如何在后台找到运行 VBScript 的文件位置? [关闭]
Posted
技术标签:
【中文标题】如何在后台找到运行 VBScript 的文件位置? [关闭]【英文标题】:How to find file location of running VBScript in background? [closed] 【发布时间】:2020-05-05 18:10:57 【问题描述】:我一整天都在进行渗透测试;我从 github 获取了一个 python 脚本,现在我忘记了它的名字;它在任何地方隐藏到我的系统后,我运行它;每次我启动我的系统时,都会打开一个 cmd;然后 VB SCRIPT 消息弹出窗口并打扰了我很多,我很累。截图:
当我打开任务管理器,并单击打开文件位置时,它会将我带到C:\Windows\System32\wscript.exe不要从它所在的位置文件位置正在启动。
我接受可以解决我的问题的任何类型的答案,任何类型意味着任何类型(例如程序化、手动等)。
【问题讨论】:
在任务管理器中显示摘要选项卡没有意义 - 显示详细信息选项卡。 @Mark i.stack.imgur.com/mMGjz.png @MuhammadAli 可能是主脚本位于您的运行注册表中,我们不知道是 vbscript 还是批处理文件启动了这些子脚本?你能确认我的建议吗? @Hackoo 是的,可以,正如我提到的,在启动时 cmd 打开,我认为它会启动所有这些 vbscripts。而且我不知道该如何调查。 这不需要脚本来调查,它是基本的操作系统知识和了解应用程序可以自动执行的位置(任务计划程序、注册表、启动文件夹等)。 【参考方案1】:你应该提取他们的命令行来找到他们的位置!
只需将此代码复制并粘贴为 Get_CommandLine_Process.bat 并通过双击执行它,它将提取它们的路径以便使用您的 Windows 资源管理器进行探索。
@echo off
Title Extract CommandLine Of Running Processes by Hackoo 2020
Mode 100,30 & color 0A
Set "ProcessName=wscript.exe"
Set "TmpFile=%~n0_Abs_cmdline.txt"
Set "LogFile=%~n0_cmdline.txt
If Exist "%TmpFile%" Del "%TmpFile%"
If Exist "%LogFile%" Del "%LogFile%"
Set "ProcessCmd="
Set /a "Count=0"
SetLocal EnableDelayedExpansion
@For /f "tokens=2 delims==" %%P in ('wmic process where caption^="%ProcessName%" get commandline /format:list ^| find /I "%ProcessName%" 2^>nul') do (
Set /a Count+=1
Set "ProcessCmd[!Count!]=%%P"
)
@for /L %%i in (1,1,%Count%) do (
echo !ProcessCmd[%%i]!>con
echo !ProcessCmd[%%i]! >> "%TmpFile%"
)
Timeout /T 1 /NoBreak>nul
If exist "%TmpFile%" Call :Extract "%TmpFile%" "%LogFile%"
@For /f "delims=" %%a in ('Type "%LogFile%"') do (
Explorer /n, /select, %%a
)
REM If exist "%LogFile%" Start "" "%LogFile%" & Exit
pause & Exit
::********************************************************************************************************
:Extract <InputData> <OutPutData>
(
echo Data = WScript.StdIn.ReadAll
echo Data = Extract(Data,"(^?^!.*(\x22\w^)^)\b.*(\w^).*(\.ps1^|\.hta^|\.vbs^|\.vbe^|\.cmd^|\.bat^|\.lnk^)"^)
echo WScript.StdOut.WriteLine Data
echo '************************************************
echo Function Extract(Data,Pattern^)
echo Dim oRE,oMatches,Match,Line
echo set oRE = New RegExp
echo oRE.IgnoreCase = True
echo oRE.Global = True
echo oRE.Pattern = Pattern
echo set oMatches = oRE.Execute(Data^)
echo If not isEmpty(oMatches^) then
echo For Each Match in oMatches
echo Line = Line ^& chr(34^) ^& Trim(Match.Value^) ^& chr(34^) ^& vbcrlf
echo Next
echo Extract = Line
echo End if
echo End Function
echo '************************************************
)>"%tmp%\%~n0.vbs"
cscript /nologo "%tmp%\%~n0.vbs" < "%~1" > "%~2"
If Exist "%tmp%\%~n0.vbs" Del "%tmp%\%~n0.vbs"
exit /b
::****************************************************
编辑:这是另一个纯 vbscript 代码:WScript_Explorer_Location.vbs
Option Explicit
Dim Title,Process,ColProcess
Title = "Find file location of running VBScript in background"
ColProcess = Find_Location("wscript.exe")
For Each Process in ColProcess
MsgBox Process,vbInformation,Title
Explorer(Process)
Next
'-------------------------------------------------
Sub Explorer(File)
Dim ws
Set ws = CreateObject("Wscript.Shell")
ws.run "Explorer /n,/select,"& File &""
End Sub
'-------------------------------------------------
Function Find_Location(MyProcess)
Dim colItems,objItem,CmdLine,ArrProcess
ArrProcess = Array()
Set colItems = GetObject("winmgmts:").ExecQuery("Select * from Win32_Process " _
