VBScript之通過對比注冊表查找隱藏的服務



    系統服務有可能被 rootkit 隱藏,但有些時候我們仍可以從注冊表中找到相關的信息。建議以管理員權限運行,否則有些服務列舉不出來或出現錯誤的提示
    效果圖:
    
1.jpg

    代碼(checksvr.vbs):
    代碼如下:
    'On Error Resume Next
    Const HKEY_LOCAL_MACHINE = &H80000002
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SYSTEM\CurrentControlSet\Services"
    oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
    Wscript.Echo "Checking, please wait ..."
    Wscript.Echo ""
    For Each subkey In arrSubKeys
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\\" & subkey, "ObjectName", strValue
    If Not (strValue = "") Then
    '判斷服務, 利用數(shù)組來比較不知道會不會快些?
    If Not (CheckSvr(subkey)) Then
    Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
    Else
    Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ OK ]"
    End If
    End If
    Next
    Wscript.Echo ""
    Wscript.Echo "All done."
    Wscript.Quit (0)
    Function CheckSvr(strName)
    Set oWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cService = oWMI.ExecQuery("Select * from Win32_Service WHERE Name='" & strName & "'")
    If (cService.count <> 0) Then
    CheckSvr = True
    Else
    CheckSvr = False
    End If
    End Function
    Function FormatOutTab(strName)
    strLen = Len(strName)
    Select Case True
    Case strLen < 8
    FormatOutTab = vbTab & vbTab & vbTab & vbTab & vbTab
    Case strLen < 16
    FormatOutTab = vbTab & vbTab & vbTab & vbTab
    Case strLen < 24
    FormatOutTab = vbTab & vbTab & vbTab
    Case strLen < 32
    FormatOutTab = vbTab & vbTab
    Case strLen < 40
    FormatOutTab = vbTab
    Case Else
    FormatOutTab = vbTab
    End Select
    End Function
    利用字典,速度要快很多:
    代碼如下:
    Dim oDic, oReg, oWmi, arrServices
    Const HKEY_LOCAL_MACHINE = &H80000002
    Wscript.Echo "[*] Checking, please wait ..."
    Wscript.Echo ""
    Set oDic = CreateObject("Scripting.Dictionary")
    Set oWmi = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set arrServices = oWmi.ExecQuery("Select * from Win32_Service")
    For Each strService In arrServices
    oDic.Add strService.Name, strService.Name
    Next
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SYSTEM\CurrentControlSet\Services"
    oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
    For Each subkey In arrSubKeys
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\\" & subkey, "ObjectName", strValue
    If Not (strValue = "") Then
    If oDic.Exists(subkey) Then
    Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ OK ]"
    Else
    Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
    End If
    End If
    Next
    oDic.RemoveAll
    Wscript.Echo ""
    Wscript.Echo "[*] All done."
    Wscript.Quit (0)
    Function FormatOutTab(strName)
    strLen = Len(strName)
    Select Case True
    Case strLen < 8
    FormatOutTab = vbTab & vbTab & vbTab & vbTab
    Case strLen < 16
    FormatOutTab = vbTab & vbTab & vbTab
    Case strLen < 24
    FormatOutTab = vbTab & vbTab
    Case strLen < 32
    FormatOutTab = vbTab
    Case Else
    FormatOutTab = vbTab
    End Select
    End Function