Virus Trojan scan and removal: writing a dedicated kill tool for the QQ account-stealing Trojan
I. Preface

I already built a general kill-tool framework in article 004, "Virus Trojan scan: writing the pandatv killing tool"; after a few simple modifications that framework applies to this virus as well. This article therefore does not repeat the overlapping material and only discusses the part of the dedicated tool that is specific to this virus; the two can then be combined into a complete dedicated kill tool.
II. Principle discussion

The most notable characteristic of this virus is its use of process-daemon (mutual guarding) technology. Once the virus runs, three virus processes exist at the same time; if any one of them is terminated, the two that remain immediately restart it. Because of this, the three processes cannot be closed at the same moment by "hand speed" alone, and a different approach is needed. As discussed in article 004 of the security tools series, Process Manager (I), the processes should be suspended before they are closed. A process cannot be paused directly: once the target process is located, every thread belonging to it is suspended, and the process as a whole stops. In actual tests, the Process Manager written in that article shut down all three processes successfully. With the principle clear, it remains to implement it in code.
III. Code implementation

The three virus processes must be paused one by one before any of them is terminated. For simplicity, a Win32 console application is created here. The code is as follows:
```cpp
// Build as a multibyte (non-Unicode) project so that szExeFile is a char array.
#undef UNICODE
#undef _UNICODE
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

// Returns TRUE when the executable name matches one of the three virus processes.
static BOOL IsVirusProcess(const char *szExeFile)
{
    return strcmp(szExeFile, "severe.exe") == 0 ||
           strcmp(szExeFile, "conime.exe") == 0 ||
           strcmp(szExeFile, "tfidma.exe") == 0;
}

// Suspends every thread that belongs to the process dwPid.
static BOOL SuspendProcessThreads(DWORD dwPid)
{
    // TH32CS_SNAPTHREAD always snapshots every thread in the system (the pid
    // argument is ignored), so each entry is matched against dwPid below.
    HANDLE thSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (thSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    THREADENTRY32 Te32 = {0};
    Te32.dwSize = sizeof(THREADENTRY32);   // must be set before use

    BOOL tbRet = Thread32First(thSnap, &Te32);
    while (tbRet) {
        if (Te32.th32OwnerProcessID == dwPid) {
            // THREAD_SUSPEND_RESUME is all the access SuspendThread needs.
            HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, Te32.th32ThreadID);
            if (hThread != NULL) {
                SuspendThread(hThread);
                CloseHandle(hThread);
            }
        }
        tbRet = Thread32Next(thSnap, &Te32);
    }
    CloseHandle(thSnap);
    return TRUE;
}

int main(void)
{
    printf("START virus scanning...\n");

    ////////////////////////////////////////////////////////////////////
    // Pass 1: suspend all three virus processes first, so that none of
    // them is left running to restart the others.
    ////////////////////////////////////////////////////////////////////
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("process snapshot creation failed!\n");
        return 0;
    }

    PROCESSENTRY32 Pe32 = {0};
    Pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before use

    BOOL bRet = Process32First(hSnap, &Pe32);
    while (bRet) {
        if (IsVirusProcess(Pe32.szExeFile)) {
            if (!SuspendProcessThreads(Pe32.th32ProcessID)) {
                printf("%s thread snapshot creation failed!\n", Pe32.szExeFile);
                CloseHandle(hSnap);
                return 0;
            }
            printf("%s process suspended successfully!\n", Pe32.szExeFile);
        }
        bRet = Process32Next(hSnap, &Pe32);
    }
    CloseHandle(hSnap);

    ////////////////////////////////////////////////////////////////////
    // Pass 2: terminate the suspended virus processes.
    ////////////////////////////////////////////////////////////////////
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("process snapshot creation failed!\n");
        return 0;
    }

    Pe32.dwSize = sizeof(PROCESSENTRY32);
    bRet = Process32First(hSnap, &Pe32);
    while (bRet) {
        if (IsVirusProcess(Pe32.szExeFile)) {
            HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, Pe32.th32ProcessID);
            if (hProcess != NULL) {
                if (TerminateProcess(hProcess, 0))
                    printf("virus process %s ended successfully!\n", Pe32.szExeFile);
                else
                    printf("failed to end virus process %s!\n", Pe32.szExeFile);
                CloseHandle(hProcess);
            }
        }
        bRet = Process32Next(hSnap, &Pe32);
    }
    printf("virus process cleared!\n");
    CloseHandle(hSnap);
    getchar();
    return 0;
}
```
The above program can be compiled successfully.
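The same suspend-all-then-terminate sequence, written as an added Python example (not the article's code) around the psutil package. The core routine only needs objects with name(), suspend() and terminate(), so the one rule that matters here, that nothing is terminated until every guardian has been frozen, can be checked on constructed stand-ins; a real run assumes psutil is installed and the script has administrator rights.

```python
"""Suspend-then-terminate for a set of mutually guarding processes.

Added example, not the article's code. It assumes the psutil package for a
real run; suspend_then_terminate itself only needs objects exposing
name(), suspend() and terminate().
"""

# Process names quoted in the article for this trojan.
VIRUS_NAMES = frozenset({"severe.exe", "conime.exe", "tfidma.exe"})


def suspend_then_terminate(procs, names=VIRUS_NAMES):
    """Two passes over procs: freeze every matching process first, and only
    then kill them. Returns (suspended, terminated, failed) name lists.

    If any guardian cannot be frozen, nothing is terminated: the survivor
    would simply restart whatever was killed, which is exactly why a
    one-at-a-time kill fails against this daemon scheme. Processes that
    were already frozen are left frozen; a frozen guardian cannot restart
    anything.
    """
    targets = [p for p in procs if p.name().lower() in names]
    suspended, failed = [], []
    for p in targets:                      # pass 1: suspend all guardians
        try:
            p.suspend()
            suspended.append(p)
        except Exception:                  # psutil.AccessDenied, NoSuchProcess, ...
            failed.append(p.name())
    if failed:
        return [p.name() for p in suspended], [], failed
    terminated = []
    for p in suspended:                    # pass 2: terminate the frozen set
        try:
            p.terminate()
            terminated.append(p.name())
        except Exception:
            failed.append(p.name())
    return [p.name() for p in suspended], terminated, failed


if __name__ == "__main__":
    import psutil  # real run: needs psutil and administrator rights
    print(suspend_then_terminate(psutil.process_iter()))
```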
IV. Program testing
To test the killing tool, I copied the virus sample and the program into a virtual machine, ran the virus program, and then ran the killing tool:
Figure 1: Testing the dedicated killing tool
The test shows that the killing tool is effective; no further detail is given here.
V. Summary
Process-daemon technology makes a virus more stubborn and harder to deal with, and special handling is required to remove it. The approach discussed in this article can also be applied elsewhere; that is left for readers to explore.