Simple implementation of anti-virus software


#include "fundef.h"

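/*
 * Entry point of the Blaster clean-up example.
 *
 * argv[1] is the file name (or wildcard pattern) to look for in the system
 * directory. The three stages run in order: signature scan of the file,
 * termination of any process running the matched file, removal of the
 * worm's Run value from the registry.
 *
 * Returns 0 when every stage succeeded and 1 otherwise, so a calling
 * script can tell the two apart; the original returned 0 on every path.
 * Each stage prints its own Win32 error code, so only the failing stage is
 * named here (the original printed errno, which Win32 API calls do not
 * set).
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        Usage(argv[0]);
        return 1;
    }

    if (!ScanFileVxer(argv[1])) {
        printf("ScanFileVxer() failed\n");
        return 1;
    }

    if (!ProcessVxer()) {
        printf("ProcessVxer() failed\n");
        return 1;
    }

    if (!RegDelVxer()) {
        printf("RegDelVxer() failed\n");
        return 1;
    }

    return 0;
}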

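/*
 * Search the system directory for `filename` (a name or wildcard pattern)
 * and run the signature check over every match.
 *
 * Returns TRUE once the directory has been searched, FALSE when the system
 * directory cannot be located or entered, or when the search itself fails.
 * A match is reported by ScanVxer(), which records the file name in the
 * global `name` (declared in fundef.h) for ProcessVxer(); when several
 * files match, `name` holds the last one.
 *
 * Side effect: the process's current directory is changed to the system
 * directory and not restored.
 *
 * Fixes over the original: GetSystemDirectory() was given the unrelated
 * length `high` for a MAX_PATH array (a possible overflow); the search
 * handle was used even when the directory could not be entered; FindClose()
 * was called on INVALID_HANDLE_VALUE; meeting "." or ".." exited the whole
 * program.
 */
BOOL ScanFileVxer(char *filename)
{
    WIN32_FIND_DATA findfiledata;
    HANDLE hfind = INVALID_HANDLE_VALUE;
    char dirbuffer[MAX_PATH];
    char fullpath[MAX_PATH];
    int count = 0;

    /* Blaster's identifying string, kept as the hex bytes of the original
     * listing. A fixed-offset byte match is defeated by any repacked
     * variant, which is what the usage notes mean by "cannot kill the
     * variant". */
    const long fileoffset = 0x1784;
    unsigned char contents[] = {
        0x49, 0x20, 0x6a, 0x75, 0x73, 0x74, 0x20, 0x77, 0x61, 0x6e, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x73,
        0x61, 0x79, 0x20, 0x4c, 0x4f, 0x56, 0x45, 0x20, 0x59, 0x4f, 0x55, 0x20, 0x53, 0x41, 0x4e, 0x21,
        0x21, 0x20, 0x62, 0x69, 0x6c, 0x6c, 0x79, 0x20, 0x67, 0x61, 0x74, 0x65, 0x73, 0x20, 0x77, 0x68,
        0x79, 0x20, 0x64, 0x6f, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6d, 0x61, 0x6b, 0x65, 0x20, 0x74, 0x68,
        0x69, 0x73, 0x20, 0x70, 0x6f, 0x73, 0x73, 0x69, 0x62, 0x6c, 0x65, 0x20, 0x3f, 0x20, 0x53, 0x74,
        0x6f, 0x70, 0x20, 0x6d, 0x61, 0x6b, 0x69, 0x6e, 0x67, 0x20, 0x6d, 0x6f, 0x6e, 0x65, 0x79, 0x20,
        0x61, 0x6e, 0x64, 0x20, 0x66, 0x69, 0x78, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x73, 0x6f, 0x66,
        0x74, 0x77, 0x61, 0x72, 0x65, 0x21, 0x21};
    /* 0x77 bytes; derived from the table so the two cannot drift apart. */
    const int filelength = (int)sizeof contents;

    /* Size the call by the buffer actually passed. */
    if (GetSystemDirectory(dirbuffer, sizeof dirbuffer) == 0) {
        printf("GetSystemDirectory() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
        return FALSE;
    }

    if (!SetCurrentDirectory(dirbuffer)) {
        printf("SetCurrentDirectory() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
        return FALSE;
    }

    hfind = FindFirstFile(filename, &findfiledata);
    if (hfind == INVALID_HANDLE_VALUE) {
        /* Nothing to close: there is no valid search handle on this path. */
        printf("FindFirstFile() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
        return FALSE;
    }

    do {
        /* Directory entries are not candidates. */
        if (strcmp(findfiledata.cFileName, ".") == 0 ||
            strcmp(findfiledata.cFileName, "..") == 0) {
            continue;
        }
        count++;

        /* cFileName is relative to the current directory set above; a
         * pattern naming another directory would not resolve here. */
        if (GetFullPathName(findfiledata.cFileName, sizeof fullpath,
                            fullpath, NULL) != 0) {
            printf("FilePath: %s\n", fullpath);
        } else {
            printf("GetFullPathName() GetLastError reports %lu\n",
                   (unsigned long)GetLastError());
            FindClose(hfind);
            return FALSE;
        }

        /* Matching work; a match is printed and remembered by ScanVxer(). */
        ScanVxer(findfiledata.cFileName, fileoffset, filelength, contents);
    } while (FindNextFile(hfind, &findfiledata));

    printf("File Total: %d\n", count);
    FindClose(hfind);
    return TRUE;
}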

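/*
 * Compare `v_length` bytes of `v_filename`, read at `v_fileoffset`, with
 * the signature bytes in `v_contents`.
 *
 * Returns TRUE on a match, in which case the file name is recorded in the
 * global `name` (declared in fundef.h) for ProcessVxer(); FALSE when the
 * length is out of range, the file cannot be opened, the file is too short
 * to hold the signature, or the bytes differ.
 *
 * Fixes over the original: it called exit(0) on a match, so the process
 * and registry stages never ran; it fell off the end without a return
 * value on a mismatch; it called fclose(NULL) when fopen() failed; it never
 * closed the file on the success path; it did not check fread(), so a
 * short file was compared against the untouched zero buffer; and it used
 * strcpy() into `name`.
 */
BOOL ScanVxer(char *v_filename,       /* file name, relative to the cwd */
              long v_fileoffset,      /* offset of the signature */
              int v_length,           /* signature length in bytes */
              const void *v_contents) /* signature bytes */
{
    char filecontents[high] = {0}; /* `high`: buffer size macro from fundef.h */
    FILE *fp = NULL;
    BOOL matched = FALSE;

    /* v_length is a caller-supplied count used as a read size: bound it by
     * the local buffer before it reaches fread(). */
    if (v_length <= 0 || (size_t)v_length > sizeof filecontents) {
        printf("Signature length %d out of range\n", v_length);
        return FALSE;
    }

    fp = fopen(v_filename, "rb"); /* binary, read-only */
    if (fp == NULL) {
        printf("File Open Fail\n");
        return FALSE;
    }

    /* A file shorter than offset + length cannot contain the signature. */
    if (fseek(fp, v_fileoffset, SEEK_SET) != 0 ||
        fread(filecontents, (size_t)v_length, 1, fp) != 1) {
        fclose(fp);
        return FALSE;
    }
    fclose(fp);

    if (memcmp(v_contents, filecontents, (size_t)v_length) == 0) {
        printf("File Match Completely\n");
        /* Bounded copy into the global; assumes `name` is a char array in
         * fundef.h — TODO confirm. snprintf is C99; on VC6 use _snprintf
         * and terminate explicitly. */
        snprintf(name, sizeof name, "%s", v_filename);
        matched = TRUE;
    }

    return matched;
}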

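/*
 * Walk every running process, terminate the one whose main module is the
 * file recorded in `name` by ScanVxer(), then delete that file.
 *
 * Returns TRUE when the enumeration completed (including when nothing had
 * to be killed), FALSE when EnumProcesses() fails or a kill attempt fails.
 *
 * Fixes over the original: it returned 0 on every path, so main() always
 * treated it as failed; it closed only the last process handle; it opened
 * every process with PROCESS_ALL_ACCESS although only query rights are
 * used here; it compared paths case-sensitively, so "C:\WinNT\System32\"
 * never matched the kernel's "C:\WINNT\system32\" spelling; and it built
 * the path with strcpy()/strcat().
 */
BOOL ProcessVxer(void)
{
    DWORD lpidprocess[1024];
    DWORD cbneeded_1 = 0;
    DWORD cbneeded_2 = 0;
    DWORD nprocs;
    DWORD i;
    HMODULE hmod[1024];
    char procfile[MAX_PATH];
    char filename[MAX_PATH];
    int pcount = 0;

    /* Nothing matched in the scan stage: nothing to kill. */
    if (name[0] == '\0') {
        printf("No file matched; nothing to kill\n");
        return TRUE;
    }

    /* SeDebugPrivilege lets other users' processes be opened. Failure only
     * limits which processes are visible, so it is reported, not fatal. */
    if (!EnablePrivilege(SE_DEBUG_NAME)) {
        printf("EnablePrivilege() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
    }

    if (!EnumProcesses(lpidprocess, sizeof lpidprocess, &cbneeded_1)) {
        printf("EnumProcesses() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
        return FALSE;
    }
    nprocs = cbneeded_1 / sizeof(DWORD); /* was a hard-coded "/ 4" */
    /* EnumProcesses() truncates silently when the array fills up. */
    if (cbneeded_1 == sizeof lpidprocess) {
        printf("Warning: process list may be truncated\n");
    }

    /* Path of the matched file. The system directory is hard-coded as in
     * the original; ScanFileVxer() obtains it from GetSystemDirectory(),
     * which would be the better source. snprintf is C99; on VC6 use
     * _snprintf and terminate explicitly. */
    snprintf(filename, sizeof filename, "C:\\WinNT\\System32\\%s", name);

    for (i = 0; i < nprocs; i++) {
        /* Query rights are all EnumProcessModules()/GetModuleFileNameEx()
         * need; the kill itself opens its own handle in KillProc(). */
        HANDLE hproc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, lpidprocess[i]);
        if (hproc == NULL) {
            continue; /* e.g. system processes; skip rather than abort */
        }

        /* hmod[0] is the process's main module. */
        if (EnumProcessModules(hproc, hmod, sizeof hmod, &cbneeded_2) &&
            GetModuleFileNameEx(hproc, hmod[0], procfile, sizeof procfile)) {
            /* Process listing; comment out to suppress the output. */
            printf("[%5lu]\t%s\n", (unsigned long)lpidprocess[i], procfile);
            pcount++;

            /* Windows paths are case-insensitive. */
            if (_stricmp(filename, procfile) == 0) {
                if (!KillProc(lpidprocess[i])) {
                    printf("KillProc() GetLastError reports %lu\n",
                           (unsigned long)GetLastError());
                    CloseHandle(hproc);
                    return FALSE;
                }
                /* After the kill, remove the file itself. */
                if (!DeleteFile(filename)) {
                    printf("DeleteFile() GetLastError reports %lu\n",
                           (unsigned long)GetLastError());
                }
            }
        }

        CloseHandle(hproc); /* one close per successful open */
    }

    printf("\nProcess Total: %d\n", pcount);
    return TRUE;
}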

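/*
 * Terminate the process with the given PID.
 *
 * Returns TRUE when the process was terminated, FALSE when it could not be
 * opened or TerminateProcess() failed; GetLastError() then describes the
 * failing call.
 *
 * Fixes over the original: it was declared to take `DWORD *` although the
 * caller passes a DWORD and OpenProcess() takes a DWORD, so the prototype
 * now matches the call site; an OpenProcess() failure was reported as
 * success and followed by CloseHandle(NULL); a TerminateProcess() failure
 * leaked the handle; and PROCESS_ALL_ACCESS was requested where
 * PROCESS_TERMINATE is all that is used.
 */
BOOL KillProc(DWORD processid)
{
    BOOL returnvalue = FALSE;
    DWORD err;
    HANDLE hproc = OpenProcess(PROCESS_TERMINATE, FALSE, processid);

    if (hproc == NULL) {
        return FALSE;
    }

    if (TerminateProcess(hproc, 0)) {
        returnvalue = TRUE;
    } else {
        printf("TerminateProcess() GetLastError reports %lu\n",
               (unsigned long)GetLastError());
    }

    /* CloseHandle() may overwrite the last error the caller will print. */
    err = GetLastError();
    CloseHandle(hproc);
    SetLastError(err);
    return returnvalue;
}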

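/*
 * Enable the named privilege (e.g. SE_DEBUG_NAME) on the current process
 * token.
 *
 * Returns TRUE only when the privilege is actually enabled afterwards,
 * FALSE when the token cannot be opened, the name cannot be looked up, or
 * the adjustment did not take effect.
 *
 * Fix over the original: AdjustTokenPrivileges() returns TRUE even when the
 * privilege was not granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED,
 * the usual case for a non-administrator token), so the last error has to
 * be checked as well.
 */
BOOL EnablePrivilege(PCHAR privilegename)
{
    HANDLE htoken = NULL;
    TOKEN_PRIVILEGES tp = {0};
    BOOL ok = FALSE;
    DWORD err;

    /* GetCurrentProcess() returns a pseudo-handle; it needs no CloseHandle(). */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &htoken)) {
        return FALSE;
    }

    if (LookupPrivilegeValue(NULL, privilegename, &tp.Privileges[0].Luid)) {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof tp, NULL, NULL) &&
            GetLastError() == ERROR_SUCCESS) {
            ok = TRUE;
        }
    }

    /* Preserve the error the caller may want to print. */
    err = GetLastError();
    CloseHandle(htoken);
    SetLastError(err);
    return ok;
}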

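/*
 * Remove the "Windows Auto Update" value Blaster adds under
 * HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
 *
 * Returns 1 on success and 0 on failure; the registry status code is
 * copied to the thread's last error so main() can report it.
 *
 * Fixes over the original: `ret == RegDeleteValue(...)` compared instead
 * of assigned, so the delete result was discarded and "Success Delete" was
 * printed unconditionally; every failure called exit(0), which main() could
 * not observe and which skipped RegCloseKey(); and KEY_ALL_ACCESS was
 * requested where KEY_SET_VALUE is all RegDeleteValue() needs. An absent
 * value (ERROR_FILE_NOT_FOUND) is still reported as a failure, as before.
 */
int RegDelVxer(void)
{
    HKEY hkey = NULL;
    LONG ret;

    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       0, KEY_SET_VALUE, &hkey);
    if (ret != ERROR_SUCCESS) {
        printf("Register Open Fail\n");
        SetLastError((DWORD)ret); /* registry calls return the error, not set it */
        return 0;
    }

    ret = RegDeleteValue(hkey, "Windows Auto Update");
    RegCloseKey(hkey);

    if (ret == ERROR_SUCCESS) {
        printf("Success Delete\n");
        return 1;
    }

    printf("Delete Fail\n");
    SetLastError((DWORD)ret);
    return 0;
}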

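/*
 * Print the banner and usage text to stderr.
 *
 * `parameter` is argv[0]; it is substituted twice into the usage line.
 * The string literal is pointed to by a `const char *` (the original used
 * a non-const pointer to a literal).
 */
void Usage(char *parameter)
{
    const char *path = "%systemroot%\\system32\\";

    fprintf(stderr,
            "================================================================================\n"
            "Simple implementation of anti-virus software\n"
            "Environment: WIN2K ADV Server Visual C 6.0\n"
            "Author: dahubaobao\n"
            "Home: www.ringz.org\n"
            "OICQ: 382690\n"
            "Mail: 382690@qq.com\n"
            "Statement: This post was originally created by the cyclo (Ringz), please indicate the source, thank you!\n\n"
            "How to use:\n"
            "%s file name. For example: %s msblast.exe\n\n"
            "Notes:\n"
            "This program simply introduces the method of writing anti-virus software, so there are many imperfect places, including:\n"
            "1. This program is an example with the impact wave worm.\n"
            "2. File traversal only searches for files in the %s directory\n"
            "3. This program cannot kill the shock wave variant\n\n"
            "This program just uses code communication, if there is a mistake, please include!\n"
            "================================================================================\n",
            parameter, parameter, path);
}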

