关于ver 0.1可以参考我之前的一篇[post
](http://www.newsmth.net/pc/pccon.php?id=671&nid=347474&s=all)
——————————————我是分割线——————————————
-
本脚本的目的在于远程协助对电脑毫无操作经验的人清除电脑上的小毒、小马和小流氓~
-
rootkit级别的暂时不是通过WMI可以解决的,所以不是我的这个小脚本的编写目的
-
版本升级频率取决于遇到的病毒和马儿的顽固程度
——————————————我是分割线——————————————
Changes since ver 0.1
+ 操作日志记录到文件
+ 删除系统服务
+ 遍历使用spt的16种终止进程方法
+ 通过进程名查找进程pid
> 修改函数异常处理的方法为记录日志到文件
/****************************************************************************** * Author: TrojanJason@NEWSMTH * Created on: 2007-12-28 * Last Modified: 2008-01-19 * Version: 0.2 * =================================================== * run: cscript //nologo virusCleanerUtils.js * =================================================== * Changelog: * =================================================== * Changes since ver 0.1 * + 操作日志记录到文件 * + 删除系统服务 * + 遍历使用spt的16种终止进程方法 * + 通过进程名查找进程pid * > 修改函数异常处理的方法为记录日志到文件 */ //-----------------全局变量开始----------------------- var objWSH = new ActiveXObject("wscript.shell"); var fso = new ActiveXObject("scripting.filesystemobject"); var Log = new Logger(); var hasExceptions = 0; //OpenTextFile 中读写标志位 var ForRead = 1; var ForWrite = 2; var ForAppend = 8; //custom input dialog vars var vbOKCancel = 1; // 确定/取消 var vbOKOnly = 0; //确定 var vbInformation = 64; var vbCancel = 2; //终止 重试 忽略,对于Popup的返回值来说表示用户点击'取消' //special folders spec var WindowsFolder = 0; var SystemFolder = 1; var TemporaryFolder = 2; //spt kill level constant /* 1 - standard process termination; 2 - terminate process by terminating all its threads; 3 - terminate process using remote thread; 4 - terminate process by instruction pointer (IP) modification; 5 - crash process by resetting memory attributes; 6 - crash process by rewriting critical process data; 7 - terminate process as part of a job; 8 - terminate process using debuger; 9 - terminate process as a task; 10 - terminate process by sending WM_CLOSE; 11 - terminate process by sending WM_SYSCOMMAND; 12 - terminate process using windows station message; 13 - terminate process using DLL injection 1; 14 - terminate process using DLL injection 2; 15 - simulation of normal process exit; 16 - terminate process by "bruteforce" message posting; */ //-----------------全局变量结束----------------------- //-----------------全局对象定义开始----------------------- function VCHelper() { } VCHelper.prototype.deleteSystemService = deleteSystemService; VCHelper.prototype.stopSystemService = stopSystemService; VCHelper.prototype.deleteRegKey = deleteRegKey; VCHelper.prototype.createRegKey = createRegKey; VCHelper.prototype.readRegKey = readRegKey; VCHelper.prototype.killProcessByName = killProcessByName; VCHelper.prototype.killProcessByPid = killProcessByPid; VCHelper.prototype.killProcessByPidSpt = killProcessByPidSpt; VCHelper.prototype.killProcessByPidAll = killProcessByPidAll; VCHelper.prototype.killProcessByNameAll = killProcessByNameAll; VCHelper.prototype.findProcessByPid = findProcessByPid; VCHelper.prototype.findPidByProcessName = findPidByProcessName; VCHelper.prototype.unloadDll = unloadDll; VCHelper.prototype.deleteFile = deleteFile; VCHelper.prototype.deleteFileByEnvVar = deleteFileByEnvVar; VCHelper.prototype.writeTextToFile = writeTextToFile; VCHelper.prototype.copyFile = copyFile; VCHelper.prototype.deleteFolder = deleteFolder; function UtilsHelper() { } UtilsHelper.prototype.hex = hex; UtilsHelper.prototype.info = info; function TestVCHelper() { } TestVCHelper.prototype.buildTestCase = function(){ try{ fso.OpenTextFile("test.txt", ForWrite, true).Close(); fso.OpenTextFile("d:\\temp\\sss.txt", ForWrite, true).Close(); fso.CreateFolder("d:\\中文 