Virus Detection Technique

Author: Feng Ze [evilhsu]

Source: [est]

Most people have used anti-virus software, and know that it regularly has to update its virus database. That database is simply a collection of signatures extracted from known viruses: the scanner compares bytes of a file against those signatures to decide whether the file is infected. With this much knowledge we can write a simple virus detection program ourselves.

First we need to extract a signature ourselves. For safety's sake I will use ca as the example instead of a real virus. What, you do not know ca? Then search Baidu for it; I will not describe it here.

Opening the file in UltraEdit, we find the following at offset 0x0c90:

00000c90h: 0A 73 53 41 2E 65 78 30 5C 5C 31 39 32 2E 31 36 ; .sSA.ex0\\192.16

00000ca0h: 38 2E 30 B0 64 21 73 05 3C 83 98 1B 76 5B 36 8B ; 8.0.d!s.<...v[6.

If you have used ca, you will recognise this as part of its help text, which looks like this:

C:\> ca

Shadow administrator, by netxeyes 2002/04/28

Written by netxeyes 2002, dansnow@21cn.com

Usage: SA \\ip account password cloneaccount clonepassword

Account: username (own administrator privilege)

Password: Password of user

Cloneaccount: cloneuser's account name (must already exsited)

Clonepassword: Set Password of cloneuser

Examples:

==========

SA.exe \\192.168.0.16 administrator password iusr_victim setnewpass

Clone privillege of administrator to iusr_victim,

and set iusr_victim password to "setnewpass"

This byte sequence is unlikely to appear in other software, which is exactly what makes it usable as a signature. You can of course choose a different pattern; I will use this one here.

From the dump above we know:

File offset: 0x0c90

Signature length: 0x20 (32 bytes)

Signature bytes: 0A 73 53 41 2E 65 78 30 5C 5C 31 39 32 2E 31 36

38 2E 30 B0 64 21 73 05 3C 83 98 1B 76 5B 36 8B

Now we can write a program that compares these bytes against the file. Here is the program:

#include <stdio.h>
#include <string.h>
#include <stdbool.h>

bool scanvir(const char *file, long offset, int length, const void *vir);

int main(void)
{
    int i;
    /* the 32 signature bytes extracted from ca.exe at file offset 0x0c90 */
    unsigned char vir[] =
    { 0x0a, 0x73, 0x53, 0x41, 0x2e, 0x65, 0x78, 0x30, 0x5c, 0x5c, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36,
      0x38, 0x2e, 0x30, 0xb0, 0x64, 0x21, 0x73, 0x05, 0x3c, 0x83, 0x98, 0x1b, 0x76, 0x5b, 0x36, 0x8b };

    i = scanvir("C:\\ca.exe", 0x0c90, 0x20, vir);   /* call the virus detection function */
    if (i == 1) printf("warning! Virus detected.\n");
    if (i == 0) printf("No virus detected.\n");
    return 0;
}

bool scanvir(const char *file, long offset, int length, const void *vir)
{
    FILE *fp = NULL;
    int a = 0;
    char rvir[255] = {0};
    bool b = false;

    if (length < 0 || length > (int)sizeof rvir)    /* the signature must fit the read buffer */
        return false;
    fp = fopen(file, "rb");                         /* open the file in binary mode */
    if (NULL == fp)
        goto novir;
    if (fseek(fp, offset, SEEK_SET) != 0)           /* move the file pointer to the offset */
        goto novir;
    if (fread(rvir, length, 1, fp) != 1)            /* read `length` bytes; fails if the file is too short */
        goto novir;
    a = memcmp(vir, rvir, length);                  /* compare with the signature we extracted */
    if (a == 0)
        b = true;
novir:
    if (fp) { fclose(fp); fp = NULL; }
    return b;
}

Isn't that easy? Add a few more functions, such as walking every file on the disk to look for infections, removing the virus, and cleaning up whatever it leaves behind, and you have the makings of an anti-virus tool.
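Two caveats of the fixed-offset check above are worth seeing in code before adding traversal. First, the check must refuse to read when the file is shorter than offset + length, otherwise it either fails silently or reads past the buffer. Second, a signature tied to one file offset is fragile: the moment the sample is re-linked, packed or padded, the bytes move and the check misses, while a search over the whole file still finds them. The following is an added example, not the article's code; it works on constructed in-memory buffers (0x90 filler with the article's 32 signature bytes placed at a chosen position) so that it runs without ca.exe, and generalises the article's single check to both the fixed-offset and the search-anywhere form:

```c
/* Added example, not the article's code: fixed-offset signature check and a
 * search-anywhere variant, run against constructed in-memory "files". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 32 bytes the article extracted from ca.exe at file offset 0x0c90. */
static const unsigned char CA_SIG[32] = {
    0x0a, 0x73, 0x53, 0x41, 0x2e, 0x65, 0x78, 0x30, 0x5c, 0x5c, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36,
    0x38, 0x2e, 0x30, 0xb0, 0x64, 0x21, 0x73, 0x05, 0x3c, 0x83, 0x98, 0x1b, 0x76, 0x5b, 0x36, 0x8b
};
#define CA_SIG_OFFSET 0x0c90

/* Fixed-offset check, the approach of the article's scanvir(). Returns 1 on a
 * match, 0 on a mismatch, and 0 without reading past the end when the file
 * cannot hold offset + sig_len bytes. */
int sig_at_offset(const unsigned char *file, size_t file_len, size_t offset,
                  const unsigned char *sig, size_t sig_len)
{
    if (offset > file_len || sig_len > file_len - offset)
        return 0;
    return memcmp(file + offset, sig, sig_len) == 0;
}

/* Search-anywhere variant: offset of the first occurrence of sig, or -1.
 * Slower, but still matches when the signature has moved inside the file. */
long sig_find(const unsigned char *file, size_t file_len,
              const unsigned char *sig, size_t sig_len)
{
    size_t i;
    if (sig_len == 0 || sig_len > file_len)
        return -1;
    for (i = 0; i + sig_len <= file_len; i++)
        if (memcmp(file + i, sig, sig_len) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample "file": file_len bytes of 0x90 filler with CA_SIG copied
 * in at placed_at (left out if it would not fit). Rebuilt on every call;
 * returns NULL if file_len exceeds the static buffer. */
static unsigned char g_file[0x1000];

static const unsigned char *make_sample(size_t file_len, size_t placed_at)
{
    if (file_len > sizeof g_file)
        return NULL;
    memset(g_file, 0x90, file_len);
    if (placed_at + sizeof CA_SIG <= file_len)
        memcpy(g_file + placed_at, CA_SIG, sizeof CA_SIG);
    return g_file;
}

/* Fixed-offset result for a sample of file_len bytes with the signature at placed_at. */
int case_fixed(size_t file_len, size_t placed_at)
{
    const unsigned char *f = make_sample(file_len, placed_at);
    if (f == NULL)
        return 0;
    return sig_at_offset(f, file_len, CA_SIG_OFFSET, CA_SIG, sizeof CA_SIG);
}

/* Search-anywhere result for the same sample. */
long case_search(size_t file_len, size_t placed_at)
{
    const unsigned char *f = make_sample(file_len, placed_at);
    if (f == NULL)
        return -1;
    return sig_find(f, file_len, CA_SIG, sizeof CA_SIG);
}

int main(void)
{
    printf("signature at 0x0c90: fixed=%d search=%ld\n",
           case_fixed(0x1000, 0x0c90), case_search(0x1000, 0x0c90));
    printf("signature at 0x0ca0: fixed=%d search=%ld\n",
           case_fixed(0x1000, 0x0ca0), case_search(0x1000, 0x0ca0));
    printf("0x100-byte file:     fixed=%d search=%ld\n",
           case_fixed(0x100, 0x0c90), case_search(0x100, 0x0c90));
    return 0;
}
```

With the signature at 0x0c90 both checks hit; shifted to 0x0ca0 the fixed check misses while the search still reports 0x0ca0; for a file of only 0x100 bytes both return a clean miss instead of reading beyond the data. Real scanners pay the cost of the search (or a faster multi-pattern matcher) precisely because offsets do not survive repacking.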

Below is a version of the program with directory traversal added. If I find time I will add the other pieces later.

Here is the program with the directory traversal function:

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <conio.h>

bool scanvir(const char *filename, long offset, int length, const void *vir);
int viewfiles(const char *directory, long offset, int length, const void *vir);

/* Several bytes of the signature below are illegible in the source of this article
 * (only "0 x" survived). LOST marks those positions; substitute the real bytes from
 * your own dump of the sample before using this. */
#define LOST 0x00

int main(void)
{
    /* signature of the "earthquake wave" (Sasser) worm, taken at file offset 0x32a0;
     * the article used length 0x30, one byte of which was lost in extraction */
    unsigned char vir[] =
    { 0x4a, 0x75, 0x6d, 0x55, 0x70, 0x85, 0x0b, 0x73, 0x4e, LOST, LOST, 0x54, 0x69, 0x9a, 0x07, 0xd0,
      0xa1, 0x4a, 0x6f, LOST, LOST, 0x61, 0x6b, LOST, LOST, 0x53, 0x4f, 0x0b, LOST, 0x54, 0x57,
      0x41, 0x55, 0x11, 0x5c, 0x6a, 0x9c, 0x29, 0x5c, 0xe3, 0x97, 0x5c, 0x0f, 0x7f, 0x20, 0xf0, 0xb6 };
    char directory[MAX_PATH];
    int count;

    printf("===================================================\n");
    printf("Earthquake wave (Sasser) virus search tool\n");
    printf("www.chinahackers.cn.st\n");
    printf("===================================================\n");
    printf("\n");
    printf("Enter the drive or directory to be checked\n");
    printf("Reminder: add ':' after a drive letter, and give the full directory path\n");
    printf("Enter: ");
    if (fgets(directory, sizeof directory, stdin) == NULL)   /* fgets rather than gets: bounded read */
        return 1;
    directory[strcspn(directory, "\r\n")] = '\0';             /* strip the trailing newline */
    printf("Starting virus search, please wait...\n");

    count = viewfiles(directory, 0x32a0, (int)sizeof vir, vir);
    if (count > 0)
        printf("This check found %d infected files in the directory.\n", count);
    else
        printf("%s is clean, no virus found.\n", directory);
    getch();
    return 0;
}

bool scanvir(const char *filename, long offset, int length, const void *vir)
{
    FILE *fp;
    char *rvir;
    bool b = false;

    fp = fopen(filename, "rb");
    if (fp != NULL)
    {
        fseek(fp, 0, SEEK_END);
        if (length > 0 && offset + length <= ftell(fp))   /* the file must be long enough to hold the signature */
        {
            fseek(fp, offset, SEEK_SET);
            rvir = new char[length];
            if (fread(rvir, length, 1, fp) == 1)
                b = memcmp(vir, rvir, length) == 0;
            delete[] rvir;
        }
        fclose(fp);
    }
    return b;
}

int viewfiles(const char *directory, long offset, int length, const void *vir)
{
    WIN32_FIND_DATAA fdFindData;
    HANDLE hFind;
    char *filename;
    int count = 0;
    bool done;

    filename = new char[strlen(directory) + 5];             /* directory + "\*.*" + NUL */
    strcpy(filename, directory);
    strcat(filename, "\\*.*");
    hFind = FindFirstFileA(filename, &fdFindData);
    delete[] filename;

    done = hFind != INVALID_HANDLE_VALUE;
    while (done)
    {
        if (strcmp(fdFindData.cFileName, ".") && strcmp(fdFindData.cFileName, ".."))
        {
            filename = new char[strlen(directory) + strlen(fdFindData.cFileName) + 2];   /* directory + "\" + name + NUL */
            strcpy(filename, directory);
            strcat(filename, "\\");
            strcat(filename, fdFindData.cFileName);
            if ((fdFindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY)
                count += viewfiles(filename, offset, length, vir);   /* recurse into subdirectories */
            else if (scanvir(filename, offset, length, vir))
            {
                count++;
                printf("warning! Virus detected. Path: %s\n", filename);
            }
            delete[] filename;
        }
        done = FindNextFileA(hFind, &fdFindData) != 0;
    }
    if (hFind != INVALID_HANDLE_VALUE)
        FindClose(hFind);
    return count;
}
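The traversal above is tied to the Win32 FindFirstFile API. As an added example (not the article's code), here is the same design on POSIX: a recursive walk over opendir/readdir that applies the fixed-offset check, including the file-length test the second scanvir() introduced, to every regular file. To run offline it builds a small throwaway tree under /tmp with constructed sample files: two that carry the article's ca.exe signature at 0x0c90 (one in a subdirectory, to exercise the recursion), one with the signature shifted by a byte, and one shorter than the offset. The path /tmp/sigscan_<pid> and the file names are assumptions of this example only.

```c
/* Added example, not the article's code: the fixed-offset signature scan driven
 * by a recursive directory walk on POSIX opendir/readdir instead of FindFirstFile.
 * A throwaway tree is built under /tmp so the scan has something to find. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The 32 bytes the article extracted from ca.exe at file offset 0x0c90. */
static const unsigned char CA_SIG[32] = {
    0x0a, 0x73, 0x53, 0x41, 0x2e, 0x65, 0x78, 0x30, 0x5c, 0x5c, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36,
    0x38, 0x2e, 0x30, 0xb0, 0x64, 0x21, 0x73, 0x05, 0x3c, 0x83, 0x98, 0x1b, 0x76, 0x5b, 0x36, 0x8b
};
#define CA_SIG_OFFSET 0x0c90L

/* Fixed-offset check with the article's file-length test, plus a check that fread() really returned `length` bytes. */
int scanvir(const char *path, long offset, size_t length, const unsigned char *sig)
{
    unsigned char buf[256];
    int hit = 0;
    FILE *fp;
    if (length > sizeof buf || (fp = fopen(path, "rb")) == NULL)
        return 0;
    if (fseek(fp, 0, SEEK_END) == 0 && ftell(fp) >= offset + (long)length &&
        fseek(fp, offset, SEEK_SET) == 0 && fread(buf, 1, length, fp) == length)
        hit = memcmp(buf, sig, length) == 0;
    fclose(fp);
    return hit;
}

/* Recursive walk: number of regular files under `dir` whose bytes at `offset` equal `sig`.
 * lstat() means symlinks are neither followed nor scanned, so a planted link cannot steer the scanner outside the tree. */
int viewfiles(const char *dir, long offset, size_t length, const unsigned char *sig)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int count = 0;
    if (d == NULL) return 0;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) continue;
        if (S_ISDIR(st.st_mode))
            count += viewfiles(path, offset, length, sig);
        else if (S_ISREG(st.st_mode) && scanvir(path, offset, length, sig)) {
            count++;
            printf("warning! virus detected: %s\n", path);
        }
    }
    closedir(d);
    return count;
}

/* Constructed sample: `size` bytes of 0x90 filler with CA_SIG at `at` (none if at < 0). */
static void write_sample(const char *path, size_t size, long at)
{
    FILE *fp = fopen(path, "wb");
    size_t i;
    if (fp == NULL) return;
    for (i = 0; i < size; i++)
        fputc((at >= 0 && i >= (size_t)at && i - (size_t)at < sizeof CA_SIG)
                  ? CA_SIG[i - (size_t)at] : 0x90, fp);
    fclose(fp);
}

/* Two hits at the right offset, one shifted by a byte (a fixed-offset miss), one file shorter than the offset. */
static const struct { const char *name; size_t size; long at; } SAMPLES[4] = {
    { "ca.exe",        0x1000, CA_SIG_OFFSET },
    { "sub/copy.bin",  0x1000, CA_SIG_OFFSET },
    { "sub/moved.bin", 0x1000, CA_SIG_OFFSET + 1 },
    { "short.bin",     0x100,  -1 },
};

/* Build the tree, scan it, remove it again. Returns the hit count, expected 2. */
int demo_scan(void)
{
    char root[64], path[160];
    size_t i;
    int hits;
    snprintf(root, sizeof root, "/tmp/sigscan_%ld", (long)getpid());
    if (mkdir(root, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/sub", root);
    mkdir(path, 0700);
    for (i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", root, SAMPLES[i].name);
        write_sample(path, SAMPLES[i].size, SAMPLES[i].at);
    }
    hits = viewfiles(root, CA_SIG_OFFSET, sizeof CA_SIG, CA_SIG);
    for (i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", root, SAMPLES[i].name);
        unlink(path);
    }
    snprintf(path, sizeof path, "%s/sub", root);
    rmdir(path);
    rmdir(root);
    return hits;
}

int main(void)
{
    printf("infected files found: %d\n", demo_scan());
    return 0;
}
```

The walk reports two hits: ca.exe at the top level and sub/copy.bin one level down. moved.bin is missed because its bytes at 0x0c90 are no longer the signature, and short.bin never reaches memcmp because the length test rejects it. Using lstat rather than stat is deliberate: a scanner that follows symbolic links (or, on Windows, reparse points) can be pointed at directories outside the one the user asked to check, and can loop on a link back to an ancestor.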
