Article 6: Writing a Removal Tool (专杀工具) for the Panda Burning Incense Virus

Table of contents

1. Experiment environment

2. Review of virus behavior

3. Functions of the removal tool

4. Building the removal tool interface

5. Writing the removal tool program

    1. Calculate the hash value of the virus program

    2. Find the process

    3. Elevate privileges

    4. Find and delete files

    5. Writing the main program

    6. Integrate the program with MFC

    7. Experimental results

1. Experiment environment

        Operating system: Windows XP SP3

        Software: hash.exe (obtained from the 吾爱破解 forum), VC++ 6.0

        Panda Burning Incense sample: MD5: 87551E33D517442424E586D25A9F8522

                                      CRC32: 89240FCD

2. Review of virus behavior

        1. The virus runs as a process named "spoclsv.exe"; the image file of the process is "C:\WINDOWS\system32\drivers\spoclsv.exe".
        2. Uses the "net share" command from the command line to remove the shares on the system. (X)
        3. Deletes the startup entries of security software from the registry. (X)
        4. Creates a value named "svcshare" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" so that the virus at "C:\WINDOWS\system32\drivers\spoclsv.exe" is started at boot.
        5. Modifies the registry so that hidden files can no longer be shown through the normal Folder Options setting: under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL the virus sets the value CheckedValue to 0.
        6. Copies itself to the root directory of the drive as "setup.exe" and creates an "autorun.inf" that launches it. Both files are given the "hidden" attribute.
        7. Creates a hidden file named "Desktop_.ini" in some directories.
        8. Sends packets and connects to other machines on the local area network. (X)

        Behaviors 2 and 3 (marked X) are not handled: we do not know which shares exist on the user's machine, nor which antivirus software is installed, and the removal tool is meant to be general, so these two behaviors are not considered.

        Behavior 8 disappears as soon as the virus process is stopped and the virus file is deleted, so it is not handled separately either.
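Behavior 6 relies on autorun.inf to launch the dropped setup.exe, and the tool later deletes every autorun.inf it finds without looking inside it. As an added example (written for this page, not code from the original article), the following portable C parser reports which program an autorun.inf would launch, so the launcher can be logged before the file is removed. The keys it recognizes (open, shellexecute and shell\<verb>\command under [AutoRun]) are the standard autorun.inf launch keys; the sample content in main() is constructed for the demonstration and is not claimed to be the virus's actual file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LINE 256

/* Case-insensitive string helpers: autorun.inf keys and section names are
   not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int iprefix(const char *s, const char *pre)
{
    for (; *pre; s++, pre++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*pre))
            return 0;
    return 1;
}

static int isuffix(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && ieq(s + ls - lf, suf);
}

/* Strip leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s)
{
    char *e;
    while (isspace((unsigned char)*s)) s++;
    e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Keys under [AutoRun] that make Windows run a program:
   open=, shellexecute=, and shell\<verb>\command= */
static int is_launch_key(const char *key)
{
    return ieq(key, "open") || ieq(key, "shellexecute") ||
           (iprefix(key, "shell\\") && isuffix(key, "\\command"));
}

/* Scan autorun.inf text line by line and copy the first launch command
   found under [AutoRun] into out (cap bytes). Returns 1 if found, else 0. */
int autorun_launch_target(const char *text, char *out, size_t cap)
{
    char line[MAX_LINE];
    int in_autorun = 0;
    const char *p = text;

    while (*p) {
        size_t full = strcspn(p, "\r\n");               /* length of this line */
        size_t n = full < sizeof line ? full : sizeof line - 1;
        char *s, *eq, *key, *val;

        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        while (*p == '\r' || *p == '\n') p++;

        s = trim(line);
        if (*s == '\0' || *s == ';')                     /* blank line or comment */
            continue;
        if (*s == '[') {                                 /* section header */
            eq = strchr(s, ']');
            if (eq) *eq = '\0';
            in_autorun = ieq(trim(s + 1), "AutoRun");
            continue;
        }
        if (!in_autorun || (eq = strchr(s, '=')) == NULL)
            continue;
        *eq = '\0';
        key = trim(s);
        val = trim(eq + 1);
        if (is_launch_key(key) && *val) {
            snprintf(out, cap, "%s", val);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample in the style of a dropped autorun.inf (not the
       virus's real file). */
    static const char sample[] =
        "[AutoRun]\r\n"
        "OPEN=setup.exe\r\n"
        "shellexecute=setup.exe\r\n"
        "shell\\Auto\\command=setup.exe\r\n"
        "shell=Auto\r\n";
    char target[MAX_LINE];
    if (autorun_launch_target(sample, target, sizeof target))
        printf("autorun.inf launches: %s\n", target);
    else
        printf("autorun.inf launches nothing\n");
    return 0;
}
```

A removal tool can call autorun_launch_target() on the root of each drive before deleting the file, log the reported launcher next to the drive letter, and treat an autorun.inf that launches nothing (only icon= or label= keys) differently from one that starts an executable.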

3. Functions of the removal tool

        1. Check the processes in the system and terminate the virus process, then delete the file the process was started from;
        2. Check for the files created by the virus and delete them. The file attributes (hidden, system, read-only) must be cleared first, and the virus file is identified by its checksum;
        3. Repair the changes the virus made to the registry: remove the virus from the startup entries and restore the registry value that controls the display of hidden files.

4. Building the removal tool interface

        The tool is written in MFC; please refer to the relevant books for MFC details.

 1. Open VC6.0, create a new project, select "MFC AppWizard (exe)", enter the project name and click "OK";

 2. Select "Dialog based" and click "Finish" directly;

 3. After the project is created the dialog editor appears. Select the three default controls and press "Delete";

 4. Drag in the two controls (an edit box and a button) as shown in the figure below;

 5. Resize the controls appropriately, as shown in the figure below;

 6. Taking the edit box as an example, select it and right-click - Properties;

 7. On the General tab change the ID to "IDC_LIST". Strictly speaking the ID does not have to be changed, but SetDlgItemText is used later in the code, and its first parameter must match the ID of the edit box;

 8. Change the Styles tab as shown in the figure;

 9. In the same way open the properties of the button and change its caption;

 10. As in step 9, change the title of the dialog box. The final result:

5. Writing the removal tool program

1. Calculate the hash value of the virus program

        A hash value can be thought of as a fingerprint that identifies a file; commonly used algorithms are MD5, CRC32 and SHA1. Note that CRC32 is a checksum, not a cryptographic hash: it only protects against accidental corruption, and anyone can make an arbitrary file produce a chosen CRC32 by appending four bytes. Identifying a file by CRC32 is therefore enough to recognize this exact sample, but a variant that differs in a single byte will not be recognized, and an attacker can trivially forge a match. The tool uses CRC32 because it is short and easy to implement.

DWORD CRC32(BYTE* ptr,DWORD Size)
{
    DWORD crcTable[256],crcTmp1;
    // Generate the CRC-32 table dynamically (reflected polynomial 0xEDB88320)
    for (int i=0; i<256; i++)
    {
        crcTmp1 = i;
        for (int j=8; j>0; j--)
        {
            if (crcTmp1&1) crcTmp1 = (crcTmp1 >> 1) ^ 0xEDB88320L;
            else crcTmp1 >>= 1;
        }

        crcTable[i] = crcTmp1;
    }
    // Compute the CRC32 value over the buffer
    DWORD crcTmp2= 0xFFFFFFFF;
    while(Size--)
    {
        crcTmp2 = ((crcTmp2>>8) & 0x00FFFFFF) ^ crcTable[ (crcTmp2^(*ptr)) & 0xFF ];
        ptr++;
    }
    return (crcTmp2^0xFFFFFFFF);
}

        The function takes two parameters: a pointer to a buffer and the length of that buffer. The caller reads the whole file into a buffer and then passes it to CRC32 to obtain the file's CRC32. The CRC32 of the Panda Burning Incense sample you are using can be obtained with hash.exe; for the sample used here it is 89240FCD.
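The caveat about CRC32 above, as an added example written for this page in portable C rather than Win32 (it is not code from the original article): crc32() produces the same result as the article's CRC32(), and crc32_forge() appends four bytes to an arbitrary buffer so that its CRC32 equals the sample's 0x89240FCD, using the standard CRC-reversal trick (the top byte of the CRC register after each step equals the top byte of the table entry that step XORed in, and those top bytes are distinct across the 256 entries). The "benign" input in main() is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SAMPLE_CRC32 0x89240FCDu   /* CRC32 of the sample from the article */

static uint32_t crc_table[256];
static uint8_t  crc_top_inverse[256];   /* top byte of a table entry -> its index */
static int      crc_ready = 0;

/* Same reflected CRC-32 table the article's CRC32() builds, plus the
   inverse lookup used for forging. For CRC-32 the top byte of each of
   the 256 table entries is distinct, so the inverse is well defined. */
static void crc32_init(void)
{
    uint32_t i;
    if (crc_ready) return;
    for (i = 0; i < 256; i++) {
        uint32_t c = i;
        int j;
        for (j = 0; j < 8; j++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        crc_table[i] = c;
    }
    for (i = 0; i < 256; i++)
        crc_top_inverse[crc_table[i] >> 24] = (uint8_t)i;
    crc_ready = 1;
}

/* CRC register after feeding n bytes, before the final XOR. */
static uint32_t crc32_state(const uint8_t *p, size_t n)
{
    uint32_t s = 0xFFFFFFFFu;
    crc32_init();
    while (n--)
        s = (s >> 8) ^ crc_table[(s ^ *p++) & 0xFF];
    return s;
}

/* Standard CRC-32, identical in result to the article's CRC32(). */
uint32_t crc32(const uint8_t *p, size_t n)
{
    return crc32_state(p, n) ^ 0xFFFFFFFFu;
}

/* Compute four bytes such that crc32(data || patch) == target.
   Backward pass: starting from the wanted final register value, recover
   the table index each of the four steps must have used. Forward pass:
   starting from the real register state after data, pick each byte so
   that it selects exactly that index. */
void crc32_forge(const uint8_t *data, size_t n, uint32_t target, uint8_t patch[4])
{
    uint32_t want = target ^ 0xFFFFFFFFu;   /* register value we need at the end */
    uint32_t s;
    uint8_t idx[4];
    int i;

    crc32_init();
    for (i = 3; i >= 0; i--) {
        idx[i] = crc_top_inverse[want >> 24];
        want = (want ^ crc_table[idx[i]]) << 8;
    }
    s = crc32_state(data, n);
    for (i = 0; i < 4; i++) {
        patch[i] = (uint8_t)((s ^ idx[i]) & 0xFF);
        s = (s >> 8) ^ crc_table[idx[i]];
    }
}

/* Append the forged bytes to text and report whether the CRC32 now matches. */
int forge_check(const char *text, uint32_t target)
{
    uint8_t buf[256];
    size_t n = strlen(text);
    if (n + 4 > sizeof buf) return 0;
    memcpy(buf, text, n);
    crc32_forge(buf, n, target, buf + n);
    return crc32(buf, n + 4) == target;
}

int main(void)
{
    /* Constructed "benign" file content for the demonstration. */
    const char *benign = "MZ this is not the virus at all";
    printf("benign data matches the sample CRC32 after a 4-byte patch: %s\n",
           forge_check(benign, SAMPLE_CRC32) ? "yes" : "no");
    return 0;
}
```

The consequence for the tool is that a CRC32 match only confirms "this is byte-for-byte the sample I measured"; it cannot be used as evidence that a file is safe, and a repacked or slightly modified variant of the virus passes the check untouched. A cryptographic hash (SHA-1 or better, SHA-256) avoids the forgery problem but still only recognizes the exact sample.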

2. Find the process

BOOL FindTargetProcess(char *pszProcessName,DWORD *dwPid)
{
    BOOL bFind = FALSE;

    // Take a snapshot of all processes in the system
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return bFind;
    }

    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);

    // Walk the snapshot and compare each image name with the target.
    // Image names are not case-sensitive on Windows, so use lstrcmpi.
    BOOL bRet = Process32First(hProcessSnap,&pe);
    while (bRet)
    {
        if (lstrcmpi(pe.szExeFile,pszProcessName) == 0)
        {
            *dwPid = pe.th32ProcessID;
            bFind = TRUE;
            break;
        }
        bRet = Process32Next(hProcessSnap,&pe);
    }

    CloseHandle(hProcessSnap);

    return bFind;
}

        The purpose of finding the process is to obtain its PID so that the virus process can be terminated. Only the first matching process is returned; if several copies are running, only one of them is terminated per run of the tool.

3. Elevate privileges

        Purpose: enable SeDebugPrivilege in the tool's own token so that OpenProcess succeeds on processes the tool would otherwise not be allowed to open. This only works if the privilege is already present (disabled) in the token, which is the case for an administrator account; it does not grant anything to a limited user.

BOOL EnableDebugPrivilege(char *pszPrivilege)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tp;

    // Open our own access token with the rights needed to adjust privileges
    BOOL bRet = OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);
    if (bRet == FALSE)
    {
        return bRet;
    }

    // Look up the LUID of the requested privilege (e.g. SE_DEBUG_NAME)
    bRet = LookupPrivilegeValue(NULL,pszPrivilege,&luid);
    if (bRet == FALSE)
    {
        CloseHandle(hToken);
        return bRet;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    bRet = AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
    // AdjustTokenPrivileges returns TRUE even when the token does not hold
    // the privilege at all; the real outcome is reported by GetLastError()
    if (bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        bRet = FALSE;
    }

    CloseHandle(hToken);
    return bRet;
}

4. Find and delete files

#ifndef FILE_ATTRIBUTE_REPARSE_POINT
#define FILE_ATTRIBUTE_REPARSE_POINT 0x400   // missing from older VC6 headers
#endif

DWORD WINAPI FindFiles(LPVOID lpszPath)
{
    WIN32_FIND_DATA stFindFile;
    HANDLE hFindFile;
    // Path to scan
    char szPath[MAX_PATH];
    char szFindFile[MAX_PATH];
    char szSearch[MAX_PATH];
    char *szFilter;
    int len;
    int ret = 0;

    szFilter = "*.*";
    // Refuse paths that would overflow the fixed buffers below: a deeply
    // nested directory tree must not crash the removal tool
    if (lstrlen((char *)lpszPath) + lstrlen(szFilter) + 2 > MAX_PATH)
    {
        return 0;
    }
    lstrcpy(szPath, (char *)lpszPath);

    // Make sure the path ends with a backslash
    len = lstrlen(szPath);
    if(szPath[len-1] != '\\')
    {
        szPath[len] = '\\';
        szPath[len+1] = '\0';
    }

    lstrcpy(szSearch, szPath);
    lstrcat(szSearch,szFilter);

    hFindFile = FindFirstFile(szSearch, &stFindFile);
    if(hFindFile != INVALID_HANDLE_VALUE)
    {
        do
        {
            // Skip "." and "..", but not other names that merely start with a dot
            if (lstrcmp(stFindFile.cFileName, ".") == 0 || lstrcmp(stFindFile.cFileName, "..") == 0)
            {
                ret = FindNextFile(hFindFile, &stFindFile);
                continue;
            }
            // Full path of the entry; skip it if it does not fit the buffer
            if (lstrlen(szPath) + lstrlen(stFindFile.cFileName) + 1 > MAX_PATH)
            {
                ret = FindNextFile(hFindFile, &stFindFile);
                continue;
            }
            lstrcpy(szFindFile, szPath);
            lstrcat(szFindFile, stFindFile.cFileName);

            if(stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            {
                // Recurse, but do not follow reparse points (junctions), which can form loops
                if(!(stFindFile.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
                {
                    FindFiles(szFindFile);
                }
            }
            else
            {
                if(!lstrcmpi(stFindFile.cFileName,"Desktop_.ini"))
                {
                    // Clear the hidden, system and read-only attributes
                    DWORD dwFileAttributes = GetFileAttributes(szFindFile);
                    dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
                    dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
                    dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
                    SetFileAttributes(szFindFile, dwFileAttributes);
                    // Delete Desktop_.ini
                    BOOL bRet = DeleteFile(szFindFile);
                    csTxt += szFindFile;
                    if (bRet)
                    {
                        csTxt += _T(" deleted!\r\n");
                    }
                    else
                    {
                        csTxt += _T(" could not be deleted\r\n");
                    }
                }
            }
            ret = FindNextFile(hFindFile, &stFindFile);
        }while(ret != 0);

        // Only close a handle that was actually opened
        FindClose(hFindFile);
    }

    return 0;
}

        The function walks the whole tree below the given path and deletes every file named "Desktop_.ini" regardless of its content; it is the only check in the tool that identifies a file by name alone.

5. Writing the main program

(1) Outline of the main program

    1) Find the virus process with FindTargetProcess();
    2) Enable SeDebugPrivilege with EnableDebugPrivilege();
    3) Open the virus process and try to terminate it with OpenProcess() and TerminateProcess();
    4) Look for the virus files on every drive; if one is found, compare its checksum, clear its attributes and delete it;
    5) Repair the registry: delete the virus's startup entry and restore the display of hidden files.

(2) Code

    //CDialog::OnOK();
    BOOL bRet = FALSE;
    DWORD dwPid = 0;
///
//  Terminate the spoclsv.exe process and delete the virus program itself
///
    csTxt = _T("Checking system memory...\r\n");
    bRet = FindTargetProcess("spoclsv.exe", &dwPid);
    if (bRet == TRUE)
    {
        csTxt += _T("Virus process found in the system: spoclsv.exe\r\n");
        csTxt += _T("Preparing to remove it...\r\n");
        SetDlgItemText(IDC_LIST,csTxt);
        // Enable SeDebugPrivilege so that OpenProcess succeeds
        bRet = EnableDebugPrivilege(SE_DEBUG_NAME);
        if (bRet == FALSE)
        {
            csTxt += _T("Failed to enable the debug privilege\r\n");
        }
        else
        {
            csTxt += _T("Debug privilege enabled!\r\n");
        }
        SetDlgItemText(IDC_LIST,csTxt);
        // Open the virus process with only the rights needed to kill it and wait
        // for it. OpenProcess returns NULL (not INVALID_HANDLE_VALUE) on failure.
        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE,FALSE,dwPid);
        if (hProcess == NULL)
        {
            csTxt += _T("Unable to open the virus process\r\n");
            SetDlgItemText(IDC_LIST,csTxt);
            return ;
        }
        bRet = TerminateProcess(hProcess,0);
        if (bRet == FALSE)
        {
            CloseHandle(hProcess);
            csTxt += _T("Unable to terminate the virus process\r\n");
            SetDlgItemText(IDC_LIST,csTxt);
            return ;
        }
        // TerminateProcess only starts the kill; wait until the process has
        // really exited so that its image file is no longer locked when we delete it
        WaitForSingleObject(hProcess, 5000);
        CloseHandle(hProcess);
        csTxt += _T("Virus process terminated\r\n");
        SetDlgItemText(IDC_LIST,csTxt);
    }
    else
    {
        csTxt += _T("No spoclsv.exe virus process in the system\r\n");
    }

    Sleep(10);
    // Check whether the virus file spoclsv.exe exists on the disk
    char szSysPath[MAX_PATH] = { 0 };
    GetSystemDirectory(szSysPath,MAX_PATH);
    // Backslashes must be escaped in the C string literal
    lstrcat(szSysPath,"\\drivers\\spoclsv.exe");

    csTxt += _T("Checking whether spoclsv.exe exists on the hard disk...\r\n");

    if (GetFileAttributes(szSysPath) == 0xFFFFFFFF)   // INVALID_FILE_ATTRIBUTES
    {
        csTxt += _T("The virus file spoclsv.exe does not exist\r\n");
    }
    else
    {
        csTxt += _T("The virus file spoclsv.exe exists, computing its hash\r\n");

        HANDLE hFile = CreateFile(szSysPath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            AfxMessageBox("CreateFile Error");
            return ;
        }
        DWORD dwSize = GetFileSize(hFile,NULL);
        if (dwSize == 0xFFFFFFFF || dwSize == 0)   // INVALID_FILE_SIZE or empty file
        {
            AfxMessageBox("GetFileSize Error");
            CloseHandle(hFile);
            return ;
        }
        BYTE *pFile = (BYTE*)malloc(dwSize);
        if (pFile == NULL)
        {
            AfxMessageBox("malloc Error");
            CloseHandle(hFile);
            return ;
        }

        // Read the whole file; hash it only if every byte was read
        DWORD dwNum = 0;
        bRet = ReadFile(hFile,pFile,dwSize,&dwNum,NULL);
        CloseHandle(hFile);
        DWORD dwCrc32 = 0;
        if (bRet && dwNum == dwSize)
        {
            // Compute the CRC32 of spoclsv.exe
            dwCrc32 = CRC32(pFile,dwSize);
        }
        free(pFile);
        pFile = NULL;

        // 0x89240FCD is the CRC32 of the "Panda Burning Incense" sample
        if (dwCrc32 != 0x89240FCD)
        {
            csTxt += _T("spoclsv.exe checksum verification failed\r\n");
        }
        else
        {
            csTxt += _T("spoclsv.exe checksum verified, deleting...\r\n");
            // Clear the hidden, system and read-only attributes
            DWORD dwFileAttributes = GetFileAttributes(szSysPath);
            dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
            dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
            dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
            SetFileAttributes(szSysPath, dwFileAttributes);
            // Delete spoclsv.exe
            bRet = DeleteFile(szSysPath);
            if (bRet)
            {
                csTxt += _T("spoclsv.exe virus deleted!\r\n");
            }
            else
            {
                csTxt += _T("spoclsv.exe virus could not be deleted\r\n");
            }
        }
    }
    SetDlgItemText(IDC_LIST,csTxt);
    Sleep(10);
///
//  Delete setup.exe and autorun.inf in the root of every drive, and Desktop_.ini everywhere
///
    char szDriverString[MAXBYTE] = { 0 };
    char *pTmp = NULL;
    // Get the drive list as a double-NUL-terminated list of strings ("C:\", "D:\", ...)
    GetLogicalDriveStrings(MAXBYTE, szDriverString);
    // Do not let Windows pop up "insert a disk" dialogs for empty removable drives
    SetErrorMode(SEM_FAILCRITICALERRORS);

    pTmp = szDriverString;

    while( *pTmp )
    {
        char szAutorunPath[MAX_PATH] = { 0 };
        char szSetupPath[MAX_PATH] = { 0 };
        // Nothing to clean on a CD-ROM or on a drive that is not available
        UINT uType = GetDriveType(pTmp);
        if (uType == DRIVE_CDROM || uType == DRIVE_NO_ROOT_DIR)
        {
            pTmp += lstrlen(pTmp) + 1;
            continue;
        }
        lstrcat(szAutorunPath,pTmp);
        lstrcat(szAutorunPath,"autorun.inf");
        lstrcat(szSetupPath,pTmp);
        lstrcat(szSetupPath,"setup.exe");

        if (GetFileAttributes(szSetupPath) == 0xFFFFFFFF)   // INVALID_FILE_ATTRIBUTES
        {
            csTxt += pTmp;
            csTxt += _T("setup.exe virus file does not exist\r\n");
        }
        else
        {
            csTxt += pTmp;
            csTxt += _T("setup.exe exists, computing its checksum...\r\n");
            HANDLE hFile = CreateFile(szSetupPath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
            if (hFile == INVALID_HANDLE_VALUE)
            {
                AfxMessageBox("CreateFile Error");
                return ;
            }
            DWORD dwSize = GetFileSize(hFile,NULL);
            if (dwSize == 0xFFFFFFFF || dwSize == 0)   // INVALID_FILE_SIZE or empty file
            {
                AfxMessageBox("GetFileSize Error");
                CloseHandle(hFile);
                return ;
            }
            BYTE *pFile = (BYTE*)malloc(dwSize);
            if (pFile == NULL)
            {
                AfxMessageBox("malloc Error");
                CloseHandle(hFile);
                return ;
            }

            // Read the whole file; hash it only if every byte was read
            DWORD dwNum = 0;
            bRet = ReadFile(hFile,pFile,dwSize,&dwNum,NULL);
            CloseHandle(hFile);
            DWORD dwCrc32 = 0;
            if (bRet && dwNum == dwSize)
            {
                dwCrc32 = CRC32(pFile,dwSize);
            }
            free(pFile);
            pFile = NULL;
            if (dwCrc32 != 0x89240FCD)
            {
                csTxt += _T("Checksum verification failed\r\n");
            }
            else
            {
                csTxt += _T("Checksum verified, deleting...\r\n");
                // Clear the hidden, system and read-only attributes
                DWORD dwFileAttributes = GetFileAttributes(szSetupPath);
                dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
                dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
                dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
                SetFileAttributes(szSetupPath, dwFileAttributes);
                // Delete setup.exe
                bRet = DeleteFile(szSetupPath);
                if (bRet)
                {
                    csTxt += pTmp;
                    csTxt += _T("setup.exe virus deleted!\r\n");
                }
                else
                {
                    csTxt += pTmp;
                    csTxt += _T("setup.exe virus could not be deleted\r\n");
                }
            }
        }
        // Clear the hidden, system and read-only attributes of autorun.inf (if it exists)
        DWORD dwFileAttributes = GetFileAttributes(szAutorunPath);
        if (dwFileAttributes != 0xFFFFFFFF)
        {
            dwFileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
            dwFileAttributes &= ~FILE_ATTRIBUTE_SYSTEM;
            dwFileAttributes &= ~FILE_ATTRIBUTE_READONLY;
            SetFileAttributes(szAutorunPath, dwFileAttributes);
        }
        // Delete autorun.inf; note that it is deleted without checking its content
        bRet = DeleteFile(szAutorunPath);
        csTxt += pTmp;
        if (bRet)
        {
            csTxt += _T("autorun.inf deleted!\r\n");
        }
        else
        {
            csTxt += _T("autorun.inf does not exist or could not be deleted\r\n");
        }
        // Delete Desktop_.ini everywhere below this drive
        FindFiles(pTmp);
        // Move on to the next drive string; the list ends with an empty string
        pTmp += lstrlen(pTmp) + 1;
    }
    Sleep(10);
///
//  Repair the registry: delete the virus startup entry and restore the display of hidden files
///
    csTxt += _T("Checking the registry...\r\n");
    SetDlgItemText(IDC_LIST,csTxt);
    // First check the startup (Run) entries
    char RegRun[] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKeyHKCU = NULL;
    DWORD dwDataSize = MAXBYTE;
    char cData[MAXBYTE] = { 0 };

    // Open the key with exactly the rights needed: read the value and delete it
    long lRet = RegOpenKeyEx(HKEY_CURRENT_USER, RegRun, 0, KEY_QUERY_VALUE | KEY_SET_VALUE, &hKeyHKCU);
    if(lRet == ERROR_SUCCESS)
    {
        lRet = RegQueryValueEx(hKeyHKCU,"svcshare",NULL,NULL,(LPBYTE)cData,&dwDataSize);
        // ERROR_MORE_DATA still means the value exists (it is just longer than our buffer)
        if ( lRet == ERROR_SUCCESS || lRet == ERROR_MORE_DATA)
        {
            cData[MAXBYTE - 1] = '\0';
            // Compare with the real system directory instead of a hard-coded C:\WINDOWS
            if (lstrcmpi(cData,szSysPath) == 0)
            {
                csTxt += _T("The registry startup entry points at the virus file\r\n");
            }
            else
            {
                csTxt += _T("Registry startup entry svcshare found: ");
                csTxt += cData;
                csTxt += _T("\r\n");
            }

            lRet = RegDeleteValue(hKeyHKCU,"svcshare");
            if (lRet == ERROR_SUCCESS)
            {
                csTxt += _T("Virus entry removed from the registry startup entries!\r\n");
            }
            else
            {
                csTxt += _T("Unable to remove the virus entry from the registry startup entries\r\n");
            }
        }
        else
        {
            csTxt += _T("No virus entry in the registry startup entries\r\n");
        }
        RegCloseKey(hKeyHKCU);
    }
    else
    {
        csTxt += _T("Failed to read the registry startup entries\r\n");
    }
    // Next, restore the display of hidden files: CheckedValue must be set back to 1
    char RegHide[] = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL";
    HKEY hKeyHKLM = NULL;
    DWORD dwFlag = 1;

    // Writing under HKLM requires administrator rights
    long lRetHide = RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegHide, 0, KEY_SET_VALUE, &hKeyHKLM);
    if(lRetHide == ERROR_SUCCESS)
    {
        csTxt += _T("Checking the hidden-files option in the registry...\r\n");
        if( ERROR_SUCCESS == RegSetValueEx(
                hKeyHKLM,             // subkey handle
                "CheckedValue",       // value name
                0,                    // must be zero
                REG_DWORD,            // value type (also overwrites any type the virus left behind)
                (CONST BYTE*)&dwFlag, // pointer to value data
                sizeof(dwFlag)))      // length of value data
        {
            csTxt += _T("Registry repaired!\r\n");
        }
        else
        {
            csTxt += _T("Unable to restore the hidden-files option in the registry\r\n");
        }
        RegCloseKey(hKeyHKLM);
    }
    else
    {
        csTxt += _T("Unable to open the hidden-files registry key (administrator rights are required)\r\n");
    }
///
//  Removal finished
///
    csTxt += _T("Virus removal finished; please run a full scan with a proper antivirus product!\r\n");
    SetDlgItemText(IDC_LIST,csTxt);

6. Integrate the program with MFC

1. Right-click the button control, open the "Class Wizard" and add a handler for the button's click message, so that clicking the "One-click removal" button runs the removal code.

 2. Double-click the button control, add a member function, name it "OnOK" and confirm;

 3. Write the main program into the CPandakillDlg::OnOK function; write the four subroutines (CRC32, FindTargetProcess, EnableDebugPrivilege and FindFiles) outside CPandakillDlg::OnOK.

4. At the beginning of the file include the "TlHelp32.h" header (needed for CreateToolhelp32Snapshot), and declare the four sub-functions and a CString variable csTxt, as shown in the figure below; csTxt is in effect a global variable that the subroutines and the main program append their output to.

7. Experimental results

Source: blog.csdn.net/qq_55202378/article/details/127026812