The eight advantages of VBS scripts in System Security

Source: Internet
Author: User

Source: xiaoxin Technology Network

The prevalence of VBS script virus has given us a new understanding of VBS features, and now everyone has begun to pay attention to it. VBS code is locally interpreted and executed through Windows Script Host (WSH. WSH is indispensable for VBS script execution. WSH is a language-independent script interpretation mechanism provided by Microsoft Based on the 32-bit Windows platform, it enables the script to run directly on a Windows desktop or command prompt. WSH allows you to manipulate WSH objects, ActiveX objects, registries, and file systems. In Windows 2000, WSH can also be used to access the Windows NT Active Directory Service.

The script compiled with vbs is interpreted by the wscript.exe file in the window and interpreted by the cscript.exe file in the window. Wscript.exe is a script language interpreter that enables the script to be executed, just like executing a batch. You must be familiar with VBS more than I do, so don't talk nonsense. Go to the topic and check out the eight advantages of VBS in system security.

1. Unlock the Registry Editor

Use NotePad to edit the following content:

DIM WSH
Set wsh = WSCRIPT. CreateObject ("WSCRIPT. SHELL ").
WSH. POPUP ("unlock Registry Editor! ")
"Unlock Registry Editor!" is displayed !"
WSH. Regwrite "HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools", 0, "REG_DWORD"
Unlock Registry Editor
WSH. POPUP ("Registry unlocked successfully! ")
The pop-up message "Registry unlocked successfully!" is displayed !"
Save the file as a. vbs extension. Double-click it when using it.

2. Disable default share of Win NT/2000

Use NotePad to edit the following content:

Dim WSHShell defines Variables
Set WSHShell = CreateObject ("WScript. shell") to create an object WSHShell that can communicate with the operating system
Dim fso, dc
Set fso = CreateObject ("Scripting. FileSystemObject") create a file system object
Set dc = fso. Drives get all drive letters
For Each d in dc
Dim str
WSHShell. run ("net share" & d. driveletter & "$/delete") Disable hidden sharing for all drives
Next
WSHShell. run ("net share admin $/delete ")
WSHShell. run ("net share ipc $/delete") Disable admin $ and ipc $ pipe sharing

Now, run cmd.exe and run the net share command to view the shares on your machine. Double-click stopshare. vbs and the window will pop up. Then enter the net share command in cmd. No sharing list is found at this time.

3. display the local IP Address


In many cases, we need to know the IP address of the Local Machine. Although we can use various software, it is very convenient to use VBS scripts. Use NotePad to edit the following content:

Dim WS
Set WS = CreateObject ("MSWinsock. Winsock ")
IPAddress = WS. LocalIP
MsgBox "Local IP =" & IPAddress

Save the preceding content as ShowIP. vbs and double-click it to obtain the local IP address.

4. Use Script Programming to delete logs

After successful system intrusion, The first thing hackers do is to clear logs. If you remotely control the other machine on the GUI or log in from the terminal, deleting logs is not a difficult task, although logs are also run as a service, but unlike services such as http and ftp, logs can be stopped and deleted in the command line, using net stop eventlog in the command line cannot be stopped, so some people think it is very difficult to delete the log in the command line. In fact, this is not the case, for example, the log can be deleted using the VMI in script programming, which is very simple and convenient. The source code is as follows:

StrComputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{ImpersonationLevel = impersonate, (Backup )}! \"&_
StrComputer & "ootcimv2 ")
Dim mylogs (3)
Mylogs (1) = "application"
Mylogs (2) = "system"
Mylogs (3) = "security"
For Each logs in mylogs
Set colLogFiles = obw.miservice. ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName =" & logs &"")
For Each objLogfile in colLogFiles
ObjLogFile. ClearEventLog ()
Next
Next

Save the above Code as the cleanevent. vbs file. In the above Code, first obtain the object, and then use its clearEventLog () method to delete the log. Create an array, application, security, and system. You can add an array if there are other logs. Then, a for loop is used to delete each element in the array, that is, each log.

5. Use scripts to forge logs


After deleting the log, any thoughtful administrator will immediately respond to the intrusion when facing the empty log, so a smart hacker will learn how to forge the log. Using the eventlog method in Script Programming to create logs is very simple. Please refer to the following code:

Set ws = wscript. createobject ("Wscript. shell ")
Ws. logevent 0, "write log success" Create a successful execution log

Save the above Code as createlog. vbs. This code is easy to understand. first obtain a shell object of wscript, and then use the logevent method of the shell object. Logevent usage: logevent eventtype, "description" [, remote system], where eventtype is the log type. The following parameters can be used: 0 indicates successful execution, 1 indicates an execution error, 2 indicates a warning, 4 Information, 8 successful audits, 16 fault audits. So in the code above, change 0 to 1, 2, 4, 8, 16. The content in the quotation marks is the log description. One disadvantage of using this method to write logs is that the logs can only be written to application logs, and the log source can only be WSH, that is, Windows Scripting Host. Therefore, it cannot be concealed, this is for your reference only.

6. Disable the Start menu option

Use NotePad to edit the following content:

Dim ChangeStartMenu
Set ChangeStartMenu = WScript. CreateObject ("WScript. Shell ")
RegPath = "HKCRSoftwareMicrosoftWindowsCurrentVersionPolicies"
Type_Name = "REG_DWORD"
Key_Data = 1

StartMenu_Run = "NoRun"
StartMenu_Find = "NoFind"
StartMenu_Close = "NoClose"

Sub Change (Argument)
ChangeStartMenu. RegWrite RegPath & Argument, Key_Data, Type_Name
MsgBox ("Success! ")
End Sub

Call Change (StartMenu_Run) to disable the "run" function in the "Start" menu.
Call Change (StartMenu_Find) to disable the "Search" function in the "Start" menu.
Call Change (StartMenu_Close) to disable the "Disable System" function in the "Start" menu

Save the above Code as the ChangeStartMenu. vbs file. Double-click it when using it. 7. Execute external programs


Use NotePad to edit the following content:

DIM objShell
Set objShell = wscript. createObject ("wscript. shell ")
IReturn = objShell. Run ("cmd.exe/C set var = world", 1, TRUE)

Save it as a. vbs file. In this Code, we first set an environment variable named "var" and" world". Users can replace "cmdcomspecizer" with "cmd.exe" and change the command "set var = world" to other commands to run arbitrary commands.

8. Restart the specified IIS service

Use NotePad to edit the following content:

Const ADS_SERVICE_STOPPED = 1
Set objComputer = GetObject ("WinNT: // MYCOMPUTER, computer ")
Set objService = objComputer. GetObject ("Service", "MYSERVICE ")
If (objService. Status = ADS_SERVICE_STOPPED) Then
ObjService. Start
End If

Store it in the C root directory in the name of startsvc. vbs. Run the following command: cscript c: startsvc. vbs. After running, the specified IIS service item will be re-enabled.

Finally, let's talk about how to prevent the VBS script virus. The execution of the VBS virus is inseparable from WSH, which brings convenience to people, while also leaving a chance for the spread of the virus. To prevent the VBS virus, you can uninstall WSH. Just open the control panel, find "Add/delete programs", and click "Windows Installer ", double-click the "attachment" item, and remove "√" of "Windows Scripting Host" in the window that appears, then, the WSH can be detached after "OK" twice in a row. Alternatively, you can click "my computer"> "View"> "Folder Options". In the displayed dialog box, click "file type ", then, you can delete VBS, VBE, JS, and JSE file extensions and application mappings to prevent VBS script viruses.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.