|
|
#include <windows.h>
#include "stdtypes.h"
/*
** VIRWINN.C ** ** This is an attempt at virus detection. The routine FVirCheck ** should be called sometime during the boot process, and takes ** one argument, a handle to the application instance. The ** ComplainAndQuit() call should be replaced with code appropriate ** to your application. It is recommended that this bring up ** a dialog with an error message, and give the user the option of ** continuing (defaults to terminating). If the user chooses to ** terminate (or if the option is not given), ComplainAndQuit() ** should clean up anything that has been done so far, and exit. */ /* WARNING!! Do not change WHashGood at all!!
** WARNING!! WHashGood must be a near procedure, compiled native. */
/*
** EXE header format definitions. Lifted from linker. */
#define EMAGIC 0x5A4D /* Old magic number */
#define ERES2WDS 0x000A /* No. of reserved words in e_res2 */
struct exe_hdr /* DOS 1, 2, 3 .EXE header */ { unsigned short e_magic; /* Magic number */ unsigned short e_cblp; /* Bytes on last page of file */ unsigned short e_cp; /* Pages in file */ unsigned short e_crlc; /* Relocations */ unsigned short e_cparhdr; /* Size of header in paragraphs */ unsigned short e_minalloc; /* Minimum extra paragraphs needed */ unsigned short e_maxalloc; /* Maximum extra paragraphs needed */ unsigned short e_ss; /* Initial (relative) SS value */ unsigned short e_sp; /* Initial SP value */ unsigned short e_csum; /* Checksum */ unsigned short e_ip; /* Initial IP value */ unsigned short e_cs; /* Initial (relative) CS value */ unsigned short e_lfarlc; /* File address of relocation table */ unsigned short e_ovno; /* Overlay number */ unsigned long e_sym_tab; /* offset of symbol table file */ unsigned short e_flags; /* old exe header flags */ unsigned short e_res; /* Reserved words */ unsigned short e_oemid; /* OEM identifier (for e_oeminfo) */ unsigned short e_oeminfo; /* OEM information; e_oemid specific */ unsigned short e_res2[ERES2WDS]; /* Reserved words */ long e_lfanew; /* File address of new exe header */ };
/*
** NEW EXE format definitions. Lifted from linker */
#define NEMAGIC 0x454E /* New magic number */
#define NERESBYTES 8 /* Eight bytes reserved (now) */
#define NECRC 8 /* Offset into new header of NE_CRC */
struct new_exe /* New .EXE header */ { unsigned short ne_magic; /* Magic number NE_MAGIC */ unsigned char ne_ver; /* Version number */ unsigned char ne_rev; /* Revision number */ unsigned short ne_enttab; /* Offset of Entry Table */ unsigned short ne_cbenttab; /* Number of bytes in Entry Table */ long ne_crc; /* Checksum of whole file */ unsigned short ne_flags; /* Flag word */ unsigned short ne_autodata; /* Automatic data segment number */ unsigned short ne_heap; /* Initial heap allocation */ unsigned short ne_stack; /* Initial stack allocation */ long ne_csip; /* Initial CS:IP setting */ long ne_sssp; /* Initial SS:SP setting */ unsigned short ne_cseg; /* Count of file segments */ unsigned short ne_cmod; /* Entries in Module Reference Table */ unsigned short ne_cbnrestab; /* Size of non-resident name table */ unsigned short ne_segtab; /* Offset of Segment Table */ unsigned short ne_rsrctab; /* Offset of Resource Table */ unsigned short ne_restab; /* Offset of resident name table */ unsigned short ne_modtab; /* Offset of Module Reference Table */ unsigned short ne_imptab; /* Offset of Imported Names Table */ long ne_nrestab; /* Offset of Non-resident Names Table */ unsigned short ne_cmovent; /* Count of movable entries */ unsigned short ne_align; /* Segment alignment shift count */ unsigned short ne_cres; /* Count of resource entries */ unsigned char ne_exetyp; /* Target operating system */ unsigned char ne_flagsothers; /* Other .EXE flags */ char ne_res[NERESBYTES]; /* Pad structure to 64 bytes */ };
