文件路径</td>"
report2 = report2 & "<td width=""20%"">特征码</td>"
report2 = report2 & "<td width=""40%"">描述</td>"
report2 = report2 & "<td width=""20%"">创建/修改时间</td>"
report2 = report2 & "</tr>"
report2 = report2 & "<p>"
report2 = report2 & report
report2 = report2 & "</p>"
report2 = report2 & "</table><hr><script src=http://www.0x54.org/announce.js></script>"
report2 = report2 & "<div align=center>powered by <a href=""http://www.0x54.org"" target=_blank>0x54.org</a></div>"
report2 = report2 & "</body></html>"
Call WriteToFile()
Else
Call ShowHelp()
End If
Sub ShowInfo()
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & "===== 欢迎使用雷客图 ASP 站长安全助手vbs版 =====" & vbcrlf
HelpStr = HelpStr & "===== 之 检查ASP木马 =====" & vbcrlf
HelpStr = HelpStr & "===== Author: lake2 =====" & vbcrlf
HelpStr = HelpStr & "===== Email:[email protected] =====" & vbcrlf
HelpStr = HelpStr & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf
HelpStr = HelpStr & "==============================" & vbcrlf
HelpStr = HelpStr & vbcrlf
WScript.Echo HelpStr
End Sub
Sub ShowHelp()
HelpStr = HelpStr & "#用法: CScript Scan.vbs [扫描路径] [结果HTM文件路径]" & vbcrlf
HelpStr = HelpStr & "#例子: CScript Scan.vbs d:\Web f:\my\report.html" & vbcrlf
HelpStr = HelpStr & vbcrlf
WScript.Echo HelpStr
End Sub
Sub CheckArg(arg)
tmpPath = arg
tmpPath2 = Left(WScript.Arguments.Item(1), InStrRev(WScript.Arguments.Item(1),"\")-1)
Set objFSO = WScript.CreateObject ("Scripting.FileSystemObject")
If Not objFSO.FolderExists(tmpPath2) Then
WScript.Echo "Error:错误的路径“" & tmpPath2 & "”!"
WScript.Quit
ElseIf Not objFSO.FolderExists(tmpPath) Then
WScript.Echo "Error:错误的路径“" & tmpPath & "”!"
WScript.Quit
End If
Set objFSO = Nothing
End Sub
'遍历处理path及其子目录所有文件
Sub ShowAllFile(Path)
WScript.Echo "正在检查目录" & path
Set FSO = CreateObject("Scripting.FileSystemObject")
Set f = FSO.GetFolder(Path)
Set fc2 = f.files
For Each myfile in fc2
If CheckExt(FSO.GetExtensionName(path&"\"&myfile.name)) Then
'WScript.Echo "正在检查文件" & path&"\"&myfile.name
Call ScanFile(Path&Temp&"\"&myfile.name, "")
SumFiles = SumFiles + 1
End If
Next
Set fc = f.SubFolders
For Each f1 in fc
ShowAllFile path&"\"&f1.name
SumFolders = SumFolders + 1
Next
Set FSO = Nothing
End Sub
'检查文件后缀,如果与预定的匹配即返回TRUE
Function CheckExt(FileExt)
If DimFileExt = "*" Then CheckExt = True
Ext = Split(DimFileExt,",")
For i = 0 To Ubound(Ext)
If Lcase(FileExt) = Ext(i) Then
CheckExt = True
Exit Function
End If
Next
End Function
'检测文件
Sub ScanFile(FilePath, InFile)
If InFile <> "" Then
Infiles = "<font color=red>该文件被"& InFile & "文件包含执行</font>"
End If
temp = FilePath
On Error Resume Next
Set tStream = WScript.CreateObject("ADODB.Stream")
tStream.type = 1
tStream.mode = 3
tStream.open
tStream.Position=0
tStream.LoadFromFile FilePath
If err Then Exit Sub end if
tStream.type = 2
tStream.charset = "GB2312"
Do Until tStream.EOS
filetxt = filetxt & LCase(replace(tStream.ReadText(102400), Chr(0), ""))
Loop
tStream.close()
Set tStream = Nothing
Set FSOs = WScript.CreateObject("Scripting.FileSystemObject")
if len(filetxt) >0 then
'特征码检查
filetxt = vbcrlf & filetxt
'Check "WScr"&DoMyBest&"ipt.Shell"
If Instr( filetxt, Lcase("WScr"&DoMyBest&"ipt.Shell") ) or Instr( filetxt, Lcase("clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8") ) then
Report = Report&"<tr><td>"&temp&"</td><td>WScr"&DoMyBest&"ipt.Shell 或者 clsid:72C24DD5-D70A"&DoMyBest&"-438B-8A42-98424B88AFB8</td><td><font color=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End if
'Check "She"&DoMyBest&"ll.Application"
If Instr( filetxt, Lcase("She"&DoMyBest&"ll.Application") ) or Instr( filetxt, Lcase("clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000") ) then
Report = Report&"<tr><td>"&temp&"</td><td>She"&DoMyBest&"ll.Application 或者 clsid:13709620-C27"&DoMyBest&"9-11CE-A49E-444553540000</td><td><font color=red>危险组件,一般被ASP木马利用</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Encode
