
杀毒程序源码/杀毒源码/杀毒程序

杀毒程序源码/杀毒源码/杀毒程序

/* ****************************************************************************
*      SKILL.c - Special virus' killer (06)                                    *
*      Copyright (c) 1994-1995-2001 by saming. All rights reserved.            *
* This freesoft can be extended through the way which the thesis introduced. *
* ****************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dos.h>
#include <dir.h>
#include <io.h>
#include <fcntl.h>
typedef unsigned char byte;
typedef unsigned int   word;
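/*
 * Entry point: print the banner, then scan and disinfect the directory tree
 * named by the single command-line argument.
 *
 * Returns 1 when the argument count is wrong and 0 after a scan, so a batch
 * file can test ERRORLEVEL instead of receiving an undefined exit status.
 */
int main(int argc,char *argv[])
{
    printf("\nSKILL.EXE - Special Virus' Killer, Now it can scan and clean: \n");
    printf("             1465; 1990; 3101; 2000; 0627; 1099; * * * \n");
    printf("(C)Copyright by saming. 1994-1995-2001, ALL Rights Reserved.\n");
    printf("This freesoft can be extended through the way which the thesis introduced.\n");

    if(argc!=2){
        printf("\n       Usage:   SKill [PathName]\n\007");
        Hauthor_info();
        return 1;
    }

    /* argv[1] is handed on unmodified; its length is not checked here. */
    cur_dir(argv[1]);
    author_info();
    return 0;
}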
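/*
 * Scan one directory: run clean() on every file found in `pathname`, then
 * recurse into each of its subdirectories.
 *
 * Paths are assembled in fixed 256-byte stack buffers.  Every concatenation is
 * length-checked first, and an entry whose full path would not fit is reported
 * and skipped rather than written past the end of the buffer.  Only two
 * buffers are kept per recursion level to limit stack use on deep trees.
 *
 * Returns 0 when the directory was walked, -1 when `pathname` is too long to
 * build a search pattern from.
 */
int cur_dir(char *pathname)
{
    char pattern[256], child[256];
    struct ffblk f;
    int nomatch;
    unsigned plen;

    printf("\n____________________________");
    printf("\nPath=%s",pathname);

    plen = strlen(pathname);
    if (plen + 4 >= sizeof pattern) {          /* need room for "\*.*" and the NUL */
        printf("\n    Path too long - skipped!");
        return -1;
    }
    strcpy(pattern,pathname);
    strcat(pattern,"\\*.*");

    /* Pass 1: files.  0x26 = FA_HIDDEN | FA_SYSTEM | FA_ARCH. */
    nomatch=findfirst(pattern,&f,0x26);
    while(!nomatch){
        printf("\n    %s ",f.ff_name);
        if (plen + 1 + strlen(f.ff_name) < sizeof child) {
            strcpy(child,pathname);
            strcat(child,"\\");
            strcat(child,f.ff_name);
            clean(child);                      /* detect and remove file viruses */
        }
        else
            printf("Path too long - skipped!");
        nomatch=findnext(&f);
    }

    /* Pass 2: subdirectories.  0x16 = FA_HIDDEN | FA_SYSTEM | FA_DIREC. */
    nomatch=findfirst(pattern,&f,0x16);
    while(!nomatch){
        if((f.ff_attrib&FA_DIREC)&&stricmp(f.ff_name,".")
           &&stricmp(f.ff_name,"..")){
            if (plen + 1 + strlen(f.ff_name) < sizeof child) {
                strcpy(child,pathname);
                strcat(child,"\\");
                strcat(child,f.ff_name);
                cur_dir(child);                /* recurse into the subdirectory */
            }
            else
                printf("\n    %s Path too long - skipped!",f.ff_name);
        }
        nomatch=findnext(&f);
    }
    return 0;
}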
/* Print the contact details that accompany the usage message. */
Hauthor_info()
{
    static char *lines[] = {
        "\n\nIf your machine would be infected by some viruses,\n",
        "you might contact with us: \n",
        "       Addr    : No.356 Youyi west road, Xi'an, China \n",
        "       ZipCode: 710068 \n",
        "       Tel.    : (029)8484230 - 19, 20 \n",
        "       Email   : help@saming.com \n",
        "       Http    : http://www.saming.com/ \n"
    };
    unsigned n;

    /* The lines contain no '%', so "%s" output equals the original printf calls. */
    for (n = 0; n < sizeof lines / sizeof lines[0]; n++)
        printf("%s", lines[n]);
}
/* Print the closing banner and contact details shown after a scan. */
author_info()
{
    static char *lines[] = {
        "\n____________________________\n",
        " \nThank you for using Special Virus' KILLer - SKILL.EXE Version 1.0\n",
        "If your machine would be infected by some viruses,\n",
        "you might contact with us: \n",
        "       Addr    : No.356 Youyi west road, Xi'an, China \n",
        "       ZipCode: 710068 \n",
        "       Tel.    : (029)8484230 - 19, 20 \n",
        "       Email   : help@saming.com \n",
        "       Http    : http://www.saming.com/ \n"
    };
    unsigned n;

    /* The lines contain no '%', so "%s" output equals the original printf calls. */
    for (n = 0; n < sizeof lines / sizeof lines[0]; n++)
        printf("%s", lines[n]);
}
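/*
 * Run all six detectors over one file and let each repair it in place, then
 * put back the file's attributes and timestamp.
 *
 * A file that cannot be opened read/write is reported as not scanned.  The
 * posted code printed " NoVirus!" for it, which told the user an uninspected
 * file was clean, and then went on to call setftime/_chmod/close with an
 * invalid handle and uninitialised values.
 * NOTE(review): a read-only file probably fails this open and is therefore
 * never inspected - confirm and decide whether the attribute should be
 * cleared first.
 *
 * Returns 0 when the file was scanned, -1 when it could not be opened.
 */
int clean(char *fnx)
{
    int k,fp;
    int NoVirus=0;           /* number of detectors that reported "not cleaned" */
    struct ftime ft;

    if((fp=open(fnx,O_RDWR|O_BINARY))==-1){
        printf(" Can't open - not scanned!");
        return -1;
    }

    k=_chmod(fnx,0);
    getftime(fp,&ft);        /* save the file attributes, date and time */

    if(kv1465(fp)==-1)   NoVirus+=1;         /* 1465 --> Dabi/Taiwan */
       else printf("...Cleaned!");          /*     |___> LittleRed    */
    if(kv1990(fp)==-1)   NoVirus+=1;         /* 1990 --> N64          */
       else printf("...Cleaned!");
    if(kv3101(fp)==-1)   NoVirus+=1;         /* 3101 --> NewCentury   */
       else printf("...Cleaned!");
    if(kv2000(fp)==-1)   NoVirus+=1;         /* 2000 --> Wangnengyan */
       else printf("...Cleaned!");
    if(kv0627(fp)==-1)   NoVirus+=1;         /* 0627 --> Yf           */
       else printf("...Cleaned!");
    if(kv1099(fp)==-1)   NoVirus+=1;         /* 1099 --> Da01         */
       else printf("...Cleaned!");          /*     |___> FormatDisk   */

    /* A detector also returns -1 when it found something it could not
       repair, so this line can follow a "Found ..." message. */
    if(NoVirus==6)   printf(" No virus!");

    setftime(fp,&ft);
    if(k!=-1)
        _chmod(fnx,1,k);     /* restore the attributes only if they were read */
    close(fp);
    return 0;
}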
/* **********************************************************************
*   Search & Clean 1465/Dabi/Taiwan/LittleRed virus (EXE+COM) --- NO.001
* ********************************************************************** */
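/*
 * Detect the "1465" infection in the open file `fp` and repair the file in
 * place.
 *
 * EXE files ("MZ") are suspected when header word 0x10 minus header word 0x14
 * equals 0x693; COM files when they start with 0xE9 and the word at offset 1,
 * rotated right by one bit, equals the word at offset 3 (assumes a 16-bit
 * unsigned int).  The suspicion is confirmed by finding the 16-byte signature
 * `ss` in the last 0x200 bytes of the file.
 *
 * The posted listing had lost its `[i]` subscripts (the forum consumed them as
 * italic markup); they are restored here.  Every read, seek and header write
 * is now checked, so a short or unreadable file is never truncated from
 * uninitialised buffer contents.
 *
 * Returns 0 when the header was rewritten and the file truncated, -1 when the
 * file is not infected, the signature was not confirmed, or an I/O step failed.
 */
int kv1465(int fp)
{
    byte buf[256],msg[0x200];
    byte ss[16]={0xb4,0x40,0xeb,0xae,0x90,0x90,0x90,0x90,
                 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xe9};
    word i,j,k;
    int s;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,0x20)!=0x20)
        return -1;                       /* too short to hold the inspected header */

    if((buf[0]==0x4d)&&(buf[1]==0x5a)){  /* "MZ": EXE file */
        i=buf[0x10]+buf[0x11]*0x100;
        j=buf[0x14]+buf[0x15]*0x100;
        if((i-j)!=(word)(0x693))
            return -1;
        printf(" Found V1465!");
        s=-1;
        if(lseek(fp,-0x200,2)!=-1L&&read(fp,msg,0x200)==0x200)
            s=search(msg,ss,33);
        if(s==-1){
            printf("\007...Mislead...!");
            return -1;                   /* signature not confirmed */
        }
        t1465(msg,0xa);
        for(i=0;i<0xa;i++)   buf[0xe+i]=msg[i];   /* header bytes 0x0e..0x17 */
        k=buf[8]+buf[9]*0x100;                     /* header size in paragraphs */
        pos=lseek(fp,-0x200+s+0x95-0x5b9,2);
        if(pos==-1L){
            printf("\007...Mislead...!");
            return -1;                   /* computed length lies before the file start */
        }
        fsize=pos-k*0x10;
        j=(fsize+k*0x10)/0x200+1;
        i=fsize%0x200;
        buf[2]=i%0x100; buf[3]=i/0x100;
        buf[4]=j%0x100; buf[5]=j/0x100;
        lseek(fp,0,0);
        if(write(fp,buf,0x20)!=0x20){
            printf("\007...Write failed!");
            return -1;                   /* do not truncate a file whose header was not repaired */
        }
        fsize+=k*0x10;
        chsize(fp,fsize);
        return 0;
    }

    if(buf[0]!=0xe9)                     /* COM candidates start with a near JMP */
        return -1;
    i=buf[1]+buf[2]*0x100;
    j=buf[3]+buf[4]*0x100;
    i=i>>1|i<<15;
    if(i!=j)
        return -1;
    printf(" Found V1465!");
    s=-1;
    if(lseek(fp,-0x200,2)!=-1L&&read(fp,msg,0x200)==0x200)
        s=search(msg,ss,33);
    if(s==-1){
        printf("\007...Mislead...!");
        return -1;
    }
    t1465(msg,0x5);
    pos=lseek(fp,-0x200+s+0x95-0x5b9,2);
    if(pos==-1L){
        printf("\007...Mislead...!");
        return -1;
    }
    fsize=pos;
    for(i=0;i<5;i++)   buf[i]=msg[i];    /* first five bytes of the file */
    lseek(fp,0,0);
    if(write(fp,buf,0x20)!=0x20){
        printf("\007...Write failed!");
        return -1;
    }
    chsize(fp,fsize);
    return 0;
}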
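/*
 * Decode the first `cl` bytes of `msg` in place: byte i is XORed with
 * (cl - i), so the key counts down from cl to 1.
 *
 * The posted listing read `msg^=cl-i`; the `[i]` subscript had been consumed
 * by the forum as italic markup and is restored here.  Always returns 0.
 */
int t1465(byte *msg,byte cl)
{
    byte i;

    for(i=0;i<cl;i++)
        msg[i]^=cl-i;
    return 0;
}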
/* **********************************************************
*     Search and Clean 1990/N64 virus (EXE+COM) --- NO.002
* ********************************************************** */
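/*
 * Detect the "1990" infection in the open file `fp` and repair the file in
 * place.
 *
 * EXE files ("MZ"): the signature `ss` is searched for in 0x200 bytes read
 * from 1400 bytes before the end of the file; header bytes 0x0e..0x17 are
 * rebuilt from the bytes that search() copies to the start of `msg`.
 * COM files: recognised by the first six bytes B4 DF CD 21 80 FC; the part of
 * the file from offset 1824 on is moved to offset 0 and the file is shortened.
 *
 * Compared with the posted code, every read/seek/write is checked, the COM
 * length is validated before it is used as an allocation and transfer size,
 * and the malloc() result is tested before it is written through.
 *
 * Returns 0 when the file was repaired, -1 when it is not infected, the
 * signature was not confirmed, or a step failed.
 */
int kv1990(int fp)
{
    byte buf[256],msg[0x200];
    byte ss[16]={0x8b,0x26,0x89,0x02,0xfb,0x06,0x1f,0x33,
                 0xc0,0x2e,0xff,0x2e,0x85,0x02,0x94,0xdc};
    word i,j,k;
    int s;
    byte *mk;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,0x20)!=0x20)
        return -1;                       /* too short to hold the inspected header */

    if((buf[0]==0x4d)&&(buf[1]==0x5a)){  /* "MZ": EXE file */
        if(lseek(fp,-1400,2)==-1L||read(fp,msg,0x200)!=0x200)
            return -1;
        s=search(msg,ss,69);
        if(s==-1)
            return -1;                   /* no V1990 signature in this EXE */
        printf(" Found V1990!");
        buf[0xe]=msg[6]^0x13;
        buf[0xf]=msg[7];
        buf[0x10]=msg[4]^0x13;
        buf[0x11]=msg[5];
        buf[0x14]=msg[0]^0x13;
        buf[0x15]=msg[1];
        buf[0x16]=msg[2]^0x13;
        buf[0x17]=msg[3];
        buf[0x12]=buf[0x13]=0;
        k=buf[8]+buf[9]*0x100;           /* header size in paragraphs */
        pos=lseek(fp,-1400+s-576-5,2);
        if(pos==-1L){
            printf("\007...Mislead...!");
            return -1;                   /* computed length lies before the file start */
        }
        fsize=pos-k*0x10;
        j=(fsize+k*0x10)/0x200+1;
        i=fsize%0x200;
        buf[2]=i%0x100;
        buf[3]=i/0x100;
        buf[4]=j%0x100;
        buf[5]=j/0x100;
        lseek(fp,0,0);
        if(write(fp,buf,0x20)!=0x20){
            printf("\007...Write failed!");
            return -1;                   /* do not truncate a file whose header was not repaired */
        }
        fsize=fsize+k*0x10-64;
        chsize(fp,fsize);
        return 0;
    }

    if((buf[0]==0xb4)&&(buf[1]==0xdf)&&(buf[2]==0xcd)&&
       (buf[3]==0x21)&&(buf[4]==0x80)&&(buf[5]==0xfc)){
        printf(" Found V1990!");
        s=-1;
        if(lseek(fp,500,0)!=-1L&&read(fp,msg,0x200)==0x200)
            s=search(msg,ss,295);
        if(s==-1){
            printf("\007...Mislead...!");
            return -1;                   /* signature not confirmed */
        }
        pos=lseek(fp,0,2);
        /* The remaining length must be positive and small enough for one
           read()/write() call, whose count is an unsigned int. */
        if(pos<=1831L||pos-1831L>0xFFFEL){
            printf("\007...Not cleaned!");
            return -1;
        }
        fsize=pos-1831;
        mk=(byte *)malloc((unsigned)fsize);
        if(!mk){
            printf("\007...Not cleaned!");
            return -1;                   /* out of memory: leave the file untouched */
        }
        lseek(fp,1536+288,0);
        if((unsigned)read(fp,mk,(unsigned)fsize)!=(unsigned)fsize){
            free(mk);
            printf("\007...Not cleaned!");
            return -1;
        }
        lseek(fp,0,0);
        if((unsigned)write(fp,mk,(unsigned)fsize)!=(unsigned)fsize){
            free(mk);
            printf("\007...Write failed!");
            return -1;                   /* file may be partly rewritten; do not truncate it */
        }
        free(mk);
        chsize(fp,fsize);
        return 0;
    }
    return -1;
}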
/* ***************************************************************
*    Search and Clean 3101/NewCentury virus (EXE+COM) --- NO.003
* *************************************************************** */
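/*
 * Detect the "3101" infection in the open file `fp` and repair the file in
 * place.
 *
 * EXE files ("MZ") are suspected when header word 0x10 minus header word 0x14
 * equals 0xc00; COM files when byte 0 is 0xE9 and bytes 3..4 are 0x64 0x54.
 * The suspicion is confirmed by finding the signature `ss` in 0x200 bytes
 * read from 3201 bytes before the end of the file.
 *
 * The posted listing had lost its `[i]` subscripts (the forum consumed them as
 * italic markup); they are restored here.  search() is called with a negative
 * `place`, so any negative result is treated as "not confirmed", and every
 * read/seek/write is checked before the file is truncated.
 *
 * Returns 0 when the file was repaired, -1 otherwise.
 */
int kv3101(int fp)
{
    byte buf[256],msg[0x200];
    byte ss[16]={0xcf,0xb4,0x2f,0xcd,0x21,0x06,0x53,0x5a,
                 0x1f,0x83,0xc2,0x1e,0xe8,0xa1,0x04,0xc3};
    word i,j,k;
    int s;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,0x20)!=0x20)
        return -1;                       /* too short to hold the inspected header */

    if((buf[0]==0x4d)&&(buf[1]==0x5a)){  /* "MZ": EXE file */
        i=buf[0x10]+buf[0x11]*0x100;
        j=buf[0x14]+buf[0x15]*0x100;
        if((i-j)!=(word)(0xc00))
            return -1;
        printf(" Found V3101!");
        s=-1;
        if(lseek(fp,-3201,SEEK_END)!=-1L&&read(fp,msg,0x200)==0x200)
            s=search(msg,ss,-0x60);
        if(s<0){
            printf("\007...Mislead...!");
            return -1;                   /* signature not confirmed */
        }
        t3101(msg);
        for(i=0;i<0xa;i++)   buf[0xe+i]=msg[i];   /* header bytes 0x0e..0x17 */
        k=buf[8]+buf[9]*0x100;                     /* header size in paragraphs */
        pos=lseek(fp,-3201+s-0x70,SEEK_END);
        if(pos==-1L){
            printf("\007...Mislead...!");
            return -1;                   /* computed length lies before the file start */
        }
        fsize=pos-k*0x10;
        j=(fsize+k*0x10)/0x200+1;
        i=fsize%0x200;
        buf[2]=i%0x100;   buf[3]=i/0x100;
        buf[4]=j%0x100;   buf[5]=j/0x100;
        lseek(fp,0,0);
        if(write(fp,buf,0x20)!=0x20){
            printf("\007...Write failed!");
            return -1;                   /* do not truncate a file whose header was not repaired */
        }
        fsize+=k*0x10;
        chsize(fp,fsize);
        return 0;
    }

    if(buf[0]!=0xe9)
        return -1;
    if((buf[3]!=0x64)||(buf[4]!=0x54))
        return -1;
    printf(" Found V3101!");
    s=-1;
    if(lseek(fp,-3201,SEEK_END)!=-1L&&read(fp,msg,0x200)==0x200)
        s=search(msg,ss,-0x70);
    if(s<0){
        printf("\007...Mislead...!");
        return -1;
    }
    pos=lseek(fp,-3201+s-0x40,SEEK_END);
    if(pos==-1L){
        printf("\007...Mislead...!");
        return -1;
    }
    fsize=pos;
    for(i=0;i<5;i++)   buf[i]=msg[i];    /* first five bytes of the file */
    lseek(fp,0,0);
    if(write(fp,buf,0x20)!=0x20){
        printf("\007...Write failed!");
        return -1;
    }
    chsize(fp,fsize);
    return 0;
}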
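/*
 * Reorder the bytes search() left at the start of `msg` into the layout
 * kv3101() copies into header bytes 0x0e..0x17:
 *   msg[4..5] <- msg[2..3], msg[0..3] <- msg[0x18..0x1b],
 *   msg[6..7] <- msg[0x16..0x17], msg[8..9] <- msg[0x14..0x15].
 *
 * The posted listing read `msg=msg[i+0x18]`; the `[i]` subscript had been
 * consumed by the forum as italic markup and is restored here.  Always
 * returns 0.
 */
int t3101(byte *msg)
{
    byte i;

    msg[5]=msg[3]; msg[4]=msg[2];        /* must happen before msg[2..3] are overwritten */
    for(i=0;i<4;i++)
        msg[i]=msg[i+0x18];
    msg[6]=msg[0x16]; msg[7]=msg[0x17];
    msg[8]=msg[0x14]; msg[9]=msg[0x15];
    return 0;
}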
/* ************************************************************
*    Search and Clean 2000/Wangnengyan virus (EXE+COM) --- NO.004
* ************************************************************ */
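/*
 * Detect the "2000" infection in the open file `fp` and repair the file in
 * place.
 *
 * EXE files ("MZ") are suspected when header word 0x10 is 0x100 and header
 * word 0x14 is 0x60; COM files when byte 0 is 0xE9.  Confirmation is the
 * signature `ss` (the ASCII text " 1989 by Vesseli") in the last 0x200 bytes
 * of the file.  The repaired file is cut 2000 bytes before its current end.
 *
 * The posted listing had lost its `[i]` subscripts (the forum consumed them as
 * italic markup); they are restored here.  Every read/seek/write is checked,
 * so a file shorter than the offsets used is never truncated to a garbage
 * length.
 *
 * Returns 0 when the file was repaired, -1 otherwise.
 */
int kv2000(int fp)
{
    byte buf[256],msg[0x200];
    byte ss[16]={0x20,0x31,0x39,0x38,0x39,0x20,0x62,0x79,
                 0x20,0x56,0x65,0x73,0x73,0x65,0x6c,0x69};
    word i,j,k;
    int s;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,0x20)!=0x20)
        return -1;                       /* too short to hold the inspected header */

    if((buf[0]==0x4d)&&(buf[1]==0x5a)){  /* "MZ": EXE file */
        i=buf[0x10]+buf[0x11]*0x100;
        j=buf[0x14]+buf[0x15]*0x100;
        if((i!=0x100)||(j!=0x60))
            return -1;
        printf(" Found V2000!");
        s=-1;
        if(lseek(fp,-0x200,SEEK_END)!=-1L&&read(fp,msg,0x200)==0x200)
            s=search(msg,ss,0x35);
        if(s==-1){
            printf("\007...Mislead...!");
            return -1;                   /* signature not confirmed */
        }
        for(i=0;i<4;i++)   buf[0x14+i]=msg[i];
        for(i=0;i<2;i++)   buf[0x10+i]=msg[4+i];
        for(i=0;i<2;i++)   buf[0x0e+i]=msg[6+i];
        k=buf[8]+buf[9]*0x100;           /* header size in paragraphs */
        pos=lseek(fp,-2000,SEEK_END);
        if(pos==-1L){
            printf("\007...Mislead...!");
            return -1;                   /* file is shorter than 2000 bytes */
        }
        fsize=pos-k*0x10;
        j=(fsize+k*0x10)/0x200+1;
        i=fsize%0x200;
        buf[2]=i%0x100;   buf[3]=i/0x100;
        buf[4]=j%0x100;   buf[5]=j/0x100;
        lseek(fp,0,0);
        if(write(fp,buf,0x20)!=0x20){
            printf("\007...Write failed!");
            return -1;                   /* do not truncate a file whose header was not repaired */
        }
        fsize+=k*0x10;
        chsize(fp,fsize);
        return 0;
    }

    if(buf[0]!=0xe9)
        return -1;
    if(lseek(fp,-0x200,SEEK_END)==-1L||read(fp,msg,0x200)!=0x200)
        return -1;
    s=search(msg,ss,0x3d);
    if(s==-1)
        return -1;                       /* no V2000 signature in this COM file */
    printf(" Found V2000!");
    pos=lseek(fp,-2000,SEEK_END);
    if(pos==-1L){
        printf("\007...Mislead...!");
        return -1;
    }
    fsize=pos;
    for(i=0;i<3;i++)   buf[i]=msg[i];    /* first three bytes of the file */
    lseek(fp,0,0);
    if(write(fp,buf,0x20)!=0x20){
        printf("\007...Write failed!");
        return -1;
    }
    chsize(fp,fsize);
    return 0;
}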
/* ********************************************************
*    Search and Clean 0627/Yf virus (COM) --- NO.005
* ******************************************************** */
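/*
 * Detect the "0627" infection (COM files only) in the open file `fp` and
 * repair the file in place.
 *
 * A file is suspected when byte 0 is 0x8c, byte 3 is 0xca and byte 4 is 0x22.
 * Confirmation is the signature `ss` in 0x200 bytes read from 0x300 bytes
 * before the end of the file.
 *
 * The posted listing read `buf=msg`; the `[i]` subscripts had been consumed by
 * the forum as italic markup and are restored here.  search() is called with
 * a negative `place`, so any negative result is treated as "not confirmed",
 * and every read/seek/write is checked before the file is truncated.
 *
 * Returns 0 when the file was repaired, -1 otherwise.
 */
int kv0627(int fp)
{
    byte buf[256],msg[0x200];
    byte ss[16]={0x01,0x50,0xb9,0x10,0x00,0xf7,0xf1,0xbf,
                 0x53,0x02,0x89,0x45,0x01,0x58,0x5b,0x2b};
    word i;
    int s;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,15)!=15)
        return -1;                       /* too short to hold the inspected bytes */
    if((buf[0]!=0x8c)||(buf[3]!=0xca)||(buf[4]!=0x22))
        return -1;

    printf(" Found V627!");
    s=-1;
    if(lseek(fp,-0x300,2)!=-1L&&read(fp,msg,0x200)==0x200)
        s=search(msg,ss,-0xe0+7);        /* confirm where the virus body sits in the file */
    if(s<0){
        printf("\007...Mislead...!");
        return -1;                       /* signature not confirmed */
    }
    pos=lseek(fp,-0x300+s-0xb,2);        /* original file length */
    if(pos==-1L){
        printf("\007...Mislead...!");
        return -1;
    }
    fsize=pos;
    /* NOTE(review): these 15 bytes land at msg+0x100 and are not used below -
       confirm whether the header was meant to come from here instead. */
    read(fp,msg+0x100,15);
    for(i=0;i<15;i++)   buf[i]=msg[i];
    lseek(fp,0,0);
    if(write(fp,buf,15)!=15){            /* restore the original file header */
        printf("\007...Write failed!");
        return -1;                       /* do not truncate a file whose header was not repaired */
    }
    chsize(fp,fsize);                    /* restore the original file length */
    return 0;
}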
/* ********************************************************************
*    Search and Clean 1099/Da01/FormatDisk virus (EXE+COM) --- NO.006
* ******************************************************************** */
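/*
 * Detect the "1099" infection in the open file `fp` and repair the file in
 * place.
 *
 * EXE files ("MZ") are suspected when header bytes 0x10 and 0x11 are 0x45 and
 * 0x06; COM files when the first six bytes are 0E 8C C8 05 56 0D.
 * Confirmation is the signature `ss` in 0x200 bytes read from 1200 bytes
 * before the end of the file.
 *
 * The posted listing read `buf=msg` in the COM branch; the `[i]` subscripts
 * had been consumed by the forum as italic markup and are restored here.  The
 * EXE branch indexes msg[s..s+7], so `s` is range-checked first, and every
 * read/seek/write is checked before the file is truncated.
 *
 * Returns 0 when the file was repaired, -1 otherwise.
 */
int kv1099(int fp)
{
    byte buf[256],msg[0x200];
    /* one signature byte group of the 1099 virus */
    byte ss[16]={0x2e,0x8c,0x06,0x32,0x02,0x0e,0x1f,0xb9,
                 0xda,0x00,0xbe,0x11,0x03,0x6a,0x54,0x07};
    word i,j,k;
    int s;
    long pos;
    unsigned long int fsize;

    lseek(fp,0,0);
    if(read(fp,buf,0x20)!=0x20)
        return -1;                       /* too short to hold the inspected header */

    if((buf[0]==0x4d)&&(buf[1]==0x5a)){
        /* detect and remove the virus from an infected EXE file */
        i=buf[0x10]; j=buf[0x11];
        if((i!=0x45)||(j!=0x06))
            return -1;
        printf(" Found V1099!");
        s=-1;
        if(lseek(fp,-1200,2)!=-1L&&read(fp,msg,0x200)==0x200)
            s=search(msg,ss,295);        /* confirm where the virus body sits in the file */
        if(s==-1||s+8>0x200){            /* msg[s..s+7] must lie inside msg */
            printf("\007...Mislead...!");
            return -1;
        }
        for(i=0;i<4;i++){
            buf[0xe+i]=msg[s+i];
            buf[0x14+i]=msg[s+4+i];
        }
        k=buf[8]+buf[9]*0x100;           /* header size in paragraphs */
        pos=lseek(fp,-1200+s-295,2);
        if(pos==-1L){
            printf("\007...Mislead...!");
            return -1;                   /* computed length lies before the file start */
        }
        fsize=pos-k*0x10;                /* original file length (marked "?????" by the author) */
        j=(fsize+k*0x10)/0x200+1;
        i=fsize%0x200;
        buf[2]=i%0x100;   buf[3]=i/0x100;
        buf[4]=j%0x100;   buf[5]=j/0x100;
        buf[0xa]-=0x10;
        lseek(fp,0,0);
        if(write(fp,buf,0x20)!=0x20){
            printf("\007...Write failed!");
            return -1;                   /* do not truncate a file whose header was not repaired */
        }
        fsize+=k*0x10-16;                /* original file length */
        chsize(fp,fsize);                /* restore the original file length */
        return 0;
    }

    /* detect and remove the virus from an infected COM file */
    if((buf[0]!=0x0e)||(buf[1]!=0x8c)||(buf[2]!=0xc8))
        return -1;
    if((buf[3]!=0x05)||(buf[4]!=0x56)||(buf[5]!=0x0d))
        return -1;
    printf(" Found V1099!");
    s=-1;
    if(lseek(fp,-1200,2)!=-1L&&read(fp,msg,0x200)==0x200)
        s=search(msg,ss,295);            /* confirm where the virus body sits in the file */
    if(s==-1){
        printf("\007...Mislead...!");
        return -1;
    }
    pos=lseek(fp,-1200+s-295,2);
    if(pos==-1L||pos<5){
        printf("\007...Mislead...!");
        return -1;
    }
    fsize=pos-5;                         /* original file length */
    for(i=0;i<11;i++)   buf[i]=msg[i];
    lseek(fp,0,0);
    if(write(fp,buf,11)!=11){            /* restore the original file header */
        printf("\007...Write failed!");
        return -1;
    }
    chsize(fp,fsize);                    /* restore the original file length */
    return 0;
}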
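/*
 * Find the 16-byte signature `b` in the 0x200-byte buffer `a`.
 *
 * On the first match at offset i, up to 0x20 bytes starting at a[i+place] are
 * copied to a[0..0x1f] and i+place is returned.  -1 is returned when there is
 * no match; the callers report that as "...Mislead...".
 *
 * Changes from the posted code:
 *  - `pa=&a` had lost its `[i]` subscript (consumed by the forum as italic
 *    markup); the comparison now starts at a[i].
 *  - The comparison stops 16 bytes before the end of the buffer instead of
 *    reading past it.
 *  - i+place must fall inside the buffer.  Callers pass negative `place`
 *    values, which could yield a negative index, or a legitimate result equal
 *    to the -1 "no match" value.  Such a match is now rejected.
 *  - The copy never reads past a[0x1ff]; bytes that are not available are
 *    zero-filled rather than taken from whatever follows the buffer.
 */
int search(byte *a,byte *b,int place)
{
    int i,k,src,avail;

    for(i=0;i+16<=0x200;i++){
        for(k=0;k<16&&a[i+k]==b[k];k++)
            ;
        if(k<16)
            continue;                    /* mismatch at this offset */

        src=i+place;
        if(src<0||src>=0x200)
            return -1;                   /* match found, but the wanted bytes are outside the buffer */
        avail=0x200-src;
        if(avail>0x20)
            avail=0x20;
        /* src >= 0, so this forward copy is safe even when the ranges overlap */
        for(k=0;k<0x20;k++)
            a[k]=(k<avail)?a[k+src]:0;
        return src;
    }
    return -1;
}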
