VC++ information security programming (6): an example of implementing an anti-virus program that removes the D3 virus

Source: Internet
Author: User

This article walks through the code of a working anti-virus program: it makes the target program readable and writable, scans it for the virus signature, and removes the virus.

 

 

 

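// ScandiskDlg.cpp : dialog that walks every drive, looks for executables
// infected by the "SD-3" virus (recognised by its section name and a byte
// pattern) and cleans them in place.
//
// NOTE(review): the listing this file was recovered from had every
// identifier lower-cased and several tokens mangled.  Win32/MFC names are
// restored to their real spelling; the class, member and resource names
// (CScandiskDlg, m_disk, m_list, m_static, m_bstart, status, subthread,
// totalfilenum, IDC_*) follow MFC convention and must match ScandiskDlg.h
// and the resource header, which are not part of this listing.

#include "stdafx.h"
#include "Scandisk.h"
#include "ScandiskDlg.h"

#include <string.h>
#include <vector>

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

namespace {

// Byte pattern the SD-3 infector leaves in the section it appends; matching
// it locates the start of the virus body inside the section's raw bytes.
const BYTE kSd3Signature[15] = {
    0x55, 0x8b, 0xec, 0x81, 0xc4, 0xb8, 0xfe, 0xff, 0xff,
    0x60, 0xb0, 0x2a, 0x88, 0x45, 0xfa
};
const size_t kSd3SignatureLen = sizeof(kSd3Signature);

// Section name the infector uses (compared on its first five bytes, as the
// original listing did) and the name written back once the file is cleaned.
const char kInfectedSectionName[] = ".SD-3";
const char kCleanedSectionName[] = ".kill";

// The infector places a JMP to the original entry point immediately before
// the signature; its 32-bit displacement occupies the four bytes preceding
// the pattern.
const int kJmpOperandBytes = 4;

// Reads the DOS header, the NT headers and the *last* section header of an
// open PE32 file.  All header-derived offsets come from untrusted file
// content, so each one is checked against `filelen` before it is used.
//
//   file     - open CFile, positioned anywhere (the function seeks itself)
//   filelen  - total file length in bytes
//   dos/nt/sec - receive the headers on success
//   secOffset  - receives the file offset of the last section header so the
//                caller can rewrite it in place
// Returns false if the file is not a PE32 image with the default optional
// header layout, has no sections, or any header would be truncated.
bool ReadLastSectionHeader(CFile& file, DWORD filelen,
                           IMAGE_DOS_HEADER& dos, IMAGE_NT_HEADERS32& nt,
                           IMAGE_SECTION_HEADER& sec, DWORD& secOffset)
{
    file.Seek(0, CFile::begin);
    if (file.Read(&dos, sizeof(dos)) != sizeof(dos)) return false;
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return false;   // "MZ"

    // e_lfanew is a signed LONG straight from the file: reject negative or
    // zero values and offsets that would put the NT headers past the end.
    if (dos.e_lfanew <= 0) return false;
    const DWORD ntOffset = (DWORD)dos.e_lfanew;
    if (ntOffset >= filelen || filelen - ntOffset < sizeof(nt)) return false;

    file.Seek(ntOffset, CFile::begin);
    if (file.Read(&nt, sizeof(nt)) != sizeof(nt)) return false;
    if (nt.Signature != IMAGE_NT_SIGNATURE) return false;   // "PE\0\0"

    // The section table is located by assuming the optional header has the
    // standard PE32 size; PE32+ and unusual layouts are not handled, and
    // the entry-point patch below only makes sense for PE32 anyway.
    if (nt.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return false;
    if (nt.FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER32)) return false;

    // NumberOfSections == 0 would make the "last section" index wrap around.
    const WORD nsec = nt.FileHeader.NumberOfSections;
    if (nsec == 0) return false;

    secOffset = ntOffset + sizeof(nt) + (DWORD)(nsec - 1) * sizeof(sec);
    if (secOffset >= filelen || filelen - secOffset < sizeof(sec)) return false;

    file.Seek(secOffset, CFile::begin);
    return file.Read(&sec, sizeof(sec)) == sizeof(sec);
}

// Returns the offset of the first occurrence of kSd3Signature in `buf`,
// or -1 if the buffer does not contain it.
int FindSd3Signature(const std::vector<BYTE>& buf)
{
    if (buf.size() < kSd3SignatureLen) return -1;
    const size_t lastStart = buf.size() - kSd3SignatureLen;
    for (size_t i = 0; i <= lastStart; ++i) {
        if (memcmp(&buf[i], kSd3Signature, kSd3SignatureLen) == 0) return (int)i;
    }
    return -1;
}

// Detects and removes an SD-3 infection from an open read/write PE file.
// On a hit it restores AddressOfEntryPoint from the JMP displacement that
// precedes the signature, zeroes the file from the signature to the end,
// renames the last section to ".kill" and writes both headers back.
// Returns true only when the file was modified.
bool CleanSd3(CFile& file, DWORD filelen)
{
    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS32 nt;
    IMAGE_SECTION_HEADER sec;
    DWORD secOffset = 0;
    if (!ReadLastSectionHeader(file, filelen, dos, nt, sec, secOffset)) return false;
    if (strncmp((const char*)sec.Name, kInfectedSectionName, 5) != 0) return false;

    // Read the section's raw bytes, but never more than the file holds:
    // VirtualSize is attacker-controlled and may exceed the raw data.
    if (sec.PointerToRawData >= filelen) return false;
    DWORD want = sec.Misc.VirtualSize;
    const DWORD avail = filelen - sec.PointerToRawData;
    if (want > avail) want = avail;
    if (want == 0) return false;
    std::vector<BYTE> body(want);
    file.Seek(sec.PointerToRawData, CFile::begin);
    // Search only the bytes actually read; a short read must not expose
    // uninitialised buffer space to the pattern match.
    body.resize(file.Read(&body[0], want));

    const int hit = FindSd3Signature(body);
    // No pattern, or the pattern is too close to the section start for the
    // JMP displacement to precede it.
    if (hit < kJmpOperandBytes) return false;

    DWORD oldentry = 0;
    memcpy(&oldentry, &body[hit - kJmpOperandBytes], sizeof(oldentry));

    // The displacement is relative to the instruction after the JMP, which
    // is the signature itself at RVA sec.VirtualAddress + hit.  Example from
    // the original notes: 0x305e + 0xffffd8a2 = 0x1000; the DWORD addition
    // wraps modulo 2^32 exactly like the CPU does.
    nt.OptionalHeader.AddressOfEntryPoint = sec.VirtualAddress + (DWORD)hit + oldentry;

    // Overwrite the virus body (signature to end of file) with zeros.
    // `start` < filelen holds because hit < body.size() <= avail.
    const DWORD start = sec.PointerToRawData + (DWORD)hit;
    std::vector<BYTE> zeros(filelen - start, 0);
    file.Seek(start, CFile::begin);
    file.Write(&zeros[0], (UINT)zeros.size());

    // Rename the section (zero-padded, as the 8-byte Name field expects)
    // and write the patched headers back in place.
    memset(sec.Name, 0, sizeof(sec.Name));
    memcpy(sec.Name, kCleanedSectionName, strlen(kCleanedSectionName));
    file.Seek((DWORD)dos.e_lfanew, CFile::begin);
    file.Write(&nt, sizeof(nt));
    file.Seek(secOffset, CFile::begin);
    file.Write(&sec, sizeof(sec));
    return true;
}

} // namespace

// Worker thread body started by OnBstart.  Scans every drive listed in
// m_disk ("A:C:D:" style, two characters per drive) until the user stops
// the scan, then reports the file count in the status control.
UINT ThreadProc(LPVOID pParam)
{
    CScandiskDlg* dlg = (CScandiskDlg*)pParam;
    const int drives = dlg->m_disk.GetLength() / 2;
    // A counted loop rather than do/while, so an empty drive list scans
    // nothing instead of calling SearchFolder("") once.
    for (int i = 0; i < drives && dlg->status; ++i) {
        CString drive = dlg->m_disk.Mid(2 * i, 2);
        dlg->SearchFolder(drive.GetBuffer(0));
        drive.ReleaseBuffer();
    }
    CString summary;
    summary.Format("Total number of scanned files = %d", dlg->totalfilenum);
    dlg->m_static.SetWindowText(summary);
    return 0;
}

/////////////////////////////////////////////////////////////////////////////
// CScandiskDlg dialog

CScandiskDlg::CScandiskDlg(CWnd* pParent /*=NULL*/)
    : CDialog(CScandiskDlg::IDD, pParent)
{
    //{{AFX_DATA_INIT(CScandiskDlg)
    m_disk = _T("");
    //}}AFX_DATA_INIT
    // Note that LoadIcon does not require a subsequent DestroyIcon in Win32
    m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
    totalfilenum = 0;   // total number of scanned files
}

void CScandiskDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialog::DoDataExchange(pDX);
    //{{AFX_DATA_MAP(CScandiskDlg)
    DDX_Control(pDX, IDC_STATIC1, m_static);
    DDX_Control(pDX, IDC_LIST1, m_list);
    DDX_Control(pDX, IDC_BSTART, m_bstart);
    DDX_Text(pDX, IDC_EPARTITION, m_disk);
    //}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CScandiskDlg, CDialog)
    //{{AFX_MSG_MAP(CScandiskDlg)
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(IDC_BSTART, OnBstart)
    ON_BN_CLICKED(IDC_BSTOP, OnBstop)
    ON_EN_CHANGE(IDC_EPARTITION, OnChangeEpartition)
    ON_BN_CLICKED(IDC_BSAVE, OnBsave)
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CScandiskDlg message handlers

// Sets the dialog icons and pre-fills the partition box with every drive
// letter currently present, e.g. "A:C:D:".
BOOL CScandiskDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // Set the icon for this dialog.  The framework does this automatically
    // when the application's main window is not a dialog.
    SetIcon(m_hIcon, TRUE);    // set big icon
    SetIcon(m_hIcon, FALSE);   // set small icon

    // GetLogicalDrives reports drive A: in bit 0 up to Z: in bit 25.
    const DWORD mask = GetLogicalDrives();
    char drive[] = "A:";
    for (int bit = 0; bit < 26; ++bit) {
        if (mask & (1UL << bit)) {
            drive[0] = (char)('A' + bit);
            m_disk += drive;
        }
    }
    UpdateData(FALSE);
    status = false;
    return TRUE;   // return TRUE unless you set the focus to a control
}

// If you add a minimize button to your dialog, you will need the code below
// to draw the icon.  For MFC applications using the document/view model,
// this is automatically done for you by the framework.
void CScandiskDlg::OnPaint()
{
    if (IsIconic()) {
        CPaintDC dc(this);   // device context for painting
        SendMessage(WM_ICONERASEBKGND, (WPARAM)dc.GetSafeHdc(), 0);

        // Center icon in client rectangle
        const int cxIcon = GetSystemMetrics(SM_CXICON);
        const int cyIcon = GetSystemMetrics(SM_CYICON);
        CRect rect;
        GetClientRect(&rect);
        const int x = (rect.Width() - cxIcon + 1) / 2;
        const int y = (rect.Height() - cyIcon + 1) / 2;

        dc.DrawIcon(x, y, m_hIcon);
    } else {
        CDialog::OnPaint();
    }
}

// The system calls this to obtain the cursor to display while the user
// drags the minimized window.
HCURSOR CScandiskDlg::OnQueryDragIcon()
{
    return (HCURSOR)m_hIcon;
}

// Start/Stop toggle: starts the scanning worker thread, or asks it to stop
// by clearing `status`, which SearchFolder and ThreadProc poll.
void CScandiskDlg::OnBstart()
{
    if (!status) {
        m_list.ResetContent();
        totalfilenum = 0;
        status = true;
        subthread = AfxBeginThread(ThreadProc, this, THREAD_PRIORITY_BELOW_NORMAL, 0, 0);
        m_bstart.SetWindowText("stop");
    } else {
        status = false;
        m_bstart.SetWindowText("START");
    }
}

// Stops the scan and terminates the process immediately, as the original
// did; any file ProcessFile is rewriting at that instant is left as is.
void CScandiskDlg::OnBstop()
{
    status = false;
    ExitProcess(0);
}

// Examines one file found by SearchFolder.  If it is a PE32 image whose
// last section is named ".SD-3" and carries the SD-3 byte pattern, the
// infection is removed in place and the file is listed in m_list.
//   filename - full path of the file
// Returns FALSE when the file could not be examined (status unreadable or
// read-only bit not clearable); TRUE otherwise, whether or not the file was
// infected.  Files that cannot be opened read/write are silently skipped,
// as in the original (its read-only analysis branch was commented out).
// The original attributes and timestamps are restored on every path.
BOOL CScandiskDlg::ProcessFile(char* filename)
{
    CFileStatus rstatus;
    CString inf;

    // Was commented out in the original; without it a failed GetStatus left
    // rstatus uninitialised for the attribute test below.
    if (!CFile::GetStatus(filename, rstatus)) {
        inf = "files that cannot be operated:";
        inf += filename;
        m_list.AddString(inf);
        return FALSE;
    }

    // A read-only file cannot be opened for writing, so clear the bit for
    // the duration of the scan.  m_attribute is a bit mask (read-only files
    // usually also carry the archive bit), so test the bit rather than
    // comparing the whole byte with 1.  The original reported failure when
    // SetFileAttributes *succeeded* (non-zero return); that is inverted here.
    if (rstatus.m_attribute & CFile::readOnly) {
        if (!SetFileAttributes(filename, rstatus.m_attribute & ~FILE_ATTRIBUTE_READONLY)) {
            inf = "the read-only attribute cannot be modified:";
            inf += filename;
            m_list.AddString(inf);
            return FALSE;
        }
    }

    CFile file;
    if (file.Open(filename, CFile::modeReadWrite | CFile::typeBinary)) {
        const DWORD filelen = (DWORD)file.GetLength();
        // A zero-length file has no headers to inspect.
        if (filelen != 0 && CleanSd3(file, filelen)) {
            inf = "SD-3 found, clear:";
            inf += filename;
            m_list.AddString(inf);
        }
        file.Close();
    }

    // Put the attributes (and timestamps) back regardless of what happened
    // above; the original only did this when the file had been opened.
    CFile::SetStatus(filename, rstatus);
    return TRUE;
}

// Recursively visits every file below `path` (a drive such as "C:" or a
// directory without trailing backslash): files go to ProcessFile and are
// counted, directories recurse.  Stops early once `status` is cleared.
//
// NOTE(review): this runs on the worker thread and drives m_list/m_static
// directly; the CWnd wrappers forward to the stored HWND, which is how the
// original worked too — confirm this is acceptable for the UI thread.
void CScandiskDlg::SearchFolder(char* path)
{
    CString pattern(path);
    pattern += "\\*.*";

    WIN32_FIND_DATA dat;
    HANDLE h = FindFirstFile(pattern, &dat);
    if (h == INVALID_HANDLE_VALUE) return;

    // Every entry is inspected, including the one returned by
    // FindFirstFile; the original discarded it, which on a drive root (no
    // "." entry there) silently skipped the first real file.
    do {
        if (strcmp(dat.cFileName, ".") == 0 || strcmp(dat.cFileName, "..") == 0) continue;

        // CString replaces the fixed char[300] buffers of the original, so a
        // deep directory tree can no longer overrun the stack.  The recovered
        // listing showed the separator as "\0" (which appends nothing); a
        // backslash is what produces a valid path.
        CString fullname(path);
        fullname += "\\";
        fullname += dat.cFileName;

        if (dat.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
            // Directory junctions/symlinks can form cycles; do not follow them.
            if (dat.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) continue;
            SearchFolder(fullname.GetBuffer(0));
            fullname.ReleaseBuffer();
        } else {
            m_list.AddString(fullname);
            m_static.SetWindowText(fullname);
            ProcessFile(fullname.GetBuffer(0));
            fullname.ReleaseBuffer();
            totalfilenum++;
        }
    } while (status && FindNextFile(h, &dat));

    FindClose(h);
}

void CScandiskDlg::OnChangeEpartition()
{
    UpdateData();
}

// Writes every line of the result list to C:\inf.txt, CRLF-terminated.
void CScandiskDlg::OnBsave()
{
    CFile fp;
    if (!fp.Open("C:\\inf.txt", CFile::modeCreate | CFile::modeWrite)) {
        AfxMessageBox("cannot create c:\\inf.txt");
        return;
    }

    const int count = m_list.GetCount();
    if (count != LB_ERR) {
        for (int i = 0; i < count; ++i) {
            // CString overload: the original copied into a fixed char[400]
            // with no length check.
            CString line;
            m_list.GetText(i, line);
            line += "\r\n";
            fp.Write((LPCTSTR)line, line.GetLength());
        }
    }
    fp.Close();

    // Reported only once the file has actually been written.
    AfxMessageBox("result saved in c:\\inf.txt");
}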

 
