3.2 木马特征码的读取 由于本工具使用 ini 文件作为特征库文件,所以木马查杀工具开始运行时第一件事就是读取特征库文件,获得病毒的特征码。读取方法是:首先打开与工具同一目录下的 code.ini 文件,读取得到总的病毒数,然后依次循环读出每个 section 下的属性值,即对应文件的 name 属性和 size 属性,也就是文件名和文件大小。下面是基于 ini 特征库文件读取的代码:
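// Looks up Item inside the [Section] block of the ini signature file that
// ReadIniFile() loads into FileContainer, and returns its value.
//
// Returns the caller-supplied default Value when the file could not be
// read (bFileExist == FALSE), when it is empty, when the section or the
// item is absent, or when the section ends (next '[' header or end of
// file) before the item is seen.
//
// Matching is case-sensitive (CString operator==). Section names are taken
// from between '[' and ']'; item names and values from either side of the
// first '='; all three are trimmed of surrounding whitespace. The signature
// file is an input the scanner relies on, so a malformed file must not crash
// the parser: blank lines and lines missing ']' or '=' are skipped instead
// of being indexed blindly (GetAt(0) on an empty CString is out of range).
CString CIniFile::GetFileString(CString Section, CString Item, CString Value)
{
    ReadIniFile(); // loads the file into FileContainer and sets bFileExist
    // Nothing to search: open failure or an empty file.
    if (bFileExist == FALSE || FileContainer.GetSize() <= 0)
        return Value;

    const int iFileLines = FileContainer.GetSize();
    int i = 0;
    CString strline, str;

    // Pass 1: locate the "[Section]" header line.
    while (i < iFileLines)
    {
        strline = FileContainer.GetAt(i++);
        strline.TrimLeft();
        // A header must start with '['; skip blank lines before indexing.
        if (strline.IsEmpty() || strline.GetAt(0) != '[')
            continue;

        const int close = strline.Find(']');
        if (close < 0)
            continue; // "[name" without a closing bracket: not a header

        // Text between '[' and ']', trimmed.
        str = strline.Mid(1, close - 1);
        str.TrimLeft();
        str.TrimRight();
        if (Section != str)
            continue;

        // Pass 2: scan "key = value" lines until the next section header.
        while (i < iFileLines)
        {
            strline = FileContainer.GetAt(i++);
            strline.TrimLeft();
            if (strline.IsEmpty())
                continue;
            if (strline.GetAt(0) == '[')
                return Value; // reached the next section: item not present

            const int eq = strline.Find('=');
            if (eq < 0)
                continue; // no '=': not a key/value line

            str = strline.Left(eq);
            str.TrimLeft();
            str.TrimRight();
            if (Item == str)
            {
                // Everything after the first '=', trimmed.
                str = strline.Mid(eq + 1);
                str.TrimLeft();
                str.TrimRight();
                return str;
            }
        }
        return Value; // section ran to end of file without the item
    }
    return Value; // section never found
}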
3.3 获得文件MD5特征码 本工具使用 MD5 作为特征码,所以编写了一个 MD5 类来实现对文件 MD5 特征码的获取,下面是获取 MD5 值的实现步骤和描述: 因为本工具是基于特征码来对木马进行查杀的,所以第一步是在获得一个木马样本时对它进行 MD5 计算,然后把得到的 MD5 值保存到 ini 文件(即特征码库)中。需要注意,MD5 在这里只是一个精确匹配的文件指纹:样本内容有任何一个字节不同,特征码就不再匹配;并且 MD5 已不再具有抗碰撞性,不应把它当作密码学意义上的完整性保证。
算法的初始化:
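/* Resets an MD5 state: zero bit count and the standard initial chaining
 * values A, B, C, D of RFC 1321 section 3.3. The listing drops the return
 * types of these three functions; none of them returns a value. */
void md5_init(md5_state_t *pms)
{
    pms->count[0] = pms->count[1] = 0;
    pms->abcd[0] = 0x67452301;
    pms->abcd[1] = 0xefcdab89;
    pms->abcd[2] = 0x98badcfe;
    pms->abcd[3] = 0x10325476;
}

/* Feeds nbytes bytes from data into the digest.
 *
 * Bytes that do not complete a 64-byte block are held in pms->buf; every
 * completed block is passed to md5_process. count[1]:count[0] hold the
 * total message length in bits. nbytes is an int, so one call can accept
 * at most INT_MAX bytes; a caller hashing a large file must loop. Calls
 * with nbytes <= 0 are ignored. md5_word_t is assumed to be an unsigned
 * 32-bit type, as the ROTATE_LEFT shifts in md5_process require. */
void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes)
{
    const md5_byte_t *p = data;
    int left = nbytes;
    /* Bytes already buffered in pms->buf (count[0] is a bit count). */
    int offset = (pms->count[0] >> 3) & 63;
    /* Cast before shifting: `nbytes << 3` on a signed int overflows (UB)
     * once nbytes >= 2^28. The unsigned shift wraps mod 2^32, which is
     * exactly the low word of nbytes * 8 that count[0] needs; the high
     * bits go into count[1] via `nbytes >> 29` below. */
    md5_word_t nbits = (md5_word_t)nbytes << 3;

    if (nbytes <= 0)
        return;

    /* Update the 64-bit message length; carry from the low word. */
    pms->count[1] += nbytes >> 29;
    pms->count[0] += nbits;
    if (pms->count[0] < nbits)
        pms->count[1]++;

    /* Process an initial partial block: top up pms->buf first. */
    if (offset) {
        int copy = (offset + nbytes > 64 ? 64 - offset : nbytes);

        memcpy(pms->buf + offset, p, copy);
        if (offset + copy < 64)
            return; /* still not a full block; wait for more input */
        p += copy;
        left -= copy;
        md5_process(pms, pms->buf);
    }

    /* Process full blocks straight from the caller's buffer. */
    for (; left >= 64; p += 64, left -= 64)
        md5_process(pms, p);

    /* Process a final partial block: keep the tail for the next call. */
    if (left)
        memcpy(pms->buf, p, left);
}

/* Finishes the digest: pads the message to 56 bytes mod 64, appends the
 * 64-bit bit length little-endian, and serialises the four chaining words
 * little-endian into the 16-byte digest. The padding is pushed through
 * md5_append, so pms has consumed the padding afterwards. */
void md5_finish(md5_state_t *pms, md5_byte_t digest[16])
{
    static const md5_byte_t pad[64] = {
        0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    };
    md5_byte_t data[8];
    int i;

    /* Save the length before padding (the pad appends would change it). */
    for (i = 0; i < 8; ++i)
        data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3));
    /* Pad to 56 bytes mod 64: always at least one byte (the 0x80). */
    md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1);
    /* Append the length. */
    md5_append(pms, data, 8);
    for (i = 0; i < 16; ++i)
        digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3));
}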
MD5 算法的主要变换过程:
/* Absorbs one 64-byte block into the running state pms->abcd: the MD5
 * compression function of RFC 1321 section 3.4 (four rounds of sixteen
 * steps, then the four registers are added back). Called by md5_append
 * for every complete block. The listing drops the return type; the
 * function returns nothing. The per-step constants T1..T64 and the
 * md5_* types are defined elsewhere in the file/header, and the listing
 * omits most of the 64 SET steps ("部分代码省略"). */
md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/)
{
    md5_word_t
        a = pms->abcd[0], b = pms->abcd[1],
        c = pms->abcd[2], d = pms->abcd[3];
    md5_word_t t;

#ifndef ARCH_IS_BIG_ENDIAN
# define ARCH_IS_BIG_ENDIAN 1 /* slower, default implementation */
#endif

#if ARCH_IS_BIG_ENDIAN
    /*
     * On big-endian machines, we must arrange the bytes in the right
     * order. (This also works on machines of unknown byte order.)
     */
    md5_word_t X[16];
    const md5_byte_t *xp = data;
    int i;

    /* Decode the block as sixteen little-endian 32-bit words. */
    for (i = 0; i < 16; ++i, xp += 4)
        X[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24);
#else /* !ARCH_IS_BIG_ENDIAN */
    /*
     * On little-endian machines, we can process properly aligned data
     * without copying it.
     */
    md5_word_t xbuf[16];
    const md5_word_t *X;

    /* NOTE(review): subtracting a null pointer is technically undefined
     * behaviour in C/C++; a uintptr_t cast would be the portable way to
     * test 4-byte alignment. Reading the bytes through md5_word_t* also
     * relies on the compiler tolerating the aliasing. */
    if (!((data - (const md5_byte_t *)0) & 3)) {
        /* data are properly aligned */
        X = (const md5_word_t *)data;
    } else {
        /* not aligned */
        memcpy(xbuf, data, 64);
        X = xbuf;
    }
#endif

/* 32-bit rotate; assumes md5_word_t is exactly 32 bits wide. */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

    /* Round 1. */
    /* Let [abcd k s i] denote the operation
       a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define SET(a, b, c, d, k, s, Ti)\
    t = a + F(b,c,d) + X[k] + Ti;\
    a = ROTATE_LEFT(t, s) + b
    /* Do the following 16 operations. */
    SET(a, b, c, d, 0, 7, T1);
    /* ... steps 2 to 15 of this round are omitted in the original listing ... */
    SET(b, c, d, a, 15, 22, T16);
#undef SET

    /* Round 2. */
    /* Let [abcd k s i] denote the operation
       a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
#define G(x, y, z) (((x) & (z)) | ((y) & ~(z)))
#define SET(a, b, c, d, k, s, Ti)\
    t = a + G(b,c,d) + X[k] + Ti;\
    a = ROTATE_LEFT(t, s) + b
    /* Do the following 16 operations. */
    SET(a, b, c, d, 1, 5, T17);
    SET(d, a, b, c, 6, 9, T18);
    /* ... steps 3 to 14 of this round are omitted in the original listing ... */
    SET(c, d, a, b, 7, 14, T31);
    SET(b, c, d, a, 12, 20, T32);
#undef SET

    /* Round 3. */
    /* Let [abcd k s t] denote the operation
       a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define SET(a, b, c, d, k, s, Ti)\
    t = a + H(b,c,d) + X[k] + Ti;\
    a = ROTATE_LEFT(t, s) + b
    /* Do the following 16 operations. */
    SET(a, b, c, d, 5, 4, T33);
    /* ... steps 2 to 15 of this round are omitted in the original listing ... */
    SET(b, c, d, a, 2, 23, T48);
#undef SET

    /* Round 4. */
    /* Let [abcd k s t] denote the operation
       a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
#define I(x, y, z) ((y) ^ ((x) | ~(z)))
#define SET(a, b, c, d, k, s, Ti)\
    t = a + I(b,c,d) + X[k] + Ti;\
    a = ROTATE_LEFT(t, s) + b
    /* Do the following 16 operations. */
    SET(a, b, c, d, 0, 6, T49);
    /* ... steps 2 to 15 of this round are omitted in the original listing ... */
    SET(b, c, d, a, 9, 21, T64);
#undef SET

    /* Then perform the following additions. (That is increment each
       of the four registers by the value it had before this block
       was started.) */
    pms->abcd[0] += a;
    pms->abcd[1] += b;
    pms->abcd[2] += c;
    pms->abcd[3] += d;
}