也谈100%防上网病毒的最终实际应用（可自定义路径以及文件类型）

今天把一个朋友编写的防护网页木马的VBS发了出来，他做的这个脚本可以自定义路径以及类别以及更完美的解决了某些游戏更新与执行的问题，在这里对他表示深深的感谢-----浩月。

具体的功能如下：

'功能:禁止在临时目录%temp%/*.*、%ietemp%/Content.IE5/*.*及其它指定路径中运行指定的后缀名
'如果与某个游戏不兼容时，也就是某个游戏会自动生成执行文件到被禁的目录，请把路径加到白名单中
'程序本身已兼容梦幻西游、大话西游更新，并自动取系统的临时目录和IE临时目录加入黑名单列表。
'                                                               - 浩月.net 编写

以下为VBS脚本：

'功能:禁止在临时目录%temp%/*.*、%ietemp%/Content.IE5/*.*及其它指定路径中运行指定的后缀名
'如果与某个游戏不兼容时，也就是某个游戏会自动生成执行文件到被禁的目录，请把路径加到白名单中
'程序本身已兼容梦幻西游、大话西游更新，并自动取系统的临时目录和IE临时目录加入黑名单列表。
'                                                               - 浩月.net 编写

On Error Resume Next
setupgpedit()

Function setupgpedit() '利用组策略的软件安全防止网站木马和恶意程序
On Error Resume Next
Dim WshShell, IETempPath, hjmlist, keypath, pathlist,num8
'------------------------------------------------------------------------↓开放运行的程序路径(白名单)
'------------------------------------------------------------------------↓支持多路径,以分号隔开
filepath="%temp%/gpatch.exe;"
'------------------------------------------------------------------------↓路径列表(黑名单路径)
'------------------------------------------------------------------------↓支持多路径,以分号隔开

'------------------------------------------------------------------------↓支持多路径,以分号隔开
pathlist = "C:/Test/;"
'------------------------------------------------------------------------↓要禁止的后缀名列表(黑名单后缀)
'------------------------------------------------------------------------↓支持多路径,以分号隔开
hjmlist = "exe;com;bat;cmd;vbs;vbe;"
'------------------------------------------------------------------------↓禁止运行默认路径
keypath="HKLM/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/"
'------------------------------------------------------------------------↓开放运行默认路径
keyfile="HKLM/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/262144/Paths/"
'------------------------------------------------------------------------↓分割后缀后列表
namelist=Split(hjmlist,";")
Set WshShell = WScript.CreateObject("WScript.Shell")
'------------------------------------------------------------------------↓取IE缓存路径并加入路径列表
pathlist=WshShell.RegRead("HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders/Cache") & "/Content.IE5/;"&pathlist
pathlist=WshShell.RegRead("HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders/Cache") & "/Content.IE5/*/;"&pathlist
'------------------------------------------------------------------------↓取临时目录路径并加入路径列表
pathlist=WshShell.RegRead("HKEY_CURRENT_USER/Environment/Temp")&"/;"&pathlist
pathlist=WshShell.RegRead("HKEY_CURRENT_USER/Environment/Temp")&"/*/;"&pathlist
'------------------------------------------------------------------------↓分割路径列表
pathlists=Split(pathlist,";")
'------------------------------------------------------------------------↓分割开放运行的列表
filepaths=Split(filepath,";")

'------------------------------------------------------------------------↓循环路径列表
WshShell.RegDelete keypath

'------------------------------------------------------------------------↓开始写开放策略
For w = 1 to int(UBound(filepaths)) step 1
'------------------------------------------------------------------------↓置随机种子
    Randomize
'------------------------------------------------------------------------↓取6位随机数并转成16进制
    num6=Str2Hex(Int((899999 * Rnd) + 100000))
'------------------------------------------------------------------------↓写注册表项
    WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}/",,"REG_SZ"
    WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}/LastModified",0,"REG_BINARY"
    WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}/Description","开放运行文件"&filepaths(w-1),"REG_SZ"
    WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}/SaferFlags",0,"REG_DWORD"
    WshShell.RegWrite keyfile & "{8156dd45-e093-4a3e-9755-" & num6 & "}/ItemData",filepaths(w-1),"REG_EXPAND_SZ"
Next
'------------------------------------------------------------------------↓开放策略完毕

'------------------------------------------------------------------------↓开始写禁止策略
For o = 1 to int(UBound(pathlists)) step 1
'------------------------------------------------------------------------↓循环后缀名列表
  For p = 1 to int(UBound(namelist)) step 1
'------------------------------------------------------------------------↓置随机种子
    Randomize
'------------------------------------------------------------------------↓取6位随机数并转成16进制
    num6=Str2Hex(Int((899999 * Rnd) + 100000))
'------------------------------------------------------------------------↓写注册表项
    WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}/",,"REG_SZ"
    WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}/LastModified",0,"REG_BINARY"
    WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}/Description","禁止运行本路径中的"&namelist(p-1)&"文件","REG_SZ"
    WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}/SaferFlags",0,"REG_DWORD"
    WshShell.RegWrite keypath & "{8156dd45-e093-4a3e-9755-" & num6 & "}/ItemData",pathlists(o-1)&"*."&namelist(p-1),"REG_EXPAND_SZ"
  Next
Next
'------------------------------------------------------------------------↓结束指定进程
exitprocess("explorer.exe")
'------------------------------------------------------------------------↓更新组策略
WshShell.Run ("gpupdate /force"),0
'------------------------------------------------------------------------↓刷新桌面
WshShell.Run ("RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters")
End Function

Function exitprocess(exename)'结束指定进程,可以是程序名或程序路径
     strComputer="."
     Set objWMIService = GetObject ("winmgmts://" & strComputer & "/root/cimv2")
     Set colItems = objWMIService.ExecQuery ("SELECT * FROM Win32_process")
     For Each objItem in colItems
         if objitem.ExecutablePath<>"" then '=========================先判断命令路径是否符合
            if instrs(objitem.ExecutablePath,exename) = False then '命令路径符合就结束
               objItem.Terminate()
            else
               if instrs(objitem.Name,exename) = False then '命令路径不符合时判断程序名
                  objItem.Terminate()
               end if
            end if
          else
             if instrs(objitem.Name,exename) = False then '命令路径为空时直接判断程序名是否符合
                objItem.Terminate()
             end if
          end if
      Next
End Function

Function instrs(patrn, strng) '搜索指定字符是否存在
  Dim regEx, retVal
  Set regEx = New RegExp
  regEx.Pattern = patrn
  regEx.IgnoreCase = True         ' 是否区分大小写。
  retVal = regEx.Test(strng)
  If retVal Then
    instrs = False
  Else
    instrs = True
  End If
End Function

Function Str2Hex(ByVal strHex) '返回16进制字符串
Dim sHex,tempnum
For i = 1 To Len(strHex)
  sHex = sHex & Hex(Asc(Mid(strHex,i,1)))
Next
  Str2Hex = sHex
End Function

更新了下

感谢某位朋友提供的思路，解决了运行后CMD.EXE无法自动关闭的问题

包括了卸载补丁，都是立即运行生效的

之前在某论坛看到了篇文章，是说通过在组策略建立路径规则，不允许从临时文件夹启动任何可执行文件（.exe/.bat./.cmd/.com等)，以此达到防病毒的目的。具体的方法如下
运行里面输入 GPEDIT.MSC,然后----计算机配置---WINDOWS设置---安全设置---软件限制策略----其他规则，
点右键选创建新的规则---然后选新路径规则，在路径栏目里面输入 %USERPROFILE%/Local Settings/Temp/（这个是当前用户临时文件夹的变量）*.exe，*.exe这个是你想要限制从临时文件夹启动的文件类型，比如*.bat/*.cmd等，一般我们限制可执行文件就好了，当然你也可以通过这个方法限制其他路径的文件是否允许执行。

一般IE临时文件默认的下载目录都是在临时文件夹中，我们禁止任何可执行文件从临时文件夹启动，这样应该对病毒防御有一定的效果，另外比如某些游戏比如大话等需要从临时文件夹启动的游戏自动升级可能无法运行，不过我们只要随时注意在自己的游戏主机升级这些游戏，也没有什么影响的把。

这个方法虽然有效，但是我们的网吧系统也许都在正常的运行中把，如果需要一台台的去修改的话，也挺麻烦的，所以我为了方便操作，把自己设置好的规则导出来，做成了批处理，你可以通过你的开机维护通道来加载。可能会闪动一下，那是在强制刷新系统，自己再用个VBS去黑框把。

