?? bingduzhuanshagongju.txt
字號:
Viking的肆虐讓很多受害者忍無可忍,更可氣的是專業軟件公司提供的專殺工具竟然無法徹底清除。
無奈之余自己動手寫了一個,請需要的朋友到這里下載:http://www.chenoe.com
該工具可以有效解除被感染的exe中的病毒并還原exe文件,網上的大部分工具是直接刪除exe文件。另外,本工具還具有Viking免疫功能。
下載后直接運行即可查殺,如果查殺幾次都有無法關閉的進程的,重新啟動一下計算機繼續查殺應該可以殺掉。直到病毒數為0時為止。
另外提供該工具中結束進程部分的代碼,結束進程一般采用TerminateProcess函數,但是對于比較頑固的進程就要用非常規的手段來Kill了。
我的方法是,先提高本程序為Debug級別的權限。再用TerminateProcess關閉,如果失敗就枚舉該進程中的線程并用TerminateThread關閉。然后再用TerminateProcess結束進程。這樣就基本上可以關閉99%的非系統進程了。
還有,對于被注入了病毒dll的進程,要先枚舉進程中的模塊并判斷。然后決定是否Kill,Kill方法同上。
以下為進程、線程、模塊相關的代碼:
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function Thread32First Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Private Declare Function Thread32Next Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpte As THREADENTRY32) As Long
Private Declare Function Module32First Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "KERNEL32.dll" (ByVal hSnapshot As Long, ByRef lpme As MODULEENTRY32) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function OpenThread Lib "KERNEL32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const TH32CS_SNAPPROCESS = &H2
Private Const TH32CS_SNAPTHREAD = &H4
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const PROCESS_TERMINATE As Long = (&H1)
Private Const MAX_PATH As Integer = 260
Private Type PROCESSENTRY32
dwsize As Long
cntusage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * MAX_PATH
End Type
Private Type MODULEENTRY32 '模塊
dwsize As Long
th32ModuleID As Long
th32ProcessID As Long
GlblcntUsage As Long
ProccntUsage As Long
modBaseAddr As Byte
modBaseSize As Long
hModule As Long
szModule As String * 256
szExePath As String * 1024
End Type
Private Type THREADENTRY32 '線程
dwsize As Long
cntusage As Long
th32threadID As Long
th32OwnerProcessID As Long
tpBasePri As Long
tpDeltaPri As Long
dwFlags As Long
End Type
Public Function KillThread(ByVal ProcessID As Long) As Boolean
Dim hThread As Long, r As Long, i As Long
Dim TList() As THREADENTRY32
TList = GetThreadList(ProcessID)
For i = 0 To UBound(TList)
With TList(i)
hThread = OpenThread(PROCESS_TERMINATE, False, .th32threadID) '獲取進程句柄
If hThread <> 0 Then
r = TerminateThread(hThread, 0) '關閉進程
End If
End With
Next
KillThread = r <> 0
End Function
Public Function KillProcess(ByVal ProcessName As String, Optional ByVal bKillThread As Boolean) As Boolean
Dim hProcess As Long, r As Long
Dim PList() As PROCESSENTRY32
Dim Name As String, i As Long
PList = GetProcessList
For i = 0 To UBound(PList)
With PList(i)
Name = Left(.szExeFile, InStr(1, .szExeFile, vbNullChar) - 1)
DoEvents
Form1.lbState.Caption = "正在內存查毒: " & Name
r = InModule(.th32ProcessID, ProcessName)
If LCase(Trim(Name)) = LCase(Trim(ProcessName)) Or r Then
hProcess = OpenProcess(PROCESS_TERMINATE, False, .th32ProcessID) '獲取進程句柄
If hProcess <> 0 Then
r = TerminateProcess(hProcess, 0) '關閉進程
If r Then
AddLog Name, "已結束進程"
Else
If bKillThread Then
If KillThread(.th32ProcessID) Then
AddLog Name, "已結束線程"
Else
AddLog Name, "線程結束失敗"
End If
End If
r = TerminateProcess(hProcess, 0) '關閉進程
If r Then
AddLog Name, "已結束進程"
Else
AddLog Name, "進程結束失敗"
End If
End If
Else
AddLog Name, "無法獲得進程句柄"
End If
End If
End With
Next
End Function
Private Function GetThreadList(ByVal ProcessID As Long) As THREADENTRY32()
Dim i As Long
Dim TList() As THREADENTRY32
Dim TE32 As THREADENTRY32
Dim hThreadSnap As Long
Dim TheLoop As Long
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessID)
TE32.dwsize = Len(TE32)
TheLoop = Thread32First(hThreadSnap, TE32)
While TheLoop <> 0
If TE32.th32OwnerProcessID = ProcessID Then
ReDim Preserve TList(i)
TerminateThread TE32.th32threadID, 0
TList(i) = TE32
i = i + 1
End If
TheLoop = Thread32Next(hThreadSnap, TE32)
Wend
CloseHandle hThreadSnap
GetThreadList = TList
End Function
Private Function GetProcessList() As PROCESSENTRY32()
Dim i As Long
