Source code of a dedicated Pandatv (whboy virus) tool that cleans infected EXE files
/*
Pandatv: clean infected EXE files
By: ww0830
Create: 2007-1-7
*/
# Include "windows. H"
# Include <stdio. h>
# Include <string. h>
# Include <stdlib. h>
# Define test
long g_lcheckfilenumber = 0L; // how many .exe/.scr files have been examined so far
long g_lclearfilenumber = 0L; // how many of those were found bound and restored
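//
// Function:
//     Check if an EXE file has been bound by the whboy virus.
//     The layout this tool recognises: the original program (its "MZ"
//     header) sits at file offset 0x12605, and the very last byte of the
//     file is 0x01. The offset is hard-coded from the sample this tool was
//     written against.
//
// Parameter:
//     FILE *fp -- stream opened "rb" on the file to examine
//
// Return:
//     true  -- both markers are present, treat the file as bound
//     false -- markers absent, fp is NULL, the file is too short, or a
//              seek/read failed
//
// Remark:
//     Does not close fp; the caller owns the stream and closes it.
//     The stream position is unspecified on return.
//
bool checkwhvirus(FILE *fp)
{
    // Offset of the original host image inside an infected file
    const long kHostOffset = 0x12605L;
    unsigned char buffer[2];

    if (fp == NULL) {
        return false;
    }

    // fseek rather than fsetpos: fpos_t is an opaque type in standard C/C++
    // and cannot portably be initialised from an integer.
    if (fseek(fp, kHostOffset, SEEK_SET) != 0) {
        printf("trouble opening file\n");
        return false;
    }

    // A short read means the file ends before the host image: not bound.
    // (The original ignored the fread result and compared stale bytes.)
    if (fread(buffer, 1, sizeof buffer, fp) != sizeof buffer) {
        return false;
    }
    if (buffer[0] != 'M' || buffer[1] != 'Z') {
        return false;
    }

    // The infection trailer ends with 0x01 as the last byte of the file.
    if (fseek(fp, -1L, SEEK_END) != 0) {
        return false;
    }
    if (fread(buffer, 1, 1, fp) != 1) {
        return false;
    }
    return buffer[0] == 0x01;
}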
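//
// Parse the trailer "0x02 <ASCII decimal length> 0x01" backwards from the
// end of fp. lfilesize is the total size of fp in bytes.
//
// Return:
//     the decoded length, always in 0..lfilesize
//     -1 if the 0x02 marker is missing, a non-digit byte is met, the value
//        would exceed the file size (or overflow), or a seek/read fails
//
static long read_trailer_length(FILE *fp, long lfilesize)
{
    long lfilelen = 0;
    long lexp = 1;      // weight of the next digit; digits come least significant first
    long repos = -1;    // offset from SEEK_END; -1 is the trailing 0x01
    unsigned char byte = 0;

    for (;;) {
        int digit;

        repos--;
        if (-repos > lfilesize) {
            return -1;  // reached the start of the file without a 0x02
        }
        if (fseek(fp, repos, SEEK_END) != 0 || fread(&byte, 1, 1, fp) != 1) {
            return -1;
        }
        if (byte == 0x02) {
            break;
        }
        if (byte < '0' || byte > '9') {
            return -1;  // the bytes between the markers must be decimal digits
        }
        digit = byte - '0';
        // Reject instead of overflowing: the length can never exceed the file size.
        if (digit != 0 && digit > (lfilesize - lfilelen) / lexp) {
            return -1;
        }
        lfilelen += digit * lexp;
        // Keep lexp bounded; once it passes lfilesize every further
        // non-zero digit is rejected by the check above.
        lexp = (lexp <= lfilesize / 10) ? lexp * 10 : lfilesize + 1;
    }
    return lfilelen;
}

//
// Function:
//     Restore the original program from a file bound by the whboy virus.
//     Layout assumed (see checkwhvirus): original image at offset 0x12605,
//     trailer "0x02 <decimal length> 0x01" at the end of the file.
//
// Parameter:
//     FILE *fp                -- stream opened "rb" on the infected file
//     char *stroriginfilename -- path of that file; it is rewritten in place
//
// Return:
//     void. On any failure a message is printed and the file on disk is left
//     as it was: the infected file is only renamed after the original image
//     has been read successfully, and the length from the trailer is checked
//     against the real file size before it is trusted.
//
// Remark:
//     fp is closed by this function on every path.
//     The infected file is kept as a backup whose name is the original name
//     with its last character replaced by '1' (foo.exe -> foo.ex1). rename()
//     is used instead of MoveFile so the function only depends on <stdio.h>;
//     on POSIX an existing backup of that name is overwritten.
//
void clearvirus(FILE *fp, char *stroriginfilename)
{
    const long kHostOffset = 0x12605L;   // where the original image starts
    char *stroriginfile = NULL;          // buffer holding the recovered image
    char *strbackupfile = NULL;          // name the infected file is moved to
    FILE *outfp = NULL;
    long lfilesize = 0;
    long lfilelen = 0;
    size_t namelen = 0;

    if (fp == NULL || stroriginfilename == NULL) {
        printf("clearvirus: invalid argument\n");
        goto out_close;
    }
    namelen = strlen(stroriginfilename);
    if (namelen == 0) {
        printf("clearvirus: empty file name\n");
        goto out_close;
    }

    // The file size bounds both the backward scan and the claimed length.
    if (fseek(fp, 0L, SEEK_END) != 0 || (lfilesize = ftell(fp)) < 0L) {
        printf("cannot determine size of %s\n", stroriginfilename);
        goto out_close;
    }

    lfilelen = read_trailer_length(fp, lfilesize);
    printf("\r\nlen is %ld", lfilelen);
    if (lfilelen <= 0L || lfilelen > lfilesize - kHostOffset) {
        printf("\r\nbad original length in %s, not cleared\n", stroriginfilename);
        goto out_close;
    }

    stroriginfile = (char *)malloc((size_t)lfilelen);
    if (stroriginfile == NULL) {
        printf("out of memory reading %s\n", stroriginfilename);
        goto out_close;
    }
    if (fseek(fp, kHostOffset, SEEK_SET) != 0 ||
        fread(stroriginfile, 1, (size_t)lfilelen, fp) != (size_t)lfilelen) {
        printf("cannot read original image from %s\n", stroriginfilename);
        goto out_free;
    }
    // Done with the infected stream; it must be closed before the rename.
    fclose(fp);
    fp = NULL;

    // Backup name: copy of the original name with the last char set to '1'.
    strbackupfile = (char *)malloc(namelen + 1);
    if (strbackupfile == NULL) {
        printf("out of memory renaming %s\n", stroriginfilename);
        goto out_free;
    }
    memcpy(strbackupfile, stroriginfilename, namelen + 1);
    strbackupfile[namelen - 1] = '1';

    if (rename(stroriginfilename, strbackupfile) != 0) {
        printf("cannot rename %s to %s\n", stroriginfilename, strbackupfile);
        goto out_free;
    }

    // Write the recovered image back under the original name.
    outfp = fopen(stroriginfilename, "wb");
    if (outfp == NULL) {
        printf("cannot create %s (infected copy kept as %s)\n",
               stroriginfilename, strbackupfile);
        goto out_free;
    }
    if (fwrite(stroriginfile, 1, (size_t)lfilelen, outfp) != (size_t)lfilelen) {
        printf("write error on %s\n", stroriginfilename);
    }
    if (fclose(outfp) != 0) {
        printf("error closing %s\n", stroriginfilename);
    }
    outfp = NULL;

out_free:
    free(strbackupfile);
    free(stroriginfile);
out_close:
    if (fp != NULL) {
        fclose(fp);
    }
}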
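// Build "dir\name" into dst (capacity dstsize, terminator included).
// Returns false and leaves dst unspecified when the result would not fit,
// so callers never overflow a MAX_PATH buffer on deep or long paths.
static bool join_path(char *dst, size_t dstsize, const char *dir, const char *name)
{
    size_t dirlen = strlen(dir);
    size_t namelen = strlen(name);

    if (dirlen + 1 + namelen + 1 > dstsize) {
        return false;
    }
    memcpy(dst, dir, dirlen);
    dst[dirlen] = '\\';
    memcpy(dst + dirlen + 1, name, namelen + 1);
    return true;
}

// Function:
//     Visit all folders and files below lppath, recursing into sub-folders,
//     and run checkwhvirus/clearvirus on every file whose name ends in
//     "exe" or "scr" (case-insensitive, last three characters only).
//
// Parameter:
//     char *lppath -- path of the folder to scan, without a trailing
//                     backslash (e.g. "C:" or "C:\Program Files")
//
// Return:
//     void. Updates g_lcheckfilenumber and g_lclearfilenumber.
//     Paths that do not fit in MAX_PATH are reported and skipped;
//     a folder whose listing cannot be opened is silently skipped.
//
void visitallfiles(char *lppath)
{
    char szfind[MAX_PATH];
    WIN32_FIND_DATA findfiledata;
    HANDLE hfind;

    if (lppath == NULL) {
        return;
    }
    if (!join_path(szfind, sizeof szfind, lppath, "*.*")) {
        printf("path too long, skipped: %s\n", lppath);
        return;
    }
    hfind = FindFirstFile(szfind, &findfiledata);
    if (hfind == INVALID_HANDLE_VALUE) {
        return;
    }

    do {
        if (findfiledata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
            // Recurse into sub-folders; "." and ".." (and any dot-folder) are skipped.
            if (findfiledata.cFileName[0] != '.') {
                char szfile[MAX_PATH];
                if (!join_path(szfile, sizeof szfile, lppath, findfiledata.cFileName)) {
                    printf("path too long, skipped: %s\\%s\n", lppath, findfiledata.cFileName);
                    continue;
                }
                visitallfiles(szfile);
            }
        } else {
            // Judge if EXE/SCR file. Names shorter than three characters used
            // to index before the start of cFileName; they cannot match anyway.
            size_t len = strlen(findfiledata.cFileName);
            const char *p;
            if (len < 3) {
                continue;
            }
            p = findfiledata.cFileName + (len - 3);
            if (_stricmp(p, "EXE") == 0 || _stricmp(p, "SCR") == 0) { // case insensitive
                char strfilename[MAX_PATH];
                FILE *fp;

                g_lcheckfilenumber++;
                if (!join_path(strfilename, sizeof strfilename, lppath, findfiledata.cFileName)) {
                    printf("path too long, skipped: %s\\%s\n", lppath, findfiledata.cFileName);
                    continue;
                }
                printf("T: %ld, clear: %ld, check %s\r",
                       g_lcheckfilenumber, g_lclearfilenumber, strfilename);
                fp = fopen(strfilename, "rb");
                if (fp == NULL) {
                    printf("can't open %s\n", strfilename);
                } else if (checkwhvirus(fp)) {
                    g_lclearfilenumber++;
                    clearvirus(fp, strfilename); // fp is closed inside clearvirus
                    printf("virus found! %s and cleared\r\n", strfilename);
                } else {
                    fclose(fp);
                }
            }
        }
        // Find next file; a failure (no more entries) ends the loop.
    } while (FindNextFile(hfind, &findfiledata));

    FindClose(hfind);
}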
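// Main
//
// Usage: EXE 0            -- scan every fixed drive from C: to Z:
//        EXE 1 Folder     -- scan only the given folder
//
// Steps performed per .exe/.scr file (see checkwhvirus/clearvirus):
//   1. visit all the folders, then get every EXE/SCR file
//   2. check if the bytes at position 0x12605 are "MZ"
//   3. if so, check the last byte is 0x01, then read back to 0x02 to get the origin file len
//   4. copy len bytes from 0x12605 and write them back as the origin file
//
// Returns 0 on completion, -1 on a usage error. The unreachable single-file
// variant that used to follow the final return (it built a RENAME command
// line from argv[1] and ran it through system()) has been dropped; the
// reachable path above covers the same work through clearvirus.
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Usage: EXE 0/EXE 1 Folder\n");
        return -1;
    }
    g_lcheckfilenumber = 0;
    g_lclearfilenumber = 0;

    if (atoi(argv[1]) == 1) {
        // Mode 1 needs the folder argument; argv[2] is NULL without it.
        if (argc < 3) {
            printf("Usage: EXE 0/EXE 1 Folder\n");
            return -1;
        }
        visitallfiles(argv[2]);
    } else {
        char clabel;
        for (clabel = 'C'; clabel <= 'Z'; clabel++) {
            char strrootpath[] = "C:\\";
            UINT res;

            strrootpath[0] = clabel;
            res = GetDriveType(strrootpath);
            if (res == DRIVE_FIXED) {
                strrootpath[2] = '\0'; // "C:" -- visitallfiles appends the backslash
                visitallfiles(strrootpath);
            }
            // Every other type (CD-ROM, removable, network, unassigned letter)
            // is skipped. The original stopped at the first letter that was
            // neither fixed nor CD-ROM, which left fixed disks after such a
            // letter unscanned.
        }
    }

    printf("\r\nfinished: checked: %ld cleard: %ld\r\n",
           g_lcheckfilenumber, g_lclearfilenumber);
    getchar();
    return 0;
}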