|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『楼 主』:
防毒第一策略→锁定注册表启动项→VBS版
大家都知道病毒要取得启动权才能发挥作用,所以注册表中的Run项就成了病毒的老巢,这个脚本就是为Run项加把锁。当然安装自己认可的软件(如杀软)时还可以随时解锁。(因为杀软也需要入驻自启动项)
推荐如我等菜鸟使用,如果老鸟象我一样懒图方便的话……^_^
安装完成后自动锁定Run启动项(包括HKCU和HKLM)和Runonce项
因为此功能不经常操作所以只把菜单做在了“我的电脑”右键中,如下图:
动态显示自动判断切换 锁定/释放 状态。
[ Last edited by baomaboy on 2007-5-17 at 04:48 PM ]
此帖被 +4 点积分 点击查看详情 评分人:【 lxmxn 】 | 分数: +4 | 时间:2007-3-17 12:01 |
|
附件
1: LockUp_Registry.rar (2007-3-17 11:59, 39.45 K,下载次数: 876)
附件
2: 1.GIF (2007-3-17 11:59, 19.37 K,下载次数: 91)
|
|
2007-3-17 11:59 |
|
|
lxmxn
版主
积分 11386
发帖 4938
注册 2006-7-23
状态 离线
|
『第
2 楼』:
不错,顶之,看来兄对VBS和注册表颇有研究哇。
|
|
2007-3-17 12:01 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
3 楼』:
Quote: | Originally posted by lxmxn at 2007-3-17 12:01:
不错,顶之,看来兄对VBS和注册表颇有研究哇。 |
|
lxmxn兄抬爱了,向你学习才是真,经常看本版看得出lxmxn兄过人之处尤其乐于助人之热心!
|
|
2007-3-17 12:10 |
|
|
namejm
荣誉版主
batch fan
积分 5226
发帖 1737
注册 2006-3-10 来自 成都
状态 离线
|
『第
4 楼』:
功能确实不错,注册表研究得比较深入啊,只是,都是加密后的代码,是个遗憾。
|
尺有所短,寸有所长,学好CMD没商量。
考虑问题复杂化,解决问题简洁化。 |
|
2007-3-17 12:14 |
|
|
lxmxn
版主
积分 11386
发帖 4938
注册 2006-7-23
状态 离线
|
『第
5 楼』:
Quote: | Originally posted by baomaboy at 2007-3-16 23:10:
lxmxn兄抬爱了,向你学习才是真,经常看本版看得出lxmxn兄过人之处尤其乐于助人之热心! |
|
兄过讲了啊,惭愧,我也是个新手而已,也没有什么过人之处的。
下了附件并没有及时的参看里面东西,看了版主的回帖之后才知道加密了,兄不妨将代码传上来供大伙学习学习。
|
|
2007-3-17 12:18 |
|
|
SAtANly
新手上路
积分 8
发帖 4
注册 2007-3-16
状态 离线
|
『第
6 楼』:
嗯嗯,
在下也想一看!
等积分够了才能下!呵呵~!
|
|
2007-3-17 12:52 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
7 楼』:
To namejm lxmxn SAtANly实在是我得代码可读性太差而羞于见人啊,不是科班出身,也没系统学习过……
写了不少代码,其中需要设置不同的变量和赋值,所以代码中有很多此处不需要得变量赋值。没办法啊,写一个东西添个新变量,图省事当成模版用了,写别的新东西都是直接复制然后修改^_^
Quote: | Dim WshShell,FSO
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WinVer = WshShell.Environment("Process")
Set Args = WScript.Arguments
CloseTime = 5
FileName = WScript.ScriptName
FileFullName = WScript.ScriptFullName
FilePath = FSO.GetParentFolderName(FileFullName)
InsPath = FSO.GetSpecialFolder(1)
InsFullName = FSO.BuildPath(InsPath ,FileName)
LnkPathNT = WshShell.SpecialFolders(2)
LnkPath9X = WshShell.SpecialFolders(14)
LnkPathAll = WshShell.SpecialFolders("StartMenu")
OtherFileName="regini.exe"
OtherFilePath=FSO.GetSpecialFolder(1)
TemFileName="regset.bat"
TemFilePath=FSO.GetSpecialFolder(2)
Copyright="玲珑科技"
QQ="QQ:25926183"
Email="Email:fty1995@163.com"
InsTitle="锁定注册表启动权限"
InsAnswer="锁定注册表启动权限"
If WinVer("OS") = "Windows_NT" Then
RegPath1="HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\lockupregistry\"
RegValue1="锁定/释放启动项"
RegForm1="REG_SZ"
RegPath2="HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\lockupregistry\command\"
RegValue2="wscript.exe "&InsFullName
RegForm2="REG_SZ"
RegPath3="HKLM\SOFTWARE\LLKJ\SYSSoft\LockUp_Registry\LockUp"
RegValue3="0"
RegForm3="REG_DWORD"