/*
** WHashGood() ** ** This returns the correct hash value. ** ** WARNING!! This routine must not be altered in ANY way. It gets ** patched and/or rewritten by VIRPATCH!! */
unsigned near WHashGood ( void ); unsigned near WHashGood () { return (0x1234); }
/*
** WHash(wHash, rgb, cb) ** ** Update hash value to account for cb new bytes pointed to by rgb. ** Old hash value is wHash; returns new hash value. ** ** We do the hash on a word basis; the hash function is a simple ** rotate and add. */
unsigned WHash ( unsigned wHash, BYTE rgb[], int cb ); unsigned WHash ( unsigned wHash, BYTE rgb[], int cb ) { while (cb > 1) { #pragma warning(disable:4213) /* nonstandard extension : cast on l-value */
wHash = (wHash << 3) + (wHash >> 13) + *((int *)rgb)++; #pragma warning(default:4213)
cb -= 2; } if (cb != 0) wHash = (wHash << 3) + (wHash >> 13) + *rgb; return (wHash); }
/*
** FVirCheck(hinst) ** ** This is the main virus detection routine. It should be called ** during boot, with a handle to the application instance. ** The detection method used is to hash the EXE headers; this ** hash value will change if the number or type of segments change, ** or if their length changes. */
BOOL FVirCheck ( HANDLE hinst ); BOOL FVirCheck ( HANDLE hinst ) { int fh; unsigned wHash; unsigned cb, cbT; long lPos; char sz[256]; BYTE rgb[512]; #define pehdr ((struct exe_hdr *)rgb)
#define pnex ((struct new_exe *)rgb)
/* First we have to get a handle to the executable file.
Unfortunately, although Windows already has this file open, there's no way to use its handle. Instead we have to reopen the file. */
if (GetModuleFileName(hinst, (char far *)sz, 256) == 0) return TRUE; //This shouldn't happen but still continue loading
if ((fh = OpenFile((LPSTR)sz, (LPOFSTRUCT)rgb, OF_READ)) == -1) { /* We can't open the file. This should never happen; if
it does, it means we're in a weird state, and probably did something wrong in this code. We'll just say everything is OK, and continue the boot. */ return TRUE; } /* Read old header */ if (_lread(fh, (LPSTR)rgb, sizeof (struct exe_hdr)) != sizeof (struct exe_hdr) || pehdr->e_magic != EMAGIC) goto Corrupted; /* Hash old header */ wHash = WHash(0, rgb, sizeof (struct exe_hdr)); lPos = pehdr->e_lfanew; /* Read new header (and some more) */ if (lPos == 0 || _llseek(fh, lPos, 0) != lPos || _lread(fh, (LPSTR)rgb, 512) != 512 || pnex->ne_magic != NEMAGIC) goto Corrupted; /* Figure out size of total header; nonresident table is last part
of header. */ cb = (unsigned)(pnex->ne_nrestab - lPos) + pnex->ne_cbnrestab; /* Do hash on buffer basis */ while (cb > 512) { /* Hash this buffer */ wHash = WHash(wHash, rgb, 512); cb -= 512; cbT = (cb > 512 ? 512 : cb); /* and read in next */ if (_lread(fh, (LPSTR)rgb, cbT) != cbT) goto Corrupted; } /* Update hash for final partial buffer, and compare with good value. */ if (WHash(wHash, rgb, cb) != WHashGood()) { Corrupted: /* We've got an error reading the file or, more likely,
a hash mismatch. Close the file, give an error, and quit. */ _lclose(fh); /* CHANGE THE FOLLOWING LINE TO CODE APPROPRIATE TO YOUR
** APPLICATION!! ** This should be replaced with code giving an error message (such as ** "Application file is corrupted"). It is recommended that this ** bring up ** a dialog with an error message, and give the user the option of ** continuing (defaults to terminating). If the user chooses to ** terminate (or if the option is not given), ComplainAndQuit() ** should clean up anything that has been done so far, and exit. */
/* MessageBox(NULL, "Executable File Corrupted",
* "WARNING", MB_ICONSTOP | MB_OK); */
/* ComplainAndQuit();
*/ /* END OF CHANGE */ return FALSE; } /* Everything's OK. Just close the file, and continue. */ _lclose(fh); return TRUE; #undef pehdr
#undef pnex
}
|