rmnet感染病毒修复

c

//.rmnet感染病毒会在PE文件节区表最后添加一个名为.rmnet的节区，并将入口点修改到.rmnet节区
#include <iostream>
#include <stdio.h>
#include <windows.h>
#include <memory.h>
#include<assert.h>
#include <cstring>        // for strcpy(), strcat()
#include <io.h>
#include<shlwapi.h>
#pragma comment(lib,"Shlwapi.lib")
using namespace std;

char buffer[256];

HANDLE hFile = NULL;
HANDLE hMap = NULL;
LPVOID lpBase = NULL;
int flag;
char* path;
char* path1;
char name[MAX_PATH];
char drive[MAX_PATH];
int repair(char *filename)
{

	hFile = CreateFile((char *)filename, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
	OPEN_EXISTING,
	FILE_ATTRIBUTE_NORMAL,
	NULL);			//打开文件
	if (GetLastError() != 0)
	{
		printf("%d", GetLastError());
		printf("%s   Open fail\n", filename);
		return 0;
	}
	
	hMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, 0);
	if (GetLastError() != 0)
	{
		printf("%s   CreateFileMapping Fail\n", filename);
		return 0;
	}
	lpBase = MapViewOfFile(hMap, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);

	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpBase;
	PIMAGE_NT_HEADERS pNtHeader = NULL;

	//PE文件验证，判断e_magic是否为MZ
	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
	{
		//printf("%s not MZ\n", filename);
		UnmapViewOfFile(lpBase);
		CloseHandle(hMap);
		CloseHandle(hFile);
		return 0;
	}
	//根据e_lfanew来找到Signature标志位
	pNtHeader = (PIMAGE_NT_HEADERS)((BYTE*)lpBase + pDosHeader->e_lfanew);
	//PE文件验证，判断Signature是否为PE
	if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
	{
		//printf("%s  not PE \n", filename);
		UnmapViewOfFile(lpBase);
		CloseHandle(hMap);
		CloseHandle(hFile);
		return 0;
	}
	int nSecNum = pNtHeader->FileHeader.NumberOfSections;
	PIMAGE_SECTION_HEADER pSecHeader = (PIMAGE_SECTION_HEADER)((DWORD)
		& (pNtHeader->OptionalHeader) + pNtHeader->
		FileHeader.SizeOfOptionalHeader);
	PIMAGE_SECTION_HEADER pTmpSec = pSecHeader + nSecNum - 1;   //最后一个节表
	if (strcmp((char*)pTmpSec->Name, ".rmnet") == 0)//判断是否感染
	{
		printf("%s   ", filename);
		printf("File has been infected And repair now \n");
		memset(pTmpSec, 0, sizeof(pTmpSec));	//清空节表
		pNtHeader->OptionalHeader.SizeOfImage -= pTmpSec->Misc.VirtualSize;//修改SizeOfImage
		pNtHeader->FileHeader.NumberOfSections -= 1;	//修改节表数
		DWORD OffsetOfOEP = *(PDWORD)(pTmpSec->PointerToRawData + 0x328 + (int)lpBase);
		pNtHeader->OptionalHeader.AddressOfEntryPoint = pTmpSec->VirtualAddress - OffsetOfOEP;  //修改OEP
		printf("%s   ", filename);
		printf("Repair Compelete\n");
	}
	else
		printf("%s   ", filename);
		printf("File has not been infected\n");
	FlushViewOfFile(lpBase, 0);
	UnmapViewOfFile(lpBase);
	CloseHandle(hMap);
	CloseHandle(hFile);
}
void num(const char* dir)
{
	char dirNew[MAX_PATH];
	strcpy(dirNew, dir);
	strcat(dirNew, "\\*.*");    // 在目录后面加上"\\*.*"进行第一次搜索

	intptr_t handle;
	_finddata_t findData;

	handle = _findfirst(dirNew, &findData);
	if (handle == -1)        // 检查是否成功
		return;

	do
	{
		if (findData.attrib & _A_SUBDIR)
		{
			if (strcmp(findData.name, ".") == 0 || strcmp(findData.name, "..") == 0)
				continue;

			//cout << findData.name << "\t<dir>\n";
		
			// 在目录后面加上"\\"和搜索到的目录名进行下一次搜索
			strcpy(dirNew, dir);
			strcat(dirNew, "\\");
			strcat(dirNew, findData.name);

			num(dirNew);
		}
		else
		{
			path = (char *)dir;

			sprintf(name, "%s\\%s", path,findData.name);
			repair(name);
			//cout << name << "\n";
			/*for (i = 0; i<=200; i++)
			{
				if (path[i] == '\0'&&path[i-1]!='\\'&&path[i-1]!='\32')
				{
					path[i] = '\\';
					path[i + 1] = '\0';
					
					//sprintf(path, "\\%s", findData.name);
					//repair(name);
					cout << path << "\n";
					break;
				}
			}
			*/
			//cout <<dir<<'\\'<< findData.name <<"\t" << findData.size << " bytes.\n";
			
			
		}
	} while (_findnext(handle, &findData) == 0);

	_findclose(handle);    // 关闭搜索句柄
}
int main()
{
	int m, n;
	char i;
	for (i = 'A'; i <= 'Z'; i++)
	{
		
		sprintf(drive, "%c:", i);//盘符
		printf("%s\n", drive);
		num(drive);
	}
	//num("C:");
	system("pause");
	return 0;
}