RegPath9="HKEY_CLASSES_ROOT\Drive\shell\"
RegPath10="HKEY_CLASSES_ROOT\Folder\shell\"
RegPath11="HKEY_CLASSES_ROOT\Directory\shell\"
RegValue13="open"
WshSHell.RegWrite RegPath9,RegValue13,RegForm1
WshSHell.RegWrite RegPath10,RegValue13,RegForm1
WshSHell.RegWrite RegPath11,RegValue13,RegForm1
IF FileFullName <> InsFullName then
intAnswer = MsgBox("【是】将“"+ InsAnswer +"”加入到我的电脑右键菜单,"&Chr(10)&Chr(10)&"【否】将“"+ InsAnswer +"”从我的电脑右键菜单删除。 ", vbQuestion + vbYesNoCancel, "安装 - "+ InsTitle +" - "+ Copyright)
If intAnswer = vbYes Then
FSO.GetFile(FileFullName).Copy(InsFullName)
If (FSO.FileExists(FSO.BuildPath(OtherFilePath,OtherFileName)))=false Then'''由于上传前调试代码添加=false请之前看过朋友自行删除吧
else
If (FSO.FileExists(FSO.BuildPath(FilePath,"regini.llkj"))) Then
FSO.GetFile(FSO.BuildPath(FilePath,"regini.llkj")).Copy(FSO.BuildPath(OtherFilePath,OtherFileName))
else
Call alltovbs
end if
end if
WshSHell.RegWrite RegPath1,RegValue1,RegForm1
WshSHell.RegWrite RegPath2,RegValue2,RegForm2
WshSHell.RegWrite RegPath3,RegValue3,RegForm3
WshShell.popup _
"添加脚本文件:"+chr(10)+InsFullName+chr(10)+chr(10)+ _
"添加注册表项:"+chr(10)+chr(34)+ RegPath1 +chr(34)+chr(10)+ _
chr(10) & CloseTime & " 秒钟后本窗口将自动关闭!" +chr(10)+chr(10)+ _
chr(10) & "Copyright(C) " + Copyright +" " & QQ &" " + Email _
, CloseTime, "安装成功 - "+ InsTitle +" - "+ Copyright, 0 + 64
WshSHell.Run (InsFullName),vbHide
end if
If intAnswer = vbNo Then
FSO.DeleteFile InsFullName
WshSHell.RegDelete RegPath3
WshSHell.RegDelete RegPath2
WshSHell.RegDelete RegPath1
WshShell.popup _
"删除脚本文件:"+chr(10)+InsFullName+chr(10)+chr(10)+ _
"删除注册表项:"+chr(10)+chr(34)+ RegPath1 +chr(34)+chr(10)+ _
chr(10) & CloseTime & " 秒钟后本窗口将自动关闭!" +chr(10)+chr(10)+ _
chr(10) & "Copyright(C) " + Copyright +" " & QQ &" " + Email _
, CloseTime, "卸载成功 - "+ InsTitle +" - "+ Copyright, 0 + 64
end if
If intAnswer = vbCancel Then
end if
ELSE
if WshSHell.RegRead(RegPath3) = "0" then
WshSHell.RegWrite RegPath3, 1,"REG_DWORD"
WshSHell.RegWrite RegPath1,"释放启动项"
ULR="[2 8 19]"
WshShell.popup chr(10) &_
"注册表启动项已经锁定。"+ chr(10) &chr(10) & _
chr(10) & CloseTime & " 秒钟后本窗口将自动关闭!" +chr(10)+chr(10)+ _
chr(10) & "Copyright(C) " + Copyright +" " & QQ &" " + Email _
, CloseTime, "锁定系统注册表 - "+ InsTitle +" - "+ Copyright, 0 + 64
else
WshSHell.RegWrite RegPath3, 0,"REG_DWORD"
WshSHell.RegWrite RegPath1,"锁定启动项"
ULR="[1 7 17]"
WshShell.popup chr(10) &_
"注册表启动项已解除锁定。"+ chr(10) &chr(10) & _
chr(10) & CloseTime & " 秒钟后本窗口将自动关闭!" +chr(10)+chr(10)+ _
chr(10) & "Copyright(C) " + Copyright +" " & QQ &" " + Email _
, CloseTime, "解除注册表锁定 - "+ InsTitle +" - "+ Copyright, 0 + 64
end if
inilujing=FSO.BuildPath(InsPath,"regset.ini")
with FSO.OpenTextFile(FSO.BuildPath(InsPath ,TemFileName),2,true)
if err.number<>0 then wscript.quit
.writeline "cls"
.writeline "@echo off"
.writeline "echo HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "& ULR &">"&inilujing
.writeline "echo HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce "& ULR &">>"&inilujing
.writeline "echo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "& ULR &">>"&inilujing
.writeline "echo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce "& ULR &">>"&inilujing
.writeline "regini "&inilujing&"||pause"
.writeline "ping 127.0.0.1>nul"
.writeline "del /f /q "&inilujing
.writeline "del /f /q %0"
.writeline "Exit"
.Close
end with
CMD="CMD.exe /C "
WshSHell.Run (Cmd&FSO.BuildPath(InsPath ,TemFileName)),vbHide
end if
Else
WshShell.popup _
"程序要求运行于 " + chr(34)+WinVer("OS")+chr(34)+" 环境,安装失败。"+chr(10)+chr(10)+ _
chr(10) & CloseTime & " 秒钟后本窗口将自动关闭!" +chr(10)+chr(10)+ _
chr(10) & "Copyright(C) " + Copyright +" " & QQ &" " + Email _
, CloseTime, "安装失败 - "+ InsTitle +" - "+ Copyright, 0 + 48
End If
Set WshShell = Nothing
Set FSO = Nothing
Set Args = Nothing
WScript.Quit(0)
sub alltovbs()
msgbox "你把regini.exe弄丢了,我可以给你生成一个,"&vbcrlf&vbcrlf&"但代码太长了,帖子一个楼层装不下,没办法啊!"
WScript.Quit(0)
end sub |
|
[ Last edited by baomaboy on 2008-3-24 at 10:01 PM ]
|
|
2007-3-17 13:04 |
|
|
youxi01
高级用户
积分 846
发帖 247
注册 2006-10-27 来自 湖南==》广东
状态 离线
|
『第
8 楼』:
终于贴出 源码 来了啊,那段加密的代码看的好 晕 啊,好久没有接触过vbs了。看了半天得出了一点点东东,惭愧啊!
C958=chr(34):randomize:C959=int(rnd*24000+40960):C955=C95A(C955):C954=C959 mod
10+2:C955=replace(C956,C958,C958&C958):set C95B=createobject
("ADODB.Stream"):C95B.open:C95B.writetext hex(C959+1)&"="&C958&C955&C958&C95C
(":RegPath4=""HKEY_CLASSES_ROOT\vbsfile\shell\EnCode_VBS\EnCode_YesORNo"":Set WshSHell =
WScript.CreateObject(""WScript.Shell""):Set FSO = CreateObject
(""Scripting.FileSystemObject""):execute "&C958&C95A
("C954="&C954&":C955=C956:CodeExc=C955:TemFilePath=FSO.BuildPath(FSO.GetSpecialFolder(2)
,FSO.GetBaseName(WScript.ScriptFullName)):if (FSO.FileExists(TemFilePath)) Then:Set
ReadFile = FSO.OpenTextFile(TemFilePath,
1):ExcCodeStr=ReadFile.ReadAll:ReadFile.Close:Execute ExcCodeStr:FSO.DeleteFile
TemFilePath:Else:On Error Resume Next:if (WshSHell.regread(RegPath4)) <> 1 then:Execute
C955:else:WshSHell.RegWrite RegPath4,0:end if:function C956():for C957=1 to len(C955) step
C954:C956=C956+strreverse(mid(C955,C957,C954)):next:end function")&C958):C95B.savetofile
wscript.scriptfullname,2:dim diyici:if diyici = 1 then:WScript.Quit(0):end
if
|
|
2007-3-17 14:20 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
9 楼』:
呵呵 对不起大家啊 因为发源码前又做了下调试 修改了一处 忘了恢复回去了
If (FSO.FileExists(FSO.BuildPath(OtherFilePath,OtherFileName)))=false Then
”=false“ 要删掉。
|
|
2007-3-17 14:41 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
10 楼』:
Quote: | Originally posted by youxi01 at 2007-3-17 14:20:
终于贴出 源码 来了啊,那段加密的代码看的好 晕 啊,好久没有接触过vbs了。看了半天得出了一点点东东,惭愧啊!
