系统服务有可能被 rootkit 隐藏,但有时仍可以在注册表中找到相关信息。建议以管理员权限运行,否则有些服务可能列举不出来,或出现错误提示。
![](https://ss.0133.cn/article/d4/fa/98/d4fa98f84d16f9d1228954e58be15532.jpg-600)
代码(checksvr.vbs):
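' checksvr.vbs - cross-checks two views of the installed services.
'
' View 1: the subkeys of HKLM\SYSTEM\CurrentControlSet\Services that carry an
'         "ObjectName" value, read through the WMI registry provider (StdRegProv).
' View 2: the instances WMI returns for Win32_Service.
'
' Reading the result:
'   [ OK ]     - a Win32_Service instance with the same name exists.
'   [ Hidden ] - the registry key exists but Win32_Service returns nothing for it.
'                Treat this as a lead to investigate, not as proof of a rootkit:
'                drivers are reported by Win32_SystemDriver rather than
'                Win32_Service, so a driver key that carries an ObjectName value
'                can be flagged, as can a leftover key of a removed service.
'
' Limitation: both views are read on the live system. A rootkit that also filters
' registry access produces no [ Hidden ] line at all, so a clean run does not
' clear the machine; confirm from a trusted environment where that matters.

'On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SYSTEM\CurrentControlSet\Services"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

' If the enumeration did not succeed, arrSubKeys is not an array and
' "For Each" below would abort with a type mismatch, so stop with a clear message.
If Not IsArray(arrSubKeys) Then
    Wscript.Echo "Could not enumerate HKLM\" & strKeyPath & " - run from an elevated prompt."
    Wscript.Quit (1)
End If

Wscript.Echo "Checking, please wait ..."
Wscript.Echo ""

For Each subkey In arrSubKeys
    ' Reset per key so a failed read cannot reuse the previous key's account name.
    strValue = ""
    ' VBScript strings have no backslash escapes: one "\" is the key separator.
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey, "ObjectName", strValue
    If IsNull(strValue) Then strValue = ""

    ' Keys without an ObjectName value are skipped.
    If Not (strValue = "") Then
        ' One WMI query per key; comparing against a pre-fetched array of
        ' service names might be faster (open question from the original author).
        If Not (CheckSvr(subkey)) Then
            Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ Hidden ]"
        Else
            Wscript.Echo subkey & FormatOutTab(subkey) & strValue & FormatOutTab(strValue) & "[ OK ]"
        End If
    End If
Next

Wscript.Echo ""
Wscript.Echo "All done."
Wscript.Quit (0)

' Returns True when Win32_Service has an instance whose Name equals strName,
' False otherwise.
Function CheckSvr(strName)
    Dim oWMI, cService, strSafe

    ' The key name comes from the registry of a machine that may be compromised.
    ' Escape the WQL string-literal metacharacters so a name containing "'" or "\"
    ' cannot break or alter the query.
    strSafe = Replace(strName, "\", "\\")
    strSafe = Replace(strSafe, "'", "\'")

    Set oWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cService = oWMI.ExecQuery("Select * from Win32_Service WHERE Name='" & strSafe & "'")
    CheckSvr = (cService.Count <> 0)
End Function

' Returns the run of tab characters that pads strName to the next output column:
' five tabs for names shorter than 8 characters, one fewer for each further
' 8 characters, and a single tab for anything of 32 characters or more.
Function FormatOutTab(strName)
    Dim strLen

    strLen = Len(strName)
    Select Case True
        Case strLen < 8
            FormatOutTab = vbTab & vbTab & vbTab & vbTab & vbTab
        Case strLen < 16
            FormatOutTab = vbTab & vbTab & vbTab & vbTab
        Case strLen < 24
            FormatOutTab = vbTab & vbTab & vbTab
        Case strLen < 32
            FormatOutTab = vbTab & vbTab
        Case strLen < 40
            FormatOutTab = vbTab
        Case Else
            FormatOutTab = vbTab
    End Select
End Function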