& "Where Name like '%"& MyProcess &"%' AND NOT commandline like '%" & wsh.scriptname & "%'",,48)
For Each objItem in colItems
If objItem.CommandLine <> "" Then
CmdLine = Extract(objItem.CommandLine,"(?!.*(\x22\w))\b.*(\w).*(\.ps1|\.hta|\.vbs|\.vbe|\.cmd|\.bat|\.lnk)")
ReDim Preserve ArrProcess(UBound(ArrProcess)+1)
ArrProcess(UBound(ArrProcess))= CmdLine
End If
Next
Find_Location = ArrProcess
End Function
'-------------------------------------------------
Function Extract(Data,Pattern)
Dim oRE,oMatches,Match,Line
set oRE = New RegExp
oRE.IgnoreCase = True
oRE.Global = True
oRE.Pattern = Pattern
set oMatches = oRE.Execute(Data)
If not isEmpty(oMatches) then
For Each Match in oMatches
Line = Line & chr(34) & Trim(Match.Value) & chr(34) & vbcrlf
Next
Extract = Line
End if
End Function
'-------------------------------------------------
如果您想使用相同的 vbscript 在后台查找其他进程,例如 cscript.exe、mshta.exe、cmd.exe,以便探索它们的位置,只需将它们放入这样的数组中:@987654326 @
然后这样称呼他们:
For Each ProcessItem In ArrayProcesses
ColProcesses = Find_Location(ProcessItem)
For Each Process in ColProcesses
MsgBox Process,vbInformation,Title
Explorer(Process)
Next
Next
主vbscript可以这样写:Find_Explore_Process.vbs
Option Explicit
Dim Title,ArrayProcesses,ProcessItem,ColProcesses,Process
Title = "Find file location of running Processes in background"
ArrayProcesses = Array("wscript.exe","cscript.exe","mshta.exe","cmd.exe")
For Each ProcessItem In ArrayProcesses
ColProcesses = Find_Location(ProcessItem)
For Each Process in ColProcesses
MsgBox Process,vbInformation,Title
Explorer(Process)
Next
Next
'-------------------------------------------------
Sub Explorer(File)
Dim ws
Set ws = CreateObject("Wscript.Shell")
ws.run "Explorer /n,/select,"& File &""
End Sub
'-------------------------------------------------
Function Find_Location(MyProcess)
Dim colItems,objItem,CmdLine,ArrProcess
ArrProcess = Array()
Set colItems = GetObject("winmgmts:").ExecQuery("Select * from Win32_Process " _
& "Where Name like '%"& MyProcess &"%' AND NOT commandline like '%" & wsh.scriptname & "%'",,48)
For Each objItem in colItems
If objItem.CommandLine <> "" Then
CmdLine = Extract(objItem.CommandLine,"(?!.*(\x22\w))\b.*(\w).*(\.ps1|\.hta|\.vbs|\.vbe|\.cmd|\.bat|\.lnk)")
ReDim Preserve ArrProcess(UBound(ArrProcess)+1)
ArrProcess(UBound(ArrProcess))= CmdLine
End If
Next
Find_Location = ArrProcess
End Function
'-------------------------------------------------
Function Extract(Data,Pattern)
Dim oRE,oMatches,Match,Line
set oRE = New RegExp
oRE.IgnoreCase = True
oRE.Global = True
oRE.Pattern = Pattern
set oMatches = oRE.Execute(Data)
If not isEmpty(oMatches) then
For Each Match in oMatches
Line = Line & chr(34) & Trim(Match.Value) & chr(34) & vbcrlf
Next
Extract = Line
End if
End Function
'-------------------------------------------------
参考您的编辑和评论,我附带了另一个名为:Scan_Registry_Run_Keys.bat 的批处理脚本,以便扫描您的注册表运行密钥并提取它们的路径
@echo off
REM Scan_Registry_Run_Keys.bat to get info about your running keys on the registry
REM And extract all their executables paths
Title Scanning Registry Run Keys by Hackoo 2020
Mode con cols=100 lines=5 & color 9E
setlocal ENABLEDELAYEDEXPANSION
Set "TmpFile=%Temp%\TmpFile.txt"
Set "OutPutFile=%~dp0Reg_Paths_EXE.txt"
Set "Files_List2Upload=%~dp0FilesList2Upload.txt"
Set "All_Users=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Set "Current_User=%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Set Keys=^