Dim PList() As PROCESSENTRY32
Dim PE32 As PROCESSENTRY32
Dim hProcessSnap As Long
Dim TheLoop As Long
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
PE32.dwsize = Len(PE32)
TheLoop = Process32First(hProcessSnap, PE32)
While TheLoop <> 0
ReDim Preserve PList(i)
PList(i) = PE32
i = i + 1
TheLoop = Process32Next(hProcessSnap, PE32)
Wend
CloseHandle hProcessSnap
GetProcessList = PList
End Function
Private Function GetModuleList(ByVal ProcessID As Long) As MODULEENTRY32()
Dim i As Long
Dim MList() As MODULEENTRY32
Dim ME32 As MODULEENTRY32
Dim hModuleSnap As Long
Dim TheLoop As Long
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID)
ME32.dwsize = Len(ME32)
TheLoop = Module32First(hModuleSnap, ME32)
While TheLoop <> 0
ReDim Preserve MList(i)
MList(i) = ME32
i = i + 1
TheLoop = Module32Next(hModuleSnap, ME32)
Wend
CloseHandle hModuleSnap
GetModuleList = MList
End Function
Private Function InModule(ByVal ProcessID As Long, ByVal ModuleName As String) As Boolean
Dim i As Long
Dim MList() As MODULEENTRY32
Dim Name As String
On Error GoTo Err:
MList = GetModuleList(ProcessID)
For i = 0 To UBound(MList)
With MList(i)
Name = Left(.szModule, InStr(1, .szModule, vbNullChar) - 1)
If LCase(Name) = LCase(ModuleName) Then
InModule = True
Exit For
End If
End With
Next
Err:
End Function
'這個是顯示的殺毒記錄
Sub AddLog(txt1 As String, txt2 As String)
Dim Item As ListItem
Set Item = Form1.lv.ListItems.Add(, , txt1)
Item.SubItems(1) = txt2
End Sub
以下為設置本程序權限級別的代碼,在程序加載前調用EnableDebugPrivilege即可:
Private Type LARGE_INTEGER
lowpart As Long
highpart As Long
End Type
Private Const ANYSIZE_ARRAY As Long = 1
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8
Private Type LUID_AND_ATTRIBUTES
LUID As LARGE_INTEGER
Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, ByRef lpLuid As LARGE_INTEGER) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, ByRef NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, ByRef PreviousState As Long, ByRef ReturnLength As Long) As Long
Private Declare Function GetCurrentProcess Lib "KERNEL32.dll" () As Long
Private Declare Function GetCurrentProcessId Lib "KERNEL32.dll" () As Long
Private Declare Function CloseHandle Lib "KERNEL32.dll" (ByVal hObject As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
Private Declare Function GetLastError Lib "KERNEL32.dll" () As Long
Function EnableDebugPrivilege() As Boolean
Dim TP As TOKEN_PRIVILEGES
Dim hToken As Long, r As Long, e As Long
r = OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)
e = GetLastError
' Err.Raise 6
If r And Not e Then
r = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", TP.Privileges(0).LUID)
e = GetLastError
If r And Not e Then
TP.PrivilegeCount = 1
TP.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
r = AdjustTokenPrivileges(hToken, False, TP, LenB(TP), 0, 0)
EnableDebugPrivilege = GetLastError = 0
End If
End If
Call CloseHandle(hToken)
End Function
下面貼出本工具中用到的關閉本地計算機共享目錄的代碼(與其相對應的創建共享的代碼也整理出來一同貼上),實際上用這個代碼還可以關閉網絡中其他計算機的共享目錄,但要保證有足夠的權限(至少可以通過網上鄰居正常訪問到對方計算機)。創建或刪除本機的共享目錄,用127.0.0.1就可以了。
代碼如下:
Option Explicit
'共享類型
Private Const STYPE_ALL As Long = -1
Private Const STYPE_DISKTREE As Long = 0
Private Const STYPE_PRINTQ As Long = 1
Private Const STYPE_DEVICE As Long = 2
Private Const STYPE_IPC As Long = 3
Private Const STYPE_SPECIAL As Long = &H80000000
'共享權限
Private Const ACCESS_READ As Long = &H1
Private Const ACCESS_WRITE As Long = &H2
Private Const ACCESS_CREATE As Long = &H4
Private Const ACCESS_EXEC As Long = &H8
Private Const ACCESS_DELETE As Long = &H10
Private Const ACCESS_ATRIB As Long = &H20
Private Const ACCESS_PERM As Long = &H40
Private Const ACCESS_ALL As Long = ACCESS_READ Or ACCESS_WRITE Or ACCESS_CREATE Or ACCESS_EXEC Or ACCESS_DELETE Or ACCESS_ATRIB Or ACCESS_PERM
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -