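// Resume every thread of the process named lpszProcName, except the thread
// whose id is dwExceptThdId (default -1 matches no thread).
//
// Returns FALSE when the process is not running (ScanProcess yields 0), when
// the thread snapshot cannot be taken, or when it cannot be enumerated.
// A thread that cannot be opened is skipped silently; that is not reported.
BOOL ResumeProcess(LPCTSTR lpszProcName, DWORD dwExceptThdId = -1)
{
    const DWORD dwPid = ScanProcess(lpszProcName);
    if (0 == dwPid)
        return FALSE;

    HANDLE hThreadSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (INVALID_HANDLE_VALUE == hThreadSnap)
        return FALSE;   // original also called CloseHandle on the invalid value

    BOOL bRet = TRUE;
    THREADENTRY32 th32;
    th32.dwSize = sizeof(th32);

    if (::Thread32First(hThreadSnap, &th32)) {
        do {
            if (th32.th32OwnerProcessID != dwPid || th32.th32ThreadID == dwExceptThdId)
                continue;   // in a do/while, continue re-evaluates the condition

            // THREAD_SUSPEND_RESUME is all ResumeThread needs. Asking for
            // THREAD_ALL_ACCESS (as before) fails outright on threads we only
            // hold partial rights to, so those threads were never resumed.
            HANDLE hThread = ::OpenThread(THREAD_SUSPEND_RESUME, FALSE, th32.th32ThreadID);
            if (NULL == hThread)
                continue;

            // ResumeThread returns the PREVIOUS suspend count, or (DWORD)-1 on
            // failure. The original loop tested "> 0", so a failure
            // (0xFFFFFFFF) — e.g. a NULL handle from a failed OpenThread —
            // spun forever. Stop on failure, or once the count is about to
            // reach zero (previous count 1 means this call resumed it).
            DWORD dwPrev;
            do {
                dwPrev = ::ResumeThread(hThread);
            } while (dwPrev != (DWORD)-1 && dwPrev > 1);

            ::CloseHandle(hThread);
        } while (::Thread32Next(hThreadSnap, &th32));
    } else {
        bRet = FALSE;
    }

    ::CloseHandle(hThreadSnap);
    return bRet;
}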
// Name-based convenience overload. Resolves lpszProcName to a PID through
// ScanProcess and hands off to the PID-based ResumeProcess; yields FALSE when
// no process of that name is running. dwExceptThdId is passed through
// unchanged (default -1 excludes no thread).
static BOOL ResumeProcess(LPCTSTR lpszProcName, DWORD dwExceptThdId = -1)
{
    const DWORD dwPid = ScanProcess(lpszProcName);
    return (dwPid != 0) ? ResumeProcess(dwPid, dwExceptThdId) : FALSE;
}
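// Scanner thread body: enumerates every PID on the system and hands each one
// to ScanProcess, over and over. The loop has no exit condition, so this
// function never returns on its own; lpParams is unused.
//
// NOTE(review): the loop never yields between passes, so this thread pins a
// core. A short Sleep() (or an event to wait on) between passes is advisable;
// it is not added here to keep the scan cadence unchanged.
DWORD WINAPI ScanThread(LPVOID lpParams)
{
    (void)lpParams;
    while (true) {
        DWORD aProcesses[1024];
        DWORD cbNeeded = 0;

        // The original ignored EnumProcesses' return value and then used
        // cbNeeded — uninitialized on failure — to size the loop. Skip the
        // pass instead of iterating over garbage.
        if (!::EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
            continue;

        // cbNeeded == sizeof(aProcesses) means the array may have been
        // truncated; PIDs beyond the first 1024 are not scanned this pass.
        const DWORD cProcesses = cbNeeded / sizeof(DWORD);
        for (DWORD i = 0; i < cProcesses; ++i) {
            if (aProcesses[i] != 0)   // PID 0 (System Idle) cannot be opened
                ScanProcess(aProcesses[i]);
        }
    }
    return 0;
}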
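// Scan one file against the signature library (m_VirusLibLIst) and write the
// verdict into the IDC_EDIT_SAFE control.
//
//   .exe/.dll : the DOS header must carry IMAGE_DOS_SIGNATURE; then a
//               heuristic (byte 0x7f of an untouched PE is expected to be
//               0x00) and, failing that, every signature's bytes are compared
//               at its recorded offset, or the bare file name is compared to
//               VirusName. A hit appends the path to m_VirusList (under
//               g_VirusCs) and kicks off ScanProcess(strFilePath).
//   .txt      : the whole file is concatenated and each VirusData searched
//               for as a substring. A hit appends the path to m_VirusList.
//   other     : nothing is done.
//
// Returns false only when the file could not be opened. true means the scan
// ran — NOT that the file is clean; the verdict lives in the UI text and in
// m_VirusList. Note that the status text reflects only the last signature
// checked, so an early hit's message is overwritten by a later "safe" one.
bool CKillerDlg::IsVirus(CString strFilePath)
{
    CString MyExt = PathFindExtension(strFilePath);

    // Extension compare is case-insensitive so "FOO.EXE" / "bar.DLL" are
    // scanned too (the original matched only the lower-case spelling).
    if (MyExt.CompareNoCase(_T(".exe")) == 0 || MyExt.CompareNoCase(_T(".dll")) == 0)
    {
        HANDLE hFile = ::CreateFile(strFilePath, GENERIC_READ, FILE_SHARE_READ, NULL,
                                    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            GetDlgItem(IDC_EDIT_SAFE)->SetWindowText(_T("无效文件!"));
            return false;
        }

        IMAGE_DOS_HEADER dosHeader;
        DWORD dwRead = 0;
        // A file shorter than the DOS header left dosHeader uninitialized in
        // the original; require the whole header before trusting e_magic.
        const BOOL bHdrOk = ::ReadFile(hFile, &dosHeader, sizeof(dosHeader), &dwRead, NULL);
        if (bHdrOk && dwRead == sizeof(dosHeader) && dosHeader.e_magic == IMAGE_DOS_SIGNATURE)
        {
            char Buffer[VIRUSDATA_LEN + 1];

            // Infection heuristic on byte 0x7f. Buffer[0] is pre-cleared so a
            // failed/short read counts as "not infected" and falls through to
            // the signature scan instead of reading an uninitialized byte.
            Buffer[0] = 0x00;
            ::SetFilePointer(hFile, 0x7f, NULL, FILE_BEGIN);
            ::ReadFile(hFile, Buffer, sizeof(Buffer), &dwRead, NULL);
            if (Buffer[0] != 0x00)
            {
                GetDlgItem(IDC_EDIT_SAFE)->SetWindowText(strFilePath + "此文件已被感染...");
            }
            else
            {
                // Bare file name (after the last '\'); loop-invariant, so
                // computed once rather than per signature.
                CString FileName = strFilePath.Right(strFilePath.GetLength() - strFilePath.ReverseFind('\\') - 1);

                for (VirusList::iterator it = m_VirusLibLIst.begin(); it != m_VirusLibLIst.end(); ++it)
                {
                    const VIRUS_DATA& da = *it;
                    bool bMatch = false;

                    // da.dataLen comes from the signature library. The original
                    // passed it straight to ReadFile, overflowing the stack
                    // buffer whenever it exceeded VIRUSDATA_LEN + 1.
                    if (da.dataLen > 0 && (size_t)da.dataLen <= sizeof(Buffer))
                    {
                        ::SetFilePointer(hFile, da.offset, NULL, FILE_BEGIN);
                        // Compare exactly the bytes read. The original strcmp'd
                        // an unterminated buffer (reading past the data) and
                        // stopped at any 0x00 inside a signature.
                        // Assumes dataLen is the byte length of VirusData —
                        // TODO confirm against the library loader.
                        if (::ReadFile(hFile, Buffer, da.dataLen, &dwRead, NULL) && dwRead == (DWORD)da.dataLen)
                            bMatch = (memcmp(Buffer, da.VirusData, da.dataLen) == 0);
                    }
                    // A file named exactly like a known virus is suspicious too.
                    if (!bMatch)
                        bMatch = (FileName == (CString)da.VirusName);

                    if (bMatch)
                    {
                        ::EnterCriticalSection(&g_VirusCs);
                        m_VirusList.push_back(strFilePath);
                        GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件已构成威胁!开始内存扫描...");
                        ::LeaveCriticalSection(&g_VirusCs);
                        ScanProcess(strFilePath);   // look for it in memory as well
                    }
                    else
                    {
                        GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件安全!");
                    }
                }
            }
        }
        ::CloseHandle(hFile);
    }
    else if (MyExt.CompareNoCase(_T(".txt")) == 0)
    {
        CString strSum = _T("");
        CString strLine;
        CStdioFile fpTxtFile;

        // Read-only open; failure is the only false return on this path.
        if (!fpTxtFile.Open(strFilePath, CFile::modeRead))
            return false;

        // Lines are concatenated without separators, exactly as before, so a
        // signature may also match across a line break.
        while (fpTxtFile.ReadString(strLine))
            strSum += strLine;
        fpTxtFile.Close();

        for (VirusList::iterator it = m_VirusLibLIst.begin(); it != m_VirusLibLIst.end(); ++it)
        {
            const VIRUS_DATA& da = *it;
            if (-1 != strSum.Find(CString(da.VirusData)))
            {
                ::EnterCriticalSection(&g_VirusCs);
                m_VirusList.push_back(strFilePath);
                GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件已构成威胁!");
                ::LeaveCriticalSection(&g_VirusCs);
            }
            else
            {
                GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件安全!");
            }
        }
    }
    return true;
}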