维金病毒所谓的感染EXE文件,不过是把自身放在原PE文件前面、两者捆绑在一起,所以还原EXE文件也非常简单:只需要确定病毒体的大小,从该偏移起把原来的EXE文件拷出来即可。
当然,不能排除将来的变种改变感染方式的可能。
我所遇到的样本中病毒体的大小是 $7daf(16进制),这是通过Hiew分析得到的。被感染文件的开头4个字节转化成双字值等于 $454B5A4D(16进制),即ASCII的“MZKE”;这两个值只对该样本有效,换一个样本需要重新分析。
下面给出还原被维金病毒感染的PE文件的Delphi源代码,WinXP SP2测试通过。
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ComCtrls;
type
  { Main form of the disinfection tool.  The components are laid out in the
    .dfm file; only the two event handlers declared here carry logic. }
  TForm1 = class(TForm)
    ListBox1: TListBox;       // log: cleaned file names and failure messages
    Button3: TButton;         // starts a scan of the selected root directory
    lblFileName: TLabel;      // file currently being examined
    lblFileCount: TLabel;     // running "virus / scanned" counters
    ComboBox1: TComboBox;     // root directory to scan (pre-filled with fixed drives)
    Label1: TLabel;
    Label2: TLabel;
    procedure Button3Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;   // the single instance; the unit's free procedures address it directly
implementation
{$R *.dfm}
var
  g_totalFileCount: Integer = 0;   // .EXE files examined in the current scan
  g_virusFileCount: Integer = 0;   // files from which a virus body was stripped
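{ Strip the prepended Viking virus body from one infected .EXE file.

  An infected file is the virus body (BEGINPOS bytes in the analysed sample)
  followed by the untouched original PE image, so recovery is a copy of
  everything from BEGINPOS to the end of the file.  A file is treated as
  infected only when its first DWORD is VIRUS_MAGIC ('MZKE') AND a real
  'MZ' header is found at BEGINPOS; a file that merely shares the marker is
  reported and left alone rather than truncated.

  Side effects: increments the global scan/virus counters, updates the
  labels and list box on Form1, renames the infected file to
  FileName + '.VIRUS' (kept as a non-executable quarantine copy) and puts
  the recovered image under the original name.  Files whose extension is
  not .EXE are ignored.  Any failure is logged in the list box instead of
  propagating to the caller.

  Parameters:
    FileName  full path of the file to examine. }
procedure ProcessVirusFile(FileName: string);
const
  BEGINPOS = $7daf;           // size of the virus body in the analysed sample
  VIRUS_MAGIC = $454B5A4D;    // first DWORD of an infected file ('MZKE')
  MZ_MAGIC = $5A4D;           // 'MZ': every PE image starts with this word
var
  dw: DWORD;
  mz: Word;
  TmpName: string;
  fsOld, fsNew: TFileStream;
begin
  if not SameText(ExtractFileExt(FileName), '.EXE') then
    Exit;

  Inc(g_totalFileCount);
  Form1.lblFileName.Caption := FileName;
  Form1.lblFileName.Repaint;
  Form1.lblFileCount.Caption := Format('Virus count: %d, Scan count: %d',
    [g_virusFileCount, g_totalFileCount]);
  Form1.lblFileCount.Repaint;

  try
    fsOld := TFileStream.Create(FileName, fmOpenRead);
    try
      // Too small to hold the 4-byte marker: cannot be infected.
      if fsOld.Size < SizeOf(dw) then
        Exit;
      // ReadBuffer raises on a short read instead of leaving dw undefined.
      fsOld.ReadBuffer(dw, SizeOf(dw));
      if dw <> VIRUS_MAGIC then
        Exit;

      // There must be room for an image after the virus body.  Without this
      // guard CopyFrom would receive a count <= 0, which TStream interprets
      // as "copy the whole source", silently reproducing the infected file.
      if fsOld.Size < BEGINPOS + SizeOf(mz) then
      begin
        Form1.ListBox1.Items.Add('File "' + FileName +
          '" has the virus marker but is too small to recover; skipped.');
        Exit;
      end;

      // The recovered image must itself start with 'MZ'; otherwise the
      // marker is a coincidence (or a variant with a different body size)
      // and cutting at BEGINPOS would destroy the file.
      fsOld.Position := BEGINPOS;
      fsOld.ReadBuffer(mz, SizeOf(mz));
      if mz <> MZ_MAGIC then
      begin
        Form1.ListBox1.Items.Add('File "' + FileName +
          '" has the virus marker but no PE image at the expected offset; skipped.');
        Exit;
      end;

      fsOld.Position := BEGINPOS;
      TmpName := ChangeFileExt(FileName, '.TMP');
      fsNew := TFileStream.Create(TmpName, fmCreate);
      try
        fsNew.CopyFrom(fsOld, fsOld.Size - BEGINPOS);
      finally
        fsNew.Free;
      end;
    finally
      fsOld.Free;   // released on every path, not only the infected one
    end;

    // Quarantine the infected original under a non-executable name, then
    // move the recovered image into place.  Both renames are checked so a
    // failure is reported instead of leaving a stray .TMP behind silently.
    if not RenameFile(FileName, FileName + '.VIRUS') then
      raise Exception.Create('could not rename infected file');
    if not RenameFile(TmpName, FileName) then
      raise Exception.Create('could not move recovered file into place');

    Inc(g_virusFileCount);
    Form1.ListBox1.Items.Add(FileName);
    Form1.ListBox1.Repaint;
  except
    Form1.ListBox1.Items.Add('Kill virus in file "' + FileName + '" failed.');
  end;
end;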
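{ Recursively walk RootPath and hand every regular file to ProcessVirusFile.

  Sub-directories other than '.' and '..' are descended into.  The message
  queue is pumped after every entry so the form stays responsive during a
  long scan.  When FindFirst fails nothing is done at all, so FindNext and
  FindClose never operate on an uninitialised TSearchRec.

  Parameters:
    RootPath  directory to scan, with or without a trailing backslash. }
procedure DoSearchFile(RootPath: string);
var
  Info: TSearchRec;
  FullName: string;
begin
  RootPath := IncludeTrailingBackslash(RootPath);
  if FindFirst(RootPath + '*.*', faAnyFile, Info) <> 0 then
    Exit;   // empty or inaccessible directory: no search handle to close
  try
    repeat
      if (Info.Name = '.') or (Info.Name = '..') then
        Continue;   // jumps to the FindNext in the until clause
      FullName := RootPath + Info.Name;
      if (Info.Attr and faDirectory) = faDirectory then
        // NOTE(review): directory junctions are descended like ordinary
        // directories, so a self-referencing junction would recurse without
        // bound — confirm whether the scanned roots can contain any.
        DoSearchFile(FullName)
      else
        ProcessVirusFile(FullName);
      Application.ProcessMessages;
    until FindNext(Info) <> 0;
  finally
    FindClose(Info);
  end;
end;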
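{ Start a scan of the directory named in ComboBox1.

  Does nothing when the box is empty or does not name an existing directory.
  The button is disabled for the duration of the scan and re-enabled in a
  finally block, so an exception escaping the scan cannot leave the form
  without a way to start another one. }
procedure TForm1.Button3Click(Sender: TObject);
var
  Root: string;
begin
  Root := Trim(ComboBox1.Text);
  if Root = '' then
    Exit;
  if not DirectoryExists(Root) then
  begin
    lblFileName.Caption := 'Directory not found: ' + Root;
    Exit;
  end;

  Button3.Enabled := False;
  try
    g_totalFileCount := 0;
    g_virusFileCount := 0;
    ListBox1.Clear;
    DoSearchFile(Root);
    lblFileName.Caption := 'Done.';
    lblFileCount.Caption := Format('Virus count: %d, Scan count: %d',
      [g_virusFileCount, g_totalFileCount]);
  finally
    Button3.Enabled := True;
  end;
end;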
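{ Initialise the status labels and fill ComboBox1 with the root of every
  fixed drive.

  GetDriveType is documented to expect the root in the form 'X:\' with a
  trailing backslash; a forward-slash root is not a documented input, so
  the Windows path separator is used. }
procedure TForm1.FormCreate(Sender: TObject);
var
  Letter: Char;
  Root: string;
begin
  lblFileName.Caption := 'Ready.';
  lblFileCount.Caption := '';
  for Letter := 'A' to 'Z' do
  begin
    Root := Letter + ':\';
    if GetDriveType(PChar(Root)) = DRIVE_FIXED then
      ComboBox1.Items.Add(Root);
  end;
end;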
end.