下面我们用代码亲自来实践一个杀毒程序,清除程序的可读可写,并扫描程序的特征码,对病毒进行删除

 

 

 

#include "stdafx.h"
#include "ScanDisk.h"
#include "ScanDiskDlg.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

UINT ThreadProc(LPVOID param){
CScanDiskDlg *ScanDisk=(CScanDiskDlg*)param;
CString part;
int i=0;
int cy=ScanDisk->m_Disk.GetLength()/2;
do{
	part=ScanDisk->m_Disk.Mid(2*i,2);
    ScanDisk->SearchFolder((char*)part.GetBuffer(0));	
	i++;
}while(i<cy&&ScanDisk->Status);

char s[256];
sprintf(s,"扫描的文件总数 =%d",ScanDisk->TotalFileNum);
ScanDisk->m_Static.SendMessage(WM_SETTEXT,0,(LPARAM)(LPCTSTR)s);
return 0;
}
/
// CScanDiskDlg dialog

CScanDiskDlg::CScanDiskDlg(CWnd* pParent /*=NULL*/)
	: CDialog(CScanDiskDlg::IDD, pParent)
{
	//{{AFX_DATA_INIT(CScanDiskDlg)
	m_Disk = _T("");
	//}}AFX_DATA_INIT
	// Note that LoadIcon does not require a subsequent DestroyIcon in Win32
	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
	TotalFileNum=0;  //扫描文件总数
}

void CScanDiskDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CScanDiskDlg)
	DDX_Control(pDX, IDC_STATIC1, m_Static);
	DDX_Control(pDX, IDC_LIST1, m_List);
	DDX_Control(pDX, IDC_Bstart, m_Bstart);
	DDX_Text(pDX, IDC_Epartition, m_Disk);
	//}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CScanDiskDlg, CDialog)
	//{{AFX_MSG_MAP(CScanDiskDlg)
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(IDC_Bstart, OnBstart)
	ON_BN_CLICKED(IDC_Bstop, OnBstop)
	ON_EN_CHANGE(IDC_Epartition, OnChangeEpartition)
	ON_BN_CLICKED(IDC_Bsave, OnBsave)
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/
// CScanDiskDlg message handlers

BOOL CScanDiskDlg::OnInitDialog()
{
	CDialog::OnInitDialog();

	// Set the icon for this dialog.  The framework does this automatically
	//  when the application's main window is not a dialog
	SetIcon(m_hIcon, TRUE);			// Set big icon
	SetIcon(m_hIcon, FALSE);		// Set small icon
	
DWORD disk=GetLogicalDrives();
DWORD va=1;
char s[]="A:";
for(int i=0;i<32;i++){
	if(disk&(va<<i)){
        s[0]=0x41+(char)i;
        m_Disk+=s;
}}
UpdateData(FALSE);
Status=FALSE;
	
	return TRUE;  // return TRUE  unless you set the focus to a control
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

void CScanDiskDlg::OnPaint() 
{
	if (IsIconic())
	{
		CPaintDC dc(this); // device context for painting

		SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

		// Center icon in client rectangle
		int cxIcon = GetSystemMetrics(SM_CXICON);
		int cyIcon = GetSystemMetrics(SM_CYICON);
		CRect rect;
		GetClientRect(&rect);
		int x = (rect.Width() - cxIcon + 1) / 2;
		int y = (rect.Height() - cyIcon + 1) / 2;

		// Draw the icon
		dc.DrawIcon(x, y, m_hIcon);
	}
	else
	{
		CDialog::OnPaint();
	}
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
HCURSOR CScanDiskDlg::OnQueryDragIcon()
{
	return (HCURSOR) m_hIcon;
}


void CScanDiskDlg::OnBstart() 
{
if(Status==FALSE){
  m_List.ResetContent();
  TotalFileNum=0;
  Status=TRUE;
  SubThread=(CWinThread*)AfxBeginThread(&ThreadProc,this,THREAD_PRIORITY_BELOW_NORMAL,0,0);
  m_Bstart.SetWindowText("停止");
}
else{
  Status=FALSE;
  m_Bstart.SetWindowText("开始");
}	
}

void CScanDiskDlg::OnBstop() 
{
Status=FALSE;
ExitProcess(0);	
}
//处理搜索到的可执行文件
BOOL CScanDiskDlg::ProcessFile(char *FileName)
{
CFile file;
CFileStatus rStatus;
CString inf;
DWORD FileLen=0;
BOOL re;
IMAGE_DOS_HEADER      dos_header;
IMAGE_NT_HEADERS      nt_header;
IMAGE_SECTION_HEADER  section_header;
DWORD len;
BYTE *ptr;
//inf=FileName;
//inf.MakeLower();
//if(-1==inf.Find("\\aaa.exe",1))return FALSE;
//m_List.AddString(FileName);
//return FALSE;
re=file.GetStatus(FileName,rStatus);    //包含了文件的时间、属性等 
if(!re){
//    inf="无法操作的文件:";
//    inf+=FileName;
//    m_List.AddString(inf);
    return FALSE;
}
  
