mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
229 lines
8.4 KiB
229 lines
8.4 KiB
#include <windows.h>
|
|
#include "stdtypes.h"
|
|
/*
|
|
** VIRWINN.C
|
|
**
|
|
** This is an attempt at virus detection. The routine FVirCheck
|
|
** should be called sometime during the boot process, and takes
|
|
** one argument, a handle to the application instance. The
|
|
** ComplainAndQuit() call should be replaced with code appropriate
|
|
** to your application. It is recommended that this bring up
|
|
** a dialog with an error message, and give the user the option of
|
|
** continuing (defaults to terminating). If the user chooses to
|
|
** terminate (or if the option is not given), ComplainAndQuit()
|
|
** should clean up anything that has been done so far, and exit.
|
|
*/
|
|
/* WARNING!! Do not change WHashGood at all!!
|
|
** WARNING!! WHashGood must be a near procedure, compiled native.
|
|
*/
|
|
|
|
/*
|
|
** EXE header format definitions. Lifted from linker.
|
|
*/
|
|
|
|
#define EMAGIC 0x5A4D /* Old magic number */
|
|
#define ERES2WDS 0x000A /* No. of reserved words in e_res2 */
|
|
|
|
struct exe_hdr /* DOS 1, 2, 3 .EXE header */
|
|
{
|
|
unsigned short e_magic; /* Magic number */
|
|
unsigned short e_cblp; /* Bytes on last page of file */
|
|
unsigned short e_cp; /* Pages in file */
|
|
unsigned short e_crlc; /* Relocations */
|
|
unsigned short e_cparhdr; /* Size of header in paragraphs */
|
|
unsigned short e_minalloc; /* Minimum extra paragraphs needed */
|
|
unsigned short e_maxalloc; /* Maximum extra paragraphs needed */
|
|
unsigned short e_ss; /* Initial (relative) SS value */
|
|
unsigned short e_sp; /* Initial SP value */
|
|
unsigned short e_csum; /* Checksum */
|
|
unsigned short e_ip; /* Initial IP value */
|
|
unsigned short e_cs; /* Initial (relative) CS value */
|
|
unsigned short e_lfarlc; /* File address of relocation table */
|
|
unsigned short e_ovno; /* Overlay number */
|
|
unsigned long e_sym_tab; /* offset of symbol table file */
|
|
unsigned short e_flags; /* old exe header flags */
|
|
unsigned short e_res; /* Reserved words */
|
|
unsigned short e_oemid; /* OEM identifier (for e_oeminfo) */
|
|
unsigned short e_oeminfo; /* OEM information; e_oemid specific */
|
|
unsigned short e_res2[ERES2WDS]; /* Reserved words */
|
|
long e_lfanew; /* File address of new exe header */
|
|
};
|
|
|
|
/*
|
|
** NEW EXE format definitions. Lifted from linker
|
|
*/
|
|
|
|
#define NEMAGIC 0x454E /* New magic number */
|
|
#define NERESBYTES 8 /* Eight bytes reserved (now) */
|
|
#define NECRC 8 /* Offset into new header of NE_CRC */
|
|
|
|
struct new_exe /* New .EXE header */
|
|
{
|
|
unsigned short ne_magic; /* Magic number NE_MAGIC */
|
|
unsigned char ne_ver; /* Version number */
|
|
unsigned char ne_rev; /* Revision number */
|
|
unsigned short ne_enttab; /* Offset of Entry Table */
|
|
unsigned short ne_cbenttab; /* Number of bytes in Entry Table */
|
|
long ne_crc; /* Checksum of whole file */
|
|
unsigned short ne_flags; /* Flag word */
|
|
unsigned short ne_autodata; /* Automatic data segment number */
|
|
unsigned short ne_heap; /* Initial heap allocation */
|
|
unsigned short ne_stack; /* Initial stack allocation */
|
|
long ne_csip; /* Initial CS:IP setting */
|
|
long ne_sssp; /* Initial SS:SP setting */
|
|
unsigned short ne_cseg; /* Count of file segments */
|
|
unsigned short ne_cmod; /* Entries in Module Reference Table */
|
|
unsigned short ne_cbnrestab; /* Size of non-resident name table */
|
|
unsigned short ne_segtab; /* Offset of Segment Table */
|
|
unsigned short ne_rsrctab; /* Offset of Resource Table */
|
|
unsigned short ne_restab; /* Offset of resident name table */
|
|
unsigned short ne_modtab; /* Offset of Module Reference Table */
|
|
unsigned short ne_imptab; /* Offset of Imported Names Table */
|
|
long ne_nrestab; /* Offset of Non-resident Names Table */
|
|
unsigned short ne_cmovent; /* Count of movable entries */
|
|
unsigned short ne_align; /* Segment alignment shift count */
|
|
unsigned short ne_cres; /* Count of resource entries */
|
|
unsigned char ne_exetyp; /* Target operating system */
|
|
unsigned char ne_flagsothers; /* Other .EXE flags */
|
|
char ne_res[NERESBYTES];
|
|
/* Pad structure to 64 bytes */
|
|
};
