#include "stdafx.h"
#include "AntiVirusMoudle.h"
#include "ASM\disasm.h"
#include <Psapi.h>
#pragma comment(lib,"Psapi.lib")
CVx_AntiVirusDlg* m_dlg; // dialog used for all UI output here (SetCurText/InsertText/MessageBox); nothing in this part of the file assigns it
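// Enable SeDebugPrivilege on the current process token so that the later
// OpenProcess(PROCESS_ALL_ACCESS, ...) calls on other processes can succeed.
// The original ignored every return value and leaked the token handle; each
// step is now checked and the handle is always closed. The signature stays
// void, so a failure is silent (as before) rather than reported.
void AdjustProcess()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return;
    }
    TOKEN_PRIVILEGES tkp = {0};
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1; // one privilege to set
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Can succeed and still leave the privilege unassigned (ERROR_NOT_ALL_ASSIGNED)
        // when the calling account does not hold it; that case is not detectable by callers.
        AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0);
    }
    CloseHandle(hToken);
}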
#define APICOUT 4 // number of entries in ResetApiName; keep in sync with the table
// ntdll exports whose first 5 bytes ResetCode() inspects for a detour.
char ResetApiName[APICOUT][255] =
{
"ZwCreateFile",
"ZwOpenFile",
"ZwCreateProcess",
"ZwCreateProcessEx"
};
// Return codes of ResetCode()
#define NONEHOOK 0      // no detour found, nothing written
#define ANTIHOOKFAILD 1 // detour found but WriteProcessMemory failed
#define ANTIHOOKTRUE 2  // detour found and the bytes from its target were written back
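// For each ntdll export named in ResetApiName, read its first 5 bytes inside
// the process theHandle; if they start with E8 (CALL rel32), read the 5 bytes
// found at the CALL target and write them back over the export's prologue.
//
// Assumptions carried over unchanged from the original:
//  - the export address is looked up in *this* process and reused for the
//    target, which only holds while ntdll has the same base in both (true on
//    the Windows 2000/XP era systems this tool targets, not under ASLR);
//  - the CALL target begins with the 5 original prologue bytes.
// Fixes: every API result is checked, a partial read is no longer interpreted
// as a CALL, the rel32 is fetched with memcpy instead of an unaligned cast,
// and the page protection is restored after each export (the original left
// the pages PAGE_EXECUTE_READWRITE).
// Returns NONEHOOK, ANTIHOOKFAILD or ANTIHOOKTRUE (the last export processed wins).
int ResetCode(HANDLE theHandle)
{
    int ret = NONEHOOK;
    HMODULE hNtdll = GetModuleHandle("NTDLL.DLL");
    if (!hNtdll)
    {
        return ret;
    }
    for (int i = 0; i < APICOUT; i++)
    {
        DWORD ApiAddr = (DWORD)GetProcAddress(hNtdll, ResetApiName[i]);
        if (!ApiAddr)
        {
            continue;
        }
        BYTE code[5] = {0};
        DWORD dwReadnum = 0;
        DWORD oldpro = 0;
        // Writable+executable is needed for the WriteProcessMemory below; the
        // original protection is put back at the end of this iteration.
        if (!VirtualProtectEx(theHandle, (LPVOID)ApiAddr, 5, PAGE_EXECUTE_READWRITE, &oldpro))
        {
            continue;
        }
        // Require all 5 bytes so a short read cannot be mistaken for a detour.
        if (ReadProcessMemory(theHandle, (LPVOID)ApiAddr, code, 5, &dwReadnum) && dwReadnum == 5
            && code[0] == 0xE8) // E8 rel32: prologue replaced by a CALL
        {
            DWORD rel = 0;
            memcpy(&rel, &code[1], sizeof rel); // unaligned 32-bit displacement
            DWORD NewAddr = ApiAddr + rel + 5;
            BYTE Newcode[5] = {0};
            DWORD dwReadTarget = 0;
            DWORD oldproTarget = 0;
            if (VirtualProtectEx(theHandle, (LPVOID)NewAddr, 5, PAGE_EXECUTE_READWRITE, &oldproTarget))
            {
                if (ReadProcessMemory(theHandle, (LPVOID)NewAddr, Newcode, 5, &dwReadTarget) && dwReadTarget == 5)
                {
                    DWORD dwWritten = 0;
                    // restore hook: put the bytes found at the CALL target back over the prologue
                    if (WriteProcessMemory(theHandle, (LPVOID)ApiAddr, Newcode, 5, &dwWritten) && dwWritten == 5)
                    {
                        ret = ANTIHOOKTRUE;
                    }
                    else
                    {
                        ret = ANTIHOOKFAILD;
                    }
                }
                VirtualProtectEx(theHandle, (LPVOID)NewAddr, 5, oldproTarget, &oldproTarget);
            }
        }
        VirtualProtectEx(theHandle, (LPVOID)ApiAddr, 5, oldpro, &oldpro);
    }
    return ret;
}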
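// Run export ordinal 2 of the Windows File Protection library (sfc.dll on
// Windows 2000, sfc_os.dll on XP/2003) on a new thread inside ProcessHandle;
// the call site uses this to disable file protection (关闭文件保护).
// Fixes: the original left hSfc uninitialised on any other OS version, passed
// a possibly-NULL function pointer to CreateRemoteThread and never checked the
// thread handle. Each step is now checked and the function simply returns when
// a step fails. As before, the locally loaded module is not freed.
// NOTE(review): ordinal 2 is undocumented, and its address is assumed to be the
// same in the target process (same system-DLL base on these OS versions).
void CloseFileProtect(HANDLE ProcessHandle)
{
    DWORD dwVersion = GetVersion();
    if ((DWORD)(LOBYTE(LOWORD(dwVersion))) != 5) // only Windows 2000/XP/2003 are handled
    {
        return;
    }
    // minor version 0 = Windows 2000 (sfc.dll); 1/2 = XP / Server 2003 (sfc_os.dll)
    const char *sfcName = ((DWORD)(HIBYTE(LOWORD(dwVersion))) == 0) ? "sfc.dll" : "sfc_os.dll";
    HMODULE hSfc = LoadLibrary(sfcName);
    if (!hSfc)
    {
        return;
    }
    LPTHREAD_START_ROUTINE func = (LPTHREAD_START_ROUTINE)GetProcAddress(hSfc, MAKEINTRESOURCE(2));
    if (!func)
    {
        return;
    }
    DWORD dwThreadId = 0;
    HANDLE hThread = CreateRemoteThread(ProcessHandle, NULL, 0, func, NULL, 0, &dwThreadId);
    if (!hThread)
    {
        return;
    }
    WaitForSingleObject(hThread, 4000); // wait up to 4 seconds, as the original did
    CloseHandle(hThread);
}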
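// Walk the process snapshot and run ResetCode() on every process after the
// first four entries; the fifth entry additionally gets CloseFileProtect().
// Results are reported through m_dlg. Returns FALSE when the snapshot could
// not be created or enumerated, TRUE otherwise.
// Fixes over the original: the snapshot handle is compared with
// INVALID_HANDLE_VALUE, the process handle is checked *before* it is used for
// GetModuleFileNameEx and is always closed (it leaked once per process), the
// path shown via SetCurText is the current process's (the original displayed
// the previous iteration's), and bInheritHandle is FALSE since nothing spawns
// children with the handle.
// NOTE(review): identifying winlogon.exe by snapshot position (idx == 5) is a
// fragile assumption carried over unchanged; the order of the first entries
// is not guaranteed.
BOOL AntiHook()
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        m_dlg->MessageBox("创建进程快照失败!");
        return FALSE;
    }
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32))
    {
        m_dlg->MessageBox("枚举进程失败!");
        CloseHandle(hProcessSnap);
        return FALSE;
    }
    int idx = 0;
    do
    {
        idx++;
        if (idx <= 4)
        {
            continue; // the first snapshot entries are skipped, as in the original
        }
        HANDLE theHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
        if (!theHandle)
        {
            continue; // not accessible; nothing can be read or written anyway
        }
        char path[MAX_PATH] = "";
        if (!GetModuleFileNameEx(theHandle, NULL, path, MAX_PATH))
        {
            // fall back to the snapshot's executable name so the row is still meaningful
            strcpy_s(path, MAX_PATH, pe32.szExeFile);
        }
        m_dlg->SetCurText(path);
        if (idx == 5) // winlogon.exe (positional assumption, see note above)
        {
            CloseFileProtect(theHandle); // 关闭文件保护
        }
        int retcode = ResetCode(theHandle);
        if (retcode == ANTIHOOKTRUE)
        {
            m_dlg->InsertText(path, "内存", "是", "已清除", 0);
        }
        else if (retcode == ANTIHOOKFAILD)
        {
            m_dlg->InsertText(path, "内存", "是", "清除失败", 0);
        }
        CloseHandle(theHandle);
    } while (Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    return TRUE;
}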
// Per-file state VaildVirus() hands to RepairFile(): the mapped view of the
// infected file plus the handles that own it (presumably released by
// RepairFile(), whose definition is not in the part of the file shown).
struct VirusInfo
{
char strpath[MAX_PATH]; // full path of the infected file
HANDLE hFileMap;        // file-mapping object created in VaildVirus()
HANDLE hFile;           // file handle opened GENERIC_WRITE | GENERIC_READ in VaildVirus()
BYTE* pvFile;           // writable view of the whole file (MapViewOfFile with FILE_MAP_WRITE)
int idx;                // row index returned by m_dlg->InsertText()
};
// Repair an infected file described by info; declared here, defined outside the part shown.
void RepairFile(VirusInfo* info);
BOOL bOnlyCheck;         // TRUE: only report infected files, never repair them
HANDLE dwFindThread = 0;  // handle of the FindFileThread worker; not assigned in the part shown
HANDLE dwVirusThread = 0; // handle of the FindVirusThread worker; not assigned in the part shown
deque<CString> strdeque;  // paths queued by FindFileInDirectory(), consumed by FindVirusThread(); guarded by cs
BOOL bStopFind = FALSE;   // set by FindFileThread() once the directory walk is complete
CRITICAL_SECTION cs;      // protects strdeque; NOTE(review): InitializeCriticalSection is not called in the part shown
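// Return TRUE when strname ends in ".exe" (case-insensitive), FALSE for NULL
// or any other name. The extension is taken from the *last* dot so names with
// several dots ("setup.v2.exe") are recognised; the original used strchr()
// and rejected them.
BOOL IsExeExtendName(char* strname)
{
    if (!strname)
    {
        return FALSE;
    }
    const char* ext = strrchr(strname, '.');
    if (!ext)
    {
        return FALSE;
    }
    return (_stricmp(ext, ".EXE") == 0) ? TRUE : FALSE;
}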
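// Recursively enumerate strpath (a pattern ending in "*", e.g. "C:\\*") and
// push every matching file onto strdeque for FindVirusThread(). Directories
// are descended into; files are queued when m_dlg->bScanAllFile is set or the
// name ends in ".exe".
// Fixes over the original: only "." and ".." are skipped (the original skipped
// every name starting with a dot), reparse points (junctions/symlinks) are not
// followed so a cycle cannot recurse forever, and the path is length-checked
// before it is built so an over-long entry is skipped instead of tripping the
// strcat_s invalid-parameter handler.
void FindFileInDirectory(char* strpath)
{
    WIN32_FIND_DATA fileinfo = {0};
    HANDLE handle = FindFirstFile(strpath, &fileinfo);
    if (handle == NULL || handle == INVALID_HANDLE_VALUE)
    {
        return;
    }
    // strpath ends in the "*" wildcard; everything before it is the directory prefix
    size_t prefixLen = strlen(strpath);
    if (prefixLen > 0)
    {
        prefixLen--;
    }
    do
    {
        const char* name = fileinfo.cFileName;
        if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        {
            continue;
        }
        if (fileinfo.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT)
        {
            continue; // do not follow junctions / symlinks
        }
        size_t nameLen = strlen(name);
        // prefix + name + "\\*" + NUL must fit in MAX_PATH
        if (prefixLen + nameLen + 2 >= MAX_PATH)
        {
            continue;
        }
        char strchild[MAX_PATH] = "";
        memcpy(strchild, strpath, prefixLen);
        memcpy(strchild + prefixLen, name, nameLen + 1);
        if (fileinfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            strcat_s(strchild, MAX_PATH, "\\*");
            FindFileInDirectory(strchild);
        }
        else if (m_dlg->bScanAllFile || IsExeExtendName(fileinfo.cFileName))
        {
            m_dlg->SetCurText(strchild);
            EnterCriticalSection(&cs);
            strdeque.push_back(strchild);
            LeaveCriticalSection(&cs);
        }
    } while (FindNextFile(handle, &fileinfo));
    FindClose(handle);
}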
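// Producer thread: scan every drive letter B: through Z: that has a root
// directory, then raise bStopFind for FindVirusThread(). lp is unused.
// The original passed an inconsistent buffer size (10) to strcat_s while the
// buffer is 30 bytes; the real size is now used throughout.
// NOTE(review): bStopFind is a plain BOOL shared with another thread, as in
// the original; no interlocked access is used.
DWORD WINAPI FindFileThread(LPVOID lp)
{
    (void)lp;
    char strpath[30] = "";
    for (int i = 1; i <= 25; i++) // 'B'..'Z'; A: is skipped, as in the original
    {
        sprintf_s(strpath, sizeof strpath, "%c:\\", 'A' + i);
        if (GetDriveType(strpath) != DRIVE_NO_ROOT_DIR)
        {
            strcat_s(strpath, sizeof strpath, "*");
            FindFileInDirectory(strpath);
        }
    }
    bStopFind = TRUE;
    return 0;
}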
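// Release the view, mapping and file handle opened by VaildVirus(); each
// argument may be NULL / INVALID_HANDLE_VALUE and is then skipped.
static void CloseScannedFile(LPVOID view, HANDLE hFileMap, HANDLE hFile)
{
    if (view)
    {
        UnmapViewOfFile(view);
    }
    if (hFileMap)
    {
        CloseHandle(hFileMap);
    }
    if (hFile && hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
    }
}
// Check whether strPath is a PE executable carrying the infection marker
// (FileHeader.TimeDateStamp == 'evol' or 'love'; '\0bug' marks an already
// repaired file; DLLs are ignored). An infected file is reported via m_dlg;
// unless bOnlyCheck is set, its handles and writable view are handed to
// RepairFile() inside a VirusInfo.
// Fixes over the original: in check-only mode the file is opened and mapped
// read-only and released afterwards (the original needed write access just to
// look, and leaked file, mapping and view on that path); GetFileSize failure
// is handled; the NT header must lie entirely inside the file before it is
// read (the original only checked e_lfanew <= size, so a header straddling
// the end of the view was read).
void VaildVirus(CString strPath)
{
    if (strPath == "")
    {
        return;
    }
    // least privilege: only the repair path needs a writable file and view
    DWORD access = bOnlyCheck ? GENERIC_READ : (GENERIC_WRITE | GENERIC_READ);
    DWORD mapProtect = bOnlyCheck ? PAGE_READONLY : PAGE_READWRITE;
    DWORD viewAccess = bOnlyCheck ? FILE_MAP_READ : FILE_MAP_WRITE;
    HANDLE hFile = CreateFile(strPath, access, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return;
    }
    DWORD dwFileSize = GetFileSize(hFile, NULL);
    // INVALID_FILE_SIZE also covers files >= 4 GB, which cannot be mapped as one 32-bit view here
    if (dwFileSize == INVALID_FILE_SIZE || dwFileSize < 2048)
    {
        CloseHandle(hFile);
        return;
    }
    HANDLE hFileMap = CreateFileMapping(hFile, NULL, mapProtect, 0, dwFileSize, NULL);
    if (hFileMap == NULL)
    {
        CloseHandle(hFile);
        return;
    }
    BYTE* pvFile = (BYTE*)MapViewOfFile(hFileMap, viewAccess, 0, 0, 0);
    if (pvFile == NULL)
    {
        CloseScannedFile(NULL, hFileMap, hFile);
        return;
    }
    BOOL infected = FALSE;
    IMAGE_DOS_HEADER* dos_header = (IMAGE_DOS_HEADER*)pvFile;
    // dwFileSize >= 2048 here, so the subtraction cannot underflow
    if (dos_header->e_magic == IMAGE_DOS_SIGNATURE &&                                  // MZ header
        (DWORD)dos_header->e_lfanew <= dwFileSize - sizeof(IMAGE_NT_HEADERS))         // whole NT header inside the file
    {
        IMAGE_NT_HEADERS* Nt_Header = (IMAGE_NT_HEADERS*)(pvFile + dos_header->e_lfanew);
        DWORD stamp = Nt_Header->FileHeader.TimeDateStamp;
        if (Nt_Header->Signature == IMAGE_NT_SIGNATURE &&                              // PE header
            (Nt_Header->FileHeader.Characteristics & IMAGE_FILE_DLL) != IMAGE_FILE_DLL && // not a DLL
            (stamp == 'evol' || stamp == 'love') &&                                     // infection marker
            stamp != '\0bug')                                                           // already repaired
        {
            infected = TRUE;
        }
    }
    if (!infected)
    {
        CloseScannedFile(pvFile, hFileMap, hFile);
        return;
    }
    if (bOnlyCheck)
    {
        m_dlg->InsertText(strPath.GetBuffer(0), "文件", "是", "未清除", 0);
        CloseScannedFile(pvFile, hFileMap, hFile); // nothing keeps the file open in check-only mode
        return;
    }
    // Repair mode: the handles and the writable view now belong to virusinfo
    // (presumably released by RepairFile(), which is defined outside the part shown).
    VirusInfo* virusinfo = new VirusInfo;
    memset(virusinfo, 0, sizeof(VirusInfo));
    strcpy_s(virusinfo->strpath, MAX_PATH, strPath);
    virusinfo->pvFile = pvFile;
    virusinfo->hFile = hFile;
    virusinfo->hFileMap = hFileMap;
    virusinfo->idx = m_dlg->InsertText(strPath.GetBuffer(0), "文件", "是", "未清除", (DWORD)virusinfo);
    RepairFile(virusinfo);
}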
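// Consumer thread: take paths off strdeque and run VaildVirus() on each until
// the producer (FindFileThread) has raised bStopFind and the queue is empty,
// then reset the progress UI. lp is unused.
// Fixes over the original: the queue is only touched under cs (size() was
// read unlocked), VaildVirus() runs *outside* the lock so the producer is not
// blocked for the duration of a scan, the thread sleeps instead of spinning
// while the queue is empty, and entries pushed just before bStopFind was
// raised are still drained (the original could exit with paths left queued).
DWORD WINAPI FindVirusThread(LPVOID lp)
{
    (void)lp;
    for (;;)
    {
        // Read the stop flag *before* inspecting the queue: the producer pushes
        // first and raises the flag last, so a TRUE seen here means every push
        // preceded the queue check below. NOTE(review): bStopFind is a plain
        // BOOL as in the original; the critical section is the only barrier.
        BOOL producerDone = bStopFind;
        CString strPath;
        BOOL havePath = FALSE;
        EnterCriticalSection(&cs);
        if (!strdeque.empty())
        {
            strPath = strdeque.front();
            strdeque.pop_front();
            havePath = TRUE;
        }
        LeaveCriticalSection(&cs);
        if (havePath)
        {
            VaildVirus(strPath);
            continue;
        }
        if (producerDone)
        {
            break; // producer finished and the queue is empty
        }
        Sleep(10); // queue empty, producer still running
    }
    m_dlg->SetCurText("");
    m_dlg->m_ProgressCtrl.End();
    m_dlg->m_ProgressCtrl.Reset();
    m_dlg->SetStatusText("杀毒完毕");
    return 0;
}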
// Headers of the file currently being repaired; nothing in the part of the
// file shown assigns them, so they must be set by the repair code elsewhere.
IMAGE_DOS_HEADER* image_dos_header;
IMAGE_NT_HEADERS* image_nt_header;          // read by FindSectionIndex() and InitpMem()
IMAGE_SECTION_HEADER *image_section_header; // first entry of the section table, indexed by FindSectionIndex()
BYTE* EpAddr = NULL;                         // not referenced in the part shown
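// Round dwTarNum up to the next multiple of dwAlignTo (a PE file or section
// alignment). dwAlignTo == 0 returns dwTarNum unchanged instead of dividing by
// zero (undefined behaviour in the original). The result wraps modulo 2^32 if
// rounding up exceeds DWORD range.
DWORD PEAlign(DWORD dwTarNum, DWORD dwAlignTo)
{
    if (dwAlignTo == 0)
    {
        return dwTarNum;
    }
    DWORD blocks = dwTarNum / dwAlignTo;
    if (dwTarNum % dwAlignTo != 0)
    {
        blocks++; // partial block counts as a whole one
    }
    return blocks * dwAlignTo;
}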
// Index of the section of image_section_header whose
// [VirtualAddress, VirtualAddress + VirtualSize) range contains the RVA addr,
// or -1 when none of image_nt_header's sections covers it.
int FindSectionIndex(DWORD addr)
{
    const int count = image_nt_header->FileHeader.NumberOfSections;
    for (int idx = 0; idx < count; idx++)
    {
        const IMAGE_SECTION_HEADER& sec = image_section_header[idx];
        const DWORD start = sec.VirtualAddress;
        const DWORD end = start + sec.Misc.VirtualSize;
        if (addr >= start && addr < end)
        {
            return idx;
        }
    }
    return -1;
}
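// Translate the RVA addr to a file offset through the global section table.
// Returns 0 when addr lies in no section; the original returned the pointer
// constant NULL for a DWORD, which is the wrong kind of zero. Callers cannot
// tell "not found" from a genuine offset 0, so call FindSectionIndex() first
// where that distinction matters.
DWORD RvaToOffset(DWORD addr)
{
    int i = FindSectionIndex(addr);
    if (i < 0)
    {
        return 0;
    }
    const IMAGE_SECTION_HEADER& sec = image_section_header[i];
    return addr - sec.VirtualAddress + sec.PointerToRawData;
}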
// State shared by the repair routines; none of it is read in the part of the
// file shown except m_info (InitpMem) and pMem (InitpMem).
BYTE pushcode = 0x50;      // single opcode byte (0x50 = PUSH EAX) kept for the repair code
DWORD jmpaddr;
BYTE OldByteCode[5] = {0}; // 5 bytes saved from the location ModifyAddr refers to
DWORD ModifyAddr;
VirusInfo* m_info;         // file being repaired; InitpMem() copies sections from m_info->pvFile
BYTE xorkey;
BYTE* pMem;                // sections laid out at SectionAlignment granularity, built by InitpMem()
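// Build, in the global pMem, a copy of the sections of m_info->pvFile laid out
// at SectionAlignment granularity (as the loader would place them), with one
// empty alignment unit in front of the first section.
// Fixes over the original: GlobalAlloc is checked; the leading gap is sized by
// SectionAlignment instead of a fixed 0x1000 (a larger alignment overran the
// buffer); each copy is clamped to its aligned slot so a section whose
// SizeOfRawData exceeds its aligned VirtualSize cannot write past the end of
// pMem. The extra 0x1000 keeps the trailing slack the original allocation had.
// NOTE(review): PointerToRawData/SizeOfRawData are still trusted to lie inside
// the mapped file; VirusInfo carries no file size to check them against.
void InitpMem()
{
    const DWORD align = image_nt_header->OptionalHeader.SectionAlignment;
    const int count = image_nt_header->FileHeader.NumberOfSections;
    DWORD total = 0;
    for (int i = 0; i < count; i++)
    {
        total += PEAlign(image_section_header[i].Misc.VirtualSize, align);
    }
    pMem = (BYTE*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, total + align + 0x1000);
    if (!pMem)
    {
        return; // callers must check pMem before using it
    }
    BYTE* paddr = pMem + align;
    for (int i = 0; i < count; i++)
    {
        const IMAGE_SECTION_HEADER& sec = image_section_header[i];
        const DWORD slot = PEAlign(sec.Misc.VirtualSize, align);
        const DWORD copyLen = sec.SizeOfRawData < slot ? sec.SizeOfRawData : slot;
        memcpy(paddr, m_info->pvFile + sec.PointerToRawData, copyLen);
        paddr += slot;
    }
}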
// Presumably decodes len bytes at addr in place; declared here, defined outside the part shown.
void decode(BYTE* addr,int len);
BYTE* VirusStartAddr;
BYTE* VirusEndAddr;
// Parameters of the decryption loop; postion is updated by FindBaseInfo_Proc(),
// the others are not assigned in the part of the file shown.
BYTE decodekey;   // decryption key
int method;       // method: 0 = subtraction, 1 = XOR
BOOL UseAdd;      // whether addition is used
BOOL AddNum;
DWORD decodereg;  // register used by the polymorphic variant
int nAddrReg;     // register holding the decode start address
int postion = 0;  // parser state: 0 before, 1 inside, 2 after the decode, 3 after the loop, 4 'jmp reg' end
int CaclOEP(BYTE* addr,DWORD VirtualAddress,DWORD HookAddr,BOOL bLevel);
// Search for the virus entry point
void FindVirusEP(BYTE* addr,DWORD VirtualAddress,BOOL bLevel);
int FindBaseInfo_Proc(BYTE* BaseAddr,BYTE* code,DWORD VirtualAddress)
{
t_disasm da;
int ret = Disasm((char*)code,16,VirtualAddress,&da,DISASM_CODE);
if( !_stricmp(da.vm_name,"VXCHG_MEM08_REG08") ||
!_stricmp(da.vm_name,"VMOV_REG08_MEM08") ||
!_stricmp(da.vm_name,"VMOV_MEM08_REG08")
)
{
if( postion == 0 )
{
postion = 1;//decode之中
}
else if( postion == 1 )