jlygq1968
Junior member
Points 46
Posts 9
Registered 2007-5-27
Status: Offline
[OP]:
[Help] Could someone please analyze the following code for me!
Could someone please analyze the following code for me? The more detailed the better, because I am a newbie. Thanks!
Disclaimer: Because wicked Microsoft made some wicked HOME edition systems that removed a pile of useful commands, including fsutil and wmic, a big chunk of batch functionality is gone, so this batch cannot run normally on those editions! So this thing is for study and research, or for use in an emergency; don't treat it as all-powerful ^_^
Preface: During the 7 days I was off the net, after intermittent initial design work, I put together a batch template for killing ordinary viruses;
To accommodate systems in other languages, the chcp 437 command is used so that the batch runs in the English mode that systems of every language support (since process operations on Chinese names are not supported after switching to English, this feature is disabled for now);
Labels are used extensively so that the whole template is split into multiple functional modules; when a specific module is needed it can be invoked flexibly with the call command, which gives great extensibility, e.g. you could write a module that suppresses file re-creation and call it after deleting the files;
The code is as follows:
@echo off
title Killer of VirusName
echo Killer of VirusName
set PN=ProcessName1,ProcessName2,ProcessName3,,,
set IP=ImPath1,ImPath2,ImPath3,,,
set FN=FilePath1,FilePath2,FilePath3,,,
set AI=c:\windows\system32\ddtshtk.exe
rem START
call :ENDPROC
call :DELFILE
call :ANTICF
call :CLEANREG
call :SHOWHIDDEN
call :DELTMP
goto :eof
rem Main Modules
:ENDPROC
cls
echo Ending Process ...
for /l %%a in (1,1,10) do call :DOENDPOC %%a
goto :EOF
:DOENDPOC
rem %1 (1..10) selects the Nth name from the comma-separated list in PN;
rem ntsd attaches to the process and runs "q", which quits the debugger and terminates the target
for /f "tokens=%1 delims=," %%i in ("%PN%") do (
start "" /min /realtime ntsd /c q /pn "%%i"
call :IEFO "%%i"
)
goto :EOF
:ENDPID
cls
echo Ending Process ...
rem the WQL query needs every backslash in the path doubled
set IP=%IP:\=\\%
for /l %%a in (1,1,10) do call :DOENDPID %%a
goto :EOF
:DOENDPID
rem %1 selects the Nth image path; wmic resolves it to a PID (skip=1 drops the header), which ntsd then terminates
for /f "tokens=%1 delims=," %%a in ("%IP%") do (
for /f "skip=1" %%i in ('wmic PROCESS where ExecutablePath^="%%a" get ProcessId') do start "" /min /realtime ntsd /c q /pid "%%i"
)
goto :EOF
:DELFILE
cls
echo Deleting Files ...
for /l %%a in (1,1,10) do call :DODELF %%a
goto :EOF
:DODELF
for /f "tokens=%1 delims=," %%i in ("%FN%") do start "" /min /realtime cmd /c del /f /q /a "%%i"
for /f "tokens=%1 delims=," %%i in ("%FN%") do if exist "%%i" goto :DODELF
goto :EOF
:CLEANREG
cls
echo Cleaning Registry ...
rem Placeholder examples: restore the default value of HKCR\exefile, then remove it again.
rem reg delete has no /d switch; replace these lines with the keys and values the virus actually changed.
reg add "HKCR\exefile" /ve /d "Application" /f >nul
reg delete "HKCR\exefile" /ve /f >nul
sc delete "CSNetManagerXp" >nul
goto :EOF
:DELTMP
cls
echo Deleting TempFiles ...
goto :EOF
rem Extend Modules
:ANTICF
cls
echo Anti Creating Files ...
for /l %%a in (1,1,10) do call :DOANTICF %%a
goto :EOF
:DOANTICF
rem Occupy each target file path with a directory so the virus cannot recreate the file;
rem the nested "...", "LPT1." and "con.." names are reserved or invalid, which makes the directory hard to remove
for /f "tokens=%1 delims=," %%i in ("%FN%") do (
md "%%i"
md "%%i\...\"
md "%%i\LPT1.\"
md "%%i\con..\"
)
goto :EOF
:DELANTICF
for /f "tokens=%1 delims=," %%i in ("%FN%") do rd "%%i" /s /q
goto :EOF
:SHOWHIDDEN
cls
echo Fixing Registry To Show Hidden Files ...
echo Windows Registry Editor Version 5.00 >showhidden.reg
echo.>>showhidden.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN] >>showhidden.reg
echo.>>showhidden.reg
echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg
echo "Text"="@shell32.dll,-30501" >>showhidden.reg
echo "Type"="radio" >>showhidden.reg
echo "CheckedValue"=dword:00000002 >>showhidden.reg
echo "ValueName"="Hidden" >>showhidden.reg
echo "DefaultValue"=dword:00000002 >>showhidden.reg
echo "HKeyRoot"=dword:80000001 >>showhidden.reg
echo "HelpID"="shell.hlp#51104" >>showhidden.reg
echo.>>showhidden.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] >>showhidden.reg
echo.>>showhidden.reg
echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg
echo "Text"="@shell32.dll,-30500" >>showhidden.reg
echo "Type"="radio" >>showhidden.reg
echo "CheckedValue"=dword:00000001 >>showhidden.reg
echo "ValueName"="Hidden" >>showhidden.reg
echo "DefaultValue"=dword:00000002 >>showhidden.reg
echo "HKeyRoot"=dword:80000001 >>showhidden.reg
echo "HelpID"="shell.hlp#51105" >>showhidden.reg
echo.>>showhidden.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden] >>showhidden.reg
echo.>>showhidden.reg
echo "Type"="checkbox" >>showhidden.reg
echo "Text"="@shell32.dll,-30508" >>showhidden.reg
echo "WarningIfNotDefault"="@shell32.dll,-28964" >>showhidden.reg
echo "HKeyRoot"=dword:80000001 >>showhidden.reg
echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" >>showhidden.reg
echo "ValueName"="ShowSuperHidden" >>showhidden.reg
echo "CheckedValue"=dword:00000000 >>showhidden.reg
echo "UncheckedValue"=dword:00000001 >>showhidden.reg
echo "DefaultValue"=dword:00000000 >>showhidden.reg
echo "HelpID"="shell.hlp#51103" >>showhidden.reg
echo.>>showhidden.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy] >>showhidden.reg
echo.>>showhidden.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden] >>showhidden.reg
echo.>>showhidden.reg
echo @="" >>showhidden.reg
regedit /s showhidden.reg
del showhidden.reg /q /f /a
goto :EOF
:DELSHOWHIDDEN
goto :EOF
:IEFO
cls
echo Setting IEFO ...
rem %1 arrives quoted; ~1,-1 strips the quotes. Pointing Debugger at a non-existent image
rem makes Windows fail to launch anything with that name, so the virus cannot restart
set FNT=%1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f /v "Debugger" /t REG_SZ /d "dikex.exe"
goto :EOF
:DELIEFO
set FNT=%1
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%FNT:~1,-1%" /f
goto :EOF
:ANTIIEFO
cls
echo Restoring IEFO ...
for /f "skip=5 delims=" %%i in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"') do call :DOANTIIEFO "%%i"
goto :EOF
:DOANTIIEFO
echo %1
rem The original used a literal tab as the delimiter (the post shows it as the word for "tab");
rem the default delimiters (space and tab) yield the same third token as long as the Debugger value contains no spaces
for /f "skip=4 tokens=3" %%i in ('reg query %1 /v debugger 2^>nul') do if /i "%%i"=="%AI%" reg delete %1 /f
goto :EOF
:EXTMOD
goto :EOF
When using it, modify the following commands:
set PN=ProcessName1,ProcessName2,ProcessName3,,,
set IP=ImPath1,ImPath2,ImPath3,,,
set FN=FilePath1,FilePath2,FilePath3,,,
set AI=c:\windows\system32\ddtshtk.exe
PN is the process name; IP is the process image path, in case a virus uses the name of a system process; FN is the path of the file to delete; AI is the value that Debugger maps to in IFEO;
Ending processes: replace ProcessName1 etc. with the process names, separated by commas, and adjust the 10 in in (1,1,10) in the for command of the corresponding module according to the count; it can be a bit larger (same below); when a virus uses the same name as a system process, change call :ENDPROC to call :ENDPID and replace ImPath1 etc. with the image paths;
Deleting files: replace FilePath1 etc. with the full paths of the files you want to delete;
Cleaning the registry: the reg add command adds the specified registry information and reg delete removes the specified registry information; for their parameters see reg add /? and reg delete /?, while the sc delete command deletes the specified service;
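The :ANTIIEFO module above deletes IFEO entries whose Debugger equals AI; before letting a template delete anything, a read-only audit of the same key shows what is actually there. The following batch is an added example, not part of the posted template, and assumes only the stock reg.exe output format (key header lines start with HKEY, value lines are "Debugger REG_SZ <path>"):

```batch
@echo off
rem Read-only audit of Image File Execution Options: list every image name
rem that has a Debugger value and the path it points to. Nothing is changed.
setlocal EnableDelayedExpansion
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set "KEY="
set "COUNT=0"
rem /s recurses into the per-image subkeys, /v Debugger prints only that value;
rem stderr is discarded so a key with no matches does not clutter the output
for /f "delims=" %%L in ('reg query "%IFEO%" /s /v Debugger 2^>nul') do (
    set "LINE=%%L"
    if "!LINE:~0,4!"=="HKEY" (
        rem key header line: remember which image name the following value belongs to
        set "KEY=%%L"
    ) else (
        rem value line looks like:    Debugger    REG_SZ    <path>
        for /f "tokens=1,2,*" %%a in ("%%L") do if /i "%%a"=="Debugger" (
            set /a COUNT+=1
            rem %%~nxn keeps only the last component of the key path, i.e. the image name
            for %%n in ("!KEY!") do echo %%~nxn  -^>  %%c
        )
    )
)
echo %COUNT% image name(s) have a Debugger value set.
echo Entries pointing at an unknown or missing executable are worth investigating before any cleanup.
endlocal
```

Run it from an elevated prompt; on a clean system the list is normally empty or contains only entries you deliberately created (a real debugger, or a blocker such as the one :IEFO writes).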