自制杀毒小软件
#defineDEBUGMSG
#include
#include
#include
#include
#include
#include"Psapi.h"
#pragmacomment(lib,"Psapi.lib")
#defineerronGetLastError()
TCHAR name[50] = {0};   // file name (+ path) of the matched worm sample; written by ScanVXER(), read by ProcessVXER()
FILE *Gfp = NULL;       // debug listing file ("VXER.txt"); only opened by main() when DEBUGMSG is defined
// Compares V_Length bytes at V_FileOffset in V_FileName against the signature V_Contents
// and records the file name in `name` on a match.
BOOL ScanVXER(LPTSTR V_FileName, long V_FileOffset, int V_Length, TCHAR *V_Contents);
// Walks the files matching FileName in the system directory and scans each with ScanVXER().
BOOL ScanFileVXER(LPTSTR FileName);
// Enumerates running processes, terminates the one whose image is the matched file and deletes that file.
BOOL ProcessVXER(void);
// Terminates the process with the given PID.
BOOL KillProc(DWORD ProcessID);
// Enables the named privilege (e.g. SE_DEBUG_NAME) in the current process token.
BOOL EnablePrivilege(LPTSTR PrivilegeName);
// Deletes the worm's autostart value from the HKLM ...\CurrentVersion\Run key.
BOOL RegDelVXER(void);
// Prints usage text; Parameter is the program name (argv[0]).
void Usage(LPCTSTR Parameter);
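/*
 * Entry point: scan <system dir>\argv[1] for the signature, kill the matching
 * process, then remove the autostart registry value.
 *
 * Returns 0 on success (or when only usage was printed), 1 on any failure so
 * that scripts can tell the two apart.  The debug listing file Gfp is closed
 * on every path; it is NULL when DEBUGMSG is not defined, so never fclose()
 * it unconditionally.
 */
int main(int argc, TCHAR *argv[])
{
    int rc = 1;   // exit status; set to 0 only after all three steps succeed

    if (argc != 2) {
        Usage(argv[0]);
        return 0;
    }
#ifdef DEBUGMSG
    // Debug builds append the file/process listing to VXER.txt in the current directory.
    Gfp = fopen("VXER.txt", "a+");
    if (Gfp == NULL) {
        printf("Open \"VXER.txt\" fail\n");
        return 1;
    }
    fprintf(Gfp, "%s\n\n", "[-------------------------File list-------------------------]");
#endif
    // The matched name is later appended to the system directory path inside
    // fixed-size buffers, so the pattern is kept short.
    if (strlen(argv[1]) > 10) {
        printf("File name no larger than \"10\"\n");
        goto out;
    }
    // Step 1: locate the file(s) matching argv[1] in the system directory and
    // compare them against the signature; a hit records the name in `name`.
    if (!ScanFileVXER(argv[1])) {
#ifdef DEBUGMSG
        printf("ScanFileVXER() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        goto out;
    }
    // Step 2: terminate the running process whose image is the matched file.
    if (!ProcessVXER()) {
#ifdef DEBUGMSG
        printf("ProcessesVXER() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        goto out;
    }
    // Step 3: remove the autostart value so the sample does not come back at logon.
    if (!RegDelVXER()) {
#ifdef DEBUGMSG
        printf("RegDelVXER() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        goto out;
    }
    rc = 0;
out:
    if (Gfp != NULL) {   // NULL in non-debug builds
        fclose(Gfp);
        Gfp = NULL;
    }
    return rc;
}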
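/*
 * Enumerate every file in the system directory matching FileName (a name or
 * wildcard pattern such as "*.exe") and run ScanVXER() on each.
 *
 * Side effects: changes the process's current directory to the system
 * directory (FindFirstFile() yields names relative to it, which is what
 * ScanVXER()'s fopen() needs).  Writes the listing to Gfp when DEBUGMSG is
 * defined, otherwise to stdout.
 *
 * Returns TRUE when the enumeration completed, FALSE when a Win32 call failed
 * (GetLastError() describes the failure).  A signature hit is not reported
 * through the return value; ScanVXER() records it in the global `name`.
 */
BOOL ScanFileVXER(LPTSTR FileName)
{
    WIN32_FIND_DATA FindFileData;
    const DWORD lpBufferLength = 255;
    TCHAR lpBuffer[255] = {0};     // full path of the current match, for the listing
    TCHAR DirBuffer[255] = {0};    // system directory returned by GetSystemDirectory()
    HANDLE hFind = INVALID_HANDLE_VALUE;
    UINT count = 0;                // files examined (excluding "." and "..")
    BOOL ok = FALSE;
    const long FileOffset = 0x1784;   // file offset at which the signature sits in the infected image
    // Signature bytes extracted from the Blaster (冲击波) worm.
    TCHAR Contents[] = {
        0x49, 0x20, 0x6A, 0x75, 0x73, 0x74, 0x20, 0x77, 0x61, 0x6E, 0x74, 0x20, 0x74, 0x6F, 0x20, 0x73,
        0x61, 0x79, 0x20, 0x4C, 0x4F, 0x56, 0x45, 0x20, 0x59, 0x4F, 0x55, 0x20, 0x53, 0x41, 0x4E, 0x21,
        0x21, 0x20, 0x62, 0x69, 0x6C, 0x6C, 0x79, 0x20, 0x67, 0x61, 0x74, 0x65, 0x73, 0x20, 0x77, 0x68,
        0x79, 0x20, 0x64, 0x6F, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x6D, 0x61, 0x6B, 0x65, 0x20, 0x74, 0x68,
        0x69, 0x73, 0x20, 0x70, 0x6F, 0x73, 0x73, 0x69, 0x62, 0x6C, 0x65, 0x20, 0x3F, 0x20, 0x53, 0x74,
        0x6F, 0x70, 0x20, 0x6D, 0x61, 0x6B, 0x69, 0x6E, 0x67, 0x20, 0x6D, 0x6F, 0x6E, 0x65, 0x79, 0x20,
        0x61, 0x6E, 0x64, 0x20, 0x66, 0x69, 0x78, 0x20, 0x79, 0x6F, 0x75, 0x72, 0x20, 0x73, 0x6F, 0x66,
        0x74, 0x77, 0x61, 0x72, 0x65, 0x21, 0x21};
    // Derived from the array so the two can never drift apart (0x77 bytes).
    const int FileLength = (int)sizeof(Contents);

    if (GetSystemDirectory(DirBuffer, lpBufferLength) == 0) {
#ifdef DEBUGMSG
        printf("GetSystemDirectory() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;
    }
    // Make the system directory current: cFileName below is relative to it.
    if (SetCurrentDirectory(DirBuffer) == 0) {
#ifdef DEBUGMSG
        printf("SetCurrentDirectory() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;
    }
    hFind = FindFirstFile(FileName, &FindFileData);
    if (hFind == INVALID_HANDLE_VALUE) {
#ifdef DEBUGMSG
        printf("FindFirstFile() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;   // INVALID_HANDLE_VALUE is not a search handle: nothing to close
    }
    do {
        // "." and ".." are directory entries, not candidates: skip them rather
        // than abort the whole scan.
        if (strcmp(".", FindFileData.cFileName) == 0 || strcmp("..", FindFileData.cFileName) == 0) {
            continue;
        }
        count++;
        if (GetFullPathName(FindFileData.cFileName, lpBufferLength, lpBuffer, NULL) == 0) {
#ifdef DEBUGMSG
            printf("GetFullPathName() GetLastError reports %lu\n", (unsigned long)erron);
#endif
            goto out;
        }
#ifdef DEBUGMSG
        fprintf(Gfp, "File:\t\t%s\n", lpBuffer);
#else
        printf("File:\t\t%s\n", lpBuffer);
#endif
        // A hit is recorded in the global `name` by ScanVXER(); scanning
        // continues so the whole listing is still produced.
        ScanVXER(FindFileData.cFileName, FileOffset, FileLength, Contents);
    } while (FindNextFile(hFind, &FindFileData));
#ifdef DEBUGMSG
    // FindNextFile() returns FALSE both at the end of the listing and on error.
    if (erron != ERROR_NO_MORE_FILES) {
        printf("FindNextFile() GetLastError reports %lu\n", (unsigned long)erron);
    }
#endif
    ok = TRUE;
    if (Gfp != NULL) {   // NULL in non-debug builds
        fprintf(Gfp, "\nFile Total: %u\n\n", count);
        fprintf(Gfp, "%s\n\n", "[-------------------------File end---------------------------]\n");
    }
    printf("File Total: %u\n", count);
out:
    FindClose(hFind);
    return ok;
}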
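/*
 * Compare V_Length bytes starting at V_FileOffset in V_FileName with the
 * signature V_Contents.
 *
 * V_FileName is opened relative to the current directory (ScanFileVXER() has
 * made the system directory current).  The comparison is byte-wise, so this
 * assumes a non-Unicode build where TCHAR is one byte, as the rest of the
 * file (strcpy/strcmp on TCHAR) does.
 *
 * On a match the file name is copied into the global `name` (TCHAR[50]);
 * a name that does not fit is reported and treated as no match, because
 * ProcessVXER() could not act on a truncated name anyway.
 *
 * Returns TRUE only when the signature matched and the name was recorded;
 * FALSE for bad arguments, an unreadable or too-short file, or no match.
 */
BOOL ScanVXER(
    LPTSTR V_FileName,     // file to examine
    long V_FileOffset,     // offset of the signature inside the file
    int V_Length,          // signature length in bytes
    TCHAR *V_Contents)     // signature bytes
{
    TCHAR FileContents[255] = {0};
    FILE *fp = NULL;
    BOOL matched = FALSE;

    if (V_FileName == NULL || V_Contents == NULL || V_Length <= 0 || V_FileOffset < 0
        || (size_t)V_Length > sizeof(FileContents)) {
        return FALSE;   // the read below must fit in FileContents
    }
    fp = fopen(V_FileName, "rb");   // binary: no newline translation
    if (fp == NULL) {
#ifdef DEBUGMSG
        printf("fopen() File open FAIL\n");
#endif
        return FALSE;   // nothing to close
    }
    // A file shorter than offset+length cannot hold the signature there; an
    // unchecked short read would compare against the zero-filled buffer.
    if (fseek(fp, V_FileOffset, SEEK_SET) != 0
        || fread(FileContents, (size_t)V_Length, 1, fp) != 1) {
        fclose(fp);
        return FALSE;
    }
    if (memcmp(V_Contents, FileContents, (size_t)V_Length) == 0) {
#ifdef DEBUGMSG
        printf("File match completely\n");
#endif
        if (strlen(V_FileName) < sizeof(name)) {
            strcpy(name, V_FileName);   // bounded by the check above
            matched = TRUE;
        } else {
            // Reported unconditionally: a hit that cannot be acted on is not a debug detail.
            printf("Matched file name too long to record: %s\n", V_FileName);
        }
    }
    fclose(fp);
    return matched;
}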
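/*
 * Enumerate all processes, list them, and terminate the one whose main
 * module path equals "<system dir>\<name>" (the file ScanVXER() matched);
 * the file is deleted once the process is gone.
 *
 * The directory comes from GetSystemDirectory(), the same place
 * ScanFileVXER() searched, rather than a hard-coded C:\WINNT path.
 * Processes that cannot be opened (e.g. access denied) are skipped.
 *
 * Returns FALSE when enumeration cannot start or the kill fails; TRUE
 * otherwise, including when `name` is empty (nothing matches then).
 */
BOOL ProcessVXER(void)
{
    DWORD lpidProcess[1024] = {0};   // PIDs from EnumProcesses(); at most 1024 are examined
    DWORD cbNeeded_1 = 0, cbNeeded_2 = 0;
    DWORD nProcs = 0, i = 0;
    HANDLE hProc = NULL;
    HMODULE hMod[1024] = {0};
    TCHAR ProcFile[MAX_PATH] = {0};   // full path of a process's main module
    TCHAR FileName[MAX_PATH] = {0};   // "<system dir>\<name>" to look for
    UINT Pcount = 0;                  // processes successfully listed
    size_t dirlen = 0;

    // SeDebugPrivilege lets OpenProcess() succeed on processes of other
    // users; without it those processes are merely skipped below.
    if (!EnablePrivilege(SE_DEBUG_NAME)) {
#ifdef DEBUGMSG
        printf("EnablePrivilege() GetLastError reports %lu\n", (unsigned long)erron);
#endif
    }
    if (Gfp != NULL) {   // NULL in non-debug builds
        fprintf(Gfp, "%s\n\n", "[------------------------Process list--------------------------]");
    }
    if (GetSystemDirectory(FileName, sizeof(FileName) / sizeof(FileName[0])) == 0) {
#ifdef DEBUGMSG
        printf("GetSystemDirectory() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;
    }
    dirlen = strlen(FileName);
    // dir + '\' + name + NUL must fit; refuse rather than overflow.
    if (dirlen + 1 + strlen(name) >= sizeof(FileName)) {
        printf("Matched file path too long\n");
        return FALSE;
    }
    if (dirlen == 0 || FileName[dirlen - 1] != '\\') {
        strcat(FileName, "\\");
    }
    strcat(FileName, name);

    if (!EnumProcesses(lpidProcess, sizeof(lpidProcess), &cbNeeded_1)) {
#ifdef DEBUGMSG
        printf("EnumProcesses() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;
    }
    // If cbNeeded_1 == sizeof(lpidProcess) the array may have been too small
    // and some processes are not examined.
    nProcs = cbNeeded_1 / sizeof(DWORD);
    for (i = 0; i < nProcs; i++) {
        // Query rights are all the listing needs; termination opens its own
        // handle in KillProc().
        hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, lpidProcess[i]);
        if (hProc == NULL) {
            continue;   // e.g. System/Idle process or access denied
        }
        // hMod[0] is the process's main executable module.
        if (EnumProcessModules(hProc, hMod, sizeof(hMod), &cbNeeded_2)
            && GetModuleFileNameEx(hProc, hMod[0], ProcFile, sizeof(ProcFile) / sizeof(ProcFile[0]))) {
#ifdef DEBUGMSG
            fprintf(Gfp, "[%5lu]\t%s\n", (unsigned long)lpidProcess[i], ProcFile);
#else
            printf("[%5lu]\t%s\n", (unsigned long)lpidProcess[i], ProcFile);   // listing; may be removed
#endif
            Pcount++;
            // Windows paths are case-insensitive, so strcmp() would miss
            // e.g. "System32" vs "system32".
            if (lstrcmpi(FileName, ProcFile) == 0) {
                if (!KillProc(lpidProcess[i])) {
#ifdef DEBUGMSG
                    printf("KillProc() GetLastError reports %lu\n", (unsigned long)erron);
#endif
                    CloseHandle(hProc);
                    return FALSE;   // main() reports the failure and closes Gfp
                }
                // The image can only be removed once the process has exited.
                if (!DeleteFile(FileName)) {
#ifdef DEBUGMSG
                    printf("DeleteFile() GetLastError reports %lu\n", (unsigned long)erron);
#endif
                }
            }
        }
        CloseHandle(hProc);   // one handle per iteration; close before opening the next
        hProc = NULL;
    }
    if (Gfp != NULL) {
        fprintf(Gfp, "\nProcess total: %u\n\n", Pcount);
        fprintf(Gfp, "%s\n\n", "[------------------------Process end----------------------------]");
    }
    printf("\nProcess total: %u\n\n", Pcount);
    return TRUE;
}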
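/*
 * Terminate the process with PID ProcessID.
 *
 * Opens the process with PROCESS_TERMINATE | SYNCHRONIZE only (least
 * privilege; PROCESS_ALL_ACCESS is not needed).  TerminateProcess() is
 * asynchronous, so after it succeeds we wait (bounded) for the process to
 * exit: the caller deletes the image file next, which fails while the
 * image is still mapped.
 *
 * Returns TRUE when TerminateProcess() succeeded, FALSE when the process
 * could not be opened or terminated (GetLastError() describes why).
 */
BOOL KillProc(DWORD ProcessID)
{
    HANDLE hProc = NULL;
    BOOL ok = FALSE;

    hProc = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, ProcessID);
    if (hProc == NULL) {
#ifdef DEBUGMSG
        printf("OpenProcess() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;
    }
    ok = TerminateProcess(hProc, 0);
    if (!ok) {
#ifdef DEBUGMSG
        printf("TerminateProcess() GetLastError reports %lu\n", (unsigned long)erron);
#endif
    } else if (WaitForSingleObject(hProc, 5000) != WAIT_OBJECT_0) {
        // Best effort: the kill was issued, but the file deletion that
        // follows may fail if the process is still winding down.
#ifdef DEBUGMSG
        printf("Process %lu did not exit within 5 s\n", (unsigned long)ProcessID);
#endif
    }
    CloseHandle(hProc);
    return ok;
}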
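/*
 * Enable the privilege named PrivilegeName (e.g. SE_DEBUG_NAME) in the
 * current process's access token.
 *
 * GetCurrentProcess() returns a pseudo-handle that needs no CloseHandle();
 * only the token handle is a real resource and is released on every path.
 *
 * Returns TRUE when the privilege is now enabled, FALSE otherwise.  Note
 * that AdjustTokenPrivileges() reports success even when the token does not
 * hold the privilege at all; that case is detected via ERROR_NOT_ALL_ASSIGNED
 * and reported as FALSE.
 */
BOOL EnablePrivilege(LPTSTR PrivilegeName)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TP = {0};
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
#ifdef DEBUGMSG
        printf("OpenProcessToken() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        return FALSE;   // no token to close
    }
    if (!LookupPrivilegeValue(NULL, PrivilegeName, &TP.Privileges[0].Luid)) {
#ifdef DEBUGMSG
        printf("LookupPrivilegeValue() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        goto Close;
    }
    TP.PrivilegeCount = 1;
    TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &TP, sizeof(TP), NULL, NULL)) {
#ifdef DEBUGMSG
        printf("AdjustTokenPrivileges() GetLastError reports %lu\n", (unsigned long)erron);
#endif
        goto Close;
    }
    // Success return value alone is not enough: check the privilege was actually assigned.
    if (erron == ERROR_NOT_ALL_ASSIGNED) {
#ifdef DEBUGMSG
        printf("AdjustTokenPrivileges(): privilege not held by the token\n");
#endif
        goto Close;
    }
    ok = TRUE;
Close:
    CloseHandle(hToken);
    return ok;
}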
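/*
 * Delete the worm's autostart value from
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
 *
 * The key is opened with KEY_SET_VALUE only, which is all RegDeleteValue()
 * needs.  Registry functions return their error code directly and do not
 * set the thread's last error, so `ret` is what gets reported.
 *
 * Returns FALSE only when the Run key cannot be opened.  A missing value
 * (ERROR_FILE_NOT_FOUND) means there is nothing to remove; any other delete
 * error is logged and, as before, does not stop the program.
 */
BOOL RegDelVXER(void)
{
    HKEY hkey = NULL;
    LONG ret = ERROR_SUCCESS;

    ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                       "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                       0,
                       KEY_SET_VALUE,
                       &hkey);
    if (ret != ERROR_SUCCESS) {
#ifdef DEBUGMSG
        printf("RegOpenKeyEx() reports %ld\n", (long)ret);
#endif
        return FALSE;   // no key to close
    }
    // NOTE(review): the published listing shows this value name with all
    // whitespace stripped; confirm the exact name against a known sample.
    ret = RegDeleteValue(hkey, "windowsautoupdate");
    if (ret == ERROR_SUCCESS) {
#ifdef DEBUGMSG
        printf("Success Delete\n");
#endif
    } else if (ret == ERROR_FILE_NOT_FOUND) {
#ifdef DEBUGMSG
        printf("RegDeleteValue(): value not present, nothing to remove\n");
#endif
    } else {
#ifdef DEBUGMSG
        printf("RegDeleteValue() reports %ld\n", (long)ret);
#endif
    }
    RegCloseKey(hkey);   // exactly once on every path
    return TRUE;
}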
voidUsage(LPCTSTRParameter)
{
LPCTSTRPath="%SystemRoot%\\system32\\";
fprintf(stderr,"============================================================================\n"
"杀毒软件的简单实现\n"
"环境:
Win2KAdvServer+VisualC++6.0\n"
"作者:
laoxie\n"
"主页:
\n"
"OICQ:
77199033\n"
"邮件:
dtzj@\n"
"使用方法:
\n"
"%s文件名。
例如:
%smsblast.exeor%s*.exe\n\n"
"注