ukillpe.pas

用delphi写的杀毒软件的源程序

unit UKillPe;

interface

uses
  Windows, SysUtils, Messages;

function FindPeVirus(LFileName:string):Integer;
function FindV1:Integer; //.LWY测试用

var
 hFile:THandle;
 ImgDosHeader:IMAGE_DOS_HEADER;
 ImgNtHeaders:IMAGE_NT_HEADERS;
 peNTHeader:pImageNtHeaders;
 PEOptionalHeader:pImageOptionalHeader;
 ImgSectionHeader:IMAGE_SECTION_HEADER;
 BytesRead:Cardinal;

 tzName: Array of String;
 tzN: Integer;

implementation

uses Unit1;

//PE特征码
function FindPeVirus(LFileName:string):Integer;
begin
 Result:= 0;

 hFile:=CreateFile(PChar(LFileName),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
// MessageBox(0,PChar(LFileName),'错误',MB_ICONINFORMATION+MB_OK);
 if hFile=INVALID_HANDLE_VALUE then Exit;
 try
  SetFilePointer(hFile, 0, nil, FILE_BEGIN);
  ReadFile(hFile,ImgDosHeader,SizeOf(ImgDosHeader),BytesRead,nil);
  if ImgDosHeader.e_magic<>IMAGE_DOS_SIGNATURE then Exit;//PE文件DOS标记

//查病毒特征
  Result:=FindV1();
 finally
  CloseHandle(hFile);
 end;
end;

function FindV1:Integer; //.LWY测试用
var
 i: Integer;
 RVA_: DWORD;
 VA_: DWORD;
 Read_: Byte;
 VirusVar,VirusVar_: String;
begin
 Result:=0;
 VA_:=0;

 SetFilePointer(hFile,ImgDosHeader._lfanew,nil,FILE_BEGIN);
 Form1.Memo1.Lines.Add('3C值：'+IntToHex(ImgDosHeader._lfanew,2));
 ReadFile(hFile,ImgNtHeaders,SizeOf(ImgNtHeaders),BytesRead,nil);
 if ImgNtHeaders.Signature<>IMAGE_NT_SIGNATURE then Exit;//PE文件NT标记

 RVA_:=ImgNtHeaders.OptionalHeader.AddressOfEntryPoint;
 Form1.Memo1.Lines.Add('IMAGE BASE:'+IntToHex(ImgNtHeaders.OptionalHeader.ImageBase,2));
 Form1.Memo1.Lines.Add('IMAGE SIZE:'+IntToHex(ImgNtHeaders.OptionalHeader.SizeOfImage,2));

 for I:=1 to ImgNtHeaders.FileHeader.NumberOfSections do //读节头
 begin
  ReadFile(hFile,ImgSectionHeader,SizeOf(ImgSectionHeader),BytesRead,nil);

  Form1.Memo1.Lines.Add('ImgSectionHeader:'+PChar(@ImgSectionHeader.Name[0])+'  ImageVA:'+IntToHex(ImgSectionHeader.VirtualAddress,2)+'  节大小:'+IntToHex(ImgSectionHeader.SizeOfRawData,2));
  Form1.Memo1.Lines.Add('  节物理位置:'+IntToHex(ImgSectionHeader.PointerToRawData,2));
  if RVA_<ImgSectionHeader.SizeOfRawData+ImgSectionHeader.VirtualAddress then
  begin
   if VA_<1 then
   begin
    VA_:=RVA_+ImgSectionHeader.PointerToRawData-ImgSectionHeader.VirtualAddress;
    Form1.Memo1.Lines.Add('  物理EN:'+IntToHex(VA_,2));
   end;
  end;
 end;
 Form1.Memo1.Lines.Add('RVA:'+IntToHex(RVA_,2));
 SetFilePointer(hFile,VA_,nil,FILE_BEGIN);
 VirusVar:='12345678901234567890';
 VirusVar_:='';
 for i:=1 to Length(VirusVar) do
 begin
  if i mod 2=1 then
  begin
   ReadFile(hFile,Read_,SizeOf(Read_),BytesRead,nil);
   VirusVar_:=VirusVar_+IntToHex(Read_,2);
  end;
 end;
 Form1.Memo1.Lines.Add(VirusVar_);
 Result:=1;
end;

end.