AntiIframe.vbs用于批量清除被添加到文件中的恶意代码
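' AntiIframe.vbs
'
' This script is the inverse of a mass iframe-injection tool: it walks a
' directory tree and removes a known block of malicious code that was
' appended to (or inserted into) web files.
'
' Open the script in a text editor and change the Pattern setting to choose
' which file names are processed; alternatives are separated with "|"
' (VBScript regular expressions are supported).
' The script rewrites files in place, so use it carefully and back up the
' files first.
'
' Usage:   CScript AntiIframe.vbs [path to process] [file containing the text to remove]
' Example: CScript AntiIframe.vbs d:\Web d:\lake2.txt
'
' Notes for the operator:
'   * The content of the second argument is matched verbatim (ignoring letter
'     case), including any trailing line break the file may contain.
'   * Removing the injected text only cleans the symptom. The way the files
'     were modified (vulnerable upload, stolen FTP/CMS credentials, a web
'     shell left on disk) has to be found and closed separately, otherwise
'     the files can simply be modified again.
'
' -----------------------
' Anti-Iframe in vbs
' Author: lake2 (http://lake2.0x54.org)
' Date: 2007-2-27
' Version: 1.1
' -----------------------

' -------- Config Start --------------
' File names to process. A VBScript regular expression; an enumeration such as
' "(index.asp|index.htm|index.html)" also works.
Pattern = "^.+\.(htm|html|asp|aspx|php)$"
' -------- Config End --------------

' Text to remove, read once from the file given as the second argument and
' then reused for every directory (see LoadSignature).
Dim gSignature

Call ShowInfo()

If WScript.Arguments.Count = 2 Then
    ' Strip one trailing backslash, except for a drive root such as "d:\".
    If Right(WScript.Arguments.Item(0), 1) = "\" Then
        If Len(WScript.Arguments.Item(0)) > 3 Then
            thePath = Mid(WScript.Arguments.Item(0), 1, Len(WScript.Arguments.Item(0)) - 1)
        Else
            thePath = WScript.Arguments.Item(0)
        End If
    Else
        thePath = WScript.Arguments.Item(0)
    End If

    Call CheckArg(thePath)
    WScript.Echo "开始清理,请稍候……"
    Call ShowAllFile(thePath)
    WScript.Echo vbcrlf & "清理完成!" & vbcrlf
Else
    Call ShowHelp()
End If

' Prints the banner.
Sub ShowInfo()
    Dim HelpStr
    HelpStr = HelpStr & "==============================" & vbcrlf
    HelpStr = HelpStr & "===== 欢迎使用雷客图 ASP 站长安全助手vbs版 =====" & vbcrlf
    HelpStr = HelpStr & "===== 之 Anti-批量挂马 =====" & vbcrlf
    HelpStr = HelpStr & "===== Author: lake2 =====" & vbcrlf
    HelpStr = HelpStr & "===== Email:lake2@mail.csdn.net =====" & vbcrlf
    HelpStr = HelpStr & "===== 欢迎访问 www.0x54.org 得到更多信息 =====" & vbcrlf
    HelpStr = HelpStr & "==============================" & vbcrlf
    HelpStr = HelpStr & vbcrlf
    WScript.Echo HelpStr
End Sub

' Prints the command-line usage.
Sub ShowHelp()
    Dim HelpStr
    HelpStr = HelpStr & "#用法: CScript AntiIframe.vbs [处理的路径] [包含清除内容的文件]" & vbcrlf
    HelpStr = HelpStr & "#例子: CScript AntiIframe.vbs d:\Web d:\lake2.txt" & vbcrlf
    HelpStr = HelpStr & vbcrlf
    WScript.Echo HelpStr
End Sub

' Validates both arguments and quits the script when either is unusable:
' the second argument must be an existing file, arg an existing folder.
Sub CheckArg(arg)
    Dim tmpPath, objFSO
    tmpPath = arg
    Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
    If Not objFSO.FileExists(WScript.Arguments.Item(1)) Then
        WScript.Echo "Error:未找到配置文件“" & WScript.Arguments.Item(1) & "”!"
        WScript.Quit
    ElseIf Not objFSO.FolderExists(tmpPath) Then
        WScript.Echo "Error:错误的路径“" & tmpPath & "”!"
        WScript.Quit
    End If
    Set objFSO = Nothing
End Sub

' Reads the text to remove from the file given as the second argument.
' Quits the script when that file is empty. The file is opened with the
' system default encoding (TristateUseDefault, -2).
Function LoadSignature()
    Dim fso, g, ts
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set g = fso.GetFile(WScript.Arguments.Item(1))
    If g.Size > 0 Then
        Set ts = g.OpenAsTextStream(1, -2)
        LoadSignature = ts.ReadAll
        ts.Close
        Set ts = Nothing
    Else
        WScript.Echo "Error:配置文件" & WScript.Arguments.Item(1) & "大小为0!"
        WScript.Quit
    End If
    Set g = Nothing
    Set fso = Nothing
End Function

' Processes every file in Path whose name matches Pattern, then recurses
' into each subfolder.
Sub ShowAllFile(Path)
    Dim FSO, f, myfile, f1, regEx

    ' Load the text to remove once instead of re-reading it per directory.
    If IsEmpty(gSignature) Then gSignature = LoadSignature()

    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set f = FSO.GetFolder(Path)

    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = Pattern

    On Error Resume Next
    Err.Clear
    For Each myfile In f.Files
        ' An error here comes from enumerating the folder itself; errors from
        ' individual files are cleared below so that one unreadable file no
        ' longer aborts the rest of the directory.
        If Err.Number <> 0 Then
            WScript.Echo "权限不足,不能检查目录" & Path
            Err.Clear
            Exit Sub
        End If
        If regEx.Test(myfile.Name) Then
            CheckFile myfile.Path, gSignature
            Err.Clear
        End If
    Next
    Set regEx = Nothing

    For Each f1 In f.SubFolders
        ShowAllFile f1.Path
        Err.Clear
    Next
    Set FSO = Nothing
End Sub

' Removes every occurrence of filecon2 from the file at filepath and saves the
' file back in the encoding reported by GetCharSet. Matching ignores letter
' case, and the rest of the file keeps its original case. Files that cannot be
' read are skipped.
Sub CheckFile(filepath, filecon2)
    Dim xSet, tStream, filecon, cleaned

    On Error Resume Next
    Err.Clear

    xSet = GetCharSet(filepath)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If

    ' Load as binary first, then switch the stream to text in the detected
    ' charset and read it in 100 KB chunks.
    Set tStream = CreateObject("ADODB.Stream")
    tStream.Type = 1
    tStream.Mode = 3
    tStream.Open
    tStream.Position = 0
    tStream.LoadFromFile filepath
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If
    tStream.Type = 2
    tStream.Charset = xSet
    filecon = ""
    Do Until tStream.EOS
        filecon = filecon & tStream.ReadText(102400)
        ' Leave the loop on a read error; with Resume Next active it would
        ' otherwise never reach EOS.
        If Err.Number <> 0 Then Exit Do
    Loop
    tStream.Close
    Set tStream = Nothing
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If

    If InStr(1, filecon, filecon2, vbTextCompare) > 0 Then
        cleaned = Replace(filecon, filecon2, "", 1, -1, vbTextCompare)

        Set tStream = CreateObject("ADODB.Stream")
        tStream.Type = 2
        tStream.Mode = 3
        tStream.Charset = xSet
        tStream.Open
        tStream.Position = 0
        tStream.WriteText cleaned
        tStream.SaveToFile filepath, 2   ' 2 = overwrite the existing file
        If Err.Number = 0 Then
            WScript.Echo "已经修复文件: " & filepath & " ..."
        Else
            WScript.Echo "Error:无法写入文件“" & filepath & "”!"
            Err.Clear
        End If
        tStream.Close
        Set tStream = Nothing
    End If
End Sub

' Returns "UTF-8" when the file starts with the bytes EF BB BF (239, 187, 191),
' otherwise "GB2312". Files shorter than three bytes get "GB2312".
' NOTE(review): UTF-8 files without that three-byte mark are therefore treated
' as GB2312 when they are read and saved again - confirm this is acceptable
' for the site being cleaned, and keep the backup.
Function GetCharSet(xPath)
    Dim tStream, byte1, byte2, byte3
    GetCharSet = "GB2312"

    Set tStream = CreateObject("ADODB.Stream")
    tStream.Type = 1
    tStream.Mode = 3
    tStream.Open
    tStream.Position = 0
    tStream.LoadFromFile xPath
    If tStream.Size >= 3 Then
        byte1 = AscB(tStream.Read(1))
        byte2 = AscB(tStream.Read(1))
        byte3 = AscB(tStream.Read(1))
        If byte1 = 239 And byte2 = 187 And byte3 = 191 Then
            GetCharSet = "UTF-8"
        End If
    End If
    tStream.Close
    Set tStream = Nothing
End Function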