之前分析熊猫烧香后写的简单的专杀代码
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <windows.h>
#include <Tlhelp32.h>
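// Walk the process list and terminate every process whose image name equals
// pszProcessName (compared case-insensitively, as Windows image names are).
// Returns TRUE when at least one matching process was found, whether or not
// terminating it succeeded; FALSE when none was found or the snapshot failed.
// Fixes vs. the first version: the OpenProcess() result was passed to
// TerminateProcess() unchecked, the process handle was never closed, and only
// the first matching instance was handled.
BOOL FindTargetProcess(const char *pszProcessName)
{
    BOOL bFound = FALSE;
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return bFound;
    }
    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);
    for (BOOL bMore = Process32First(hProcessSnap, &pe); bMore;
         bMore = Process32Next(hProcessSnap, &pe))
    {
        if (_stricmp(pe.szExeFile, pszProcessName) != 0)
        {
            continue;
        }
        bFound = TRUE;
        // PROCESS_TERMINATE is the only right needed; OpenProcess() returns
        // NULL (not INVALID_HANDLE_VALUE) on failure.
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID);
        if (hProcess == NULL)
        {
            printf("失败\n");
            continue;
        }
        if (TerminateProcess(hProcess, 1))
        {
            printf("成功杀死病毒进程\n");
        }
        else
        {
            printf("失败\n");
        }
        CloseHandle(hProcess);
    }
    CloseHandle(hProcessSnap);
    return bFound;
}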
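// Delete FileName, first clearing the hidden/system/read-only attributes
// (read-only alone makes DeleteFile() fail). Prints the outcome.
// Returns TRUE when the file was deleted, FALSE otherwise (including when the
// file does not exist, in which case DeleteFile() itself reports the failure).
BOOL DelFile(const char * FileName)
{
    // 去除文件的隐藏、系统以及只读属性
    DWORD dwFileAttributes = GetFileAttributes(FileName);
    // INVALID_FILE_ATTRIBUTES is all-ones; masking it and writing it back would
    // set every other attribute bit, so only adjust attributes we could read.
    if (dwFileAttributes != INVALID_FILE_ATTRIBUTES)
    {
        DWORD dwWanted = dwFileAttributes
            & ~(FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
        if (dwWanted == 0)
        {
            // SetFileAttributes() documents FILE_ATTRIBUTE_NORMAL for "no attributes".
            dwWanted = FILE_ATTRIBUTE_NORMAL;
        }
        if (dwWanted != dwFileAttributes)
        {
            SetFileAttributes(FileName, dwWanted);
        }
    }
    if (DeleteFile(FileName))
    {
        printf("成功杀死病毒文件: %s\n", FileName);
        return TRUE;
    }
    printf("失败杀死病毒文件: %s\n", FileName);
    return FALSE;
}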
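// Return true when pFileName ends with the extension ".exe".
// The comparison is case-insensitive because Windows file names are
// ("FOO.EXE" is an executable); the first version only matched lowercase.
// A NULL or too-short name yields false.
bool IsExe(const char* pFileName)
{
    static const char kExt[] = ".exe";
    const size_t extLen = sizeof kExt - 1;
    if (pFileName == NULL)
    {
        return false;
    }
    size_t len = strlen(pFileName);
    if (len < extLen)
    {
        return false;
    }
    const char* suffix = pFileName + (len - extLen);
    for (size_t i = 0; i < extLen; ++i)
    {
        // cast to unsigned char: tolower() on a negative char is undefined
        if (tolower((unsigned char)suffix[i]) != kExt[i])
        {
            return false;
        }
    }
    return true;
}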
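// Return true when pFileName ends with the extension ".html".
// Case-insensitive, matching Windows file-name semantics (the first version
// only matched lowercase). Note that ".htm" is deliberately not matched,
// exactly as before. A NULL or too-short name yields false.
bool IsHtml(const char* pFileName)
{
    static const char kExt[] = ".html";
    const size_t extLen = sizeof kExt - 1;
    if (pFileName == NULL)
    {
        return false;
    }
    size_t len = strlen(pFileName);
    if (len < extLen)
    {
        return false;
    }
    const char* suffix = pFileName + (len - extLen);
    for (size_t i = 0; i < extLen; ++i)
    {
        // cast to unsigned char: tolower() on a negative char is undefined
        if (tolower((unsigned char)suffix[i]) != kExt[i])
        {
            return false;
        }
    }
    return true;
}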
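// Rewrite the open file so that only bytes [dwHead, size - dwTail) remain,
// moved to offset 0, then truncate. Returns TRUE on success. The handle must
// have been opened with GENERIC_READ | GENERIC_WRITE; the caller closes it.
// Every API result is checked: a short read/write must not leave a
// half-rewritten executable behind looking "repaired".
static BOOL CarveFile(HANDLE hFile, DWORD dwHead, DWORD dwTail)
{
    DWORD FileSize = GetFileSize(hFile, NULL);
    // Guard the subtraction: on a file smaller than head+tail the first
    // version computed a huge DWORD length and wrote past the buffer.
    if (FileSize == INVALID_FILE_SIZE || FileSize < dwHead + dwTail)
    {
        return FALSE;
    }
    DWORD dwHostSize = FileSize - dwHead - dwTail;
    CHAR* pHostBuf = new CHAR[dwHostSize]{};
    BOOL bOk = FALSE;
    DWORD dwCount = 0;
    if (SetFilePointer(hFile, (LONG)dwHead, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER
        && ReadFile(hFile, pHostBuf, dwHostSize, &dwCount, NULL)
        && dwCount == dwHostSize
        && SetFilePointer(hFile, 0, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER
        && WriteFile(hFile, pHostBuf, dwHostSize, &dwCount, NULL)
        && dwCount == dwHostSize
        && SetEndOfFile(hFile))
    {
        bOk = TRUE;
    }
    delete[] pHostBuf;   // allocated with new[]; the first version used plain delete on one path
    return bOk;
}

// Repair an infected executable at pstrFilePath.
// Layout assumed by this file: a 0x18200-byte prepended body, then the
// original program, then a 24-byte trailer — these two constants come from
// the author's analysis and should be confirmed against the sample before
// running this on real files. Returns TRUE when the file was rewritten,
// FALSE when it could not be opened (needs exclusive write access) or is
// too small to contain that layout.
BOOL ReExe(const char* pstrFilePath)
{
    const DWORD kStubSize = 0x18200;
    const DWORD kTrailerSize = 24;
    //打开文件获取句柄
    HANDLE hFile = CreateFile(pstrFilePath,
        GENERIC_READ | GENERIC_WRITE,
        0,                      // no sharing while we rewrite it
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    BOOL bOk = CarveFile(hFile, kStubSize, kTrailerSize);
    CloseHandle(hFile);
    return bOk;
}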
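// Read the whole file at pstrFilePath into a new[]-allocated buffer.
// On success returns the buffer and stores its length in *FileSize; the
// caller owns the buffer and must release it with delete[]. On failure
// (open error, size query error, short read) prints a message where the
// first version did, returns NULL and sets *FileSize to 0.
// Note: the buffer is NOT NUL-terminated; callers must use *FileSize.
char* GetFileBuf(const char* pstrFilePath, _Out_ DWORD* FileSize)
{
    *FileSize = 0;   // _Out_ parameter: defined on every path
    //打开文件获取句柄 — read-only scan, so allow other readers
    HANDLE hFile = CreateFile(pstrFilePath,
        GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("文件打开失败\n");
        return NULL;
    }
    char* pFilebuf = NULL;
    DWORD dwSize = GetFileSize(hFile, NULL);
    if (dwSize != INVALID_FILE_SIZE)
    {
        pFilebuf = new char[dwSize]{};
        DWORD dwCount = 0;
        // A short read would leave callers scanning zero padding as if it
        // were file content, so treat it as a failure.
        if (ReadFile(hFile, pFilebuf, dwSize, &dwCount, NULL) && dwCount == dwSize)
        {
            *FileSize = dwSize;
        }
        else
        {
            delete[] pFilebuf;   // new[] pairs with delete[]
            pFilebuf = NULL;
        }
    }
    CloseHandle(hFile);
    return pFilebuf;
}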
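// Decide whether the executable at pstrFilePath carries the marker this file
// looks for: the last byte is 0x01, and the five bytes following the nearest
// preceding 0x00 are "WhBoy" (the author's description of the trailer).
// Returns false when the file cannot be read, is empty, or the marker is
// absent. Unlike the first version every pointer move is bounds-checked,
// so a file with no 0x00 byte no longer walks off the front of the buffer.
bool IsInfectedExe(char* pstrFilePath)
{
    static const char kMarker[] = "WhBoy";
    const size_t kMarkerLen = sizeof kMarker - 1;
    DWORD dwFileSize = 0;
    CHAR* pFileBuf = GetFileBuf(pstrFilePath, &dwFileSize);
    if (pFileBuf == NULL)
    {
        return false;
    }
    bool infected = false;
    if (dwFileSize > 0)
    {
        const BYTE* pBegin = (const BYTE*)pFileBuf;
        const BYTE* pEnd = pBegin + dwFileSize;   // one past the last byte
        const BYTE* p = pEnd - 1;
        //感染文件最后一个字节为01
        if (*p == 0x01)
        {
            //向前找到00的后五个字节是WhBoy
            while (p > pBegin && *p != 0x00)
            {
                --p;
            }
            if (*p == 0x00)
            {
                const BYTE* pMarker = p + 1;
                if ((size_t)(pEnd - pMarker) >= kMarkerLen
                    && memcmp(pMarker, kMarker, kMarkerLen) == 0)
                {
                    infected = true;
                }
            }
        }
    }
    delete[] pFileBuf;
    return infected;
}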
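// Decide whether the HTML file at pstrFilePath carries the marker this file
// looks for: the 31-byte URL below located 64 bytes before the end of the
// file (the author's signature; it is compared byte-for-byte, nothing else
// is inspected). Returns false when the file cannot be read or is shorter
// than 64 bytes — the first version subtracted 64 from the size unchecked.
bool IsInfectedHtml(char* pstrFilePath)
{
    static const char kSignature[] = "http://www.ac86.cn/66/index.htm";
    const DWORD kSignatureLen = (DWORD)(sizeof kSignature - 1);   // 31
    const DWORD kTailOffset = 64;
    DWORD dwFileSize = 0;
    CHAR* pFileBuf = GetFileBuf(pstrFilePath, &dwFileSize);
    if (pFileBuf == NULL)
    {
        return false;
    }
    bool infected = false;
    // kTailOffset > kSignatureLen, so the 31-byte compare stays inside the buffer
    if (dwFileSize >= kTailOffset)
    {
        const char* pAt = pFileBuf + (dwFileSize - kTailOffset);
        infected = memcmp(pAt, kSignature, kSignatureLen) == 0;
    }
    delete[] pFileBuf;
    return infected;
}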
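// Repair an infected HTML file at pstrFilePath by dropping the last 76 bytes
// (the appended length from the author's analysis — confirm against the
// sample). The first version read the whole file and wrote the same prefix
// back before truncating, which is equivalent to truncating in place, so
// this version simply moves the file pointer and calls SetEndOfFile().
// Returns true on success; false when the file cannot be opened for
// exclusive write, its size cannot be read, or it is shorter than 76 bytes
// (the first version would have underflowed the length).
bool ReHtml(const char* pstrFilePath)
{
    const DWORD kAppendedLen = 76;
    //打开文件获取句柄
    HANDLE hFile = CreateFile(pstrFilePath,
        GENERIC_READ | GENERIC_WRITE,
        0,                      // no sharing while we rewrite it
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        return false;
    }
    bool ok = false;
    DWORD FileSize = GetFileSize(hFile, NULL);
    if (FileSize != INVALID_FILE_SIZE && FileSize >= kAppendedLen)
    {
        LONG lNewEnd = (LONG)(FileSize - kAppendedLen);
        if (SetFilePointer(hFile, lNewEnd, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER
            && SetEndOfFile(hFile))
        {
            ok = true;
        }
    }
    CloseHandle(hFile);
    return ok;
}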
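// Handle one non-directory entry found by Delini():
//  - "Desktop_.ini" (case-insensitive) is deleted via DelFile(), which clears
//    hidden/system/read-only first and prints the result;
//  - *.exe / *.html are checked for the infection markers and repaired.
// szFindFile is the full path, szFileName the bare name from the find data.
static void DisinfectEntry(char* szFindFile, const char* szFileName)
{
    if (_stricmp(szFileName, "Desktop_.ini") == 0)
    {
        DelFile(szFindFile);
    }
    else if (IsExe(szFileName)) //判断是否是exe
    {
        if (IsInfectedExe(szFindFile))
        {
            printf("exe文件被感染: %s\n", szFindFile);
            if (ReExe(szFindFile))
            {
                printf("exe文件修复成功: %s\n", szFindFile);
            }
            else
            {
                printf("exe文件修复失败: %s\n", szFindFile);
            }
        }
        else
        {
            printf("exe文件没有被感染: %s\n", szFindFile);
        }
    }
    else if (IsHtml(szFileName)) //判断是否是html
    {
        if (IsInfectedHtml(szFindFile))
        {
            printf("html文件被感染: %s\n", szFindFile);
            if (ReHtml(szFindFile))
            {
                printf("html文件修复成功: %s\n", szFindFile);
            }
            else
            {
                printf("html文件修复失败: %s\n", szFindFile);
            }
        }
        else
        {
            printf("html文件没有被感染: %s\n", szFindFile);
        }
    }
}

// Recursively walk lpszPath: delete Desktop_.ini files and repair infected
// exe/html files (see DisinfectEntry). Always returns 0; the WINAPI/DWORD
// signature is kept for the existing caller.
// Paths are built with snprintf() into MAX_PATH buffers and an entry whose
// path would not fit is skipped — the first version used strcpy/strcat on a
// caller-supplied path, so a long directory tree overflowed the stack
// buffers. Reparse points (junctions, symlinks) are not descended into, so
// a looped junction cannot recurse forever.
DWORD WINAPI Delini(const char* lpszPath)
{
    if (lpszPath == NULL || lpszPath[0] == '\0')
    {
        return 0;
    }
    // 扫描路径: normalise to a trailing backslash
    char szPath[MAX_PATH];
    int len = snprintf(szPath, sizeof szPath, "%s", lpszPath);
    if (len < 0 || (size_t)len >= sizeof szPath)
    {
        printf("路径过长: %s\n", lpszPath);
        return 0;
    }
    if (szPath[len - 1] != '\\')
    {
        if ((size_t)len + 1 >= sizeof szPath)
        {
            printf("路径过长: %s\n", lpszPath);
            return 0;
        }
        szPath[len] = '\\';
        szPath[len + 1] = '\0';
    }
    char szSearch[MAX_PATH];
    int n = snprintf(szSearch, sizeof szSearch, "%s*.*", szPath);
    if (n < 0 || (size_t)n >= sizeof szSearch)
    {
        printf("路径过长: %s\n", szPath);
        return 0;
    }
    WIN32_FIND_DATA stFindFile;
    HANDLE hFindFile = FindFirstFile(szSearch, &stFindFile);
    if (hFindFile == INVALID_HANDLE_VALUE)
    {
        // nothing to close: the first version called FindClose() on this value
        return 0;
    }
    do
    {
        char szFindFile[MAX_PATH];
        n = snprintf(szFindFile, sizeof szFindFile, "%s%s", szPath, stFindFile.cFileName);
        if (n < 0 || (size_t)n >= sizeof szFindFile)
        {
            printf("路径过长: %s%s\n", szPath, stFindFile.cFileName);
            continue;   // jumps to the while condition, so enumeration goes on
        }
        if (stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            // skips "." and ".." (and any dot-prefixed directory, as before)
            if (stFindFile.cFileName[0] != '.'
                && !(stFindFile.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
            {
                Delini(szFindFile);
            }
        }
        else
        {
            DisinfectEntry(szFindFile, stFindFile.cFileName);
        }
    } while (FindNextFile(hFindFile, &stFindFile));
    FindClose(hFindFile);
    return 0;
}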
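// Clean up the registry traces this file knows about:
//  1. HKCU\...\Run value "svcshare": report when it points at the known
//     dropper path, then delete the value whenever it exists (as before).
//  2. HKLM\...\Folder\Hidden\SHOWALL "CheckedValue": set back to 1 so the
//     "show hidden files" option works again. Writing under HKLM normally
//     needs an elevated process; a failure is now reported instead of ignored.
// Fixes vs. the first version: the query buffer is NUL-terminated before
// strcmp() (REG_SZ data is not guaranteed to carry a terminator), the size
// argument is a real DWORD instead of a casted LONG, the value type is
// checked before comparing it as a string, and the HKLM key is closed.
void RecoveryReg()
{
    // 首先检查启动项
    const char RegRun[] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKeyHKCU = NULL;
    long lRet = RegOpenKeyEx(HKEY_CURRENT_USER, RegRun, 0,
                             KEY_QUERY_VALUE | KEY_SET_VALUE, &hKeyHKCU);
    if (lRet == ERROR_SUCCESS)
    {
        char cData[MAXBYTE] = { 0 };
        DWORD dwType = 0;
        DWORD dwSize = sizeof cData - 1;   // keep one byte for the terminator
        lRet = RegQueryValueEx(hKeyHKCU, "svcshare", NULL, &dwType,
                               (LPBYTE)cData, &dwSize);
        // ERROR_MORE_DATA means the value exists but is longer than our
        // buffer; it is still a value named svcshare and is removed as well.
        if (lRet == ERROR_SUCCESS || lRet == ERROR_MORE_DATA)
        {
            if (lRet == ERROR_SUCCESS)
            {
                cData[dwSize] = '\0';   // dwSize <= sizeof cData - 1
                if ((dwType == REG_SZ || dwType == REG_EXPAND_SZ)
                    && strcmp(cData, "C:\\WINDOWS\\system32\\drivers\\spo0lsv.exe") == 0)
                {
                    printf("注册表启动项中存在病毒信息\n");
                }
            }
            lRet = RegDeleteValue(hKeyHKCU, "svcshare");
            if (lRet == ERROR_SUCCESS)
            {
                printf("注册表启动项中的病毒信息已删除!\n");
            }
            else
            {
                printf("注册表启动项中的病毒信息无法删除\n");
            }
        }
        else
        {
            printf("注册表启动项中不存在病毒信息\n");
        }
        RegCloseKey(hKeyHKCU);
    }
    else
    {
        printf("注册表启动项信息读取失败\n");
    }
    // 接下来修复文件的隐藏显示,需要将CheckedValue的值设置为1
    const char RegHide[] = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
    HKEY hKeyHKLM = NULL;
    DWORD dwFlag = 1;
    long lRetHide = RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegHide, 0, KEY_SET_VALUE, &hKeyHKLM);
    if (lRetHide == ERROR_SUCCESS)
    {
        printf("检测注册表的文件隐藏选项...\r\n");
        if (ERROR_SUCCESS == RegSetValueEx(
            hKeyHKLM,               //subkey handle
            "CheckedValue",         //value name
            0,                      //must be zero
            REG_DWORD,              //value type
            (CONST BYTE*)&dwFlag,   //pointer to value data
            sizeof dwFlag))         //length of value data
        {
            printf("注册表修复完毕!\n");
        }
        else
        {
            printf("无法恢复注册表的文件隐藏选项\n");
        }
        RegCloseKey(hKeyHKLM);
    }
    else
    {
        printf("无法打开注册表的文件隐藏选项\n");
    }
}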
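// Entry point: kill the worm process, delete its dropped files, scan a
// directory tree for Desktop_.ini and infected exe/html files, and repair
// the registry. The directory to scan is read from stdin (the first version
// printed the prompt but never read the answer); an empty line keeps the
// original hard-coded default. system("pause") is replaced by getchar():
// spawning cmd.exe from a removal tool on a compromised host is not something
// to rely on, and the prompt needs no shell.
int main()
{
    const char* pScanPath = "C:\\Program Files\\ClamAV";   // default from the first version
    char szPath[MAX_PATH] = { 0 };
    printf("请输入要查杀的路径:\n");
    if (fgets(szPath, sizeof szPath, stdin) != NULL)
    {
        szPath[strcspn(szPath, "\r\n")] = '\0';   // strip the newline fgets keeps
        if (szPath[0] != '\0')
        {
            pScanPath = szPath;
        }
    }
    //首先杀死病毒进程
    if (!FindTargetProcess("spo0lsv.exe"))
    {
        printf("未发现病毒进程\n");
    }
    //删除C盘根目录下的文件
    DelFile("C:\\autorun.inf");
    DelFile("C:\\setup.exe");
    DelFile("C:\\Windows\\System32\\drivers\\spo0lsv.exe");
    //删除desktop_ini文件并修复被感染的 exe/html
    Delini(pScanPath);
    //修复注册表
    RecoveryReg();
    printf("按回车键退出\n");
    getchar();
    return 0;
}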