simpleviruschecker.c

著名的任天堂FC游戏机模拟器VirtuaNes 085版的源码!

/*

 SimpleVirusChecker
 version 1.1
 programmed by Norix

 Copyright Note
 source code: SimpleVirusChecker.c,SimpleVirusChecker.h

 Please use this program freely.
 An author isn't concerned on a loss at having used this program at all.
 An author prays for virus software disappearing from a PC in the world.

 --Attention--
 Because an author doesn't have a PC infected with a virus program, can't
 guarantee it whether you were able to completely check it.

 Histroy:
 v1.1	add WORM_FIZZER
	add WORM_PALYH
	add WORM_LOVGATE
	add WORM_OPASERV
 v1.11	add WORM_SOBIG.F
*/
#include	"SimpleVirusChecker.h"
#include	<tchar.h>

#define	KEYTYPE_1	(1<<0)	/* Windows startup registry */
#define	KEYTYPE_2	(1<<1)	/* Windows Servece registry(NT only) */

typedef	struct	{
	TCHAR*	keyname;
	int	type;		/* type */
	int	length;		/* use strncmp length (0 is use strcmp) */
} VIRUSKEYTBL;

static	VIRUSKEYTBL	viruskeytbl[] = {
/*	KEY				KEYTYPE			LENGTH */
	_T("Wink"),			KEYTYPE_1|KEYTYPE_2,	4,	/* Klez */
	_T("WindowsMGM"),		KEYTYPE_1|KEYTYPE_2,	0,	/* Sobig */
	_T("Avril Lavigne - Muse"),	KEYTYPE_1,		0,	/* Lirva */
	_T("SystemInit"),		KEYTYPE_1,		0,	/* Fizzer */
	_T("System Tray"),		KEYTYPE_1,		0,	/* Palyh */
	_T("WinGate initialize"),	KEYTYPE_1,		0,	/* Lovgate */
	_T("ScrSvr"),			KEYTYPE_1,		0,	/* Opaserv */
	_T("SSK Service"),		KEYTYPE_1,		0,	/* Sobig.E */
	_T("TrayX"),			KEYTYPE_1,		0,	/* Sobig.F */
	NULL, 0, 0	/* term */
};

/* WindowsNT? */
static	int	IsNT( void )
{
	OSVERSIONINFO	osvi;
	osvi.dwOSVersionInfoSize = sizeof(osvi);
	if( !GetVersionEx(&osvi) )
		return	0;

	if( osvi.dwPlatformId == VER_PLATFORM_WIN32_NT )
		return	1;

	if( osvi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS )
		return	0;

	/* unknown */
	return	-1;
}

/* A check of a type to be infected with *.exe activation (representative example:SIRCAM) */
static	int	ExeRegistryCheck( void )
{
	HKEY	hKey;
	LONG	lResult;
	DWORD	dwCount;

	if( RegOpenKeyEx( HKEY_CLASSES_ROOT, _T("exefile\\shell\\open\\command"),
			0, KEY_READ, &hKey ) != ERROR_SUCCESS ) {
		return	-1;
	}

	lResult = RegQueryValueEx( hKey, _T(""), NULL, NULL, NULL, &dwCount );
	RegCloseKey( hKey );
	if( lResult != ERROR_SUCCESS ) {
		return	-1;
	}
	/*
	  Check it whether a parameter is different from a default parameter.
	  May think that this is originally infected when it is only '"%1" %*'
	  and has length more than it.
	*/
	if( dwCount > 8 ) {
		return	1;
	}
	/* OK */
	return	0;
}

/* Character string comparison */
static	int	KlezTypeCheckSub( const char* name, int mask )
{
	VIRUSKEYTBL*	tbl = viruskeytbl;

	while( tbl->keyname ) {
		if( tbl->type & mask ) {
			if( !tbl->length ) {
				if( StrCmpI( name, tbl->keyname ) == 0 )
					return	1;
			} else {
				if( StrCmpNI( name, tbl->keyname, tbl->length ) == 0 )
					return	1;
			}
		}
		tbl++;
	}
	return	0;
}

/* A check of the registry which a virus uses */
static	int	KlezTypeCheck( void )
{
	HKEY	hKey;
	LONG	lResult;
	TCHAR	szKeyName[1024];
	DWORD	dwIndex, dwCount;
	FILETIME ft;
	int	viruscount = 0;

	/* Search a thing registered with Windows Startup */
	if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
			    0, KEY_READ, &hKey ) != ERROR_SUCCESS ) {
		return	-1;
	}
	dwIndex = 0;
	while( 1 ) {
		dwCount = sizeof(szKeyName)/sizeof(TCHAR);
		lResult = RegEnumValue( hKey, dwIndex, szKeyName, &dwCount, 0, NULL, NULL, NULL );
		if( lResult != ERROR_SUCCESS ) {
			break;
		}
		viruscount += KlezTypeCheckSub( szKeyName, KEYTYPE_1 );
		dwIndex++;
	}
	RegCloseKey( hKey );

	if( !IsNT() ) {
		return	viruscount;
	}

	/* Search a thing registered with WindowsNT Service */
	if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("System\\CurrentControlSet\\Services"),
			    0, KEY_READ, &hKey ) != ERROR_SUCCESS ) {
		return	-1;
	}
	dwIndex = 0;
	while( 1 ) {
		dwCount = sizeof(szKeyName)/sizeof(TCHAR);
		lResult = RegEnumKeyEx( hKey, dwIndex, szKeyName, &dwCount, 0, NULL, NULL, &ft );
		if( lResult != ERROR_SUCCESS ) {
			break;
		}
		viruscount += KlezTypeCheckSub( szKeyName, KEYTYPE_2 );
		dwIndex++;
	}
	RegCloseKey( hKey );

	return	viruscount;
}

int	SimpleVirusChecker(void)
{
	int	viruscount = 0;

	if( IsNT() < 0 )
		return	-1;

	if( ExeRegistryCheck() > 0 )
		viruscount++;

	viruscount += KlezTypeCheck();

	return	viruscount;
}