VBS script in system security in eight the clever application-vulnerability warning-the black bar safety net

ID MYHACK58:6220069569
Type myhack58
Reporter 佚名
Modified 2006-06-05T00:00:00


VBS script virus a large number of popular brings us to the VBS function with a new understanding, now everyone on the it also began to pay attention to it. VBS code in local is by the Windows Script Host(WSH)interpreter execution. VBS script to perform without the WSH, the WSH is Microsoft offers a 3 2-bit Windows platform, language-independent script interpreter mechanisms, which makes the scripts directly on the Windows desktop or Command Prompt running. Using the WSH, the user can manipulate the WSH objects, ActiveX object, registry, and file system. In Windows 2 0 0 0, You can also use WSH to access the Windows NT Active Directory Service.

Using VBS to write the script in the window interface by wscript. exe file interpreted, in the character interface by cscript. exe file interpreted. wscript. exe is a script language interpreter, is it so that the script can be executed, like the execution of a batch. About the VBS you than I am familiar with many, so no longer nonsense, directly into the theme, check out my summary of the VBS in the system of safety of eight is wonderful with it.

One, to the Registry Editor to unlock

Use Notepad to edit the following:

DIM WSH SET WSH=WSCRIPT. CreateObject("WSCRIPT. SHELL") 'firing live WScript. The Shell object WSH. POPUP("unlock Registry Editor!") 'Display pop-up information“to unlock the Registry Editor!” WSH. Regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\System\DisableRegistryTools",0,"REG_DWORD" 'To Registry Editor to unlock WSH. POPUP("registry successfully unlocked!") 'Display the popup message“registry successfully unlocked!” Save For to. vbs is the extension of the file, use double-click.

Second, the close Win NT/2 0 0 0 default share

Use Notepad to edit the following:

Dim WSHShell'define variables set WSHShell=CreateObject("WScript. shell") 'create a Can with theoperating systemto communicate the object WSHShell Dim fso,dc Set fso=CreateObject("Scripting. FileSystemObject")'create File System Object set dc=fso. Drives 'get all the drive letters For Each d in dc Dim str WSHShell. run("net share"& d. driveletter &"$ /delete")'close all drive to the hidden share next WSHShell. run("net share admin$ /delete") WSHShell. run("net share ipc$ /delete")'close the admin$and ipc$pipes shared

Now to test it out, 先打开cmd.exe, enter the net share command to see your machine on the shared. Double click to execute stopshare. vbs, you will see the window flashed. Then in cmd enter net share command, this time did not find the shared list.

Third, display the local IP address

There are many times when we need to know the IP address of the machine, using a variety of software although you can do it, but using the VBS script is also very convenient. Use Notepad to edit the following:

Dim WS Set WS=CreateObject("MSWinsock. Winsock") IPAddress=WS. LocalIP MsgBox "Local IP=" & IPAddress

The above content is saved as ShowIP. vbs, double click to execute you can get the machine IP address.

Fourth, the use of script programming to delete the log

The invasion of the system after a successful hack the first thing to do is clear the log, if in a graphical interface remote control the other machine or from the terminal landing into the, deleting the logs is not a difficult thing to do, since the log although it is as a service to run, but unlike http,ftp is such a service, you can at the command line to stop, then delete, at the command line with net stop eventlog is not stopped, so it was assumed that in the command line to delete the log is very difficult, actually not so, say the use of scripts programmed in VMI can delete the log, but also very simple and convenient. The source code is as follows:

strComputer= "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate,(Backup)}!\\" & _ strComputer & "\root\cimv2") dim mylogs(3) mylogs(1)="application" mylogs(2)="system" mylogs(3)="security" for Each logs in mylogs Set colLogFiles=objWMIService. ExecQuery _ ("Select * from Win32_NTEventLogFile where LogFileName='"&logs&"'") For Each objLogfile in colLogFiles objLogFile. ClearEventLog() Next next

The above code is saved as cleanevent. the vbs file can be. In the above code, first get the object, then use its clearEventLog()method to delete the log. Build an array, application,security,system, if there are other logs can also be added to the array. Then with a for Loop, delete an array in each element, i.e. each log.

