Shulou(Shulou.com)06/03 Report--

Editor to share with you what are the more practical small codes in various applications of VBS, I believe most people do not know much about it, so share this article for your reference. I hope you will gain a lot after reading this article. Let's learn about it together.

VBS application--

The massive prevalence of VBS scripting viruses has given us a new understanding of the functions of VBS, and now people are beginning to pay attention to it. The VBS code is executed locally through Windows Script Host (WSH) interpretation. The execution of VBS scripts is inseparable from WSH,WSH, which is a language-independent script interpretation mechanism based on 32-bit Windows platform provided by Microsoft, which enables scripts to run directly from the Windows desktop or command prompt. With WSH, users can manipulate WSH objects, ActiveX objects, the registry, and file systems. Under Windows 2000, you can also use WSH to access the Windows NT active Directory service.

Scripts written in VBS are interpreted and executed by wscript.exe files in the window interface and cscript.exe files in the character interface. Wscript.exe is a scripting language interpreter that allows scripts to be executed just like batch processing. You must be much more familiar with VBS than I am, so no more nonsense, just get to the topic and take a look at my summary of the eight wonderful uses of VBS in system security.

Unlock the registry editor

Use notepad to edit the following:

DIM WSH

SET WSH=WSCRIPT.CreateObject ("WSCRIPT.SHELL") 'inactivate WScript.Shell object

WSH.POPUP ("unlock Registry Editor!")

'Show the pop-up message "unlock Registry Editor!"

WSH.Regwrite "HKCU\ Software\ Microsoft\ Windows\ CurrentVersion

\ Policies\ System\ DisableRegistryTools ", 0," REG_DWORD "

'Unlock the registry editor

WSH.POPUP ("registry unlocked successfully!")

'displays the pop-up message "Registry unlocked successfully!"

Save to a file with a .vbs extension and double-click when you use it.

2. Disable the default sharing of Win NT/2000

Use notepad to edit the following:

Dim WSHShell' defines variables

Set WSHShell=CreateObject ("WScript.shell") 'create an object WSHShell that can communicate with the operating system

Dim fso,dc

Set fso=CreateObject ("Scripting.FileSystemObject") 'create a file system object

Set dc=fso.Drives' get all drive letters

For Each d in dc

Dim str

WSHShell.run ("net share" & d.driveletter & "$/ delete") 'turns off hidden sharing for all drives

Next

WSHShell.run ("net share admin$ / delete")

WSHShell.run ("net share ipc$ / delete") 'turns off admin$ and ipc$ pipe sharing

Now to test it, open cmd.exe first, enter the net share command and you can see the share on your machine. When you double-click to execute stopshare.vbs, you will see the window flash by. Then type the net share command in cmd, and no share list is found.

3. Display the local IP address

There are many times, we need to know the local IP address, although it can be done with a variety of software, but it is also very convenient to use VBS scripts. Use notepad to edit the following:

Dim WS

Set WS=CreateObject ("MSWinsock.Winsock")

IPAddress=WS.LocalIP

MsgBox "Local IP=" & IPAddress

Save the above as ShowIP.vbs, and double-click to execute to get the native IP address.

Use script programming to delete logs

The first thing a hacker does after a successful intrusion into the system is to clear the log. If you remotely control the other machine or log in from the terminal with a graphical interface, it is not difficult to delete the log. Although the log is also run as a service, it is different from a service like http,ftp, which can be stopped and then deleted under the command line. Using net stop eventlog under the command line cannot be stopped. So some people think that it is very difficult to delete logs under the command line, but in fact this is not the case. For example, you can delete logs by using VMI in scripting programming, and it is very simple and convenient. The source code is as follows:

StrComputer= "."