^ "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ^
^ "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
If Exist "%TmpFile%" Del "%TmpFile%"
If Exist "%OutPutFile%" Del "%OutPutFile%"
If Exist "%Files_List2Upload%" Del "%Files_List2Upload%"
For %%K in (%Keys%) Do (
cls
echo;
Echo ***************************** Scanning in progress *****************************
Echo %%K
Echo ********************************************************************************
Timeout /T 2 /Nobreak>nul
reg query "%%~K" /s >> "%TmpFile%"
)
(
Dir /b /s "%All_Users%"
Dir /b /s "%Current_User%"
)>> "%TmpFile%"
Call :Extract "%TmpFile%" "%OutPutFile%"
If Exist "%TmpFile%" Start "" "%TmpFile%"
For /f "delims=" %%a in ('Type "%OutPutFile%"') do (
echo "%%~a">>"%Files_List2Upload%"
)
If Exist "%OutPutFile%" Del "%OutPutFile%"
Start "" "%Files_List2Upload%"
Exit
::****************************************************
:Extract <InputData> <OutPutData>
(
echo Data = WScript.StdIn.ReadAll
echo Data = Extract(Data,"(^?^!.*(REG_SZ^|REG_EXPAND_SZ^)^)\b.*(\w^).*(\.exe""^|\.exe^|\.vbs^|\.vbe^|\.cmd^|\.bat^|\.lnk^)"^)
echo WScript.StdOut.WriteLine Data
echo '************************************************
echo Function Extract(Data,Pattern^)
echo Dim oRE,oMatches,Match,Line
echo set oRE = New RegExp
echo oRE.IgnoreCase = True
echo oRE.Global = True
echo oRE.Pattern = Pattern
echo set oMatches = oRE.Execute(Data^)
echo If not isEmpty(oMatches^) then
echo For Each Match in oMatches
echo Line = Line ^& Trim(Match.Value^) ^& vbcrlf
echo Next
echo Extract = Line
echo End if
echo End Function
echo '************************************************
)>"%tmp%\%~n0.vbs"
cscript /nologo "%tmp%\%~n0.vbs" < "%~1" > "%~2"
If Exist "%tmp%\%~n0.vbs" Del "%tmp%\%~n0.vbs"
exit /b
::****************************************************
:ExtractTarget <Link>
(
echo set Ws = CreateObject("WScript.Shell"^)
echo set Lnk = Ws.Createshortcut(WScript.Arguments(0^)^)
echo WScript.Echo Lnk.TargetPath
)>Tmp.vbs
cscript //nologo Tmp.vbs "%~1" & Del Tmp.vbs
Exit /b
::****************************************************
【讨论】:
假设 abc.vbs 在后台中运行。 abc.vbs 还运行其他脚本,如 xyz1.vbs、xyz2.vbs、xyz3.vbs,您的脚本将告诉 xyz1.vbs、xyz2 的位置。 vbs,xyz3.vbs,不是abc.vbs的文件位置。 @MuhammadAli 检查我的最后编辑并告诉我结果!如果这对您有用,您也可以添加批处理标签! 这太过分了,与任务管理器中的Startup 选项卡显示的内容没有什么不同。
@MuhammadAli 这不会解决问题,他们想知道在启动时试图自动执行脚本的原因。脚本本身不再存在,但自动运行它们的条目存在。
@Lankymart 任务管理器启动选项卡是空的,我尝试了很多东西但没有为我工作。后台病毒正在使用C:\Windows\System32\wscript.exe 启动 Vb 脚本。但是 wscript.exe 不会告诉你父应用程序是从哪里启动的。这就是问题所在。【参考方案2】:
使用这个:
Set Wsh = CreateObject("Wscript.Shell")
script_name = Wscript.ScriptFullName
Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.GetFile(script_name)
Folder = FSO.GetParentFolderName(File)
strPath = "explorer.exe /e," & Folder
Wsh.Run strPath
这将打开当前正在运行的脚本的父文件夹。
如果您希望将其用于另一个脚本,请将 Wscript.ScriptFullName 替换为另一个脚本的名称。
或者,
打开任务管理器并转到详细信息选项卡。如果 VBScript 正在运行,进程 wscript.exe 或 cscript.exe 将出现在列表中。
右键单击列标题并启用“命令行”。这应该告诉您正在执行哪个脚本文件。
【讨论】:
Nahi Sir aap samajhe nahi,我想调查那个 vbscript 并关闭它再次运行,我没有创建那个 VBS,所以我不知道它是从哪里执行的,所以我想知道它的文件位置。还有你关于任务栏命令行,我得到了这个cscript.exe C:/python37/shoot.vbs,而且那个路径不存在。
Aap dekh rahe hai us path me 反斜杠 ki jagha pe slash hai。 Isi liey woh path galat hai。您会看到路径中有斜杠,这是 Linux 语法。在 Windows 路径中有反斜杠(),所以正确的路径是 C:\python37\shoot.vbs。
Baat 到 aap ki theek hai,但这两条路径都不存在使用正斜杠或反斜杠。以上是关于如何在后台找到运行 VBScript 的文件位置? [关闭]的主要内容,如果未能解决你的问题,请参考以下文章