Five, the use of script forgery log

Delete the log, any one have the mind of an administrator faced with the empty log, immediately it will react to being invaded, so a clever hacker learn how to fake the log. The use of Scripting in eventlog method of creating the log is very simple, consider the following code:

set ws=wscript. createobject("Wscript. shell") ws. logevent 0 ,"write log success" 'create a successful implementation of the log

Will the above code to save to createlog. vbs can be. This code is easy to understand, first obtain the wscript of a shell object, and then use the shell object's logevent method. logevent usage: logevent eventtype,"description" [,remote system], where eventtype is the type of log, you can use parameters are as follows: 0 for successful execution, 1 Do error, 2 warning 4 information 8 success audit, 1 6 failure audit. So in the above code, put 0 instead of 1,2,4,8,1 6 May, the quotation marks in the content of the log description. Use this method to write the log there is a disadvantage that can only be written to the Application log, and the log sources only for the WSH, Windows Scripting Host, so can not play too much of a hidden effect, this is only for your reference.

Sixth, disable Start menu option

Use Notepad to edit the following:

Dim ChangeStartMenu Set ChangeStartMenu=WScript. CreateObject("WScript. Shell") RegPath="HKCR\Software\Microsoft\Windows\CurrentVersion\Policies\" Type_Name="REG_DWORD" Key_Data=1

StartMenu_Run="NoRun" StartMenu_Find="NoFind" StartMenu_Close="NoClose"

Sub Change(Argument) ChangeStartMenu. RegWrite RegPath&Argument,Key_Data,Type_Name MsgBox("Success!") End Sub

Call Change(StartMenu_Run) 'disable the“Start”menu in the“run”function Call Change(StartMenu_Find) 'disable the“Start”menu in the“Find”function Call Change(StartMenu_Close) 'disable the“Start”menu in the“closed system”function

The above code is saved as ChangeStartMenu. vbs file use double-click.

Seven, the implementation of an external program

Use Notepad to edit the following:

DIM objShell set objShell=wscript. createObject("wscript. shell") iReturn=objShell. Run("cmd.exe /C set var=world", 1, TRUE)

Save As. the vbs file can be. In this code, we first set an environment variable, which is named var, and the value of the world, 用户可以使用%Comspec%来代替cmd.exe and you can put the command: set var=world, changed to other command, so you can make it can run arbitrary commands.

Eight, restarts the specified IIS service

Use Notepad to edit the following:

Const ADS_SERVICE_STOPPED = 1 Set objComputer = GetObject("WinNT://MYCOMPUTER,computer") Set objService = objComputer. GetObject("Service","MYSERVICE") If (objService. Status = ADS_SERVICE_STOPPED) Then objService. Start End If

It is to startsvc. vbs is the name stored in the C disk root directory. And by the following command to execute: cscript c:\startsvc.vbs the. Run, after you specify the IIS service item will be re-opened.

Finally, we say that the opening paragraph mentioned the VBS script virus prevention method. VBS virus to perform without the WSH, to bring people convenience at the same time, the WSH also for the spread of the virus left. So in order to prevent VBS viruses, you can select the WSH uninstall, just open the Control Panel, find the“Add/Remove Programs”, click on“Windows Installer”, and then double-click one of the“accessories”item, then in the opened window in the“Windows Scripting Host”A“√”removed, and then the consecutive points two times“OK”it can be a WSH uninstall. Alternatively, you can also click on“my computer”→“view”→“Folder Options”in the pop-up dialog box, click on the“file types”, then delete the VBS, VBE, JS, JSE file extension with the application of the mapping, can achieve the prevention of the VBS script virus purposes.