目录"); fso.OpenTextFile("d:\\中文 目录\\test.txt", ForWrite, true).Close(); fso.OpenTextFile(fso.GetSpecialFolder(TemporaryFolder)+"temp.ani", ForWrite, true).Close(); }catch(Err){ } } TestVCHelper.prototype.runTestCase = function(){ var TestCase = new VCHelper(); //display program info info(); //test copy file TestCase.copyFile("test.txt", "d:\\temp\\test1111.txt"); TestCase.copyFile("test.txt","d:\\temp\\test2222.txt"); TestCase.copyFile("test.txt","d:\\nonexist\\test2222.txt"); TestCase.deleteFile("d:\\temp\\sss.txt"); TestCase.deleteFile("d:\\中文 目录\\test.txt"); TestCase.deleteFile("d:\\temp\\test1111.txt"); TestCase.deleteFile("d:\\temp\\test2222.txt"); TestCase.deleteFolder("d:\\中文 目录"); TestCase.deleteFileByEnvVar("%temp%\\temp.ani"); TestCase.writeTextToFile("111\n2222\n333", "test.txt", ForAppend, false); TestCase.writeTextToFile("111\n2222\n333", "test.txt", ForWrite, true); TestCase.writeTextToFile("444\n2222\n333", "test.txt", ForAppend, true); TestCase.deleteFile("test.txt"); //test process termination TestCase.unloadDll("SciLexer.DLL"); TestCase.killProcessByName("notepad.exe"); TestCase.killProcessByNameAll("calc.exe"); TestCase.killProcessByPid(3972); //test stopping service TestCase.stopSystemService("MSIServer"); //test registry operations TestCase.createRegKey("HKCU\\Software\\ACME\\FortuneTeller\\",1,"REG_BINARY"); TestCase.createRegKey("HKCU\\Software\\ACME\\FortuneTeller\\MindReader", "Goocher!", "REG_SZ"); Log.log(readRegKey("HKCU\\Software\\ACME\\FortuneTeller\\MindReader")); TestCase.deleteRegKey("HKCU\\Software\\ACME\\FortuneTeller\\MindReader"); TestCase.deleteRegKey("HKCU\\Software\\ACME\\FortuneTeller\\"); TestCase.deleteRegKey("HKCU\\Software\\ACME\\"); } //日志对象 function Logger(logLevel) { } Logger.prototype.name = "VirusCleanLog.log"; Logger.prototype.log = function(str){ var fd = fso.OpenTextFile(Log.name, ForAppend, true); fd.Write(new Date().getCurrentTime() + " - " + str + "\n"); fd.Close(); } //获得当前系统时间 Date.prototype.getCurrentTime = function() { return this.getYear() + "/" + (this.getMonth() + 1) + "/" + this.getDate() + " " + this.getHours() + ":" + this.getMinutes() + ":" + this.getMilliseconds(); } //-----------------全局对象定义结束----------------------- /************************************** ************ 系统服务操作 ************** **************************************/ //停止服务 function stopSystemService(srvcName) { try{ var strcomputer, objwmi, servicelist, service, sname; strcomputer ="."; objwmi = GetObject("winmgmts:\\\\" + strcomputer + "\\root\\cimv2"); //确保只停止当前状态为'Running'或'Unknown'的服务 servicelist = objwmi.ExecQuery("Select * from Win32_Service where (State='Running' or State='Unknown') and Name='" + srvcName + "'"); var e = new Enumerator(servicelist); for (;!e.atEnd();e.moveNext()) { var service = e.item(); if(service.stopservice() == 0){ Log.log("*****停止服务:'" + srvcName + "'成功"); }else{ Log.log("!!!!!停止服务:'" + srvcName + "'失败"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //删除服务 function deleteSystemService(srvcName) { try{ var strcomputer, objwmi, servicelist, service, sname; strcomputer ="."; objwmi = GetObject("winmgmts:\\\\" + strcomputer + "\\root\\cimv2"); servicelist = objwmi.ExecQuery("Select * from Win32_Service where Name='" + srvcName + "'"); var e = new Enumerator(servicelist); for (;!e.atEnd();e.moveNext()) { var service = e.item(); if(service.Delete() == 0){ Log.log("*****删除服务:'" + srvcName + "'成功"); }else{ Log.log("!!!!!