[求助]那位请帮我分析以下代码! - DOS批处理 & 脚本技术（批处理室） - 中国DOS联盟论坛

那位请帮我分析以下代码! 越详细越好,因为我是菜鸟谢谢! 声明：由于万恶微软弄了些万恶的HOME版系统，取消了一堆有用的命令，包括fsutil和wmic，使得批处理的功能不见了一大截，因此批处理在那些版本的系统里面无法正常运行！所以这个东西还是用来研究学习或者充当燃眉之急，别当它是万能的^_^ 前言：经过了戒网的7天里面断断续续的初步构思，弄了个对付一般病毒的批处理专杀模板；为兼顾其他语言的系统，使用了chcp 437命名使得批处理会在各种语言系统都支持的英文状态下运行（由于转为英文后不支持中文的进程操作，所以暂时取消这个功能）；大量使用标签使得整个模板分为多个功能模块，需要指定模块时可以灵活的使用call命令调用，具有很大的扩展性，如可以写一个抑制文件重新生成的模块然后在删除文件之后调用；代码如下： @echo off title Killer of VirusName echo Killer of VirusName set PN=ProcessName1,ProcessName2,ProcessName3,,, set IP=ImPath1,ImPath2,ImPath3,,, set FN=FilePath1,FilePath2,FilePath3,,, set AI=c:\windows\system32\ddtshtk.exe rem STRAT call :ENDPROC call :DELFILE call :ANTICF call :CLEANREG call :SHOWHIDDEN call :DELTMP goto :eof rem Main Modules :ENDPROC cls echo Ending Process ... for /l %%a in (1,1,10) do call :DOENDPOC %%a goto :EOF :DOENDPOC for /f "tokens=%1 delims=," %%i in ("%PN%") do ( start "" /min /realtime ntsd /c q /pn "%%i" call :IEFO "%%i" ) goto :EOF :ENDPID cls echo Ending Process ... set IP=%IP:\=\\% for /l %%a in (1,1,10) do call :DOENDPID %%a goto :EOF :DOENDPID for /f "tokens=%1 delims=," %%a in ("%IP%") do ( for /f "skip=1" %%i in ('wmic PROCESS where ExecutablePath^="%%a" get ProcessId') do start "" /min /realtime ntsd /c q /pid "%%i" ) ) goto :EOF :DELFILE cls echo Deleting Files ... for /l %%a in (1,1,10) do call :DODELF %%a goto :EOF :DODELF for /f "tokens=%1 delims=," %%i in ("%FN%") do start "" /min /realtime cmd /c del /f /q /a "%%i" for /f "tokens=%1 delims=," %%i in ("%FN%") do if exist "%%i" goto :DODELF goto :EOF :CLEANREG cls echo Cleaning Registry ... reg add "HKCR\exefile" /ve /d "Application" /f >nul reg delete "HKCR\exefile" /ve /d "Application" /f >nul sc delete "CSNetManagerXp" >nul goto :EOF :DELTMP cls echo Deleting TempFiles ... goto :EOF rem Extend Modules :ANTICF cls echo Anti Creating Files ... for /l %%a in (1,1,10) do call :DOANTICF %%a goto :EOF :DOANTICF for /f "tokens=%1 delims=," %%i in ("%FN%") do ( md "%%i" md "%%i\...\" md "%%i\LPT1.\" md "%%i\con..\" ) goto :EOF :DELANTICF for /f "tokens=%1 delims=," %%i in ("%FN%") do rd "%%i" /s /q goto :EOF :SHOWHIDDEN cls echo Fixing Registry To Show Hidden Files ... echo Windows Registry Editor Version 5.00 >showhidden.reg echo.>>showhidden.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN] >>showhidden.reg echo.>>showhidden.reg echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg echo "Text"="@shell32.dll,-30501" >>showhidden.reg echo "Type"="radio" >>showhidden.reg echo "CheckedValue"=dword:00000002 >>showhidden.reg echo "ValueName"="Hidden" >>showhidden.reg echo "DefaultValue"=dword:00000002 >>showhidden.reg echo "HKeyRoot"=dword:80000001 >>showhidden.reg echo "HelpID"="shell.hlp#51104" >>showhidden.reg echo.>>showhidden.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] >>showhidden.reg echo.>>showhidden.reg echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg echo "Text"="@shell32.dll,-30500" >>showhidden.reg echo "Type"="radio" >>showhidden.reg echo "CheckedValue"=dword:00000001 >>showhidden.reg echo "ValueName"="Hidden" >>showhidden.reg echo "DefaultValue"=dword:00000002 >>showhidden.reg echo "HKeyRoot"=dword:80000001 >>showhidden.reg echo "HelpID"="shell.hlp#51105" >>showhidden.reg echo.>>showhidden.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden] >>showhidden.reg echo.>>showhidden.reg echo "Type"="checkbox" >>showhidden.reg echo "Text"="@shell32.dll,-30508" >>showhidden.reg echo "WarningIfNotDefault"="@shell32.dll,-28964" >>showhidden.reg echo "HKeyRoot"=dword:80000001 >>showhidden.reg echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg echo "ValueName"="ShowSuperHidden" >>showhidden.reg echo "CheckedValue"=dword:00000000 >>showhidden.reg echo "UncheckedValue"=dword:00000001 >>showhidden.reg echo "DefaultValue"=dword:00000000 >>showhidden.reg echo "HelpID"="shell.hlp#51103" >>showhidden.reg echo.>>showhidden.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy] >>showhidden.reg echo.>>showhidden.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden] >>showhidden.reg echo.>>showhidden.reg echo @="" >>showhidden.reg regedit /s showhidden.reg del showhidden.reg /q /f /a goto :EOF :DELSHOWHIDDEN goto :EOF :IEFO cls echo Setting IEFO ... set FNT=%1 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f /v "Debugger" /t REG_SZ /d "dikex.exe" goto :EOF :DELIEFO set FNT=%1 reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f goto :EOF :ANTIIEFO cls echo Restoring IEFO ... for /f "skip=5 delims=" %%i in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"') do call :DOANTIIEFO "%%i" goto :EOF :DOANTIIEFO echo %1 for /f "skip=4 tokens=3 delims=制表符" %%i in ('reg query %1 /v debugger 2^>nul') do if /i "%%i"=="%AI%" reg delete %1 /f goto :EOF :EXTMOD goto :EOF :DELTMP goto :EOF 使用时修改下面的几个命令： set PN=ProcessName1,ProcessName2,ProcessName3,,, set IP=ImPath1,ImPath2,ImPath3,,, set FN=FilePath1,FilePath2,FilePath3,,, set AI=c:\windows\system32\ddtshtk.exe PN为进程的名称；IP为进程的映象路径，以防有的病毒使用系统进程的名字；FN为要删除的文件的路径；AI为IEFO中debugger对应的那个值；结束进程：将ProcessName1等替换为进程名称，用逗号分隔，根据数量修改相应模块for命令里面in (1,1,10)的10，可以大一点（下同）；遇到使用和系统进程相同名称时，call :ENDPROC改为call :ENDPID，并将ImPath1等替换为映象路径；删除文件：将FilePath1等替换为想要删除的文件的完整路径；清理注册表：reg add命令是用于添加指定的注册表信息，reg delete用于删除指定的注册表信息，关于他们的使用参数参考reg add /?和reg delete /? ，而sc delete命令用于删除执行的服务；