Virus Trojan scan and removal: compilation of the dedicated kill tool for QQ Trojan Horse stealing

Source: Internet
Author: User

Virus Trojan scan and removal: compilation of the dedicated kill tool for QQ Trojan Horse stealing
I. Preface as I have compiled a general kill tool framework in article 004th "virus Trojan scan: Writing pandatv killing tools, this framework is basically applicable to the virus after simple modification. Therefore, this article will not discuss the overlapping knowledge, but will only discuss the preparation of the exclusive killing tool for the specific aspect of the virus, and then combine them into a complete exclusive tool for the virus.


Ii. Principle Discussion for this virus, its biggest characteristic is the use of process daemon technology. After the virus runs, three virus processes exist at the same time. If either of them is disabled, the disabled processes are restarted due to the presence of two virus processes. To solve this problem, three virus processes cannot be shut down at the same time by means of "hand speed", but other measures should be taken. I have discussed in Article 004th on security tools: Process Manager (I). In this case, we should suspend the processes before closing them. Generally, a process cannot be directly paused. When the process to be paused is located, all threads under the process should be paused, and the process will be stopped. After actual tests, the Process Manager compiled in the article can successfully shut down the three processes. After figuring out the principle, you need to implement it by programming.


3. We need to pause the three virus processes one by one before writing the code. For simplicity, the Win32 console application is created here. The Code is as follows:

[Cpp] view plaincopy # include "windows. h "# include" stdio. h "# include" tlhelp32.h "int main () {/////////////////////////////////////// /// // The virus process must be suspended first // //////////////////////////////////////// /// // printf ("START virus scanning... \ n "); // take a snapshot of all processes in the system. HANDLE hSnap = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0); if (hSnap = INVALID_HANDLE_VALUE) {print F ("process snapshot creation failed! \ N "); return 0;} PROCESSENTRY32 Pe32 = {0}; // set the Pe32.dwSize = sizeof (PROCESSENTRY32) before using this structure ); // traverse the process snapshot BOOL bRet = Process32First (hSnap, & Pe32); // pause the virus process while (bRet) through Loop) {// match the three process names if (strcmp (Pe32.szExeFile, "severe.exe") = 0 | strcmp (Pe32.szExeFile, "conime.exe ") = 0 | strcmp (Pe32.szExeFile, "tfidma.exe") = 0) {// create a thread snapshot HANDLE thSnap = createconlhelp32snapshot (TH32CS_SNAPTH READ, Pe32.th32ProcessID); if (thSnap = INVALID_HANDLE_VALUE) {printf ("% s thread snapshot creation failed! \ N ", Pe32.szExeFile); return 0;} THREADENTRY32 Te32 = {0}; // before using this structure, set Te32.dwSize = sizeof (THREADENTRY32 ); // traverse the thread snapshot BOOL tbRet = Thread32First (thSnap, & Te32); // pause all threads in the virus process through a loop while (tbRet) {// determine the thread's if (Bytes = Pe32.th32ProcessID) {// open the thread HANDLE hThread = OpenThread (THREAD_ALL_ACCESS, FALSE, Te32.th32ThreadID); // pause the thread SuspendThread (hThread ); // close the thread handle Clo SeHandle (hThread);} tbRet = Thread32Next (thSnap, & Te32);} printf ("% s process suspended successfully! \ N ", Pe32.szExeFile); CloseHandle (thSnap);} bRet = Process32Next (hSnap, & Pe32 );} //////////////////////////////////////// //// // The program ends the virus process /// //////////////////////////////////////// //// // hSnap = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0); if (hSnap = INVALID_HANDLE_VALUE) {printf ("process snapshot creation failed! \ N "); return 0;} // before using this structure, set the Pe32.dwSize = sizeof (PROCESSENTRY32); // traverse the process snapshot bRet = Process32First (hSnap, & Pe32); // loop the virus process while (bRet) {// match the three process names if (strcmp (Pe32.szExeFile, "severe.exe ") = 0 | strcmp (Pe32.szExeFile, "conime.exe") = 0 | strcmp (Pe32.szExeFile, "tfidma.exe") = 0) {HANDLE hProcess = OpenProcess (PROCESS_TERMINATE, FALSE, pe32.th32ProcessID); TerminateProcess (hPro Cess, 0); printf ("virus process % s ended successfully! \ N ", Pe32.szExeFile); CloseHandle (hProcess);} bRet = Process32Next (hSnap, & Pe32);} printf (" virus process cleared! \ N "); CloseHandle (hSnap); getchar (); return 0 ;}

The above program can be compiled successfully.

 

Iv. program testing

To test the virus killing tool, I copied the virus sample and the program to the virtual machine, then executed the virus program, and finally executed the killing tool:

Figure 1 test the exclusive killing tool

Tests show that the kill tool is effective and will not be described in detail.

V. Summary

The use of process daemon technology can make the virus more stubborn and difficult to deal with, and requires special processing to eliminate it. The methods discussed in this article can also be applied to other aspects, which are to be explored by readers.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.