Security tools: Making autorun. inf immunization programs

I. Preface

I have studied anti-virus in article 006th: Using WinRAR and autorun. autorun. as the final answer to this question, I plan to discuss how to use MFC to develop a simple immune program. Although we should be no longer suffering from autorun. inf, many of the ideas are still worth exploring. It should be emphasized that the focus of this article is prevention, that is, how to pin your computer before being threatened by autorun. inf. If autorun. inf is damaged on the computer, refer to Article 006th in the anti-virus series.

 

Ii. Immune principle of autorun. inf

We can find a lot of immunization tools on the Internet, and now some modified versions of the operating system will also provide such an immunization tool. The immune mechanism is to create a non-deleted autorun. inf folder to prevent viruses from generating an autorun. inf running virus. The main points of immunization are:

1. prevent viruses from generating the autorun. inf file in the root directory of the drive.

2. prevent viruses from damaging our immunity measures.

For the first point, we can create an autorun. inf folder under the root directory of the drive. The principle is that the file in the same directory cannot be the same as the folder name. For the second point, we can create an undeletable directory in the autorun. inf folder we just created.

In Windows, the following words cannot be used to name files/folders, including aux, COM1, com2, PRN, con, and NUL, because these names belong to device names, it is equivalent to a DOS device. If we name the files with these names, Windows will mistakenly assume that the names are duplicated. Although folders named after these names can be accessed or created, they cannot be deleted because Windows does not allow devices to be deleted in this way. In the system's view, this folder is a device. If the device name is not used as the file name, you can also use some methods to give the file or file a name that contains invalid characters. In this way, they cannot be deleted, this is also the method to be discussed next. Although such names cannot be created or deleted by normal means, we can implement them through programming. Next we will discuss the programming methods.

 

3. Use MFC to create an immune program interface

First, you need to create a dialog box-based MFC program, and then add a combo box control and two button controls on the default control on the interface:

Figure 1 Program Interface

Change the IDs of the three controls on the interface to idc_combo_driver, idc_immunity, and idc_cancel. Then, add a variable named "control" and "m_combodriver" to the ComboBox control.

One thing to note here is that many beginners find that after the program is running, click the lower triangle on the right side of the combo box control and the drop-down menu cannot be opened, however, you can select a drop-down item by using the keyboard "keyboard. In fact, this is because the combo box control needs to be pulled down to a certain range during interface design. Click the inverted triangle on the right to adjust the settings:

Figure 2 adjust the display range of the combo box Control

At this point, the interface design is still very simple. Next we need to add code to implement the function.

 

4. Compile the code of the immune programThe combo box control in the program is used to select the drive letter to be immune. Therefore, all drive letters must be displayed in the control for the user to choose from. Here, a function is defined to implement corresponding functions. In the cimmunityardlg. cpp file, find the oninitdialog () function and declare the function between "// todo: add extra initialization here" and "return:

InitComboDriver();

To indicate the initial settings of the Program dialog box, and then add the initcombodriver () function after the oninitdialog () function:

Void cimmunityardlg: initcombodriver () {char szdriverstring [maxbyte] = {0}; char * pTMP = NULL; // setdlgitemtext (idc_combo_driver, _ T ("select a drive letter... "); // get the string type drive list getlogicaldrivestrings (maxbyte, szdriverstring); pTMP = szdriverstring; while (* pTMP) {// Add the string m_combodriver.addstring (pTMP) to the ccombobox; // each drive letter occupies 4 bytes. Therefore, you can switch to the next drive letter pTMP + = 4 when adding 4 ;}}

For beginners, it is worth noting that because we have customized the initcombodriver () function, we must add the declaration of this function to the header file, that is, cimmunityardlg. h, you can add in public:

void InitComboDriver();

Next, add the code for the "immunity" button. Double-click the button to go to the code editing page. First, add two macro definitions at the top:

// Name of the Created directory # define Autorun "autorun. inf" // create a directory that cannot be deleted # define immunity \ immunity ...\\

The following code defines the buttons:

Void cimmunityardlg: onbtnimmunity () {// todo: add your control notification handler code here char szpath [max_path] = {0}; getdlgitemtext (idc_combo_driver, szpath, max_path ); // create Autorun. INF folder strcat (szpath, Autorun); bool Bret = createdirectory (szpath, null); // If the drive letter cannot be immune, it may be immune or the drive letter cannot be written if (! Bret) {// afxmessagebox ("immunity error! "); Return;} // create a folder that cannot be deleted for immunization strcat (szpath, immunity); Bret = createdirectory (szpath, null); If (! Bret) {afxmessagebox ("immunity error! ");}}

Next, add code to the cancel button:

Void cimmunityardlg: onbtncancel () {// todo: add your control notification handler code here char szpath [max_path] = {0}; // Delete the folder immunity ..., the path is X: \ autorun. INF \ immunity... getdlgitemtext (idc_combo_driver, szpath, max_path); strcat (szpath, Autorun); strcat (szpath, immunity); removedirectory (szpath ); // clear the array zeromemory (szpath, max_path) that stores path information; // Delete the folder Autorun. INF. The path is X: \ autorun. INF // note that the directory here needs to be deleted from the inside to the outside layers getdlgitemtext (idc_combo_driver, szpath, max_path); strcat (szpath, Autorun); removedirectory (szpath );}

So far, all the code has been compiled and tested to achieve the corresponding effect. I will not go into details here.

 

V. Knowledge supplement

The zeromemory () function is used in the above program. I used the memset () function to achieve the same purpose. The difference between the two is:

1. zeromemory () is provided by Microsoft SDK, and memset () is provided by C run-timelibrary. Therefore, zeromemory () can only be used in Windows systems, while memset () it can also be used in other systems.

2. zeromemory () is a macro that is used to set the content of a piece of memory to zero. It is actually implemented using memset () internally, while memset () not only clears the memory, you can also set the memory to another character.

3. If the program is a Win32 program and does not want to connect to the crun-time library, use zeromemory. If cross-platform is required, use memset. Zeromemory is equivalent to memset (buffer, 0, length ).

The differences between afxmessagebox and MessageBox are as follows:

1. afxmessagebox is a global function provided by the MFC Library and provides multiple reloads. MessageBox is a standard Windows API function.

2. The afxmessagebox function can be used in any class, while the MessageBox () function can only be used in the inheritance class of the cwnd class. In addition, the parameters of the afxmessagebox () function are not as rich as those of the MessageBox () function, so the latter is more flexible than the former.

3. afxmessagebox does not control the message box title. It is often used for internal data output or warning during program debugging. MessageBox is more formal and often used in the application version to be submitted, you can control the title content without using an executable file name with unknown meanings as the title.

 

Vi. SummaryThrough the preparation of this immune program, it has played a very good role. Although this immune program is of little significance today, many precautions and programming knowledge are worth learning. This is just a foundation, and more security tools will be compiled in the future.

Security tools: Making autorun. inf immunization programs