Virus Trojan Killer actual combat No. 017: The preparation of a special killing tool for U-disk virus

This series of tutorials is copyright "I spring and Autumn" All, reproduced please indicate the source.

For video tutorials, please visit "I Spring" (www.ichunqiu.com).

Preface

After several discussions, we have a certain understanding of the U disk virus, then this time we will be based on the characteristics of the virus behavior, to write needles for the U-disk virus special kill tool.

Special Kill tool function Description

Because this time is a U disk virus, so I intend to put this special kill tool in another form of implementation. No longer like the previous several times the need for passive operation, but when our special kill tool after execution, once a U disk INSERT, you can actively detect the contents of the U disk, if the virus is found, remove it, and then check the system is also a virus, if there is, also clean up. Our kill tool for this time requires the following features:

1 . When the tool is opened, it is necessary to monitor if there is a U disk insert, and if so, start the detection mechanism.

Here you can use the Ondevicechange () This message response function, so that the current system of newly added equipment real-time monitoring, and through the parameters of the function of the specific content of the judgment, you can realize the monitoring of the U disk.

2 . Find out if there is a Autorun.inf file in the USB stick, and if so, the name of the self-initiated virus program after parsing the contents of the "open" statement in the file.

Parse the contents of the Autorun.inf file, you can use GetPrivateProfileString () This function, through it, first find the "AutoRun" section, then find the section "open" after the content, To get the name of the self-initiated virus program.

3. Delete the Autorun.inf file and the program it will open (Recycle.exe).

First, the CRC32 fingerprint signature of the Recycle.exe should be computed and stored as a global variable for subsequent matching of the virus program. Since the program created by the virus has a system and hidden properties, you should set the file property of the virus program to normal (normal) before deleting it, which can be achieved through the setfileattributes () function. Then use DeleteFile () to remove the virus program.

4. Search the EXE program on the USB flash drive, perform CRC32 fingerprint matching, remove all virus programs, and recover the hidden folders.

Depending on the CRC32 value of the virus program calculated above, all exe files in the root disk of the USB stick can be matched. After all, there is no change in the virus program ontology, just a change of name. In addition, the virus will also be hidden from the folder with the same name as the virus, because we did not analyze how the virus picked these folders (in fact, there is no need to analyze), so we can only find the hidden folder by the virus name, and then set its properties to normal, then the folder is restored.

5. Resolve the registry startup entry for the local system, and locate the name of the virus program and the hidden location.

before removing a virus program from the local system, we need to end the virus process first. Since the name of the virus is based on the characteristics of the computer, and we do not reverse the analysis of its algorithm (in fact, it is not necessary), so we do not know the virus program on different computers of the process name is what, it can not directly end the virus process. But here you can use a trickery method that the virus will add itself to the registry startup item, so we can get the name of the virus and the hidden location just by parsing the registry startup key. After my tests on different computers, I can tell that the virus name is made up of six characters, so we just find the name of the startup item is six characters, and the program that it launches can match the CRC32 fingerprint feature of the previous calculation, then we find the name of the virus and the hidden location.

6, according to the name of the virus found above, the end of the current running virus process, and remove the virus startup items and Virus ontology.

with the name of the virus, you can search in the current process, and after you find it, you can end the virus process and then delete the virus ontology.

7. Delete the nine dynamic link library files created by the virus, which are located in "E_n4" in the Temp folder.

In fact, even if you do not delete these dynamic library files, it is also possible, but in order to complete the killing, I still need to delete them here, but it is necessary to note that, in general, the folder is not able to delete directly, you need to first empty the contents of the folder, To remove the folder.

Looking at the above seven items, it is found that the first four items are mainly for the repair of the USB stick, while the latter three are for local system repair. Next I will use MFC to implement these functions.

