unit UKillPe;
// PE-file signature checks: open a file, validate its DOS and NT headers, and
// compare section names / bytes near the entry point against fixed patterns.
interface
uses
Windows, SysUtils, Messages;
// Scan one file. Returns 0 for "no match" (or not a PE file); otherwise the
// tag of the check that matched (1 for FindV1, the Result1 argument for FindV2).
function FindPeVirus(LFileName:string):Integer;
function FindV1:Integer; //.LWY test hook: matches section names against tzName
function FindV2(VirusSec:Integer;VirusVar:String;Result1:Integer):Integer; //byte pattern at (entry point file offset + VirusSec)
var
// Unit-level state shared by the three functions: FindPeVirus fills hFile and
// ImgDosHeader, the FindV* functions read them and overwrite the NT/section
// headers. Because this state is global, calls must not overlap.
hFile:THandle;
ImgDosHeader:IMAGE_DOS_HEADER;
ImgNtHeaders:IMAGE_NT_HEADERS;
ImgSectionHeader:IMAGE_SECTION_HEADER;
BytesRead:Cardinal; // bytes transferred by the most recent ReadFile call
tzName: Array of String; // section names FindV1 looks for
tzN: Integer; // index of the last valid tzName entry
implementation
uses Unit1;
//PE特征碼
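// Scan one file for the PE-based signatures handled by this unit.
// Returns 0 when the file cannot be opened, is not a DOS/PE image, or no
// check matches; otherwise the tag of the matching check (1 = FindV1
// section-name check, 2/3 = the two FindV2 byte patterns below).
// Side effects: fills the unit-level hFile and ImgDosHeader globals; the
// handle is always closed before returning.
function FindPeVirus(LFileName:string):Integer;
begin
  Result := 0;
  hFile := CreateFile(PChar(LFileName), GENERIC_READ,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL, 0);
  if hFile = INVALID_HANDLE_VALUE then Exit;
  try
    // ImgDosHeader is shared across calls: clear it first so that a failed or
    // short read cannot leave the previous file's header in place and let a
    // truncated file pass the checks below.
    FillChar(ImgDosHeader, SizeOf(ImgDosHeader), 0);
    SetFilePointer(hFile, 0, nil, FILE_BEGIN);
    if not ReadFile(hFile, ImgDosHeader, SizeOf(ImgDosHeader), BytesRead, nil)
      or (BytesRead <> SizeOf(ImgDosHeader)) then Exit;
    if ImgDosHeader.e_magic <> IMAGE_DOS_SIGNATURE then Exit; // "MZ" DOS header marker
    // The checks run in order; the first one that matches decides the result.
    if FindV1 = 1 then Result := 1;
    if Result = 0 then
      // 13 bytes at entry point + $13D8 (UTF-16LE text "Outlook", last high byte omitted)
      Result := FindV2($13D8, '4F00750074006C006F006F006B', 2);
    if Result = 0 then
      // 9 code bytes at entry point + $F
      Result := FindV2($F, '33C08BC483C004938B', 3);
  finally
    CloseHandle(hFile);
    // Do not leave a closed handle in the global; later FindV* calls would
    // otherwise operate on a stale value.
    hFile := INVALID_HANDLE_VALUE;
  end;
end;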
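// Section-name check (originally a test hook for the ".LWY" marker).
// Reads the NT headers and the section table of the file open in hFile and
// returns 1 when any section name equals an entry of tzName, 0 otherwise
// (also 0 for a non-PE or truncated image).
// Side effects: resets tzN/tzName to the single entry '.LWY' and overwrites
// the ImgNtHeaders / ImgSectionHeader globals and the file pointer of hFile.
function FindV1:Integer; //.LWY test hook
var
  SecIdx, NameIdx, CharIdx: Integer;
  SecName: string;
  SectionTable: LongInt;
begin
  Result := 0;
  tzN := 0;
  SetLength(tzName, tzN + 1);
  tzName[0] := '.LWY';
  // Clear the shared header first so a short read cannot leave another
  // file's NT headers behind and pass the signature test below.
  FillChar(ImgNtHeaders, SizeOf(ImgNtHeaders), 0);
  SetFilePointer(hFile, ImgDosHeader._lfanew, nil, FILE_BEGIN);
  if not ReadFile(hFile, ImgNtHeaders, SizeOf(ImgNtHeaders), BytesRead, nil)
    or (BytesRead <> SizeOf(ImgNtHeaders)) then Exit;
  if ImgNtHeaders.Signature <> IMAGE_NT_SIGNATURE then Exit; // "PE\0\0" marker
  // The section table starts right after the optional header, whose real
  // length is FileHeader.SizeOfOptionalHeader; reading on from the end of the
  // fixed-size IMAGE_NT_HEADERS record is only correct when the two agree.
  SectionTable := ImgDosHeader._lfanew + SizeOf(DWORD) + SizeOf(IMAGE_FILE_HEADER)
    + ImgNtHeaders.FileHeader.SizeOfOptionalHeader;
  SetFilePointer(hFile, SectionTable, nil, FILE_BEGIN);
  for SecIdx := 0 to ImgNtHeaders.FileHeader.NumberOfSections - 1 do
  begin
    // A header that cannot be read in full means the table is truncated;
    // stop rather than compare a stale ImgSectionHeader again.
    if not ReadFile(hFile, ImgSectionHeader, SizeOf(ImgSectionHeader), BytesRead, nil)
      or (BytesRead <> SizeOf(ImgSectionHeader)) then Exit;
    // Name is 8 raw bytes with no terminator when all 8 are used, so build
    // the string by hand instead of reading it through a PChar.
    SecName := '';
    for CharIdx := 0 to IMAGE_SIZEOF_SHORT_NAME - 1 do
    begin
      if ImgSectionHeader.Name[CharIdx] = 0 then Break;
      SecName := SecName + Chr(ImgSectionHeader.Name[CharIdx]);
    end;
    for NameIdx := 0 to tzN do
      if SecName = tzName[NameIdx] then
      begin
        Result := 1;
        Exit;
      end;
  end;
end;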
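// Byte-pattern check relative to the program entry point.
//   VirusSec  - byte offset added to the file offset of the entry point
//   VirusVar  - expected bytes as hex text, two digits per byte; a '??' pair
//               matches any byte (case of the hex digits does not matter)
//   Result1   - value returned when the whole pattern matches
// Returns Result1 on a match and 0 otherwise: not a PE image, entry point not
// inside any section's raw data, seek/read failure, or a byte mismatch.
// Side effects: overwrites the ImgNtHeaders / ImgSectionHeader globals and
// moves the file pointer of hFile.
function FindV2(VirusSec:Integer;VirusVar:String;Result1:Integer):Integer;
var
  SecIdx, Idx: Integer;
  ExpectedByte: string;
  ActualByte: Byte;
  EntryRva, EntryFileOfs: DWORD;
  SectionTable: LongInt;
  Found: Boolean;
begin
  Result := 0;
  EntryFileOfs := 0;
  // Clear the shared header first so a short read cannot leave another
  // file's NT headers behind and pass the signature test below.
  FillChar(ImgNtHeaders, SizeOf(ImgNtHeaders), 0);
  SetFilePointer(hFile, ImgDosHeader._lfanew, nil, FILE_BEGIN);
  if not ReadFile(hFile, ImgNtHeaders, SizeOf(ImgNtHeaders), BytesRead, nil)
    or (BytesRead <> SizeOf(ImgNtHeaders)) then Exit;
  if ImgNtHeaders.Signature <> IMAGE_NT_SIGNATURE then Exit; // "PE\0\0" marker
  EntryRva := ImgNtHeaders.OptionalHeader.AddressOfEntryPoint;
  // The section table starts right after the optional header, whose real
  // length is FileHeader.SizeOfOptionalHeader, not necessarily
  // SizeOf(IMAGE_OPTIONAL_HEADER).
  SectionTable := ImgDosHeader._lfanew + SizeOf(DWORD) + SizeOf(IMAGE_FILE_HEADER)
    + ImgNtHeaders.FileHeader.SizeOfOptionalHeader;
  SetFilePointer(hFile, SectionTable, nil, FILE_BEGIN);
  // Map the entry-point RVA to a file offset via the section that contains it.
  Found := False;
  for SecIdx := 1 to ImgNtHeaders.FileHeader.NumberOfSections do
  begin
    if not ReadFile(hFile, ImgSectionHeader, SizeOf(ImgSectionHeader), BytesRead, nil)
      or (BytesRead <> SizeOf(ImgSectionHeader)) then Exit; // truncated section table
    // Both bounds are needed: testing only the upper bound would accept a
    // section that starts after the entry point and yield a bogus (possibly
    // negative) file offset.
    if (EntryRva >= ImgSectionHeader.VirtualAddress)
      and (EntryRva < ImgSectionHeader.VirtualAddress + ImgSectionHeader.SizeOfRawData) then
    begin
      EntryFileOfs := EntryRva - ImgSectionHeader.VirtualAddress
        + ImgSectionHeader.PointerToRawData;
      Found := True;
      Break;
    end;
  end;
  // No section holds the entry point: there is no entry code to compare, so
  // do not fall back to scanning from the start of the file.
  if not Found then Exit;
  if SetFilePointer(hFile, Integer(EntryFileOfs) + VirusSec, nil, FILE_BEGIN) = DWORD(-1) then Exit;
  // Compare the pattern one byte (two hex digits) at a time.
  Idx := 1;
  while Idx <= Length(VirusVar) do
  begin
    ExpectedByte := UpperCase(Copy(VirusVar, Idx, 2));
    // A pattern that runs past the end of the file is a mismatch, not a
    // comparison against whatever ActualByte held before.
    if not ReadFile(hFile, ActualByte, SizeOf(ActualByte), BytesRead, nil)
      or (BytesRead <> SizeOf(ActualByte)) then Exit;
    if (ExpectedByte <> '??') and (IntToHex(ActualByte, 2) <> ExpectedByte) then Exit;
    Inc(Idx, 2);
  end;
  Result := Result1;
end;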
end.