if(rStatus.m_attribute==1){  //只读
  re=SetFileAttributes(FileName,rStatus.m_attribute-1);//去掉只读属性
  if(re){
    inf="无法修改只读属性:";
    inf+=FileName;
    m_List.AddString(inf);
    return FALSE;
  }
} 

if(file.Open(FileName,CFile::modeReadWrite|CFile::typeBinary)){
  FileLen=file.GetLength();
  if(FileLen==0)goto endthis_1;//文件长度为0,不处理
  len=file.Read(&dos_header,sizeof(IMAGE_DOS_HEADER));
  if(dos_header.e_magic==0x5a4d&&len==sizeof(IMAGE_DOS_HEADER)){//含有"MZ"
  //判断dos_header.e_lfanew防止偶然
  if(dos_header.e_lfanew&&(FileLen>(DWORD)dos_header.e_lfanew+sizeof(IMAGE_NT_HEADERS))){
//        m_List.AddString(FileName);
//  	  goto endthis_1;
    file.Seek(dos_header.e_lfanew,CFile::begin);
    len=file.Read(&nt_header,sizeof(IMAGE_NT_HEADERS));
    if(nt_header.Signature==0x4550&&len==sizeof(IMAGE_NT_HEADERS)){  //含有"PE"
	//定位到最后一个节
      file.Seek(dos_header.e_lfanew+sizeof(IMAGE_NT_HEADERS)+
		(nt_header.FileHeader.NumberOfSections-1)*sizeof(IMAGE_SECTION_HEADER),CFile::begin);
      len=file.Read(§ion_header,sizeof(section_header));
	  if((len==sizeof(section_header))&&(!strncmp((char*)section_header.Name,".SD-3",5))){//发现SD-3并处理病毒
//  m_List.AddString(FileName);
//  goto endthis_1;
		BYTE VirusChar[15]={0x55,0x8b,0xec,0x81,0xc4,0xb8,   //病毒特征码
		  0xfe,0xff,0xff,0x60,0xb0,0x2a,0x88,0x45,0xfa};
        file.Seek(section_header.PointerToRawData,CFile::begin);
	    ptr=new BYTE[section_header.Misc.VirtualSize];
	    file.Read(ptr,section_header.Misc.VirtualSize);

        for(int i=0;i<(int)section_header.Misc.VirtualSize-15;i++){
			if(!memcmp(ptr+i,VirusChar,15)){  //发现了病毒特征码
              file.Seek(section_header.PointerToRawData+i-4,CFile::begin);
			  DWORD oldEntry;
			  file.Read(&oldEntry,4);   //把特征码上面的jmp oldEntry的原来入口地址值读出
              //得到原来入口地址相对虚拟地址
              //例如在0x00403059行,有 0xE9A2D8FFFF   jmp 1000
			  //则计算方法为section_header.VirtualAddress+i=0x305E
			  //0x305E+0xFFFFd8A2=0x1000
			  //0x305E为指令jmp 1000的下条指令的相对虚拟地址