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "\bLANGUAGE\s*=\s*[""]?\s*(vbscript|jscript|javascript).encode\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>(vbscript|jscript|javascript).Encode</td><td><font color=red>似乎脚本被加密了,一般ASP文件是不会加密的</font>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check my ASP backdoor :(
regEx.Pattern = "\bEv"&"al\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Ev"&"al</td><td>e"&"val()函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ev"&"al(X)<br>但是javascript代码中也可以使用,有可能是误报。"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check exe&cute backdoor
regEx.Pattern = "[^.]\bExe"&"cute(Global)?\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Exec"&"ute()或者Exe"&"cuteGlobal()</td><td><font color=red>该函数可以执行任意ASP代码,被一些后门利用。其形式一般是:ex"&"ecute(X)</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check Script.Control
regEx.Pattern = "\.Execu"&"teStatement\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Exec"&"uteStatement</td><td><font color=red>发现MSScriptControl.ScriptControl的.Execut"&"eStatement函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .(Open|Create)TextFile
regEx.Pattern = "\.(Open|Create)TextFile\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Crea"&"teTextFile|.O"&"penTextFile</td><td>使用了FSO的CreateTextFile|OpenTextFile函数读写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .SaveT&oFile
regEx.Pattern = "\.SaveT"&"oFile\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"veToFile</td><td>使用了Stream或者JMail的SaveToFile函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .&Save|.&SaveAs
regEx.Pattern = "\.Sa"&"ve(As)?\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Sa"&"ve或者.Sa"&"veAs</td><td>使用了Save或SaveAs函数写文件"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check set Server
regEx.Pattern = "set\s*.*\s*=\s*server\s"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Set xxx=Se"&"rver</td><td><font color=red>发现Set xxx=Ser" & jj & "ver,请管理员仔细检查是否调用.execute</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check Server.(Transfer|Ex&ecute)
regEx.Pattern = "Server.(Ex"&"ecute|Transfer)([ \t]*|\()[^""]\)"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>Server.Ex"&"ecute</td><td><font color=red>不能跟踪检查Server.e"&"xecute()函数执行的文件。请管理员自行检查</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Ru&n
regEx.Pattern = "\.R"&"un\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ru"&"n</td><td><font color=red>发现 WScript 的 Run 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Exe&c
regEx.Pattern = "\.Ex"&"ec\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Ex"&"ec</td><td><font color=red>发现 WScript 的 Exec 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .Shel&lExecute
regEx.Pattern = "\.Shel"&"lExecute\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.ShellE"&"xecute</td><td><font color=red>发现 Application 的 ShellExecute 函数</font><br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
'Check .&create
regEx.Pattern = "\.Cre"&"ate\b"
If regEx.Test(filetxt) Then
Report = Report&"<tr><td>"&temp&"</td><td>.Crea"&"te</td><td>发现 Create 函数<br>"&infiles&"</td><td>"&GetDateCreate(filepath)&"<br>"&GetDateModify(filepath)&"</td></tr>"
Sun = Sun + 1
End If
Set regEx = Nothing

'Check include file not with "&'
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "<!--\s*#include\s+(file|virtual)\s*=\s*.*-->"
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Trim(Mid(Match.Value, Instr(Match.Value, "=") + 1, Len(Match.Value) - Instr(Match.Value, "=") - 1)),"/","\")
If Left(tFile, 1)="'" Then
tFile = Mid(tFile, 2, InStr(2, tFile, "'", 1) - 2)
ElseIf Left(tFile, 1)="""" Then
tFile = Mid(tFile, 2, InStr(2, tFile, """", 1) - 2)
Else
tFile = Replace(tFile, Chr(9), " ")
If InStr(tFile, " ") <> 0 Then
tFile = Left(tFile, InStr( tFile, " ") - 1)
Else
tFile = Left(tFile, InStr( tFile, "-") - 1)
End If
End If
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, FilePath)
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check Server&.Execute|Transfer
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "Server.(Exec"&"ute|Transfer)([ \t]*|\()"".*?"""
