#include "FUNDEF.H"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
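/*
 * Entry point.
 *
 * argv[1] names the file (or FindFirstFile pattern) to look for under the
 * system directory. The three stages run in order: signature scan, process
 * kill + file delete, Run-key cleanup. Each stage is skipped if the previous
 * one failed, and the exit status is non-zero on any failure so a batch file
 * or caller can tell success from failure (the original returned 0 on every
 * path, including the error ones).
 */
int main(int argc, char *argv[])
{
    /* `argc = 1` assigned instead of compared; also treat argc == 0 as "no argument". */
    if (argc < 2) {
        usage(argv[0]);
        return 1;
    }
    if (!scanfilevxer(argv[1])) {
        printf("scanfilevxer() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    if (!processvxer()) {
        printf("processvxer() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    if (!regdelvxer()) {
        printf("regdelvxer() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    return 0;
}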
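/*
 * Enumerate files matching `filename` in the Windows system directory and
 * run the signature check (scanvxer) on each one.
 *
 * filename: a bare file name or wildcard pattern. It must not contain a
 *           path component: scanvxer() opens cFileName relative to the
 *           system directory (made the current directory here), and
 *           processvxer() later rebuilds "<system dir>\<name>", so a
 *           pattern like "..\foo.exe" would match one file and scan another.
 *
 * Returns TRUE when the directory was enumerated (whether or not anything
 * matched), FALSE when a Win32 call failed (details via GetLastError()).
 * On a match scanvxer() has stored the bare file name in the global `name`.
 *
 * Fixes relative to the previous version:
 *  - hfind was used uninitialised by FindNextFile() when GetSystemDirectory()
 *    or SetCurrentDirectory() failed (the while loop sat outside both ifs);
 *  - FindClose() was called on INVALID_HANDLE_VALUE;
 *  - GetSystemDirectory() was given a length (HIGH) unrelated to dirbuffer's
 *    real size; sizeof is used now;
 *  - "." and ".." made the program exit(0) instead of being skipped.
 */
BOOL scanfilevxer(char *filename)
{
    WIN32_FIND_DATA findfiledata;
    HANDLE hfind = INVALID_HANDLE_VALUE;
    char fullpath[MAX_PATH];
    char dirbuffer[MAX_PATH];
    UINT n;
    int count = 0;
    /* Where the worm's embedded text sits in the image, and its length. */
    long fileoffset = 0x1784;
    int filelength = 0x77;
    /* The text to match, as raw bytes (0x77 == 119 of them). */
    unsigned char contents[] = {
        0x49, 0x20, 0x6a, 0x75, 0x73, 0x74, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x73,
        0x61, 0x79, 0x20, 0x4c, 0x4f, 0x56, 0x45, 0x20, 0x59, 0x4f, 0x55, 0x20, 0x53, 0x41, 0x4e, 0x21,
        0x21, 0x20, 0x62, 0x69, 0x6c, 0x6c, 0x79, 0x20, 0x67, 0x61, 0x74, 0x65, 0x73, 0x20, 0x77, 0x68,
        0x79, 0x20, 0x64, 0x6f, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6d, 0x61, 0x6b, 0x65, 0x20, 0x74, 0x68,
        0x69, 0x73, 0x20, 0x70, 0x6f, 0x73, 0x73, 0x69, 0x62, 0x6c, 0x65, 0x20, 0x3f, 0x20, 0x53, 0x74,
        0x6f, 0x70, 0x20, 0x6d, 0x61, 0x6b, 0x69, 0x6e, 0x67, 0x20, 0x6d, 0x6f, 0x6e, 0x65, 0x79, 0x20,
        0x61, 0x6e, 0x64, 0x20, 0x66, 0x69, 0x78, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x73, 0x6f, 0x66,
        0x74, 0x77, 0x61, 0x72, 0x65, 0x21, 0x21 };

    if (filename == NULL || filename[0] == '\0') {
        printf("scanfilevxer(): empty file name\n");
        return FALSE;
    }
    /* Reject path components: see the contract above. */
    if (strpbrk(filename, "\\/:") != NULL) {
        printf("scanfilevxer(): file name must not contain a path\n");
        return FALSE;
    }

    /* GetSystemDirectory returns the needed size (>= buffer) when the buffer is too small. */
    n = GetSystemDirectory(dirbuffer, sizeof dirbuffer);
    if (n == 0 || n >= sizeof dirbuffer) {
        printf("getsystemdirectory() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }
    /* Make the system directory current so cFileName can be opened relative to it. */
    if (!SetCurrentDirectory(dirbuffer)) {
        printf("setcurrentdirectory() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    hfind = FindFirstFile(filename, &findfiledata);
    if (hfind == INVALID_HANDLE_VALUE) {
        /* No handle was returned, so there is nothing to FindClose(). */
        printf("findfirstfile() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    do {
        /* Directory entries are not candidates; skip them and keep enumerating. */
        if (strcmp(".", findfiledata.cFileName) == 0 || strcmp("..", findfiledata.cFileName) == 0)
            continue;
        count++;

        /* Full path is printed for the operator's benefit only. */
        n = GetFullPathName(findfiledata.cFileName, sizeof fullpath, fullpath, NULL);
        if (n == 0 || n >= sizeof fullpath) {
            printf("getfullpathname() GetLastError reports %lu\n", (unsigned long)GetLastError());
            FindClose(hfind);
            return FALSE;
        }
        printf("filepath: %s\n", fullpath);

        /* cFileName is passed (not fullpath) because processvxer() prepends
         * the system directory to the global `name` itself. */
        if (scanvxer(findfiledata.cFileName, fileoffset, filelength, contents))
            break;  /* first match wins; `name` now holds the file name */
    } while (FindNextFile(hfind, &findfiledata));

    printf("file Total: %d\n", count);
    FindClose(hfind);
    return TRUE;
}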
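/*
 * Compare `v_length` bytes at offset `v_fileoffset` of file `v_filename`
 * with `v_contents`.
 *
 * v_filename:   file to open (binary, read-only), relative to the cwd.
 * v_fileoffset: byte offset of the signature within the file (>= 0).
 * v_length:     signature length in bytes (> 0).
 * v_contents:   the signature bytes.
 *
 * Returns TRUE on an exact match; the bare file name is then copied into the
 * global `name` for processvxer(). Returns FALSE when the file cannot be
 * opened, is too short to hold the signature, or does not match.
 *
 * Fixes relative to the previous version:
 *  - a match called exit(0), so processvxer()/regdelvxer() never ran after a
 *    hit; the result is now returned to the caller instead;
 *  - the FILE was never fclose()d on the no-match path (one leaked handle per
 *    file scanned) and fclose(NULL) was called on open failure;
 *  - v_length was read into a fixed HIGH-byte stack buffer with no bound
 *    check; the buffer is now sized from v_length;
 *  - fread()'s result was ignored, so a short file was compared against
 *    stale/zero bytes.
 */
BOOL scanvxer(
    char *v_filename,   /* file name */
    long v_fileoffset,  /* offset address */
    int v_length,       /* length */
    void *v_contents)   /* content */
{
    BOOL matched = FALSE;
    unsigned char *filecontents = NULL;
    FILE *fp;

    if (v_filename == NULL || v_contents == NULL || v_length <= 0 || v_fileoffset < 0)
        return FALSE;

    fp = fopen(v_filename, "rb");
    if (fp == NULL) {
        printf("file open fail\n");
        return FALSE;   /* nothing to close */
    }

    filecontents = malloc((size_t)v_length);
    if (filecontents == NULL)
        goto out;
    if (fseek(fp, v_fileoffset, SEEK_SET) != 0)
        goto out;
    /* Short read: the file cannot contain the signature at that offset. */
    if (fread(filecontents, 1, (size_t)v_length, fp) != (size_t)v_length)
        goto out;

    if (memcmp(v_contents, filecontents, (size_t)v_length) == 0) {
        printf("file match completely\n");
        /* `name` is declared in FUNDEF.H and its capacity is not visible here.
         * v_filename comes from WIN32_FIND_DATA.cFileName (at most MAX_PATH),
         * so this copy is only safe if `name` holds MAX_PATH bytes --
         * NOTE(review): confirm against FUNDEF.H. */
        strcpy(name, v_filename);
        matched = TRUE;
    }

out:
    free(filecontents);
    fclose(fp);
    return matched;
}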
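/*
 * Enumerate running processes and print them; any process whose main module
 * is "<system dir>\<name>" (`name` being the file scanvxer() matched) is
 * terminated via killproc() and its image deleted.
 *
 * Returns TRUE when enumeration completed, FALSE on failure (details via
 * GetLastError()). When `name` is empty nothing matched earlier, so the
 * process list is only printed.
 *
 * Fixes relative to the previous version:
 *  - always returned 0, so main() treated success as failure and never ran
 *    regdelvxer();
 *  - the target path was hard-coded as C:\winnt\system32, which is wrong on
 *    most installations and differs from the directory scanfilevxer()
 *    actually scanned; GetSystemDirectory() is used now;
 *  - `filename` was a FIVE-byte buffer filled by unchecked strcpy/strcat;
 *  - one CloseHandle() after the loop leaked every handle but the last, and
 *    used an uninitialised hproc when no process was opened;
 *  - PROCESS_ALL_ACCESS was requested just to read the module path;
 *    termination is done by killproc() with its own handle, so query rights
 *    suffice here (and more processes can be opened without SeDebug);
 *  - path comparison was case-sensitive although Windows paths are not.
 */
BOOL processvxer(void)
{
    enum { MAX_PROCS = 1024, MAX_MODS = 1024 };
    DWORD lpidprocess[MAX_PROCS], cbneeded_1, cbneeded_2;
    HANDLE hproc;
    HMODULE hmod[MAX_MODS];
    char procfile[MAX_PATH];
    char filename[MAX_PATH] = { 0 };
    char sysdir[MAX_PATH];
    BOOL have_target = FALSE;
    DWORD nprocs, i;
    UINT n;
    int pcount = 0;

    /* Needed to open processes of other users / SYSTEM. Not fatal: without
     * it only processes we already have rights to can be inspected. */
    if (!enableprivilege(SE_DEBUG_NAME))
        printf("enableprivilege() GetLastError reports %lu\n", (unsigned long)GetLastError());

    /* Build "<system dir>\<name>" once, with an explicit length check. */
    if (name[0] != '\0') {
        n = GetSystemDirectory(sysdir, sizeof sysdir);
        if (n == 0 || n >= sizeof sysdir) {
            printf("getsystemdirectory() GetLastError reports %lu\n", (unsigned long)GetLastError());
            return FALSE;
        }
        if (strlen(sysdir) + 1 + strlen(name) + 1 > sizeof filename) {
            printf("processvxer(): target path too long\n");
            return FALSE;
        }
        strcpy(filename, sysdir);
        strcat(filename, "\\");
        strcat(filename, name);
        have_target = TRUE;
    }

    if (!EnumProcesses(lpidprocess, sizeof lpidprocess, &cbneeded_1)) {
        printf("enumprocesses() GetLastError reports %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }
    nprocs = cbneeded_1 / sizeof(DWORD);

    for (i = 0; i < nprocs; i++) {
        hproc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lpidprocess[i]);
        if (hproc == NULL)
            continue;   /* e.g. System / Idle or insufficient rights */

        /* hmod[0] is the main module; guard against an empty module list. */
        if (EnumProcessModules(hproc, hmod, sizeof hmod, &cbneeded_2)
            && cbneeded_2 >= sizeof(HMODULE)
            && GetModuleFileNameEx(hproc, hmod[0], procfile, sizeof procfile)) {
            /* Process listing; comment out if the output is unwanted. */
            printf("[%5lu]\t%s\n", (unsigned long)lpidprocess[i], procfile);
            pcount++;

            if (have_target && _stricmp(filename, procfile) == 0) {
                if (!killproc(lpidprocess[i])) {
                    printf("killproc() GetLastError reports %lu\n", (unsigned long)GetLastError());
                    CloseHandle(hproc);
                    return FALSE;
                }
                /* killproc() waits for exit, so the image should be unlocked now. */
                if (!DeleteFile(filename))
                    printf("deletefile() GetLastError reports %lu\n", (unsigned long)GetLastError());
            }
        }
        CloseHandle(hproc);   /* one close per successful OpenProcess */
    }

    printf("\nprocess Total: %d\n", pcount);
    return TRUE;
}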
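/*
 * Terminate the process with PID `processid` and wait (bounded) for it to
 * exit so that the caller can delete its image afterwards.
 *
 * Returns TRUE when TerminateProcess() succeeded, FALSE when the process
 * could not be opened or terminated (details via GetLastError()).
 *
 * Fixes relative to the previous version:
 *  - the parameter was declared `DWORD *` but callers pass a DWORD PID and
 *    OpenProcess() takes a DWORD;
 *  - a failed OpenProcess() fell through to CloseHandle(NULL) and returned
 *    TRUE, so the caller went on to DeleteFile() a still-running image;
 *  - a failed TerminateProcess() leaked the handle;
 *  - PROCESS_ALL_ACCESS is far more than termination needs.
 */
BOOL killproc(DWORD processid)
{
    enum { KILLPROC_WAIT_MS = 5000 };
    HANDLE hproc;
    BOOL ok = FALSE;

    /* PROCESS_TERMINATE for TerminateProcess, SYNCHRONIZE to wait on exit. */
    hproc = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, processid);
    if (hproc == NULL)
        return FALSE;

    if (TerminateProcess(hproc, 0)) {
        /* TerminateProcess is asynchronous; without this wait the caller's
         * DeleteFile() can race the dying process that still maps the file.
         * A timeout is tolerated: the delete then simply reports its error. */
        WaitForSingleObject(hproc, KILLPROC_WAIT_MS);
        ok = TRUE;
    } else {
        printf("terminateprocess GetLastError reports %lu\n", (unsigned long)GetLastError());
    }

    CloseHandle(hproc);
    return ok;
}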
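/*
 * Enable the named privilege (e.g. SE_DEBUG_NAME) in the current process
 * token.
 *
 * Returns TRUE only when the privilege is actually enabled. Note that
 * AdjustTokenPrivileges() returns TRUE even when the token does not hold
 * the privilege at all and nothing was changed; that case is signalled by
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED and is reported as failure here
 * (the previous version treated it as success). The token handle is closed
 * on every path.
 */
BOOL enableprivilege(PCHAR privilegename)
{
    HANDLE htoken;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    if (privilegename == NULL)
        return FALSE;

    /* GetCurrentProcess() returns a pseudo-handle; it is never closed. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken))
        return FALSE;

    memset(&tp, 0, sizeof tp);
    if (!LookupPrivilegeValue(NULL, privilegename, &tp.Privileges[0].Luid))
        goto out;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof tp, NULL, NULL))
        goto out;

    /* Success is only real when every requested privilege was assigned. */
    ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

out:
    CloseHandle(htoken);
    return ok;
}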
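/*
 * Remove the worm's autostart value "windows auto update" from
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
 *
 * Returns 1 when the value was deleted or was not present (nothing to
 * clean), 0 when the key could not be opened or the delete failed; the
 * registry error code is printed. The key is closed on every path.
 *
 * Fixes relative to the previous version:
 *  - `hkey` had no type;
 *  - `!ret == ERROR_SUCCESS` only worked because ERROR_SUCCESS is 0 -- the
 *    comparison is written out explicitly now;
 *  - failures called exit(0), which hid them from main() (a zero exit
 *    status) and leaked the open key;
 *  - KEY_ALL_ACCESS was requested where RegDeleteValue() only needs
 *    KEY_SET_VALUE.
 */
int regdelvxer(void)
{
    HKEY hkey;
    LONG ret;
    int result = 0;

    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                       0,
                       KEY_SET_VALUE,
                       &hkey);
    if (ret != ERROR_SUCCESS) {
        printf("register open fail (error %ld)\n", (long)ret);
        return 0;
    }

    ret = RegDeleteValue(hkey, "windows auto update");
    if (ret == ERROR_SUCCESS) {
        printf("Success Delete\n");
        result = 1;
    } else if (ret == ERROR_FILE_NOT_FOUND) {
        /* Already clean: no autostart entry to remove. */
        printf("value not present, nothing to delete\n");
        result = 1;
    } else {
        printf("delete fail (error %ld)\n", (long)ret);
    }

    RegCloseKey(hkey);
    return result;
}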
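/*
 * Print the banner and command-line usage to stderr.
 *
 * parameter: the program name (argv[0]); NULL or "" is tolerated.
 *
 * The string literals in the previous version were garbled (`&quot;`,
 * `% s`, `\ N`, `\;`), which made the format string invalid; they are
 * restored here. The format consumes three %s arguments: program name twice
 * and the directory description once.
 */
void usage(char *parameter)
{
    const char *path = "%SystemRoot%\\system32\\";
    const char *prog = (parameter != NULL && parameter[0] != '\0') ? parameter : "<program>";

    fprintf(stderr,
            "===============================================================================\n"
            "Simple implementation of anti-virus software\n"
            "Environment: Win2k adv SERVER + visual c++ 6.0\n"
            "Author: dahubaobao\n"
            "Homepage: www.ringz.org\n"
            "OICQ: 382690\n"
            "Mail: 382690@qq.com\n"
            "Statement: This post is original in ringZ. Please indicate the source for reprinting. Thank you!\n"
            "Usage:\n"
            "%s <file name>. Example: %s msblast.exe\n"
            "NOTE:\n"
            "This program is just a simple introduction to the preparation of anti-virus software, so there are many imperfections, including:\n"
            "1. This program uses the shock wave worm as an example\n"
            "2. Only files under the %s directory are searched during file traversal\n"
            "3. This program cannot kill the shock wave variant\n"
            "This program is only used for code communication. Please point out any errors!\n"
            "===============================================================================\n",
            prog, prog, path);
}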