VC ++ information security programming (6) implement anti-virus programs and kill D3 virus examples

Source: Internet
Author: User

We will use the code to practice a antivirus program, clear the readable and writable program, scan the program's signature, and delete the virus.

 

 

 

# Include "stdafx. H "# include" Scandisk. H "# include" scandiskdlg. H "# ifdef _ debug # define new debug_new # UNDEF this_filestatic char this_file [] = _ file __; # endifuint threadproc (lpvoid PARAM) {cscandiskdlg * Scandisk = (required *) param; cstring part; int I = 0; int Cy = Scandisk-> m_disk.getlength ()/2; do {part = Scandisk-> m_disk.mid (2 * I, 2 ); scandisk-> searchfolder (char *) part. getbuffer (0); I ++;} while (I <Cy & Scandisk-> Status); char s [256]; sprintf (S, "Total number of scanned files = % d", Scandisk-> totalfilenum); Scandisk-> m_static.sendmessage (wm_settext, 0, (lparam) (lpctstr) S); Return 0 ;} //////////////////////////////////////// /// // cscandiskdlg dialogcscandiskdlg:: cscandiskdlg (cwnd * pparent/* = NULL */): cdialog (cscandiskdlg: IDD, pparent) {// {afx_data_init (cscandiskdlg) m_disk = _ T (""); //} afx_data_init // not E that loadicon does not require a subsequent destroyicon in win32m_hicon = afxgetapp ()-> loadicon (idr_mainframe); totalfilenum = 0; // total number of scanned files} void cscandiskdlg :: dodataexchange (cdataexchange * PDX) {cdialog: dodataexchange (PDX); // {afx_data_map (tables) ddx_control (PDX, idc_static1, m_static); ddx_control (PDX, idc_list1, m_list); ddx_control (PDX, idc_bstart, m_bstart); ddx_text (PDX, idc_epartition, m_di SK); //} afx_data_map} values (values, cdialog) // {afx_msg_map (values) on_wm_paint () values () on_bn_clicked (idc_bstart, onbstart) values (idc_bstop, onbstop) on_en_change (idc_epartition, onchangeepartition) on_bn_clicked (idc_bsave, onbsave) //} afx_msg_mapend_message_map () //////////////////////////////////////// /// // cscandiskdlg me Ssage handlersbool cscandiskdlg: oninitdialog () {cdialog: oninitdialog (); // set the icon for this dialog. the framework does this automatically // when the application's main window is not a dialogseticon (m_hicon, true); // set big iconseticon (m_hicon, false ); // Set Small icondword disk = getlogicaldrives (); DWORD Va = 1; char s [] = "A:"; for (INT I = 0; I <32; I ++) {If (disk & (va <I) {s [0] = 0x41 + (char) I; m_disk + = s ;}} Updatedata (false); status = false; return true; // return true unless you set the focus to a control} // if you add a Minimize button to your dialog, you will need the code below // to draw the icon. for MFC applications using the document/view model, // This is automatically done for you by the framework. void cscandiskdlg: onpaint () {If (isiconic () {cpaintdc DC (this); // device context for paintingsendm Essage (wm_iconerasebkgnd, (wparam) DC. getsafehdc (), 0); // center icon in client rectangleint cxicon = getsystemmetrics (sm_cxicon); int cyicon = getsystemmetrics (sm_cyicon); crect rect; getclientrect (& rect ); int x = (rect. width ()-cxicon + 1)/2; int y = (rect. height ()-cyicon + 1)/2; // draw the icondc. drawicon (X, Y, m_hicon);} else {cdialog: onpaint () ;}// the system callthis to obtain the cursor To display while the user drags // The minimized window. hcursor cscandiskdlg: onquerydragicon () {return (hcursor) m_hicon;} void cscandiskdlg: onbstart () {If (status = false) {m_list.resetcontent (); totalfilenum = 0; status = true; subthread = (cwinthread *) afxbeginthread (& threadproc, this, thread_priority_below_normal, 0, 0); m_bstart.setwindowtext ("stop");} else {status = false; m_bstart.setwindowtext ("START") ;}} void C Scandiskdlg: onbstop () {status = false; exitprocess (0);} // process the searched Executable File bool cscandiskdlg: processfile (char * filename) {cfile file; cfilestatus rstatus; cstring INF; DWORD filelen = 0; bool re; image_dos_header dos_header; image_nt_headers nt_header; image_section_header section_header; DWORD Len; byte * PTR; // INF = filename; // INF. makelower (); // If (-1 = inf. find ("\ aaa.exe", 1) return false; // m_list.addstring (filename );/ /Return false; Re = file. getstatus (filename, rstatus); // If (! Re) {// INF = "files that cannot be operated:"; // INF + = filename; // m_list.addstring (INF); Return false;} If (rstatus. m_attribute = 1) {// read-only Re = setfileattributes (filename, rstatus. m_attribute-1); // remove the read-only attribute if (re) {INF = "the read-only attribute cannot be modified:"; INF + = filename; m_list.addstring (INF); Return false ;}} if (file. open (filename, cfile: modereadwrite | cfile: typebinary) {filelen = file. getlength (); If (filelen = 0) goto endthis_1; // The file length is 0 and Len = file is not processed. read (& Dos_header, sizeof (image_dos_header); If (dos_header.e_magic = 0x5a4d & Len = sizeof (image_dos_header )) {// contain "MZ" // determine whether to enable the suffix to prevent accidental if (dos_header.e_lfanew & (filelen> (DWORD) expires + sizeof (image_nt_headers) {// m_list.addstring (filename ); // goto endthis_1; file. seek (dos_header.e_lfanew, cfile: Begin); Len = file. read (& nt_header, sizeof (image_nt_headers); If (nt_header.signature = 0x455 0 & Len = sizeof (image_nt_headers) {// contains "pe" // locate the last file section. seek (dos_header.e_lfanew + sizeof (image_nt_headers) + (nt_header.FileHeader.NumberOfSections-1) * sizeof (image_section_header), cfile: Begin); Len = file. read (§ ion _ header, sizeof (section_header); If (LEN = sizeof (section_header ))&&(! Strncmp (char *) section_header.name ,". SD-3 ", 5) {// discover the SD-3 and handle the virus // m_list.addstring (filename); // goto endthis_1; byte viruschar [15] = {0x55, 0x8b, 0xec, 0x81, 0xc4, 0xb8, // virus pattern 0xfe, 0xff, 0xff, 0x60, 0xb0, 0x2a, 0x88,0x45, 0xfa}; file. seek (section_header.pointertorawdata, cfile: Begin); PTR = new byte [section_header.misc.virtualsize]; file. read (PTR, section_header.misc.virtualsize); For (INT I = 0; I <(INT) section_header. Misc. VirtualSize-15; I ++) {If (! Memcmp (PTR + I, viruschar, 15) {// detected the virus pattern file. seek (section_header.pointertorawdata + I-4, cfile: Begin); DWORD oldentry; file. read (& oldentry, 4); // read the original entry address value of JMP oldentry on the signature. // obtain the original entry address relative to the virtual address. // For example, in line 0x00403059, 0xe9a2d8ffff JMP 1000 // The calculation method is section_header.virtualaddress + I = 0x305e // 0x305e + 0xffffd8a2 = 0x1000 // 0x305e indicates the relative virtual address of the next command in command JMP 1000/ /modify the entry address nt_header.optionalheader.addressofentrypoint = section_he ADER. virtualaddress + I + oldentry; // get the offset DWORD strpos = section_header.pointertorawdata + I in the starting area of the virus code in the file; // The length of the virus area to be erased Len = file. getlength ()-strpos; // INF. format ("Len = % x, strpos = % x, I = % x --", Len, strpos, I); // m_list.addstring (INF + filename ); // goto endthis_1; Delete [] PTR; PTR = new byte [Len]; // clear 0 memset (PTR, 0, Len); file. seek (strpos, cfile: Begin); file. write (PTR, Len); // overwrite the file in the virus area. seek (dos_header.e_lfanew, CFI Le: Begin); strcpy (char *) section_header.name ,". kill "); // modify the node name // modify the PE Header (including the entry address) file. write (& nt_header, sizeof (nt_header); // locate the last table section and modify the file. seek (dos_header.e_lfanew + sizeof (nt_header) + (nt_header.FileHeader.NumberOfSections-1) * sizeof (section_header), cfile: Begin); file. write (§ ion _ header, sizeof (section_header); Delete [] PTR; INF = "SD-3 found, clear:"; INF + = filename; m_list.addstring (INF + filename ); break ;}}}}} Endthis_1: file. Close (); file. setstatus (filename, rstatus);}/* else {// the file cannot be opened, and the file is read-only. Only analyze if (! File. open (filename, cfile: moderead | cfile: typebinary) {INF = "cannot be modified:"; INF + = filename; m_list.addstring (INF);} filelen = file. getlength (); If (filelen = 0) goto endthis_2; // The file length is 0 and Len = file is not processed. read (& dos_header, sizeof (image_dos_header); If (dos_header.e_magic = 0x5a4d & Len = sizeof (image_dos_header )) {// contain "MZ" // take into account the following dos_header.e_lfanew-1, if (dos_header.e_lfanew & filelen> (DWORD) dos_header.e_lfanew) {file. s Eek (dos_header.e_lfanew, cfile: Begin); Len = file. read (& nt_header, sizeof (image_nt_headers); If (nt_header.signature = 0x4550 & Len = sizeof (image_nt_headers) {// contains "pe" file. seek (dos_header.e_lfanew + sizeof (image_nt_headers) + (nt_header.FileHeader.NumberOfSections-1) * sizeof (image_section_header), cfile: Begin); file. read (§ ion _ header, sizeof (section_header); If (! Strncmp (char *) section_header.name ,". SD-3 ", 5) {// SD-3 virus byte viruschar [15] = {0x55, 0x8b, 0xec, 0x81, 0xc4, 0xb8, // virus pattern 0xfe, 0xff, 0xff, 0x60, 0xb0, 0x2a, 0x88,0x45, 0xfa}; file. seek (section_header.pointertorawdata, cfile: Begin); PTR = new byte [section_header.misc.virtualsize]; file. read (PTR, section_header.misc.virtualsize); For (INT I = 0; I <(INT) section_header.Misc.VirtualSize-15; I ++) {If (! Memcmp (PTR + I, viruschar, 15) {// virus pattern INF = "SD-3 virus that cannot be cleared:"; INF + = filename; m_list.addstring (INF) ;}}}} endthis_2: file. close (); file. setstatus (filename, rstatus);} */return true;} // search for all subdirectories and files under them. void cscandiskdlg: searchfolder (char * path) {handle h; win32_find_data dat; bool re; char dir [300]; strcpy (Dir, PATH); strcat (Dir, "\\*. * "); H = findfirstfile (Dir, & dat); If (H = invalid_handle_value) {// afxmessagebox (DIR ); Return;} Char fullname [300]; do {Re = findnextfile (H, & dat); If (! Re) break; If (! Strncmp (dat. cfilename, "..", 2) continue; If (! (File_attribute_directory & dat. dwfileattributes) {// It is not the directory strcpy (fullname, PATH); strcat (fullname, "\ 0"); strcat (fullname, dat. cfilename); // cstring EXE = dat. cfilename; // exe. makelower (); // If (-1! = Exe. find (". EXE ", 2) m_list.addstring (fullname); m_static.sendmessage (wm_settext, 0, (lparam) (lpctstr) fullname); processfile (fullname); totalfilenum ++ ;} else {// is the directory. Enter the subdirectory char next [300]; strcpy (next, PATH); strcat (next, "\ 0"); strcat (next, dat. cfilename); // m_list.addstring (next); searchfolder (next) ;}} while (Status); findclose (h) ;}void cscandiskdlg: onchangeepartition () {updatedata ();} void cscandiskd LG: onbsave () {afxmessagebox ("result saved in c: \ inf.txt"); cfile FP; FP. open ("C: \ inf.txt", cfile: modecreate | cfile. modewrite); If (! FP) return; int Col = m_list.getcount (); If (COL = lb_err) {FP. close (); return;} Char s [400]; for (INT I = 0; I <Col; I ++) {memset (S, 0,400); m_list.gettext (I, s); strcat (S, "\ r \ n"); FP. write (S, strlen (s);} FP. close ();}

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.