A comparison of the various applications of VBS with a practical small code _vbs

VBS APPLICATION--

The popularity of the VBS script virus has given us a new understanding of the function of VBS, and now we are starting to pay attention to it. The VBS code is performed locally by using Windows Script Host (WSH) interpretation. The implementation of a VBS script cannot be separated from Wsh,wsh is a language-agnostic scripting mechanism that Microsoft provides based on the 32-bit Windows platform, which enables scripts to run directly from the Windows desktop or at the command prompt. With WSH, users can manipulate WSH objects, ActiveX objects, registries, and file systems. Under Windows 2000, you can also use WSH to access the Windows NT Active Directory service.

Scripts written with VBS are executed by the Wscript.exe file in the window interface, and are interpreted by the Cscript.exe file in the character interface. Wscript.exe is a scripting language interpreter, which allows a script to be executed as if it were executing a batch. About VBS You must be more familiar than I am, so no nonsense, directly into the subject, see my summary of the VBS in the system security eight magical.

First, unlock the Registry Editor

Edit the following in Notepad:

DIM WSH
SET Wsh=wscript. CreateObject ("WSCRIPT.") SHELL ")" Wscript.Shell object
WSH. POPUP (Unlock Registry Editor!)
' Show pop-up message unlock Registry Editor! '
WSH. RegWrite "Hkcu\software\microsoft\windows\currentversion
\policies\system\disableregistrytools ", 0," REG_DWORD "
' Unlock Registry Editor
WSH. POPUP ("Registry unlocked successfully!")
' Show pop-up info ' registry unlock success! '
Save as a file with a. vbs extension and double-click it when you use it.

Second, close the win nt/2000 default sharing

Edit the following in Notepad:

Dim WshShell ' defines a variable
Set Wshshell=createobject ("Wscript.Shell") ' creates an object that communicates with the operating system WshShell
Dim FSO,DC
Set fso=createobject ("Scripting.FileSystemObject") ' Creates file system objects
Set DC=FSO. Drives ' Get all drive letter
For each D in DC
Dim Str
Wshshell.run ("net share" &d.driveletter & "$/delete") ' Turn off hidden shares for all drives
Next
Wshshell.run ("net share admin$/delete")
Wshshell.run ("net share ipc$/delete") ' closes admin$ and ipc$ pipeline share

Now to test, first open cmd.exe, input net share command can see their own machine on the share. After you double-click the execution stopshare.vbs, you will see the window flash past. And then enter the net share command in CMD, the shared list is not found at this time

Third, display the native IP address

There are many times when we need to know the IP address of this computer, although it is possible to use a variety of software, but the VBS script is also very convenient. Edit the following in Notepad:

Dim WS
Set ws=createobject ("Mswinsock.winsock")
Ipaddress=ws. Localip
MsgBox "Local ip=" & IPAddress

Save the above content as Showip.vbs, double-click to execute to get the native IP address.

Iv. using scripting to delete logs

The first thing hackers do after a successful intrusion system is to clear the log, if the graphics interface to remotely control the other machine or access from the terminal, delete log is not a difficult thing, because although the log is also as a service operation, but unlike the HTTP,FTP services, you can stop at the command line, and then delete, net stop eventlog cannot be stopped at the command line, so it is considered difficult to delete the log at the command line, but it is not, for example, using the VMI in scripting to delete logs, and is very simple and convenient. The source code is as follows:

Strcomputer= "."
Set objWMIService = GetObject ("winmgmts:" _
& "{impersonationlevel=impersonate, (Backup)}!\\" & _
StrComputer & "\root\cimv2")
Dim mylogs (3)
Mylogs (1) = "Application"
Mylogs (2) = "System"
Mylogs (3) = "Security"
For each logs in Mylogs
Set Collogfiles=objwmiservice.execquery _
("SELECT * from Win32_NTEventLogFile where logfilename= '" &logs& "")
For each objlogfile in Collogfiles
Objlogfile.cleareventlog ()
Next
Next

Save the above code as a cleanevent.vbs file. In the above code, you first get the object and then use its ClearEventlog () method to delete the log. Create an array, Application,security,system, and if there are other logs, you can also add an array. Then, with a for loop, delete each element in the array, which is the individual log.

