处理被维金病毒感染的EXE文件

本文主要是介绍处理被维金病毒感染的EXE文件，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

维金病毒所谓的感染EXE文件不过是把自身和PE文件捆绑在一起，所以还原EXE文件也非常简单，只需要确定病毒的大小，把原来的EXE文件拷出来即可。

当然，不能排除将来的变种改变感染方式的可能。

我被感染的病毒大小是 $7daf(16进制)，通过Hiew分析得到的。此病毒的开始4个字节转化成双字值等于 $454B5A4D (16进制)。

下面给出还原被维金病毒感染的PE文件的Delphi原代码，WinXP SP2测试通过。

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ComCtrls;

type
  TForm1 = class(TForm)
    ListBox1: TListBox;
    Button3: TButton;
    lblFileName: TLabel;
    lblFileCount: TLabel;
    ComboBox1: TComboBox;
    Label1: TLabel;
    Label2: TLabel;
    procedure Button3Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

var
  g_totalFileCount: Integer = 0;
  g_virusFileCount: Integer = 0;

procedure ProcessVirusFile(FileName: string);
const
  BEGINPOS = $7daf;
var
  dw: DWORD;
  fsOld, fsNew: TFileStream;
begin
  if UpperCase(ExtractFileExt(FileName)) = '.EXE' then
  begin
    Inc(g_totalFileCount);
    Form1.lblFileName.Caption := FileName;
    Form1.lblFileName.Repaint;
    Form1.lblFileCount.Caption := Format('Virus count: %d, Scan count: %d', [g_virusFileCount, g_TotalFileCount]);
    Form1.lblFileCount.Repaint;

    try
      fsOld := TFileStream.Create(FileName, fmOpenRead);
      fsOld.Read(dw, sizeof(dw));

      if dw = $454B5A4D then
      begin
        fsOld.Position := BEGINPOS;

        fsNew := TFileStream.Create(ChangeFileExt(FileName, '.TMP'), fmCreate);
        fsNew.CopyFrom(fsOld, fsOld.Size - BEGINPOS);
        fsNew.Free;

        fsOld.Free;

        RenameFile(FileName, FileName + '.VIRUS');
        Sleep(100);
        RenameFile(ChangeFileExt(FileName, '.TMP'), FileName);

        Inc(g_virusFileCount);
        form1.ListBox1.Items.Add(FileName);
        form1.ListBox1.Repaint;
      end;
    except
      Form1.ListBox1.Items.Add('Kill virus in file "' +FileName+ '" failed.');
    end;
  end;
end;

procedure DoSearchFile(RootPath: string);
var
  Info: TSearchRec;
begin
  RootPath := IncludeTrailingBackslash(RootPath);
  try
    if FindFirst(RootPath + '*.*', faAnyFile, Info) = 0 then
    begin
      if (Info.Attr and faDirectory) <> faDirectory then //not a directory
          ProcessVirusFile(RootPath + Info.Name) else
          if (Info.Name <> '.') and (Info.Name <> '..') then //is a valid directory
              DoSearchFile(RootPath + Info.Name);
    end;

    while FindNext(Info) = 0 do
    begin
       if (Info.Attr and faDirectory) <> faDirectory then //not a directory
           ProcessVirusFile(RootPath + Info.Name) else
           if (Info.Name <> '.') and (Info.Name <> '..') then //is a valid directory
               DoSearchFile(RootPath + Info.Name);

      Application.ProcessMessages;
    end;
  finally
    FindClose(Info);
  end;
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  if ComboBox1.Text = '' then
     Exit;

  Button3.Enabled := FALSE;

  g_totalFileCount := 0;
  g_virusFileCount := 0;

  ListBox1.Clear;

  DoSearchFile(ComboBox1.Text);

  lblFileName.Caption := 'Done.';
  lblFileCount.Caption := Format('Virus count: %d, Scan count: %d', [g_virusFileCount, g_TotalFileCount]);

  Button3.Enabled := TRUE;
end;

procedure TForm1.FormCreate(Sender: TObject);
var
  C: Char;
  s: string;
begin
  lblFileName.Caption := 'Ready.';
  lblFileCount.Caption := '';

  for C := 'A' to 'Z' do
  begin
    s := C + ':/';
    if GetDriveType(PChar(s)) = DRIVE_FIXED then
       ComboBox1.Items.Add(s);
  end;
end;

end.

这篇关于处理被维金病毒感染的EXE文件的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---