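#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "psapi.lib")

// Maximum virus signature length in bytes.
#define MAX_VIRSIGN_LEN 36

// Virus signature record: dwSize bytes of bVirSign are expected to be found
// at virtual address dStartAddr inside an infected process.
typedef struct tagVIRID {
    DWORD dwSize;                    // number of valid bytes in bVirSign (must be <= MAX_VIRSIGN_LEN)
    DWORD dStartAddr;                // address in the target process where the signature starts
    DWORD dEndAddr;                  // end address; stored but not used by the scanner below
    byte  bVirSign[MAX_VIRSIGN_LEN]; // signature bytes
} VIRID;

class CKillVir {
private:
    VIRID m_virid;            // currently loaded signature
    char  m_szPath[MAX_PATH]; // backing store for the pointer GetProcessPath() returns

public:
    // Start with an empty signature and an empty path so ValidProcess() never
    // reads an indeterminate dwSize (the original left m_virid uninitialized).
    CKillVir() : m_virid(), m_szPath() {
    }

    // Loads the signature to scan for.
    // Returns false and leaves the stored signature empty when svirid is NULL
    // or svirid->dwSize is 0 or larger than bVirSign; the original copied
    // dwSize bytes unchecked, which overruns m_virid.bVirSign for oversized
    // records.
    bool SetVirusID(VIRID* svirid) {
        memset(&m_virid, 0, sizeof m_virid);
        if (svirid == NULL || svirid->dwSize == 0 || svirid->dwSize > MAX_VIRSIGN_LEN) {
            return false;
        }
        m_virid.dwSize = svirid->dwSize;
        m_virid.dStartAddr = svirid->dStartAddr;
        m_virid.dEndAddr = svirid->dEndAddr;
        memcpy(m_virid.bVirSign, svirid->bVirSign, svirid->dwSize);
        return true;
    }

    // File scanning is not implemented; always reports "not infected".
    bool ScanFile(char* szfilename) {
        (void)szfilename;
        return false;
    }

    // Enumerates running processes and prints the PID and image path of every
    // process whose memory matches the loaded signature.
    // Returns false only when the process list itself could not be obtained.
    bool ScanProcess() {
        DWORD aProcesses[1024];
        DWORD cbNeeded = 0;
        if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
            printf("无法获取系统进程列表\n");
            return false;
        }
        printf("PID 路径\n");
        // EnumProcesses reports bytes written, not entry count.
        // NOTE(review): if cbNeeded == sizeof(aProcesses) the array may have
        // been too small and some processes are silently not listed.
        DWORD cProcesses = cbNeeded / sizeof(DWORD);
        for (DWORD i = 0; i < cProcesses; i++) {
            DWORD dwPID = aProcesses[i];
            // PIDs 0..8 are skipped as system processes - heuristic kept from
            // the original; the Idle/System PIDs are small but not guaranteed
            // to be <= 8 on every Windows version.
            if (dwPID <= 8) {
                continue;
            }
            if (ValidProcess(dwPID)) {
                const char* szProcessPath = GetProcessPath(dwPID);
                // DWORD is unsigned long, so "%d" was a format/argument mismatch.
                printf("%-8lu %s\n", (unsigned long)dwPID, szProcessPath);
            }
        }
        return true;
    }

    // Returns the image path of process idProcess, or "" when it cannot be
    // queried.  The returned pointer refers to a member buffer that is
    // overwritten by the next call; the original returned the address of a
    // local array, which dangles as soon as the function returns.
    char* GetProcessPath(DWORD idProcess) {
        m_szPath[0] = '\0';
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, idProcess);
        if (hProcess == NULL) {
            return m_szPath;
        }
        HMODULE hMod = NULL;
        DWORD cbNeeded = 0;
        if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
            // GetModuleFileNameEx returns 0 on failure; report "" in that case.
            if (GetModuleFileNameEx(hProcess, hMod, m_szPath, MAX_PATH) == 0) {
                m_szPath[0] = '\0';
            }
            // Guarantee termination even if the path was truncated.
            m_szPath[MAX_PATH - 1] = '\0';
        }
        CloseHandle(hProcess);
        return m_szPath;
    }

    // Reads dwSize bytes at dStartAddr in process dPID and compares them with
    // the loaded signature.
    // Returns false when no signature is loaded, the process cannot be opened,
    // or the read fails or is short.  The original compared the buffer even
    // when ReadProcessMemory had failed, and leaked both the process handle and
    // the heap buffer on every return path.
    bool ValidProcess(DWORD dPID) {
        DWORD rLen = m_virid.dwSize;
        if (rLen == 0 || rLen > MAX_VIRSIGN_LEN) {
            return false;
        }
        HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, dPID);
        if (hProcess == NULL) {
            return false;
        }
        // rLen <= MAX_VIRSIGN_LEN, so a fixed stack buffer replaces new[].
        byte bBuff[MAX_VIRSIGN_LEN];
        SIZE_T dByteRead = 0;
        // dStartAddr is a 32-bit DWORD; widen through ULONG_PTR before the
        // pointer cast so the conversion is well-defined on 64-bit builds.
        BOOL ok = ReadProcessMemory(hProcess, (LPCVOID)(ULONG_PTR)m_virid.dStartAddr,
                                    bBuff, rLen, &dByteRead);
        CloseHandle(hProcess);
        if (!ok || dByteRead != rLen) {
            return false;
        }
        return memcmp(bBuff, m_virid.bVirSign, rLen) == 0;
    }
};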