vbscript之通過對比注冊表查找隱藏的服務



    系統服務有可能被 rootkit 隱藏，但有些時候我們仍可以從注冊表中找到相關的信息。建議以管理員權限運行，否則有些服務列舉不出來或出現錯誤的提示。
    效果圖:
    代碼(checksvr.vbs):
    代碼如下:
    'on error resume next
    const hkey_local_machine = &h80000002
    set oreg=getobject(winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov)
    strkeypath = system\currentcontrolset\services
    oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys
    wscript.echo checking, please wait ...
    wscript.echo
    for each subkey in arrsubkeys
    oreg.getstringvalue hkey_local_machine, strkeypath & \\ & subkey, objectname, strvalue
    if not (strvalue = ) then
    '判斷服務(wù), 利用數(shù)組來比較不知道會(huì)不會(huì)快些?
    if not (checksvr(subkey)) then
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ hidden ]
    else
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ ok ]
    end if
    end if
    next
    wscript.echo
    wscript.echo all done.
    wscript.quit (0)
    function checksvr(strname)
    set owmi = getobject(winmgmts: & {impersonationlevel=impersonate}!\\.\root\cimv2)
    set cservice = owmi.execquery(select * from win32_service where name=' & strname & ')
    if (cservice.count <> 0) then
    checksvr = true
    else
    checksvr = false
    end if
    end function
    function formatouttab(strname)
    strlen = len(strname)
    select case true
    case strlen < 8
    formatouttab = vbtab & vbtab & vbtab & vbtab & vbtab
    case strlen < 16
    formatouttab = vbtab & vbtab & vbtab & vbtab
    case strlen < 24
    formatouttab = vbtab & vbtab & vbtab
    case strlen < 32
    formatouttab = vbtab & vbtab
    case strlen < 40
    formatouttab = vbtab
    case else
    formatouttab = vbtab
    end select
    end function
    利用字典,速度要快很多:
    代碼如下:
    dim odic, oreg, owmi, arrservices
    const hkey_local_machine = &h80000002
    wscript.echo [*] checking, please wait ...
    wscript.echo
    set odic = createobject(scripting.dictionary)
    set owmi = getobject(winmgmts: & {impersonationlevel=impersonate}!\\.\root\cimv2)
    set arrservices = owmi.execquery(select * from win32_service)
    for each strservice in arrservices
    odic.add strservice.name, strservice.name
    next
    set oreg = getobject(winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov)
    strkeypath = system\currentcontrolset\services
    oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys
    for each subkey in arrsubkeys
    oreg.getstringvalue hkey_local_machine, strkeypath & \\ & subkey, objectname, strvalue
    if not (strvalue = ) then
    if odic.exists(subkey) then
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ ok ]
    else
    wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & [ hidden ]
    end if
    end if
    next
    odic.removeall
    wscript.echo
    wscript.echo [*] all done.
    wscript.quit (0)
    function formatouttab(strname)
    strlen = len(strname)
    select case true
    case strlen < 8
    formatouttab = vbtab & vbtab & vbtab & vbtab
    case strlen < 16
    formatouttab = vbtab & vbtab & vbtab
    case strlen < 24
    formatouttab = vbtab & vbtab
    case strlen < 32
    formatouttab = vbtab
    case else
    formatouttab = vbtab
    end select
    end function