lxsky (New member; points 14, posts 4, registered 2007-3-22, status offline)
Post #1 (original post): How to get a process's PID and force-kill it
My computer is infected; the process is abc.exe. tskill simply won't kill it, but ending it with ntsd -c q -p PID works. Now I want to do this in a batch file. I'm a newbie; I've read lots of forum posts and still don't quite get it.

@echo off
rem clear any value left over from an earlier run in the same cmd session
set "qq="
rem tasklist prints one process per line: token 1 is the image name, token 2 the PID
for /f "tokens=1,2" %%i in ('tasklist') do (
rem when the image name matches abc.exe, end that PID with ntsd and remember the name
echo %%i | findstr /i "abc.exe" 1>nul 2>nul && (
ntsd -c q -p %%j & set qq=%%i
)
)
if /i not "%qq%"=="abc.exe" echo Not infected
echo.
pause

It works on XP; I don't know whether it works on 2000.
The forum has this one:
tasklist | findstr "abc.exe"&&goto :p
It seems that could be used too, but I don't know how to put it together.
Please help me simplify it; I'd like to learn from it too.
2007-3-29 12:50
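An added example, not from the thread: a Python parser for tasklist's default output, reading the same columns the batch script above reads (image name, PID), but matching the image name whole and case-insensitively rather than with findstr's substring match, and coping with image names that contain spaces. The tasklist output is constructed; abc.exe is the thread's process name and the ntsd command line is the poster's.

```python
import re
import sys

# Constructed sample of tasklist's default output (not a real capture).
# The real output starts with an empty line, a column header and a row of '='.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1456 Console                    0     12,344 K
abc.exe                       2012 Console                    0      3,120 K
xabc.exe                      2044 Console                    0      1,008 K
ABC.EXE                       2100 Console                    0      3,120 K
"""

# One tasklist row: image name (may contain spaces), PID, session name,
# session number, memory usage.  Anchoring on the numeric columns is what
# makes "System Idle Process" parse correctly; a "tokens=1,2" split in batch
# would take "Idle" as its PID.
ROW_RE = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Return [(image_name, pid)] from tasklist's tabular output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows

def pids_for_image(text, image):
    """PIDs whose image name equals `image`: whole name, case-insensitive.

    findstr /i "abc.exe" in the batch script is a substring/regex match,
    so it would also hit xabc.exe; this comparison does not.
    """
    return [pid for name, pid in parse_tasklist(text) if name.lower() == image.lower()]

def kill_commands(text, image):
    """The command lines the batch script would run, one per matching PID."""
    return ["ntsd -c q -p %d" % pid for pid in pids_for_image(text, image)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "abc.exe"
    cmds = kill_commands(SAMPLE_TASKLIST, target)
    print("\n".join(cmds) if cmds else "Not infected")
```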
baomaboy (Silver member; points 1513, posts 554, registered 2005-12-30, status offline)
Post #2:
Originally posted by lxsky at 2007-3-29 12:50:
How to get a process's PID and force-kill it ...
Why insist on the PID? Doesn't ntsd -c q -pn abc.exe work directly?
2007-3-29 13:45
lxsky (New member; points 14, posts 4, registered 2007-3-22, status offline)
Post #3:
Heh, thanks, #2; ntsd really can be used that way.
2007-3-29 23:50
lp1129 (Junior user; points 186, posts 92, registered 2007-3-27, status offline)
Post #4:
This is the really powerful command:
Taskkill /IM /F abc.exe
If anyone still says only XP machines can use it, then buddy, your machine really should be retired!
2007-3-30 11:52
axi (Intermediate user, "script enthusiast"; points 238, posts 93, registered 2007-3-11, from GZ, status offline)
Post #5:
Originally posted by lp1129 at 2007-3-29 22:52:
This is the really powerful command:
Taskkill /IM /F abc.exe
If anyone still says only XP machines can use it, then buddy, your machine really should be retired!
Right! On XP taskkill does the job, and if you use:
taskkill /f /t /im abc.exe
it's even more effective, killing its child processes along with it.
2007-3-30 12:07
everest79 (Gold member, "One leaf on a branch, and every tree is spring"; points 2564, posts 1127, registered 2006-12-25, status offline)
Post #6:
If it refuses external termination, taskkill won't work either; try it on Kaspersky.
2007-3-30 12:35
lxmxn (Moderator; points 11386, posts 4938, registered 2006-7-23, status offline)
Post #7:
Just to interject: the command syntax in post #4 is wrong.
2007-4-2 00:21
flyinspace (Silver member; points 1206, posts 517, registered 2007-3-25, status offline)
Post #8:
Originally posted by lp1129 at 2007-3-29 10:52 PM:
This is the really powerful command:
Taskkill /IM /F abc.exe
If anyone still says only XP machines can use it, then buddy, your machine really should be retired!
I still think that when you write a command you have to consider portability.
If it isn't supported, your own script is disabled on the target's machine.
And in China today many enterprises are still running Windows 2000.
Signature: Knowing, one does not feel it is much; not knowing, one seeks knowledge.
2007-4-2 00:38
slore (Platinum member; points 5212, posts 2478, registered 2007-2-8, status offline)
Post #9:
Copy Taskkill.exe over and give it a try.
2007-4-2 00:54
axi (Intermediate user, "script enthusiast"; points 238, posts 93, registered 2007-3-11, from GZ, status offline)
Post #10: [post body not captured]
2007-4-4 01:25
applecy (Junior user; points 168, posts 78, registered 2006-12-27, status offline)
Post #11:
Just kidding, but the ultimate one is shutting down.
2007-4-4 01:39
baomaboy (Silver member; points 1513, posts 554, registered 2005-12-30, status offline)
Post #12:
Originally posted by axi at 2007-4-4 01:25:
I remember there's a process-killing file on the net, inject.dll. The usage is (first copy inject.dll into the system32 directory):
rundll32 inject.dll,Install explorer.exe vnetclient.exe qqga ...
This one's fun; let's try it.
2007-4-4 02:16
a201341717 (Poor user; points -2, posts 20, registered 2007-1-30, status offline)
Post #13: [image only]
2007-4-4 02:38
everest79 (Gold member, "One leaf on a branch, and every tree is spring"; points 2564, posts 1127, registered 2006-12-25, status offline)
Post #14:
Nice thing in post #10; I wonder what its resource usage is like.
2007-4-5 13:20
axi (Intermediate user, "script enthusiast"; points 238, posts 93, registered 2007-3-11, from GZ, status offline)
Post #15:
Thanks to brother everest97 for the points. This thing uses very few resources; here is a description of it:

ProcessInjector is a DLL-injection style prank program. It ends the tasks of programs on a user-defined blacklist.
Uses:
* Stop clueless people from downloading adware with IE. (That is, only the Firefox browser is allowed :) )
* Rescue people lost in online games
* Send the telecom staff who come in to install 星空极速 (Sky Speed) away empty-handed
Considering the computer skills of the person being pranked, this program uses DLL injection: there is no standalone executable, only a DLL installed into a host process. However, it can be found very easily with IceSword and Process Explorer.
Usage:
Make sure you copy inject.dll into the %SYSTEM32% directory, then type in Start -> Run:
rundll32 inject.dll,Install <host>
Here host is the name of the process to inject into (with the .exe extension). The host can be explorer.exe, or a critical system process such as winlogon.exe, smss.exe or conime.exe; with a critical system process, inject.dll's activity cannot be stopped. Once the host is killed, ProcessInjector stops running. The blocked program list (with .exe extensions) is the names of the programs to put on the blacklist; inject.dll kills them once per second.
Note: each installation of inject.dll overwrites the contents of the existing blacklist file.
After running, the program creates a configuration file BlackList.config and adds "inject"="rundll32 inject.dll,Install explorer.exe" to the registry Run entries. The telecom staff will find that the Sky Speed main program "vanishes for no reason".
Example:
rundll32 inject.dll,Install explorer.exe vnetclient.exe iexplorer.exe qqgame.exe
The program injects inject.dll into the explorer.exe process, adds itself to the system startup entries, creates the blacklist file %SYSTEM32%\blacklist.config, and every second kills IE, QQ Game and the Sky Speed main program. Program names are case-insensitive.
The generated BlackList.config file:
vnetclient.exe
iexplorer.exe
qqgame.exe
The blacklist file can be edited live:
ProcessInjector's blacklist file (%SYSTEM32%\BlackList.config) can be edited while it runs; ProcessInjector reloads the blacklist every 10 seconds. Open the blacklist file in Notepad and add the program names you dislike :)
On resource usage:
In my test environment (Celeron M 1.4G + 512MB RAM), ProcessInjector's effect on the host's CPU usage is negligible.
Uninstall:
Find the inject entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete it.
After a reboot, delete %SYSTEM32%\blacklist.config and %SYSTEM32%\inject.dll. (Optional)
About this software:
This software is freeware. Outmatch vouches on his honour that it contains no malicious code, but does not guarantee that the program will run correctly on your computer.
[ Last edited by axi on 2007-4-5 at 08:59 AM ]
This post received +14 points. Rated by lxmxn: +10, 2007-4-5 21:59; rated by baomaboy: +4, 2007-4-6 05:51.
2007-4-5 21:46
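As an added example from the defender's side (not part of the post above or of the ProcessInjector tool), a Python check that parses reg query output for the Run key the post names, flags values that load a DLL through rundll32 by bare file name (the persistence the installer writes), and emits the reg delete line for the post's uninstall step. The reg query output is constructed; the value name inject and its data are the ones the post quotes.

```python
import re

# The Run key the post names; ProcessInjector's installer writes its value here.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg query` output for that key (not a real capture);
# the first value is the one the post says the installer adds.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    inject    REG_SZ    rundll32 inject.dll,Install explorer.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Cpl       REG_SZ    rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL
"""

# Matches "rundll32[.exe] <dll>,<export> ...", with or without a path on rundll32.
RUNDLL_RE = re.compile(r"^(?:\S*\\)?rundll32(?:\.exe)?\s+(\S+?),(\w+)", re.IGNORECASE)

def parse_run_values(text):
    """Return [(value_name, value_type, data)] from `reg query` output.
    Columns are separated by runs of spaces (tabs on older Windows); the key
    path line has no such columns and is skipped."""
    values = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values.append(tuple(parts))
    return values

def suspicious_rundll_entries(text):
    """Run values that load a DLL through rundll32 by bare file name, as
    [(value_name, dll, export)].  A bare name is resolved from the system
    directory at logon, which is how inject.dll persists with no EXE of its own."""
    hits = []
    for name, _vtype, data in parse_run_values(text):
        m = RUNDLL_RE.match(data)
        if m and "\\" not in m.group(1):
            hits.append((name, m.group(1), m.group(2)))
    return hits

def remediation_commands(text):
    """The post's uninstall step (delete the Run value) as reg delete lines."""
    return ['reg delete "%s" /v %s /f' % (RUN_KEY, name)
            for name, _dll, _export in suspicious_rundll_entries(text)]

if __name__ == "__main__":
    for name, dll, export in suspicious_rundll_entries(SAMPLE_REG_QUERY):
        print("suspicious Run value %r loads %s,%s" % (name, dll, export))
    print("\n".join(remediation_commands(SAMPLE_REG_QUERY)))
```

The file cleanup the post lists (blacklist.config and inject.dll under %SYSTEM32%, after a reboot) is left to the operator, since the DLL stays mapped in the host until then.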