| 熊猫烧香专杀工具源代码 解除被感染的exe文件 | |||||
作者:不详 文章来源:CnXHacker.Net 点击数: 更新时间:2007-4-25 ![]() |
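/*
    Removal tool for the "Panda Burning Incense" (WHBoy) file infector:
    restores infected exe files.
    BY: ww0830
    Create: 2007-1-7

    File layout this tool relies on (taken from the checks in the code below):
      - the original program starts at offset 0x12605 and begins with "MZ";
      - the file ends with: 0x02, the original length as ASCII decimal
        digits, 0x01.
    NOTE(review): this is a fixed-offset heuristic. It presumably matches only
    the variant whose prepended body is exactly 0x12605 bytes; other variants
    will not be detected. Confirm against samples before relying on it.

    Every byte read from a scanned file is untrusted: the trailer is validated
    (digits only, bounded, consistent with the file size) before any
    allocation or write is made from it.

    The unreachable single-file prototype that followed main's first
    `return 0` (and the TEST macro that selected it) is omitted. It renamed
    the file through system() with argv[1] pasted into the command line.
*/
#include "windows.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

long g_lCheckFileNumber;   //File number checked
long g_lClearFileNumber;   //Clear number

//Offset at which the original program is expected to start.
static const long kHostOffset = 0x12605;

//Upper bound on length digits in the trailer. Nine digits keep both the
//value and the running power of ten inside a 32-bit long.
static const int kMaxLengthDigits = 9;

//Read one byte located offsetFromEnd bytes from the end (negative offset).
//Returns false when the seek or the read fails.
static bool ReadByteFromEnd(FILE *fp, long offsetFromEnd, unsigned char *out)
{
    if (fseek(fp, offsetFromEnd, SEEK_END) != 0)
        return false;
    return fread(out, 1, 1, fp) == 1;
}

//Parse the decimal length stored between the 0x02 marker and the final 0x01.
//The digits are read backwards, least significant first.
//Returns false on a non-digit byte, too many digits, no digits at all, or a
//read error, so a malformed trailer can never loop forever or overflow.
static bool ReadOriginalLength(FILE *fp, long *outLen)
{
    long value = 0;
    long scale = 1;
    int digits = 0;

    for (long off = -2; ; --off)
    {
        unsigned char b = 0;
        if (!ReadByteFromEnd(fp, off, &b))
            return false;
        if (b == 0x02)
            break;
        if (b < '0' || b > '9' || digits >= kMaxLengthDigits)
            return false;
        value += (long)(b - '0') * scale;
        scale *= 10;
        ++digits;
    }

    if (digits == 0 || value <= 0)
        return false;
    *outLen = value;
    return true;
}

//Build "dir\name" in dst. Returns false (dst untouched) when it would not fit.
static bool JoinPath(char *dst, size_t dstSize, const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    if (need > dstSize)
        return false;
    strcpy(dst, dir);
    strcat(dst, "\\");
    strcat(dst, name);
    return true;
}

//True when the name ends in "exe" or "scr" (case-insensitive).
//Names shorter than three characters are rejected instead of being indexed
//before the start of the buffer.
static bool HasTargetExtension(const char *name)
{
    size_t len = strlen(name);
    if (len < 3)
        return false;
    const char *ext = name + len - 3;
    return _stricmp(ext, "exe") == 0 || _stricmp(ext, "scr") == 0;
}

//
//Function:
//Check if exe file binded by WHBoy virus
//
//Parameter:
//    FILE *fp -- file stream to read
//
//Return:
//    true -- bind by virus
//    false-- not bind by virus (also returned on any short read)
//
//Remark:
//    Don't close fp, will be closed by the caller
bool CheckWHVirus(FILE *fp)
{
    unsigned char magic[2] = { 0, 0 };
    unsigned char last = 0;

    if (fseek(fp, kHostOffset, SEEK_SET) != 0)
    {
        printf( "Trouble opening file\n" );
        return false;
    }

    //A file shorter than the offset yields a short read: not infected.
    if (fread(magic, 1, 2, fp) != 2)
        return false;
    if (magic[0] != 'M' || magic[1] != 'Z')
        return false;

    //The infection trailer ends with 0x01.
    if (!ReadByteFromEnd(fp, -1, &last))
        return false;
    return last == 0x01;
}

//
//Function:
//    Clear virus: extract the original program and write it back under the
//    original name. The infected file is kept as a backup whose last
//    character is replaced by '1' (exe -> ex1).
//
//Parameter:
//    File *fp  -- virus exe file (always closed by this function)
//    char *    -- Origin file name
//
//Return:
//    true  -- original program restored
//    false -- trailer invalid or an I/O step failed; the infected file is
//             left (or put back) under its original name
//
//Remark:
//    The backup still contains the virus body. Delete it once the restored
//    program has been verified.
bool ClearVirus(FILE *fp, char * strOriginFileName)
{
    long lFileLen = 0;
    long lTotal = 0;
    char *strOriginFile = NULL;
    bool loaded = false;

    //The stored length must fit between the host offset and the end of file.
    if (ReadOriginalLength(fp, &lFileLen)
        && fseek(fp, 0, SEEK_END) == 0
        && (lTotal = ftell(fp)) > kHostOffset
        && lFileLen <= lTotal - kHostOffset)
    {
        printf("\r\nLen is %ld ", lFileLen);
        strOriginFile = static_cast<char *>(malloc((size_t)lFileLen));
        loaded = strOriginFile != NULL
              && fseek(fp, kHostOffset, SEEK_SET) == 0
              && fread(strOriginFile, 1, (size_t)lFileLen, fp) == (size_t)lFileLen;
    }
    fclose(fp);   //must be closed before the file can be renamed

    size_t nameLen = strlen(strOriginFileName);
    if (!loaded || nameLen == 0 || nameLen >= MAX_PATH)
    {
        printf("Can't recover %s \n", strOriginFileName);
        free(strOriginFile);
        return false;
    }

    //rename virus to backup (ex1)
    char strBackupFile[MAX_PATH];
    strcpy(strBackupFile, strOriginFileName);
    strBackupFile[nameLen - 1] = '1';

    //Without a backup nothing is overwritten.
    if (!MoveFileA(strOriginFileName, strBackupFile))
    {
        printf("Can't back up %s \n", strOriginFileName);
        free(strOriginFile);
        return false;
    }

    //output recovered program to the original name
    bool written = false;
    FILE *outfp = fopen(strOriginFileName, "wb");
    if (outfp != NULL)
    {
        written = fwrite(strOriginFile, 1, (size_t)lFileLen, outfp) == (size_t)lFileLen;
        if (fclose(outfp) != 0)
            written = false;
    }
    free(strOriginFile);

    if (!written)
    {
        //Put the untouched file back rather than leave a truncated program.
        DeleteFileA(strOriginFileName);
        MoveFileA(strBackupFile, strOriginFileName);
        printf("Can't write %s \n", strOriginFileName);
        return false;
    }
    return true;
}

//Function:
//    Visit all folders and files
//
//Parameter:
//    char *lpPath -- path of folder
//
//Return:
//    void
//
//Remark:
//    Paths that do not fit in MAX_PATH are skipped instead of overflowing
//    the stack buffers. Only "." and ".." are excluded from recursion, so
//    other dot-prefixed folders are scanned. Reparse points are not followed
//    to avoid looping through junctions.
void VisitAllFiles(char * lpPath)
{
    char szFind[MAX_PATH];
    WIN32_FIND_DATAA FindFileData;

    if (!JoinPath(szFind, sizeof(szFind), lpPath, "*.*"))
        return;

    HANDLE hFind = ::FindFirstFileA(szFind, &FindFileData);
    if (INVALID_HANDLE_VALUE == hFind)
        return;

    do
    {
        const char *name = FindFileData.cFileName;
        char szFile[MAX_PATH];

        if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            //If directory, visit all sub-folders
            if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
                continue;
            if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT)
                continue;
            if (JoinPath(szFile, sizeof(szFile), lpPath, name))
                VisitAllFiles(szFile);
            continue;
        }

        //Judge if exe file
        if (!HasTargetExtension(name))
            continue;
        if (!JoinPath(szFile, sizeof(szFile), lpPath, name))
            continue;

        g_lCheckFileNumber++;
        printf("T:%ld,Clear:%ld,check %s\r", g_lCheckFileNumber, g_lClearFileNumber, szFile);

        FILE *fp = fopen(szFile, "rb");
        if (fp == NULL)
        {
            printf("Can't open %s \n", szFile);
            continue;
        }

        if (!CheckWHVirus(fp))
        {
            fclose(fp);
            continue;
        }

        //fp closed in ClearVirus; count and report only a real recovery
        if (ClearVirus(fp, szFile))
        {
            g_lClearFileNumber++;
            printf("Virus Found! %s and cleared\r\n", szFile);
        }
    }
    while (FindNextFileA(hFind, &FindFileData));

    FindClose(hFind);
}

//main
//
//Usage: exe 0         -- scan every fixed drive from c: to z:
//       exe 1 Folder  -- scan one folder
//
//1. Visit all the folders, then get exe file
//2. Check if position 0x12605 is the MZ
//3. If so, check last byte for 0x01, walk back to 0x02, get the origin file Len
//4. Copy Len bytes from 0x12605, recover to the origin file
int main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("Usage: exe 0 / exe 1 Folder\n");
        return -1;
    }

    g_lCheckFileNumber = 0;
    g_lClearFileNumber = 0;

    if (atoi(argv[1]) == 1)
    {
        //Folder mode needs the folder argument; argv[2] is NULL without it.
        if (argc < 3)
        {
            printf("Usage: exe 0 / exe 1 Folder\n");
            return -1;
        }
        VisitAllFiles(argv[2]);
    }
    else
    {
        for (char cLabel = 'c'; cLabel <= 'z'; cLabel++)
        {
            char strRootPath[] = "c:\\";
            strRootPath[0] = cLabel;

            //Drive letters can be sparse: skip anything that is not a fixed
            //disk and keep going, so a later fixed drive is still scanned.
            if (GetDriveTypeA(strRootPath) != DRIVE_FIXED)
                continue;

            strRootPath[2] = '\0';   //"c:"
            VisitAllFiles(strRootPath);
        }
    }

    printf("\r\nFinished: checked: %ld cleard:%ld\r\n", g_lCheckFileNumber, g_lClearFileNumber);
    getchar();
    return 0;
}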
| 文章录入:IceRiver 责任编辑:IceRiver | |||||