Virus Trojan scan: compilation of the pandatv killing tool

Source: Internet
Author: User
Tags: crc32

I. Preface

For a non-infecting virus (one that does not inject its code into other executables), once its behaviour has been analysed you can start writing a dedicated removal tool. For the sample studied in this series, "Panda Burning Incense", the earlier behaviour analysis did not uncover every malicious action, because no reverse engineering has been done on it yet. The removal tool is therefore written only against the findings of the previous article. In general a removal tool can be written either as a batch script or in a programming language; in practice the latter is used because it is more rigorous and more flexible. So I will use C++ to write a simple removal program for "Panda Burning Incense".

II. Review of the virus behaviour

First, a recap of the behaviour observed in the previous article:
Behaviour 1: The virus creates a process named "spoclsv.exe"; the process image is "C:\WINDOWS\system32\drivers\spoclsv.exe".
Behaviour 2: It runs the "net share" command to remove network shares from the system.
Behaviour 3: It deletes the startup entries of security software from the registry.
Behaviour 4: It creates a value named "svcshare" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" pointing to "C:\WINDOWS\system32\drivers\spoclsv.exe", so the virus is started with the user's session.
Behaviour 5: It modifies the registry so that hidden files cannot be shown through the normal Explorer setting: under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL it sets CheckedValue to 0.
Behaviour 6: It copies itself to the root directory of each drive as "setup.exe" and creates an "autorun.inf" there to launch it; both files are given the "hidden" attribute.
Behaviour 7: It creates a hidden file named "Desktop_.ini" in a number of directories.
Behaviour 8: It sends packets to other machines on the LAN.
Of these eight behaviours, the second is ignored because I do not know how the user's shares were configured before the infection and so cannot restore them. The third is ignored as well: I do not know which anti-virus product is installed, and the virus removes the startup entries of all of them, so after running this tool the user can reinstall the anti-virus software, or an experienced user can re-add its startup entry to the registry by hand. The eighth is also ignored, because once the virus body is deleted the network traffic stops by itself. The removal tool therefore deals with the remaining five behaviours. Readers will notice that the tool does very much the same things as the manual removal procedure I described earlier; this is exactly why I stressed then that manual removal is a skill worth mastering.
III. Building the removal tool's interface

With a batch script there is no interface at run time, so you often cannot tell what the script has done or whether the removal succeeded; this is one advantage of writing a dedicated tool in a high-level language. Here I use MFC to build the "Panda Burning Incense" removal tool, shown in the following figure:



Figure 1 interface Rendering
The attributes of the "Edit Box" control are adjusted as follows:

Figure 2 adjust the properties of the "Edit Box" Control
The interface is very simple. The next step is to write the code.

IV. Calculating the hash value of the virus program

Besides signature (pattern) scanning there is a simpler detection technique: instead of extracting a byte pattern from the virus, compute a hash of the whole file and compare it against the hash of every file examined during scanning. It is easy to implement and is typically used right after a sample is found, before reverse analysis. Commonly used algorithms are MD5, SHA-1 and CRC32. Note that CRC32 is a checksum rather than a cryptographic hash: it recognises a byte-identical copy of the sample but offers no resistance to deliberate collisions, so it is acceptable here only because the goal is to recognise the specific file already analysed, not to resist an adversary who tailors a file to the check.
Here the CRC32 algorithm is used to compute the value. The code is as follows:

```cpp
DWORD CRC32(BYTE *ptr, DWORD Size)
{
    DWORD crcTable[256], crcTmp1;

    // Build the CRC-32 table (reflected polynomial 0xEDB88320) on the fly
    for (int i = 0; i < 256; i++)
    {
        crcTmp1 = i;
        for (int j = 8; j > 0; j--)
        {
            if (crcTmp1 & 1)
                crcTmp1 = (crcTmp1 >> 1) ^ 0xEDB88320L;
            else
                crcTmp1 >>= 1;
        }
        crcTable[i] = crcTmp1;
    }

    // Run the buffer through the table and return the final CRC-32 value
    DWORD crcTmp2 = 0xFFFFFFFF;
    while (Size--)
    {
        crcTmp2 = ((crcTmp2 >> 8) & 0x00FFFFFF) ^ crcTable[(crcTmp2 ^ (*ptr)) & 0xFF];
        ptr++;
    }
    return (crcTmp2 ^ 0xFFFFFFFF);
}
```

The function takes two parameters: a pointer to the buffer and the length of the buffer. The caller reads the whole file into memory and then passes it to CRC32() to obtain the file's CRC32 value. The value for the "Panda Burning Incense" sample I studied is 0x89240FCD. Note that different variants of the virus have different values; the value given here only applies to the variant analysed in this series.
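The following is an added example, not code from the original article: a portable C++ version of the same CRC-32 computation, together with a demonstration of why a CRC32 "hash" is a weak signature. Because CRC-32 is linear and every entry of its lookup table has a unique high byte, the register update can be run backwards from any desired final value, so four bytes appended to any file force its CRC-32 to an arbitrary target. The file contents and the target value used below are constructed for the example; 0x89240FCD is the value the article reports for its sample.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Standard CRC-32 table (IEEE 802.3, reflected polynomial 0xEDB88320),
// the same table the removal tool builds inside CRC32().
static const uint32_t* crc32_table() {
    static uint32_t table[256];
    static bool ready = false;
    if (!ready) {
        for (uint32_t i = 0; i < 256; ++i) {
            uint32_t c = i;
            for (int j = 0; j < 8; ++j)
                c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
            table[i] = c;
        }
        ready = true;
    }
    return table;
}

// Register update only, without the initial and final inversion; shared by
// the checksum and the forgery below.
static uint32_t crc32_update(uint32_t reg, const std::vector<uint8_t>& data) {
    const uint32_t* t = crc32_table();
    for (uint8_t b : data)
        reg = (reg >> 8) ^ t[(reg ^ b) & 0xFF];
    return reg;
}

// CRC-32 exactly as the removal tool computes it over a file buffer.
uint32_t crc32(const std::vector<uint8_t>& data) {
    return crc32_update(0xFFFFFFFFu, data) ^ 0xFFFFFFFFu;
}

// Convenience: the bytes of a string (used for the constructed inputs).
std::vector<uint8_t> bytes(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

// Append exactly four bytes to `data` so that crc32() of the result equals
// `target`. Each CRC-32 table entry has a unique high byte, so from a known
// register state the table index used in the previous step can be recovered.
std::vector<uint8_t> forge_crc32(std::vector<uint8_t> data, uint32_t target) {
    const uint32_t* t = crc32_table();

    // Backward pass: starting from the desired register state, recover the
    // four table indices. Only the high byte of `reg` is read at each step and
    // that byte is always fully determined, so the unknown low bits that the
    // left shift introduces never influence the result.
    uint32_t reg = target ^ 0xFFFFFFFFu;
    uint8_t idx[4];
    for (int k = 3; k >= 0; --k) {
        uint8_t hi = static_cast<uint8_t>(reg >> 24);
        int i = 0;
        while (i < 255 && (t[i] >> 24) != hi) ++i;
        idx[k] = static_cast<uint8_t>(i);
        reg = (reg ^ t[i]) << 8;
    }

    // Forward pass: from the real register state after `data`, choose each
    // appended byte so that the update selects idx[k].
    reg = crc32_update(0xFFFFFFFFu, data);
    for (int k = 0; k < 4; ++k) {
        uint8_t b = static_cast<uint8_t>((reg & 0xFF) ^ idx[k]);
        data.push_back(b);
        reg = (reg >> 8) ^ t[idx[k]];
    }
    return data;
}

int main() {
    // Constructed stand-in for a harmless file; not a real sample.
    std::vector<uint8_t> benign = bytes("MZ constructed harmless stand-in for a file");
    std::vector<uint8_t> forged = forge_crc32(benign, 0x89240FCDu);
    std::printf("check value of \"123456789\": %08X\n", crc32(bytes("123456789")));
    std::printf("benign CRC-32: %08X, after 4 appended bytes: %08X\n",
                crc32(benign), crc32(forged));
    return 0;
}
```

The practical consequence for a removal tool is the reverse of the attack: a CRC32 match is reliable enough to confirm that a file found at a known path is the analysed sample, but a CRC32 mismatch says nothing about whether a file is malicious, and a CRC32 list must never be used as a whitelist. For anything an adversary can influence, use SHA-256 or another cryptographic hash.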

V. Finding the process and enabling the debug privilege

First the tool checks whether the virus process is running. The code (which needs <tlhelp32.h>) is as follows:

```cpp
#include <tlhelp32.h>

// Look for a process by image name; on success the PID is returned through dwPid
BOOL FindTargetProcess(char *pszProcessName, DWORD *dwPid)
{
    BOOL bFind = FALSE;

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return bFind;
    }

    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);

    BOOL bRet = Process32First(hProcessSnap, &pe);
    while (bRet)
    {
        // Image names are not case-sensitive on Windows, so compare case-insensitively
        if (lstrcmpi(pe.szExeFile, pszProcessName) == 0)
        {
            *dwPid = pe.th32ProcessID;
            bFind = TRUE;
            break;
        }
        bRet = Process32Next(hProcessSnap, &pe);
    }

    CloseHandle(hProcessSnap);

    return bFind;
}
```

The tool also enables SeDebugPrivilege in its own access token, which lets it open and terminate processes it otherwise could not touch. This is not a privilege escalation: AdjustTokenPrivileges() can only enable a privilege the token already holds, so the tool has to be run from an administrator account. The code is as follows:


```cpp
// Enable the named privilege (e.g. SE_DEBUG_NAME) in the current process token
BOOL EnableDebugPrivilege(char *pszPrivilege)
{
    HANDLE hToken = INVALID_HANDLE_VALUE;
    LUID luid;
    TOKEN_PRIVILEGES tp;

    BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    if (bRet == FALSE)
    {
        return bRet;
    }

    bRet = LookupPrivilegeValue(NULL, pszPrivilege, &luid);
    if (bRet == FALSE)
    {
        CloseHandle(hToken);
        return bRet;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege; ERROR_NOT_ALL_ASSIGNED means nothing was actually enabled
    if (bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        bRet = FALSE;
    }

    CloseHandle(hToken);
    return bRet;
}
```

 

VI. Finding and deleting Desktop_.ini

The virus creates a file named Desktop_.ini in directories (other than the system directory) on every drive. Although this file does not appear to harm the system, it should still be removed to clean up "Panda Burning Incense" completely. Two things are involved. The first is traversing the whole disk, which uses the FindFirstFile() and FindNextFile() API functions together with recursion. The second is changing file attributes: the virus gives its files the system, read-only and hidden attributes, and DeleteFile() fails on a read-only file unless the attribute is cleared first. Following this idea, the code is as follows:

```cpp
// Recursively walk lpszPath and delete every Desktop_.ini found
DWORD WINAPI FindFiles(LPVOID lpszPath)
{
    WIN32_FIND_DATA stFindFile;
    HANDLE hFindFile;
    // Directory currently being scanned
    char szPath[MAX_PATH];
    char szFindFile[MAX_PATH];
    char szSearch[MAX_PATH];
    char *szFilter;
    int len;
    int ret = 0;

    szFilter = "*.*";
    lstrcpy(szPath, (char *)lpszPath);
    len = lstrlen(szPath);
    if (szPath[len - 1] != '\\')
    {
        szPath[len] = '\\';
        szPath[len + 1] = '\0';
    }
    lstrcpy(szSearch, szPath);
    lstrcat(szSearch, szFilter);

    hFindFile = FindFirstFile(szSearch, &stFindFile);
    if (hFindFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            lstrcpy(szFindFile, szPath);
            lstrcat(szFindFile, stFindFile.cFileName);
            if (stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                // Skip "." and "..", and do not follow junctions/reparse points
                // (following them can loop forever or leave the drive being scanned)
                if (stFindFile.cFileName[0] != '.' &&
                    !(stFindFile.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
                {
                    FindFiles(szFindFile);
                }
            }
            else
            {
                // File names are not case-sensitive on Windows
                if (!lstrcmpi(stFindFile.cFileName, "Desktop_.ini"))
                {
                    // Clear the hidden, system and read-only attributes; DeleteFile
                    // fails on a read-only file
                    DWORD dwFileAttributes = GetFileAttributes(szFindFile);
                    dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
                    dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
                    dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
                    SetFileAttributes(szFindFile, dwFileAttributes);
                    // Delete Desktop_.ini
                    BOOL bRet = DeleteFile(szFindFile);
                    csTxt += szFindFile;
                    if (bRet)
                    {
                        csTxt += _T(" deleted!\r\n");
                    }
                    else
                    {
                        csTxt += _T(" could not be deleted\r\n");
                    }
                }
            }
            ret = FindNextFile(hFindFile, &stFindFile);
        } while (ret != 0);
        FindClose(hFindFile);
    }
    return 0;
}
```

Note that a global variable csTxt of type CString must be declared before this function; it collects the removal log that is shown in the dialog. The same variable is used by the code that follows.
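The following is an added example and not code from the original article: the same recursive "find and delete every Desktop_.ini" walk written against the POSIX directory API (opendir/readdir/lstat/unlink instead of FindFirstFile/FindNextFile/DeleteFile), so it can be run and tested on any Unix-like system. It demonstrates the two checks a practitioner would want the page's loop to have: case-insensitive name matching, since Windows file names are case-insensitive, and not following links that leave the tree being scanned, the POSIX analogue of the junction/reparse-point caveat. The directory tree, file names and the `/tmp/killtool_demo_XXXXXX` location are constructed for the example; the decoy file behind the symlink exists only to prove that the link is not followed.

```cpp
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>
#include <strings.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Recursively delete every regular file under `root` whose name matches
// `target` case-insensitively; returns the paths that were removed.
std::vector<std::string> delete_named_files(const std::string& root, const char* target) {
    std::vector<std::string> deleted;
    DIR* dir = opendir(root.c_str());
    if (dir == NULL)
        return deleted;                      // unreadable directory: skip it, keep scanning
    while (struct dirent* ent = readdir(dir)) {
        if (std::strcmp(ent->d_name, ".") == 0 || std::strcmp(ent->d_name, "..") == 0)
            continue;                        // the two pseudo-entries every directory lists
        std::string path = root + "/" + ent->d_name;
        struct stat st;
        // lstat() does not follow symlinks, so a link pointing outside the tree
        // is neither descended into nor deleted through.
        if (lstat(path.c_str(), &st) != 0)
            continue;
        if (S_ISDIR(st.st_mode)) {
            std::vector<std::string> sub = delete_named_files(path, target);
            deleted.insert(deleted.end(), sub.begin(), sub.end());
        } else if (S_ISREG(st.st_mode) && strcasecmp(ent->d_name, target) == 0) {
            // On Windows the read-only attribute must be cleared first; on POSIX
            // unlink() is governed by the directory's permissions, not the file's.
            if (unlink(path.c_str()) == 0)
                deleted.push_back(path);
        }
    }
    closedir(dir);
    return deleted;
}

static void make_file(const std::string& path) {
    FILE* f = std::fopen(path.c_str(), "w");
    if (f) std::fclose(f);
    chmod(path.c_str(), 0444);               // read-only, like the files the virus drops
}

// Build a constructed fixture under a fresh temp directory and return its base:
//   base/root/a/Desktop_.ini      <- must be deleted
//   base/root/b/c/desktop_.INI    <- must be deleted (case variant)
//   base/root/link -> base/outside <- symlink that must not be followed
//   base/outside/Desktop_.ini     <- decoy that must survive
std::string build_fixture() {
    char tmpl[] = "/tmp/killtool_demo_XXXXXX";
    std::string base = mkdtemp(tmpl);
    mkdir((base + "/root").c_str(), 0700);
    mkdir((base + "/root/a").c_str(), 0700);
    mkdir((base + "/root/b").c_str(), 0700);
    mkdir((base + "/root/b/c").c_str(), 0700);
    mkdir((base + "/outside").c_str(), 0700);
    make_file(base + "/root/a/Desktop_.ini");
    make_file(base + "/root/b/c/desktop_.INI");
    make_file(base + "/outside/Desktop_.ini");
    symlink((base + "/outside").c_str(), (base + "/root/link").c_str());
    return base;
}

bool path_exists(const std::string& path) {
    struct stat st;
    return lstat(path.c_str(), &st) == 0;
}

// Run the whole scenario: returns the number of files deleted, or -1 if the
// decoy behind the symlink was touched.
int run_demo() {
    std::string base = build_fixture();
    std::vector<std::string> gone = delete_named_files(base + "/root", "Desktop_.ini");
    bool decoy_ok = path_exists(base + "/outside/Desktop_.ini");
    for (size_t i = 0; i < gone.size(); ++i)
        std::printf("deleted: %s\n", gone[i].c_str());
    return decoy_ok ? static_cast<int>(gone.size()) : -1;
}

int main() {
    std::printf("files removed: %d\n", run_demo());
    return 0;
}
```

The same two points apply to the Win32 version: compare names with lstrcmpi rather than lstrcmp, and skip directories carrying FILE_ATTRIBUTE_REPARSE_POINT so a junction cannot make the scan loop or wander onto another volume.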

 

VII. Writing the main program

The main program is the handler for the "One-click removal" button. I have added comments to the code:

```cpp
void CKillWhBoyDlg::OnBtnKill()
{
    // TODO: Add your control notification handler code here
    BOOL bRet = FALSE;
    DWORD dwPid = 0;

    ////////////////////////////////////////////////////////////////////////
    // Find the spoclsv.exe process, end it, then delete the virus file itself
    ////////////////////////////////////////////////////////////////////////
    bRet = FindTargetProcess("spoclsv.exe", &dwPid);
    if (bRet == TRUE)
    {
        csTxt = _T("Checking system memory...\r\n");
        csTxt += _T("Virus process found in the system: spoclsv.exe\r\n");
        csTxt += _T("Preparing to remove it...\r\n");
        SetDlgItemText(IDC_LIST, csTxt);

        // Enable SeDebugPrivilege so the process can be opened
        bRet = EnableDebugPrivilege(SE_DEBUG_NAME);
        if (bRet == FALSE)
        {
            csTxt += _T("Failed to enable the debug privilege\r\n");
        }
        else
        {
            csTxt += _T("Debug privilege enabled!\r\n");
        }
        SetDlgItemText(IDC_LIST, csTxt);

        // Open the virus process and try to end it. Only PROCESS_TERMINATE is
        // needed; note that OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, dwPid);
        if (hProcess == NULL)
        {
            csTxt += _T("Unable to end the virus process\r\n");
            SetDlgItemText(IDC_LIST, csTxt);
            return;
        }
        bRet = TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
        if (bRet == FALSE)
        {
            csTxt += _T("Unable to end the virus process\r\n");
            SetDlgItemText(IDC_LIST, csTxt);
            return;
        }
        csTxt += _T("The virus process has been ended\r\n");
        SetDlgItemText(IDC_LIST, csTxt);
    }
    else
    {
        csTxt += _T("The spoclsv.exe virus process is not running\r\n");
    }
    Sleep(10);

    // Check for the virus file on disk
    char szSysPath[MAX_PATH] = {0};
    GetSystemDirectory(szSysPath, MAX_PATH);
    lstrcat(szSysPath, "\\drivers\\spoclsv.exe");
    csTxt += _T("Checking whether spoclsv.exe exists on the hard disk...\r\n");
    if (GetFileAttributes(szSysPath) == INVALID_FILE_ATTRIBUTES)
    {
        csTxt += _T("The spoclsv.exe virus file does not exist\r\n");
    }
    else
    {
        csTxt += _T("The spoclsv.exe virus file exists, calculating its hash value\r\n");
        HANDLE hFile = CreateFile(szSysPath, GENERIC_READ, FILE_SHARE_READ, NULL,
                                  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            AfxMessageBox("Create Error");
            return;
        }
        DWORD dwSize = GetFileSize(hFile, NULL);
        if (dwSize == INVALID_FILE_SIZE)
        {
            AfxMessageBox("GetFileSize Error");
            CloseHandle(hFile);
            return;
        }
        BYTE *pFile = (BYTE *)malloc(dwSize);
        if (pFile == NULL)
        {
            AfxMessageBox("malloc Error");
            CloseHandle(hFile);
            return;
        }
        DWORD dwNum = 0;
        if (!ReadFile(hFile, pFile, dwSize, &dwNum, NULL) || dwNum != dwSize)
        {
            AfxMessageBox("ReadFile Error");
            free(pFile);
            CloseHandle(hFile);
            return;
        }
        // Calculate the hash value of spoclsv.exe
        DWORD dwCrc32 = CRC32(pFile, dwNum);
        free(pFile);
        pFile = NULL;
        CloseHandle(hFile);
        // 0x89240FCD is the hash value of the "Panda Burning Incense" sample analysed earlier
        if (dwCrc32 != 0x89240FCD)
        {
            csTxt += _T("spoclsv.exe verification failed\r\n");
        }
        else
        {
            csTxt += _T("spoclsv.exe verified, deleting...\r\n");
            // Clear the hidden, system and read-only attributes
            DWORD dwFileAttributes = GetFileAttributes(szSysPath);
            dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
            dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
            dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
            SetFileAttributes(szSysPath, dwFileAttributes);
            // Delete spoclsv.exe
            bRet = DeleteFile(szSysPath);
            if (bRet)
            {
                csTxt += _T("spoclsv.exe virus deleted!\r\n");
            }
            else
            {
                csTxt += _T("The spoclsv.exe virus could not be deleted\r\n");
            }
        }
    }
    SetDlgItemText(IDC_LIST, csTxt);
    Sleep(10);

    ////////////////////////////////////////////////////////////////////////
    // Delete setup.exe, autorun.inf and Desktop_.ini on every drive
    ////////////////////////////////////////////////////////////////////////
    char szDriverString[MAXBYTE] = {0};
    char *pTmp = NULL;
    // Get the drive list as a multi-string ("C:\\" NUL "D:\\" NUL NUL)
    GetLogicalDriveStrings(MAXBYTE, szDriverString);
    pTmp = szDriverString;
    while (*pTmp)
    {
        char szAutorunPath[MAX_PATH] = {0};
        char szSetupPath[MAX_PATH] = {0};
        lstrcat(szAutorunPath, pTmp);
        lstrcat(szAutorunPath, "autorun.inf");
        lstrcat(szSetupPath, pTmp);
        lstrcat(szSetupPath, "setup.exe");
        if (GetFileAttributes(szSetupPath) == INVALID_FILE_ATTRIBUTES)
        {
            csTxt += pTmp;
            csTxt += _T("The setup.exe virus file does not exist\r\n");
        }
        else
        {
            csTxt += pTmp;
            csTxt += _T("The setup.exe virus file exists, calculating its checksum...\r\n");
            HANDLE hFile = CreateFile(szSetupPath, GENERIC_READ, FILE_SHARE_READ, NULL,
                                      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
            if (hFile == INVALID_HANDLE_VALUE)
            {
                AfxMessageBox("Create Error");
                return;
            }
            DWORD dwSize = GetFileSize(hFile, NULL);
            if (dwSize == INVALID_FILE_SIZE)
            {
                AfxMessageBox("GetFileSize Error");
                CloseHandle(hFile);
                return;
            }
            BYTE *pFile = (BYTE *)malloc(dwSize);
            if (pFile == NULL)
            {
                AfxMessageBox("malloc Error");
                CloseHandle(hFile);
                return;
            }
            DWORD dwNum = 0;
            if (!ReadFile(hFile, pFile, dwSize, &dwNum, NULL) || dwNum != dwSize)
            {
                AfxMessageBox("ReadFile Error");
                free(pFile);
                CloseHandle(hFile);
                return;
            }
            DWORD dwCrc32 = CRC32(pFile, dwNum);
            free(pFile);
            pFile = NULL;
            CloseHandle(hFile);
            if (dwCrc32 != 0x89240FCD)
            {
                csTxt += _T("Verification failed\r\n");
            }
            else
            {
                csTxt += _T("Verification succeeded, deleting...\r\n");
                // Clear the hidden, system and read-only attributes
                DWORD dwFileAttributes = GetFileAttributes(szSetupPath);
                dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
                dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
                dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
                SetFileAttributes(szSetupPath, dwFileAttributes);
                // Delete setup.exe
                bRet = DeleteFile(szSetupPath);
                if (bRet)
                {
                    csTxt += pTmp;
                    csTxt += _T("setup.exe virus deleted!\r\n");
                }
                else
                {
                    csTxt += pTmp;
                    csTxt += _T("The setup.exe virus could not be deleted\r\n");
                }
            }
        }
        // Clear the hidden, system and read-only attributes of autorun.inf
        DWORD dwFileAttributes = GetFileAttributes(szAutorunPath);
        dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
        dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
        dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
        SetFileAttributes(szAutorunPath, dwFileAttributes);
        // Delete autorun.inf
        bRet = DeleteFile(szAutorunPath);
        csTxt += pTmp;
        if (bRet)
        {
            csTxt += _T("autorun.inf deleted!\r\n");
        }
        else
        {
            csTxt += _T("autorun.inf does not exist or could not be deleted\r\n");
        }
        // Delete Desktop_.ini everywhere on this drive
        FindFiles(pTmp);
        // Move to the next drive letter in the multi-string
        pTmp += lstrlen(pTmp) + 1;
    }
    Sleep(10);

    ////////////////////////////////////////////////////////////////////////
    // Repair the registry: remove the virus startup entry and restore the
    // "show hidden files" option
    ////////////////////////////////////////////////////////////////////////
    csTxt += _T("Checking the registry...\r\n");
    SetDlgItemText(IDC_LIST, csTxt);
    // First the startup entry
    char RegRun[] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKeyHKCU = NULL;
    DWORD lSize = MAXBYTE;
    char cData[MAXBYTE] = {0};
    long lRet = RegOpenKeyEx(HKEY_CURRENT_USER, RegRun, 0, KEY_QUERY_VALUE | KEY_SET_VALUE, &hKeyHKCU);
    if (lRet == ERROR_SUCCESS)
    {
        lRet = RegQueryValueEx(hKeyHKCU, "svcshare", NULL, NULL, (LPBYTE)cData, &lSize);
        if (lRet == ERROR_SUCCESS)
        {
            if (lstrcmpi(cData, "C:\\WINDOWS\\system32\\drivers\\spoclsv.exe") == 0)
            {
                csTxt += _T("The registry startup key contains the virus entry\r\n");
            }
            lRet = RegDeleteValue(hKeyHKCU, "svcshare");
            if (lRet == ERROR_SUCCESS)
            {
                csTxt += _T("The virus entry in the registry startup key has been deleted!\r\n");
            }
            else
            {
                csTxt += _T("The virus entry in the registry startup key could not be deleted\r\n");
            }
        }
        else
        {
            csTxt += _T("The registry startup key does not contain the virus entry\r\n");
        }
        RegCloseKey(hKeyHKCU);
    }
    else
    {
        csTxt += _T("Failed to read the registry startup key\r\n");
    }

    // Restore the display of hidden files by setting CheckedValue back to 1
    char RegHide[] = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
    HKEY hKeyHKLM = NULL;
    DWORD dwFlag = 1;
    long lRetHide = RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegHide, 0, KEY_SET_VALUE, &hKeyHKLM);
    if (lRetHide == ERROR_SUCCESS)
    {
        csTxt += _T("Checking the registry hidden-file option...\r\n");
        if (ERROR_SUCCESS == RegSetValueEx(hKeyHKLM,              // subkey handle
                                          "CheckedValue",         // value name
                                          0,                      // must be zero
                                          REG_DWORD,              // value type
                                          (const BYTE *)&dwFlag,  // pointer to value data
                                          sizeof(dwFlag)))        // length of value data
        {
            csTxt += _T("Registry repaired!\r\n");
        }
        else
        {
            csTxt += _T("Could not restore the registry hidden-file option\r\n");
        }
        RegCloseKey(hKeyHKLM);
    }

    ////////////////////////////////////////////////////////////////////////
    // Removal finished
    ////////////////////////////////////////////////////////////////////////
    csTxt += _T("Virus removal finished, please run a full scan with professional antivirus software!\r\n");
    SetDlgItemText(IDC_LIST, csTxt);
}
```

At this point all the code has been written; it compiles without errors and produces the executable directly.

VIII. Testing the removal tool

To test the tool I copied both it and the "Panda Burning Incense" sample into a virtual machine, ran the virus first and then ran the removal tool, as shown below:

Figure 3 run the kill tool to kill viruses

As can be seen, the program removed all traces of the virus, and monitoring it with Process Monitor confirmed that the removal tool does what it is meant to do; I will not go into the details here.

IX. Summary

Because we are dealing with a real virus the code looks long; a "toy" virus could be deleted with only a few lines. In later articles I will write removal tools for other viruses and Trojans, using the code of this tool as the framework, describing only the newly added points and skipping what overlaps with earlier articles. I hope readers master the methods described here thoroughly.
