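//************************************
// Scan 1 file 
// Check if this file have suspicious
// behaviour
//************************************

// First 16 bytes of the raw data of the section the Ramnit32 sample appends.
// The Hieusystem checks below use the same pattern, negated, to tell the two apart.
static const BYTE g_aRamnitSectionPrefix[16] = { 0x60, 0xe8, 0, 0, 0, 0, 0x5d, 0x8b, 0xc5, 0x81, 0xed, 0xce, 0xb2, 0x01, 0x20, 0x2b };

enum {
	// Byte inside the DOS header that the Hieusystem sample sets to 0x58; the
	// cleaner zeroes it again.
	INFECTION_MARK_OFFSET = 0x1e,
	INFECTION_MARK_VALUE = 0x58,
	// Offset, inside the Ramnit32 section's raw data, of the DWORD holding the
	// distance between the patched and the original entry point.
	RAMNIT_EP_DELTA_OFFSET = 0x771,
	// Section geometry that identifies the Ramnit32 section when a file carries
	// both infections (decides which section to strip first).
	RAMNIT_SECTION_VIRTUAL_SIZE = 0x25000,
	RAMNIT_SECTION_RAW_SIZE = 0x24200
};

// TRUE when [dwOffset, dwOffset + dwLength) lies inside a file of dwFileSize
// bytes. Written so that dwOffset + dwLength can never wrap around.
static BOOL RangeInFile(DWORD dwFileSize, DWORD dwOffset, DWORD dwLength) {
	return dwOffset <= dwFileSize && dwLength <= dwFileSize - dwOffset;
}

// TRUE when the section's raw data lies entirely inside the mapped file.
static BOOL SectionDataInFile(DWORD dwFileSize, PIMAGE_SECTION_HEADER pSection) {
	return RangeInFile(dwFileSize, pSection->PointerToRawData, pSection->SizeOfRawData);
}

// TRUE when the section's raw data starts with the Ramnit32 byte pattern.
// A missing section, or one whose data is not inside the file, never matches.
static BOOL SectionHasRamnitPrefix(PBYTE pViewFile, DWORD dwFileSize, PIMAGE_SECTION_HEADER pSection) {
	if (pSection == NULL || !RangeInFile(dwFileSize, pSection->PointerToRawData, sizeof g_aRamnitSectionPrefix)) {
		return FALSE;
	}
	return memcmp(pViewFile + pSection->PointerToRawData, g_aRamnitSectionPrefix, sizeof g_aRamnitSectionPrefix) == 0;
}

// TRUE when every byte CleanRamnit32 reads or writes is inside the file.
static BOOL CanCleanRamnit32(DWORD dwFileSize, PIMAGE_SECTION_HEADER pSection) {
	return SectionDataInFile(dwFileSize, pSection)
	    && RangeInFile(dwFileSize, pSection->PointerToRawData, RAMNIT_EP_DELTA_OFFSET + sizeof(DWORD));
}

// TRUE when every byte CleanHieusystem reads or writes is inside the file.
static BOOL CanCleanHieusystem(DWORD dwFileSize, PIMAGE_SECTION_HEADER pSection) {
	return dwFileSize >= sizeof(DWORD) && SectionDataInFile(dwFileSize, pSection);
}

// Wipe a section's raw data and its header, then drop it from the section
// count. Both cleaners end with this step. The caller has validated the range.
static void RemoveSection(PBYTE pViewFile, PIMAGE_FILE_HEADER pFileHeader, PIMAGE_SECTION_HEADER pSection) {
	// Raw data first: zeroing the header destroys PointerToRawData/SizeOfRawData.
	ZeroMemory(pViewFile + pSection->PointerToRawData, pSection->SizeOfRawData);
	ZeroMemory(pSection, sizeof *pSection);
	pFileHeader->NumberOfSections -= 1;
}

// Undo a Ramnit32 infection living in pSection: move the entry point back by
// the delta the virus stored inside its section, then remove the section.
// Caller must have checked CanCleanRamnit32 for this section.
static void CleanRamnit32(PBYTE pViewFile, PIMAGE_FILE_HEADER pFileHeader,
                          PIMAGE_OPTIONAL_HEADER pOptionalHeader, PIMAGE_SECTION_HEADER pSection) {
	DWORD dwDifference = 0;

	// The delta sits at raw offset PointerToRawData + 0x771 (the earlier
	// VirtualAddress + 0x771 + PointerToRawData - VirtualAddress form). Read it
	// with memcpy so the mapped view is never dereferenced as a DWORD.
	memcpy(&dwDifference, pViewFile + pSection->PointerToRawData + RAMNIT_EP_DELTA_OFFSET, sizeof dwDifference);
	pOptionalHeader->AddressOfEntryPoint -= dwDifference;
	RemoveSection(pViewFile, pFileHeader, pSection);
}

// Undo a Hieusystem infection living in pSection: clear the infection mark,
// restore the entry point from the VA the virus keeps in the last 4 bytes of
// the file, then remove the section.
// Caller must have checked CanCleanHieusystem for this section.
static void CleanHieusystem(PBYTE pViewFile, DWORD dwFileSize, PIMAGE_FILE_HEADER pFileHeader,
                            PIMAGE_OPTIONAL_HEADER pOptionalHeader, PIMAGE_SECTION_HEADER pSection) {
	DWORD dwOriginalEntryPoint = 0;

	pViewFile[INFECTION_MARK_OFFSET] = 0;
	memcpy(&dwOriginalEntryPoint, pViewFile + dwFileSize - sizeof dwOriginalEntryPoint, sizeof dwOriginalEntryPoint);
	// The stored value is a VA; the header wants an RVA.
	pOptionalHeader->AddressOfEntryPoint = dwOriginalEntryPoint - (DWORD)pOptionalHeader->ImageBase;
	RemoveSection(pViewFile, pFileHeader, pSection);
}

// Scan one PE file for the Ramnit32 / Hieusystem infection patterns and, when
// one is found, disinfect the file IN PLACE through a read/write mapping and
// report the result through UpdateScanResult(hwnd, "Cleaned", <name>, path).
//
//   hwnd          window that receives the scan result
//   lpszFullPath  path of the file to scan
//
// Files that cannot be opened or mapped, that are not PE images, or whose
// headers point outside the file are skipped silently; nothing is reported for
// a clean file. All handles and the view are released on every path.
void ScanOneFile(_In_ HWND hwnd, _In_ LPCTSTR lpszFullPath) {
	HANDLE hFile = INVALID_HANDLE_VALUE;
	HANDLE hMappingObject = NULL;
	PBYTE pViewFile = NULL;
	DWORD dwFileSize = 0;
	DWORD dwFileSizeHigh = 0;
	DWORD dwSectionTableOffset = 0;
	PIMAGE_DOS_HEADER pDosHeader = NULL;
	PIMAGE_NT_HEADERS pNtHeaders = NULL;
	PIMAGE_FILE_HEADER pFileHeader = NULL;
	PIMAGE_OPTIONAL_HEADER pOptionalHeader = NULL;
	PIMAGE_SECTION_HEADER pSections = NULL;
	PIMAGE_SECTION_HEADER pFinalSection = NULL;
	PIMAGE_SECTION_HEADER pPenultimateSection = NULL;
	WORD wNumberOfSections = 0;
	BOOL bMarkSet = FALSE;
	BOOL bFinalIsRamnit = FALSE;
	BOOL bPenultimateIsRamnit = FALSE;

	// CreateFile (not CreateFileA) so the LPCTSTR path matches in both ANSI and
	// UNICODE builds, like the TEXT() strings passed to UpdateScanResult.
	hFile = CreateFile(lpszFullPath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		goto cleanup;
	}

	// Every offset taken from the headers is checked against the real file size
	// before it is dereferenced. A file that does not fit in a DWORD cannot be
	// handled by this code and a file shorter than a DOS header is not a PE.
	dwFileSize = GetFileSize(hFile, &dwFileSizeHigh);
	if (dwFileSize == INVALID_FILE_SIZE || dwFileSizeHigh != 0 || dwFileSize < sizeof(IMAGE_DOS_HEADER)) {
		goto cleanup;
	}

	// CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE.
	hMappingObject = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
	if (hMappingObject == NULL) {
		goto cleanup;
	}

	pViewFile = (PBYTE)MapViewOfFile(hMappingObject, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
	if (pViewFile == NULL) {
		goto cleanup;
	}

	// MZ header; e_lfanew must point at a complete NT header inside the file.
	pDosHeader = (PIMAGE_DOS_HEADER)pViewFile;
	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE
	    || pDosHeader->e_lfanew < 0
	    || !RangeInFile(dwFileSize, (DWORD)pDosHeader->e_lfanew, sizeof(IMAGE_NT_HEADERS))) {
		goto cleanup;
	}

	// PE header. The optional-header layout used below (ImageBase width,
	// AddressOfEntryPoint) is the one this build was compiled for, so an image
	// of the other format is skipped rather than misread.
	pNtHeaders = (PIMAGE_NT_HEADERS)(pViewFile + pDosHeader->e_lfanew);
	if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE
	    || pNtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
		goto cleanup;
	}
	pFileHeader = &pNtHeaders->FileHeader;
	pOptionalHeader = &pNtHeaders->OptionalHeader;
	wNumberOfSections = pFileHeader->NumberOfSections;

	// The section table follows the optional header (SizeOfOptionalHeader from
	// the file, not sizeof). The cleaners index its last two entries, so the
	// whole table has to lie inside the file. Checked in two steps so that no
	// intermediate sum can wrap.
	dwSectionTableOffset = (DWORD)(FIELD_OFFSET(IMAGE_NT_HEADERS, FileHeader) + sizeof(IMAGE_FILE_HEADER))
	                     + pFileHeader->SizeOfOptionalHeader;
	if (wNumberOfSections == 0
	    || !RangeInFile(dwFileSize, (DWORD)pDosHeader->e_lfanew, dwSectionTableOffset)) {
		goto cleanup;
	}
	dwSectionTableOffset += (DWORD)pDosHeader->e_lfanew;
	if (!RangeInFile(dwFileSize, dwSectionTableOffset, wNumberOfSections * (DWORD)sizeof(IMAGE_SECTION_HEADER))) {
		goto cleanup;
	}
	pSections = (PIMAGE_SECTION_HEADER)(pViewFile + dwSectionTableOffset);

	pFinalSection = &pSections[wNumberOfSections - 1];
	pPenultimateSection = (wNumberOfSections >= 2) ? &pSections[wNumberOfSections - 2] : NULL;

	// Evaluate all three indicators before anything is modified: the cleaners
	// zero section headers, which would change the answers.
	bMarkSet = (pViewFile[INFECTION_MARK_OFFSET] == INFECTION_MARK_VALUE);
	bFinalIsRamnit = SectionHasRamnitPrefix(pViewFile, dwFileSize, pFinalSection);
	bPenultimateIsRamnit = SectionHasRamnitPrefix(pViewFile, dwFileSize, pPenultimateSection);

	if (!bMarkSet && bFinalIsRamnit) {
		// Ramnit32 only.
		if (CanCleanRamnit32(dwFileSize, pFinalSection)) {
			CleanRamnit32(pViewFile, pFileHeader, pOptionalHeader, pFinalSection);
			UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Ramnit32"), (LPTSTR)lpszFullPath);
		}
	} else if (bMarkSet && !bFinalIsRamnit && !bPenultimateIsRamnit) {
		// Hieusystem only.
		if (CanCleanHieusystem(dwFileSize, pFinalSection)) {
			CleanHieusystem(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pFinalSection);
			UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Hieusystem"), (LPTSTR)lpszFullPath);
		}
	} else if (bMarkSet && (bFinalIsRamnit || bPenultimateIsRamnit) && pPenultimateSection != NULL) {
		// Both viruses: the section geometry says which one was appended last.
		// Both ranges are validated up front so the file is never left half
		// cleaned; the last-4-bytes OEP is read before Ramnit32 is stripped in
		// either order, which is why neither cleaner truncates the file.
		PIMAGE_SECTION_HEADER pRamnitSection = NULL;
		PIMAGE_SECTION_HEADER pHieuSection = NULL;
		BOOL bRamnitFirst = (pFinalSection->Misc.VirtualSize == RAMNIT_SECTION_VIRTUAL_SIZE
		                  && pFinalSection->SizeOfRawData == RAMNIT_SECTION_RAW_SIZE);

		pRamnitSection = bRamnitFirst ? pFinalSection : pPenultimateSection;
		pHieuSection = bRamnitFirst ? pPenultimateSection : pFinalSection;

		if (CanCleanRamnit32(dwFileSize, pRamnitSection) && CanCleanHieusystem(dwFileSize, pHieuSection)) {
			if (bRamnitFirst) {
				CleanRamnit32(pViewFile, pFileHeader, pOptionalHeader, pRamnitSection);
				CleanHieusystem(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pHieuSection);
			} else {
				CleanHieusystem(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pHieuSection);
				CleanRamnit32(pViewFile, pFileHeader, pOptionalHeader, pRamnitSection);
			}
			UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Ramnit32; HieuSysten"), (LPTSTR)lpszFullPath);
		}
	}

cleanup:
	// Release in reverse order of acquisition; each step is skipped for a
	// resource that was never obtained.
	if (pViewFile != NULL) {
		UnmapViewOfFile(pViewFile);
	}
	if (hMappingObject != NULL) {
		CloseHandle(hMappingObject);
	}
	if (hFile != INVALID_HANDLE_VALUE) {
		CloseHandle(hFile);
	}
}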