如何修复此md5扫描仪而不删除受感染的恶意软件文件?

时间:2019-04-22 14:03:34

标签: batch-file md5 malware-detection virus-scanning

我正在使用运行Windows 10的Hyper-V VM对完成的md5恶意软件扫描程序进行质量检查。该扫描程序未删除https://virusshare.com提供的恶意软件样本,这些样本包含在扫描程序数据库中并且是最新的。

我已经尝试过恢复为原始的SachaDee's code,但是没有用。可能是由于环境变量在某处设置不正确。

:MD5
cls
color 1c
title MD5 scanner
echo.
echo Warning!
echo.
echo This feature is undergoing multiple test-runs.
echo.
echo This moldule will auto remove malware when scanning.
echo.
echo This moldule could delete system or private files without any intent to do it.
echo.
echo We are not responsible for any damage to your computer or your files by using this moldule.
echo.
echo You have been WARNED!
echo.
pause

:dbpatch
cls
color B5
title MD5 scanner - Database Updates [0/4] 
cd /d "%~dp0\wget-1.11.4-1-bin\bin"
wget --timeout=30 --timestamping --continue --no-check-certificate https://media.githubusercontent.com/media/Richienb/virusshare-hashes/master/virushashes.txt
pause
goto :Asksect

:Asksect
cls
title MD5 scanner - Database Updates [0/4]
echo Do you want to retry the update?
echo.
echo Y/N
echo.
set /p chc45=
if %chc45%==y goto :dbpatch
if %chc45%==Y goto :dbpatch
if %chc45%==n goto :scan
if %chc45%==N goto :scan
goto :Asksect

:scan
cd /d "%~dp0" 
cls
title MD5 scanner - Database Updates [0/4]
echo Checked for Database Updates! Proceeding to Scan Engine...
echo.
pause 
cls
title MD5 scanner - Scan Path [0/4]
REM Copyright 2014 BatchProg
echo please specify path to scan down here
echo example C:\Users
echo AND PLEASE DONT ENTER SOMETHING THAT ISNT A COMPUTER PATH
echo IF YOU ENTER SOMETHING THAT ISNT A COMPUTER PATH THE PROGRAM WILL CRASH
set /p pathscan2=path:
cls
title MD5 scanner - Setting up necessary things [1/4]
del /f /q %~dp0\output.txt
REM for /r %%x in (*) do set /a fcount=%fcount%+1
REM set /a totsecscan=%fcount%*15
REM set /a totminscan=%totsecscan%/60
REM if %totminscan%==0 set /a etascan=%totsecscan% seconds && goto :md5hash
REM set /a tothourscan=%totminscan%/60
REM if %tothourscan%==0 set /a etascan=%totminscan% minutes && goto :md5hash
REM set /a totdayscan=%tothourscan%/24
REM if %totdayscan%==0 set /a etascan=%tothourscan% hours && goto :md5hash
REM set /a etascan=%totdayscan% days
goto :md5hash

:md5hash
cls
title MD5 scanner - Hashing [2/4]
set "$base=%~dp0\wget-1.11.4-1-bin\bin\virushashes.txt"
for /r %%f in (%pathscan2%) do %~dp0\md5.exe "%%f " >> %~dp0\output.txt
cd /d "%~dp0"
title MD5 scanner - Comparing Hashes with known malware hashes [3/4]
cls
%pathscan2% echo ETA of scan:%etascan%
echo.
echo Uses a lot of CPU power to process but this is real scanner.
echo It does find real malware but the ability to remove it-
echo is related with the environment it is run on.
echo Run on Safe mode with networking for best results. 
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
title MD5 scanner - Deleting Temporary Files [4/4]
del /f /q %~dp0\output.txt
cls
title MD5 scanner - Completed
echo Scan and Delete completed
echo.
pause
goto :menu

我希望

for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "

将output.txt中的哈希与恶意软件哈希库进行比较,并删除任何恶意文件(如果可能,提示用户),但是代码根本不会删除任何文件。

其他信息; 样本output.txt

D3041FF4F3B76CC0353064D1133BFEDE  D:\EvaxHybrid\backup\.tmp.drivedownload\1191564.driveupload 
6756458290BE387639F0068C706E8881  D:\EvaxHybrid\backup\.tmp.drivedownload\1659364.driveupload 
9A66042E5A3619A7B49633752044FCEA  D:\EvaxHybrid\backup\.tmp.drivedownload\1977560.driveupload 
9E44B511DD344F2D35FA513EEA0D54E4  D:\EvaxHybrid\backup\.tmp.drivedownload\2110290.driveupload 
A845071F7C4B4E67EF64BFB4BF5C3FB5  D:\EvaxHybrid\backup\.tmp.drivedownload\2923965.driveupload 
C49B5CD76F60FCD284209384E2E4EB55  D:\EvaxHybrid\backup\.tmp.drivedownload\2924089.driveupload 
6B7484B3ADCE8141A4E7411C7F66A9D7  D:\EvaxHybrid\backup\.tmp.drivedownload\3048269.driveupload 
5A48A1B8A70B5A3A39D5EBC9B370BE4D  D:\EvaxHybrid\backup\.tmp.drivedownload\3395701.driveupload 
58B19F4875C82A846AD6DE62096D5F19  D:\EvaxHybrid\backup\.tmp.drivedownload\3488031.driveupload 
C7E363D722920967E737747DB0C79EDE  D:\EvaxHybrid\backup\.tmp.drivedownload\3660857.driveupload 
DBC938D49B09BE7E0FC1E7BEB74F487D  D:\EvaxHybrid\backup\.tmp.drivedownload\3673375.driveupload 
6068C7836BFF997EDBE52C6EC0AE7DF3  D:\EvaxHybrid\backup\.tmp.drivedownload\4033639.driveupload 
CD86C81B193594F8320832D34294CFA0  D:\EvaxHybrid\backup\.tmp.drivedownload\4132442.driveupload 
91D6210AA04AA666E2F32FF64B996E7E  D:\EvaxHybrid\backup\.tmp.drivedownload\4155809.driveupload 
7941801B8AF887E45B5021ED2466D4F8  D:\EvaxHybrid\backup\.tmp.drivedownload\4166678.driveupload    

1 个答案:

答案 0 :(得分:0)

for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "

for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find /I "%%a" "%$base%" >nul && del /p /f /s "%%b "

查找“ %% a”“%$ base%”> nul 更改为查找 / I “ %% a”“%$ base%” > nul ,因为数据库中的字母大小写和哈希算法输出(output.txt)有所不同。