AntiIframe.vbs

#该脚本是批量挂马程序的逆向，用于批量清除被添加到文件中的恶意代码。记事本打开文件可以修改Pattern参数指定要处理的文件名，文件名之间用|隔开（也支持vbs正则表达式）。由于要修改文件，请谨慎的使用（最好先备份文件）
#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]
#例子:CScriptAntiIframe.vbsd:\Webd:\lake2.txt
复制代码 代码如下:
'-----------------------
'Anti-Iframeinvbs
'Author:lake2(http://lake2.0x54.org)
'Date:2007-2-27
'Version:1.1
'-----------------------

'--------ConfigStart--------------
'配置要处理的文件名，可使用vbs正则表达式；也可以使用“(index.asp|index.htm|index.html)”枚举格式
Pattern="^.+\.(htm|html|asp|aspx|php)$"
'--------ConfigEnd--------------


CallShowInfo()
IfWScript.Arguments.Count=2Then
IfRight(WScript.Arguments.Item(0),1)="\"Then
iflen(WScript.Arguments.Item(0))>3then
thePath=Mid(WScript.Arguments.Item(0),1,Len(WScript.Arguments.Item(0))-1)
else
thePath=WScript.Arguments.Item(0)
endif
Else
thePath=WScript.Arguments.Item(0)
EndIf
CallCheckArg(thePath)
WScript.Echo"开始清理，请稍候……"
CallShowAllFile(thePath)
WScript.Echovbcrlf&"清理完成！"&vbcrlf
Else
CallShowHelp()
EndIf

SubShowInfo()
HelpStr=HelpStr&"=====＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝====="&vbcrlf
HelpStr=HelpStr&"=====欢迎使用雷客图ASP站长安全助手vbs版====="&vbcrlf
HelpStr=HelpStr&"=====之Anti-批量挂马====="&vbcrlf
HelpStr=HelpStr&"=====Author:lake2====="&vbcrlf
HelpStr=HelpStr&"=====Email:lake2@mail.csdn.net====="&vbcrlf
HelpStr=HelpStr&"=====欢迎访问www.0x54.org得到更多信息====="&vbcrlf
HelpStr=HelpStr&"=====＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝====="&vbcrlf
HelpStr=HelpStr&vbcrlf
WScript.EchoHelpStr
EndSub

SubShowHelp()
HelpStr=HelpStr&"#用法:CScriptAntiIframe.vbs[处理的路径][包含清除内容的文件]"&vbcrlf
HelpStr=HelpStr&"#例子:CScriptAntiIframe.vbsd:\Webd:\lake2.txt"&vbcrlf
HelpStr=HelpStr&vbcrlf
WScript.EchoHelpStr
EndSub

SubCheckArg(arg)
tmpPath=arg
SetobjFSO=WScript.CreateObject("Scripting.FileSystemObject")
IfNotobjFSO.FileExists(WScript.Arguments.Item(1))Then
WScript.Echo"Error：未找到配置文件“"&WScript.Arguments.Item(1)&"”！"
WScript.Quit
ElseIfNotobjFSO.FolderExists(tmpPath)Then
WScript.Echo"Error：错误的路径“"&tmpPath&"”！"
WScript.Quit
EndIf
SetobjFSO=Nothing
EndSub

'遍历处理path及其子目录所有文件
SubShowAllFile(Path)
SetFSO=CreateObject("Scripting.FileSystemObject")
Setg=FSO.GetFile(WScript.Arguments.Item(1))
Ifg.Size>0Then
Setts2=g.OpenAsTextStream(1,-2)
filecon=ts2.ReadAll
ts2.Close
Setts2=Nothing
Else
WScript.Echo"Error：配置文件"&WScript.Arguments.Item(1)&"大小为0！"
WScript.Quit
EndIf
Setg=Nothing
Setf=FSO.GetFolder(Path)
Setfc2=f.files
OnErrorResumeNext
ForEachmyfileinfc2
IfErrThenWScript.Echo"权限不足，不能检查目录"&thePath:exitsub
SetregEx=NewRegExp
regEx.IgnoreCase=True
regEx.Global=True
regEx.Pattern=Pattern
IfregEx.Test(myfile.name)Then
CheckFilepath&"\"&myfile.name,filecon
EndIf
SetregEx=Nothing
Next
Setfc=f.SubFolders
ForEachf1infc
ShowAllFilepath&"\"&f1.name
Next
SetFSO=Nothing
EndSub

SubCheckFile(filepath,filecon2)
xSet=GetCharSet(filepath)
SettStream=CreateObject("ADODB.Stream")
tStream.type=1
tStream.mode=3
tStream.open
tStream.Position=0
tStream.LoadFromFileFilePath
IferrThenExitSubendif
tStream.type=2
tStream.charset=xSet
DoUntiltStream.EOS
filecon=filecon&LCase(tStream.ReadText(102400))
Loop
tStream.close()
SettStream=Nothing
IfInStr(filecon,filecon2)>0Then
filecon=Replace(filecon,filecon2,"")
SettStream=CreateObject("ADODB.Stream")
tStream.type=2
tStream.mode=3
tStream.charset=xSet
tStream.open
tStream.Position=0
tStream.WriteTextfilecon
tStream.SaveToFilefilepath,2
tStream.close()
SettStream=Nothing
WScript.Echo"已经修复文件:"&filepath&"..."
EndIf
EndSub

FunctionGetCharSet(xPath)
SettStream=CreateObject("ADODB.Stream")
tStream.type=1
tStream.mode=3
tStream.open
tStream.Position=0
tStream.LoadFromFilexPath
byte1=ascB(tStream.Read(1))
byte2=ascB(tStream.Read(1))
byte3=ascB(tStream.Read(1))
tStream.close()
SettStream=Nothing
Ifbyte1=239andbyte2=187andbyte3=191Then
GetCharSet="UTF-8"
Else
GetCharSet="GB2312"
EndIf
EndFunction