Autorunsc 是一個資安命令列工具，可以列出特定電腦開機或登入時會自動載入的項目，對於檢測惡意程式相當有幫助。本範例先透過批次檔產生一個 XML 檔案，再利用 VB6 解析該 XML 檔案，供後續應用。
批次檔內容
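@echo off
rem Run autorunsc from the folder this script lives in (%~dp0) rather than
rem from ".\": the original relied on the current working directory, so the
rem tool was not found and the XML landed elsewhere when the script was
rem started from another folder. The XML is written next to the script,
rem which is where the VB6 program looks for it (App.Path & "\xxxx4.xml").
rem -accepteula  accept the EULA non-interactively
rem -a           show all entries
rem -x           write the report as XML
rem -v           verify digital signatures
rem -f           include file hashes (MD5 and others)
"%~dp0autorunsc.exe" -accepteula -a -x -v -f > "%~dp0xxxx4.xml"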
VB6 程式碼
Dim G_Temps As String 'field values of the current item, each followed by a comma; flushed to the log and cleared whenever an <item> element is finished
Dim G_subItem As Integer 'number of values accumulated into G_Temps for the current item; reset together with G_Temps
Private Sub Form_Load()
    'Start parsing the Autorunsc XML as soon as the form is loaded.
    Call ParseXmlDocument
End Sub
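'Load the Autorunsc XML report that sits next to the executable and walk
'all of its nodes through RecurseChildNodes.
Sub ParseXmlDocument()
    Dim xmlDoc As DOMDocument30
    Set xmlDoc = New MSXML2.DOMDocument30

    'Load synchronously: with the default async = True, Load can return
    'before parsing has finished, and childNodes would then be walked on an
    'incomplete tree.
    xmlDoc.async = False
    'The report is plain data; there is no reason to validate against or
    'fetch external entities/DTDs, so switch that off (also keeps a tampered
    'report file from pulling in outside resources).
    xmlDoc.validateOnParse = False
    xmlDoc.resolveExternals = False

    'xmlDoc.loadXML Me.TxtXML.Text
    If xmlDoc.Load(App.Path & "\xxxx4.xml") Then
        Call RecurseChildNodes(xmlDoc, xmlDoc.childNodes) 'recursive walk
    Else
        'Load returns False for a missing file or malformed XML; the original
        'ignored this and silently walked an empty document.
        Debug.Print "XML load failed: " & xmlDoc.parseError.reason
    End If
    Set xmlDoc = Nothing
End Sub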
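'Recursively walk a node list. Values of nodes that have children are
'accumulated into G_Temps / G_subItem; every <item> element then flushes one
'line to the log via WriteFiles and resets the accumulators.
'  xmlDoc    - the owning document; only carried through the recursion, not read here
'  childNode - the node list to walk. Declared ByVal so the recursion can never
'              overwrite the caller's variable (the original reassigned this
'              ByRef parameter on every iteration).
'Returns nothing meaningful (Variant default); callers use it as a Sub.
Public Function RecurseChildNodes(xmlDoc As MSXML2.DOMDocument30, ByVal childNode As IXMLDOMNodeList)
    Dim icnt As Integer 'items seen in THIS call only; starts at 0 on every recursion level
    Dim intNodeCounter As Integer
    Dim currNode As IXMLDOMNode
    Dim kids As IXMLDOMNodeList

    For intNodeCounter = 0 To childNode.length - 1
        Set currNode = childNode.Item(intNodeCounter)
        Set kids = currNode.childNodes
        'Nodes without children (empty elements, text nodes themselves) contribute nothing.
        If kids.length > 0 Then
            'Descend first so an <item> line is written only after all of its fields were collected.
            RecurseChildNodes xmlDoc, kids
            Select Case LCase(currNode.nodeName)
                Case "item" 'flush everything accumulated since the previous item
                    icnt = icnt + 1
                    Debug.Print "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps
                    Call WriteFiles("output.txt", "次數 " & (icnt) & " " & G_subItem & ". " & G_Temps)
                    G_Temps = ""
                    G_subItem = 0
                Case Else
                    'NOTE: values are joined with a bare comma and are not quoted, so a
                    'value that itself contains a comma (e.g. a publisher name) shifts
                    'the columns when the line is later read back as CSV.
                    G_Temps = G_Temps & currNode.nodeTypedValue & "," ' & vbCrLf
                    G_subItem = G_subItem + 1
            End Select
        End If
    Next intNodeCounter
End Function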
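'Append one line to a text file located in App.Path.
'  FN       - file name relative to App.Path. ".txt" is added only when it is
'             missing; the original appended it unconditionally, so the call
'             with "output.txt" actually produced "output.txt.txt".
'  sContent - the line to append
'A failed write is reported through Debug.Print instead of being swallowed
'by On Error Resume Next; the caller is still not interrupted.
Sub WriteFiles(ByVal FN As String, ByVal sContent As String)
    On Error GoTo WriteFailed
    Const ForAppend = 8
    Dim fso As Object
    Dim f As Object
    Dim sPath As String

    If LCase$(Right$(FN, 4)) <> ".txt" Then FN = FN & ".txt"
    sPath = App.Path & "\" & FN

    Set fso = CreateObject("Scripting.FileSystemObject")
    'ForAppend with create-if-missing keeps every run's lines in the same log file
    Set f = fso.OpenTextFile(sPath, ForAppend, True)
    f.WriteLine sContent
    f.Close
    Set f = Nothing
    Set fso = Nothing
    Exit Sub

WriteFailed:
    'Best-effort logging: say what went wrong, then release the handles.
    Debug.Print "WriteFiles failed for " & sPath & ": " & Err.Description
    On Error Resume Next
    If Not f Is Nothing Then f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub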
'輸出範例
次數 492 14. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers,PDF Shell Extension,Enabled,HKCR\CLSID\{F9DB5320-233E-11D1-9F84-707F02C10627},PDF Shell Extension,Adobe Systems, Inc.,(Verified) Adobe Systems,11.0.3.37,c:\program files\common files\adobe\acrobat\activex\pdfshell.dll,2013/5/11 下午 05:34,edfa163fdbd7051cd9148410e4b56af0,6c512b12f830ef82ed09e985187fbd704329f66b,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,8db4a369f42ff3701e02de3b3ba182e81b4690d6b95aa2c7281b43ccfbf9c242,
次數 493 2. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,2013/5/8 下午 02:05,
次數 494 14. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers,Shell Extension for Malware scanning,Enabled,HKCR\CLSID\{45AC2688-0253-4ED8-97DE-B5370FA7D48A},AntiVirus context menu,Avira Operations GmbH & Co. KG,(Verified) Avira Operations GmbH & Co. KG,14.0.3.336,c:\program files\avira\antivir desktop\shlext.dll,2014/2/13 下午 10:31,e39276483186ef0a9e0b483016a36180,22b2d12ad8428e8f6b171a21aa900daab9d1c7fc,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,c4836624c4194cf9862bedc83c93bf7c368c59af0292b71b45da7672163546eb,
......
參考文章
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.freevbcode.com/ShowCode.asp?ID=5750