V. Use scripts to forge logs

After deleting the log, any intelligent administrator who faces an empty log will immediately react to the intrusion, so a clever hacker learns how to forge a log. Using the EventLog method in scripting to create a log is very simple, see the following code:

Set Ws=wscript.createobject ("Wscript.Shell")
Ws.logevent 0, "Write Log Success" ' Create a successful execution log

Save the above code as Createlog.vbs. This code is easy to understand, first get a Shell object of WScript, and then take advantage of the LogEvent method of the Shell object. LogEvent usage: logevent eventtype, "description" [, remote system], where EventType is the log type, the following parameters can be used: 0 for successful execution, 1 for execution error, 2 warning, 4 message, 8 successful audits, 16 failure audits. So in the code above, change 0 to 1,2,4,8,16, and the contents of the quotes are log descriptions. The use of this method to write the log has a disadvantage, that can only write to the application log, and the log source can only be WSH, that is, Windows Scripting Host, so can not play a lot of hidden role, this is for everyone's reference.

Six, disable Start menu option

Edit the following in Notepad:

Dim Changestartmenu
Set changestartmenu=wscript.createobject ("Wscript.Shell")
Regpath= "Hkcr\software\microsoft\windows\currentversion\policies\"
Type_name= "REG_DWORD"
Key_data=1

Startmenu_run= "NoRun"
Startmenu_find= "Nofind"
Startmenu_close= "Noclose"

Sub Change (Argument)
Changestartmenu.regwrite Regpath&argument,key_data,type_name
MsgBox ("success!")
End Sub

Call Change (Startmenu_run) ' Disables the ' run ' feature in the Start menu
Call Change (Startmenu_find) ' Disables the ' Find ' feature in the Start menu
' Turn off system ' feature in the Start menu is disabled by call Change (Startmenu_close)

Save the above code as a Changestartmenu.vbs file, and double-click it when you use it.

VII. implementation of external procedures

Edit the following in Notepad:

DIM Objshell
Set Objshell=wscript.createobject ("Wscript.Shell")
Ireturn=objshell.run ("cmd.exe/c set Var=world", 1, TRUE)

Save as a. vbs file. In this code, we first set up an environment variable named Var, and the value is world, the user can use%comspec% instead of Cmd.exe, and the command: Set Var=world can be changed to another command, so that it can run arbitrary commands.

Viii. Restart the specified IIS service

Edit the following in Notepad:

Const ads_service_stopped = 1
Set objcomputer = GetObject ("Winnt://mycomputer,computer")
Set objservice = Objcomputer.getobject ("Service", "MyService")
If (objservice.status = ads_service_stopped) Then
Objservice.start
End If

Keep it in the C-packing directory in the name of Startsvc.vbs. The following command is executed: cscript c:\startsvc.vbs. After running, the IIS service entry that you specified will be reopened.

Finally, let's say the method of defending the VBS script virus mentioned at the beginning. The implementation of VBS virus can not be separated from WSH, in bringing convenience to people at the same time, WSH also for the spread of the virus left an opportunity. So to prevent the VBS virus, you can choose to uninstall WSH, just open the Control Panel, find Add/Remove Programs, click Windows Installer, double-click the "Attachment" item, and then in the open window, "Windows Scripting Host" One of the "√" removed, and then continuous point two times "OK" can be WSH uninstall. Or, you can also click on "My Computer" → "View" → "Folder Options", in the pop-up dialog box, click "File Type", and then delete the VBS, VBE, JS, jse file suffix name and application mapping, can be achieved to prevent the VBS script virus.