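' Windows rootkits detector
' (c)oded by offtopic@mail.ru 2003
' (c) Sergey Gordeychik gordey@infosec.ru 2003
' usage:
' cscript rkdetect.vbs <computer>
'
' Cross-view check: the service list is read twice, once through WMI
' (Win32_Service) and once through sc.exe, and every display name that sc.exe
' reports but WMI does not is printed as a lead.
'
' Reading the result:
'   * A hit is something to investigate, not proof of compromise.
'   * A clean run only means these two views agree; code that filters both
'     views consistently will not show up here.
'
' NOTE(review): the published listing had lost its comment markers, string
' quotes and backslashes. The UNC prefix "\\" and the "\root\cimv2" namespace
' below are restored to the standard forms - confirm against the original.
Option Explicit

Const SC_FILE = "sc.txt"              ' scratch file, created in the current directory
Const SC_NAME_TAG = "DISPLAY_NAME:"   ' label sc.exe prints in front of each display name

Dim strComputer, hostPattern
Dim objWMIService, colServices, objService, displayName
Dim wmiNames, scNames()
Dim fso, WshShell, scriptState, f
Dim s, k, i, j, j1

If WScript.Arguments.Count < 1 Then Fail

strComputer = WScript.Arguments(0)
' Accept "\\host" as well as "host"; the prefix is added back where needed.
If Left(strComputer, 2) = "\\" Then strComputer = Mid(strComputer, 3)

' The host name is pasted into a cmd.exe command line further down, so only a
' conservative character set is allowed. Without this check, shell
' metacharacters in the argument would be interpreted by cmd.exe.
' (IPv6 literals are rejected by this pattern.)
Set hostPattern = New RegExp
hostPattern.Pattern = "^[A-Za-z0-9._-]+$"
If Not hostPattern.Test(strComputer) Then Fail

' --- View 1: WMI -----------------------------------------------------------
WScript.Echo "Query services via WMI..."
Set wmiNames = CreateObject("Scripting.Dictionary")
i = 0
On Error Resume Next
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
If Err.Number <> 0 Then Fail
Set colServices = objWMIService.ExecQuery _
    ("SELECT DisplayName,PathName FROM Win32_Service")
If Err.Number <> 0 Then Fail
For Each objService In colServices
    displayName = objService.DisplayName
    If Not IsNull(displayName) Then
        ' Two services may share a display name; keep one key per name.
        If Not wmiNames.Exists(displayName) Then wmiNames.Add displayName, True
    End If
    i = i + 1
Next
' Stop here if the WMI view is incomplete: comparing against a partial list
' would report every remaining service as hidden.
If Err.Number <> 0 Then Fail
On Error GoTo 0
WScript.Echo "Detected " & i & " services"

' --- View 2: sc.exe --------------------------------------------------------
WScript.Echo "Query services via SC..."
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(SC_FILE) Then fso.DeleteFile SC_FILE
Set WshShell = WScript.CreateObject("WScript.Shell")
Set scriptState = WshShell.Exec("%comspec% /c sc.exe \\" & strComputer & " query state= all> " & SC_FILE)
If Err.Number <> 0 Then Fail
On Error GoTo 0
While (scriptState.Status = 0)
    WScript.Sleep 100
Wend
' A non-zero exit code means sc.exe could not query the host (unreachable,
' access denied, ...); its output must not be used for the comparison.
If scriptState.ExitCode <> 0 Then Fail

On Error Resume Next
Set f = fso.OpenTextFile(SC_FILE, 1, False)
If Err.Number <> 0 Then Fail
On Error GoTo 0

j = 0
Do While Not f.AtEndOfStream
    s = f.ReadLine
    k = InStr(s, SC_NAME_TAG)
    If k > 0 Then
        ' Grow the list as needed instead of assuming an upper bound.
        ReDim Preserve scNames(j)
        ' The name starts after the label and the single space that follows it.
        scNames(j) = Mid(s, k + Len(SC_NAME_TAG) + 1)
        j = j + 1
    End If
Loop
f.Close
WScript.Echo "Detected " & j & " services"

' --- Compare ---------------------------------------------------------------
WScript.Echo "Finding hidden services..."
WScript.Echo ""
For j1 = 0 To j - 1
    ' Report a name only when WMI does not list it at all. Counting
    ' mismatches, as the listing did, also flags names that WMI returns twice.
    If Not wmiNames.Exists(scNames(j1)) Then WScript.Echo "Possible rootkit found: " & scNames(j1)
Next
WScript.Echo "Done"

' Print the banner and usage text, then exit with a non-zero status so that a
' calling batch job can tell a failed scan from a clean one.
Sub Fail()
    WScript.Echo "Windows rootkits detector"
    WScript.Echo "(c)oded by offtopic@mail.ru 2003"
    WScript.Echo "(c) Sergey V. Gordeychik gordey@infosec.ru 2003"
    WScript.Echo ""
    WScript.Echo "An error occurred. Check machine availability and your access level (must be an administrator)."
    WScript.Echo ""
    WScript.Echo "Usage:"
    WScript.Echo "cscript rkdetect.vbs <computer>"
    WScript.Echo ""
    WScript.Echo ""
    WScript.Quit 1
End Sub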