暂时没有发现有什么副作用，有觉得可以的朋友可以拿去试下，帮忙测试下有没有效果，或者有什么病毒网站，（自动下文件并且运行的那种最好），发出来我去测试下。

测试了下，通过维护通道加载实际的应用方法必须如下：

先做一个批处理如下

@echo off

regedit/s //该策略的注册表文件的共享路径

taskkill /im explorer.exe /f

gpupdate/force
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters

start explorer.exe

exit

在开机的维护批处理里面加上上面的内容

这样才可以立即生效，批处理直接导入的好像没有效果

以下是实际应用的批处理，不过需要用到的是注册表，我在附件中发出来了的，包括卸载的注册表

@echo off
echo Windows Registry Editor Version 5.00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths]>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{27122b10-e1d1-47c5-a299-b7d4286539a9}]>>tmp.reg
echo "LastModified"=hex(b):e0,ad,60,64,b9,8e,c7,01>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,/>>tmp.reg
echo 4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,/>>tmp.reg
echo 00,74,00,69,00,6e,00,67,00,73,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,2a,00,/>>tmp.reg
echo 2e,00,63,00,6f,00,6d,00,00,00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{45c49d12-7feb-48b6-81c8-516f801d1062}]>>tmp.reg
echo "LastModified"=hex(b):f6,fc,03,61,b9,8e,c7,01>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,/>>tmp.reg
echo 4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,/>>tmp.reg
echo 00,74,00,69,00,6e,00,67,00,73,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,2a,00,/>>tmp.reg
echo 2e,00,62,00,61,00,74,00,00,00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{4e1ddf37-dbd2-446c-865d-969ad8619b91}]>>tmp.reg
echo "LastModified"=hex(b):52,b5,68,5b,b9,8e,c7,01>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,/>>tmp.reg
echo 4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,/>>tmp.reg
echo 00,74,00,69,00,6e,00,67,00,73,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,2a,00,/>>tmp.reg
echo 2e,00,63,00,6d,00,64,00,00,00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{a88ef251-1ec4-42ce-95df-4f47bf20e2ee}]>>tmp.reg
echo "LastModified"=hex(b):88,0c,06,54,b9,8e,c7,01>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,/>>tmp.reg
echo 4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,/>>tmp.reg
echo 00,74,00,69,00,6e,00,67,00,73,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,2a,00,/>>tmp.reg
echo 2e,00,65,00,78,00,65,00,00,00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{dda3f824-d8cb-441b-834d-be2efd2c1a33}]>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,48,00,4b,00,45,00,59,00,5f,00,43,00,55,00,52,00,52,00,/>>tmp.reg
echo 45,00,4e,00,54,00,5f,00,55,00,53,00,45,00,52,00,5c,00,53,00,6f,00,66,00,74,/>>tmp.reg
echo 00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,/>>tmp.reg
echo 66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,/>>tmp.reg
echo 00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,/>>tmp.reg
echo 5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,53,00,68,00,65,/>>tmp.reg
echo 00,6c,00,6c,00,20,00,46,00,6f,00,6c,00,64,00,65,00,72,00,73,00,5c,00,43,00,/>>tmp.reg
echo 61,00,63,00,68,00,65,00,25,00,4f,00,4c,00,4b,00,2a,00,00,00>>tmp.reg
echo "LastModified"=hex(b):90,ad,4a,7e,32,d9,c4,01>>tmp.reg
regedit /s tmp.reg
del tmp.reg
taskkill /im explorer.exe /f
gpupdate/force
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters

start explorer.exe
exit

补丁卸载：

@echo off
echo Windows Registry Editor Version 5.00>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths]>>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{27122b10-e1d1-47c5-a299-b7d4286539a9}]>>tmp.reg
echo "LastModified"=->>tmp.reg
echo "Description"=->>tmp.reg
echo "SaferFlags"=->>tmp.reg
echo "ItemData"=->>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{45c49d12-7feb-48b6-81c8-516f801d1062}]>>tmp.reg
echo "LastModified"=->>tmp.reg
echo "Description"=->>tmp.reg
echo "SaferFlags"=->>tmp.reg
echo "ItemData"=->>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{4e1ddf37-dbd2-446c-865d-969ad8619b91}]>>tmp.reg
echo "LastModified"=->>tmp.reg
echo "Description"=->>tmp.reg
echo "SaferFlags"=->>tmp.reg
echo "ItemData"=->>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{a88ef251-1ec4-42ce-95df-4f47bf20e2ee}]>>tmp.reg
echo "LastModified"=->>tmp.reg
echo "Description"=->>tmp.reg
echo "SaferFlags"=->>tmp.reg
echo "ItemData"=->>tmp.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Safer/CodeIdentifiers/0/Paths/{dda3f824-d8cb-441b-834d-be2efd2c1a33}]>>tmp.reg
echo "Description"="">>tmp.reg
echo "SaferFlags"=dword:00000000>>tmp.reg
echo "ItemData"=hex(2):25,00,48,00,4b,00,45,00,59,00,5f,00,43,00,55,00,52,00,52,00,/>>tmp.reg
echo 45,00,4e,00,54,00,5f,00,55,00,53,00,45,00,52,00,5c,00,53,00,6f,00,66,00,74,/>>tmp.reg
echo 00,77,00,61,00,72,00,65,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,/>>tmp.reg
echo 66,00,74,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,43,00,75,/>>tmp.reg
echo 00,72,00,72,00,65,00,6e,00,74,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,/>>tmp.reg
echo 5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,53,00,68,00,65,/>>tmp.reg
echo 00,6c,00,6c,00,20,00,46,00,6f,00,6c,00,64,00,65,00,72,00,73,00,5c,00,43,00,/>>tmp.reg
echo 61,00,63,00,68,00,65,00,25,00,4f,00,4c,00,4b,00,2a,00,00,00>>tmp.reg
echo "LastModified"=hex(b):90,ad,4a,7e,32,d9,c4,01>>tmp.reg
regedit /s tmp.reg
del/y tmp.reg
taskkill /im explorer.exe /f
gpupdate/force
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters

start explorer.exe

exit