AntiIframe.vbs

#该脚本是批量挂马程序的逆向，用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改Pattern参数指定要处理的文件名，文件名之间用|隔开（也支持vbs正则表达式）。由于要修改文件，请谨慎的使用（最好先备份文件）

#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]

#例子:CScriptAntiIframe.vbsd:Webd:lake2.txt

复制代码 代码如下:

'-----------------------

'Anti-Iframeinvbs

'Author:lake2(http://lake2.0x54.org)

'Date:2007-2-27

'Version:1.1

'-----------------------

'--------ConfigStart--------------

'配置要处理的文件名，可使用vbs正则表达式；也可以使用“(index.asp|index.htm|index.html)”枚举格式

Pattern="^.+.(htm|html|asp|aspx|php)$"

'--------ConfigEnd--------------

CallShowInfo()

IfWScript.Arguments.Count=2Then

IfRight(WScript.Arguments.Item(0),1)=""Then

iflen(WScript.Arguments.Item(0))>3then

thePath=Mid(WScript.Arguments.Item(0),1,Len(WScript.Arguments.Item(0))-1)

else

thePath=WScript.Arguments.Item(0)

endif

Else

thePath=WScript.Arguments.Item(0)

EndIf

CallCheckArg(thePath)

WScript.Echo"开始清理，请稍候……"

CallShowAllFile(thePath)

WScript.Echovbcrlf&"清理完成！"&vbcrlf

Else

CallShowHelp()

EndIf

SubShowInfo()

HelpStr=HelpStr&"=====＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝====="&vbcrlf

HelpStr=HelpStr&"=====欢迎使用雷客图ASP站长安全助手vbs版====="&vbcrlf

HelpStr=HelpStr&"=====之Anti-批量挂马====="&vbcrlf

HelpStr=HelpStr&"=====Author:lake2====="&vbcrlf

HelpStr=HelpStr&"=====Email:lake2@mail.csdn.net====="&vbcrlf

HelpStr=HelpStr&"=====欢迎访问www.0x54.org得到更多信息====="&vbcrlf

HelpStr=HelpStr&"=====＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝====="&vbcrlf

HelpStr=HelpStr&vbcrlf

WScript.EchoHelpStr

EndSub

SubShowHelp()

HelpStr=HelpStr&"#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]"&vbcrlf

HelpStr=HelpStr&"#例子:CScriptAntiIframe.vbsd:Webd:lake2.txt"&vbcrlf

HelpStr=HelpStr&vbcrlf

WScript.EchoHelpStr

EndSub

SubCheckArg(arg)

tmpPath=arg

SetobjFSO=WScript.CreateObject("Scripting.FileSystemObject")

IfNotobjFSO.FileExists(WScript.Arguments.Item(1))Then

WScript.Echo"Error：未找到配置文件“"&WScript.Arguments.Item(1)&"”！"

WScript.Quit

ElseIfNotobjFSO.FolderExists(tmpPath)Then

WScript.Echo"Error：错误的路径“"&tmpPath&"”！"

WScript.Quit

EndIf

SetobjFSO=Nothing

EndSub

'遍历处理path及其子目录所有文件

SubShowAllFile(Path)

SetFSO=CreateObject("Scripting.FileSystemObject")

Setg=FSO.GetFile(WScript.Arguments.Item(1))

Ifg.Size>0Then

Setts2=g.OpenAsTextStream(1,-2)

filecon=ts2.ReadAll

ts2.Close

Setts2=Nothing

Else

WScript.Echo"Error：配置文件"&WScript.Arguments.Item(1)&"大小为0！"

WScript.Quit

EndIf

Setg=Nothing

Setf=FSO.GetFolder(Path)

Setfc2=f.files

OnErrorResumeNext

ForEachmyfileinfc2

IfErrThenWScript.Echo"权限不足，不能检查目录"&thePath:exitsub

SetregEx=NewRegExp

regEx.IgnoreCase=True

regEx.Global=True

regEx.Pattern=Pattern

IfregEx.Test(myfile.name)Then

CheckFilepath&""&myfile.name,filecon

EndIf

SetregEx=Nothing

Next

Setfc=f.SubFolders

ForEachf1infc

ShowAllFilepath&""&f1.name

Next

SetFSO=Nothing

EndSub

SubCheckFile(filepath,filecon2)

xSet=GetCharSet(filepath)

SettStream=CreateObject("ADODB.Stream")

tStream.type=1

tStream.mode=3

tStream.open

tStream.Position=0

tStream.LoadFromFileFilePath

IferrThenExitSubendif

tStream.type=2

tStream.charset=xSet

DoUntiltStream.EOS

filecon=filecon&LCase(tStream.ReadText(102400))

Loop

tStream.close()

SettStream=Nothing

IfInStr(filecon,filecon2)>0Then

filecon=Replace(filecon,filecon2,"")

SettStream=CreateObject("ADODB.Stream")

tStream.type=2

tStream.mode=3

tStream.charset=xSet

tStream.open

tStream.Position=0

tStream.WriteTextfilecon

tStream.SaveToFilefilepath,2

tStream.close()

SettStream=Nothing

WScript.Echo"已经修复文件:"&filepath&"..."

EndIf

EndSub

FunctionGetCharSet(xPath)

SettStream=CreateObject("ADODB.Stream")

tStream.type=1

tStream.mode=3

tStream.open

tStream.Position=0

tStream.LoadFromFilexPath

byte1=ascB(tStream.Read(1))

byte2=ascB(tStream.Read(1))

byte3=ascB(tStream.Read(1))

tStream.close()

SettStream=Nothing

Ifbyte1=239andbyte2=187andbyte3=191Then

GetCharSet="UTF-8"

Else

GetCharSet="GB2312"

EndIf

EndFunction