|
6688
新手上路
积分 7
发帖 7
注册 2008-11-21
状态 离线
|
『楼 主』:
[已结]VBS 解密
不知道是怎么加密的~看不懂~
原文件在这
http://upload.cn-dos.net/img/1118.rar
这是代码(直接复制代码是不能运行的)
#@~^lwoAAA==6 P3MDKDP"+k;:PH+XY@#@&Gk:,3?@#@&2U~xPr{^VGw�oVb#TQ}rhbB}Ypr$K�,�^G* RSBOcO��pm2�s1CN�,�91w||4l|;[�dWVbmNDGvaLbV8wKV3|wns^Cld^4,W3^CK;VN7MlX�}oM5a3V;\=C^|;t$0ralnm^\w0D�B��2. M8hdD;6�1�,g3V50t8}e67;2mLh33$a]G\$wCL8R,|0=e(-l���0H8+CgKmDw8(mE�sV).Yg}6hb9}D5r$nvG$w!m\gTw��G;aIDkklB?0lO�I��@$:#C\{1l���=OPYt.m �)�*&f��W52"Tr/mB%3Cc�p��hl C4^@*5m9lUKT\l���#YKY4.mc�=�XcT ZRRR��wMx]?N;lFmblT�O��jnNls/r66m���=d?|t588�,�Tc *z2&��KwKKDt.^xT%mZ�)��9W$w3GAx3)/^���|k?|t;( �1�c��wMx]?N;lnmkm �O��jLm:dSs5wW:N���=dj|t;8f�,�zJR c*��$wxU{454dTr4W�1�,H;6Cozloa���#/U{4;8*�,�!BT*��V61meK^a@$PHg@$U{4$4�fM~]_Ih1)|"$}K;1`a.xV4hdD50vW$w]Trdm9?3mR#(/]?N;l ��36m1Mhm2@$Kt1@$U{454�f!Aq$_]h1bn]$5nZgc2D M(hJT5WvW5w"DkklB?0lRb8kI?L$CJ��0r1mehma@$Kt1@$?|t58�fM~ $QIng)FI]phZH`2. M8hdD;6`G5aITrdm9?3m&*4d"7N;lZ��Vr1mMn1w@$Pt1@$Umt$4�G!$]g"nHbF]]pKZgcwMx!8SST5WvW5w"Db/Cx70l!*4k]7N;CF��V61meh^w@$KHg@$j{4;(�9M$ ]g]ng)|"$}K;1`2. M8hdD$0cK;aITb/mB70lq#(/]?N;ly��0rm1MKma@$:HH@$jm4;8�G!Aq$_]h1bF]]pKZgcaDUV4SST$0vG;aIDkklB?0l *8/"7L$Cf������@$WV�3mtU62C�$W^Tt\maN���6(D�0{4?rA�O�K5{U0 wM@$alT$^|%om|2YPUr#wnV5S}N8L4�[��3^�^C|mKlYn^DyUnmx+sDC$DNt%70lc J]]=~/K=ws5~mY(PY�}WmL�����G+%?NST5W�,�P[��^�Unmx+sDC6=a+s;G;4rdTk(����]������^=W?KoC1.Vf�=0=M87l�Sr�{2l nsD�3~^3t^+0����H4 tD|1^A6sT4H{a[bP[�*P���vu�����K5{UW weHdw��z%m�3(����^nm^_~l44Ml!8S�f_/j]@$?gH$Sh$"p)1b�KwGqm;H|w[��rl5�018+�1�VVa+TLm����K${U0 wM$mN3�O7QW��j2l +sDMl|W0����_V(l�mS���y��噎丘袧紫���jalU:Mel#00����K00l�?Mv�J ~WezBb��*F!f���UW|ws;Br481V� B~����:pm 0 we~l9V��ajnmxnhMerb^l^�FBSR��?hlU+h.Cb|00��弹乾争宰陨刑道锦呈辛蠟镣彪茹暇FP��fjrmGTV2_54m4U�R R~����@$63�q7H@*otw3|8;K970C��5la�\@*oPn2JWsmla;�1�2l2J#0C=My�YLNk93wKG\peIwV3$}mnNYR�'~zY4m\54aEf�}l48mw�B�$x^3�j6Vz wgxV=1GK�v�����������j6{Kos23Z{9s��970C�������������������JwAv����FY^C G~��k=nY{f.75{?��ZOC#/wYmLmS7M[�,�����������`6{Kos23Z{[s��be3b*eQ*#C_#*e3b#C_b#C_bbC_#*M_*#e3bbe3#*eQ#bM3#be3b#C_bbC_#bM3#be3b*eQ*#C_#*e3b#C_b#C_��������������������AVG�bD=6�|QCJU^llG2�+%�t@*wKFASK:{mw$�����������|En_CdxVmCGwdTb4I|@*!gxV=1GW3SDr(^�����������������������������������������mVNS VUlU5TlG�p�|QCJU^llG2BZC;tdN42fW$w9YL1F4";Cx*;2U";l ):bT0^Y�����������?6=anV$~)m:�(W(^(\t@*wH20{(;Wx70C`ce ~L��.|IT%:�n@*MgUV=1WK_HxV|1WGs~��k=KD|^�G5a9DL1F(I5mx�^D%p|?