标题: 映像劫持 解除和禁止程序运行 [打印本页]
作者: yangzhiyi 时间: 2008-4-10 17:38 标题: 映像劫持 解除和禁止程序运行
中过机器狗的人就知道有用
:: 本工具可查看、禁止和解除禁止被映像劫持不能运行的程序 by yangzhiyi 200-04-10
:: 很多木马病毒等会用 映像劫持 技术来禁止安全软件运行,当然你也可用它来禁止木马病毒运行。
@echo off
title 映像劫持 解除和禁止程序运行
:start
cls
rd /s /q "%temp%\ifeo" 1>nul 2>nul
md "%temp%\ifeo" 1>nul 2>nul
set adir=%temp%\ifeo
set route=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
echo 正在读取已被禁止运行的程序列表
reg query "%route%" 2>nul >%adir%\1.txt
for /F "usebackq tokens=7 delims=\" %%i in (%adir%\1.txt) do @echo %%i >>%adir%\2.txt
findstr "[.]" %adir%\2.txt 2>nul > %adir%\3.txt
for /F %%i in (%adir%\3.txt) do (
reg query "%route%\%%i" /v Debugger 2>nul 1>nul && echo %%i >>%adir%\list.txt
)
del /q /f %adir%\?.txt
:input
cls
echo 已被禁止运行的程序列表
echo -------------------------------------------
IF EXIST %adir%\list.txt (type %adir%\list.txt) else (echo 无映像劫持项)
echo -------------------------------------------
echo.
echo 输入 程序名称(如qq.exe),如果程序已禁止则会解除禁止
echo 输入 a 则删除全部的禁止项目
echo 输入 d 则删除像劫持项(不推荐)
echo 输入 b 则批量禁止(在当前目录建立list.txt文件,每行一个名称)
echo 输入 x 则退出本工具
echo.
set name=
set /p name=请输入:
if /I "%name%" == "" goto input
if /I "%name%" == "a" goto 3
if /I "%name%" == "d" goto 4
if /I "%name%" == "b" goto 5
if /I "%name%" == "x" goto end
echo 已输入:%name% | findstr "[.]" || (echo 输入错误 & pause >nul & goto input)
findstr "%name%" %adir%\list.txt 2>nul 1>nul
if not %ERRORLEVEL% == 1 goto 2
:1
reg add "%route%\%name%" /v "Debugger" /t REG_SZ /d "ntsd -d # 劫持 %name% 禁止它运行" /f >nul 2>nul
echo.
echo 已禁止运行%name%
echo.
pause
goto start
:2
reg delete "%route%\%name%" /f >nul 2>nul
echo.
echo 已解除禁止运行%name%
echo.
pause
goto start
:3
for /F %%j in ('IF EXIST %adir%\list.txt type %adir%\list.txt') do (reg delete "%route%\%%j" /f 2>nul 1>nul)
echo.
echo 已解除所有禁止运行项
echo.
pause
goto start
:4
reg export "%route%" "%adir%\Image File Execution Options.reg" 2>nul 1>nul
copy /y "%adir%\Image File Execution Options.reg" "Image File Execution Options.reg" 2>nul 1>nul && echo. & echo 已备份到当前目录,有问题时请恢复。
reg delete "%route%" /f >nul 2>nul
echo.
echo 已删除整项
echo.
pause
goto start
:5
IF EXIST list.txt (
for /F %%j in (list.txt) do (reg add "%route%\%%j" /v "Debugger" /t REG_SZ /d "ntsd -d # 劫持 %name% 禁止它运行" /f >nul 2>nul)
echo.
echo 已禁止list.txt文件中的所有项
) else (
echo 当前目录无 list.txt 文件
)
echo.