Interface Design

Here is a new "MFC AppWizard" project, the project name is set to "Uviruskiller", then create a "basic dialog box", and then click "Finish", then use an "edit box" and two "button" control to complete the interface design:

Figure 1 Interface Design

Next, make the following settings for the "edit box":

Figure 2

and change its ID to idc_list. Then create a variable of type "control" with the name "M_safeopen" for the "Safely open USB Drive" button control:

Figure 3

At this point, the interface design is finished. In fact, we can completely according to their own preferences to design their own program interface.

write code to detect a USB drive letter

Since the program was developed under MFC, you can use the Ondevicechange () message response function. So our first step is to add the message map to the file UVirusKillerDlg.cpp first:

Figure 4 Adding a message map code

Next, under protected in the header file UVirusKillerDlg.h, add the definition of the message response function:

Figure 5 Adding a message response function definition

then add the code that gets the drive letter in the file UVirusKillerDlg.cpp:

void Cuviruskillerdlg::getdrivername (DWORD dwdata) {Pdev_broadcast_hdr PDEVHDR = (PDEV_BROADCAST_HDR) dwData; If the device type is dbt_devtyp_volume, the current struct is converted to the structure of the//dbt_devtyp_volume type if (Pdevhdr->dbch_devicetype = = Dbt_de Vtyp_volume) {//struct conversion pdev_broadcast_volume Pdevvolume = (pdev_broadcast_volume) pDe                        VHDR;                                      If Pdevvolume->dbcv_flags is 0, it is a removable disk if (Pdevvolume->dbcv_flags = = 0) {                        By the pdevvolume->dbcv_unitmask shift to determine the logical drive letter,//No. 0 bit represents a, the 1th is the B disk, and so on.                        DWORD Dwunitmask = pdevvolume->dbcv_unitmask;                                Move up to 26 bits at most, as there are at most 26 bits for (i = 0; i <; ++i) {                                Because the newly inserted removable device must be the last drive letter,//So here look for the lowest bit value in Dwunitmask as the bit of 0x1. if (Dwunitmask & 0x1) {//found to jump out of the loop                                Break                        }//Not found then continue to shift search Dwunitmask = dwunitmask >> 1;                        }//If the 26-bit loop is still not found, return if (I >= 26)                        {return;                }//Format operation converted to string Drivername.format ("%c:", i + ' A '); }        }}

Finally, in the header file UVirusKillerDlg.h, add the following:

Figure 6

It is important to note that because the program uses Dbt_devtyp_volume to start with Dbt_, you must include the header file "Dbt.h" in UVirusKillerDlg.cpp. Then define a character-type global variable I to hold the drive letter of the removable disk. and define a CString type of cstxt to hold the hint content. At this point, the procedure for judging the drive letter has been completed. After writing the above procedure, we need to refine the ondevicechange () function.

detecting suspicious files in a USB driveThis is no longer explained, I have added enough comments to the code:

BOOL Cuviruskillerdlg::ondevicechange (UINT neventtype,//an event type.      DWORD Dwdata//The address of a structure that//contains event-specific data.  ) {//The system broadcasts the DBT_DEVICEARRIVAL device event when//a device or piece of media have been inserted and becomes available.if (Neventtype = = Dbt_devicearrival) {//before the USB flash drive is not avira, make "safe to open USB drive" is not available M_safeopen.enablewindow (F Alse);        Setdlgitemtext (Idc_list, cstxt);//Get the drive letter name Getdrivername (dwdata); Displays the drive letter of the removable disk CString tmpfile; Tmpfile.format ("Removable disk detected:%c\r\n", i + ' A '); Cstxt + = Tmpfile;        Setdlgitemtext (Idc_list, cstxt); If the drive letter is obtained successfully, continue with the IF (drivername! = "") {//Create CString type of file so that it holds the full path of the Autorun.inf CString File            = DriverName;            File + = "\\autorun.inf";            Used to save the program name started by Autorun.inf char Szbuff[max_path] = {0};       Determine if the Autorun.inf file in the removable disk exists if (getfileattributes (File.getbuffer (0)) = =-1)     {Cstxt + = "No autorun.inf\r\n detected on removable disk"; Setdlgitemtext (Idc_list, cstxt);//If Autorun.inf is not present in the current USB flash drive, then the "Safely open USB Drive" button is available M_safeopen.enablewindow (TRUE); return FALSE            ;            } Cstxt + = "detected autorun.inf\r\n on removable disk"; Cstxt + = "is parsing the startup content of Autorun.inf \ r \ n";            Setdlgitemtext (Idc_list, cstxt); Gets the content after open in the Autorun.inf file, which is the suspicious file to be opened automatically getprivateprofilestring ("AutoRun",//the name                Of the section containing the key name.                "Open",//the name of the key whose associated string is to be retrieved.                 NULL,//a the default string.                Szbuff,//a Pointer to the buffer that receives the retrieved string.                MAX_PATH,//the size of the buffer pointed to by the lpreturnedstring//parameter, in characters.            File.getbuffer (0)//the name of the initialization file.            ); Delfile Save the path to the program initiated by Autorun.inf CstrinG Delfile = drivername;delfile + = ' \ \ ';            Delfile + = Szbuff;            Cstxt + = "program initiated by Autorun.inf:"; Cstxt + = delfile;cstxt + = "\ r \ n Calculating the hash value of the virus program ... \ r \ n";            Setdlgitemtext (Idc_list, cstxt);                       Gets the CRC32 value of the virus program VirusCRC32 = CalcCRC32 (delfile); deleting autorun.inf on removable disks and files started by them requires first adjusting the properties of the virus program to normalcstxt + = "deleting Autorun.inf in removable disks and programs started by it ... \ r \ n";                SetFileAttributes (file, file_attribute_normal);//delete Autorun.infbool BRet = deletefile (file); Cstxt + = File;if (bRet) { Cstxt + = _t ("virus program is removed!)             \ r \ n ");} else{Cstxt + = _t ("Virus program cannot be deleted!        \ r \ n ");} SetFileAttributes (Delfile, file_attribute_normal);//delete the virus program initiated by Autorun.inf bret = DeleteFile (delfile); Cstxt + = Delfile;if (bRet) {cstxt + = _t ("virus program is removed!)             \ r \ n ");} else{Cstxt + = _t ("Virus program cannot be deleted! \ r \ n ");} Searchanddeletevirus (drivername); Cstxt + = _t ("You can now safely open the USB flash drive or repair the Local system!) \ r \ n ");            Setdlgitemtext (Idc_list, cstxt); "Secure Open USB Drive"Button available M_safeopen.enablewindow (TRUE); }}//the system broadcasts the DBT_DEVICEREMOVECOMPLETE device event//when a device or piece of media has been PHY Sically Removed.else if (neventtype = = Dbt_deviceremovecomplete) {//when the USB drive is unplugged, make the "Safely open USB Drive" button unavailable M_safeopen.enablewi    Ndow (FALSE); } return TRUE;

write the "Repair Local System" button event code

void Cuviruskillerdlg::onbtnrepair () {//Todo:add your control notification handler code Herecstxt + = _t ("Start detection of local system ... \ r \ n    Checking registry startup entries ... \ r \ n "); char regname[]=" software\\microsoft\\windows\\currentversion\\run\\ ";D word dwtype = 0;    DWORD dwbuffersize = maxbyte;    DWORD dwkeysize = Maxbyte;char Szvaluename[maxbyte] = {0};    Char Szvaluekey[maxbyte] = {0};//Open registry startup key HKey HKey = NULL; LONG Lretrun = RegOpenKey (HKEY_LOCAL_MACHINE, Regname, &hkey); if (lretrun! = ERROR_SUCCESS) {Afxmessagebo X ("Registry startup Key failed to open!")    "); return; }int i = 0;while (TRUE) {///enum key entry Lretrun = RegEnumValue (HKey, I, szValueName, &dwbuffersize, NULL, &dwtype, (U        nsigned char *) Szvaluekey, &dwkeysize);        if (Lretrun = = Error_no_more_items) {break; }//If the key entry is 6 characters and the key value points to the program's CRC32 fingerprint that matches the virus fingerprint, then the virus process is turned off and the DELETE key entry is associated with the virus ontology if (lstrlen (szvaluename) = = 6 && CalcCRC32 (Szva            Luekey) = = VirusCRC32) {BOOL bRet = FALSE;             DWORD dwpid = 0; // Remove the registry startup entry for the virus Regdeletevalue (HKey, szvaluename); Cstxt + = _t ("Registry startup item cleaned up!") \ r \ n "); Strcat (szValueName,".                EXE "), BRet = Findtargetprocess (szValueName, &dwpid), if (TRUE) {cstxt + = _t (" Check system memory ... \ r \ n ");                Cstxt + = _t ("Virus process exists in the system:"); Cstxt + = szValueName;                Cstxt + = _t ("Ready for avira ... \ r \ n");                    Setdlgitemtext (idc_list,cstxt);//Elevation of privilege BRet = Enabledebugprivilege (se_debug_name); if (BRet = = FALSE) {                Cstxt + = _t ("privilege failed \ r \ n");} else{Cstxt + = _t ("Elevate Permissions success!            \ r \ n ");}                Setdlgitemtext (idc_list,cstxt);//Open and try to end the virus process HANDLE hprocess = openprocess (process_all_access,false,dwpid);                    if (hprocess = = Invalid_handle_value) {cstxt + = _t ("Unable to end virus process \ r \ n");        return;}                BRet = TerminateProcess (hprocess,0);                    if (BRet = = FALSE) {cstxt + = _t ("Unable to end virus process \ r \ n");                return;} Cstxt + = _t ("The virus process has ended \ r \ n ");                Setdlgitemtext (Idc_list,cstxt); CloseHandle (hprocess);} break;}        Emptying buffer ZeroMemory (szvaluename,maxbyte); ZeroMemory (Szvaluekey, maxbyte); i++;} RegCloseKey (HKey);//delete the self-initiated virus program Cstxt + = szvaluekey;//Get the path of the folder where the virus program Szvaluekey[lstrlen (Szvaluekey)-11] = ' + '; SetFileAttributes (Szvaluekey, file_attribute_normal);    BOOL BRet = deletedirectory (Szvaluekey); if (bRet) {cstxt + = _t ("virus program is removed!)     \ r \ n ");} else{Cstxt + = _t ("Virus program cannot be deleted!    \ r \ n ");} Gets the folder path that holds the virus DLL file char temppath[100];D word dwsize = 100;    GetTempPath (dwsize, TempPath); Lstrcat (TempPath, "\e_n4");    SetFileAttributes (TempPath, file_attribute_normal);//delete virus folder Bret = DeleteDirectory (TempPath); Cstxt + = TempPath; if (bRet) {cstxt + = _t ("Virus folder is deleted!     \ r \ n ");} else{Cstxt + = _t ("Virus folder cannot be deleted!    \ r \ n ");} Setdlgitemtext (idc_list,cstxt);}

Now that all the major programs have been written, you can then test the Kill tool.

test of killing tools

Here we need to let the local system and a USB stick to maintain the status of poisoning, first unplug the USB flash drive, and then start the Kill tool, so that it began to monitor, then insert a USB flash drive, kill the tool will automatically start Avira:

Figure 7

At this point, if you click on the "safe to open the USB flash drive", will open the USB flash drive, you can find that the USB flash drive has no virus program, and the hidden folders are also displayed. If you click "Repair Local System", then the Kill tool will first end the virus process, and then delete the virus program in the system, so as to thoroughly clean up the system.

SummaryThe code for this kill tool is a little bit longer, but it's not that hard, it's a call to some basic API functions, which also uses many of the previous function codes of the Panda Burn tool, which shows that we should be good at using the programs we've written before. And should be good at analyzing virus characteristics, such as how to determine the name of the virus and hidden folders, if you want to reverse the analysis of these algorithms, then the process is undoubtedly difficult. At this point, for this time the U disk virus explained to Here, I hope you can extrapolate, some harvest.

Virus Trojan Killer actual combat No. 017: The preparation of a special killing tool for U-disk virus