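' Windows rootkits detector
' (c)oded by offtopic@mail.ru 2003
' (c) Sergey Gordeychik gordey@infosec.ru 2003
'
' usage:
'   cscript rkdetect.vbs <computer>
'
' Cross-view check: the service list of <computer> is collected twice, once
' through WMI (Win32_Service) and once through "sc.exe query", and every
' display name that sc.exe reports but WMI does not is printed as a possible
' hidden service.
'
' Limits a reader should keep in mind:
'   * Only the "seen by SC, missing from WMI" direction is checked.
'   * Both views come from the target's own service-enumeration interfaces,
'     so software that filters both views the same way will not show up.
'     An empty result is not evidence of a clean host.
'   * sc.exe output is written to sc.txt in the current directory; run the
'     script from a directory that only the operator can write to.
'
' NOTE(review): this listing was recovered from a page that had lost its
' quote characters, comment markers and backslashes. The "\\" and
' "\root\cimv2" parts of the WMI moniker and the "\\" before the computer
' name in the sc.exe command line were restored from the standard syntax,
' and the "<computer>" placeholder in the usage text was missing on the page.

Option Explicit

Const SC_FILE = "sc.txt"
Const SC_NAME_TAG = "DISPLAY_NAME:"
Const FOR_READING = 1

Dim Args, strComputer
Dim objWMIService, colServices, objService
Dim wmiNames, scNames()
Dim fso, WshShell, scriptState, f, s
Dim i, j, k

Set Args = WScript.Arguments
If Args.Count < 1 Then Fail
strComputer = Args(0)

' The computer name is concatenated into a cmd.exe command line below, so it
' is restricted to host-name characters before it is used anywhere.
If Not IsPlainHostName(strComputer) Then Fail

' --- View 1: services as reported by WMI ---------------------------------
WScript.Echo "Query services via WMI..."
Set wmiNames = CreateObject("Scripting.Dictionary")

' Errors are trapped only around the remote calls and checked immediately,
' so a failed query cannot be mistaken for an empty (clean) result.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
If Err.Number <> 0 Then Fail
Set colServices = objWMIService.ExecQuery _
    ("SELECT DisplayName,PathName FROM Win32_Service")
If Err.Number <> 0 Then Fail

i = 0
For Each objService In colServices
    If Not IsNull(objService.DisplayName) Then
        ' A dictionary gives an exact membership test and tolerates two
        ' services sharing one display name.
        wmiNames(objService.DisplayName) = True
    End If
    i = i + 1
Next
If Err.Number <> 0 Then Fail
On Error GoTo 0

If i = 0 Then Fail
WScript.Echo "Detected " & i & " services"

' --- View 2: services as reported by sc.exe ------------------------------
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(SC_FILE) Then fso.DeleteFile SC_FILE

WScript.Echo "Query services via SC..."
Set WshShell = WScript.CreateObject("WScript.Shell")
Set scriptState = WshShell.Exec("%comspec% /c sc.exe \\" & strComputer & _
    " query state= all> " & SC_FILE)
Do While scriptState.Status = 0
    WScript.Sleep 100
Loop

If Not fso.FileExists(SC_FILE) Then Fail

Set f = fso.OpenTextFile(SC_FILE, FOR_READING, False)
j = 0
Do Until f.AtEndOfStream
    s = f.ReadLine
    k = InStr(s, SC_NAME_TAG)
    If k > 0 Then
        ' The name starts after the tag and the single space that follows it.
        ReDim Preserve scNames(j)
        scNames(j) = Mid(s, k + Len(SC_NAME_TAG) + 1)
        j = j + 1
    End If
Loop
f.Close

' No DISPLAY_NAME lines means sc.exe failed (for example access denied);
' reporting "nothing hidden" in that case would be a false negative.
If j = 0 Then Fail
WScript.Echo "Detected " & j & " services"

' --- Compare the two views -----------------------------------------------
WScript.Echo "Finding hidden services..."
WScript.Echo ""
For k = 0 To j - 1
    If Not wmiNames.Exists(scNames(k)) Then
        WScript.Echo "Possible rootkit found: " & scNames(k)
    End If
Next
WScript.Echo "Done"

' Returns True when name consists only of letters, digits, ".", "-" and "_".
' This is deliberately narrow: anything else (spaces, quotes, "&", "|", ...)
' is rejected rather than escaped. IPv6 literals are rejected as well.
Function IsPlainHostName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]+$"
    IsPlainHostName = re.Test(name)
End Function

' Prints the banner, the error hint and the usage text, then stops the
' script with a non-zero exit code so callers can tell failure from success.
Sub Fail()
    WScript.Echo "Windows rootkits detector"
    WScript.Echo "(c)oded by offtopic@mail.ru 2003"
    WScript.Echo "(c) Sergey V. Gordeychik gordey@infosec.ru 2003"
    WScript.Echo ""
    WScript.Echo "An error occurred. Check machine availability and your access level (must be an administrator)."
    WScript.Echo ""
    WScript.Echo "Usage:"
    WScript.Echo "cscript rkdetect.vbs <computer>"
    WScript.Echo ""
    WScript.Echo ""
    WScript.Quit 1
End Sub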