删除服务:'" + srvcName + "'失败"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } /************************************** ************ 注册表操作 *************** **************************************/ //删除注册表键值 function deleteRegKey(regKeyName) { try{ Log.log("deleteRegKey(" + regKeyName + ")"); objWSH.RegDelete(regKeyName); }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //创建/修改注册表键值 function createRegKey(regKeyName, regKeyValue, regType) { try{ Log.log("createRegKey(" + regKeyName + "," + regKeyValue + "," + regType + ")"); objWSH.RegWrite(regKeyName, regKeyValue, regType); }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //读取注册表键值 function readRegKey(regKeyName) { try{ Log.log("readRegKey(" + regKeyName + ")"); return objWSH.RegRead(regKeyName); }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } /************************************** ************ 进程操作 *************** **************************************/ //进程终结 by name function killProcessByName(procName) { try{ var w = GetObject("winmgmts:"); var processlist = w.execquery("select * from win32_process where name='" + procName + "'"); var e = new Enumerator(processlist); for(;!e.atEnd();e.moveNext()){ var process = e.item(); if(process.terminate()){ Log.log("!!!!!终止进程:'" + procName + "'失败"); }else{ Log.log("*****终止进程" + procName + "成功"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //进程终结 by pid function killProcessByPid(pid) { try{ var w = GetObject("winmgmts:"); var processlist = w.execquery("select * from win32_process where ProcessId='" + pid + "'"); var e = new Enumerator(processlist); for(;!e.atEnd();e.moveNext()){ var process = e.item(); if(process.terminate()){ Log.log("!!!!!终止进程pid:'" + pid + "'失败"); }else{ Log.log("*****终止进程pid" + pid + "成功"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //进程终结 by pid 使用spt.exe function killProcessByPidSpt() { var pid, level, params; if(arguments == null || arguments.length < 2){ return; }else{ pid = arguments[]; level = arguments[1]; params = arguments[2] == null ? null : arguments[2]; } try{ if(findProcessByPid(pid) == null){//不存在pid所代表的进程 Log.log("!!!!!不存在进程(pid=" + pid + ", level=" + level + ")"); return 0; } var oExec; if(params == null || params.length < 1){ oExec = objWSH.Exec("spt " + pid + " " + level); }else{ oExec = objWSH.Exec("spt " + pid + " " + level + " " + params); } var isSuccessful = false; while(!oExec.StdOut.AtEndOfStream) { var output = oExec.StdOut.ReadLine(); if(output.indexOf("succeed") > -1){//程序执行成功 isSuccessful = true; break; } } if(!isSuccessful){ Log.log("!!!!!强制终止进程(pid=" + pid + ", level=" + level + ")失败"); return 1; }else{ Log.log("*****强制终止进程(pid=" + pid + ", level=" + level + ")成功"); return 0; } }catch(err){ objWSH.Popup("请将第三方程序spt.exe与本专杀放在同一目录下",64,"注意"); hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); return 2; } } //遍历尝试16种进程终止方法 function killProcessByPidAll(pid) { for(var i = 1;i < 17;i++){ if(!killProcessByPidSpt(pid, i))//执行成功 break; } } //遍历尝试16种进程终止方法by process name function killProcessByNameAll(procName) { var pids = findPidByProcessName(procName); if(pids != null && pids.length > 0){ for(var i = 0;i < pids.length;i++){ Log.log("进程" + procName + "存在pid:" + pids[i]); killProcessByPidAll(pids[i]); } } } //查找进程 by pid function findProcessByPid(pid) { try{ var w = GetObject("winmgmts:"); var processlist = w.execquery("select * from win32_process where ProcessId='" + pid + "'"); var e = new Enumerator(processlist); for(;!e.atEnd();e.moveNext()){ var process = e.item(); return process; } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //通过进程名查找pid function findPidByProcessName(procName) { var pids = new Array(); try{ var w = GetObject("winmgmts:"); var processlist = w.execquery("select * from win32_process where name='" + procName + "'"); var e = new Enumerator(processlist); for(;!e.atEnd();e.moveNext()){ var process = e.item(); pids.push(process.ProcessId); } return pids; }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //dll文件卸载 function unloadDll(dllName) { try{ var oExec = objWSH.Exec("ps /e * " + dllName); var output = ""; var isSuccessful = false; while(!oExec.StdOut.AtEndOfStream) { var output = oExec.StdOut.ReadLine(); if(output.indexOf("succeed") > -1){//程序执行成功 isSuccessful = true; break; } } if(!isSuccessful){ Log.log("!!!!!