Repost: a Viking virus kill-tool's code. Study later 001


The Viking virus has claimed many victims, and what is more exasperating is that the dedicated removal tools provided by the security software vendors cannot remove it completely.
Having no other option, I wrote one myself; anyone who needs it can download it here: http://www.chenoe.com
The tool can effectively strip the virus out of infected EXE files and restore them, whereas most tools on the net simply delete the infected EXE files. In addition, this tool also has a Viking immunity function.

After downloading, run it directly to scan and kill. If, after several passes, a process still cannot be shut down, restart the computer and continue scanning; that should kill it. Repeat until the virus count reaches 0.

Below is the code for the process-termination part of the tool. Ending a process generally uses the TerminateProcess function, but for the more stubborn processes unconventional means are used to kill them.
My approach is to first raise this program's privilege to the debug level. Then close the process with TerminateProcess; if that fails, enumerate the threads of the process and close them with TerminateThread, then end the process with TerminateProcess again. This basically shuts down 99% of non-system processes.
Also, for a process that has been injected with a virus DLL, the modules loaded in the process are enumerated and checked, and it is then decided whether or not to kill it; the kill method is the same as above.

The following is the process-, thread- and module-related code:
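' --- Toolhelp32 snapshot enumeration and process/thread control (kernel32) ---
' A Declare without an Alias is resolved with the Declare name itself, and DLL
' export names are case-sensitive, so the exact export spelling is used below
' (the lower-casing on this page is most likely a transcription artifact; VB
' identifiers are case-insensitive, so every call site in the module still binds).
' The snapshot handle returned by CreateToolhelp32Snapshot is -1 (INVALID_HANDLE_VALUE)
' on failure and must be released with CloseHandle.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lflags As Long, ByVal Lprocessid As Long) As Long
' uprocess / Lpte / Lppe / LPME are passed ByRef; their dwSize member must be set to the
' structure length before the *First call or the call fails.
Private Declare Function Process32First Lib "kernel32" (ByVal hsnapshot As Long, uprocess As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hsnapshot As Long, uprocess As PROCESSENTRY32) As Long
Private Declare Function Thread32First Lib "KERNEL32.dll" (ByVal hsnapshot As Long, ByRef Lpte As THREADENTRY32) As Long
Private Declare Function Thread32Next Lib "KERNEL32.dll" (ByVal hsnapshot As Long, ByRef Lpte As THREADENTRY32) As Long
Private Declare Function Module32First Lib "KERNEL32.dll" (ByVal hsnapshot As Long, ByRef Lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "KERNEL32.dll" (ByVal hsnapshot As Long, ByRef LPME As MODULEENTRY32) As Long
' Both Terminate* calls take a HANDLE obtained from OpenProcess / OpenThread, never a raw ID.
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hprocess As Long, ByVal Uexitcode As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hthread As Long, ByVal Dwexitcode As Long) As Long
' The page read "DW ProcessId" here; the parameter is dwProcessId.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwdesiredaccess As Long, ByVal binherithandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function OpenThread Lib "KERNEL32.dll" (ByVal dwdesiredaccess As Long, ByVal binherithandle As Long, ByVal dwThreadID As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal Hobject As Long) As Long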

' CreateToolhelp32Snapshot flags: which object lists the snapshot captures.
' TH32CS_SNAPPROCESS and TH32CS_SNAPTHREAD are system-wide regardless of the
' process ID argument; TH32CS_SNAPMODULE is for the given process only.
Private Const th32cs_snapprocess = &h2
Private Const th32cs_snapthread = &h4
Private Const th32cs_snapmodule as Long = &h8

' PROCESS_TERMINATE access right for OpenProcess. The same value (&H1) is also
' THREAD_TERMINATE, which is why Killthread can pass this constant to OpenThread.
Private Const process_terminate as Long = (&H1)
Private Const MAX_PATH as Integer = 260

' One record of a TH32CS_SNAPPROCESS snapshot (Process32First/Next).
Private Type PROCESSENTRY32
dwsize as Long              ' set to Len(PE32) before Process32First (see getprocesslist)
Cntusage as Long
Th32processid as Long       ' process ID; passed to OpenProcess, Inmodule and Killthread
Th32defaultheapid as Long
Th32moduleid as Long
Cntthreads as Long
Th32parentprocessid as Long
Pcpriclassbase as Long
DwFlags as Long
Szexefile as String * MAX_PATH   ' image file name only (no path), NUL-padded; killprocess cuts it at the first vbNullChar
End Type

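' One record of a TH32CS_SNAPMODULE snapshot (Module32First/Next).
' The field sizes must match the Win32 MODULEENTRY32 layout exactly: dwSize is
' set from Len(ME32) in getmodulelist, and a wrong length makes Module32First fail.
Private Type moduleentry32                                            ' module
    dwsize As Long                  ' set to Len(ME32) before Module32First
    th32moduleid As Long
    th32processid As Long           ' owning process ID
    glblcntusage As Long
    proccntusage As Long
    modbaseaddr As Long             ' BYTE* base address: a 32-bit pointer, hence Long (the page's "Byte" misread the C type)
    modbasesize As Long
    hmodule As Long
    szmodule As String * 256        ' MAX_MODULE_NAME32 + 1; NUL-padded, Inmodule cuts at the first vbNullChar
    szexepath As String * MAX_PATH  ' 260; the page's "1024x768" was a transcription error
End Type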

' One record of a TH32CS_SNAPTHREAD snapshot (Thread32First/Next). The snapshot
' covers every thread in the system; getthreadlist filters on Th32ownerprocessid.
Private Type THREADENTRY32 ' thread
dwsize as Long              ' set to Len(TE32) before Thread32First
Cntusage as Long
Th32threadid as Long        ' thread ID; must go through OpenThread before TerminateThread
Th32ownerprocessid as Long  ' ID of the process that owns the thread
Tpbasepri as Long
Tpdeltapri as Long
DwFlags as Long
End Type

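Public Function Killthread(ByVal ProcessID As Long) As Boolean
    ' Terminates every thread owned by process ProcessID. Used by killprocess
    ' as a fallback when TerminateProcess alone fails, before it retries.
    ' Returns True only when at least one thread handle was opened and
    ' TerminateThread succeeded on every opened thread. (Previously the
    ' result reflected only the last thread visited, and every thread
    ' handle was leaked.)
    ' TerminateThread gives the target no chance to release locks or run DLL
    ' detach notifications; that is tolerable here only because the whole
    ' process is about to be terminated anyway.
    Dim hThread As Long, r As Long, i As Long
    Dim opened As Long, failed As Long
    Dim last As Long
    Dim TList() As THREADENTRY32

    TList = Getthreadlist(ProcessID)

    ' Getthreadlist leaves the array unallocated when nothing matched;
    ' UBound raises error 9 on such an array, so probe it under On Error.
    last = -1
    On Error Resume Next
    last = UBound(TList)
    On Error GoTo 0
    If last < 0 Then Exit Function

    For i = 0 To last
        With TList(i)
            ' THREAD_TERMINATE equals PROCESS_TERMINATE (&H1), so the existing
            ' constant is the correct access mask for OpenThread.
            hThread = OpenThread(process_terminate, False, .Th32threadid)   ' get thread handle
            If hThread <> 0 Then
                opened = opened + 1
                r = TerminateThread(hThread, 0)                           ' close thread
                If r = 0 Then failed = failed + 1
                CloseHandle hThread                                       ' handle was leaked before
            End If
        End With
    Next
    Killthread = (opened > 0) And (failed = 0)
End Function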


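Public Function killprocess(ByVal ProcessName As String, Optional ByVal Bkillthread As Boolean) As Boolean
    ' Terminates every running process whose image name equals ProcessName
    ' (case-insensitive, bare file name as reported in szExeFile) or that has
    ' a module of that name loaded (Inmodule), i.e. a host the virus DLL was
    ' injected into. If TerminateProcess fails and Bkillthread is True,
    ' Killthread is run first and TerminateProcess is retried.
    ' Returns True when at least one process was terminated (the original
    ' never assigned its return value). Each step is logged through Addlog and
    ' Form1.lbState shows the process currently being checked.
    ' Note that matching on the bare image name cannot catch a renamed copy of
    ' the virus, and kills any unrelated process that happens to share the name.
    Dim hProcess As Long, r As Long
    Dim PList() As PROCESSENTRY32
    Dim Name As String, i As Long, p As Long
    Dim inDll As Boolean, last As Long

    PList = Getprocesslist

    ' Getprocesslist leaves the array unallocated when the snapshot failed;
    ' UBound raises error 9 on such an array, so probe it under On Error.
    last = -1
    On Error Resume Next
    last = UBound(PList)
    On Error GoTo 0
    If last < 0 Then Exit Function

    For i = 0 To last
        With PList(i)
            ' szExeFile is NUL-padded: cut at the first NUL. Left(..., -1)
            ' would raise if no NUL were present, so fall back to the raw field.
            p = InStr(1, .Szexefile, vbNullChar)
            If p > 0 Then Name = Left(.Szexefile, p - 1) Else Name = .Szexefile
            DoEvents
            Form1.lbState.Caption = "In memory Check Poison:" & Name
            inDll = Inmodule(.Th32processid, ProcessName)

            If LCase(Trim(Name)) = LCase(Trim(ProcessName)) Or inDll Then
                hProcess = OpenProcess(process_terminate, False, .Th32processid)   ' Get process handle
                If hProcess <> 0 Then
                    r = TerminateProcess(hProcess, 0)   ' Close process
                    If r Then
                        Addlog Name, "closed process"
                        killprocess = True
                    Else
                        If Bkillthread Then
                            If Killthread(.Th32processid) Then
                                Addlog Name, "End Thread"
                            Else
                                Addlog Name, "Thread End Failed"
                            End If
                        End If
                        r = TerminateProcess(hProcess, 0)   ' retry once the threads are gone
                        If r Then
                            Addlog Name, "closed process"
                            killprocess = True
                        Else
                            Addlog Name, "Process end Failed"
                        End If
                    End If
                    CloseHandle hProcess                    ' handle was leaked before
                Else
                    Addlog Name, "Unable to get process handle"
                End If
            End If
        End With
    Next
End Function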

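Private Function getthreadlist(ByVal ProcessID As Long) As THREADENTRY32()
    ' Returns the THREADENTRY32 records of every thread owned by ProcessID.
    ' A TH32CS_SNAPTHREAD snapshot lists all threads in the system, so the
    ' owner ID is filtered here. The result is left unallocated when the
    ' snapshot fails or no thread matches; callers must guard UBound.
    ' This is a pure enumeration. The original also called TerminateThread
    ' with te32.th32ThreadID, which is a thread ID, not a handle: that call
    ' could never hit the intended thread and, because handle values and IDs
    ' overlap numerically, could even act on an unrelated handle of this
    ' process. The actual termination is done by Killthread.
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim i As Long
    Dim TList() As THREADENTRY32
    Dim te32 As THREADENTRY32
    Dim hThreadSnap As Long
    Dim theLoop As Long

    hThreadSnap = CreateToolhelp32Snapshot(th32cs_snapthread, ProcessID)
    If hThreadSnap = INVALID_HANDLE_VALUE Then Exit Function
    te32.dwsize = Len(te32)            ' required before Thread32First

    theLoop = Thread32First(hThreadSnap, te32)
    While theLoop <> 0
        If te32.Th32ownerprocessid = ProcessID Then
            ReDim Preserve TList(i)
            TList(i) = te32
            i = i + 1
        End If
        theLoop = Thread32Next(hThreadSnap, te32)
    Wend

    CloseHandle hThreadSnap
    getthreadlist = TList
End Function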

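Private Function getprocesslist() As PROCESSENTRY32()
    ' Returns one PROCESSENTRY32 record per process in a TH32CS_SNAPPROCESS
    ' snapshot. The result is left unallocated when the snapshot cannot be
    ' created (the original went on to call Process32First on the -1 handle);
    ' callers must guard UBound.
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim i As Long
    Dim PList() As PROCESSENTRY32
    Dim pe32 As PROCESSENTRY32
    Dim hProcessSnap As Long
    Dim theLoop As Long

    hProcessSnap = CreateToolhelp32Snapshot(th32cs_snapprocess, 0)
    If hProcessSnap = INVALID_HANDLE_VALUE Then Exit Function
    pe32.dwsize = Len(pe32)            ' required before Process32First

    theLoop = Process32First(hProcessSnap, pe32)
    While theLoop <> 0
        ReDim Preserve PList(i)
        PList(i) = pe32
        i = i + 1
        theLoop = Process32Next(hProcessSnap, pe32)
    Wend

    CloseHandle hProcessSnap
    getprocesslist = PList
End Function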

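Private Function getmodulelist(ByVal ProcessID As Long) As MODULEENTRY32()
    ' Returns one MODULEENTRY32 record per module loaded in process ProcessID
    ' (TH32CS_SNAPMODULE snapshot). The result is left unallocated when the
    ' snapshot cannot be created — which also happens when the process has
    ' exited or cannot be opened — so callers must guard UBound; Inmodule
    ' treats that as "module not found".
    Const INVALID_HANDLE_VALUE As Long = -1
    Dim i As Long
    Dim mlist() As MODULEENTRY32
    Dim me32 As MODULEENTRY32
    Dim hModuleSnap As Long
    Dim theLoop As Long

    hModuleSnap = CreateToolhelp32Snapshot(th32cs_snapmodule, ProcessID)
    If hModuleSnap = INVALID_HANDLE_VALUE Then Exit Function
    me32.dwsize = Len(me32)            ' required before Module32First

    theLoop = Module32First(hModuleSnap, me32)
    While theLoop <> 0
        ReDim Preserve mlist(i)
        mlist(i) = me32
        i = i + 1
        theLoop = Module32Next(hModuleSnap, me32)
    Wend

    CloseHandle hModuleSnap
    getmodulelist = mlist
End Function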

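Private Function Inmodule(ByVal ProcessID As Long, ByVal ModuleName As String) As Boolean
    ' True when process ProcessID has a loaded module whose name (szModule,
    ' cut at the first NUL) equals ModuleName case-insensitively. killprocess
    ' uses it to catch hosts the virus DLL was injected into.
    ' Any runtime error — including UBound on the unallocated array that
    ' Getmodulelist returns when the snapshot failed — jumps to the exit
    ' label and yields False, so a process that cannot be inspected is
    ' silently treated as clean.
    Dim i As Long, p As Long
    Dim mlist() As MODULEENTRY32
    Dim Name As String

    On Error GoTo ExitHere

    mlist = Getmodulelist(ProcessID)

    For i = 0 To UBound(mlist)
        With mlist(i)
            ' szModule is NUL-padded; fall back to the raw field if no NUL is present.
            p = InStr(1, .szmodule, vbNullChar)
            If p > 0 Then Name = Left(.szmodule, p - 1) Else Name = .szmodule
            If LCase(Name) = LCase(ModuleName) Then
                Inmodule = True
                Exit For
            End If
        End With
    Next
ExitHere:
End Function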

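' Appends one anti-virus log record (process name, action taken) to the
' ListView Form1.lv — the same form whose lbState caption killprocess updates.
' The page read "for M1.lv" here, a transcription break inside "Form1.lv".
Sub Addlog(txt1 As String, txt2 As String)
    Dim item As ListItem
    Set item = Form1.lv.ListItems.Add(, , txt1)
    item.SubItems(1) = txt2
End Sub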

The following is the code that raises this program's privilege level; it can be called before the program loads: Enabledebugprivilege
' 64-bit value split into two Longs. Used here as the LUID of a privilege
' (LookupPrivilegeValue fills it); the LUID layout is the same two 32-bit halves.
Private Type Large_integer
LowPart as Long
Highpart as Long
End Type

' ANYSIZE_ARRAY: nominal element count of the Privileges array in token_privileges.
Private Const Anysize_array as Long = 1
' Attributes value that turns a privilege on in AdjustTokenPrivileges.
Private Const se_privilege_enabled as Long = &h2
' Token access rights needed by OpenProcessToken for the adjustment below.
Private Const token_adjust_privileges as Long = &h20
Private Const token_query as Long = &h8

' One privilege entry: its LUID plus attribute flags (e.g. se_privilege_enabled).
Private Type luid_and_attributes
LUID as Large_integer
Attributes as Long
End Type

' TOKEN_PRIVILEGES as passed to AdjustTokenPrivileges. Note that in VB
' "Privileges(Anysize_array)" declares indices 0 To 1, i.e. two entries, so
' LenB(TP) is larger than the C structure; only Privileges(0) is used and
' Privilegecount is set to 1, so the extra entry is ignored by the API.
Private Type token_privileges
Privilegecount as Long
Privileges (Anysize_array) as Luid_and_attributes
End Type

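' --- Token / privilege APIs (advapi32, kernel32) ---
' Exact export spelling is used: a Declare without an Alias is resolved by the
' Declare name, and export names are case-sensitive. The Alias for
' LookupPrivilegeValue must likewise be "LookupPrivilegeValueA" — the
' lower-cased "Lookupprivilegevaluea" would fail with "Can't find DLL entry
' point" at run time. Broken tokens on the page ("Str ING", "A s long",
' "by Ref") are rejoined.
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal Lpsystemname As String, ByVal lpname As String, ByRef Lpluid As Large_integer) As Long
' previousstate is ByRef Long: callers must pass the first member of a real
' token_privileges buffer (or 0 with care — see Enabledebugprivilege), never a
' literal with a non-zero bufferlength.
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal tokenhandle As Long, ByVal disableallprivileges As Long, ByRef newstate As Token_privileges, ByVal bufferlength As Long, ByRef previousstate As Long, ByRef returnlength As Long) As Long
Private Declare Function GetCurrentProcess Lib "KERNEL32.dll" () As Long
Private Declare Function GetCurrentProcessId Lib "KERNEL32.dll" () As Long

' If this section lives in the same module as the Toolhelp32 declarations
' above, this second CloseHandle Declare is a duplicate and must be removed.
Private Declare Function CloseHandle Lib "KERNEL32.dll" (ByVal Hobject As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal desiredaccess As Long, ByRef Tokenhandle As Long) As Long
' Unreliable from VB: the runtime makes Win32 calls of its own between two
' Declare calls; prefer Err.LastDllError immediately after the Declare call.
Private Declare Function GetLastError Lib "KERNEL32.dll" () As Long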


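Function Enabledebugprivilege() As Boolean
    ' Enables SeDebugPrivilege in this process's token so that OpenProcess /
    ' OpenThread succeed on processes of other users or with restrictive
    ' DACLs. The privilege must already be present in the token (it is only
    ' switched on here); otherwise the adjustment is reported as failed.
    ' Returns True only when AdjustTokenPrivileges succeeded AND the last
    ' error is 0: the API returns nonzero even when the privilege was not
    ' assigned (ERROR_NOT_ALL_ASSIGNED), so the error code must be checked.
    ' Err.LastDllError replaces the GetLastError Declare — the VB runtime
    ' makes Win32 calls of its own between two Declare calls and can
    ' overwrite the thread's last-error value, and "If R And Not E" was a
    ' bitwise test that only worked by accident for R = 1.
    Dim TP As token_privileges
    Dim prev As token_privileges
    Dim retLen As Long
    Dim hToken As Long, r As Long, e As Long

    r = OpenProcessToken(GetCurrentProcess, token_adjust_privileges Or token_query, hToken)
    e = Err.LastDllError
    If r <> 0 And e = 0 Then
        r = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", TP.Privileges(0).LUID)
        e = Err.LastDllError
        If r <> 0 And e = 0 Then
            TP.Privilegecount = 1
            TP.Privileges(0).Attributes = se_privilege_enabled
            ' The Declare takes previousstate ByRef Long. Passing the literal 0
            ' hands the API a 4-byte temporary while claiming LenB(TP) bytes of
            ' room, so the previous-state write could overrun it. Passing the
            ' first member of a real token_privileges gives it a buffer of the
            ' advertised size (the address of the first member is the struct's).
            r = AdjustTokenPrivileges(hToken, False, TP, LenB(prev), prev.Privilegecount, retLen)
            Enabledebugprivilege = (r <> 0) And (Err.LastDllError = 0)
        End If
    End If
    If hToken <> 0 Then Call CloseHandle(hToken)
End Function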
