ukillpe.pas

用delphi写的杀毒软件的源程序

unit UKillPe;

interface

uses
  Windows, SysUtils, Messages;

function FindPeVirus(LFileName:string):Integer;
function FindV1:Integer; //.LWY测试用
function FindV2(VirusSec:Integer;VirusVar:String;Result1:Integer):Integer; //按文件入口查

var
 hFile:THandle;
 ImgDosHeader:IMAGE_DOS_HEADER;
 ImgNtHeaders:IMAGE_NT_HEADERS;
 ImgSectionHeader:IMAGE_SECTION_HEADER;
 BytesRead:Cardinal;

 tzName: Array of String;
 tzN: Integer;

implementation
uses Unit1;

//PE特征码
function FindPeVirus(LFileName:string):Integer;
begin
 Result:= 0;

 hFile:=CreateFile(PChar(LFileName),GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
// MessageBox(0,PChar(LFileName),'错误',MB_ICONINFORMATION+MB_OK);
 if hFile=INVALID_HANDLE_VALUE then Exit;
 try
  SetFilePointer(hFile, 0, nil, FILE_BEGIN);
  ReadFile(hFile,ImgDosHeader,SizeOf(ImgDosHeader),BytesRead,nil);
  if ImgDosHeader.e_magic<>IMAGE_DOS_SIGNATURE then Exit;//PE文件DOS标记

//查病毒特征

  if FindV1=1 then Result:=1;
  if Result=0 then
   Result:= FindV2($13D8,'4F00750074006C006F006F006B',2);
  if Result=0 then
   Result:= FindV2($F,'33C08BC483C004938B',3);
 finally
  CloseHandle(hFile);
 end;
end;

function FindV1:Integer; //.LWY测试用
var
 I,m:Integer;
begin
 Result:=0;

 tzN:=0;
 SetLength(TzName, tzN+1);
 TzName[0]:='.LWY';

 SetFilePointer(hFile,ImgDosHeader._lfanew,nil,FILE_BEGIN);
 ReadFile(hFile,ImgNtHeaders,SizeOf(ImgNtHeaders),BytesRead,nil);
 if ImgNtHeaders.Signature<>IMAGE_NT_SIGNATURE then Exit;//PE文件NT标记

 for I:=0 to ImgNtHeaders.FileHeader.NumberOfSections-1 do //读节头
 begin
  ReadFile(hFile,ImgSectionHeader,SizeOf(ImgSectionHeader),BytesRead,nil);

  for m:=0 to tzN do
  begin
   if PChar(@ImgSectionHeader.Name[0])=tzName[m] then
   begin
    Result:= 1;
    Break;
   end;
  end;
  if Result=1 then Break;
 end;
end;

function FindV2(VirusSec:Integer;VirusVar:String;Result1:Integer):Integer;
Var
 I: Integer;

 VirusVar_: String;
 Read_Byte: Byte;
 VA_: Integer;
begin
 Result:=0;
 VA_:=0;
 SetFilePointer(hFile,ImgDosHeader._lfanew,nil,FILE_BEGIN);
 ReadFile(hFile,ImgNtHeaders,SizeOf(ImgNtHeaders),BytesRead,nil);
 if ImgNtHeaders.Signature<>IMAGE_NT_SIGNATURE then Exit;//PE文件NT标记

 for I:=1 to ImgNtHeaders.FileHeader.NumberOfSections do //查找文件物理入口
 begin
  ReadFile(hFile,ImgSectionHeader,SizeOf(ImgSectionHeader),BytesRead,nil);

  if ImgNtHeaders.OptionalHeader.AddressOfEntryPoint<ImgSectionHeader.SizeOfRawData+ImgSectionHeader.VirtualAddress then
  begin
   VA_:=ImgNtHeaders.OptionalHeader.AddressOfEntryPoint+ImgSectionHeader.PointerToRawData-ImgSectionHeader.VirtualAddress;
   Break;
  end;
 end;

 SetFilePointer(hFile,VA_+VirusSec,nil,FILE_BEGIN); //进入物理入口
 for i:=1 to Length(VirusVar) do
 begin
  if i mod 2=1 then
  begin
   VirusVar_:=copy(VirusVar,i,2);
   ReadFile(hFile,Read_Byte,SizeOf(Read_Byte),BytesRead,nil);
   if (IntToHex(Read_Byte,2)<>VirusVar_) and (VirusVar_<>'??') then
   begin
    Result:=0;
    Exit;
   end;
  end;
 end;

 Result:=Result1;
end;

end.