Source code of the first generation of signature engine of Pclxav Trojan hunter

Source: Internet
Author: User

The main reason for this release is a long-standing engine problem in a certain Chinese security product.

Security software should bring its users security, not trouble.

The specific engine problem is this: when a file is scanned, a copy of it is created first, and it is the copy that is scanned.

Even an unpacking expert like AVP will not strip such a packer when it sees one; it is also very likely that viruses can be extracted directly from the packed file.

Definition.

The source code follows. Some sections have been deleted, because this article is not meant to let everyone write a scanner, and this engine is no longer in use.

.

Const cBuf_Size = 65536; // Size in bytes of the sliding read window that CheckInternalBuffer keeps in memory.

Var fintbuffer: pbytearray; // The window itself. Its file offset lives in fIntBufferPos, which is declared elsewhere in the unit.

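Procedure CheckInternalBuffer(aPos: Integer);
// Make sure the byte at file offset aPos (plus 16 bytes of slack after it)
// lies inside the in-memory window fIntBuffer, reloading the window from
// fIntFile when it does not.
//
// The window is re-centred half a buffer before aPos so that the
// backtracking done by Find does not trigger a reload on every step.
//
// Side effects: fIntBufferPos is set to the file offset of the window
// start. Bytes of the window that lie past end-of-file are zeroed, so a
// short read near the end of the file never leaves bytes from the previous
// window (or uninitialised heap) where Find could match them.
Var
  pFR, pRead: Integer;
Begin
  If (fIntBufferPos = -1) or (aPos < fIntBufferPos) or
     ((aPos + 16) > (fIntBufferPos + cBuf_Size)) Then
  Begin
    pFR := aPos - (cBuf_Size div 2);
    If pFR < 0 Then
      pFR := 0;
    fIntFile.Position := pFR;
    // TStream.Read returns the number of bytes actually read; the published
    // listing ignored it, so the tail of the window was stale after a
    // short read.
    pRead := fIntFile.Read(fIntBuffer^, cBuf_Size);
    If pRead < cBuf_Size Then
      FillChar(fIntBuffer^[pRead], cBuf_Size - pRead, 0);
    fIntBufferPos := pFR;
  End;
End;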

Procedure FreeFile;
// Release the read stream opened by LoadFromFile, if there is one, and
// clear the global so that calling this twice is harmless.
Begin
  If not Assigned(fIntFile) Then
    Exit;
  fIntFile.Free;
  fIntFile := nil;
End;

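Function CanOpenFile(const aName: string): Boolean;
// Probe whether aName can be opened for reading right now: the file must
// exist and CreateFile must succeed with GENERIC_READ while permitting
// other readers (FILE_SHARE_READ). The handle is closed at once; nothing
// is read.
//
// The answer is only a snapshot - the file can still become unopenable
// between this check and LoadFromFile, so that call has to cope with
// failure on its own rather than rely on this result.
//
// The published listing spells the share flag "file_assist_read", which is
// not a Windows constant; FILE_SHARE_READ is the one that exists.
Var
  fHandle: THandle;
Begin
  Result := False;
  If not FileExists(aName) Then
    Exit;
  fHandle := CreateFileA(PChar(aName), GENERIC_READ, FILE_SHARE_READ,
    nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  If fHandle = INVALID_HANDLE_VALUE Then
    Exit;
  CloseHandle(fHandle);
  Result := True;
End;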

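Function LoadFromFile(const Filename: string): Boolean;
// Open Filename through the global fIntFile for signature scanning and
// reset the window state so that the first CheckInternalBuffer call reloads.
//
// Returns True once the stream is open. An exception raised while opening
// or sizing the file propagates to the caller unchanged, but only after the
// globals have been cleared, so a later Find cannot touch a dead stream.
//
// A stream left behind by an earlier call is released first; the published
// listing simply overwrote the pointer and leaked it.
Begin
  Result := False;
  FreeFile;
  fIntFile := newreadfilestream(Filename);
  Try
    fIntFile.Position := 0;
    fDataSize2 := fIntFile.Size;   // used to bound searches to real file content
    fIntBufferPos := -1;           // forces a reload on the next CheckInternalBuffer
    Result := True;
  Except
    FreeFile;
    Raise;
  End;
End;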

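Function Find(aBuffer: PChar; const aCount, aStart, aEnd: Integer): Integer;
// Search the file currently loaded by LoadFromFile for the aCount bytes at
// aBuffer, looking only at file offsets aStart..aEnd inclusive.
// Returns the offset of the first match, or -1 when there is none.
//
// Bytes are read through the sliding window kept by CheckInternalBuffer.
// The comparison is an exact byte compare - no case folding. Matching is
// the plain restart-on-mismatch scan, so the worst case is aCount times the
// window length; fine for short signatures, which is what this is used for.
//
// The published listing still carried a commented-out TCursor save/restore
// from the hex-editor control it was cut from; that has been dropped.
Var
  pChAct: Char;
  pCMem, pCFind, pCHit, pEnd: Integer;
Begin
  Result := -1;
  // Negative offsets would index before the window start; an empty
  // pattern matches nothing.
  If (aCount < 1) or (aStart < 0) Then
    Exit;
  pEnd := aEnd;
  // Offsets at or beyond the file size hold no file content; clamping here
  // stops a caller-supplied window from comparing against bytes of the
  // window buffer that were never read from this file.
  If pEnd > fDataSize2 - 1 Then
    pEnd := fDataSize2 - 1;
  If aStart + aCount > (pEnd + 1) Then
    Exit;  // the remaining window is shorter than the pattern
  pCMem := aStart;      // file offset currently being compared
  pCFind := 0;          // index into the pattern
  pCHit := pCMem + 1;   // where to resume after a failed partial match
  Repeat
    If pCMem > pEnd Then
      Exit;
    CheckInternalBuffer(pCMem);
    pChAct := Char(fIntBuffer^[pCMem - fIntBufferPos]);
    If pChAct = aBuffer[pCFind] Then
    Begin
      If pCFind = aCount - 1 Then
      Begin
        Result := pCMem - aCount + 1;
        Exit;
      End;
      If pCFind = 0 Then
        pCHit := pCMem + 1;
      Inc(pCMem);
      Inc(pCFind);
    End
    Else
    Begin
      // Mismatch: restart one byte after the start of the partial match.
      pCMem := pCHit;
      pCFind := 0;
      pCHit := pCMem + 1;
    End;
  Until False;
End;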

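Function TForm1.check2(filename: string): boolean;
// Decode one signature given as hex text (findstr) into raw bytes and test
// whether the file currently loaded through LoadFromFile carries exactly
// those bytes at offset mypos. Returns True on a hit, False otherwise.
//
// The published listing omits the code that assigns findstr and mypos
// ("Findstr, mypos value:" in the original); mypoint is taken from there
// unchanged, and the filename parameter is unused in what remains. The
// author also removed the multi-segment and "ignore part of the byte code"
// handling, and his call passed findstr as an extra first argument to
// Find, which does not match the Find signature shown above.
Const
  cHexChars = '0123456789ABCDEF';
Var
  FindLen, FindPos, mypos: LongInt;
  findstr, pStr: String;
  pCT, pCT1, hi, lo: Integer;
  FindBuf: PChar;
Begin
  Result := False;
  // [omitted from the published listing] findstr (hex text of the
  // signature) and mypos (file offset to test) are assigned here.
  mypos := mypoint;
  // Each signature byte is two hex digits; an odd-length string would
  // silently lose its last nibble, so treat it as malformed.
  If Odd(Length(findstr)) Then
    Exit;
  pCT1 := Length(findstr) div 2;
  If pCT1 = 0 Then
    Exit;  // an empty signature can never match
  pStr := '';
  For pCT := 0 to pCT1 - 1 Do
  Begin
    hi := Pos(UpCase(findstr[pCT * 2 + 1]), cHexChars);
    lo := Pos(UpCase(findstr[pCT * 2 + 2]), cHexChars);
    // Pos returns 0 for a character that is not a hex digit. The original
    // turned that into an arbitrary byte value and carried on; a signature
    // that cannot be decoded should be rejected instead. UpCase also
    // admits lower-case hex, which the original silently mis-decoded.
    If (hi = 0) or (lo = 0) Then
      Exit;
    pStr := pStr + Char((hi - 1) * 16 + (lo - 1));
  End;
  FindLen := pCT1;
  GetMem(FindBuf, FindLen);
  Try
    Move(pStr[1], FindBuf^, FindLen);
    // Exact-offset test: the window is just wide enough for one match at mypos.
    FindPos := Find(FindBuf, FindLen, mypos, mypos + FindLen - 1);
    If FindPos <> -1 Then
    Begin
      // Do something!
      Result := True;
    End;
  Finally
    FreeMem(FindBuf);  // the published listing never released this buffer
  End;
End;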

The code that supports multi-segment definition is omitted, that is, the code can be found and then continued.

The support for "ignore part of the byte code" is also omitted; it is nothing more than a modification of the Find function.

The code is messy. Indeed, I have never liked to arrange it neatly. Otherwise, how can I make a BUG (funny)

This code was split out of a hex-editor control. Because that control was built for editing files, it copied the file to the temporary Windows folder and worked on the copy there, to avoid accidental damage to the original.

Therefore, before reusing any control, check carefully what its source code actually does and modify it where necessary; otherwise it will harm the user.

.

Jiangmin can modify the virus code of a security software that can check 2000 viruses if he does not know how to kill software in China.

Measurement available

Rising stars, if they can improve the international virus hunting capabilities and pay more attention to foreign trends, there is still hope.

Kingsoft, do not give away what users do not need for free, the future will be better.

Foreign Anti-Virus capabilities: KAV> MCAFEE> NOD32

The opposite is unknown virus hunting.

The last little requirement is that we hope Chinese people will rarely use foreign multi-engine detection, so that we can try to make the domestic environment more powerful.

The author of this article, jike, creator of the2avpro (pclxav), is running the second generation of signature engine

It is still unknown whether three generations of floating pattern engines can come out.

Contact: jike_man@hotmail.com http://crackchina.nease.net/
