Simple implementation of anti-virus software (quoted)

Source: Internet
Author: User
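#define DEBUGMSG

#include <windows.h>
#include <windef.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include "psapi.h"

#pragma comment(lib, "psapi.lib")

/* Last Win32 error code for diagnostics. It is a DWORD: print with %lu. */
#define ERRON GetLastError()

/*
 * Buffer sizes.
 * FIVE sizes `name`, which receives a bare file name copied out of
 * WIN32_FIND_DATA.cFileName; that field can hold up to MAX_PATH characters,
 * so the old value of 50 could be overrun by a long match. HIGH sizes the
 * scratch buffer that receives the signature bytes read from a file.
 */
#define FIVE MAX_PATH
#define HIGH 255

TCHAR name[FIVE] = {0}; /* bare file name of the detected worm image; set by scanvxer() */
FILE *gfp = NULL;       /* log file ("vxer.txt"), opened by main() when DEBUGMSG is defined */

/* Compare `v_length` bytes at `v_fileoffset` of `v_filename` against `v_contents`. */
BOOL scanvxer(LPTSTR v_filename, long v_fileoffset, int v_length, TCHAR *v_contents);

/* Enumerate files in the system directory matching `filename` and scan each one. */
BOOL scanfilevxer(LPTSTR filename);

/* Enumerate running processes; terminate and delete the one matching `name`. */
BOOL processvxer(void);

/* Terminate the process with the given id. */
BOOL killproc(DWORD processid);

/* Enable the named privilege on the current process token. */
BOOL enableprivilege(LPTSTR privilegename);

/* Remove the worm's autorun value from the registry. */
BOOL regdelvxer(void);

/* Print the help banner; `parameter` is the program name (argv[0]). */
void usage(LPCTSTR parameter);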

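/*
 * Entry point.
 *
 * argv[1] is the file name or wildcard pattern to look for in the system
 * directory (for example "msblast.exe"). The stages run in order: file
 * scan, process scan, registry clean-up. The log file is closed on every
 * exit path; the original closed it unconditionally, which is undefined
 * when DEBUGMSG is not defined and the file was never opened.
 *
 * Returns EXIT_SUCCESS when every stage completed, EXIT_FAILURE on bad
 * usage or when any stage reports failure.
 */
int main(int argc, TCHAR *argv[])
{
    int rc = EXIT_FAILURE;

    if (argc != 2) {
        usage(argv[0]);
        return EXIT_FAILURE;
    }

    /* The pattern is later copied into fixed-size buffers; keep it short. */
    if (strlen(argv[1]) > 10) {
        printf("file name no larger than \"10\"\n");
        return EXIT_FAILURE;
    }

#ifdef DEBUGMSG
    gfp = fopen("vxer.txt", "a+");
    if (gfp == NULL) {
        printf("Open \"vxer.txt\" fail\n");
        return EXIT_FAILURE;
    }
    fprintf(gfp, "%s\n", "[--------------------------- file list -------------------------]");
#endif

    if (!scanfilevxer(argv[1])) {
#ifdef DEBUGMSG
        printf("scanfilevxer() GetLastError reports %lu\n", ERRON);
#endif
        goto out;
    }

    if (!processvxer()) {
#ifdef DEBUGMSG
        printf("processvxer() GetLastError reports %lu\n", ERRON);
#endif
        goto out;
    }

    if (!regdelvxer()) {
#ifdef DEBUGMSG
        printf("regdelvxer() GetLastError reports %lu\n", ERRON);
#endif
        goto out;
    }

    rc = EXIT_SUCCESS;

out:
    /* Only close the log when it was actually opened. */
    if (gfp != NULL) {
        fclose(gfp);
        gfp = NULL;
    }
    return rc;
}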

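/*
 * Walk the system directory for entries matching `filename` (a name or a
 * wildcard pattern) and run the signature check on each one.
 *
 * Side effect: the process working directory is changed to the system
 * directory so that the bare cFileName from the search can be opened
 * relative to it.
 *
 * The original aborted the whole program (exit(0)) when it met "." or ".."
 * or when GetFullPathName() failed for one entry; both are now skipped so a
 * single odd entry cannot stop the scan. The search handle is closed on
 * every path and never passed to FindClose() when it is INVALID_HANDLE_VALUE.
 *
 * Returns TRUE when the enumeration ran to completion (even if nothing
 * matched) and FALSE when the system directory cannot be entered or the
 * search cannot be started.
 */
BOOL scanfilevxer(LPTSTR filename)
{
    WIN32_FIND_DATA findfiledata;
    TCHAR dirbuffer[MAX_PATH] = {0};
    TCHAR lpbuffer[MAX_PATH] = {0};
    const DWORD lpbufferlength = sizeof lpbuffer / sizeof lpbuffer[0];
    HANDLE hfind = INVALID_HANDLE_VALUE;
    UINT count = 0;
    BOOL more = TRUE;
    DWORD err = 0;

    /* Offset of the signature inside the worm image. */
    const long fileoffset = 0x1784;

    /* Text block extracted from the worm and used as its signature.
       The length is derived from the literal (0x77 bytes, the value the
       original hard-coded) so the two cannot drift apart. */
    TCHAR contents[] =
        "I just want to say LOVE YOU SAN!! billy gates why do you make this"
        " possible ? Stop making money and fix your software!!";
    const int filelength = (int)(sizeof contents - 1);

    /* Locate the system directory and make it the working directory. */
    if (GetSystemDirectory(dirbuffer, sizeof dirbuffer / sizeof dirbuffer[0]) == 0) {
#ifdef DEBUGMSG
        printf("GetSystemDirectory() GetLastError reports %lu\n", ERRON);
#endif
        return FALSE;
    }
    if (SetCurrentDirectory(dirbuffer) == 0) {
#ifdef DEBUGMSG
        printf("SetCurrentDirectory() GetLastError reports %lu\n", ERRON);
#endif
        return FALSE;
    }

    hfind = FindFirstFile(filename, &findfiledata);
    if (hfind == INVALID_HANDLE_VALUE) {
#ifdef DEBUGMSG
        printf("FindFirstFile() GetLastError reports %lu\n", ERRON);
#endif
        /* Nothing to close: there is no valid search handle. */
        return FALSE;
    }

    for (; more; more = FindNextFile(hfind, &findfiledata)) {
        const char *label;

        /* Skip the directory self-references; they are not files to scan. */
        if (strcmp(".", findfiledata.cFileName) == 0 ||
            strcmp("..", findfiledata.cFileName) == 0) {
            continue;
        }
        count++;
        /* Keep the original log wording: first entry "file", later ones "Next file". */
        label = (count == 1) ? "file" : "Next file";

        if (GetFullPathName(findfiledata.cFileName, lpbufferlength, lpbuffer, NULL) != 0) {
#ifdef DEBUGMSG
            fprintf(gfp, "%s:\t%s\n", label, lpbuffer);
#else
            printf("%s:\t%s\n", label, lpbuffer);
#endif
        } else {
#ifdef DEBUGMSG
            printf("GetFullPathName() GetLastError reports %lu\n", ERRON);
#endif
            continue;
        }

        /* Signature match; the result is recorded in the global `name`. */
        scanvxer(findfiledata.cFileName, fileoffset, filelength, contents);
    }

    /* FindNextFile() returns FALSE both at the end of the listing and on error. */
    err = GetLastError();
#ifdef DEBUGMSG
    if (err != ERROR_NO_MORE_FILES) {
        printf("FindNextFile() GetLastError reports %lu\n", err);
    }
    fprintf(gfp, "\nfile Total: %u\n", count);
    fprintf(gfp, "%s\n", "[--------------------------- file end ---------------------------]\n");
#endif

    printf("file Total: %u\n", count);

    FindClose(hfind);
    return TRUE;
}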

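/*
 * Compare `v_length` bytes at `v_fileoffset` of `v_filename` with
 * `v_contents`.
 *
 * On a full match the bare file name is recorded in the global `name` so
 * the process and registry stages can act on it.
 *
 * Fixes over the original: fclose() is no longer called on a NULL stream
 * when fopen() fails; the read is checked, so a file shorter than the
 * offset plus signature (which left the buffer zero-filled) can no longer
 * be compared as if it had been read; `v_length` is bounded by the scratch
 * buffer; and the copy into `name` is bounded.
 *
 * Returns TRUE only when the bytes match and the name was recorded,
 * FALSE otherwise.
 */
BOOL scanvxer(
    LPTSTR v_filename,   /* file name, relative to the current directory */
    long v_fileoffset,   /* offset of the signature in the file */
    int v_length,        /* signature length in bytes */
    TCHAR *v_contents)   /* signature bytes */
{
    TCHAR filecontents[HIGH] = {0};
    FILE *fp = NULL;
    BOOL matched = FALSE;

    if (v_filename == NULL || v_contents == NULL || v_length <= 0 ||
        v_fileoffset < 0 || (size_t)v_length > sizeof filecontents) {
#ifdef DEBUGMSG
        printf("scanvxer() invalid argument\n");
#endif
        return FALSE;
    }

    fp = fopen(v_filename, "rb"); /* binary read-only */
    if (fp == NULL) {
#ifdef DEBUGMSG
        printf("fopen() file open fail\n");
#endif
        return FALSE;
    }

    if (fseek(fp, v_fileoffset, SEEK_SET) != 0) {
        goto out;
    }
    /* A short read means the file cannot contain the signature at that offset. */
    if (fread(filecontents, 1, (size_t)v_length, fp) != (size_t)v_length) {
        goto out;
    }

    if (memcmp(v_contents, filecontents, (size_t)v_length) == 0) {
#ifdef DEBUGMSG
        printf("file match completely\n");
#endif
        /* Record the name for the later stages; refuse rather than overrun. */
        if (strlen(v_filename) >= sizeof name / sizeof name[0]) {
#ifdef DEBUGMSG
            printf("scanvxer() file name too long to record\n");
#endif
            goto out;
        }
        strcpy(name, v_filename);
        matched = TRUE;
    }

out:
    fclose(fp);
    return matched;
}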

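/*
 * Enumerate running processes and, when one's main module is the file
 * recorded in `name`, terminate it and delete the file.
 *
 * The target path is derived from GetSystemDirectory(), which is where
 * scanfilevxer() found the file; the original hard-coded C:\winnt\system32
 * and so never matched on systems installed elsewhere. Process handles are
 * opened with only the rights the queries need and are closed on every
 * iteration (the original closed just the last one). Path comparison is
 * case-insensitive, as Windows paths are.
 *
 * Returns FALSE when EnumProcesses() fails or a matching process could not
 * be terminated; TRUE otherwise (including when nothing matched).
 */
BOOL processvxer(void)
{
    DWORD lpidprocess[1024] = {0};
    DWORD cbneeded_1 = 0, cbneeded_2 = 0;
    HMODULE hmod[1024] = {0};
    TCHAR procfile[MAX_PATH] = {0};
    TCHAR sysdir[MAX_PATH] = {0};
    TCHAR filename[MAX_PATH] = {0};
    UINT pcount = 0;
    DWORD nproc = 0, i = 0;
    BOOL have_target = FALSE;

    /* Needed to open processes of other users; failure is logged but the
       listing still proceeds for the processes we can open. */
    if (!enableprivilege(SE_DEBUG_NAME)) {
#ifdef DEBUGMSG
        printf("enableprivilege() GetLastError reports %lu\n", ERRON);
#endif
    }

#ifdef DEBUGMSG
    fprintf(gfp, "%s\n", "[-------------------------- Process List --------------------------]");
#endif

    /* Build the full path of the detected file, if the scan recorded one. */
    if (name[0] != '\0' &&
        GetSystemDirectory(sysdir, sizeof sysdir / sizeof sysdir[0]) != 0) {
        /* sysdir + '\' + name + NUL must fit; otherwise there is no target. */
        if (strlen(sysdir) + 1 + strlen(name) < sizeof filename / sizeof filename[0]) {
            strcpy(filename, sysdir);
            strcat(filename, "\\");
            strcat(filename, name);
            have_target = TRUE;
        }
#ifdef DEBUGMSG
        else {
            printf("processvxer() target path too long\n");
        }
#endif
    }

    if (!EnumProcesses(lpidprocess, sizeof lpidprocess, &cbneeded_1)) {
#ifdef DEBUGMSG
        printf("EnumProcesses() GetLastError reports %lu\n", ERRON);
#endif
        return FALSE;
    }
    nproc = cbneeded_1 / sizeof(DWORD);

    for (i = 0; i < nproc; i++) {
        /* Query rights only; termination opens its own handle in killproc(). */
        HANDLE hproc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, lpidprocess[i]);
        if (hproc == NULL) {
            continue;
        }

        /* The first module is the process image; size is in TCHARs. */
        if (EnumProcessModules(hproc, hmod, sizeof hmod, &cbneeded_2) &&
            GetModuleFileNameEx(hproc, hmod[0], procfile,
                                sizeof procfile / sizeof procfile[0])) {
#ifdef DEBUGMSG
            fprintf(gfp, "[%5lu]\t%s\n", lpidprocess[i], procfile);
#else
            printf("[%5lu]\t%s\n", lpidprocess[i], procfile);
#endif
            pcount++;

            if (have_target && _stricmp(filename, procfile) == 0) {
                if (!killproc(lpidprocess[i])) {
#ifdef DEBUGMSG
                    printf("killproc() GetLastError reports %lu\n", ERRON);
#endif
                    CloseHandle(hproc);
                    return FALSE;
                }
                /* Remove the image once nothing is running from it. */
                if (!DeleteFile(filename)) {
#ifdef DEBUGMSG
                    printf("DeleteFile() GetLastError reports %lu\n", ERRON);
#endif
                }
            }
        }

        CloseHandle(hproc);
    }

#ifdef DEBUGMSG
    fprintf(gfp, "\nprocess Total: %u\n", pcount);
    fprintf(gfp, "%s\n", "[-------------------------- process end ----------------------------]");
#endif

    printf("\nprocess Total: %u\n", pcount);

    return TRUE;
}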

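/*
 * Terminate the process identified by `processid`.
 *
 * The handle is opened with PROCESS_TERMINATE only — the single right
 * TerminateProcess() needs — instead of PROCESS_ALL_ACCESS, and it is
 * closed on every path.
 *
 * Returns TRUE when the process was terminated, FALSE when it could not be
 * opened or terminated (GetLastError() holds the reason).
 */
BOOL killproc(DWORD processid)
{
    HANDLE hproc = NULL;
    BOOL ok = FALSE;

    hproc = OpenProcess(PROCESS_TERMINATE, FALSE, processid);
    if (hproc == NULL) {
#ifdef DEBUGMSG
        printf("OpenProcess() GetLastError reports %lu\n", ERRON);
#endif
        return FALSE;
    }

    ok = TerminateProcess(hproc, 0);
#ifdef DEBUGMSG
    if (!ok) {
        printf("TerminateProcess() GetLastError reports %lu\n", ERRON);
    }
#endif

    CloseHandle(hproc);
    return ok;
}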

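/*
 * Enable the privilege named by `privilegename` (e.g. SE_DEBUG_NAME) on the
 * current process token.
 *
 * The original fell through its `close:` label on success as well, so it
 * returned FALSE on every path and the code after `return false;` was
 * unreachable. It also called CloseHandle() on the GetCurrentProcess()
 * pseudo-handle, which is a no-op and is dropped here.
 *
 * AdjustTokenPrivileges() reports success even when the privilege was not
 * granted to the token; that case is detected via ERROR_NOT_ALL_ASSIGNED.
 *
 * Returns TRUE only when the privilege is actually enabled.
 */
BOOL enableprivilege(LPTSTR privilegename)
{
    HANDLE htoken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    /* GetCurrentProcess() yields a pseudo-handle; it needs no CloseHandle(). */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken)) {
#ifdef DEBUGMSG
        printf("OpenProcessToken() GetLastError reports %lu\n", ERRON);
#endif
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL, privilegename, &tp.Privileges[0].Luid)) {
#ifdef DEBUGMSG
        printf("LookupPrivilegeValue() GetLastError reports %lu\n", ERRON);
#endif
        goto out;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof tp, NULL, NULL)) {
#ifdef DEBUGMSG
        printf("AdjustTokenPrivileges() GetLastError reports %lu\n", ERRON);
#endif
        goto out;
    }

    /* Success return value does not imply the privilege was assigned. */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
#ifdef DEBUGMSG
        printf("AdjustTokenPrivileges() privilege not held by this token\n");
#endif
        goto out;
    }

    ok = TRUE;

out:
    CloseHandle(htoken);
    return ok;
}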

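/*
 * Remove the worm's autorun entry ("windows auto update") from the
 * HKLM Run key.
 *
 * The key is opened with KEY_SET_VALUE, the only right RegDeleteValue()
 * needs, instead of KEY_ALL_ACCESS. Registry functions return the error
 * code directly, so that code is reported rather than GetLastError(),
 * which the original printed and which is meaningless here. The original
 * also closed the key twice on the failure path.
 *
 * Returns TRUE when the value was deleted or was already absent, FALSE
 * when the key cannot be opened or the delete fails for another reason.
 */
BOOL regdelvxer(void)
{
    HKEY hkey = NULL;
    LONG ret = ERROR_SUCCESS;
    BOOL ok = TRUE;

    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       0,
                       KEY_SET_VALUE,
                       &hkey);
    if (ret != ERROR_SUCCESS) {
#ifdef DEBUGMSG
        printf("RegOpenKeyEx() reports %ld\n", ret);
#endif
        return FALSE;
    }

    ret = RegDeleteValue(hkey, "windows auto update");
    if (ret == ERROR_SUCCESS) {
#ifdef DEBUGMSG
        printf("Success delete\n");
#endif
    } else if (ret == ERROR_FILE_NOT_FOUND) {
        /* Nothing to remove on a clean machine; not a failure. */
#ifdef DEBUGMSG
        printf("RegDeleteValue() value not present\n");
#endif
    } else {
#ifdef DEBUGMSG
        printf("RegDeleteValue() reports %ld\n", ret);
#endif
        ok = FALSE;
    }

    RegCloseKey(hkey);
    return ok;
}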

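/*
 * Print the help banner to stderr.
 *
 * `parameter` is the program name as invoked (argv[0]). The format string
 * has four %s conversions but the original supplied only two arguments,
 * which is undefined behaviour; every conversion now has a matching
 * argument.
 */
void usage(LPCTSTR parameter)
{
    LPCTSTR path = "%SystemRoot%\\system32\\";

    fprintf(stderr,
        "==========================================================================\n"
        "Simple implementation of anti-virus software\n"
        "Environment: Win2k adv SERVER + visual c++ 6.0\n"
        "Author: dahubaobao\n"
        "Homepage: www.ringz.org\n"
        "OICQ: 382690\n"
        "Mail: 382690@qq.com\n"
        "Statement: This post is original in ringZ. Please indicate the source for reprinting. Thank you!\n"
        "Usage:\n"
        "%s file name. Example: %s msblast.exe or %s *.exe\n"
        "NOTE:\n"
        "This program is just a simple introduction to the preparation of anti-virus software, so there are many imperfections, including:\n"
        "1. This program uses the shock wave worm as an example\n"
        "2. Only files in the %s directory are searched during file traversal\n"
        "3. This program cannot kill the shock wave variant\n"
        "This program is only used for code communication. Please include any errors!\n"
        "==========================================================================\n",
        parameter, parameter, parameter, path);
}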
