w32_nimda.cpp
- // w32_nimda.cpp: implementation of the w32_nimda_a, w32_nimda_b and w32_nimda_c classes.
- //
- //////////////////////////////////////////////////////////////////////
- #include "stdafx.h"
- #include "w32_nimda.h"
- #ifdef _DEBUG
- #undef THIS_FILE
- static char THIS_FILE[]=__FILE__;
- #define new DEBUG_NEW
- #endif
- #define TEMP_FILENAME "c:\temp.exe"
- //////////////////////////////////////////////////////////////////////
- // Construction/Destruction
- //////////////////////////////////////////////////////////////////////
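/**
 * Clean a file infected with W32/Nimda.A.
 *
 * Files whose name marks them as pure virus droppers (riched*, load.exe,
 * load32.exe, *tmp.exe) are deleted outright. Any other file is treated as
 * an infected executable that carries the original program as resource
 * 0x66 of type 0x0A: that resource is written to a scratch file which then
 * overwrites the infected file.
 *
 * @param file  path of the file to clean (a narrow/MBCS build is assumed:
 *              the CString below is searched with narrow literals)
 * @return VIRUS_DELETED, VIRUS_CLEANED, VIRUS_SCANNED (no Nimda resource
 *         present, file left untouched) or VIRUS_ERR.
 */
VirusKiller::SCANRESULT w32_nimda_a::Clean(LPCTSTR file)
{
    /* extract the file name: text after the last backslash. With no
     * backslash ReverseFind() gives -1 and Mid(0) keeps the whole name;
     * forcing brk to 0 there would drop the first character. */
    CString filename(file);
    const int brk = filename.ReverseFind('\\');
    filename = filename.Mid(brk + 1);
    filename.MakeLower();

    /* pure virus droppers carry nothing worth recovering: delete them */
    if (filename.Find("riched") != -1 || filename == "load.exe" ||
        filename == "load32.exe" || filename.Find("tmp.exe") != -1)
    {
        return DeleteFile(file) ? VIRUS_DELETED : VIRUS_ERR;
    }

    HMODULE hfile = NULL;
    TCHAR temp_name[MAX_PATH] = { 0 };
    try {
        /* Map the executable for resource access only. LOAD_LIBRARY_AS_DATAFILE
         * keeps the loader from running the (infected) entry point, which a
         * plain LoadLibrary() of a suspect file would do. */
        hfile = LoadLibraryEx(file, NULL, LOAD_LIBRARY_AS_DATAFILE);
        if (!hfile)
            return VIRUS_ERR;

        /* the original, uninfected program is stored as resource 0x66 of type 0x0A */
        HRSRC src = FindResource(hfile, MAKEINTRESOURCE(0x66), MAKEINTRESOURCE(0x0A));
        if (!src) {
            FreeLibrary(hfile);            /* original leaked the module here */
            return VIRUS_SCANNED;
        }
        const DWORD original_size = SizeofResource(hfile, src);
        HGLOBAL original_res = LoadResource(hfile, src);
        /* LoadResource() yields a handle; LockResource() gives the data pointer */
        const void* original_data = original_res ? LockResource(original_res) : NULL;
        if (!original_data || original_size == 0) {
            TRACE("Cannot read original file resource from '%s'.\r\n", file);
            FreeLibrary(hfile);
            return VIRUS_ERR;
        }

        /* write the original program to a unique scratch file in the temp
         * directory rather than a fixed, predictable path another local
         * user could pre-create */
        TCHAR temp_dir[MAX_PATH];
        const DWORD dir_len = GetTempPath(MAX_PATH, temp_dir);
        if (dir_len == 0 || dir_len > MAX_PATH ||
            !GetTempFileName(temp_dir, "nmd", 0, temp_name)) {
            TRACE("Cannot create scratch file for '%s', GetLastError returned %lu.\r\n",
                  file, (unsigned long)GetLastError());
            temp_name[0] = 0;
            FreeLibrary(hfile);
            return VIRUS_ERR;
        }
        {
            /* CFile throws CFileException on any failure; the catch below
             * cleans up the scratch file and the module */
            CFile tmp(temp_name, CFile::modeCreate | CFile::modeWrite);
            tmp.Write(original_data, original_size);
            tmp.Close();
        }

        /* unmap the infected image before touching it on disk */
        if (!FreeLibrary(hfile)) {
            TRACE("Error unloading infected file '%s', GetLastError returned %lu.\r\n",
                  file, (unsigned long)GetLastError());
            hfile = NULL;
            DeleteFile(temp_name);
            return VIRUS_ERR;
        }
        hfile = NULL;

        /* overwrite the infected file with the recovered original. Copying
         * over it (instead of DeleteFile + MoveFile) leaves the infected copy
         * in place if the replacement fails, so nothing is lost silently. */
        if (!CopyFile(temp_name, file, FALSE)) {
            TRACE("Error replacing infected file '%s', GetLastError returned %lu.\r\n",
                  file, (unsigned long)GetLastError());
            DeleteFile(temp_name);
            return VIRUS_ERR;
        }
        DeleteFile(temp_name);
        return VIRUS_CLEANED;
    } catch (...) {
        TRACE("Exception happened while cleaning '%s'!\r\n", file);
        if (hfile)
            FreeLibrary(hfile);
        if (temp_name[0])
            DeleteFile(temp_name);
        return VIRUS_ERR;
    }
}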
- #ifdef _DEBUG
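/**
 * EnumResourceTypes callback (debug builds only): walks the names of one
 * resource type so a module's resources can be inspected while debugging.
 *
 * @param hModule  module being enumerated
 * @param lpszType resource type (string or MAKEINTRESOURCE id)
 * @param lParam   opaque value handed on to s_enumresourcenames
 * @return TRUE to continue the enumeration, FALSE to stop it. The contract
 *         is BOOL: returning a SCANRESULT value here (as the original did)
 *         is a type mix-up and does not reliably stop the enumeration.
 */
BOOL CALLBACK w32_nimda_a::s_enumresourcetypes(
    HMODULE hModule, // resource-module handle
    LPTSTR lpszType, // pointer to resource type
    LONG lParam      // application-defined parameter
    )
{
    /* NOTE(review): LONG lParam truncates a pointer on 64-bit builds; the
     * declaration in w32_nimda.h would need LONG_PTR to fix that. */
    if (!EnumResourceNames(hModule, lpszType, s_enumresourcenames, lParam))
        return FALSE;
    return TRUE;
}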
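/**
 * EnumResourceNames callback (debug builds only): reports the size of each
 * resource found. The original computed the size and then discarded it;
 * it is now written to the debug trace so the enumeration is useful.
 *
 * @param hModule  module being enumerated
 * @param lpszType resource type (string or MAKEINTRESOURCE id)
 * @param lpszName resource name (string or MAKEINTRESOURCE id)
 * @param lParam   unused application-defined parameter
 * @return TRUE always: this callback only inspects, it never stops the walk.
 */
BOOL CALLBACK w32_nimda_a::s_enumresourcenames(
    HMODULE hModule,  // module handle
    LPCTSTR lpszType, // pointer to resource type
    LPTSTR lpszName,  // pointer to resource name
    LONG lParam       // application-defined parameter
    )
{
    (void)lParam;
    HRSRC src = FindResource(hModule, lpszName, lpszType);
    if (src) {
        const DWORD sz = SizeofResource(hModule, src);
        /* type and name may be integer ids rather than strings, so they are
         * printed as raw pointer values, not with %s */
        TRACE("resource type %p name %p: %lu bytes\r\n",
              (void*)lpszType, (void*)lpszName, (unsigned long)sz);
    }
    return TRUE;
}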
- #endif
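/**
 * Case-insensitive substring search with strstr() semantics.
 *
 * @param string  NUL-terminated haystack
 * @param charset NUL-terminated needle
 * @return pointer into @p string at the first case-insensitive match, or
 *         NULL when there is none or either argument is NULL. An empty
 *         needle matches at @p string, as with strstr().
 */
char* stristr(LPCTSTR string, LPCTSTR charset)
{
    if (!string || !charset)
        return NULL;
    for (;; ++string) {
        size_t i = 0;
        /* tolower() is undefined for negative char values, which high-bit
         * bytes from a file produce; compare as unsigned char */
        while (charset[i] && string[i] &&
               tolower((unsigned char)string[i]) == tolower((unsigned char)charset[i]))
            ++i;
        if (charset[i] == 0)
            return const_cast<char*>(string);
        if (*string == 0)
            return NULL;
    }
}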
- #define TAIL_BYTES_TO_READ 200
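/**
 * Clean a file infected with W32/Nimda.B (the HTML/JavaScript variant).
 *
 * Nimda appends a second <html>...</html> block holding a
 * <script language="JavaScript"> ... window.open ... </script> after the
 * document's own closing </html>. The last TAIL_BYTES_TO_READ bytes are
 * searched for that pattern and, when every marker is present, the file is
 * truncated just before the appended <html>.
 *
 * @param file path of the file to clean
 * @return VIRUS_CLEANED, VIRUS_SCANNED (no virus block found, file left
 *         untouched) or VIRUS_ERR.
 */
VirusKiller::SCANRESULT w32_nimda_b::Clean(LPCTSTR file)
{
    try {
        /* the constructor throws CFileException when the file cannot be
         * opened; the destructor closes it on every return path below */
        CFile f(file, CFile::modeReadWrite);
        if (f.m_hFile == CFile::hFileNull)
            return VIRUS_ERR;

        /* position on the last TAIL_BYTES_TO_READ bytes (whole file if shorter) */
        if (f.GetLength() > TAIL_BYTES_TO_READ)
            VERIFY(f.Seek(-TAIL_BYTES_TO_READ, CFile::end));

        char buffer[TAIL_BYTES_TO_READ + 1];
        const UINT bytes_read = f.Read(buffer, TAIL_BYTES_TO_READ);
        if (bytes_read == 0)
            return VIRUS_ERR;          /* unsuccessful read */
        /* stristr() needs a terminator and CFile::Read adds none; without
         * this the original scanned past the data into uninitialised stack */
        buffer[bytes_read] = '\0';

        /* the document's own closing tag comes first ... */
        const char* first_close_html = stristr(buffer, "</html>");
        if (!first_close_html)
            return VIRUS_ERR;
        /* ... and the virus opens a second <html> after it */
        const char* virus_open_html = stristr(first_close_html, "<html>");
        if (!virus_open_html)
            return VIRUS_SCANNED;
        const char* virus_close_html = stristr(virus_open_html, "</html>");
        if (!virus_close_html)
            return VIRUS_ERR;

        /* all payload markers must lie inside the second <html> block,
         * otherwise this is not the virus code */
        static const char* const kMarkers[] = {
            "<script language=\"JavaScript\">",
            "</script>",
            "window.open"
        };
        for (size_t k = 0; k < sizeof(kMarkers) / sizeof(kMarkers[0]); ++k) {
            const char* confirm = stristr(virus_open_html, kMarkers[k]);
            if (!confirm || confirm > virus_close_html)
                return VIRUS_SCANNED;
        }

        /* the virus code is always appended, so truncating the file just
         * before the second <html> removes it */
        f.SetLength(f.GetLength() - bytes_read + (virus_open_html - buffer));
        f.Close();
        return VIRUS_CLEANED;
    } catch (...) {
        TRACE("Exception cleaning file '%s'.\r\n", file);
        return VIRUS_ERR;
    }
}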
/**
 * Clean a file infected with W32/Nimda.C. Files of this kind are pure
 * virus, so the only treatment is to delete them.
 *
 * @param file path of the file to delete
 * @return VIRUS_DELETED on success, VIRUS_ERR when DeleteFile() failed.
 */
VirusKiller::SCANRESULT w32_nimda_c::Clean(LPCTSTR file)
{
    const BOOL removed = DeleteFile(file);
    return removed ? VIRUS_DELETED : VIRUS_ERR;
}