Set Matches = regEx.Execute(filetxt)
For Each Match in Matches
tFile = Replace(Mid(Match.Value, Instr(Match.Value, """") + 1, Len(Match.Value) - Instr(Match.Value, """") - 1),"/","\")
If Not CheckExt(FSOs.GetExtensionName(tFile)) Then
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tFile, FilePath)
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
'Check RunatScript
Set XregEx = New RegExp
XregEx.IgnoreCase = True
XregEx.Global = True
XregEx.Pattern = "<scr"&"ipt\s*(.|\n)*?runat\s*=\s*""?server""?(.|\n)*?>"
Set XMatches = XregEx.Execute(filetxt)
For Each Match in XMatches
tmpLake2 = Mid(Match.Value, 1, InStr(Match.Value, ">"))
srcSeek = InStr(1, tmpLake2, "src", 1)
If srcSeek > 0 Then
srcSeek2 = instr(srcSeek, tmpLake2, "=")
For i = 1 To 50
tmp = Mid(tmpLake2, srcSeek2 + i, 1)
If tmp <> " " and tmp <> chr(9) and tmp <> vbCrLf Then
Exit For
End If
Next
If tmp = """" Then
tmpName = Mid(tmpLake2, srcSeek2 + i + 1, Instr(srcSeek2 + i + 1, tmpLake2, """") - srcSeek2 - i - 1)
Else
If InStr(srcSeek2 + i + 1, tmpLake2, " ") > 0 Then tmpName = Mid(tmpLake2, srcSeek2 + i, Instr(srcSeek2 + i + 1, tmpLake2, " ") - srcSeek2 - i) Else tmpName = tmpLake2
If InStr(tmpName, chr(9)) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, chr(9)) - 1)
If InStr(tmpName, vbCrLf) > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, vbcrlf) - 1)
If InStr(tmpName, ">") > 0 Then tmpName = Mid(tmpName, 1, Instr(1, tmpName, ">") - 1)
End If
Call ScanFile( Mid(FilePath,1,InStrRev(FilePath,"\"))&tmpName , FilePath)
SumFiles = SumFiles + 1
End If
Next
Set Matches = Nothing
Set regEx = Nothing
end if
set fsos = nothing
End Sub
Function GetDateModify(filepath)
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateLastModified
set f = nothing
set fso = nothing
GetDateModify = s
End Function
Function GetDateCreate(filepath)
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(filepath)
s = f.DateCreated
set f = nothing
set fso = nothing
GetDateCreate = s
End Function
Sub WriteToFile()
Set FSO = CreateObject("Scripting.FileSystemObject")
Set theFile = FSO.OpenTextFile(WScript.Arguments.Item(1), 2, True)
theFile.Write(Report2)
theFile.Close
Set FSO = Nothing
WScript.Echo "扫描结果已经写入文件“"&WScript.Arguments.Item(1)&"”,请查看之!"
End Sub

因代码比较多,特打包给大家学习使用。http://wt.ruanchen.com/00907/yuanma/vbs_aspmuma.rar