AntiIframe.vbs
#该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改Pattern参数指定要处理的文件名,文件名之间用|隔开(也支持vbs正则表达式)。由于要修改文件,请谨慎的使用(最好先备份文件)
#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]
#例子:CScriptAntiIframe.vbsd:Webd:lake2.txt
复制代码 代码如下:
'-----------------------
'Anti-Iframeinvbs
'Author:lake2(http://lake2.0x54.org)
'Date:2007-2-27
'Version:1.1
'-----------------------
'--------ConfigStart--------------
'配置要处理的文件名,可使用vbs正则表达式;也可以使用“(index.asp|index.htm|index.html)”枚举格式
Pattern="^.+.(htm|html|asp|aspx|php)$"
'--------ConfigEnd--------------
CallShowInfo()
IfWScript.Arguments.Count=2Then
IfRight(WScript.Arguments.Item(0),1)=""Then
iflen(WScript.Arguments.Item(0))>3then
thePath=Mid(WScript.Arguments.Item(0),1,Len(WScript.Arguments.Item(0))-1)
else
thePath=WScript.Arguments.Item(0)
endif
Else
thePath=WScript.Arguments.Item(0)
EndIf
CallCheckArg(thePath)
WScript.Echo"开始清理,请稍候……"
CallShowAllFile(thePath)
WScript.Echovbcrlf&"清理完成!"&vbcrlf
Else
CallShowHelp()
EndIf
SubShowInfo()
HelpStr=HelpStr&"=============================="&vbcrlf
HelpStr=HelpStr&"=====欢迎使用雷客图ASP站长安全助手vbs版====="&vbcrlf
HelpStr=HelpStr&"=====之Anti-批量挂马====="&vbcrlf
HelpStr=HelpStr&"=====Author:lake2====="&vbcrlf
HelpStr=HelpStr&"=====Email:lake2@mail.csdn.net====="&vbcrlf
HelpStr=HelpStr&"=====欢迎访问www.0x54.org得到更多信息====="&vbcrlf
HelpStr=HelpStr&"=============================="&vbcrlf
HelpStr=HelpStr&vbcrlf
WScript.EchoHelpStr
EndSub
SubShowHelp()
HelpStr=HelpStr&"#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]"&vbcrlf
HelpStr=HelpStr&"#例子:CScriptAntiIframe.vbsd:Webd:lake2.txt"&vbcrlf
HelpStr=HelpStr&vbcrlf
WScript.EchoHelpStr
EndSub
SubCheckArg(arg)
tmpPath=arg
SetobjFSO=WScript.CreateObject("Scripting.FileSystemObject")
IfNotobjFSO.FileExists(WScript.Arguments.Item(1))Then
WScript.Echo"Error:未找到配置文件“"&WScript.Arguments.Item(1)&"”!"
WScript.Quit
ElseIfNotobjFSO.FolderExists(tmpPath)Then
WScript.Echo"Error:错误的路径“"&tmpPath&"”!"
WScript.Quit
EndIf
SetobjFSO=Nothing
EndSub
'遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject("Scripting.FileSystemObject")
Setg=FSO.GetFile(WScript.Arguments.Item(1))
Ifg.Size>0Then
Setts2=g.OpenAsTextStream(1,-2)
filecon=ts2.ReadAll
ts2.Close
Setts2=Nothing
Else
WScript.Echo"Error:配置文件"&WScript.Arguments.Item(1)&"大小为0!"
WScript.Quit
EndIf
Setg=Nothing
Setf=FSO.GetFolder(Path)
Setfc2=f.files
OnErrorResumeNext
ForEachmyfileinfc2
IfErrThenWScript.Echo"权限不足,不能检查目录"&thePath:exitsub
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Pattern
IfregEx.Test(myfile.name)Then
CheckFilepath&""&myfile.name,filecon
EndIf
SetregEx=Nothing
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&""&f1.name
Next
SetFSO=Nothing
EndSub
SubCheckFile(filepath,filecon2)
xSet=GetCharSet(filepath)
SettStream=CreateObject("ADODB.Stream")
tStream.type=1
tStream.mode=3
tStream.open
tStream.Position=0
tStream.LoadFromFileFilePath
IferrThenExitSubendif
tStream.type=2
tStream.charset=xSet
DoUntiltStream.EOS
filecon=filecon&LCase(tStream.ReadText(102400))
Loop
tStream.close()
SettStream=Nothing
IfInStr(filecon,filecon2)>0Then
filecon=Replace(filecon,filecon2,"")
SettStream=CreateObject("ADODB.Stream")
tStream.type=2
tStream.mode=3
tStream.charset=xSet
tStream.open
tStream.Position=0
tStream.WriteTextfilecon
tStream.SaveToFilefilepath,2
tStream.close()
SettStream=Nothing
WScript.Echo"已经修复文件:"&filepath&"..."
EndIf
EndSub
FunctionGetCharSet(xPath)
SettStream=CreateObject("ADODB.Stream")
tStream.type=1
tStream.mode=3
tStream.open
tStream.Position=0
tStream.LoadFromFilexPath
byte1=ascB(tStream.Read(1))
byte2=ascB(tStream.Read(1))
byte3=ascB(tStream.Read(1))
tStream.close()
SettStream=Nothing
Ifbyte1=239andbyte2=187andbyte3=191Then
GetCharSet="UTF-8"
Else
GetCharSet="GB2312"
EndIf
EndFunction
【ntiIframe.vbs用于批量清除被添加到文件中的恶意代码】相关文章:
★ 用vbs实现解除注册表CMD、Regedit、Taskmgr限制的脚本代码
★ 用VBS修改远程桌面3389端口并添加到Windows防火墙的代码
★ reg2vbs.vbs 将Reg文件转换为VBS文件保存 脚本之家修正版本