熊猫烧香专杀工具源代码 解除被感染的exe文件
来源:T4nk
/*
熊猫烧香专杀,解除被感染的exe文件
BY: ww0830
Create: 2007-1-7
*/
#include "windows.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define TEST
// Scan counters, updated by VisitAllFiles() and printed by main().
// File-scope objects are zero-initialized anyway; the explicit "= 0"
// only makes the starting value visible to the reader.
long g_lCheckFileNumber = 0; // number of .exe/.scr files examined so far
long g_lClearFileNumber = 0; // number of those found infected and restored
//
//Function:
//Check if exe file binded by WHBoy virus
//
//Parameter:
// FILE *fp -- file stream to read
//
//Return:
// true -- bind by viruse
// false-- not bind by viruse
//
//Remark:
// Don't close fp, will be closed by main
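//
//Function:
//Check if exe file binded by WHBoy virus
//
//Parameter:
// FILE *fp -- file stream to read, opened in binary mode
//
//Return:
// true -- both signature checks match (bind by viruse)
// false-- not bind by viruse, or the file is too short / unreadable
//
//Remark:
// Don't close fp, will be closed by main.
// The stream position is left wherever the last read put it; ClearVirus
// re-seeks before it reads, so this is harmless.
// Every fread() result is checked: on a file shorter than the signature
// offset the old code compared bytes of an uninitialized buffer.
bool CheckWHVirus(FILE *fp)
{
    //The original program is stored behind the viral body, which is
    //0x12605 bytes long, so the host's "MZ" header must sit at that offset
    //(see the recovery steps listed in main). fseek(SEEK_SET) replaces the
    //non-portable "fpos_t pos = 0x12605" -- fpos_t is opaque by the standard.
    const long lHostOffset = 0x12605;
    if (fseek(fp, lHostOffset, SEEK_SET) != 0)
    {
        printf("Trouble seeking in file\n");
        return false;
    }
    //Read 2byte from the host offset
    unsigned char buffer[2];
    if (fread(buffer, sizeof(buffer[0]), 2, fp) != 2)
    {
        return false; //file too short to carry a host program
    }
    if (buffer[0] != 'M' || buffer[1] != 'Z')
    {
        return false;
    }
    //Second marker: an infected file ends with a 0x01 byte (read reverse)
    if (fseek(fp, -1L, SEEK_END) != 0)
    {
        return false;
    }
    if (fread(buffer, sizeof(buffer[0]), 1, fp) != 1)
    {
        return false;
    }
    return buffer[0] == 0x01;
}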
//
//Function:
// Clear virus
//
//Parameter:
// File *fp -- virus exe file
// char * -- Origin file name
//
//Return:
// void
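//
//Function:
// Clear virus: recover the original program that the virus stored behind
// its own body and write it back under the original name. The infected
// file is kept as a backup whose last extension character is replaced by
// '1' (foo.exe -> foo.ex1, foo.scr -> foo.sc1).
//
//Parameter:
// File *fp -- virus exe file, opened "rb"; always closed by this function
// char * -- Origin file name (path of the infected file)
//
//Return:
// void. Every failure is reported with printf and leaves the infected
// file untouched (no backup, no rewrite), so a bad trailer or an I/O
// error can never destroy data.
//
//Remark:
// Layout this code relies on (see CheckWHVirus and the steps in main):
//   [viral body, 0x12605 bytes][original program, N bytes] ...
//   ... [0x02][ASCII decimal digits of N, most significant first][0x01]
// N is parsed by walking backwards from the end of the file. The old loop
// checked neither fseek nor fread, so a file without the 0x02 marker made
// it spin forever on a stale byte, and a bogus N was passed straight to
// new[] and fread.
void ClearVirus(FILE *fp, char * strOriginFileName)
{
    const long lHostOffset = 0x12605; //where the original program starts
    const int nMaxLenDigits = 9;      //999,999,999 fits in a 32-bit long
    long lFileLen = 0;
    long lExp = 1;
    long repos = -1;                  //offset -1 is the 0x01 marker itself
    int nDigits = 0;
    unsigned char byte = 0;
    //To 0x02: walk back one byte at a time, accumulating decimal digits
    while (1)
    {
        repos--;
        if (fseek(fp, repos, SEEK_END) != 0
            || fread(&byte, sizeof(byte), 1, fp) != 1)
        {
            printf("\r\nNo length marker found in %s, skipped\n", strOriginFileName);
            fclose(fp);
            return;
        }
        if (byte == 0x02)
        {
            break;
        }
        //0x02 38 37 -- digits are ASCII; anything else means a corrupt trailer
        if (byte < '0' || byte > '9' || nDigits >= nMaxLenDigits)
        {
            printf("\r\nInvalid length field in %s, skipped\n", strOriginFileName);
            fclose(fp);
            return;
        }
        lFileLen = (byte - '0') * lExp + lFileLen;
        lExp *= 10;
        nDigits++;
    }
    printf("\r\nLen is %ld ", lFileLen);
    //The original program must lie between the viral body and the trailer
    //(which begins at file offset lTotal + repos); otherwise the length
    //field is bogus and must not drive the allocation or the read below.
    if (fseek(fp, 0, SEEK_END) != 0)
    {
        printf("\r\nCan't determine size of %s, skipped\n", strOriginFileName);
        fclose(fp);
        return;
    }
    long lTotal = ftell(fp);
    if (lTotal < 0 || lFileLen <= 0 || lFileLen > lTotal + repos - lHostOffset)
    {
        printf("\r\nLength %ld does not fit in %s, skipped\n", lFileLen, strOriginFileName);
        fclose(fp);
        return;
    }
    //new len char: read the original program into memory
    char *strOriginFile = new char[lFileLen];
    if (fseek(fp, lHostOffset, SEEK_SET) != 0
        || fread(strOriginFile, sizeof(char), lFileLen, fp) != (size_t)lFileLen)
    {
        printf("\r\nCan't read original program from %s, skipped\n", strOriginFileName);
        delete []strOriginFile;
        fclose(fp);
        return;
    }
    fclose(fp);
    //rename virus to exe.ex1: the backup name is exactly as long as the
    //original, so it is sized from the name instead of a fixed MAX_PATH.
    size_t nNameLen = strlen(strOriginFileName);
    if (nNameLen == 0)
    {
        printf("\r\nEmpty file name, skipped\n");
        delete []strOriginFile;
        return;
    }
    char *strBackupFile = new char[nNameLen + 1];
    memcpy(strBackupFile, strOriginFileName, nNameLen + 1);
    strBackupFile[nNameLen - 1] = '1'; //ex1
    //rename() is the standard-library counterpart of the Win32 MoveFile()
    //used before. Without a backup the infected file is left as it is.
    if (rename(strOriginFileName, strBackupFile) != 0)
    {
        printf("\r\nCan't back up %s to %s, skipped\n", strOriginFileName, strBackupFile);
        delete []strBackupFile;
        delete []strOriginFile;
        return;
    }
    //cout to file: write the recovered program under the original name
    FILE *outfp = fopen(strOriginFileName, "wb");
    if (outfp == NULL)
    {
        printf("\r\nCan't create %s (infected copy kept as %s)\n", strOriginFileName, strBackupFile);
        delete []strBackupFile;
        delete []strOriginFile;
        return;
    }
    //ouput to exe -- a short write or a failed flush is reported, the
    //backup stays so the user can retry
    size_t nWritten = fwrite(strOriginFile, sizeof(char), lFileLen, outfp);
    int nCloseErr = fclose(outfp);
    if (nWritten != (size_t)lFileLen || nCloseErr != 0)
    {
        printf("\r\nWrite error on %s (infected copy kept as %s)\n", strOriginFileName, strBackupFile);
    }
    delete []strBackupFile;
    delete []strOriginFile;
}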
//Function:
// Visit all folders and files
//
//Paremeter:
// char *lpPath -- path of file
//
//Return:
// void
//
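//Function:
// Visit all folders and files below lpPath (recursively); every *.exe and
// *.scr file is opened, checked with CheckWHVirus and, if infected,
// restored with ClearVirus. Progress is counted in g_lCheckFileNumber /
// g_lClearFileNumber.
//
//Paremeter:
// char *lpPath -- directory to scan, without a trailing backslash
//
//Return:
// void
//
//Remark:
// All path building goes through snprintf with the buffer size: the old
// strcpy/strcat pairs overflowed the MAX_PATH buffers on deep trees.
// Only "." and ".." are skipped; the old test skipped every directory
// whose name begins with '.', so files inside such folders were never
// scanned. The extension test now also requires the '.' before "exe"/"scr"
// and guards names shorter than 4 characters (len-3 went out of bounds).
//
void VisitAllFiles(char * lpPath)
{
    char szFind[MAX_PATH];
    int nLen = snprintf(szFind, sizeof(szFind), "%s\\*.*", lpPath);
    if (nLen < 0 || (size_t)nLen >= sizeof(szFind))
    {
        printf("\r\nPath too long, skipped: %s\n", lpPath);
        return;
    }
    WIN32_FIND_DATA FindFileData;
    HANDLE hFind = ::FindFirstFile(szFind, &FindFileData);
    if (INVALID_HANDLE_VALUE == hFind)
        return;
    do
    {
        //Full path of the current entry, used by both branches below
        char szFile[MAX_PATH];
        nLen = snprintf(szFile, sizeof(szFile), "%s\\%s", lpPath, FindFileData.cFileName);
        if (nLen < 0 || (size_t)nLen >= sizeof(szFile))
        {
            printf("\r\nPath too long, skipped: %s\\%s\n", lpPath, FindFileData.cFileName);
            continue; //on to FindNextFile
        }
        if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            //If director, visit all sub-folders (except the self/parent links)
            if (strcmp(FindFileData.cFileName, ".") != 0
                && strcmp(FindFileData.cFileName, "..") != 0)
            {
                VisitAllFiles(szFile);
            }
        }
        else
        {
            //Judge if exe file: need at least "x.exe" so that len-4 is the dot
            size_t len = strlen(FindFileData.cFileName);
            bool bCandidate = false;
            if (len >= 4 && FindFileData.cFileName[len - 4] == '.')
            {
                const char *p = &FindFileData.cFileName[len - 3];
                bCandidate = (_stricmp(p, "exe") == 0) //case insentive!
                    || (_stricmp(p, "scr") == 0);
            }
            if (bCandidate)
            {
                g_lCheckFileNumber++;
                //if exe file, check it
                printf("T:%ld,Clear:%ld,check %s\r",
                    g_lCheckFileNumber, g_lClearFileNumber, szFile);
                FILE *fp = fopen(szFile, "rb");
                if (fp == NULL)
                {
                    printf("Can't open %s \n", szFile);
                }
                else if (CheckWHVirus(fp))
                {
                    g_lClearFileNumber++;
                    ClearVirus(fp, szFile); //fp closed in the function
                    printf("Virus Found! %s and cleared\r\n", szFile);
                }
                else
                {
                    fclose(fp);
                }
            }
        }
        //Find next file
    } while (FindNextFile(hFind, &FindFileData));
    FindClose(hFind);
}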
//main
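//main
//
//Usage:
// exe 0          -- scan every fixed drive
// exe 1 Folder   -- scan one directory tree
//
//Return:
// 0 on completion, -1 on a usage error.
//
//Remark:
// The "#ifdef TEST" single-file path that used to follow "return 0" was
// unreachable, duplicated CheckWHVirus/ClearVirus, and built a shell
// command from argv[1] for system(); it has been removed. Mode 1 now
// checks that argv[2] exists (it was dereferenced unconditionally), and
// a drive letter that is not a fixed disk is skipped instead of ending
// the scan.
int main(int argc, char *argv[])
{
    //1. Visit all the folders, then get exe file
    //2. Check if position 0x12605 is the "MZ" header of the original program
    //3. If so , check last bit to 0x02, get the origin file Len
    //4. Copy from 0x12605 to Len, recover to the origin file
    if (argc < 2)
    {
        printf("Usage: exe 0 / exe 1 Folder\n");
        return -1;
    }
    g_lCheckFileNumber = 0;
    g_lClearFileNumber = 0;
    if (atoi(argv[1]) == 1)
    {
        if (argc < 3)
        {
            //argv[2] is NULL here; the old code passed it to VisitAllFiles
            printf("Usage: exe 0 / exe 1 Folder\n");
            return -1;
        }
        VisitAllFiles(argv[2]);
    }
    else
    {
        for (char cLabel = 'c'; cLabel <= 'z'; cLabel++)
        {
            char strRootPath[] = "c:\\";
            strRootPath[0] = cLabel;
            //Only fixed disks are scanned. Every other drive type (CD-ROM,
            //removable, network, unassigned letter) is skipped; the old
            //"else break" ended the whole scan at the first such gap, so
            //fixed disks after it were never visited.
            if (GetDriveType(strRootPath) != DRIVE_FIXED)
            {
                continue;
            }
            strRootPath[2] = '\0'; //"c:" -- VisitAllFiles appends the "\"
            VisitAllFiles(strRootPath);
        }
    }
    //%ld: both counters are long
    printf("\r\nFinished: checked: %ld cleard:%ld\r\n", g_lCheckFileNumber, g_lClearFileNumber);
    getchar();
    return 0;
}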