AntiIframe.vbs用于批量清除被添加到文件中的恶意代码
antiiframe.vbs #该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改pattern参数指定要处理的文件名,文件名之间用|...
antiiframe.vbs
#该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。用记事本打开脚本,可以修改pattern参数来指定要处理的文件名,文件名之间用|隔开(也支持vbs正则表达式)。由于脚本会直接修改文件,请谨慎地使用(最好先备份文件)
#用法: cscript antiiframe.vbs [处理的路径] [包含清除内容的文件]
#例子: cscript antiiframe.vbs d:\web d:\lake2.txt
'-----------------------
'anti-iframe in vbs
'author: lake2 (http://lake2.0x54.org)
'date: 2007-2-27
'version: 1.1
'-----------------------
'-------- config start --------------
' File names to process, written as a VBScript regular expression. An
' enumeration such as "(index.asp|index.htm|index.html)" works as well.
pattern = "^.+\.(htm|html|asp|aspx|php)$"
'-------- config end --------------

' Entry point. Expects exactly two arguments: the directory to clean and the
' file holding the injected text to remove. Anything else prints the usage.
' Note: a hit means something was able to write into these files; removing the
' injected text does not close that write path, so treat hits as an indicator
' of compromise and investigate how the files were modified.
showinfo

if wscript.arguments.count <> 2 then
    showhelp
else
    rootarg = wscript.arguments.item(0)
    ' Strip one trailing backslash, but leave a bare drive root ("d:\") alone.
    if right(rootarg, 1) = "\" and len(rootarg) > 3 then
        thepath = left(rootarg, len(rootarg) - 1)
    else
        thepath = rootarg
    end if
    checkarg thepath
    wscript.echo "开始清理,请稍候……"
    showallfile thepath
    wscript.echo vbcrlf & "清理完成!" & vbcrlf
end if
' Prints the tool banner (name, author, contact) to the console.
sub showinfo()
    dim rule, banner
    rule = "==============================" & vbcrlf
    banner = rule _
        & "===== 欢迎使用雷客图 asp 站长安全助手vbs版 =====" & vbcrlf _
        & "===== 之 anti-批量挂马 =====" & vbcrlf _
        & "===== author: lake2 =====" & vbcrlf _
        & "===== email:lake2@mail.csdn.net =====" & vbcrlf _
        & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf _
        & rule _
        & vbcrlf
    wscript.echo banner
end sub
' Prints the command-line usage and one example invocation.
sub showhelp()
    dim usage
    usage = "#用法: cscript antiiframe.vbs [处理的路径] [包含清除内容的文件]" & vbcrlf _
        & "#例子: cscript antiiframe.vbs d:\web d:\lake2.txt" & vbcrlf _
        & vbcrlf
    wscript.echo usage
end sub
' Validates the two command-line inputs before any file is touched.
'   arg - directory to clean (already normalised by the caller).
' The second script argument (the file with the text to remove) is read
' directly from wscript.arguments. The script quits with a message if that
' file or the directory does not exist.
sub checkarg(arg)
    dim fsys, listfile
    listfile = wscript.arguments.item(1)
    set fsys = wscript.createobject("scripting.filesystemobject")

    ' The removal-content file is checked first, then the target directory.
    if not fsys.fileexists(listfile) then
        wscript.echo "error:未找到配置文件“" & listfile & "”!"
        wscript.quit
    end if
    if not fsys.folderexists(arg) then
        wscript.echo "error:错误的路径“" & arg & "”!"
        wscript.quit
    end if

    set fsys = nothing
end sub
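' Walks path and all of its subdirectories, passing every file whose name
' matches the global "pattern" regular expression to checkfile.
'   path - directory to process, without a trailing backslash.
' The text to remove is read in full from the file named by the second script
' argument (including any trailing line break that file contains). The script
' quits if that file is empty.
' A failure on one file is reported and skipped; it no longer aborts the rest
' of the directory, which would leave matching files unprocessed.
' NOTE(review): subfolders are followed as the FileSystemObject reports them;
' whether junctions can cause repeated visits was not verified here.
sub showallfile(path)
    dim fso, cfg, ts2, filecon, f, fc2, myfile, regex, fc, f1

    set fso = createobject("scripting.filesystemobject")
    set cfg = fso.getfile(wscript.arguments.item(1))
    if cfg.size > 0 then
        set ts2 = cfg.openastextstream(1, -2)
        filecon = ts2.readall
        ts2.close
        set ts2 = nothing
    else
        wscript.echo "error:配置文件" & wscript.arguments.item(1) & "大小为0!"
        wscript.quit
    end if
    set cfg = nothing

    set f = fso.getfolder(path)
    set fc2 = f.files

    ' The name filter is the same for every file, so build it once.
    set regex = new regexp
    regex.ignorecase = true
    regex.global = true
    regex.pattern = pattern

    on error resume next
    for each myfile in fc2
        ' Err is set here only when enumerating the directory itself failed;
        ' per-file errors are cleared below before the next iteration.
        if err.number <> 0 then
            wscript.echo "权限不足,不能检查目录" & path
            exit sub
        end if
        if regex.test(myfile.name) then
            checkfile path & "\" & myfile.name, filecon
            if err.number <> 0 then
                wscript.echo "error:处理文件失败,已跳过: " & path & "\" & myfile.name
                err.clear
            end if
        end if
    next
    set regex = nothing

    err.clear
    set fc = f.subfolders
    for each f1 in fc
        ' Stop if the subfolder list itself could not be enumerated.
        if err.number <> 0 then
            err.clear
            exit for
        end if
        showallfile path & "\" & f1.name
        ' An error inside one subtree must not affect its siblings.
        err.clear
    next
    set fso = nothing
end sub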
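' Removes every occurrence of filecon2 from the file at filepath and saves the
' result over the original file.
'   filepath - full path of the file to clean.
'   filecon2 - exact text to remove; matched case-insensitively.
' The file is decoded with the charset returned by getcharset and written back
' with the same charset. The file's own text keeps its original letter case:
' only the matched text is removed, so scripts, URLs and identifiers in the
' rest of the file are not altered.
' Read or write failures are reported and leave Err cleared for the caller.
' The file is overwritten in place and no backup copy is made here.
sub checkfile(filepath, filecon2)
    dim xset, tstream, content
    on error resume next

    ' An empty search text would match at position 1 of every file.
    if len(filecon2) = 0 then exit sub

    xset = getcharset(filepath)
    if err.number <> 0 then
        wscript.echo "error:无法读取文件,已跳过: " & filepath
        exit sub
    end if

    ' Load as binary, then switch the stream to text with the detected charset.
    set tstream = createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position = 0
    tstream.loadfromfile filepath
    tstream.type = 2
    tstream.charset = xset
    content = tstream.readtext(-1)
    tstream.close
    set tstream = nothing
    if err.number <> 0 then
        wscript.echo "error:无法读取文件,已跳过: " & filepath
        exit sub
    end if

    if instr(1, content, filecon2, vbtextcompare) > 0 then
        content = replace(content, filecon2, "", 1, -1, vbtextcompare)
        set tstream = createobject("adodb.stream")
        tstream.type = 2
        tstream.mode = 3
        tstream.charset = xset
        tstream.open
        tstream.position = 0
        tstream.writetext content
        tstream.savetofile filepath, 2
        tstream.close
        set tstream = nothing
        if err.number <> 0 then
            ' Typical causes are read-only or locked files; report, do not claim success.
            wscript.echo "error:无法写入文件: " & filepath
            err.clear
        else
            wscript.echo "已经修复文件: "&filepath&" ..."
        end if
    end if
end sub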
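' Returns the charset name used to decode the file at xpath: "utf-8" when the
' file starts with the UTF-8 byte order mark (EF BB BF), otherwise "gb2312".
'   xpath - full path of the file to inspect.
' Files shorter than three bytes fall back to "gb2312" instead of raising an
' error on the missing bytes.
' NOTE(review): a UTF-8 file without a byte order mark is also reported as
' "gb2312"; a caller that rewrites such a file in that charset may alter its
' non-ASCII text. Confirm the encodings in use before a bulk run.
function getcharset(xpath)
    dim tstream, byte1, byte2, byte3
    getcharset = "gb2312"

    set tstream = createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position = 0
    tstream.loadfromfile xpath
    ' Read past the end returns Null, so only look at the bytes when present.
    if tstream.size >= 3 then
        byte1 = ascb(tstream.read(1))
        byte2 = ascb(tstream.read(1))
        byte3 = ascb(tstream.read(1))
        if byte1 = 239 and byte2 = 187 and byte3 = 191 then
            getcharset = "utf-8"
        end if
    end if
    tstream.close
    set tstream = nothing
end function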
#该脚本是批量挂马程序的逆向,用于批量清除被添加到文件中的恶意代码。用记事本打开脚本,可以修改pattern参数来指定要处理的文件名,文件名之间用|隔开(也支持vbs正则表达式)。由于脚本会直接修改文件,请谨慎地使用(最好先备份文件)
#用法: cscript antiiframe.vbs [处理的路径] [包含清除内容的文件]
#例子: cscript antiiframe.vbs d:\web d:\lake2.txt
'-----------------------
'anti-iframe in vbs
'author: lake2 (http://lake2.0x54.org)
'date: 2007-2-27
'version: 1.1
'-----------------------
'-------- config start --------------
' File names to process, written as a VBScript regular expression. An
' enumeration such as "(index.asp|index.htm|index.html)" works as well.
pattern = "^.+\.(htm|html|asp|aspx|php)$"
'-------- config end --------------

' Entry point. Expects exactly two arguments: the directory to clean and the
' file holding the injected text to remove. Anything else prints the usage.
' Note: a hit means something was able to write into these files; removing the
' injected text does not close that write path, so treat hits as an indicator
' of compromise and investigate how the files were modified.
showinfo

if wscript.arguments.count <> 2 then
    showhelp
else
    rootarg = wscript.arguments.item(0)
    ' Strip one trailing backslash, but leave a bare drive root ("d:\") alone.
    if right(rootarg, 1) = "\" and len(rootarg) > 3 then
        thepath = left(rootarg, len(rootarg) - 1)
    else
        thepath = rootarg
    end if
    checkarg thepath
    wscript.echo "开始清理,请稍候……"
    showallfile thepath
    wscript.echo vbcrlf & "清理完成!" & vbcrlf
end if
' Prints the tool banner (name, author, contact) to the console.
sub showinfo()
    dim rule, banner
    rule = "==============================" & vbcrlf
    banner = rule _
        & "===== 欢迎使用雷客图 asp 站长安全助手vbs版 =====" & vbcrlf _
        & "===== 之 anti-批量挂马 =====" & vbcrlf _
        & "===== author: lake2 =====" & vbcrlf _
        & "===== email:lake2@mail.csdn.net =====" & vbcrlf _
        & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf _
        & rule _
        & vbcrlf
    wscript.echo banner
end sub
' Prints the command-line usage and one example invocation.
sub showhelp()
    dim usage
    usage = "#用法: cscript antiiframe.vbs [处理的路径] [包含清除内容的文件]" & vbcrlf _
        & "#例子: cscript antiiframe.vbs d:\web d:\lake2.txt" & vbcrlf _
        & vbcrlf
    wscript.echo usage
end sub
' Validates the two command-line inputs before any file is touched.
'   arg - directory to clean (already normalised by the caller).
' The second script argument (the file with the text to remove) is read
' directly from wscript.arguments. The script quits with a message if that
' file or the directory does not exist.
sub checkarg(arg)
    dim fsys, listfile
    listfile = wscript.arguments.item(1)
    set fsys = wscript.createobject("scripting.filesystemobject")

    ' The removal-content file is checked first, then the target directory.
    if not fsys.fileexists(listfile) then
        wscript.echo "error:未找到配置文件“" & listfile & "”!"
        wscript.quit
    end if
    if not fsys.folderexists(arg) then
        wscript.echo "error:错误的路径“" & arg & "”!"
        wscript.quit
    end if

    set fsys = nothing
end sub
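' Walks path and all of its subdirectories, passing every file whose name
' matches the global "pattern" regular expression to checkfile.
'   path - directory to process, without a trailing backslash.
' The text to remove is read in full from the file named by the second script
' argument (including any trailing line break that file contains). The script
' quits if that file is empty.
' A failure on one file is reported and skipped; it no longer aborts the rest
' of the directory, which would leave matching files unprocessed.
' NOTE(review): subfolders are followed as the FileSystemObject reports them;
' whether junctions can cause repeated visits was not verified here.
sub showallfile(path)
    dim fso, cfg, ts2, filecon, f, fc2, myfile, regex, fc, f1

    set fso = createobject("scripting.filesystemobject")
    set cfg = fso.getfile(wscript.arguments.item(1))
    if cfg.size > 0 then
        set ts2 = cfg.openastextstream(1, -2)
        filecon = ts2.readall
        ts2.close
        set ts2 = nothing
    else
        wscript.echo "error:配置文件" & wscript.arguments.item(1) & "大小为0!"
        wscript.quit
    end if
    set cfg = nothing

    set f = fso.getfolder(path)
    set fc2 = f.files

    ' The name filter is the same for every file, so build it once.
    set regex = new regexp
    regex.ignorecase = true
    regex.global = true
    regex.pattern = pattern

    on error resume next
    for each myfile in fc2
        ' Err is set here only when enumerating the directory itself failed;
        ' per-file errors are cleared below before the next iteration.
        if err.number <> 0 then
            wscript.echo "权限不足,不能检查目录" & path
            exit sub
        end if
        if regex.test(myfile.name) then
            checkfile path & "\" & myfile.name, filecon
            if err.number <> 0 then
                wscript.echo "error:处理文件失败,已跳过: " & path & "\" & myfile.name
                err.clear
            end if
        end if
    next
    set regex = nothing

    err.clear
    set fc = f.subfolders
    for each f1 in fc
        ' Stop if the subfolder list itself could not be enumerated.
        if err.number <> 0 then
            err.clear
            exit for
        end if
        showallfile path & "\" & f1.name
        ' An error inside one subtree must not affect its siblings.
        err.clear
    next
    set fso = nothing
end sub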
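' Removes every occurrence of filecon2 from the file at filepath and saves the
' result over the original file.
'   filepath - full path of the file to clean.
'   filecon2 - exact text to remove; matched case-insensitively.
' The file is decoded with the charset returned by getcharset and written back
' with the same charset. The file's own text keeps its original letter case:
' only the matched text is removed, so scripts, URLs and identifiers in the
' rest of the file are not altered.
' Read or write failures are reported and leave Err cleared for the caller.
' The file is overwritten in place and no backup copy is made here.
sub checkfile(filepath, filecon2)
    dim xset, tstream, content
    on error resume next

    ' An empty search text would match at position 1 of every file.
    if len(filecon2) = 0 then exit sub

    xset = getcharset(filepath)
    if err.number <> 0 then
        wscript.echo "error:无法读取文件,已跳过: " & filepath
        exit sub
    end if

    ' Load as binary, then switch the stream to text with the detected charset.
    set tstream = createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position = 0
    tstream.loadfromfile filepath
    tstream.type = 2
    tstream.charset = xset
    content = tstream.readtext(-1)
    tstream.close
    set tstream = nothing
    if err.number <> 0 then
        wscript.echo "error:无法读取文件,已跳过: " & filepath
        exit sub
    end if

    if instr(1, content, filecon2, vbtextcompare) > 0 then
        content = replace(content, filecon2, "", 1, -1, vbtextcompare)
        set tstream = createobject("adodb.stream")
        tstream.type = 2
        tstream.mode = 3
        tstream.charset = xset
        tstream.open
        tstream.position = 0
        tstream.writetext content
        tstream.savetofile filepath, 2
        tstream.close
        set tstream = nothing
        if err.number <> 0 then
            ' Typical causes are read-only or locked files; report, do not claim success.
            wscript.echo "error:无法写入文件: " & filepath
            err.clear
        else
            wscript.echo "已经修复文件: "&filepath&" ..."
        end if
    end if
end sub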
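' Returns the charset name used to decode the file at xpath: "utf-8" when the
' file starts with the UTF-8 byte order mark (EF BB BF), otherwise "gb2312".
'   xpath - full path of the file to inspect.
' Files shorter than three bytes fall back to "gb2312" instead of raising an
' error on the missing bytes.
' NOTE(review): a UTF-8 file without a byte order mark is also reported as
' "gb2312"; a caller that rewrites such a file in that charset may alter its
' non-ASCII text. Confirm the encodings in use before a bulk run.
function getcharset(xpath)
    dim tstream, byte1, byte2, byte3
    getcharset = "gb2312"

    set tstream = createobject("adodb.stream")
    tstream.type = 1
    tstream.mode = 3
    tstream.open
    tstream.position = 0
    tstream.loadfromfile xpath
    ' Read past the end returns Null, so only look at the bytes when present.
    if tstream.size >= 3 then
        byte1 = ascb(tstream.read(1))
        byte2 = ascb(tstream.read(1))
        byte3 = ascb(tstream.read(1))
        if byte1 = 239 and byte2 = 187 and byte3 = 191 then
            getcharset = "utf-8"
        end if
    end if
    tstream.close
    set tstream = nothing
end function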