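//************************************
// Scan 1 file
// Check if this file have suspicious
// behaviour
//
// The file is mapped read/write and, when a Ramnit32 and/or Hieusystem
// infection is recognised, disinfected in place. Every value used to
// locate data (e_lfanew, section count, section raw offsets/sizes, the
// file length) comes from the file itself, so each one is range-checked
// against the mapping before it is dereferenced: a file whose fields
// point outside the mapping is left untouched instead of being read or
// written out of bounds. Section contents are wiped with memset rather
// than copied from a 1 MB zero buffer on the stack, so sections larger
// than that buffer are handled as well.
//************************************

// Byte pattern compared against the start of a section's raw data to
// recognise a Ramnit32-infected section.
static const BYTE kRamnitMarker[16] = {
    0x60, 0xe8, 0, 0, 0, 0, 0x5d, 0x8b,
    0xc5, 0x81, 0xed, 0xce, 0xb2, 0x01, 0x20, 0x2b };
static const DWORD kMarkerLength = sizeof(kRamnitMarker);

// Raw offset inside the Ramnit section where a DWORD holding
// (infected entry point - original entry point) is stored.
static const DWORD kRamnitDeltaOffset = 0x771;

// Hieusystem marks an infected file by writing 0x58 into this DOS-header byte.
static const DWORD kHieusystemFlagOffset = 0x1e;
static const BYTE  kHieusystemFlagValue  = 0x58;

// Final-section geometry used to tell which section is Ramnit's when both
// infections are present.
static const DWORD kRamnitSectionVirtualSize = 0x25000;
static const DWORD kRamnitSectionRawSize     = 0x24200;

// Returns true when [dwOffset, dwOffset + dwLength) lies inside a file of
// dwFileSize bytes. Computed in 64 bits so a crafted offset/size pair
// cannot wrap around a DWORD and pass the check.
static bool RangeInFile(DWORD dwFileSize, DWORD dwOffset, DWORD dwLength)
{
    return (ULONGLONG)dwOffset + (ULONGLONG)dwLength <= (ULONGLONG)dwFileSize;
}

// True when the section's raw data starts with the Ramnit marker. A section
// whose raw data does not fit in the file yields false instead of an
// out-of-bounds read.
static bool SectionHasMarker(const BYTE* pViewFile, DWORD dwFileSize, const IMAGE_SECTION_HEADER* pSection)
{
    if (!RangeInFile(dwFileSize, pSection->PointerToRawData, kMarkerLength))
        return false;
    return memcmp(pViewFile + pSection->PointerToRawData, kRamnitMarker, kMarkerLength) == 0;
}

// Every byte CleanRamnitSection touches lies inside the file.
static bool CanCleanRamnit(DWORD dwFileSize, const IMAGE_SECTION_HEADER* pSection)
{
    return RangeInFile(dwFileSize, pSection->PointerToRawData, pSection->SizeOfRawData)
        && RangeInFile(dwFileSize, pSection->PointerToRawData, (DWORD)(kRamnitDeltaOffset + sizeof(DWORD)));
}

// Every byte CleanHieusystemSection touches lies inside the file.
static bool CanCleanHieusystem(DWORD dwFileSize, const IMAGE_SECTION_HEADER* pSection)
{
    return dwFileSize >= sizeof(DWORD)
        && RangeInFile(dwFileSize, kHieusystemFlagOffset, 1)
        && RangeInFile(dwFileSize, pSection->PointerToRawData, pSection->SizeOfRawData);
}

// Undoes a Ramnit32 infection living in pSection: restores the entry point,
// zeroes the section's raw data and its header, and drops it from the
// section count. Precondition: CanCleanRamnit() returned true.
static void CleanRamnitSection(PBYTE pViewFile, PIMAGE_FILE_HEADER pFileHeader,
                               PIMAGE_OPTIONAL_HEADER pOptionalHeader, PIMAGE_SECTION_HEADER pSection)
{
    const DWORD dwRawOffset = pSection->PointerToRawData;
    const DWORD dwRawSize   = pSection->SizeOfRawData;

    // The delta to the original entry point is kept at file offset
    // PointerToRawData + 0x771 (the VirtualAddress terms in the original
    // address computation cancel out).
    DWORD dwDifference = 0;
    memcpy(&dwDifference, pViewFile + dwRawOffset + kRamnitDeltaOffset, sizeof(dwDifference));
    pOptionalHeader->AddressOfEntryPoint -= dwDifference;

    // Wipe the injected code, then the section header itself.
    memset(pViewFile + dwRawOffset, 0, dwRawSize);
    pFileHeader->NumberOfSections -= 1;
    memset(pSection, 0, sizeof(IMAGE_SECTION_HEADER));
}

// Undoes a Hieusystem infection living in pSection: clears the DOS-header
// flag, restores the entry point from the last four bytes of the file,
// zeroes the section's raw data and header, and drops it from the section
// count. Precondition: CanCleanHieusystem() returned true.
static void CleanHieusystemSection(PBYTE pViewFile, DWORD dwFileSize, PIMAGE_FILE_HEADER pFileHeader,
                                   PIMAGE_OPTIONAL_HEADER pOptionalHeader, PIMAGE_SECTION_HEADER pSection)
{
    pViewFile[kHieusystemFlagOffset] = 0;

    // The saved entry point sits in the last DWORD of the file and has
    // ImageBase added to it (presumably stored as a VA), hence the subtraction.
    DWORD dwSavedEntryPoint = 0;
    memcpy(&dwSavedEntryPoint, pViewFile + dwFileSize - sizeof(DWORD), sizeof(dwSavedEntryPoint));
    pOptionalHeader->AddressOfEntryPoint = (DWORD)(dwSavedEntryPoint - pOptionalHeader->ImageBase);

    memset(pViewFile + pSection->PointerToRawData, 0, pSection->SizeOfRawData);
    memset(pSection, 0, sizeof(IMAGE_SECTION_HEADER));
    pFileHeader->NumberOfSections -= 1;
}

// Parses the mapped file as a PE image and runs the Ramnit32/Hieusystem
// cleaners on it. Returns silently when the file is not a PE image or when
// a header field would take a cleaner outside the mapping.
// TODO(review): consider reporting the "fields out of range" case through
// UpdateScanResult so operators can see which files were skipped.
static void ScanMappedImage(HWND hwnd, LPCTSTR lpszFullPath, PBYTE pViewFile, DWORD dwFileSize)
{
    if (!RangeInFile(dwFileSize, 0, sizeof(IMAGE_DOS_HEADER)))
        return;
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pViewFile;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return;

    // e_lfanew is signed and comes from the file; it must land the whole
    // NT header inside the mapping.
    if (pDosHeader->e_lfanew < 0
        || !RangeInFile(dwFileSize, (DWORD)pDosHeader->e_lfanew, sizeof(IMAGE_NT_HEADERS)))
        return;
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(pViewFile + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return;

    PIMAGE_FILE_HEADER     pFileHeader     = &pNtHeaders->FileHeader;
    PIMAGE_OPTIONAL_HEADER pOptionalHeader = &pNtHeaders->OptionalHeader;
    const WORD wNumberOfSections = pFileHeader->NumberOfSections;

    // Both cleaners index the last two section headers.
    if (wNumberOfSections < 2)
        return;

    // The section table follows the optional header; every entry we may
    // index must be inside the file.
    const DWORD dwSectionTableOffset = (DWORD)((PBYTE)pFileHeader - pViewFile)
                                     + (DWORD)sizeof(IMAGE_FILE_HEADER)
                                     + pFileHeader->SizeOfOptionalHeader;
    const DWORD dwSectionTableSize = (DWORD)wNumberOfSections * (DWORD)sizeof(IMAGE_SECTION_HEADER);
    if (!RangeInFile(dwFileSize, dwSectionTableOffset, dwSectionTableSize))
        return;
    PIMAGE_SECTION_HEADER pSectionTable       = (PIMAGE_SECTION_HEADER)(pViewFile + dwSectionTableOffset);
    PIMAGE_SECTION_HEADER pFinalSection       = &pSectionTable[wNumberOfSections - 1];
    PIMAGE_SECTION_HEADER pPenultimateSection = &pSectionTable[wNumberOfSections - 2];

    // Offset 0x1e is inside the DOS header that was range-checked above.
    const bool bHieusystemFlag       = pViewFile[kHieusystemFlagOffset] == kHieusystemFlagValue;
    const bool bFinalHasMarker       = SectionHasMarker(pViewFile, dwFileSize, pFinalSection);
    const bool bPenultimateHasMarker = SectionHasMarker(pViewFile, dwFileSize, pPenultimateSection);

    if (bFinalHasMarker && !bHieusystemFlag)
    {
        // Ramnit32 only.
        if (CanCleanRamnit(dwFileSize, pFinalSection))
        {
            CleanRamnitSection(pViewFile, pFileHeader, pOptionalHeader, pFinalSection);
            UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Ramnit32"), (LPTSTR)lpszFullPath);
        }
    }
    else if (bHieusystemFlag && !bFinalHasMarker && !bPenultimateHasMarker)
    {
        // Hieusystem only.
        if (CanCleanHieusystem(dwFileSize, pFinalSection))
        {
            CleanHieusystemSection(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pFinalSection);
            UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Hieusystem"), (LPTSTR)lpszFullPath);
        }
    }
    else if (bHieusystemFlag)
    {
        // Both infections. The final section's geometry decides which of the
        // last two sections belongs to Ramnit; the other one is Hieusystem's.
        const bool bRamnitIsFinal = pFinalSection->Misc.VirtualSize == kRamnitSectionVirtualSize
                                 && pFinalSection->SizeOfRawData  == kRamnitSectionRawSize;
        PIMAGE_SECTION_HEADER pRamnitSection     = bRamnitIsFinal ? pFinalSection : pPenultimateSection;
        PIMAGE_SECTION_HEADER pHieusystemSection = bRamnitIsFinal ? pPenultimateSection : pFinalSection;

        // Validate both sections before touching anything so a bad field
        // cannot leave the file half-cleaned.
        if (CanCleanRamnit(dwFileSize, pRamnitSection) && CanCleanHieusystem(dwFileSize, pHieusystemSection))
        {
            // The cleaning order is significant: the Hieusystem cleaner
            // overwrites the entry point while the Ramnit cleaner adjusts it,
            // so each case keeps the order the cleaner has always used.
            if (bRamnitIsFinal)
            {
                CleanRamnitSection(pViewFile, pFileHeader, pOptionalHeader, pRamnitSection);
                CleanHieusystemSection(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pHieusystemSection);
            }
            else
            {
                CleanHieusystemSection(pViewFile, dwFileSize, pFileHeader, pOptionalHeader, pHieusystemSection);
                CleanRamnitSection(pViewFile, pFileHeader, pOptionalHeader, pRamnitSection);
            }
            // Result label kept byte-for-byte (including its spelling) so
            // existing consumers of scan results keep matching it.
            UpdateScanResult(hwnd, TEXT("Cleaned"), TEXT("Ramnit32; HieuSysten"), (LPTSTR)lpszFullPath);
        }
    }
}

void ScanOneFile(_In_ HWND hwnd, _In_ LPCTSTR lpszFullPath)
{
    // NOTE(review): the path is LPCTSTR but is handed to the ANSI CreateFileA,
    // as before; this only builds in a non-UNICODE configuration.
    HANDLE hFile = CreateFileA(lpszFullPath, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return;

    // The whole file is mapped, so its size bounds every later access.
    // Empty files cannot be mapped, and a failed query or a size that does
    // not fit a DWORD is skipped rather than mapped partially.
    DWORD dwFileSizeHigh = 0;
    const DWORD dwFileSize = GetFileSize(hFile, &dwFileSizeHigh);
    if (dwFileSize != INVALID_FILE_SIZE && dwFileSizeHigh == 0 && dwFileSize != 0)
    {
        // CreateFileMapping reports failure with NULL, not INVALID_HANDLE_VALUE.
        HANDLE hMappingObject = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
        if (hMappingObject != NULL)
        {
            PBYTE pViewFile = (PBYTE)MapViewOfFile(hMappingObject, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
            if (pViewFile != NULL)
            {
                ScanMappedImage(hwnd, lpszFullPath, pViewFile, dwFileSize);
                UnmapViewOfFile(pViewFile);
            }
            CloseHandle(hMappingObject);
        }
    }
    // Handles are released on every path, including the early failures above.
    CloseHandle(hFile);
}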