当前位置:DOS资源站资料中心VBS脚本 → 一个vbs+一个bat机器狗免疫

一个vbs+一个bat机器狗免疫

减小字体 增大字体 作者:佚名  来源:本站整理  发布时间:2008-5-18 21:24:22

原理就是封启动和禁止临时文件下载vbs,exe,bat等直接运行文件。使用了快3个月了至今没有出过问题。当然有人要是恶意搞,我还没试过,还原用的讯闪快速还原。。

bat文件:

echo y| cacls "C:\Documents and Settings\All Users\「开始」菜单\程序\启动" /c /p Everyone:r
echo y| cacls "%USERPROFILE%\「开始」菜单\程序\启动" /c /p Everyone:r

if not exist %systemroot%\system32\drivers\pcihdd2.sys md %systemroot%\system32\drivers\pcihdd2.sys 
echo y|cacls %systemroot%\system32\drivers\pcihdd2.sys /d everyone

if not exist %systemroot%\system32\drivers\ati32srv.sys md %systemroot%\system32\drivers\ati32srv.sys
echo y|cacls %systemroot%\system32\drivers\ati32srv.sys /d everyone

vbs文件:防临时文件运行exe,bat,vbs的,我人懒,大家复制过去改成vbs吧。

功能:禁止在临时目录%temp%\*.*、%ietemp%\Content.IE5\*.*及其它指定路径中运行指定的后缀名
'如果与某个游戏不兼容时,也就是某个游戏会自动生成执行文件到被禁的目录,请把路径加到白名单中
'程序本身已兼容梦幻西游、大话西游更新,并自动取系统的临时目录和IE临时目录加入黑名单列表。
'                                                               - 浩月.net 编写

On Error Resume Next
setupgpedit()

Function setupgpedit() '利用组策略的软件安全防止网站木马和恶意程序
On Error Resume Next
Dim WshShell, IETempPath, hjmlist, keypath, pathlist,num8
'------------------------------------------------------------------------↓开放运行的程序路径(白名单)
'------------------------------------------------------------------------↓支持多路径,以分号隔开
filepath="%temp%\gpatch.exe;AutoPatch.exe;%temp%\AutoPatch.exe;%temp%\FFBTUpdate.exe;%temp%\QQMusicInstall.exe"
'------------------------------------------------------------------------↓路径列表(黑名单路径)
'------------------------------------------------------------------------↓支持多路径,以分号隔开

'------------------------------------------------------------------------↓支持多路径,以分号隔开
pathlist = "C:\Test\;"
'------------------------------------------------------------------------↓要禁止的后缀名列表(黑名单后缀)
'------------------------------------------------------------------------↓支持多路径,以分号隔开
hjmlist = "exe;com;bat;cmd;vbs;vbe;"
'------------------------------------------------------------------------↓禁止运行默认路径
keypath="HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\"
'------------------------------------------------------------------------↓开放运行默认路径
keyfile="HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\"
'------------------------------------------------------------------------↓分割后缀后列表
namelist=Split(hjmlist,";")
Set WshShell = WScript.CreateObject("WScript.Shell")
'------------------------------------------------------------------------↓取IE缓存路径并加入路径列表
pathlist=WshShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache") & "\Content.IE5\;"&pathlist
pathlist=WshShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache") & "\Content.IE5\*\;"&pathlist
'------------------------------------------------------------------------↓取临时目录路径并加入路径列表
pathlist=WshShell.RegRead("HKEY_CURRENT_USER\Environment\Temp")&"\;"&pathlist
pathlist=WshShell.RegRead("HKEY_CURRENT_USER\Environment\Temp")&"\*\;"&pathlist
'------------------------------------------------------------------------↓分割路径列表
pathlists=Split(pathlist,";")
'------------------------------------------------------------------------↓分割开放运行的列表
filepaths=Split(filepath,";")

'------------------------------------------------------------------------↓循环路径列表
WshShell.RegDelete keypath

'------------------------------------------------------------------------↓开始写开放策略
For w = 1 to int(UBound(filepaths)) step 1
'------------------------------------------------------------------------↓置随机种子
     Randomize
'------------------------------------------------------------------------↓取6位随机数并转成16进制
     num6=Str2Hex(Int((899999 * Rnd) + 100000))
'------------------------------------------------------------------------↓写注册表
     WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}\",,"REG_SZ"
     WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}\LastModified",0,"REG_BINARY"
     WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}\Description","开放运行文件"&filepaths(w-1),"REG_SZ"
     WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}\SaferFlags",0,"REG_DWORD"
     WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}\ItemData",filepaths(w-1),"REG_EXPAND_SZ"
Next
'------------------------------------------------------------------------↓开放策略完毕

'------------------------------------------------------------------------↓开始写禁止策略
For o = 1 to int(UBound(pathlists)) step 1
'------------------------------------------------------------------------↓循环后缀名列表
   For p = 1 to int(UBound(namelist)) step 1
'------------------------------------------------------------------------↓置随机种子
     Randomize
'------------------------------------------------------------------------↓取6位随机数并转成16进制
     num6=Str2Hex(Int((899999 * Rnd) + 100000))
'------------------------------------------------------------------------↓写注册表
     WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}\",,"REG_SZ"
     WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}\LastModified",0,"REG_BINARY"
     WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}\Description","禁止运行本路径中的"&namelist(p-1)&"文件","REG_SZ"
     WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}\SaferFlags",0,"REG_DWORD"
     WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}\ItemData",pathlists(o-1)&"*."&namelist(p-1),"REG_EXPAND_SZ"
   Next
Next
'------------------------------------------------------------------------↓结束指定进程
exitprocess("explorer.exe")
'------------------------------------------------------------------------↓更新组策略
WshShell.Run ("gpupdate /force"),0
'------------------------------------------------------------------------↓刷新桌面
WshShell.Run ("RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters")
End Function

Function exitprocess(exename)'结束指定进程,可以是程序名或程序路径
     strComputer="."
     Set objWMIService = GetObject ("winmgmts:\\" & strComputer & "\root\cimv2")
     Set colItems = objWMIService.ExecQuery ("SELECT * FROM Win32_process")
     For Each objItem in colItems
         if objitem.ExecutablePath<>"" then '=========================先判断命令路径是否符合
             if instrs(objitem.ExecutablePath,exename) = False then '命令路径符合就结束
               objItem.Terminate()
             else
               if instrs(objitem.Name,exename) = False then '命令路径不符合时判断程序名
                   objItem.Terminate()
               end if
             end if
           else
             if instrs(objitem.Name,exename) = False then '命令路径为空时直接判断程序名是否符合
                 objItem.Terminate()
             end if
           end if
       Next
End Function

Function instrs(patrn, strng) '搜索指定字符是否存在
   Dim regEx, retVal
   Set regEx = New RegExp
   regEx.Pattern = patrn
   regEx.IgnoreCase = True         ' 是否区分大小写。
   retVal = regEx.Test(strng)
   If retVal Then
     instrs = False
   Else
     instrs = True
   End If
End Function

Function Str2Hex(ByVal strHex) '返回16进制字符串
Dim sHex,tempnum
For i = 1 To Len(strHex)
   sHex = sHex & Hex(Asc(Mid(strHex,i,1)))
Next
   Str2Hex = sHex
End Function
 

[] [返回上一页] [打 印]

文章评论评论内容只代表网友观点,与本站立场无关!

频道栏目导航

本类热门阅览

相关文章