Set objWMIService = GetObject ("winmgmts:" _

& "{impersonationLevel=impersonate, (Backup)}!\" & _

StrComputer & "\ root\ cimv2")

Dim mylogs (3)

Mylogs (1) = "application"

Mylogs (2) = "system"

Mylogs (3) = "security"

For Each logs in mylogs

Set colLogFiles=objWMIService.ExecQuery _

("Select * from Win32_NTEventLogFile where LogFileName='" & logs& "'")

For Each objLogfile in colLogFiles

ObjLogFile.ClearEventLog ()

Next

Next

Just save the above code as a cleanevent.vbs file. In the above code, you first get the object object, and then use its clearEventLog () method to delete the log. Create an array, application,security,system, and join the array if there are other logs. Then use a for loop to delete each element in the array, that is, each log.

Fifth, use scripts to forge logs

After deleting the log, any intelligent administrator will immediately react to being hacked in the face of an empty log, so a smart hacker learns how to forge a log. Creating a log using the eventlog method in scripting is very simple, take a look at the following code:

Set ws=wscript.createobject ("Wscript.shell")

Ws.logevent 0, "write log success" 'create a successful execution log

Just save the above code as createlog.vbs. This code is easy to understand, first getting a shell object of wscript, and then using the logevent method of the shell object. Usage of logevent: logevent eventtype, "description" [, remote system], where eventtype is a log type. The parameters that can be used are as follows: 0 indicates successful execution, 1 execution error, 2 warnings, 4 messages, 8 successful audit, 16 fault audit. So in the above code, change 0 to 1, 2, 4, 8, 16, and the contents in quotation marks are log descriptions. The log written by this method has a disadvantage, that is, it can only be written to the application log, and the log source can only be WSH, that is, Windows Scripting Host, so it can not play too much hidden role, here for your reference only.

Disable the start menu option

Use notepad to edit the following:

Dim ChangeStartMenu

Set ChangeStartMenu=WScript.CreateObject ("WScript.Shell")

RegPath= "HKCR\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\"

Type_Name= "REG_DWORD"

Key_Data=1

StartMenu_Run= "NoRun"

StartMenu_Find= "NoFind"

StartMenu_Close= "NoClose"

Sub Change (Argument)

ChangeStartMenu.RegWrite RegPath&Argument,Key_Data,Type_Name

MsgBox ("Success!")

End Sub

Call Change (StartMenu_Run) 'disable the run feature in the start menu

Call Change (StartMenu_Find) 'disable the find feature in the start menu

Call Change (StartMenu_Close) 'disable the shutdown function on the start menu

Save the above code as a ChangeStartMenu.vbs file and double-click when you use it.

VII. Execute external procedures

Use notepad to edit the following:

DIM objShell

Set objShell=wscript.createObject ("wscript.shell")

IReturn=objShell.Run ("cmd.exe / C set var=world", 1, TRUE)

Just save as a .vbs file. In this code, we first set an environment variable named var, and the value is world, the user can use% Comspec% instead of cmd.exe, and can change the command: set var=world to other commands, so that it can run arbitrary commands.

Restart the specified IIS service

Use notepad to edit the following:

Const ADS_SERVICE_STOPPED = 1

Set objComputer = GetObject ("WinNT://MYCOMPUTER,computer")

Set objService = objComputer.GetObject ("Service", "MYSERVICE")

If (objService.Status = ADS_SERVICE_STOPPED) Then

ObjService.Start

End If

Save it in the root directory of C disk under the name of startsvc.vbs. And execute it with the following command: cscript c:\ startsvc.vbs. After running, the IIS service item you specified will be reopened.

Finally, let's talk about the prevention of VBS scripting viruses mentioned at the beginning. The execution of VBS virus is inseparable from WSH. While bringing convenience to people, WSH also leaves an opportunity for the spread of the virus. So if you want to prevent VBS virus, you can choose to uninstall WSH, just open the control panel, find "add / remove programs", click "Windows installer", and then double-click the "attachments" item, and then remove the "√" of "Windows Scripting Host" in the open window, and then click "OK" twice in a row to uninstall WSH. Alternatively, you can click "my computer" → to view "→" folder options, in the pop-up dialog box, click "File Type", and then delete VBS, VBE, JS, JSE file suffix and application mapping, can achieve the purpose of preventing VBS script virus.

These are all the contents of this article entitled "what are the more practical small codes in various applications of VBS?" Thank you for your reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.