How to find file location of running VBScript in background? [closed]


【Title】: How to find file location of running VBScript in background? [closed]
【Posted】: 2020-05-05 18:10:57
【Question】:

I have been doing penetration testing all day; I got a python script from github and now I forget its name; after it hid itself somewhere on my system, I ran it; every time I start my system a cmd opens, then VB SCRIPT message popups disturb me a lot and I'm tired of it. Screenshot:

When I open Task Manager and click "Open file location", it takes me to C:\Windows\System32\wscript.exe, not to the file location from which it is being launched.

I accept any kind of answer that can solve my problem, and any kind means any kind (e.g. programmatic, manual, etc.).

【Question comments】:

Showing the Summary tab in Task Manager is pointless; show the Details tab.
@Mark i.stack.imgur.com/mMGjz.png
@MuhammadAli Maybe the main script is in your registry Run keys; we don't know whether it is a vbscript or a batch file that launches these child scripts. Can you confirm my suggestion?
@Hackoo Yes, as I mentioned, at startup a cmd opens, and I think it launches all these vbscripts. And I don't know how to investigate it.
This doesn't need a script to investigate; it's basic OS knowledge and knowing where applications can auto-execute (Task Scheduler, registry, Startup folder, etc.)

【Answer 1】:

You should extract their command lines to find their locations!

Just copy and paste this code as Get_CommandLine_Process.bat and execute it by double-clicking; it will extract their paths so you can explore them with Windows Explorer.

@echo off
Title Extract CommandLine Of Running Processes by Hackoo 2020
Mode 100,30 & color 0A
Set "ProcessName=wscript.exe"
Set "TmpFile=%~n0_Abs_cmdline.txt"
Set "LogFile=%~n0_cmdline.txt"
If Exist "%TmpFile%" Del "%TmpFile%"
If Exist "%LogFile%" Del "%LogFile%"
Set "ProcessCmd="
Set /a "Count=0"
SetLocal EnableDelayedExpansion
REM Collect the CommandLine of every running %ProcessName% through WMIC
@For /f "tokens=2 delims==" %%P in ('wmic process where caption^="%ProcessName%" get commandline /format:list ^| find /I "%ProcessName%" 2^>nul') do (
        Set /a Count+=1
        Set "ProcessCmd[!Count!]=%%P"
)
@for /L %%i in (1,1,%Count%) do (
        echo !ProcessCmd[%%i]!>con
        echo !ProcessCmd[%%i]! >> "%TmpFile%"
)
Timeout /T 1 /NoBreak>nul
If exist "%TmpFile%" Call :Extract "%TmpFile%" "%LogFile%"
REM Open each extracted script path selected in an Explorer window
@For /f "delims=" %%a in ('Type "%LogFile%"') do (
    Explorer /n, /select, %%a
)
REM If exist "%LogFile%" Start "" "%LogFile%" & Exit
pause & Exit
::********************************************************************************************************
:Extract <InputData> <OutPutData>
REM Delayed expansion is switched off here so the "!" of the regex lookahead survives,
REM and the quotes are escaped as ^" so that the carets keep escaping ")" and "|"
REM instead of being written literally into the generated .vbs file.
SetLocal DisableDelayedExpansion
(
echo Data = WScript.StdIn.ReadAll
echo Data = Extract(Data,^"(?!.*(\x22\w^)^)\b.*(\w^).*(\.ps1^|\.hta^|\.vbs^|\.vbe^|\.cmd^|\.bat^|\.lnk^)^"^)
echo WScript.StdOut.WriteLine Data
echo '************************************************
echo Function Extract(Data,Pattern^)
echo    Dim oRE,oMatches,Match,Line
echo    set oRE = New RegExp
echo    oRE.IgnoreCase = True
echo    oRE.Global = True
echo    oRE.Pattern = Pattern
echo    set oMatches = oRE.Execute(Data^)
echo    If not isEmpty(oMatches^) then
echo        For Each Match in oMatches
echo            Line = Line ^& chr(34^) ^& Trim(Match.Value^) ^& chr(34^) ^& vbcrlf
echo        Next
echo        Extract = Line
echo    End if
echo End Function
echo '************************************************
)>"%tmp%\%~n0.vbs"
cscript /nologo "%tmp%\%~n0.vbs" < "%~1" > "%~2"
If Exist "%tmp%\%~n0.vbs" Del "%tmp%\%~n0.vbs"
EndLocal
exit /b
::****************************************************

Edit: here is another, pure vbscript version: WScript_Explorer_Location.vbs

Option Explicit
Dim Title,Process,ColProcess
Title = "Find file location of running VBScript in background"
' Every wscript.exe process found is reported and selected in Explorer
ColProcess = Find_Location("wscript.exe")
For Each Process in ColProcess
    MsgBox Process,vbInformation,Title
    Explorer(Process)
Next
'-------------------------------------------------
' Open an Explorer window with the given (already quoted) file selected
Sub Explorer(File)
    Dim ws
    Set ws = CreateObject("Wscript.Shell")
    ws.run "Explorer /n,/select,"& File &""
End Sub
'-------------------------------------------------
' Query WMI for the processes named MyProcess, skipping the host running
' this script itself, and return the script path found in each command line
Function Find_Location(MyProcess)
    Dim colItems,objItem,CmdLine,ArrProcess
    ArrProcess = Array()
    Set colItems = GetObject("winmgmts:").ExecQuery("Select * from Win32_Process " _
    & "Where Name like '%"& MyProcess &"%' AND NOT commandline like '%" & wsh.scriptname & "%'",,48)
    For Each objItem in colItems
        If objItem.CommandLine <> "" Then
            CmdLine = Extract(objItem.CommandLine,"(?!.*(\x22\w))\b.*(\w).*(\.ps1|\.hta|\.vbs|\.vbe|\.cmd|\.bat|\.lnk)")
            ReDim Preserve ArrProcess(UBound(ArrProcess)+1)
            ArrProcess(UBound(ArrProcess))= CmdLine
        End If
    Next
    Find_Location = ArrProcess
End Function
'-------------------------------------------------
' Return every match of Pattern in Data, each one quoted, one per line
Function Extract(Data,Pattern)
    Dim oRE,oMatches,Match,Line
    set oRE = New RegExp
    oRE.IgnoreCase = True
    oRE.Global = True
    oRE.Pattern = Pattern
    set oMatches = oRE.Execute(Data)
    If not isEmpty(oMatches) then
        For Each Match in oMatches
            Line = Line & chr(34) & Trim(Match.Value) & chr(34) & vbcrlf
        Next
        Extract = Line
    End if
End Function
'-------------------------------------------------

If you want to use the same vbscript to look for other processes in the background, such as cscript.exe, mshta.exe or cmd.exe, in order to explore their locations, just put them into an array like this: ArrayProcesses = Array("wscript.exe","cscript.exe","mshta.exe","cmd.exe")

Then call them like this:

For Each ProcessItem In ArrayProcesses
    ColProcesses = Find_Location(ProcessItem)
    For Each Process in ColProcesses
        MsgBox Process,vbInformation,Title
        Explorer(Process)
    Next
Next

The main vbscript can then be written like this: Find_Explore_Process.vbs

Option Explicit
Dim Title,ArrayProcesses,ProcessItem,ColProcesses,Process
Title = "Find file location of running Processes in background"
' Script hosts to look for; each one's command line is searched for a script path
ArrayProcesses = Array("wscript.exe","cscript.exe","mshta.exe","cmd.exe")
For Each ProcessItem In ArrayProcesses
    ColProcesses = Find_Location(ProcessItem)
    For Each Process in ColProcesses
        MsgBox Process,vbInformation,Title
        Explorer(Process)
    Next
Next
'-------------------------------------------------
' Open an Explorer window with the given (already quoted) file selected
Sub Explorer(File)
    Dim ws
    Set ws = CreateObject("Wscript.Shell")
    ws.run "Explorer /n,/select,"& File &""
End Sub
'-------------------------------------------------
' Query WMI for the processes named MyProcess, skipping the host running
' this script itself, and return the script path found in each command line
Function Find_Location(MyProcess)
    Dim colItems,objItem,CmdLine,ArrProcess
    ArrProcess = Array()
    Set colItems = GetObject("winmgmts:").ExecQuery("Select * from Win32_Process " _
    & "Where Name like '%"& MyProcess &"%' AND NOT commandline like '%" & wsh.scriptname & "%'",,48)
    For Each objItem in colItems
        If objItem.CommandLine <> "" Then
            CmdLine = Extract(objItem.CommandLine,"(?!.*(\x22\w))\b.*(\w).*(\.ps1|\.hta|\.vbs|\.vbe|\.cmd|\.bat|\.lnk)")
            ReDim Preserve ArrProcess(UBound(ArrProcess)+1)
            ArrProcess(UBound(ArrProcess))= CmdLine
        End If
    Next
    Find_Location = ArrProcess
End Function
'-------------------------------------------------
' Return every match of Pattern in Data, each one quoted, one per line
Function Extract(Data,Pattern)
    Dim oRE,oMatches,Match,Line
    set oRE = New RegExp
    oRE.IgnoreCase = True
    oRE.Global = True
    oRE.Pattern = Pattern
    set oMatches = oRE.Execute(Data)
    If not isEmpty(oMatches) then
        For Each Match in oMatches
            Line = Line & chr(34) & Trim(Match.Value) & chr(34) & vbcrlf
        Next
        Extract = Line
    End if
End Function
'-------------------------------------------------

Referring to your edit and comments, I have added another batch script named Scan_Registry_Run_Keys.bat, in order to scan your registry Run keys and extract their paths.

@echo off
REM Scan_Registry_Run_Keys.bat to get info about your running keys on the registry
REM And extract all their executables paths
Title Scanning Registry Run Keys by Hackoo 2020
Mode con cols=100 lines=5 & color 9E
setlocal ENABLEDELAYEDEXPANSION
Set "TmpFile=%Temp%\TmpFile.txt"
Set "OutPutFile=%~dp0Reg_Paths_EXE.txt"
Set "Files_List2Upload=%~dp0FilesList2Upload.txt"
Set "All_Users=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Set "Current_User=%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

REM Registry Run keys to scan (per-user and machine-wide)
Set Keys=^
^ "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ^
^ "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

If Exist "%TmpFile%" Del "%TmpFile%"
If Exist "%OutPutFile%" Del "%OutPutFile%"
If Exist "%Files_List2Upload%" Del "%Files_List2Upload%"

For %%K in (%Keys%) Do (
   cls
   echo;
   Echo             ***************************** Scanning in progress *****************************
   Echo             %%K
   Echo             ********************************************************************************
   Timeout /T 2 /Nobreak>nul
   reg query "%%~K" /s >> "%TmpFile%"
)

REM The two Startup folders are listed into the same temporary file
(
    Dir /b /s "%All_Users%"
    Dir /b /s "%Current_User%"
)>> "%TmpFile%"

Call :Extract "%TmpFile%" "%OutPutFile%"
If Exist "%TmpFile%" Start "" "%TmpFile%"

For /f "delims=" %%a in ('Type "%OutPutFile%"') do (
    echo "%%~a">>"%Files_List2Upload%"
)

If Exist "%OutPutFile%" Del "%OutPutFile%"
Start "" "%Files_List2Upload%"
Exit
::****************************************************
:Extract <InputData> <OutPutData>
REM Delayed expansion is switched off here so the "!" of the regex lookahead survives,
REM and the quotes are escaped as ^" so that the carets keep escaping ")" and "|"
REM instead of being written literally into the generated .vbs file.
SetLocal DisableDelayedExpansion
(
echo Data = WScript.StdIn.ReadAll
echo Data = Extract(Data,^"(?!.*(REG_SZ^|REG_EXPAND_SZ^)^)\b.*(\w^).*(\.exe^"^"^|\.exe^|\.vbs^|\.vbe^|\.cmd^|\.bat^|\.lnk^)^"^)
echo WScript.StdOut.WriteLine Data
echo '************************************************
echo Function Extract(Data,Pattern^)
echo    Dim oRE,oMatches,Match,Line
echo    set oRE = New RegExp
echo    oRE.IgnoreCase = True
echo    oRE.Global = True
echo    oRE.Pattern = Pattern
echo    set oMatches = oRE.Execute(Data^)
echo    If not isEmpty(oMatches^) then
echo        For Each Match in oMatches
echo            Line = Line ^& Trim(Match.Value^) ^& vbcrlf
echo        Next
echo        Extract = Line
echo    End if
echo End Function
echo '************************************************
)>"%tmp%\%~n0.vbs"
cscript /nologo "%tmp%\%~n0.vbs" < "%~1" > "%~2"
If Exist "%tmp%\%~n0.vbs" Del "%tmp%\%~n0.vbs"
EndLocal
exit /b
::****************************************************
:ExtractTarget <Link>
REM Resolve the target of a .lnk shortcut (not called by the main flow above)
(
    echo set Ws = CreateObject("WScript.Shell"^)
    echo set Lnk = Ws.Createshortcut(WScript.Arguments(0^)^)
    echo WScript.Echo Lnk.TargetPath
)>Tmp.vbs
cscript //nologo Tmp.vbs "%~1" & Del Tmp.vbs
Exit /b
::****************************************************
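The command-line extraction (the wscript.exe/cscript.exe/mshta.exe/cmd.exe scripts above) and the Run-key scan both come down to one parsing job: take a command line and work out which file it really launches. The Python below is an added example, not code from Hackoo's answer or from the question; it does that parsing offline on constructed sample data, so the command lines, the `reg query` text, the `C:\Users\demo` paths and the function names (`extract_script_path`, `parse_reg_query`) are all assumptions. On a live host the inputs would be the CommandLine values of Win32_Process (for example from Get-CimInstance in PowerShell, or the WMI query in the answer) and the output of `reg query <key> /s`. It goes a little beyond the page's regex: it splits arguments the way Windows does, skips the `//B`-style host switches, follows `cmd.exe /c`, accepts the forward-slash path from the question (C:/python37/shoot.vbs), and expands `%VAR%` in REG_EXPAND_SZ data.

```python
import ntpath
import re

# Script hosts the answer queries, and the script extensions they launch.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")


def split_windows_cmdline(cmdline):
    """Simplified CommandLineToArgvW: double quotes group words and are dropped;
    backslashes stay literal because in Windows paths they are separators."""
    args, current, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, have_arg = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(current))
                current, have_arg = [], False
        else:
            current.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(current))
    return args


def extract_script_path(cmdline):
    """Script file a host process was started with, or None for other programs."""
    args = split_windows_cmdline(cmdline)
    if not args:
        return None
    host = ntpath.basename(args[0]).lower()
    if host not in SCRIPT_HOSTS:
        return None
    candidates = args[1:]
    if host in ("wscript.exe", "cscript.exe"):
        # Host switches such as //B, //Nologo or //E:vbscript are not the script.
        candidates = [a for a in candidates if not a.startswith("//")]
    elif host == "cmd.exe":
        # The command follows /c or /k; without either there is nothing to run.
        lowered = [a.lower() for a in candidates]
        start = next((lowered.index(f) + 1 for f in ("/c", "/k") if f in lowered), None)
        if start is None:
            return None
        candidates = candidates[start:]
    for arg in candidates:
        # Accept either separator: the question's own example was C:/python37/shoot.vbs.
        normalized = arg.replace("/", "\\")
        if normalized.lower().endswith(SCRIPT_EXTS):
            return normalized
    return None


def launched_file(cmdline):
    # The script for a script host, otherwise the program itself.
    args = split_windows_cmdline(cmdline)
    if not args:
        return None
    return extract_script_path(cmdline) or args[0].replace("/", "\\")


def expand_env(value, env):
    """Expand %NAME% references the way REG_EXPAND_SZ data is expanded at logon."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def parse_reg_query(output, env):
    """Turn `reg query <key> /s` text into (key, value name, launched file) tuples."""
    results, current_key = [], None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            current_key = line.strip()  # a key header line
            continue
        parts = re.split(r" {4,}", line.strip(), maxsplit=2)  # name / type / data
        if len(parts) != 3:
            continue
        name, kind, data = parts
        if kind == "REG_EXPAND_SZ":
            data = expand_env(data, env)
        results.append((current_key, name, launched_file(data)))
    return results


# Constructed samples of what Win32_Process.CommandLine and `reg query /s` return.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\wscript.exe //B //Nologo "C:\Users\demo\AppData\Roaming\Updater\xyz1.vbs"',
    r"cscript.exe C:/python37/shoot.vbs",
    r'"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\run all.bat"',
    r'"C:\Program Files\Editor\editor.exe" notes.txt',
]
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    wscript.exe //B "C:\Users\demo\AppData\Roaming\Updater\abc.vbs"
    Helper    REG_EXPAND_SZ    %SystemRoot%\System32\cmd.exe /c %APPDATA%\helper\start.bat
"""
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows", "APPDATA": r"C:\Users\demo\AppData\Roaming"}

if __name__ == "__main__":
    print([extract_script_path(c) for c in SAMPLE_COMMAND_LINES])
    print(parse_reg_query(SAMPLE_REG_QUERY, SAMPLE_ENV))
```

Two things the sample deliberately does not do: it does not resolve `.lnk` shortcuts (the answer's `:ExtractTarget` routine does that through WScript.Shell), and it only looks at the Run keys and Startup folders named on this page; as the comments point out, Task Scheduler entries are another autostart location that the same parser could be fed.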

【Comments】:

Suppose abc.vbs is running in the background. abc.vbs also runs other scripts such as xyz1.vbs, xyz2.vbs, xyz3.vbs; your script will tell the location of xyz1.vbs, xyz2.vbs, xyz3.vbs, not the file location of abc.vbs.
@MuhammadAli Check my last edit and tell me the result! If it works for you, you can also add the batch tag!
This is overkill and no different from what the Startup tab in Task Manager shows.
@MuhammadAli This won't solve the problem; they want to know what is trying to auto-execute the scripts at startup. The scripts themselves no longer exist, but the entries that auto-run them do.
@Lankymart The Task Manager Startup tab is empty; I tried many things but nothing worked for me. The virus in the background is using C:\Windows\System32\wscript.exe to launch VB scripts. But wscript.exe won't tell you where the parent application was launched from. That's the problem.

【Answer 2】:

Use this:

Set Wsh = CreateObject("Wscript.Shell")
' Full path of the script that is currently running
script_name = Wscript.ScriptFullName
Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.GetFile(script_name)
Folder = FSO.GetParentFolderName(File.Path)
' Quote the folder so that paths containing spaces still open
strPath = "explorer.exe /e,""" & Folder & """"
Wsh.Run strPath

This will open the parent folder of the script that is currently running.

If you want to use it for another script, replace Wscript.ScriptFullName with the name of the other script.


Alternatively,

Open Task Manager and go to the Details tab. If a VBScript is running, the process wscript.exe or cscript.exe will appear in the list.

Right-click the column header and enable "Command line". This should tell you which script file is being executed.

【Comments】:

No sir, you didn't understand. I want to investigate that vbscript and stop it from running again. I didn't create that VBS, so I don't know where it is executed from; that's why I want to know its file location. Also, about your Task Manager command line point: I got cscript.exe C:/python37/shoot.vbs, and that path doesn't exist.
You see that path has slashes where the backslashes should be; that's why the path is wrong. You can see the path contains forward slashes, which is Linux syntax. Windows paths use backslashes (\), so the correct path is C:\python37\shoot.vbs
What you say is right, but neither path exists, with forward slashes or with backslashes.
