예제 #1
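	/// Resumes every thread of the process named lpszProcName, except the thread
	/// whose id equals dwExceptThdId (default -1 == 0xFFFFFFFF, i.e. no exception).
	/// @return FALSE when the process is not running or the thread snapshot cannot
	///         be taken; TRUE otherwise. Threads that cannot be opened are skipped
	///         silently and do not make the call fail.
	BOOL ResumeProcess(LPCTSTR lpszProcName, DWORD dwExceptThdId = -1)
	{
		DWORD dwPid = ScanProcess(lpszProcName);
		if (0 == dwPid)
			return FALSE;

		HANDLE hThreadSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
		if (INVALID_HANDLE_VALUE == hThreadSnap)
			return FALSE; // nothing to close: the snapshot was never created

		THREADENTRY32 th32;
		th32.dwSize = sizeof(th32);
		BOOL bRet = TRUE;
		if (::Thread32First(hThreadSnap, &th32))
		{
			do
			{
				if (th32.th32OwnerProcessID != dwPid || th32.th32ThreadID == dwExceptThdId)
					continue;
				// THREAD_ALL_ACCESS is broader than ResumeThread needs (THREAD_SUSPEND_RESUME
				// would do); kept so behaviour against protected processes is unchanged.
				HANDLE oth = ::OpenThread(THREAD_ALL_ACCESS, FALSE, th32.th32ThreadID);
				if (NULL == oth)
					continue; // ResumeThread(NULL) returns (DWORD)-1 and would spin the loop below forever
				// ResumeThread returns the previous suspend count, or (DWORD)-1 on error.
				// Stop on error as well as on "no longer suspended".
				DWORD dwCount;
				do
				{
					dwCount = ::ResumeThread(oth);
				} while (dwCount != static_cast<DWORD>(-1) && dwCount > 0);
				::CloseHandle(oth);
			} while (::Thread32Next(hThreadSnap, &th32));
		}
		else
			bRet = FALSE;
		::CloseHandle(hThreadSnap);
		return bRet;
	}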
예제 #2
	/// Name-based overload: resolves lpszProcName to a pid and delegates to the
	/// pid-based ResumeProcess(DWORD, DWORD).
	/// @return FALSE when no process with that name is running, otherwise the
	///         result of the delegated call.
	static BOOL ResumeProcess(LPCTSTR lpszProcName, DWORD dwExceptThdId = -1)
	{
		const DWORD dwPid = ScanProcess(lpszProcName);
		return (0 == dwPid) ? FALSE : ResumeProcess(dwPid, dwExceptThdId);
	}
예제 #3
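/// Worker-thread entry point: repeatedly enumerates all running processes and
/// hands every non-zero pid to ScanProcess.
/// The loop has no exit condition, so the function never returns on its own;
/// the trailing `return 0` only satisfies the thread-procedure signature.
/// NOTE(review): there is no pause between sweeps, so this thread spins at
/// full CPU; a Sleep() between iterations would be the usual remedy.
/// @param lpParams thread argument, unused.
DWORD WINAPI ScanThread(LPVOID lpParams)
{
	(void)lpParams;
	while (true)
	{
		DWORD aProcesses[1024];
		DWORD cbNeeded = 0;
		// If enumeration fails cbNeeded is meaningless (the original read it
		// uninitialized); skip this sweep instead of indexing garbage.
		if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
			continue;
		// EnumProcesses writes at most sizeof(aProcesses) bytes, so cbNeeded bounds
		// the valid prefix; when the table is full the list may be truncated.
		const DWORD cProcesses = cbNeeded / sizeof(DWORD);
		for (DWORD i = 0; i < cProcesses; ++i)
		{
			if (aProcesses[i] != 0)
				ScanProcess(aProcesses[i]);
		}
	}
	return 0;
}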
예제 #4
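/// Checks one file against the in-memory virus library (m_VirusLibLIst) and
/// reports the verdict in the IDC_EDIT_SAFE control.
/// PE files (extension ".exe" or ".dll"; the compare is case-sensitive, so
/// ".EXE" is not inspected) are matched by signature bytes at fixed offsets;
/// ".txt" files by substring search over the whole text. Suspicious paths are
/// appended to m_VirusList under g_VirusCs.
/// The file content is untrusted input: every read is length-checked and the
/// signature buffer is NUL-terminated before strcmp.
/// @param strFilePath full path of the file to inspect.
/// @return false only when a PE file cannot be opened or a .txt file cannot be
///         read; true otherwise — including when the file is flagged. Callers
///         must consult m_VirusList for the verdict, not the return value.
bool CKillerDlg::IsVirus(CString strFilePath)
{
	CString MyExt = PathFindExtension(strFilePath);
	DWORD dwRead = 0;
	if(MyExt==".exe" || MyExt==".dll") // PE file: inspect the on-disk bytes
	{
		HANDLE hFile = ::CreateFile(strFilePath, GENERIC_READ, 
			FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
		if(hFile == INVALID_HANDLE_VALUE)
		{
			GetDlgItem(IDC_EDIT_SAFE)->SetWindowText( _T("无效文件!"));
			return false;
		}
		// DOS header of the PE file; only trust it if the whole header was read
		// (a short read would leave dosHeader uninitialized).
		IMAGE_DOS_HEADER dosHeader;
		BOOL bHdrOk = ::ReadFile(hFile, &dosHeader, sizeof(dosHeader), &dwRead, NULL)
			&& dwRead == sizeof(dosHeader);
		if(bHdrOk && dosHeader.e_magic == IMAGE_DOS_SIGNATURE) // valid DOS header?
		{
			// +1 leaves room for the terminator written after each signature read.
			char Buffer[VIRUSDATA_LEN+1] = {0};
			// Infection heuristic: byte 0x7f of the DOS stub is normally 0x00.
			::SetFilePointer(hFile,0x7f, NULL,FILE_BEGIN);
			BOOL bStubOk = ::ReadFile(hFile,Buffer,sizeof(Buffer),&dwRead,NULL) && dwRead > 0;
			if(bStubOk && Buffer[0]!=0x00)
			{
				GetDlgItem(IDC_EDIT_SAFE)->SetWindowText(strFilePath+"此文件已被感染...");
			}
			else
			{
				// File name without directory; loop-invariant, so computed once.
				CString FileName=strFilePath.Right(strFilePath.GetLength()-strFilePath.ReverseFind('\\')-1);
				// Walk the whole virus library.
				for (VirusList::iterator it = m_VirusLibLIst.begin(); it != m_VirusLibLIst.end(); ++it)
				{
					VIRUS_DATA da=(*it);
					// Clamp to the buffer: a library entry with dataLen > VIRUSDATA_LEN
					// would otherwise overflow Buffer on the stack.
					DWORD dwLen = da.dataLen;
					if (dwLen > VIRUSDATA_LEN)
						dwLen = VIRUSDATA_LEN;
					::SetFilePointer(hFile,da.offset, NULL,FILE_BEGIN);
					if (!::ReadFile(hFile,Buffer,dwLen,&dwRead,NULL))
						dwRead = 0;
					// ReadFile does not NUL-terminate; strcmp below requires it.
					// dwRead <= dwLen <= VIRUSDATA_LEN, so the index is in bounds.
					Buffer[dwRead] = '\0';
					// Signature match or a known virus file name => suspicious file.
					if( !strcmp(Buffer,(char *)da.VirusData ) || FileName==(CString)(*it).VirusName )
					{
						// Add to the suspicious-file list.
						::EnterCriticalSection(&g_VirusCs);
						m_VirusList.push_back(strFilePath);
						GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件已构成威胁!开始内存扫描...");
						::LeaveCriticalSection(&g_VirusCs);
						ScanProcess(strFilePath);// scan running processes
					}
					else
					{
						// Note: this overwrites the status for every non-matching entry,
						// so the control ends up showing the verdict of the last entry.
						GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件安全!");
					}
				}//for
			}//else
		}//if dos
		::CloseHandle(hFile);
	}// if
	else if(MyExt==".txt")
	{
		CString   strSum=_T("");
		CString   strLine;
		CStdioFile   fpTxtFile; 

		// Open read-only.
		if(   !fpTxtFile.Open( strFilePath, CFile::modeRead)) 
		{ 
			return false; 
		} 
		// Concatenate all lines into one string.
		while(fpTxtFile.ReadString(strLine)) 
		{ 
			strSum+=strLine;
		} 
		fpTxtFile.Close();
		// Walk the whole virus library.
		for (VirusList::iterator it = m_VirusLibLIst.begin(); it != m_VirusLibLIst.end(); ++it)
		{
			VIRUS_DATA da=(*it);
			// Signature found anywhere in the text => suspicious file.
			if(-1!=strSum.Find(CString(da.VirusData)))
			{
				// Add to the suspicious-file list.
				::EnterCriticalSection(&g_VirusCs);
				m_VirusList.push_back(strFilePath);
				GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件已构成威胁!");
				::LeaveCriticalSection(&g_VirusCs);
			}
			else
			{
				GetDlgItem(IDC_EDIT_SAFE)->SetWindowText("\t\t\t此文件安全!");
			}
		}
	}

	return true;
}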