|
|
|
|
/*
|
|
** WHashGood()
|
|
**
|
|
** This returns the correct hash value.
|
|
**
|
|
** WARNING!! This routine must not be altered in ANY way. It gets
|
|
** patched and/or rewritten by VIRPATCH!!
|
|
*/
|
|
|
|
unsigned near WHashGood ( void );
|
|
unsigned near WHashGood ()
|
|
{
|
|
return (0x1234);
|
|
}
|
|
|
|
/*
|
|
** WHash(wHash, rgb, cb)
|
|
**
|
|
** Update hash value to account for cb new bytes pointed to by rgb.
|
|
** Old hash value is wHash; returns new hash value.
|
|
**
|
|
** We do the hash on a word basis; the hash function is a simple
|
|
** rotate and add.
|
|
*/
|
|
|
|
unsigned WHash ( unsigned wHash, BYTE rgb[], int cb );
|
|
unsigned WHash ( unsigned wHash, BYTE rgb[], int cb )
|
|
{
|
|
while (cb > 1)
|
|
{
|
|
#pragma warning(disable:4213) /* nonstandard extension : cast on l-value */
|
|
wHash = (wHash << 3) + (wHash >> 13) + *((int *)rgb)++;
|
|
#pragma warning(default:4213)
|
|
cb -= 2;
|
|
}
|
|
if (cb != 0)
|
|
wHash = (wHash << 3) + (wHash >> 13) + *rgb;
|
|
return (wHash);
|
|
}
|
|
|
|
/*
|
|
** FVirCheck(hinst)
|
|
**
|
|
** This is the main virus detection routine. It should be called
|
|
** during boot, with a handle to the application instance.
|
|
** The detection method used is to hash the EXE headers; this
|
|
** hash value will change if the number or type of segments change,
|
|
** or if their length changes.
|
|
*/
|
|
|
|
BOOL FVirCheck ( HANDLE hinst );
|
|
BOOL FVirCheck ( HANDLE hinst )
|
|
{
|
|
int fh;
|
|
unsigned wHash;
|
|
unsigned cb, cbT;
|
|
long lPos;
|
|
char sz[256];
|
|
BYTE rgb[512];
|
|
#define pehdr ((struct exe_hdr *)rgb)
|
|
#define pnex ((struct new_exe *)rgb)
|
|
|
|
/* First we have to get a handle to the executable file.
|
|
Unfortunately, although Windows already has this file open,
|
|
there's no way to use its handle. Instead we have to reopen
|
|
the file. */
|
|
|
|
if (GetModuleFileName(hinst, (char far *)sz, 256) == 0)
|
|
return TRUE; //This shouldn't happen but still continue loading
|
|
|
|
if ((fh = OpenFile((LPSTR)sz, (LPOFSTRUCT)rgb, OF_READ)) == -1)
|
|
{
|
|
/* We can't open the file. This should never happen; if
|
|
it does, it means we're in a weird state, and probably
|
|
did something wrong in this code. We'll just say
|
|
everything is OK, and continue the boot. */
|
|
return TRUE;
|
|
}
|
|
/* Read old header */
|
|
if (_lread(fh, (LPSTR)rgb, sizeof (struct exe_hdr)) != sizeof (struct
|
|
exe_hdr) ||
|
|
pehdr->e_magic != EMAGIC)
|
|
goto Corrupted;
|
|
/* Hash old header */
|
|
wHash = WHash(0, rgb, sizeof (struct exe_hdr));
|
|
lPos = pehdr->e_lfanew;
|
|
/* Read new header (and some more) */
|
|
if (lPos == 0 || _llseek(fh, lPos, 0) != lPos ||
|
|
_lread(fh, (LPSTR)rgb, 512) != 512 || pnex->ne_magic != NEMAGIC)
|
|
goto Corrupted;
|
|
/* Figure out size of total header; nonresident table is last part
|
|
of header. */
|
|
cb = (unsigned)(pnex->ne_nrestab - lPos) + pnex->ne_cbnrestab;
|
|
/* Do hash on buffer basis */
|
|
while (cb > 512)
|
|
{
|
|
/* Hash this buffer */
|
|
wHash = WHash(wHash, rgb, 512);
|
|
cb -= 512;
|
|
cbT = (cb > 512 ? 512 : cb);
|
|
/* and read in next */
|
|
if (_lread(fh, (LPSTR)rgb, cbT) != cbT)
|
|
goto Corrupted;
|
|
}
|
|
/* Update hash for final partial buffer, and compare with good value. */
|
|
if (WHash(wHash, rgb, cb) != WHashGood())
|
|
{
|
|
Corrupted:
|
|
/* We've got an error reading the file or, more likely,
|
|
a hash mismatch. Close the file, give an error, and
|
|
quit. */
|
|
_lclose(fh);
|
|
/* CHANGE THE FOLLOWING LINE TO CODE APPROPRIATE TO YOUR
|
|
** APPLICATION!!
|
|
** This should be replaced with code giving an error message (such as
|
|
** "Application file is corrupted"). It is recommended that this
|
|
** bring up
|
|
** a dialog with an error message, and give the user the option of
|
|
** continuing (defaults to terminating). If the user chooses to
|
|
** terminate (or if the option is not given), ComplainAndQuit()
|
|
** should clean up anything that has been done so far, and exit.
|
|
*/
|
|
|
|
/* MessageBox(NULL, "Executable File Corrupted",
|
|
* "WARNING", MB_ICONSTOP | MB_OK);
|
|
*/
|
|
|
|
/* ComplainAndQuit();
|
|
*/
|
|
/* END OF CHANGE */
|
|
return FALSE;
|
|
}
|
|
/* Everything's OK. Just close the file, and continue. */
|
|
_lclose(fh);
|
|
return TRUE;
|
|
#undef pehdr
|
|
#undef pnex
|
|
}
|