Pclxav Trojan Hunter: source code of the first-generation signature engine _ Vulnerability Research

Source: Internet
Author: User
The reason for releasing this is the long-standing engine problem of a certain domestic security product. I hope this article can prompt a substantive update.
Security software should give users and consumers security, not trouble.
The engine problem shows up like this: to scan a file, the product first creates a copy of it and then scans the copy.
Even unpacking experts like AVP do not strip every packer they see; for a great many viruses the signature can simply be defined on the packed file and matched in place.
The source code follows, partially truncated, because this article is not meant to teach everyone to write a scanner, and this engine is no longer in use.
const
  CBUF_SIZE = 65536;

var
  FIntFile: TStream;          { the file being scanned; opened by LoadFromFile }
  FIntBuffer: PByteArray;     { CBUF_SIZE read window onto FIntFile }
  FIntBufferPos: Integer;     { file offset of FIntBuffer^[0]; -1 = nothing loaded yet }
  FDataSize2: Integer;
  FindBuf: PChar;
  ReadOnly: Boolean;          { field of the original hex-editor control }

{ Make sure the 16 bytes starting at APos are inside FIntBuffer; if not,
  reload the window centred on APos. }
procedure CheckInternalBuffer(APos: Integer);
var
  PFr: Integer;
begin
  if (FIntBufferPos = -1) or (APos < FIntBufferPos) or
     ((APos + 16) > (FIntBufferPos + CBUF_SIZE)) then
  begin
    PFr := APos - (CBUF_SIZE div 2);
    if PFr < 0 then
      PFr := 0;
    FIntFile.Position := PFr;
    FIntFile.Read(FIntBuffer^, CBUF_SIZE);
    FIntBufferPos := PFr;
  end;
end;

procedure FreeFile;
begin
  if FIntFile <> nil then
  begin
    FIntFile.Free;
    FIntFile := nil;
  end;
  if FIntBuffer <> nil then   { release the read window (added here for symmetry with LoadFromFile) }
  begin
    FreeMem(FIntBuffer, CBUF_SIZE);
    FIntBuffer := nil;
  end;
end;

{ True if the file exists and can be opened read-only with shared read access. }
function CanOpenFile(const AName: string): Boolean;
var
  FHandle: THandle;
begin
  Result := False;
  ReadOnly := True;
  if FileExists(AName) then
  begin
    FHandle := CreateFileA(PChar(AName), GENERIC_READ, FILE_SHARE_READ, nil,
      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if FHandle <> INVALID_HANDLE_VALUE then
    begin
      CloseHandle(FHandle);
      Result := True;
    end;
  end;
end;

function LoadFromFile(const FileName: string): Boolean;
begin
  FIntFile := NewReadFileStream(FileName);   { read-only stream helper from the original control }
  if FIntBuffer = nil then                   { allocation added here; the control allocates it elsewhere }
    GetMem(FIntBuffer, CBUF_SIZE);
  FIntFile.Position := 0;
  FDataSize2 := FIntFile.Size;
  FIntBufferPos := -1;
  Result := True;
end;

{ Find ABuffer (ACount bytes) in the "current file" between offsets AStart and
  AEnd inclusive; returns the offset of the hit, or -1 if not found.
  (The original also saved and restored the control's Cursor around the loop.) }
function Find(ABuffer: PChar; const ACount, AStart, AEnd: Integer): Integer;
var
  PChAct: Char;
  PCMem, PCFind, PCHit, PEnd: Integer;
begin
  Result := -1;
  PEnd := AEnd;
  if ACount < 1 then
    Exit;
  if AStart + ACount > (PEnd + 1) then
    Exit;   { can never be found: the searched range is smaller than the pattern }
  PCMem := AStart;      { current file offset }
  PCFind := 0;          { index into the pattern }
  PCHit := PCMem + 1;   { offset to resume from when a partial match fails }
  repeat
    if PCMem > PEnd then
      Exit;
    CheckInternalBuffer(PCMem);
    PChAct := Char(FIntBuffer^[PCMem - FIntBufferPos]);
    if PChAct = ABuffer[PCFind] then
    begin
      if PCFind = (ACount - 1) then
      begin
        Result := PCMem - ACount + 1;
        Exit;
      end
      else
      begin
        if PCFind = 0 then
          PCHit := PCMem + 1;
        Inc(PCMem);
        Inc(PCFind);
      end;
    end
    else
    begin
      PCMem := PCHit;
      PCFind := 0;
      PCHit := PCMem + 1;
    end;
  until False;
end;

{ Convert the hex signature FindStr to bytes and look for it at exactly the
  fixed offset MyPos (the search range is MyPos .. MyPos + FindLen - 1). }
function TForm1.Check2(FileName: string): Boolean;
const
  CHexChars = '0123456789ABCDEF';
var
  FindLen, FindPos, MyPos: LongInt;
  FindStr, PStr: string;
  PCt, PCt1: Integer;
begin
  Result := False;
  { FindStr and MyPos are assigned from the signature definition: }
  MyPos := MyPoint;
  PStr := '';
  PCt1 := Length(FindStr) div 2;
  for PCt := 0 to (Length(FindStr) div 2) - 1 do
    { high nibble * 16 + low nibble }
    PStr := PStr + Char((Pos(FindStr[PCt * 2 + 1], CHexChars) - 1) * 16 +
                        (Pos(FindStr[PCt * 2 + 2], CHexChars) - 1));
  GetMem(FindBuf, PCt1);
  try
    FindLen := PCt1;
    Move(PStr[1], FindBuf^, PCt1);
    FindPos := Find(FindBuf, FindLen, MyPos, MyPos + FindLen - 1);
    if FindPos = -1 then
      Exit
    else
    begin
      { do something with the hit! }
      Result := True;
      Exit;
    end;
  finally
    FreeMem(FindBuf, PCt1);
  end;
end;
Support for multi-segment signatures is omitted from the code; it is nothing more than finding one segment and then continuing with the next.
Support for "?" (skipping some bytes) is likewise omitted; it is nothing more than a change to the Find function.
The code is messy, admittedly; I have never liked tidying it up, otherwise where would the bugs come from (joke).
This code was split out of a hex-editor control. Because the original control was meant for the user to edit files, by default it copies the file to the Windows Temp folder and then modifies that copy, so that a mistaken edit cannot damage the original.
A scanner built on such a control inherits that copy step, which is the engine problem described at the top: every scanned file is written to Temp before it is read. So whenever you use a third-party control, check its source for what it actually does and modify it where necessary; otherwise it works against the user.
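As an added example (not the Pclxav source and not the author's code), the same fixed-offset search is written below in Python and extended with the two features the article leaves out: "??" wildcard bytes and multi-segment signatures where later segments float within a bounded gap after the previous hit. The signature syntax, the Segment and Signature types, and the SAMPLE bytes are all constructed for illustration. Where the original Find reads one byte at a time through CheckInternalBuffer, this version compares the pattern against a read window directly, so consecutive windows overlap by pattern length minus one to avoid missing a hit that straddles a window boundary.

```python
"""Hex-signature matcher in the style of the engine above, plus the two features the
article leaves out: '??' wildcards and multi-segment signatures.  Added example, not the
Pclxav source; the signature syntax and the SAMPLE bytes are constructed."""
import io
import re
from dataclasses import dataclass
from typing import BinaryIO, List, Optional, Tuple

BUF_SIZE = 65536  # read-window size, same value as the engine's CBUF_SIZE


@dataclass(frozen=True)
class Pattern:
    """Signature bytes; None marks a '??' wildcard position."""
    bytes_: Tuple[Optional[int], ...]

    @classmethod
    def parse(cls, hexstr: str) -> "Pattern":
        s = re.sub(r"\s+", "", hexstr).upper()
        if not re.fullmatch(r"(?:[0-9A-F]{2}|\?\?)*", s):
            raise ValueError(f"bad hex signature {hexstr!r}")
        pairs = (s[i:i + 2] for i in range(0, len(s), 2))
        return cls(tuple(None if p == "??" else int(p, 16) for p in pairs))

    def matches_at(self, buf: bytes, pos: int) -> bool:
        # caller guarantees pos + len(self.bytes_) <= len(buf)
        return all(b is None or buf[pos + i] == b for i, b in enumerate(self.bytes_))


def find(f: BinaryIO, pat: Pattern, start: int, end: int, buf_size: int = BUF_SIZE) -> int:
    """First offset in [start, end] where pat matches, else -1 (same contract as Find)."""
    n = len(pat.bytes_)
    if n == 0 or n > buf_size or start < 0 or start + n > end + 1:
        return -1
    pos = start
    while pos + n - 1 <= end:
        want = min(buf_size, end - pos + 1)
        f.seek(pos)
        window = f.read(want)
        limit = len(window) - n        # last window index where pat still fits
        for i in range(limit + 1):
            if pat.matches_at(window, i):
                return pos + i
        if len(window) < want:         # EOF before `end`: nothing left to read
            return -1
        pos += limit + 1               # next window overlaps by n-1 bytes: no miss at the seam
    return -1


@dataclass(frozen=True)
class Segment:
    pattern: Pattern
    offset: Optional[int] = None   # absolute file offset, or None = floats after the previous segment
    max_gap: int = 256             # floating segment: how far past the previous hit to look


@dataclass(frozen=True)
class Signature:
    name: str
    segments: Tuple[Segment, ...]


def match_signature(f: BinaryIO, sig: Signature, size: int) -> Optional[int]:
    """Offset of the first segment if every segment matches in order, else None."""
    cursor, first = 0, None
    for seg in sig.segments:
        n = len(seg.pattern.bytes_)
        if seg.offset is not None:     # fixed offset: exactly one candidate position
            start, end = seg.offset, seg.offset + n - 1
        else:                          # floating: window after the previous segment's end
            start, end = cursor, min(cursor + seg.max_gap + n - 1, size - 1)
        hit = find(f, seg.pattern, start, end)
        if hit < 0:
            return None
        first = hit if first is None else first
        cursor = hit + n
    return first


def find_hex(data: bytes, hexsig: str, start: int = 0, end: Optional[int] = None,
             buf_size: int = BUF_SIZE) -> int:
    """Search an in-memory file for one hex pattern; end defaults to the last byte."""
    end = len(data) - 1 if end is None else end
    return find(io.BytesIO(data), Pattern.parse(hexsig), start, end, buf_size)


def scan(data: bytes, sigs: List[Signature]) -> List[Tuple[str, int]]:
    """Run every signature over one in-memory file; returns (name, offset) hits."""
    f, hits = io.BytesIO(data), []
    for sig in sigs:
        off = match_signature(f, sig, len(data))
        if off is not None:
            hits.append((sig.name, off))
    return hits


# Constructed 50-byte "file": 16-byte header, 9-byte stub at offset 16,
# 20 zero bytes, then a 5-byte jump at offset 45.  Not a real sample.
SAMPLE = (bytes.fromhex("4D5A90000300000004000000FFFF0000")
          + bytes.fromhex("60E8000000005D81ED") + b"\x00" * 20 + bytes.fromhex("E911223344"))
SIGNATURES = [
    Signature("Stub.Fixed", (Segment(Pattern.parse("60E8????????5D81ED"), offset=16),)),
    Signature("Stub.TwoPart", (Segment(Pattern.parse("60E8????????5D81ED"), offset=16),
                               Segment(Pattern.parse("E9????????"), max_gap=64))),
    Signature("Absent", (Segment(Pattern.parse("DEADBEEF")),)),
]
```

Calling scan(SAMPLE, SIGNATURES) reports Stub.Fixed and Stub.TwoPart at offset 16 and nothing for Absent. A fixed-offset check in the style of Check2 is find_hex(SAMPLE, "60E8????????5D81ED", 16, 24): the range is exactly the pattern length, so only one position is tried. Passing a small buf_size (for example 8) exercises the window-overlap logic on a hit that crosses a window boundary.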
On domestic antivirus: Jiangmin, I do not know what was changed by mistake, but it removed a certain security product's signatures that could detect 2000 kinds of viruses; I cannot think of any remedy.
Rising: if it can raise its international virus-hunting capability and pay more attention to developments abroad, there is hope.
Kingsoft (Jinshan): stop pushing things users do not need for free, and the future will be better.
Detection capability of the foreign products: KAV > McAfee > NOD32.
For unknown-virus detection the order is the reverse.
One last small request: I hope people rely less on foreign multi-engine scanning, so that domestic antivirus gains a bit more confidence.
About the author: Jike, creator of the2avpro (Pclxav). The software currently runs a second-generation signature engine; whether a third-generation floating-signature engine will appear is still unknown.
Contact: jike_man@hotmail.com http://crackchina.nease.net/