强制卸载dll文件:" + dllName + "失败,请确认dll文件名是否正确"); }else{ Log.log("*****强制卸载dll文件:" + dllName + "成功"); } }catch(err){ objWSH.Popup("请将第三方程序ps.exe与本专杀放在同一目录下",64,"注意"); hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } /************************************** ************ 文件操作 *************** **************************************/ //删除文件(根据全路径+文件名,注意路径中的斜杠是\\) function deleteFile(fileName) { try{ if(fso.FileExists(fileName)){ var v = fso.GetFile(fileName); v.attributes = 0; v.Delete(true);//force delete if read-only flag is set if(fso.FileExists(fileName)){//check if file has been deleted Log.log("!!!!!删除文件'" + fileName + "'失败"); }else{ Log.log("*****删除文件'" + fileName + "'成功"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //删除文件(根据环境变量名+文件名,注意路径中的斜杠是\\) function deleteFileByEnvVar(fileSpec){ try{ var d = objWSH.ExpandEnvironmentStrings(fileSpec); if(fso.FileExists(d)){ var v = fso.GetFile(d); v.attributes = 0; v.Delete(true);//force delete if read-only flag is set if(fso.FileExists(d)){//check if file has been deleted Log.log("!!!!!删除文件'" + fileSpec + "'失败"); }else{ Log.log("*****删除文件'" + fileSpec + "'成功"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //强制删除文件(借助第三方工具) //写文本文件 function writeTextToFile(txt, fileName, iomode, ForceCreate) { try{ var re = fso.OpenTextFile(fileName, iomode, ForceCreate); re.Write(txt); re.Close(); }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //复制文件 function copyFile(src, dst) { try{ if(fso.FileExists(src)){ var tempDst = dst.substring(0,dst.lastIndexOf("\\") + 1); if(!fso.FolderExists(tempDst)){//检查是否存在目标文件所在的目录 if(objWSH.Popup("不存在目标目录" + tempDst + "自动创建?",64,"注意",vbOKCancel) == vbCancel){//放弃复制 return; } fso.CreateFolder(tempDst); } if(fso.FileExists(dst)){//检查目标文件是否已经存在 if(objWSH.Popup("目标文件" + dst + "已存在,是否覆盖?",64,"注意",vbOKCancel) == vbCancel){//放弃覆盖 return; } } fso.GetFile(src).Copy(dst); }else{ objWSH.Popup("要拷贝的源文件" + src + "不存在",64,"注意",vbOKOnly); } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } //删除目录 function deleteFolder(folderName) { try{ if(fso.FolderExists(folderName)){ var folder = fso.GetFolder(folderName); folder.attributes = 0; folder.Delete(true); if(fso.FolderExists(folderName)){ Log.log("!!!!!删除目录'" + folderName + "'失败"); }else{ Log.log("*****删除目录'" + folderName + "'成功"); } } }catch(err){ hasExceptions ++; Log.log("Error " + hasExceptions + " occurred\nCode: " + hex(err.number) + "\nDescriptions: " + err.description); } } /************************************** ************ UtilsHelper类 *************** **************************************/ function hex(nmb) { if (nmb > 0) return nmb.toString(16); else return (nmb + 0x100000000).toString(16); } function info() { var _name = "Virus Clean Helper"; var _author = "All rights by TrojanJason@NEWSMTH"; var _version = "Version 0.2"; objWSH.Popup(_author + "\n" + _version, 64, _name); } function main() { //write your code here to perform virus batch clean //停止服务 //删除服务 //进程操作 //dll卸载 //删除文件 //清理注册表 } //run TestCase //var TestCase = new TestVCHelper(); //TestCase.buildTestCase(); //TestCase.runTestCase(); // //main function call main();