pause
goto start
:end
rd /s /q "%temp%\ifeo" 1>nul 2>nul
:: 很多木马病毒等会用 映像劫持 技术来禁止安全软件运行,当然你也可用它来禁止木马病毒运行。
@echo off
title 映像劫持 解除和禁止程序运行
:start
cls
rd /s /q "%temp%\ifeo" 1>nul 2>nul
md "%temp%\ifeo" 1>nul 2>nul
set adir=%temp%\ifeo
set route=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
echo 正在读取已被禁止运行的程序列表
reg query "%route%" 2>nul >%adir%\1.txt
for /F "usebackq tokens=7 delims=\" %%i in (%adir%\1.txt) do @echo %%i >>%adir%\2.txt
findstr "[.]" %adir%\2.txt 2>nul > %adir%\3.txt
for /F %%i in (%adir%\3.txt) do (
reg query "%route%\%%i" /v Debugger 2>nul 1>nul && echo %%i >>%adir%\list.txt
)
del /q /f %adir%\?.txt
:input
cls
echo 已被禁止运行的程序列表
echo -------------------------------------------
IF EXIST %adir%\list.txt (type %adir%\list.txt) else (echo 无映像劫持项)
echo -------------------------------------------
echo.
echo 输入 程序名称(如qq.exe),如果程序已禁止则会解除禁止
echo 输入 a 则删除全部的禁止项目
echo 输入 d 则删除像劫持项(不推荐)
echo 输入 b 则批量禁止(在当前目录建立list.txt文件,每行一个名称)
echo 输入 x 则退出本工具
echo.
set name=
set /p name=请输入:
if /I "%name%" == "" goto input
if /I "%name%" == "a" goto 3
if /I "%name%" == "d" goto 4
if /I "%name%" == "b" goto 5
if /I "%name%" == "x" goto end
echo 已输入:%name% | findstr "[.]" || (echo 输入错误 & pause >nul & goto input)
findstr "%name%" %adir%\list.txt 2>nul 1>nul
if not %ERRORLEVEL% == 1 goto 2
:1
reg add "%route%\%name%" /v "Debugger" /t REG_SZ /d "ntsd -d # 劫持 %name% 禁止它运行" /f >nul 2>nul
echo.
echo 已禁止运行%name%
echo.
pause
goto start
:2
reg delete "%route%\%name%" /f >nul 2>nul
echo.
echo 已解除禁止运行%name%
echo.
pause
goto start
:3
for /F %%j in ('IF EXIST %adir%\list.txt type %adir%\list.txt') do (reg delete "%route%\%%j" /f 2>nul 1>nul)
echo.
echo 已解除所有禁止运行项
echo.
pause
goto start
:4
reg export "%route%" "%adir%\Image File Execution Options.reg" 2>nul 1>nul
copy /y "%adir%\Image File Execution Options.reg" "Image File Execution Options.reg" 2>nul 1>nul && echo. & echo 已备份到当前目录,有问题时请恢复。
reg delete "%route%" /f >nul 2>nul
echo.
echo 已删除整项
echo.
pause
goto start
:5
IF EXIST list.txt (
for /F %%j in (list.txt) do (reg add "%route%\%%j" /v "Debugger" /t REG_SZ /d "ntsd -d # 劫持 %name% 禁止它运行" /f >nul 2>nul)
echo.
echo 已禁止list.txt文件中的所有项
) else (
echo 当前目录无 list.txt 文件
)
echo.
pause
goto start
:end
rd /s /q "%temp%\ifeo" 1>nul 2>nul
作者: knoppix7 时间: 2008-4-10 17:42
把reg.exe regedit.exe劫持了的话就..
作者: bat-zw 时间: 2008-4-10 17:49
粗略看了下,原理是对的,但临时文件太多了,建议完善。
作者: knoppix7 时间: 2008-4-10 18:11
临时文件好多...
建议用FOR嵌套一下..
作者: yangzhiyi 时间: 2008-4-11 12:43
临时文件好多是多了点,但反正一定要有,所以多几个和少几个没什么关别,反正会删除。