This article illustrates the method of virus killing tool that VC realizes. Very practical, share to everyone for your reference. The implementation methods are as follows:
Nowadays virus Trojan worm is endless, and variant is one after another. Anti-virus companies and major security companies are providing free virus-killing tools, which are really helpful to ordinary users, with the advent of large viruses. In fact, write virus killing tools are not as mysterious as we imagine, using the SDK to write a console program to achieve virus killing, because no need to write graphical interface, so simple and quick! You can write it yourself! Don't believe it? Just keep watching. ^_^ nonsense not to say, and then began to talk about virus killing tools and implementation methods.
This article describes the virus kill tool is for Trojans, worms and other independent programs in the broader sense of the virus, rather than the kind of self-replicating infection of PE files attached to other programs that narrow-term virus. Because write that virus killing tools need PE file structure and other knowledge, relatively a bit difficult, so we first from relatively simple point of the beginning, difficult to introduce later.
For most viruses, the idea of antivirus is actually very simple, that is: the process of terminating the virus, the deletion of the startup items (generally in the registry under the Run* primary key), delete virus files, the file associated with the virus is also to modify Registry Restore file association. The following will be stated separately.
I. Termination of the process
There used to be a lot of friends on the internet who asked me how to terminate the specified process based on the filename, why use the function terminateprocess () cannot terminate the specified process directly. Let's take a look at the declaration of Function terminateprocess (): Bool terminateprocess (HANDLE hpeocess,uint uexitcode), where the first parameter is the process handle, not the process name (file name). So how do you get the handle to the specified process? We can use the function openprocess (), whose prototype is
Copy Code code as follows:
HANDLE OpenProcess (
DWORD dwdesiredaccess,//Access flag
BOOL bInheritHandle,//handling inherited Flags
DWORD DWPROCESSID//process identification number, process ID
);
The last parameter is the ID of the process, the process handle and the process ID are two different things, and you may be frustrated: how do you know the process ID? Of course there is! In windows9x/2000/xp/2003, Microsoft provides a TOOLHELP API series function to enumerate processes. Use the function createtoolhelp32snapshot () to get the snapshot handle, and then use Process32First () and Process32Next () to enumerate the current process. The information for each process is stored in the PROCESSENTRY32 structure during enumeration. PROCESSENTRY32 's prototype is:
Copy Code code as follows:
typedef struct TAGPROCESSENTRY32
{
DWORD dwsize; Structure size;
DWORD Cntusage; The reference count for this process;
DWORD Th32processid; Process ID;
DWORD Th32defaultheapid; Process default heap ID;
DWORD Th32moduleid; Process module ID;
DWORD cntthreads; The thread count that this process opens;
DWORD Th32parentprocessid; Parent process ID;
LONG pcpriclassbase; Thread priority;
DWORD dwflags; Reservations
Char Szexefile[max_path]; The full name of the process;
} PROCESSENTRY32;
Where Th32processid is the id,szexefile of the process is the file name of the process. So to terminate the specified process, we can enumerate the processes, one by one, to determine if Szexefile is the same as the process name we want to terminate, and if we take its th32processid parameter and then substitute the OpenProcess function to get the handle of the target process. This lets you terminate the process by using the function terminateprocess (). I wrote a function to terminate the specified process as follows:
Copy Code code as follows:
void Killprocessfromname (LPCTSTR name)//name The name of the process you want to terminate, Win9x include the path
{
PROCESSENTRY32 pe;//defines a variable of a PROCESSENTRY32 junction type
HANDLE Hshot=createtoolhelp32snapshot (th32cs_snapprocess,0);//Create snapshot handle
Pe.dwsize=sizeof (PROCESSENTRY32);/must first assign value to dwsize
if (Process32First (HSHOT,&PE))
{
Todo
{if (strcmp (pe.szexefile,name) ==0)//Determine if this process is the process you want to terminate
HANDLE hprocess=openprocess (PROCESS_ALL_ACCESS,FALSE,PE.TH32PROCESSID);//If you are using its ID to get the handle
TerminateProcess (hprocess,0);/Terminate the process
}
while (Process32Next (HKZ,&PE));
}
CloseHandle (hshot); Don't forget close at last
}
When used, simply call the function killprocessfromname () in the main () function, set the parameter to the name of the process you want to terminate, and Win9x include the path. One more thing to note is that you should not forget to #include.
Ii. Deletion of documents
This step is very simple, call function DeleteFile () can, Bool DeleteFile (LPCTSTR lpfilename), the lpFileName set to point to the file name of the deleted files of the pointer, you can include specific path.
Third, modify the registry, delete startup items and file associations
First, the target primary key is opened with a function RegOpenKeyEx (), and the RegOpenKeyEx () function prototype is:
Copy Code code as follows:
LONG RegOpenKeyEx (
HKEY hkey,//The handle of the key that will be opened
LPCTSTR lpsubkey,//point to the name string pointer that contains the child build that will be opened
DWORD uloptions,//for reserved words, must be null
Regsam samdesired,//access rights
Phkey phkresult//The handle pointer to the open key
);
After the handle is obtained, the function RegSetValueEx () is used to modify the key value, and the function prototype is:
Copy Code code as follows:
LONG RegSetValueEx (
HKEY hkey,//Handle of the currently open key
LPCTSTR Lpvaluename,//point to Non-empty string pointer containing the name of the value to query
DWORD Reserved,//reserved value, must be null
DWORD dwtype,//key value types, such as REG_SZ, REG_DWORD, etc.
CONST BYTE * lpdata,//pointer to key value data, note this variable type, not lpctstr!
DWORD cbdata//Pointer to save the set value length variable in bytes
);
Of course, you can also use function regdeletevalue () to remove key values. Don't forget to close with the function RegCloseKey () after the operation is complete.
Using these functions is simple, as long as you change the corresponding parameter to the corresponding value you want to delete or modify the registry, the only note is that the type of the 5th parameter in the RegSetValueEx () function is byte instead of lpctstr! Through these can be very convenient to delete the specified startup items and restore the file association, in order to facilitate understanding, I give an example of repair EXE file association, we modify the corresponding parameters can be applied to other key values of the modification, swapping with the Regdeletevalue function can be implemented to delete from the startup item.
Copy Code code as follows:
HKEY hkey;
LPCTSTR data1= "/"%1/"%*"//exe file default open way, "%1/" table EXE file itself
DWORD Lresult=regopenkeyex (HKEY_CLASSES_ROOT, "Exefile//shell//open//command", 0,key_write,&hkey);
if (lresult==error_success)
RegSetValueEx (hkey, "", NULL,REG_SZ, (LPBYTE) data1,9);//Modify Key value
RegCloseKey (HKEY);
Here, a virus kill tool model has been preliminarily completed, we write the text of the function of the parameters for you want to kill the target virus corresponding characteristics of the data compiled. This is a simple kill tool, can only deal with ordinary Trojans, worms and other viruses, we should specific situation specific analysis, according to the specific situation to expand the program features, such as some Trojans are modified Win.ini, System.ini to achieve automatic operation, we need to operate the file to delete the corresponding data, in addition , sometimes you also need to add termination services, uninstall DLL module, enter the RING0 operation and other functions. In short, I believe that you can write the virus Trojan kill tools! Oh, is not a very fulfilling feeling!
I hope this article on the VC program for everyone to help.