

// w32_nimda.cpp: implementation of the w32_nimda_a class. 
// 
////////////////////////////////////////////////////////////////////// 
 
#include "stdafx.h" 
#include "w32_nimda.h" 
 
#ifdef _DEBUG 
#undef THIS_FILE 
static char THIS_FILE[]=__FILE__; 
#define new DEBUG_NEW 
#endif 
 
#define TEMP_FILENAME	"c:\\temp.exe" 
 
////////////////////////////////////////////////////////////////////// 
// Construction/Destruction 
////////////////////////////////////////////////////////////////////// 
 
/*
 * Clean a file believed to carry W32/Nimda.A.
 *
 * file: path of the file to clean.
 * Returns a VirusKiller::SCANRESULT: VIRUS_DELETED when the file name
 * matches one of the pure-virus droppers and it was removed, VIRUS_CLEANED
 * when the appended virus body was truncated off, VIRUS_SCANNED when no
 * virus body could be confirmed, VIRUS_ERR on any failure.
 *
 * NOTE(review): this listing is garbled at the fwrite() line below. The
 * text between that line and the VERIFY(f.Seek(...)) line is missing from
 * the page; what follows looks like the end of w32_nimda_a::Clean and the
 * body of a second Clean method that works on an already opened CFile f.
 * Confirm everything after that point against the original source.
 */
VirusKiller::SCANRESULT w32_nimda_a::Clean(LPCTSTR file)
{
	/* extract file name */
	int brk;
	CString filename(file);
	/* ReverseFind yields -1 when there is no backslash; the whole string is then the name */
	if ((brk=filename.ReverseFind('\\'))==-1) brk=0;
	filename=filename.Mid(brk+1);

	/* automatically delete dlls that are pure virus */
	/* case-insensitive match: riched*, load.exe, load32.exe and *tmp.exe are treated as pure droppers */
	filename.MakeLower();
	if ((filename.Find("riched")!=-1) || (filename=="load.exe") || (filename=="load32.exe") || (filename.Find("tmp.exe")!=-1) )
	{
		if (DeleteFile(file))
			return VIRUS_DELETED;
		else
			return VIRUS_ERR;
	}

	/* get a handle to the executable */
	try{
		/* NOTE(review): LoadLibrary maps the image and runs its entry point inside this
		   process; for a file suspected to be infected, LoadLibraryEx with
		   LOAD_LIBRARY_AS_DATAFILE would map it for resource access without executing
		   any of its code -- confirm whether the resource lookup below still works that way. */
		HMODULE hfile = LoadLibrary(file);
		if (hfile) {
	/*		if(!EnumResourceTypes(hfile,s_enumresourcetypes,(long)this))
				return VirusKiller::ERR;
	*/
			/* find handle to resource containing origional code */
			/* resource id 0x66 of type 0x0A (RT_RCDATA) is presumed to hold the original host file */
			HRSRC src=FindResource(hfile, MAKEINTRESOURCE(0x66), MAKEINTRESOURCE(0x0A));
			if (src) {
				int origional_file_size=SizeofResource(hfile,src);
				/* NOTE(review): the HGLOBAL from LoadResource is handed to fwrite directly;
				   LockResource is the documented way to obtain the data pointer -- confirm. */
				HGLOBAL origional_file=LoadResource(hfile,src);

				/* save to temp file */
				/* NOTE(review): TEMP_FILENAME is a fixed, predictable path on the system drive
				   and any existing file there is silently overwritten; a uniquely named temp
				   file (GetTempFileName) would be safer. What is done with the file afterwards
				   is lost from this listing -- confirm against the original source. */
				FILE* fp;
				if (fp=fopen(TEMP_FILENAME,"wb")) {
					/* NOTE(review): line garbled in the listing; the fwrite result check and the
					   rest of this method (including the fclose(fp) that should follow) are missing. */
					if (fwrite(origional_file, 1, origional_file_size, fp)TAIL_BYTES_TO_READ)
			VERIFY(f.Seek(-TAIL_BYTES_TO_READ,CFile::end));

		/* read in the last TAIL_BYTES_TO_READ bytes */
		/* NOTE(review): buffer is scanned with stristr below but never NUL-terminated after
		   f.Read -- buffer[bytes_read] = '\0' is missing in the visible code, so the string
		   search can run past the bytes actually read. Confirm. */
		char buffer[TAIL_BYTES_TO_READ+1];
		int bytes_read;
		/* assignment in the condition: a zero-length read falls through to VIRUS_ERR below */
		if(bytes_read=f.Read(buffer,TAIL_BYTES_TO_READ)) {
			/* find the position of the first ending  */
			/* NOTE(review): the string literals in the stristr calls below are empty on this page;
			   the original markers (presumably HTML tag text) were lost in extraction -- confirm. */
			char* first_close_head=stristr(buffer,"");
			if (!first_close_head) return VIRUS_ERR;

			/* find virus  after the first closing  */
			char* virus_open_head=stristr(first_close_head,"");
			if (!virus_open_head) return VIRUS_SCANNED;

			/* find virus closing  */
			char* virus_close_head=stristr(virus_open_head,"");
			if (!virus_close_head) return VIRUS_ERR;

			/* we should now be able to find a few confirmation pieces to confirm it is the virus code */
			/* each confirmation string must lie between the open and close markers, else it is not the virus */
			char* confirm;
			if ( !(confirm=stristr(virus_open_head,"")) || (confirm>virus_close_head) ) return VIRUS_SCANNED;
			if ( !(confirm=stristr(virus_open_head,"window.open")) || (confirm>virus_close_head) ) return VIRUS_SCANNED;

			/* we are now sure we have isolated the virus code */
#if 0
			CString virus_code(virus_open_head, virus_close_head-virus_open_head+7);
			TRACE(virus_code);
#endif

			/* Truncate the file before the virus code (virus code is always appended to the end) */
			/* new length = file offset of the open marker: total length minus the tail that was
			   read, plus the marker's offset inside the tail buffer */
			int new_length = f.GetLength() - bytes_read + (virus_open_head - buffer);
			f.SetLength(new_length);

			/* close file and return */
			f.Close();
			return VIRUS_CLEANED;
		}

		/* close the file */
		f.Close();

		/* unsuccesful read */
		return VIRUS_ERR;
	}
	/* NOTE(review): MFC file errors arrive as CException pointers; catch(...) swallows them
	   without calling Delete() on the exception object -- confirm whether that matters here. */
	} catch(...) {
		TRACE("Excpetion cleaning file '%s'.\r\n",file);
		return VIRUS_ERR;
	}
	/* fallback for the paths that neither returned nor threw */
	return VIRUS_ERR;
}
 
 
/*
 * Clean a file classified as W32/Nimda.C. Every file of this type is
 * removed outright; there is nothing to disinfect in place.
 *
 * file: path of the file to delete.
 * Returns VIRUS_DELETED when DeleteFile succeeds, VIRUS_ERR otherwise.
 */
VirusKiller::SCANRESULT w32_nimda_c::Clean(LPCTSTR file)
{
	/* a failed DeleteFile is the only error path */
	if (!DeleteFile(file))
		return VIRUS_ERR;
	return VIRUS_DELETED;
}