              //修改入口地址
              nt_header.OptionalHeader.AddressOfEntryPoint=section_header.VirtualAddress+i+oldEntry;
			  //得到病毒代码开始区域在文件中的偏移
			  DWORD strPos=section_header.PointerToRawData+i;
              //需要抹去的病毒区域长度
			  len=file.GetLength()-strPos;
//  inf.Format("len=%x,strPos=%x,i=%x--",len,strPos,i);
//  m_List.AddString(inf+FileName);
//  goto endthis_1;
              delete []ptr;
			  ptr=new BYTE[len];
			  //清0
			  memset(ptr,0,len);
              file.Seek(strPos,CFile::begin);
			  file.Write(ptr,len);//覆盖病毒区域
              file.Seek(dos_header.e_lfanew,CFile::begin);
			  strcpy((char*)section_header.Name,".kill");   //修改节名
			  //修改PE头(包含有入口地址)
			  file.Write(&nt_header,sizeof(nt_header));
			  //定位到最后一个节表位置,修改
              file.Seek(dos_header.e_lfanew+sizeof(nt_header)+(nt_header.FileHeader.NumberOfSections-1)*
				  sizeof(section_header),CFile::begin);
              file.Write(§ion_header,sizeof(section_header));
			  delete []ptr;
			  inf="发现SD-3,清除:";
			  inf+=FileName;
              m_List.AddString(inf+FileName);
			  break;
			}
		}
	  }
  }
  }
  }
endthis_1:
  file.Close();
  file.SetStatus(FileName,rStatus);
  }
/*
else{   //不能打开文件,则只读方式打开。只分析有无病毒
  if(!file.Open(FileName,CFile::modeRead|CFile::typeBinary)){
   inf="不能修改:";
   inf+=FileName;
   m_List.AddString(inf);
  }
  FileLen=file.GetLength();
  if(FileLen==0)goto endthis_2;//文件长度为0,不处理
  len=file.Read(&dos_header,sizeof(IMAGE_DOS_HEADER));
  if(dos_header.e_magic==0x5a4d&&len==sizeof(IMAGE_DOS_HEADER)){//含有"MZ"
  //考虑到后面的dos_header.e_lfanew-1,必要
  if(dos_header.e_lfanew&&FileLen>(DWORD)dos_header.e_lfanew){
    file.Seek(dos_header.e_lfanew,CFile::begin);
    len=file.Read(&nt_header,sizeof(IMAGE_NT_HEADERS));
    if(nt_header.Signature==0x4550&&len==sizeof(IMAGE_NT_HEADERS)){  //含有"PE"
      file.Seek(dos_header.e_lfanew+sizeof(IMAGE_NT_HEADERS)+
		(nt_header.FileHeader.NumberOfSections-1)*sizeof(IMAGE_SECTION_HEADER),CFile::begin);
      file.Read(§ion_header,sizeof(section_header));  
	  if(!strncmp((char*)section_header.Name,".SD-3",5)){//发现SD-3病毒
        BYTE VirusChar[15]={0x55,0x8b,0xec,0x81,0xc4,0xb8,   //病毒特征码
		  0xfe,0xff,0xff,0x60,0xb0,0x2a,0x88,0x45,0xfa};
        file.Seek(section_header.PointerToRawData,CFile::begin);
	    ptr=new BYTE[section_header.Misc.VirtualSize];
	    file.Read(ptr,section_header.Misc.VirtualSize);
        for(int i=0;i<(int)section_header.Misc.VirtualSize-15;i++){
			if(!memcmp(ptr+i,VirusChar,15)){  //发现了病毒特征码
		      inf="无法清除的SD-3病毒:";
              inf+=FileName;
              m_List.AddString(inf);
	  }}}

}}}

endthis_2:
  file.Close();
  file.SetStatus(FileName,rStatus);
}
*/
return TRUE;
}
//搜索其下所有子目录及文件.
void CScanDiskDlg::SearchFolder(char *path)
{
HANDLE h;
WIN32_FIND_DATA dat;
BOOL re;
char dir[300];
strcpy(dir,path);
strcat(dir,"\\*.*");
h=FindFirstFile(dir,&dat);
if(h==INVALID_HANDLE_VALUE){
  //AfxMessageBox(dir);
  return;
}
char FullName[300];
do{
  re=FindNextFile(h,&dat);
  if(!re)break;
  if(!strncmp(dat.cFileName,"..",2))continue;
  if(!(FILE_ATTRIBUTE_DIRECTORY&dat.dwFileAttributes)){  //不是目录
    strcpy(FullName,path);  
    strcat(FullName,"\\\0");
    strcat(FullName,dat.cFileName);
	//CString exe=dat.cFileName;
	//exe.MakeLower();
    //if(-1!=exe.Find(".exe",2))m_List.AddString(FullName); 
    m_Static.SendMessage(WM_SETTEXT,0,(LPARAM)(LPCTSTR)FullName);
    ProcessFile(FullName);
    TotalFileNum++;
  }
  else {     //是目录,进入子目录
   char next[300];
   strcpy(next,path);
   strcat(next,"\\\0");
   strcat(next,dat.cFileName);
   //m_List.AddString(next); 
   SearchFolder(next);
  }
}while(Status);                    
FindClose(h);
}

void CScanDiskDlg::OnChangeEpartition() 
{
UpdateData();
}

void CScanDiskDlg::OnBsave() 
{
AfxMessageBox("结果保存在c:\\inf.txt");	
CFile fp;
fp.Open("c:\\inf.txt",CFile::modeCreate|CFile.modeWrite);
if(!fp)return;
int col=m_List.GetCount();
if(col==LB_ERR){ fp.Close(); return; }
char s[400];
for(int i=0;i<col;i++){
  memset(s,0,400);
  m_List.GetText(i,s);
  strcat(s,"\r\n");
  fp.Write(s,strlen(s));
}
fp.Close();
}