Virus 版 (精华区)
发信人: duck (肥猫), 信区: Virus
标 题: 1150/Burglar病毒的分析与消除2
发信站: 紫 丁 香 (Sun Apr 26 08:59:18 1998), 转信
(3)编程自动杀毒
为方便起见,笔者用Turbo C 编制了完整的自动杀毒程序,在兼容
486/66、长城386/33上调试通过,源程序如下:
#include<dir.h>
#include<conio.h>
#include<ctype.h>
#include<io.h>
#include<dos.h>
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<fcntl.h>
void findfile(void);   /* recursive walk of the current directory; hands every *.EXE to scan1150() */
void scan1150(char *); /* looks for the virus signature in the last 1024 bytes of one file */
void killv(char *);    /* cuts the 1150-byte virus body off a file and restores its EXE header */
void chkmem(void);     /* aborts the run if the virus is already memory-resident */
unsigned flag=0;       /* count of infected files cleaned so far; main() reports it at the end */
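/*
 * Entry point: scan one whole drive for 1150/Burglar-infected .EXE files
 * and clean them in place.
 *
 * argv[1] (optional) is the drive letter to scan ("C" or "C:"); without it
 * the current drive is used. The current drive and directory are restored
 * before returning. Returns 0 on a completed scan, 1 on a usage error.
 */
int main(int argc,char *argv[])
{
    int distdisk,curdisk;
    char curpath[MAXPATH];

    printf("1150/Burglar Virus Eraser");
    printf("Copyright (c) 1996 Luo Wenwei HeBeiBaoDing PLA86004 CC");
    chkmem();               /* exits if the virus is resident; cleaning would be undone */
    curdisk=getdisk();
    if(argc>1)
    {
        /* an empty or non-letter argument would otherwise yield a negative
           or out-of-range drive number */
        int letter=toupper((unsigned char)argv[1][0]);
        if(letter<'A'||letter>'Z')
        {
            printf("\n Bad drive letter: %s\n",argv[1]);
            return 1;
        }
        distdisk=letter-'A';
    }
    else
        distdisk=curdisk;
    setdisk(distdisk);
    if(getdisk()!=distdisk)
    {
        /* a select-disk request for a nonexistent drive is presumably ignored
           by DOS; getdisk() still reporting the old drive is how we notice */
        printf("\n Drive %c: not found.\n",'A'+distdisk);
        setdisk(curdisk);
        return 1;
    }
    getcurdir(0,curpath);   /* remembered so the user's directory can be restored */
    chdir("\\");            /* start the walk at the root of the chosen drive */
    findfile();
    chdir(curpath);
    setdisk(curdisk);
    if (flag==0)printf("\n No 1150/Burglar Virus Found.\n");
    else printf("\n Killed OK! %d",flag);
    return 0;
}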
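/*
 * Walk the current directory recursively.
 *
 * Every entry whose name contains ".EXE" is handed to scan1150(); every
 * subdirectory is entered and walked in turn. On return the current
 * directory is the PARENT of the one this call started in, which is what
 * the caller's pending findnext() relies on (the recursion below depends
 * on exactly this).
 */
void findfile(void) /* search directories */
{
    struct ffblk fbk;
    int done;

    /* 0x3f: all attribute bits, so hidden/system files and directories are
       listed too */
    done=findfirst("*.*",&fbk,0x3f);
    for(;;)
    {
        if(done==-1)
        {
            /* no more entries here: climb back to the parent and stop */
            chdir("..");
            return;
        }
        if(!(fbk.ff_attrib & FA_DIREC) && strstr(fbk.ff_name,".EXE")!=NULL)
            scan1150(fbk.ff_name);
        else if((fbk.ff_attrib & FA_DIREC) && fbk.ff_name[0]!='.')
        {
            /* recurse only if we really entered the subdirectory; a failed
               chdir() would otherwise make the recursive call rescan this
               same directory without end */
            if(chdir(fbk.ff_name)==0)
                findfile();
        }
        done=findnext(&fbk);
    }
}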
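/*
 * Refuse to run while the virus is memory-resident.
 *
 * Issues INT 21h with AX=F078h and treats AX==0 in the reply as "virus
 * present" (the call/response pair is taken from the analysis in the
 * earlier part of this article; it is not verifiable here). A resident
 * virus would re-infect files as they are opened, so the program exits
 * instead of scanning.
 */
void chkmem(void) /* memory check */
{
    union REGS in,out;

    in.x.ax=0xf078;
    int86(0x21,&in,&out);
    if(out.x.ax==0)
    {
        printf("Virus 1150/Burglar has been in memory!\n");
        printf("Please reboot your system!\n");
        /* non-zero status: a batch file must not mistake this for a clean run */
        exit(1);
    }
    printf("Scanning files for 1150/Burglar virus...");
}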
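/*
 * Locate sig (slen bytes) inside buf[0..len).
 *
 * Returns the offset of the first match, or len when there is none. Only
 * positions where the whole signature still fits are compared, so no byte
 * past buf[len-1] is ever read.
 */
static unsigned find_signature(const unsigned char *buf,unsigned len,
                               const char *sig,unsigned slen)
{
    unsigned pos;

    if(slen==0||len<slen)
        return len;
    for(pos=0;pos+slen<=len;pos++)
        if(memcmp(&buf[pos],sig,slen)==0)
            return pos;
    return len;
}

/*
 * Check one file (relative to the current directory) for the
 * 1150/Burglar signature and clean it if found.
 *
 * Only the last 1024 bytes are examined, since the virus body is appended
 * to the host; files shorter than that are read from the start. On a hit
 * the global counter flag is incremented and killv() is called.
 */
void scan1150(char *filename) /* file search */
{
    int fp;
    int got;
    char dir[MAXPATH];      /* getcurdir() may write a full path; 40 bytes was too small */
    long size,offset;
    unsigned num,start,slen;
    unsigned char buffer[1024];
    char virus[]="CLHWTBF-WCTK";

    getcurdir(0,dir);
    printf(" ");
    printf("%s\\%s...",dir,filename);
    fp=open(filename,O_BINARY|O_RDONLY);
    if (fp==-1)
    {
        printf("Can not open file %s",filename);
        return;
    }
    size=filelength(fp);
    offset = size>1024L ? size-1024L : 0L;
    lseek(fp,offset,0);
    got=_read(fp,buffer,sizeof buffer);
    close(fp);
    if(got<=0)
    {
        /* read failure or empty file: a negative count must never become
           the unsigned loop bound below */
        return;
    }
    num=(unsigned)got;
    slen=strlen(virus);
    start=find_signature(buffer,num,virus,slen);
    if(start<num)
    {
        flag++;
        printf("Found 1150/Burglar Virus,killed..\n");
        killv(filename);
    }
}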
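/*
 * Remove the 1150-byte virus body from an infected EXE and put the
 * original header back.
 *
 * The page count / last-page size (header words 2 and 1) are recomputed
 * for the shortened file, and header words 0x0e..0x16 (SS, SP, checksum,
 * IP, CS) are recovered from the XOR-obfuscated copy the virus keeps
 * 123 bytes before the end of the file. The offsets and XOR constants are
 * taken as given from the analysis in the earlier part of this article.
 *
 * Every read is completed and checked BEFORE anything is written, so a
 * damaged or too-short file is left untouched; an I/O failure after the
 * header write is reported but the file may then be partially cleaned.
 */
void killv(char *filename) /* remove 1150 */
{
    int fp;
    unsigned exehead[16];   /* the 32-byte EXE header, as 16-bit words */
    unsigned tempbuf[10];   /* saved header words fetched from the virus body */
    long reallen,lenpage,lens;
    long size;

    fp=open(filename,O_BINARY|O_RDWR);
    if(fp==-1)
    {
        printf("Can not open file %s for writing",filename);
        return;
    }
    size=filelength(fp);
    /* an infected file holds at least a header plus the virus body; anything
       shorter cannot be the layout this routine assumes */
    if(size<1150L+(long)sizeof exehead)
        goto fail;
    if(_read(fp,exehead,sizeof exehead)!=(int)sizeof exehead)
        goto fail;
    reallen=(long)exehead[2]*512+exehead[1]-1150;
    lenpage=reallen/512;
    lens=reallen%512;
    exehead[1]=(unsigned)lens;
    exehead[2]=(unsigned)lenpage;
    if(lseek(fp,-123L,2)==-1L)
        goto fail;
    if(_read(fp,tempbuf,10)!=10)
        goto fail;
    exehead[0x0e/2]=(tempbuf[0]^0x7676)^0x7700;  /* SS */
    exehead[0x10/2]=(tempbuf[1]^0x7676)^0x7777;  /* SP */
    exehead[0x12/2]=(tempbuf[2]^0x7676)^0x7777;  /* checksum */
    exehead[0x14/2]=(tempbuf[3]^0x7676)^0x7777;  /* IP */
    exehead[0x16/2]=(tempbuf[4]^0x7676)^0x7777;  /* CS */
    /* all input gathered; only now modify the file */
    if(lseek(fp,0L,0)==-1L)
        goto fail;
    if(_write(fp,exehead,sizeof exehead)!=(int)sizeof exehead)
        goto fail;
    if(chsize(fp,size-1150L)!=0)
        goto fail;
    close(fp);
    return;
fail:
    printf("Error while cleaning %s",filename);
    close(fp);
}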
另:据查,该病毒来源于盗版光盘上,奉劝朋友们尽量不要用盗版
光盘,以免带来不必要的损失。
(作者地址:河北保定86004部队计算中心,071051)
--
※ 来源:.紫 丁 香 bbs.hit.edu.cn.[FROM: oncs.hit.edu.cn]