
u盘查杀


[原创]U盘木马查杀工具源代码(v1.0.4.59final)

技术流2007-03-2815:46:21阅读112评论0字号:大中小订阅

清华校内U盘木马猖獗,我又不爱装杀毒软件(太占空间),就干脆自己写了一

个查U盘自动运行文件的简单程序,试用了半年,效果还不错。这里贴出来造

福一下广大人民群众,呵呵。

原理很简单:首先禁止系统自动运行U盘上的自动运行程序;然后每隔一秒钟检查所有的U盘,看是否存在 autorun.inf 及其关联文件,如果有,则将其更名并警告。

之所以不删除是因为自动运行程序有时候是有用的,怕误伤无辜(虽然到现在我

也没发现任何一个"无辜"的自动运行程序……:)

建一个StandardWin32工程,用下面的代码覆盖主程序编译即可。用Visual

Studio2005编译通过。

#include "stdafx.h"

#include <stdio.h>
#include <string.h>
#include <windows.h>

#include "RDARM.h"

#pragma warning(disable : 4996) // Bypass annoying warnings of deprecation

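/*
 * Removable-disk autorun monitor.
 *
 * NOTE(review): the listing on the page lost its whitespace, backslashes,
 * file names and parts of the message texts during extraction.  The file
 * name "autorun.inf" is implied by the [autorun]/open lookup below; the
 * message wording is reconstructed from the surviving fragments, so it is
 * not the author's exact text.
 */

/* Bits collected about autorun.inf and the program its "open" key names. */
enum {
    RISK_INF_HIDDEN  = 1,
    RISK_INF_SYSTEM  = 2,
    RISK_PROG_EXISTS = 4,
    RISK_PROG_HIDDEN = 8,
    RISK_PROG_SYSTEM = 16
};

#define AUTORUN_INF     "autorun.inf"
#define AUTORUN_RENAMED "autorun.in_"

/*
 * Register this program under the HKLM Run key and disable shell autorun
 * for the current user.
 *
 * Every registry call is checked: the original used hKey even when
 * RegOpenKeyEx had failed (for example without administrator rights for
 * HKLM), which passes an uninitialised handle to RegSetValueEx.
 */
static void register_and_disable_autorun(void)
{
    HKEY hKey;
    char szSelf[MAX_PATH + 3];
    DWORD dwLen;
    DWORD dwValue = 0xBD;

    /*
     * The original wrote a hard-coded path with a hard-coded length of 30
     * bytes.  Registering the real module path, quoted, keeps the value
     * correct wherever the binary is installed and makes the byte count
     * match the string.
     */
    dwLen = GetModuleFileNameA(NULL, szSelf + 1, MAX_PATH);
    if (dwLen > 0 && dwLen < MAX_PATH) {
        szSelf[0] = '"';
        szSelf[dwLen + 1] = '"';
        szSelf[dwLen + 2] = '\0';
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                          "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                          0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
            RegSetValueExA(hKey, "RemovableDiskAutorunMonitor", 0, REG_SZ,
                           (const BYTE *)szSelf, dwLen + 3);
            RegCloseKey(hKey);
        }
    }

    /*
     * NoDriveTypeAutoRun is a bit mask of drive types; 0xBD includes the
     * removable-drive bit (0x04).  It is written under HKEY_CURRENT_USER,
     * so it covers only the account running this program.
     * NOTE(review): a machine-wide policy value in HKLM presumably takes
     * precedence over this one -- confirm on the target Windows version.
     */
    if (RegOpenKeyExA(HKEY_CURRENT_USER,
                      "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                      0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
        RegSetValueExA(hKey, "NoDriveTypeAutoRun", 0, REG_DWORD,
                       (const BYTE *)&dwValue, sizeof dwValue);
        RegCloseKey(hKey);
    }
}

/*
 * Return nonzero when `path` (the untrusted "open" value read from the
 * drive) can only resolve to a location on the current drive: no drive
 * letter or stream separator, no UNC prefix, no ".." component.
 */
static int is_path_on_drive(const char *path)
{
    const char *p = path;

    if (path[0] == '\0' || strchr(path, ':') != NULL)
        return 0;
    if ((path[0] == '\\' || path[0] == '/') &&
        (path[1] == '\\' || path[1] == '/'))
        return 0;

    while (*p != '\0') {
        size_t n = strcspn(p, "\\/");

        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        if (*p != '\0')
            p++;
    }
    return 1;
}

/*
 * Inspect one removable drive: rename autorun.inf and the program named by
 * its [autorun] open= key, then tell the user what was found.
 */
static void check_removable_drive(const char *lpszDrive)
{
    char szMsgInf[400], szAutorunFile[50], szBuffer[MAX_PATH];
    DWORD dwFileAttr, dwAttrFlag = 0, dwOpenLen;
    int n;

    /*
     * All file operations below use paths relative to the current
     * directory.  If the drive cannot be entered (empty card reader, drive
     * just removed) the current directory is still C:\, so carrying on
     * would rename files there instead.
     */
    if (!SetCurrentDirectoryA(lpszDrive))
        return;

    dwFileAttr = GetFileAttributesA(AUTORUN_INF);
    if (dwFileAttr == INVALID_FILE_ATTRIBUTES)
        return;

    if (dwFileAttr & FILE_ATTRIBUTE_HIDDEN)
        dwAttrFlag |= RISK_INF_HIDDEN;
    if (dwFileAttr & FILE_ATTRIBUTE_SYSTEM)
        dwAttrFlag |= RISK_INF_SYSTEM;

    /* Clear hidden/system/read-only so the rename can succeed. */
    SetFileAttributesA(AUTORUN_INF, FILE_ATTRIBUTE_NORMAL);
    DeleteFileA(AUTORUN_RENAMED);
    if (!MoveFileA(AUTORUN_INF, AUTORUN_RENAMED)) {
        /* Do not claim the file was neutralised when it was not. */
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "WARNING:\n\nautorun.inf was found on removable drive %s "
                  "but could not be renamed (the drive may be "
                  "write-protected).",
                  lpszDrive);
        szMsgInf[sizeof szMsgInf - 1] = '\0';
        MessageBoxA(NULL, szMsgInf, "Warning!",
                    MB_OK | MB_ICONEXCLAMATION | MB_SYSTEMMODAL);
        return;
    }

    n = _snprintf(szBuffer, sizeof szBuffer, "%s" AUTORUN_RENAMED, lpszDrive);
    if (n < 0 || (size_t)n >= sizeof szBuffer)
        return;

    /*
     * The length is kept in its own variable.  The original stored it in
     * the variable that also advanced the drive-list pointer, so a drive
     * with an open= entry made the scan jump to the wrong offset in the
     * drive string list.
     * Only the "open" key is examined, as in the original; other ways an
     * autorun.inf can name a program are not inspected here.
     */
    dwOpenLen = GetPrivateProfileStringA("autorun", "open", "", szAutorunFile,
                                         sizeof szAutorunFile, szBuffer);

    /*
     * The open= value comes from the untrusted drive.  It is only acted on
     * when it cannot point off the drive; otherwise the attribute reset,
     * delete and rename below would be steered at local files.
     */
    if (dwOpenLen > 0 && is_path_on_drive(szAutorunFile)) {
        dwFileAttr = GetFileAttributesA(szAutorunFile);
        if (dwFileAttr != INVALID_FILE_ATTRIBUTES) {
            dwAttrFlag |= RISK_PROG_EXISTS;
            if (dwFileAttr & FILE_ATTRIBUTE_HIDDEN)
                dwAttrFlag |= RISK_PROG_HIDDEN;
            if (dwFileAttr & FILE_ATTRIBUTE_SYSTEM)
                dwAttrFlag |= RISK_PROG_SYSTEM;

            SetFileAttributesA(szAutorunFile, FILE_ATTRIBUTE_NORMAL);
            /* Same name with the last character replaced by '_'. */
            memcpy(szBuffer, szAutorunFile, dwOpenLen + 1);
            szBuffer[dwOpenLen - 1] = '_';
            DeleteFileA(szBuffer);
            MoveFileA(szAutorunFile, szBuffer);
        }
    }

    if (dwAttrFlag & RISK_PROG_HIDDEN) {
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "HIGH RISK:\n\nSuspicious autorun program found on "
                  "removable drive %s\nautorun.inf attempts to run program "
                  "%s%s, which also exists and is hidden.\nBoth autorun.inf "
                  "and the autorun program have been renamed to block "
                  "possible attack.",
                  lpszDrive, lpszDrive, szAutorunFile);
    } else if ((dwAttrFlag & (RISK_INF_HIDDEN | RISK_PROG_EXISTS)) ==
               (RISK_INF_HIDDEN | RISK_PROG_EXISTS)) {
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "HIGH RISK:\n\nSuspicious autorun program found on "
                  "removable drive %s\nA hidden autorun.inf attempts to run "
                  "program %s%s, which also exists but is not hidden.\nBoth "
                  "autorun.inf and the autorun program have been renamed to "
                  "block possible attack.",
                  lpszDrive, lpszDrive, szAutorunFile);
    } else if (dwAttrFlag & RISK_PROG_EXISTS) {
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "MEDIUM RISK:\n\nSuspicious autorun program found on "
                  "removable drive %s\nautorun.inf names the autorun program "
                  "%s%s and the program is present.\nBoth autorun.inf and "
                  "the autorun program have been renamed to block possible "
                  "attack.",
                  lpszDrive, lpszDrive, szAutorunFile);
    } else if (dwAttrFlag & RISK_INF_HIDDEN) {
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "LOW RISK:\n\nAn invalid autorun.inf was found on removable "
                  "drive %s\nIt exists and is hidden, but it contains no or "
                  "an invalid autorun program.\nIt may be the remains of a "
                  "malicious program; it is harmless now and has been "
                  "renamed to " AUTORUN_RENAMED " to ensure safety.",
                  lpszDrive);
    } else {
        _snprintf(szMsgInf, sizeof szMsgInf - 1,
                  "LOW RISK:\n\nAn invalid autorun.inf was found on removable "
                  "drive %s\nIt is visible and contains no or an invalid "
                  "autorun program.\nIt may be the remains of a malicious "
                  "program; it is harmless now and has been renamed to "
                  AUTORUN_RENAMED " to ensure safety.",
                  lpszDrive);
    }
    /* _snprintf does not terminate the buffer when the text is truncated. */
    szMsgInf[sizeof szMsgInf - 1] = '\0';

    MessageBoxA(NULL, szMsgInf, "Warning!",
                MB_OK | MB_ICONEXCLAMATION | MB_SYSTEMMODAL);
}

/*
 * Program entry point: register the monitor, disable shell autorun, then
 * poll every removable drive once per second.
 *
 * The explicit ...A API variants are used because every buffer here is a
 * char array; the generic names would resolve to the wide-character
 * versions in a Unicode build.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                     LPCSTR lpCmdLine, int nCmdShow)
{
    char szDrives[200];

    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    register_and_disable_autorun();

    /* Suppress the "no disk in drive" dialog for empty removable drives. */
    SetErrorMode(SEM_FAILCRITICALERRORS);

    for (;;) {
        DWORD dwLen;
        char *lpszCurDrive;

        // Note: It's essential to change current directory back to remove
        // the drive safely.
        SetCurrentDirectoryA("C:\\");
        Sleep(1000);

        /* On failure or overflow szDrives holds no usable list; skip. */
        dwLen = GetLogicalDriveStringsA(sizeof szDrives - 1, szDrives);
        if (dwLen == 0 || dwLen > sizeof szDrives - 1)
            continue;

        /* The list is a run of NUL-terminated names ending in an empty one. */
        for (lpszCurDrive = szDrives; *lpszCurDrive != '\0';
             lpszCurDrive += strlen(lpszCurDrive) + 1) {
            if (GetDriveTypeA(lpszCurDrive) == DRIVE_REMOVABLE)
                check_removable_drive(lpszCurDrive);
        }
    }

    return TRUE;
}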