�k=KT|^�FQCS slmWwB)O4m;a7|tC\|w[�����������B87wE@#@&3X+^!Y`JGks~2z`f#BP3(BP2gSPAKJ,'~\(ZMSWP'~r2)`ZbP{P*l,2bcq*PxPWl,2)v *P',&=~2z`f#,'~+rP[,-4;DS6~'PrsKD~2(~{PqP:GPd+UcA?#E~LP-4;.d0~LPr21,',)/1`\k9`3jBP2&SP8##r~'P74;DJ0~',J(0,31,'~qRPK4n P31,x,&*rPLP\(ZMJ0,[~JA1~x,21,QPAb`A(~HKN,cbJ~',\8ZMJ0,[~E&0P3H,'~ R~:tn J,[P74;.S6P'Pr2H~{PF2EPLP\(/.S6PLPE2sdqWPAHP{P+1,KtnUrP'P78;DJ6PLPJA1,xP8!EPLP-8;DS6~[,J2 [~q6J,[~\8/MSWPL~JAK~x,2K~',Z4Dv3g#E,[,\4;DdWPLPE16OE*@#@&Aa+1EYc3K*cPsCAA==^#~@ [ Last edited by HAT on 2008-11-21 at 23:00 ]
|
|
 2008-11-21 15:41 |
|
|
5872169
高级用户
积分 959
发帖 474
注册 2007-10-25
状态 离线
|
『第
2 楼』:
天书啊,网上好多免费解密的网站,你搜一下
|
|
|
2008-11-21 16:27 |
|
|
slore
铂金会员
积分 5212
发帖 2478
注册 2007-2-8
状态 离线
|
『第
3 楼』:
Const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default
:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (LCase(Right(WScript.Fullname,11)) = "wscript.exe") Then
FinalPath = "'" & WScript.ScriptFullName & "'"
objWSH.Run("cmd.exe /k cscript //nologo " & Replace(FinalPath,"'",""""))
WScript.Quit
End If
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = Nothing
Wscript.Echo vbCr
Wscript.echo " Code by " & "野球小子"
Wscript.echo " Time at: 2008-10-9 9:27"
Wscript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "当前正在运行的进程信息列表如下:"
'WScript.Sleep 2000
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" & vbTab & vbTab & "ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess In OBJWMIProcess
MyOBJProcessName = OBJProcess.Name & " "
colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
WScript.Echo Mid(MyOBJProcessName,1,20) & vbTab & OBJProcess.ProcessID & vbTab & strNameOfUser & vbTab & vbTab & OBJProcess.ExecutablePath
Next
此帖被 +1 点积分 点击查看详情 | 评分人:【 6688 】 | 分数: +1 | 时间:2008-11-21 22:25 |
|
|
S smile 微笑,L love 爱,O optimism 乐观,R relax 放松,E enthusiasm 热情...Slore |
|
|
2008-11-21 22:20 |
|
|
6688
新手上路
积分 7
发帖 7
注册 2008-11-21
状态 离线
|
『第
4 楼』:
| Quote: | Originally posted by slore at 2008-11-21 22:20:
Const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject([/co ... |
|
谢谢~
是怎么解密的?
|
|
|
2008-11-21 22:28 |
|
|
slore
铂金会员
积分 5212
发帖 2478
注册 2007-2-8
状态 离线
|
『第
5 楼』:
vbe是官方加密……网上有很多网页都可以
decode
|
S smile 微笑,L love 爱,O optimism 乐观,R relax 放松,E enthusiasm 热情...Slore |
|
|
2008-11-21 22:35 |
|
|
6688
新手上路
积分 7
发帖 7
注册 2008-11-21
状态 离线
|
『第
6 楼』:
汗~
VBE不是与VBS一样的吗?
我之前试过搜VBS找很久也没找到~
现在搜VBE一搜就有了~
|
|
|
2008-11-21 22:41 |
|
|
6688
新手上路
积分 7
发帖 7
注册 2008-11-21
状态 离线
|
『第
7 楼』:
还有解密前也只能以VBE的后缀才能运行~VBS后缀就不能运行~
|
|
|
2008-11-21 22:46 |
|
|
HAT
版主
积分 9023
发帖 5017
注册 2007-5-31
状态 离线
|
『第
8 楼』:
凑个热闹
1. 把加密的代码保存为a.vbe
2. 使用第三方命令工具scrdec18.exe进行解密
scrdec18.exe可以去这里下载:批处理室附件收集专用帖
scrdec18.exe a.vbe b.txt -cp 936 结果保存在b.txt里面:
On Error Resume Next
Dim ES
ES = "_llop�FGAV]?QOPAJQ]QOBP�9�$D4-.,,-.-��Qap�mNad�9�DcpK_ha_q&�sflicjro6xgilbpokk_pellHasch9fklaoqkj^ray�ZX*YpkkqZ`ac_qhq8OpaPacMpkr�'��prnGbwL]qf�9� ?kkqkhbZ!OvqpajPkkq#[ovqpaj1.[`k`*bva���kNbe*?oc]pbIau�FGAV]?QOPAJQ]QOBP(oqpGavN]pe��oqpR]isaJ^ka-�;��@m`aM_ca���`tT]hrc-�:�5/3��oqpR]isaJ^ka.�;��Panabl>qcdanPgva���`tT]hrc.�:�540.0.-.��prnR^jqaK_ia0�9��UejamsOfxa���`sS_hqb1�9�04-5/3/��opoT]hrcJ]jc0�:��DfqpkowJkAsl���`sS_hqb2�9�.��prnR^jqaK_ia2�9��UejamsLlqepfmj���`sS_hqb3�9�//--44��qpnS_hqbL]ib4�9� MqfagAagp���`sS_hqb4�9�0,05��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka-)bsR^jqa.��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka.)bsR^jqa/��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka/)bsR^jqa0��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka0)bsR^jqa1��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka1)bsR^jqa2��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka2)bsR^jqa3������@fk�k_hSOE*�Bfl]hM_pd���Obr�k_hSOE�9�TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh�&��Ec�$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %�Qfaj�����Dej^jL]qf�9� #��$�SPanemr*O`pelqDqhiL]ib����%������l`fSPF*Nrl$�`k`*bva�,i�_panemr�+,lkhlek����Nbnh]`c$Bfl]hM_pd) #�) ���'%�����TQ_nfnp*Nsep��Aja�Eb����lPac+BahbraGbw�DHCU[@SNNBLP[RQAN)�opoIauM_pd��Oaq�kNbe�9�lkpegjc����Tq_nfnp*Badk�t^?o��Spanemr*a`fk����?lba�_w���$��噎丘袧紫���Spanemr*a`fk����Pfka�^r6�/.,4*/,)6��5703���So`pelq,Ohbcl�..,,����TQ_nfnp*Badk��#SPanemr*Oical�1,,-��SPanemr*A`fk��弹乾争宰陨刑道锦呈辛蠟镣彪茹暇7 ��$UO_oglp+Qhabn�.-.,����@fk�IvM>FMpk_bqoJ^ka��Qap�M>FTKELom_apq�9�EapL`fa`r$�tgjidkpo7ZX*YpkkqZ_ejt.�&,AtbaMqbpu$�Qahbap�'�Bnlk�Sfl/.\Nnk`coo�'�����������UO_oglp+C_dl��J^ka6�������������������LFB6����Ktlan7 ��s`P]_$r^Q_^��Cta`sp]_jaL^rd6� �����������UO_oglp+C_dl��)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+��������������������Bko�A]`f�K?HLnlaaop�ej�M>FTKELom_apq�����������KuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$�����������������������������������������_ljLnlnanqgao�;�K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%�����������SO`pelq,A_em�Ifb$IvM>FMpk_bqoJ^ka(.*.,&��r_R]^#�K>GNnk`coo+Nnk`cooFB��s`P]_$�oqpJ]jcKbRqan�$r^Q_^�s`P]_$�K?HLnlaaop,Atbaqp^`haM_pd�����������Jbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Execute(ET) 3. 把b.txt重命名为b.vbs,修改b.vbs,用拦截代码代替最后一个Excute
On Error Resume Next
Dim ES
ES = "_llop�FGAV]?QOPAJQ]QOBP�9�$D4-.,,-.-��Qap�mNad�9�DcpK_ha_q&�sflicjro6xgilbpokk_pellHasch9fklaoqkj^ray�ZX*YpkkqZ`ac_qhq8OpaPacMpkr�'��prnGbwL]qf�9� ?kkqkhbZ!OvqpajPkkq#[ovqpaj1.[`k`*bva���kNbe*?oc]pbIau�FGAV]?QOPAJQ]QOBP(oqpGavN]pe��oqpR]isaJ^ka-�;��@m`aM_ca���`tT]hrc-�:�5/3��oqpR]isaJ^ka.�;��Panabl>qcdanPgva���`tT]hrc.�:�540.0.-.��prnR^jqaK_ia0�9��UejamsOfxa���`sS_hqb1�9�04-5/3/��opoT]hrcJ]jc0�:��DfqpkowJkAsl���`sS_hqb2�9�.��prnR^jqaK_ia2�9��UejamsLlqepfmj���`sS_hqb3�9�//--44��qpnS_hqbL]ib4�9� MqfagAagp���`sS_hqb4�9�0,05��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka-)bsR^jqa.��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka.)bsR^jqa/��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka/)bsR^jqa0��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka0)bsR^jqa1��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka1)bsR^jqa2��kOcc*Pcp@TMN@S_hqb�DGBW[?RPNAKR[QPCN(prnGbwL]qf(oqpR]isaJ^ka2)bsR^jqa3������@fk�k_hSOE*�Bfl]hM_pd���Obr�k_hSOE�9�TQ_nfnp*@pa]qcK^gc_p% SO`pelq,Odbjh�&��Ec�$H`_oa%Pecer$SPanemr*Brjhj^ka(./%%: so`pelq,atb %�Qfaj�����Dej^jL]qf�9� #��$�SPanemr*O`pelqDqhiL]ib����%������l`fSPF*Nrl$�`k`*bva�,i�_panemr�+,lkhlek����Nbnh]`c$Bfl]hM_pd) #�) ���'%�����TQ_nfnp*Nsep��Aja�Eb����lPac+BahbraGbw�DHCU[@SNNBLP[RQAN)�opoIauM_pd��Oaq�kNbe�9�lkpegjc����Tq_nfnp*Badk�t^?o��Spanemr*a`fk����?lba�_w���$��噎丘袧紫���Spanemr*a`fk����Pfka�^r6�/.,4*/,)6��5703���So`pelq,Ohbcl�..,,����TQ_nfnp*Badk��#SPanemr*Oical�1,,-��SPanemr*A`fk��弹乾争宰陨刑道锦呈辛蠟镣彪茹暇7 ��$UO_oglp+Qhabn�.-.,����@fk�IvM>FMpk_bqoJ^ka��Qap�M>FTKELom_apq�9�EapL`fa`r$�tgjidkpo7ZX*YpkkqZ_ejt.�&,AtbaMqbpu$�Qahbap�'�Bnlk�Sfl/.\Nnk`coo�'�����������UO_oglp+C_dl��J^ka6�������������������LFB6����Ktlan7 ��s`P]_$r^Q_^��Cta`sp]_jaL^rd6� �����������UO_oglp+C_dl��)*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+))*+��������������������Bko�A]`f�K?HLnlaaop�ej�M>FTKELom_apq�����������KuK?HLnlaaopL]ib;K>GNnk`coo+L]ib$�����������������������������������������_ljLnlnanqgao�;�K?HLnlaaop,CaqMsjbp$oqpJ]jcKbRqan)qpnRqanAmi]fl%�����������SO`pelq,A_em�Ifb$IvM>FMpk_bqoJ^ka(.*.,&��r_R]^#�K>GNnk`coo+Nnk`cooFB��s`P]_$�oqpJ]jcKbRqan�$r^Q_^�s`P]_$�K?HLnlaaop,Atbaqp^`haM_pd�����������Jbvp"
Execute("Dim EA(3), EI, EN, ET" & vbCrLf & "EA(0) = 4: EA(1) = 4: EA(2) = 3: EA(3) = 2" & vbCrLf & "For EI = 1 To Len(ES)" & vbCrLf & "EN = Asc(Mid(ES, EI, 1))" & vbCrLf & "If EN = 18 Then EN = 34" & vbCrLf & "EN = EN + EA(EI Mod 4)" & vbCrLf & "If EN = 28 Then" & vbCrLf & "EN = 13" & vbCrLf & "ElseIf EN = 29 Then" & vbCrLf & "EN = 10" & vbCrLf & "End If" & vbCrLf & "ET = ET & Chr(EN)" & vbCrLf & "Next")
Intercept(ET)
Sub Intercept (code)
'WScript.Echo code
OutPutFile="DecodeVBS.txt"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objTXT=objFSO.CreateTextFile(OutPutFile,True,False)
objTXT.Write code
objTXT.Close
Set objWSH=CreateObject("WScript.Shell")
objWSH.Run OutPutFile
WScript.Quit
End Sub 4. 双击运行修改之后的b.vbs,结果保存在DecodeVBS.txt里面:
const HKEY_CURRENT_USER = &H80000001
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "Console\%SystemRoot%_system32_cmd.exe"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath
strValueName1 = "CodePage"
dwValue1 = 936
strValueName2 = "ScreenBufferSize"
dwValue2 = 98304200
strValueName3 = "WindowSize"
dwValue3 = 2818173
strValueName4 = "HistoryNoDup"
dwValue4 = 0
strValueName5 = "WindowPosition"
dwValue5 = 131068
strValueName6 = "QuickEdit"
dwValue6 = 2048
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName1,dwValue1
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName2,dwValue2
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName3,dwValue3
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName4,dwValue4
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName5,dwValue5
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName6,dwValue6
Dim objWSH, FinalPath
Set objWSH = WScript.CreateObject("WScript.Shell")
If (Lcase(Right(WScript.Fullname,11))="wscript.exe") Then
FinalPath = "'" & WScript.ScriptFullName & "'"
objWSH.Run("cmd.exe /k cscript //nologo " &Replace(FinalPath,"'",""""))
WScript.Quit
End If
oReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
Set oReg = nothing
Wscript.Echo vbCr
Wscript.echo " Code by " & "野球小子"
Wscript.echo " Time at: 2008-10-9 9:27"
Wscript.Sleep 1000
WScript.Echo
'WScript.Sleep 3000
WScript.Echo "当前正在运行的进程信息列表如下:"
'WScript.Sleep 2000
Dim MyOBJProcessName
Set OBJWMIProcess = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * From Win32_Process")
WScript.Echo "Name: PID: Owner:" &vbTab&vbTab&"ExecutablePath: "
WScript.Echo "---------------------------------------------------------------------------------------"
For Each OBJProcess in OBJWMIProcess
MyOBJProcessName=OBJProcess.Name&" "
colProperties = OBJProcess.GetOwner(strNameOfUser,strUserDomain)
WScript.Echo Mid(MyOBJProcessName,1,20) &vbTab& OBJProcess.ProcessID &vbTab& strNameOfUser &vbTab&vbTab& OBJProcess.ExecutablePath
Next [ Last edited by HAT on 2008-11-23 at 02:10 ]
|
 |
|
|
2008-11-23 01:59 |
|
|
kioskboy
初级用户
积分 153
发帖 103
注册 2008-3-27
状态 离线
|
『第
9 楼』:
| Quote: | | 3. 把b.txt重命名为b.vbs,修改b.vbs,用拦截代码代替最后一个Excute |
|
我在网吧,映像劫持在注册表里改不动,不知道什么什么原因
专门用来拦截的代码是什么代码
|
|
|
2008-11-23 08:43 |
|
|
HAT
版主
积分 9023
发帖 5017
注册 2007-5-31
状态 离线
|
『第
10 楼』:
Re 9楼
不用映像劫持,拦截代码就是指最后添加的那个Intercept子函数。
|
|
|
|
2008-11-23 09:45 |
|
|
kioskboy
初级用户
积分 153
发帖 103
注册 2008-3-27
状态 离线
|
『第
11 楼』:
哦原来酱子哦,谢谢
那么我这里 在注册表里面的 映像劫持的地方 改不动会是什么原因呢
|
|
|
2008-11-23 10:24 |
|
|
HAT
版主
积分 9023
发帖 5017
注册 2007-5-31
状态 离线
|
『第
12 楼』:
Re 11楼
可能的原因很多,比如:
注册表分支的读写权限被修改了、有其它程序或者服务在监控注册表的读写等等。
|
|
|
|
2008-11-23 10:43 |
|
|
kioskboy
初级用户
积分 153
发帖 103
注册 2008-3-27
状态 离线
|
『第
13 楼』:
对,原来是这样啊,说得有道理
那么改这个地方的权限在哪里(其它地方都改得动),或者怎么把 程序或者服务监测到,再把它揪出来呢
|
|
|
2008-11-23 10:48 |
|
|
HAT
版主
积分 9023
发帖 5017
注册 2007-5-31
状态 离线
|
『第
14 楼』:
Re 13楼
1. 右键单击某个注册表分支->权限
2. 如果你的系统进程和服务有足够的了解,可以尝试结束除系统必要进程/服务之外的其他所有。
|
|
|
|
2008-11-23 10:58 |
|
|
ggaking
新手上路
积分 19
发帖 8
注册 2008-9-11
状态 离线
|
|
|
2009-12-20 01:04 |
|
|
