
VBScript之通过对比注册表查找隐藏的服务

程序员文章站 2022-03-21 16:41:43
效果图:

VBScript之通过对比注册表查找隐藏的服务

代码(checksvr.vbs):


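'on error resume next

' checksvr.vbs - compare the service keys in the registry with the services
' that WMI (Win32_Service) reports, and print one line per key.
'
' A key is examined only when its "objectname" value comes back non-empty.
' "[ hidden ]" means only that the key has no matching Win32_Service instance.
' NOTE(review): that mismatch is a lead to investigate, not proof of a rootkit;
' presumably driver entries, leftover keys of removed services, or keys created
' without a reboot can also show up here - confirm each hit by hand.
' NOTE(review): something that filters registry enumeration as well would be
' invisible to this script, because both views would then agree.

const hkey_local_machine = &h80000002

set oreg=getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov")

strkeypath = "system\currentcontrolset\services"
oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys

' enumkey leaves arrsubkeys without an array when it cannot read the key;
' stop with a message instead of failing inside the for-each below.
if not isarray(arrsubkeys) then
    wscript.echo "could not enumerate " & strkeypath
    wscript.quit (1)
end if

wscript.echo "checking, please wait ..."
wscript.echo ""

for each subkey in arrsubkeys
    ' VBScript has no backslash escapes, so "\\" would be two literal
    ' backslashes; a single "\" is the registry path separator.
    oreg.getstringvalue hkey_local_machine, strkeypath & "\" & subkey, "objectname", strvalue

    if not (strvalue = "") then
        ' Check the service (original author's note: would comparing against
        ' an array be faster than one WMI query per key?).
        if not (checksvr(subkey)) then
            wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & "[ hidden ]"
        else
            wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & "[   ok   ]"
        end if

    end if
next
wscript.echo ""
wscript.echo "all done."
wscript.quit (0)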

 

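' checksvr: returns true when Win32_Service (root\cimv2) has at least one
' instance whose Name equals strname, false otherwise.
'
' strname: a service key name taken from the registry.
function checksvr(strname)
    dim owmi, cservice, strsafe

    ' The name is placed inside a quoted WQL string literal. Registry key
    ' names may contain a single quote, which would otherwise change the
    ' meaning of the query (wrong result or a runtime error). Escape the
    ' WQL escape character first, then the quote.
    strsafe = replace(strname, "\", "\\")
    strsafe = replace(strsafe, "'", "\'")

    set owmi = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\.\root\cimv2")
    set cservice = owmi.execquery("select * from win32_service where name='" & strsafe & "'")

    checksvr = (cservice.count <> 0)
end function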

' formatouttab: returns the run of tab characters printed after strname so
' that the following column lines up in the console output.
' Names shorter than 8 characters get 5 tabs, then one tab fewer for each
' further 8 characters; names of 32 characters or more get a single tab.
Function formatouttab(strname)
    Dim nChars, nTabs

    nChars = Len(strname)

    If nChars < 8 Then
        nTabs = 5
    ElseIf nChars < 16 Then
        nTabs = 4
    ElseIf nChars < 24 Then
        nTabs = 3
    ElseIf nChars < 32 Then
        nTabs = 2
    Else
        ' 32..39 characters and anything longer both get one tab.
        nTabs = 1
    End If

    formatouttab = String(nTabs, vbTab)
End Function

改用字典(Scripting.Dictionary)先一次性缓存全部服务名,不必对每个注册表子键各执行一次 WMI 查询,速度要快很多:


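' Dictionary-based variant: read all Win32_Service names once, then compare
' every service key in the registry against that set.
'
' A key is examined only when its "objectname" value comes back non-empty.
' "[ hidden ]" means only that the key name is not among the names
' Win32_Service returned.
' NOTE(review): treat a hit as a lead to investigate, not as proof of a
' rootkit; presumably driver entries or leftover keys of removed services can
' also appear here - confirm each hit by hand.
' NOTE(review): something that filters registry enumeration as well would be
' invisible to this script, because both views would then agree.
dim odic, oreg, owmi, arrservices
const hkey_local_machine = &h80000002

wscript.echo "[*] checking, please wait ..."
wscript.echo ""

set odic = createobject("scripting.dictionary")
' The dictionary compares keys case-sensitively by default. Compare as text
' so a difference in letter case alone is not reported as "[ hidden ]".
' comparemode must be set while the dictionary is still empty.
odic.comparemode = vbtextcompare

set owmi = getobject("winmgmts:" & "{impersonationlevel=impersonate}!\\.\root\cimv2")
set arrservices = owmi.execquery("select * from win32_service")
for each strservice in arrservices
    ' add raises an error on an existing key, so guard against repeats.
    if not odic.exists(strservice.name) then
        odic.add strservice.name, strservice.name
    end if
next

set oreg = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\default:stdregprov")
strkeypath = "system\currentcontrolset\services"
oreg.enumkey hkey_local_machine, strkeypath, arrsubkeys

' enumkey leaves arrsubkeys without an array when it cannot read the key;
' stop with a message instead of failing inside the for-each below.
if not isarray(arrsubkeys) then
    wscript.echo "[*] could not enumerate " & strkeypath
    wscript.quit (1)
end if

for each subkey in arrsubkeys
    ' VBScript has no backslash escapes, so "\\" would be two literal
    ' backslashes; a single "\" is the registry path separator.
    oreg.getstringvalue hkey_local_machine, strkeypath & "\" & subkey, "objectname", strvalue
    if not (strvalue = "") then
        if odic.exists(subkey) then
            wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & "[   ok   ]"
        else
            wscript.echo subkey & formatouttab(subkey) & strvalue & formatouttab(strvalue) & "[ hidden ]"
        end if
    end if
next

odic.removeall

wscript.echo ""
wscript.echo "[*] all done."
wscript.quit (0)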


' formatouttab: returns the run of tab characters printed after strname so
' that the following column lines up in the console output.
' Names shorter than 8 characters get 4 tabs, then one tab fewer for each
' further 8 characters; names of 24 characters or more get a single tab.
Function formatouttab(strname)
    Dim nChars, nTabs

    nChars = Len(strname)

    If nChars < 8 Then
        nTabs = 4
    ElseIf nChars < 16 Then
        nTabs = 3
    ElseIf nChars < 24 Then
        nTabs = 2
    Else
        ' 24..31 characters and anything longer both get one tab.
        nTabs = 1
    End If

    formatouttab = String(nTabs, vbTab)
End Function


来自: enun.net