
rmnet感染病毒修复
//.rmnet感染病毒会在PE文件节区表最后添加一个名为.rmnet的节区,并将入口点修改到.rmnet节区
#include <iostream>
#include <stdio.h>
#include <windows.h>
#include <memory.h>
#include<assert.h>
#include <cstring> // for strcpy(), strcat()
#include <io.h>
#include<shlwapi.h>
#pragma comment(lib,"Shlwapi.lib")
using namespace std;

// File-scope state shared by repair(), num() and main().

// Not referenced anywhere else in this listing; kept so the interface stays the same.
char buffer[256];

// The file currently being inspected by repair(): the open file handle,
// its file-mapping object and the base address of the mapped view.
HANDLE hFile = nullptr;
HANDLE hMap = nullptr;
LPVOID lpBase = nullptr;

int flag;    // not referenced elsewhere in this listing; kept for compatibility
char* path;  // directory of the file currently being handed to repair() (assigned in num())
char* path1; // not referenced elsewhere in this listing; kept for compatibility

char name[MAX_PATH];  // full path ("dir\file") built by num() and passed to repair()
char drive[MAX_PATH]; // "X:" root of the drive main() is currently scanning
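// Releases whatever repair() currently holds in the file-scope globals
// (view, mapping object, file handle) and resets them to NULL so a later
// failure path never closes a stale handle twice.
static void release_file_view()
{
    if (lpBase != NULL)
    {
        UnmapViewOfFile(lpBase);
        lpBase = NULL;
    }
    if (hMap != NULL)
    {
        CloseHandle(hMap);
        hMap = NULL;
    }
    if (hFile != NULL && hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        hFile = NULL;
    }
}

// True when the byte range [off, off + len) lies entirely inside a view of
// `total` bytes. Written so that `off + len` can never overflow, because
// both values come straight from the (untrusted) file headers.
static bool range_in_view(ULONGLONG off, ULONGLONG len, ULONGLONG total)
{
    return off <= total && len <= total - off;
}

// Inspects one file for an appended ".rmnet" section and, if it is the last
// section, removes it from the PE headers in place.
//
// The file is memory-mapped read/write. Every header field read from the
// mapping is treated as untrusted and bounds-checked against the mapped size
// before it is dereferenced, and nothing is written until all values the
// repair needs have been validated, so a malformed file is left untouched.
// The fields of OptionalHeader that are modified (AddressOfEntryPoint,
// SizeOfImage) are at the same offsets in PE32 and PE32+, so the repair does
// not depend on the bitness of this build.
//
// @param filename  NUL-terminated ANSI path of the file to inspect.
// @return 1 if the file was infected and has been repaired; 0 otherwise
//         (open/map failure, not a PE image, malformed headers, or clean).
int repair(char *filename)
{
    hFile = CreateFileA(filename, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // CreateFile signals failure through its return value; GetLastError() is
    // not reset to 0 on success, so it cannot serve as the success test.
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("%lu", (unsigned long)GetLastError());
        printf("%s Open fail\n", filename);
        hFile = NULL;
        return 0;
    }

    LARGE_INTEGER fileSize;
    if (!GetFileSizeEx(hFile, &fileSize) || fileSize.QuadPart <= 0)
    {
        // An empty file cannot be mapped and cannot be a PE image.
        release_file_view();
        return 0;
    }
    const ULONGLONG viewSize = (ULONGLONG)fileSize.QuadPart;

    hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    if (hMap == NULL)
    {
        printf("%s CreateFileMapping Fail\n", filename);
        release_file_view();
        return 0;
    }
    lpBase = MapViewOfFile(hMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (lpBase == NULL)
    {
        printf("%s MapViewOfFile Fail\n", filename);
        release_file_view();
        return 0;
    }
    BYTE *const base = (BYTE *)lpBase;

    // --- DOS header: "MZ" signature and an e_lfanew that stays inside the file ---
    if (!range_in_view(0, sizeof(IMAGE_DOS_HEADER), viewSize))
    {
        release_file_view();
        return 0;
    }
    const PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)base;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew < 0 ||
        !range_in_view((ULONGLONG)pDosHeader->e_lfanew, sizeof(IMAGE_NT_HEADERS), viewSize))
    {
        release_file_view();
        return 0;
    }

    // --- NT headers: "PE\0\0" signature and a section table that fits in the file ---
    const PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)(base + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        release_file_view();
        return 0;
    }
    const WORD nSecNum = pNtHeader->FileHeader.NumberOfSections;
    if (nSecNum == 0)
    {
        // "last section" would point before the table.
        release_file_view();
        return 0;
    }
    // Same address IMAGE_FIRST_SECTION() yields, computed as a file offset so
    // it can be range-checked before the pointer is formed (and without the
    // pointer-to-DWORD truncation of the original on 64-bit builds).
    const ULONGLONG secTableOff = (ULONGLONG)pDosHeader->e_lfanew +
                                  FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +
                                  pNtHeader->FileHeader.SizeOfOptionalHeader;
    if (!range_in_view(secTableOff, (ULONGLONG)nSecNum * sizeof(IMAGE_SECTION_HEADER), viewSize))
    {
        release_file_view();
        return 0;
    }
    const PIMAGE_SECTION_HEADER pSecHeader = (PIMAGE_SECTION_HEADER)(base + secTableOff);
    const PIMAGE_SECTION_HEADER pLastSec = pSecHeader + (nSecNum - 1);

    // Section names are 8 bytes and need not be NUL-terminated, so compare with
    // a bounded length instead of strcmp().
    if (strncmp((const char *)pLastSec->Name, ".rmnet", IMAGE_SIZEOF_SHORT_NAME) != 0)
    {
        printf("%s ", filename);
        printf("File has not been infected\n");
        release_file_view();
        return 0;
    }

    printf("%s ", filename);
    printf("File has been infected And repair now \n");

    // Keep a copy of the section header: it is zeroed below, so every value the
    // repair needs is read from this copy, never from the mapping after the memset.
    const IMAGE_SECTION_HEADER infected = *pLastSec;

    // Offset inside the appended section's raw data where the entry-point delta
    // is stored. Taken from the original tool; it is specific to this infection
    // and should be confirmed against the sample being cleaned.
    const ULONGLONG kOepSlotOffset = 0x328;
    const ULONGLONG oepSlot = (ULONGLONG)infected.PointerToRawData + kOepSlotOffset;
    if (!range_in_view(oepSlot, sizeof(DWORD), viewSize))
    {
        printf("%s Repair aborted: entry-point slot lies outside the file\n", filename);
        release_file_view();
        return 0;
    }
    DWORD offsetOfOEP;
    memcpy(&offsetOfOEP, base + oepSlot, sizeof(offsetOfOEP)); // alignment-safe read
    if (offsetOfOEP > infected.VirtualAddress ||
        infected.VirtualAddress > pNtHeader->OptionalHeader.SizeOfImage)
    {
        // The subtraction below would wrap, or the section starts beyond the
        // image: the headers are inconsistent, so do not write a garbage OEP.
        printf("%s Repair aborted: inconsistent headers\n", filename);
        release_file_view();
        return 0;
    }

    // All inputs validated: now modify the mapped headers.
    memset(pLastSec, 0, sizeof(IMAGE_SECTION_HEADER)); // whole header, not sizeof(pointer)
    pNtHeader->FileHeader.NumberOfSections = (WORD)(nSecNum - 1);
    // The appended section begins where the clean image ended, and section
    // VirtualAddresses are SectionAlignment-aligned, so its VirtualAddress is
    // the clean SizeOfImage. Subtracting Misc.VirtualSize (as before) could
    // leave a value that is not a multiple of SectionAlignment.
    pNtHeader->OptionalHeader.SizeOfImage = infected.VirtualAddress;
    pNtHeader->OptionalHeader.AddressOfEntryPoint = infected.VirtualAddress - offsetOfOEP;
    // NOTE: the section's raw bytes stay in the file as a trailing overlay that
    // no header references; removing them would take SetEndOfFile() after the
    // view is unmapped.

    FlushViewOfFile(lpBase, 0);
    printf("%s ", filename);
    printf("Repair Compelete\n");
    release_file_view();
    return 1;
}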
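// Recursively walks `dir` and calls repair() on every non-directory entry found.
//
// Paths are assembled with bounded snprintf() into MAX_PATH buffers; an entry
// whose full path would not fit is skipped rather than overflowing the buffer
// (the ANSI find/CreateFile calls could not open such a path anyway).
// Directory entries that are reparse points (junctions, symbolic links) are not
// descended into, so a junction cycle cannot recurse without end.
//
// @param dir  Directory to scan, without a trailing backslash (e.g. "C:" or
//             "C:\\Windows").
void num(const char* dir)
{
    // Search pattern for everything directly inside `dir`.
    char pattern[MAX_PATH];
    const int patLen = snprintf(pattern, sizeof(pattern), "%s\\*.*", dir);
    if (patLen < 0 || patLen >= (int)sizeof(pattern))
        return;

    _finddata_t findData;
    const intptr_t handle = _findfirst(pattern, &findData);
    if (handle == -1) // nothing found or directory not readable
        return;

    char child[MAX_PATH];
    do
    {
        // Full path of the current entry; skip it if it does not fit.
        const int len = snprintf(child, sizeof(child), "%s\\%s", dir, findData.name);
        if (len < 0 || len >= (int)sizeof(child))
            continue; // jumps to the _findnext() test

        if (findData.attrib & _A_SUBDIR)
        {
            if (strcmp(findData.name, ".") == 0 || strcmp(findData.name, "..") == 0)
                continue;

            // Do not follow junctions/symlinks: they can point back up the tree.
            const DWORD attrs = GetFileAttributesA(child);
            if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
                continue;

            num(child);
        }
        else
        {
            path = const_cast<char*>(dir); // file-level global; assignment kept for compatibility
            strcpy(name, child);           // `name` is MAX_PATH as well, so `child` always fits
            repair(name);
        }
    } while (_findnext(handle, &findData) == 0);

    _findclose(handle);
}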
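// Entry point: scans every drive letter that is currently present.
//
// GetLogicalDrives() returns a bitmask (bit 0 = A:, bit 1 = B:, ...), so
// letters with no drive behind them are skipped instead of each producing a
// failed _findfirst(). If the call fails (returns 0) every letter is tried,
// which is what the original loop did.
//
// @return 0 always.
int main()
{
    DWORD drives = GetLogicalDrives();
    if (drives == 0)
        drives = 0x03FFFFFF; // all 26 letters

    for (int i = 0; i < 26; i++)
    {
        if ((drives & (1u << i)) == 0)
            continue;
        sprintf(drive, "%c:", 'A' + i); // drive root, e.g. "C:"
        printf("%s\n", drive);
        num(drive);
    }
    system("pause");
    return 0;
}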
文章作者: Yenn_
文章链接: https://0xdf1001f.github.io/2019/11/13/rmnet%E6%84%9F%E6%9F%93%E7%97%85%E6%AF%92%E4%BF%AE%E5%A4%8D/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Wei's Blog
