I recently wrote a dedicated cleaner for the "disk drive" virus. A dedicated cleaner is normally a small job: delete a few known files, kill a few known processes, and put the user's registry back in order (a favourite trick of this kind of Trojan is to write Image File Execution Options hijacks, so that after the next reboot every security tool on the machine is disabled — there is nothing clever about it, it just abuses an operating-system feature). The "disk drive" virus is nastier, though, because it is a file infector: every EXE on the disk can be turned into a "small disk drive" carrier, which is frightening. So killing the process is not enough: after the disk-drive process is stopped, the whole disk has to be scanned and every infected EXE (COM files are not infected) repaired. That means walking every file on every disk. The code below shows how the walk is done; it is the same job an anti-virus engine does when it enumerates the files on a disk and processes each one in turn.
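// -------------------------------------------------------------------------
// Helper:   RemoveTreeW
// Purpose:  Delete a directory and everything under it using Win32 calls
//           only (no cmd.exe, no shell quoting). Junctions and directory
//           symlinks inside the tree are removed as links and never
//           followed, so a planted reparse point cannot redirect the
//           deletion to another part of the disk.
// Return:   TRUE if every entry was removed, FALSE if anything failed or the
//           path was empty / too long.
// Param:    const WCHAR *pwszDir  directory to remove (trailing '\' optional).
// -------------------------------------------------------------------------
static BOOL RemoveTreeW(const WCHAR *pwszDir)
{
    WCHAR wszPath[MAX_PATH] = L"";
    WIN32_FIND_DATAW fd = {0};
    BOOL bOk = TRUE;

    if (pwszDir == NULL || *pwszDir == L'\0')
        return FALSE;
    size_t cchDir = wcslen(pwszDir);
    if (cchDir + 3 > MAX_PATH)                  // "\", "*" and NUL must fit
        return FALSE;
    wcscpy_s(wszPath, MAX_PATH, pwszDir);
    if (wszPath[cchDir - 1] != L'\\')
        wszPath[cchDir++] = L'\\';
    WCHAR *pwszName = wszPath + cchDir;         // entry names are appended here
    wcscpy_s(pwszName, MAX_PATH - cchDir, L"*");

    HANDLE hFind = FindFirstFileW(wszPath, &fd);
    if (hFind == INVALID_HANDLE_VALUE)
        return FALSE;
    do
    {
        if (wcscmp(fd.cFileName, L".") == 0 || wcscmp(fd.cFileName, L"..") == 0)
            continue;
        if (cchDir + wcslen(fd.cFileName) + 1 > MAX_PATH)
        {
            bOk = FALSE;                        // would overflow the buffer; leave it
            continue;
        }
        wcscpy_s(pwszName, MAX_PATH - cchDir, fd.cFileName);

        // Read-only entries refuse deletion until the attribute is cleared.
        if (fd.dwFileAttributes & FILE_ATTRIBUTE_READONLY)
            SetFileAttributesW(wszPath, fd.dwFileAttributes & ~FILE_ATTRIBUTE_READONLY);

        if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            // Descend only into real directories; a reparse point is just unlinked.
            if (!(fd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
                bOk = RemoveTreeW(wszPath) && bOk;
            else
                bOk = RemoveDirectoryW(wszPath) && bOk;
        }
        else
        {
            bOk = DeleteFileW(wszPath) && bOk;
        }
    } while (FindNextFileW(hFind, &fd));
    FindClose(hFind);

    return RemoveDirectoryW(pwszDir) && bOk;
}

// -------------------------------------------------------------------------
// Function: scandirectory
// Purpose:  Walk a directory tree depth-first and hand every regular file
//           to the per-file hook below (empty here; the scan / repair logic
//           goes there). Subdirectories are entered recursively.
//           As a side job inherited from the original, the ".svn" folder of
//           every subdirectory met on the way is deleted.
// Return:   DWORD  0 when the directory was enumerated, 1 when the path is
//           empty / too long or FindFirstFileW failed on it.
// Param:    const WCHAR *pwszpath  directory to walk; a drive root such as
//           L"C:\\" works, trailing backslash optional.
// Notes:    - Junctions and directory symlinks are NOT followed. A
//             malware-planted cycle would otherwise recurse until the stack
//             is exhausted, and a junction could drag the ".svn" deletion to
//             any path on the machine.
//           - Entries whose full path would not fit in MAX_PATH are skipped
//             rather than overflowing the stack buffer (the original copied
//             names in unchecked); a very deep tree is exactly what a hostile
//             disk may contain.
//           - The ".svn" removal uses Win32 calls, not system("rmdir ...").
//             A directory name is untrusted input; pasted unquoted into a
//             cmd.exe command line it could have run arbitrary commands.
//           - Recursion depth is still bounded only by the thread's stack.
// -------------------------------------------------------------------------
DWORD scandirectory(const WCHAR *pwszpath)
{
    WCHAR wszFileName[MAX_PATH] = L"";
    WIN32_FIND_DATAW fd = {0};

    if (pwszpath == NULL || *pwszpath == L'\0')
        return 1;                               // would otherwise read wszFileName[-1]
    size_t cchDir = wcslen(pwszpath);
    if (cchDir + 3 > MAX_PATH)                  // "\", "*" and NUL must fit
        return 1;
    wcscpy_s(wszFileName, MAX_PATH, pwszpath);
    if (wszFileName[cchDir - 1] != L'\\')
        wszFileName[cchDir++] = L'\\';
    WCHAR *pwszName = wszFileName + cchDir;     // entry names are appended here
    wcscpy_s(pwszName, MAX_PATH - cchDir, L"*");

    HANDLE hFind = FindFirstFileW(wszFileName, &fd);
    if (hFind == INVALID_HANDLE_VALUE)
        return 1;

    do
    {
        // Skip the self / parent pseudo-entries.
        if (wcscmp(fd.cFileName, L".") == 0 || wcscmp(fd.cFileName, L"..") == 0)
            continue;

        size_t cchEntry = cchDir + wcslen(fd.cFileName);
        if (cchEntry + 1 > MAX_PATH)
            continue;                           // does not fit; skip, never overflow
        wcscpy_s(pwszName, MAX_PATH - cchDir, fd.cFileName);

        if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            if (fd.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT)
                continue;                       // junction / symlink: never follow

            // Side job: remove "<subdir>\.svn" without going through the shell.
            if (cchEntry + 6 <= MAX_PATH)       // "\.svn" + NUL
            {
                WCHAR wszSvn[MAX_PATH] = L"";
                wcscpy_s(wszSvn, MAX_PATH, wszFileName);
                wcscat_s(wszSvn, MAX_PATH, L"\\.svn");
                DWORD dwSvnAttr = GetFileAttributesW(wszSvn);
                if (dwSvnAttr != INVALID_FILE_ATTRIBUTES &&
                    (dwSvnAttr & FILE_ATTRIBUTE_DIRECTORY))
                    RemoveTreeW(wszSvn);        // best effort, as the original was
            }

            scandirectory(wszFileName);
        }
        else
        {
            // Scan the file: wszFileName now holds the full path of a regular
            // file. Put the per-file processing code here.
        }
    } while (FindNextFileW(hFind, &fd));

    FindClose(hFind);
    return 0;
}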
Of course, the code above only walks one tree. You could call it once per drive if you knew how many drives the machine has, but you do not know that about a user's machine, so it has to be paired with the following routine, which works out which drives are worth scanning:
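// -------------------------------------------------------------------------
// Function: parsediskname
// Purpose:  Work out which drive letters on this machine should be scanned:
//           every drive present in GetLogicalDrives() whose type is
//           DRIVE_FIXED or DRIVE_REMOVABLE. Network, CD-ROM and RAM drives
//           are deliberately left out.
// Return:   DWORD  number of scannable drives written (0..26). 0 also when
//           pszdiskname is NULL or GetLogicalDrives() fails.
// Param:    TCHAR *pszdiskname  receives the lower-case drive letters as a
//           NUL-terminated string. The caller must supply at least 27
//           TCHARs: 26 letters plus the terminator (the original's 26-slot
//           scratch array lost the terminator when all 26 drives existed).
// -------------------------------------------------------------------------
DWORD parsediskname(TCHAR *pszdiskname)
{
    // Bit i of the GetLogicalDrives() mask corresponds to kDriveLetters[i].
    static const TCHAR kDriveLetters[] = TEXT("abcdefghijklmnopqrstuvwxyz");
    const DWORD kMaxDrives = 26;
    TCHAR szDiskArray[kMaxDrives + 1] = {0};    // +1 keeps the terminator for 26 drives
    DWORD dwScanCount = 0;

    if (pszdiskname == NULL)
        return 0;

    const DWORD dwMask = GetLogicalDrives();    // 0 on failure: loop finds nothing
    for (DWORD i = 0; i < kMaxDrives; ++i)
    {
        if ((dwMask & (1u << i)) == 0)
            continue;

        // GetDriveType wants a root path of the form "X:\".
        TCHAR szRoot[4] = { kDriveLetters[i], TEXT(':'), TEXT('\\'), TEXT('\0') };
        const UINT uType = GetDriveType(szRoot);
        if (uType == DRIVE_FIXED || uType == DRIVE_REMOVABLE)
            szDiskArray[dwScanCount++] = kDriveLetters[i];
    }
    szDiskArray[dwScanCount] = TEXT('\0');

    lstrcpy(pszdiskname, szDiskArray);
    return dwScanCount;
}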
That is roughly it. One caveat: the traversal above is recursive, so a sufficiently deep directory tree can overflow the stack. An iterative version that keeps an explicit work list of directories would avoid that, but I have not written one — it felt like too much trouble, and recursion is simply more convenient. One more piece of code: forcing a reboot. This is not an ordinary restart; it behaves like pulling the power, so do not try it casually — the machine restarts without any notification to running programs. Why do it this way? Because some viruses react to the system-shutdown notification by doing something nasty, and a restart that sends no such notification is what makes the clean-up stick.
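// -------------------------------------------------------------------------
// Function: Forceshutdown
// Purpose:  Reboot the machine immediately through NtShutdownSystem. No
//           WM_QUERYENDSESSION / WM_ENDSESSION is sent and services get no
//           SERVICE_CONTROL_SHUTDOWN, so nothing that is running - including
//           malware that would re-arm itself on a normal shutdown - gets a
//           chance to react. Unsaved user data is lost the same way.
// Return:   HRESULT  a successful call does not return (the system reboots);
//           otherwise the failure, mapped with HRESULT_FROM_WIN32 (token,
//           privilege or lookup problems) or HRESULT_FROM_NT (the NTSTATUS
//           handed back by NtShutdownSystem). The original returned TRUE /
//           FALSE through an HRESULT, which made FAILED() useless.
// Notes:    - SeShutdownPrivilege must be present in the token. Enabling it
//             is checked through GetLastError() after AdjustTokenPrivileges,
//             which returns TRUE even when it enabled nothing; without the
//             privilege NtShutdownSystem just fails.
//           - ntdll.dll is located with GetModuleHandleW, not LoadLibrary:
//             it is already mapped in every process, so there is no search
//             path to walk and no FreeLibrary to forget.
//           - NtShutdownSystem is undocumented; the signature below is the
//             one the original used.
// -------------------------------------------------------------------------
HRESULT Forceshutdown()
{
    typedef enum _SHUTDOWN_ACTION
    {
        ShutdownNoReboot,
        ShutdownReboot,
        ShutdownPowerOff
    } SHUTDOWN_ACTION;
    typedef LONG (NTAPI *LPFN_NTSHUTDOWNSYSTEM)(SHUTDOWN_ACTION Action);

    HRESULT hr = S_OK;
    HANDLE hToken = NULL;                       // initialised: the original tested garbage on failure
    TOKEN_PRIVILEGES tkp = {0};

    // GetCurrentProcess() is a pseudo-handle: it cannot fail and must not be
    // closed, so the original NULL check and CloseHandle on it were dead code.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return HRESULT_FROM_WIN32(GetLastError());

    if (!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid))
    {
        hr = HRESULT_FROM_WIN32(GetLastError());
    }
    else
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // TRUE does not mean "enabled": ERROR_NOT_ALL_ASSIGNED is reported
        // through GetLastError() when the privilege is absent from the token.
        const BOOL bAdjusted = AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, NULL);
        const DWORD dwErr = GetLastError();
        if (!bAdjusted || dwErr != ERROR_SUCCESS)
            hr = HRESULT_FROM_WIN32(dwErr != ERROR_SUCCESS ? dwErr : ERROR_NOT_ALL_ASSIGNED);
    }
    CloseHandle(hToken);                        // hToken is valid on every path here
    if (FAILED(hr))
        return hr;

    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
        return HRESULT_FROM_WIN32(GetLastError());
    LPFN_NTSHUTDOWNSYSTEM pfnNtShutdownSystem =
        reinterpret_cast<LPFN_NTSHUTDOWNSYSTEM>(GetProcAddress(hNtdll, "NtShutdownSystem"));
    if (pfnNtShutdownSystem == NULL)
        return HRESULT_FROM_WIN32(GetLastError());

    // Only returns on failure; on success the system reboots at once.
    const LONG status = pfnNtShutdownSystem(ShutdownReboot);
    if (status < 0)                             // NT_SUCCESS(status) is (status >= 0)
        return HRESULT_FROM_NT(status);
    return S_OK;
}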
The stack-overflow problem of the recursive traversal is left for a later post.
http://blog.csdn.net/magictong/article/details/2784420
On the method of traversing disk Win32