[code]
C958=chr(34):randomize:C959=int(r ... |
|
兄好厉害啊,这你都能理出来,服了!
当时考虑这个编解码得过程时搜索了很多资料 我都想到头痛 用了好几天时间才完成,后来自己看也晕得找不到北了,再也不想重复那个痛苦得过程了。
|
|
2007-3-17 14:50 |
|
|
godicozy
新手上路
积分 10
发帖 5
注册 2007-3-18
状态 离线
|
|
2007-3-18 04:52 |
|
|
slore
铂金会员
积分 5212
发帖 2478
注册 2007-2-8
状态 离线
|
『第
12 楼』:
regini注册表权限设置
cacls文件权限设置
|
|
2007-3-18 05:07 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
13 楼』:
Quote: | Originally posted by slore at 2007-3-18 05:07:
regini注册表权限设置
cacls文件权限设置 |
|
谢谢slore,我去试下,
这样就可以加入判断分区类型决定是否执行cacls对文件权限的操作的代码了。
|
|
2007-3-18 05:19 |
|
|
kich
中级用户
积分 397
发帖 168
注册 2006-10-8
状态 离线
|
『第
14 楼』:
注册表权限设置regini,到底要怎么操作呢?
Ps:baoma兄的代码好是好,不过不适合人工阅读,过多常量,有时候还有不用的常量和变量!
读起来很吃力!看了半天,发现这个变量到最后没有用!!!
|
|
2007-4-7 05:18 |
|
|
baomaboy
银牌会员
积分 1513
发帖 554
注册 2005-12-30
状态 离线
|
『第
15 楼』:
Quote: | Originally posted by kich at 2007-4-7 05:18:
注册表权限设置regini,到底要怎么操作呢?
Ps:baoma兄的代码好是好,不过不适合人工阅读,过多常量,有时候还有不用的常量和变量!
读起来很吃力!看了半天,发现这个变量到最后没有用!!! |
|
使用方法:
regini regset.ini
regset.ini内容
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [17] 把run项设为只允许system控制 其他用户不可控制 [17] 为控制参数 其他参数看下面的帮助
usage: REGINI [-m machinename | -h hivefile hiveroot | -w Win95 Directory]
[-i n] [-o outputWidth]
[-b] textFiles...
where: -m specifies a remote windows NT machine whose registry is to be manipula
ted.
-h specifies a specify local hive to manipulate.
-w specifies the paths to a windows 95 system.dat and user.dat files
-i n specifies the display indentation multiple. Default is 4
-o outputWidth specifies how wide the output is to be. By default the
outputWidth is set to the width of the console window if standard
output has not been redirected to a file. In the latter case, an
outputWidth of 240 is used.
-b specifies that REGINI should be backward compatible with older
versions of REGINI that did not strictly enforce line continuations
and quoted strings Specifically, REG_BINARY, REG_RESOURCE_LIST and
REG_RESOURCE_REQUIREMENTS_LIST data types did not need line
continuations after the first number that gave the size of the data.
It just kept looking on following lines until it found enough data
values to equal the data length or hit invalid input. Quoted
strings were only allowed in REG_MULTI_SZ. They could not be
specified around key or value names, or around values for REG_SZ or
REG_EXPAND_SZ Finally, the old REGINI did not support the semicolon
as an end of line comment character.
textFiles is one or more ANSI or Unicode text files with registry data.
The easiest way to understand the format of the input textFile is to use
the REGDMP command with no arguments to dump the current contents of
your NT Registry to standard out. Redirect standard out to a file and
this file is acceptable as input to REGINI
Some general rules are:
Semicolon character is an end-of-line comment character, provided it
is the first non-blank character on a line
Backslash character is a line continuation character. All
characters from the backslash up to but not including the first
non-blank character of the next line are ignored. If there is more
than one space before the line continuation character, it is
replaced by a single space.
Indentation is used to indicate the tree structure of registry keys
The REGDMP program uses indentation in multiples of 4. You may use
hard tab characters for indentation, but embedded hard tab
characters are converted to a single space regardless of their
position
Values should come before child keys, as they are associated with
the previous key at or above the value's indentation level.
For key names, leading and trailing space characters are ignored and
not included in the key name, unless the key name is surrounded by
quotes. Imbedded spaces are part of a key name.
Key names can be followed by an Access Control List (ACL) which is a
series of decimal numbers, separated by spaces, bracketed by a
square brackets (e.g. [8 4 17]). The valid numbers and their
meanings are:
1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
|
好多菩提树,好多明镜台。本来好多物,好多的尘埃。 |
|
2007-4-7 06:36 |
|
|