杀传奇私服外挂 rootkit 的脚本。原理很简单：直接改注册表，把外挂驱动服务的 Start 值设为 4（禁用），让它重启后不再加载。适用条件是外挂把驱动释放到 %SystemRoot%（C:\Windows）目录下，并且驱动没有注册 CmRegisterCallback 注册表回调、也没有对自身服务键值的修改做保护。注意：脚本会尝试删除 C:\Windows 下所有 .sys 文件，写 HKLM\SYSTEM 也需要管理员权限，运行前先确认目录里的内容。下面上代码，啰嗦版本带注释，一看就明白。
啰嗦版本（带注释）
# -*- coding:utf-8 -*-
import glob
import os
import ctypes
from _winreg import *
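# Runs under Python 2 on Windows (see the _winreg import above).  Procedure:
#   1. delete every *.sys directly under %SystemRoot% -- only the driver that
#      is currently loaded survives, because the kernel holds its image open;
#   2. take the survivor's file stem as the driver's service name;
#   3. set Start=4 (SERVICE_DISABLED) for that service in every ControlSet00N
#      so it is not loaded again after reboot;
#   4. tell the user to cut power instead of shutting down cleanly.
# This only works against a driver that registered no CmRegisterCallback and
# does not otherwise protect its service key -- see the write-up above.

# Directory the cheat drops its driver into.  Decoded to unicode once so the
# paths built from it (and the glob results) are unicode and print cleanly on
# a Chinese (GBK) console; falls back to the original hard-coded path.
SYSTEM_ROOT = os.environ.get('SystemRoot', 'C:\\Windows').decode('mbcs')

# SCM start type SERVICE_DISABLED -- the bare 4 in the original.
SERVICE_DISABLED = 4

# Non-driver files that may appear in the *.sys listing; compared lower-cased
# because NTFS ignores case.  The original skipped pagefile.sys only.
# NOTE(review): hiberfil.sys / swapfile.sys would belong here if they ever
# show up in this directory -- not seen in the original, so not added.
NON_DRIVER_SYS_FILES = ('pagefile.sys',)


def _list_sys_files(directory):
    """Return the full paths of every *.sys file directly under *directory*."""
    return glob.glob(os.path.join(directory, u'*.sys'))


def _delete_unloaded_drivers(directory):
    """Try to delete every *.sys directly under *directory*, reporting each.

    os.remove fails for the driver that is currently loaded (its image is held
    open by the kernel) and succeeds for leftover copies -- that is how the
    script separates the two.  A failure can also mean missing rights, so the
    error itself is echoed instead of being guessed at.

    WARNING: this removes every .sys in the directory without asking.  A .sys
    sitting directly in %SystemRoot% (rather than System32\\drivers) is the
    heuristic the whole script rests on -- review the listing before running
    this on a machine you have not looked at.
    """
    print(u'检测到 ' + directory + u' 目录下的可疑文件如下')
    for path in _list_sys_files(directory):
        name = os.path.basename(path)
        try:
            os.remove(path)
        except OSError as err:
            print(u'有可疑驱动正在运行无法直接删除')
            # repr() keeps the ANSI-encoded strerror ASCII-safe next to unicode.
            print(u'  ' + name + u': ' + repr(err))
        else:
            print(u'删除文件' + name + u'成功')


def _remaining_driver_name(directory):
    """Return the service name (file stem) of the *.sys left after deletion.

    Whatever could not be deleted is taken to be the loaded cheat driver.
    Exits cleanly when nothing is left (the original hit IndexError here) and
    warns when several remain -- like the original, the first one is used.
    """
    paths = _list_sys_files(directory)
    for path in paths:
        print(path)
    names = [os.path.basename(p) for p in paths]
    drivers = [n for n in names if n.lower() not in NON_DRIVER_SYS_FILES]
    # Same two diagnostics the original printed around list.remove().
    if len(drivers) < len(names):
        print('del pagefile.sys successed')
    else:
        print('del pagefile.sys failed')
    print(u', '.join(drivers))
    if not drivers:
        print(u'没有剩余的可疑驱动文件, 无需修改注册表')
        raise SystemExit(1)
    if len(drivers) > 1:
        print(u'警告: 剩余多个可疑驱动文件, 只处理第一个: ' + drivers[0])
    return os.path.splitext(drivers[0])[0]


def _control_sets():
    """Return the names of all HKLM\\SYSTEM\\ControlSet00N keys that exist.

    CurrentControlSet and LastKnownGood are links to two of these, so the
    service has to be disabled in each of them for the change to hold after
    the hard power-off below.  Enumerating them also fixes the original, which
    meant to cover 001-004 but wrote ControlSet002 three times.  Reading the
    list needs no elevation; writing (below) does.
    """
    root = OpenKey(HKEY_LOCAL_MACHINE, 'SYSTEM', 0, KEY_READ)
    try:
        subkey_count = QueryInfoKey(root)[0]
        names = [EnumKey(root, i) for i in range(subkey_count)]
    finally:
        CloseKey(root)
    return [n for n in names if n.startswith('ControlSet')]


def _disable_driver_service(service_name):
    """Set Start=SERVICE_DISABLED for *service_name* in every ControlSet.

    KEY_SET_VALUE is all that is required (least privilege; the original asked
    for KEY_WRITE).  The driver stays resident until the machine goes down --
    this only stops it from coming back.
    """
    for control_set in _control_sets():
        key_path = 'SYSTEM\\' + control_set + '\\services\\' + service_name
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, key_path, 0, KEY_SET_VALUE)
        except EnvironmentError:
            print(u'处理' + control_set + u'出错或者项目不存在')
            continue
        try:
            SetValueEx(key, 'Start', 0, REG_DWORD, SERVICE_DISABLED)
            print(u'处理' + control_set + u'成功')
        except EnvironmentError:
            print(u'处理' + control_set + u'出错')
        finally:
            CloseKey(key)


def main():
    """Run the whole cleanup in the order described at the top of the script."""
    # os.getcwdu() is already unicode; the original decoded os.getcwd() (ANSI
    # bytes on Python 2) as UTF-8, which raises on any non-ASCII path.
    print(u'现在程序所在的路径为 :' + os.getcwdu())
    _delete_unloaded_drivers(SYSTEM_ROOT)
    driver_name = _remaining_driver_name(SYSTEM_ROOT)
    _disable_driver_service(driver_name)
    # NOTE(review): the write-up does not say why a hard power-off is needed;
    # presumably a clean shutdown would let the still-loaded driver undo the
    # registry change.  Kept as the original instructs.
    print(u'''
操作尚未完成,不要点关机或者重启!
先关掉并退出所有程序,然后直接拔掉电源线使电脑直接断电!
等5秒后插上重启''')
    ctypes.windll.user32.MessageBoxW(0, u'关掉并退出所有程序,直接拔掉电源线使电脑直接断电', u'操作提示', 0)


if __name__ == '__main__':
    main()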
短小精悍版本
# -*- coding:utf-8 -*-
import glob
import os
import ctypes
from _winreg import *
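# Python 2 / Windows (see the _winreg import above).  Same procedure as the
# verbose version: delete all *.sys under %SystemRoot% (the loaded driver
# survives), disable the survivor's service in every ControlSet, hard power-off.

# Drop directory, decoded once so paths and glob results are unicode.
SYSTEM_ROOT = os.environ.get('SystemRoot', 'C:\\Windows').decode('mbcs')

# SCM start type SERVICE_DISABLED.
SERVICE_DISABLED = 4

# Non-driver files that may be in the listing (lower-cased comparison).
NON_DRIVER_SYS_FILES = ('pagefile.sys',)


def _list_sys_files(directory):
    """Return every *.sys directly under *directory*."""
    return glob.glob(os.path.join(directory, u'*.sys'))


def _delete_unloaded_drivers(directory):
    """Delete every *.sys under *directory*; the loaded driver's image is held
    open by the kernel, so it is the one that fails.  WARNING: deletes without
    asking -- check the directory first."""
    print(u'检测到 ' + directory + u' 目录下的可疑文件如下')
    for path in _list_sys_files(directory):
        name = os.path.basename(path)
        try:
            os.remove(path)
        except OSError as err:
            # Could also be missing rights, so echo the real error.
            print(u'有可疑驱动正在运行无法直接删除')
            print(u'  ' + name + u': ' + repr(err))
        else:
            print(u'删除文件' + name + u'成功')


def _remaining_driver_name(directory):
    """Return the file stem of the surviving *.sys; exit if none is left
    (the original raised IndexError), warn if more than one remains."""
    paths = _list_sys_files(directory)
    for path in paths:
        print(path)
    names = [os.path.basename(p) for p in paths]
    drivers = [n for n in names if n.lower() not in NON_DRIVER_SYS_FILES]
    if len(drivers) < len(names):
        print('del pagefile.sys successed')
    else:
        print('del pagefile.sys failed')
    print(u', '.join(drivers))
    if not drivers:
        print(u'没有剩余的可疑驱动文件, 无需修改注册表')
        raise SystemExit(1)
    if len(drivers) > 1:
        print(u'警告: 剩余多个可疑驱动文件, 只处理第一个: ' + drivers[0])
    return os.path.splitext(drivers[0])[0]


def _control_sets():
    """Return all HKLM\\SYSTEM\\ControlSet00N key names.  Enumerating fixes the
    original's copy-paste slip (ControlSet002 written three times)."""
    root = OpenKey(HKEY_LOCAL_MACHINE, 'SYSTEM', 0, KEY_READ)
    try:
        names = [EnumKey(root, i) for i in range(QueryInfoKey(root)[0])]
    finally:
        CloseKey(root)
    return [n for n in names if n.startswith('ControlSet')]


def _disable_driver_service(service_name):
    """Set Start=SERVICE_DISABLED for the service in every ControlSet
    (KEY_SET_VALUE is enough; needs an elevated process)."""
    for control_set in _control_sets():
        key_path = 'SYSTEM\\' + control_set + '\\services\\' + service_name
        try:
            key = OpenKey(HKEY_LOCAL_MACHINE, key_path, 0, KEY_SET_VALUE)
        except EnvironmentError:
            print(u'处理' + control_set + u'出错或者项目不存在')
            continue
        try:
            SetValueEx(key, 'Start', 0, REG_DWORD, SERVICE_DISABLED)
            print(u'处理' + control_set + u'成功')
        except EnvironmentError:
            print(u'处理' + control_set + u'出错')
        finally:
            CloseKey(key)


def main():
    """Run the cleanup end to end."""
    # os.getcwdu() avoids the original's UTF-8 decode of an ANSI byte path.
    print(u'现在程序所在的路径为 :' + os.getcwdu())
    _delete_unloaded_drivers(SYSTEM_ROOT)
    _disable_driver_service(_remaining_driver_name(SYSTEM_ROOT))
    # NOTE(review): hard power-off kept as the original instructs; the reason
    # (presumably so the loaded driver cannot undo the change) is not stated.
    print(u'''
操作尚未完成,不要点关机或者重启!
先关掉并退出所有程序,然后直接拔掉电源线使电脑直接断电!
等5秒后插上重启''')
    ctypes.windll.user32.MessageBoxW(0, u'关掉并退出所有程序,直接拔掉电源线使电脑直接断电', u'操作提示', 0)


if __name__ == '__main__':
    main()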