中国DOS联盟

以下这段代码是用来监视系统IE进程,防止病毒假冒,用路径的方式来判断,但我需要把以下系统进程都按路径来判断,如何写成完整的?麻烦帮忙写出来,谢谢!~

Dim strComputer, strPath, strExePath
Dim objWMI, objFSO
Dim colProcesses
Dim objProcess, objFile
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
strComputer = "."
nCount = 0
strPath = CreateObject("WScript.Shell").ExpandEnvironmentStrings _
( "%ProgramFiles%\Internet Explorer\iexplore.exe" )
Set objFile = objFSO.GetFile( strPath )
strPath = objFile.ShortPath
Set objFile = Nothing
Set objWMI = GetObject( "winmgmts:{impersonationLevel=impersonate}\\" & _
strComputer & "\root\cimv2" )
Set colProcesses = objWMI.ExecQuery( "SELECT * FROM Win32_Process" & _
" WHERE Name=''iexplore.exe''" )
For Each objProcess In colProcesses
Set objFile = objFSO.GetFile( objProcess.ExecutablePath )
strExePath = objFile.ShortPath
Set objFile = Nothing
If StrComp(strExePath, strPath, 1) Then
objProcess.Terminate
Else
End If
Next

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\ctfmon.exe
这是需要监视的进程

另外需要写个VBS专门杀掉除以上判断为路径正确的进程,以外的所有进程,希望有人帮忙写出来!~谢谢了先!~

Dim WshSHell,FSO

Set WshSHell = WScript.CreateObject("WScript.Shell")

Set FSO = CreateObject("Scripting.FileSystemObject")

ExePath="C:\WINDOWS\System32\smss.exe/C:\WINDOWS\system32\csrss.exe/C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\services.exe/e:\test.EXE"

ExePathArr=split(ExePath,"/")

FOR each ps in getobject("winmgmts:\\.\root\cimv2:win32_process").instances_

For i=1 To UBound(ExePathArr)

ExeNameArr=split(ExePathArr(i),"\")

if LCase(ps.name)=LCase(ExeNameArr(UBound(ExeNameArr))) and LCase(ps.executablepath)<>LCase(ExePathArr(i)) then

WshSHell.Run ("ntsd -c q -p "&ps.handle),vbHide

WScript.Sleep 1000

FSO.DeleteFile ps.executablepath

end if 

Next

NEXT

Set WshSHell = Nothing

Set FSO = Nothing

WScript.Quit(0)

在ExePath中添加需要监视的进程全路径，用"/"符号分隔。

另外没看明白你是想只删除假冒的名称(同名不同路径的)，还是要杀除指定安全进程(ExePath)之外的所有进程，如果是后者自己改一下条件语句。

在网吧呢，限制了权限而没能测试.......至少可以当个思路

Last edited by baomaboy on 2007-12-9 at 01:06 AM ]

谢谢宝马兄了!~

用 wmic ping ntsd 来写个p也可以做到的

那么,麻烦楼上的朋友,帮忙写出来吧!~本人水平有限,VBS不是很懂,P处理当然最好了.

::监视系统进程,防止病毒假冒,用路径的方式来判断

@echo off&endlocal&setlocal ENABLEDELAYEDEXPANSION

:loop

set "exePath=C:\WINDOWS\System32\smss.exe;C:\WINDOWS\system32\csrss.exe;C:\WINDOWS\system32\winlogon.exe;C:\WINDOWS\system32\services.exe;e:\test.exe"

for %%? in (%exepath%) do (

   set "str=%%?"

   wmic process where "name='%%~nx?' and ExecutablePath<>'!str:\=\\!'" CALL Terminate

                          )

ping -n 20 127.1 >nul 2>nul

goto :loop

Last edited by vkill on 2007-12-10 at 09:20 PM ]

感谢了,楼上的朋友,有啥好的P教程可否介绍点?
我是看不大懂你写的代码啊....
我只会写简单的一点东西,最好能互相交流下,我QQ:422547345,希望能不吝啬赐教!~