Making your own anti virus

Title: Making your own anti-virus
Question: How to be up to date against VBScript viruses? Just make your own anti-virus! With Delphi, of course.
Answer:
{ Making your own anti-virus for VBScript files.

  How to be up to date against VBScript viruses? Just make your own anti-virus!
  With Delphi, of course.

  The technique is based on the Windows registry and on the way hooks work.
  A VBScript is a text file that is interpreted by the Windows Script Host
  (WScript.exe), and all .vbs files are opened by that program through the
  file association stored in the registry at
  HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command. The trick is to hook this file
  execution: the command that points to WScript.exe is replaced by our own
  AntiVBS.exe, and the original command is saved in a value named "Old" so it
  can be restored later. Now, when Windows tries to open a VBS file, it calls
  our program with the path of the VBS file as a parameter. Since we are now in
  control, we read the VBS file and look for a virus mark (a string known to
  occur in the virus). If a mark is found, we warn the user that the file is
  infected and refuse to run it; otherwise we hand the file to the original
  program, i.e. we run the saved "Old" command with the WinExec API call.
  Don't use ShellExecute for this! It would go through the same file
  association and start AntiVBS again, and again, and again...

  OK. But every time a new virus appears, do I have to change my program to
  detect it? NO!!! Put the virus marks in an .ini file! A sample of this ini
  file is at the end of this article, and it already works for the Love-Letter
  virus. Put the ini file in the same folder as AntiVBS.exe, with the same
  base name (AntiVBS.ini).

  OK, OK. And do I have to write an install program for it? NO!!! AntiVBS is a
  self-installer. Just put it in a folder and run it (writing under
  HKEY_CLASSES_ROOT needs administrative rights).

  OK, OK, OK. And what if I want to remove it and restore the original file
  association? Just run AntiVBS.exe with the /REMOVE option and everything is
  restored to its original state.

  Keep in mind what this does and does not do. It is a plain-text signature
  match: it only catches scripts that contain one of the strings you list, and
  a script that is obfuscated or simply reworded walks straight through. It is
  also only reached through the VBSFile association: a script started directly
  with wscript.exe or cscript.exe, or saved with another Script Host extension
  such as .vbe, .wsf or .js, never passes through AntiVBS. And any program
  running with the same rights can put the original association back.

  That's all folks!!! Enjoy!

  *You can copy, paste and compile!
  (Note that it is a program without units) }

{ This is a program with no units }
program AntiVBS;

uses Windows, SysUtils, Registry, IniFiles, Classes;

{$R *.RES}

const
  AntiVBSName   = 'Anti-VBScript';
  ExecParameter = ' "%1" %*';
  OpenCommand   = 'VBSFile\Shell\Open\Command';
  Open2Command  = 'VBSFile\Shell\Open2\Command';

{ Looks in AntiVBS.ini for any virus mark contained in Value (case-insensitive).
  Returns the NAME of the matching definition, or '' when nothing matches.
  The COMMENT and NAME entries are documentation, not marks, and are skipped. }
function CheckViruses(const Value: string): string;
var
  i, j: integer;
  Text, Section: string;
  VirDefs, VirIDs: TStringList;
  Ini: TIniFile;
begin
  Result := '';
  Text := AnsiUpperCase(Value);
  VirDefs := TStringList.Create;
  VirIDs := TStringList.Create;
  Ini := TIniFile.Create(ChangeFileExt(ParamStr(0), '.ini'));
  try
    { [VIRUSDEFS] maps a virus name to the section that holds its marks }
    Ini.ReadSectionValues('VIRUSDEFS', VirDefs);
    for i := 0 to VirDefs.Count - 1 do
    begin
      if AnsiUpperCase(VirDefs.Names[i]) = 'COMMENT' then Continue;
      Section := VirDefs.Values[VirDefs.Names[i]];
      Ini.ReadSectionValues(Section, VirIDs);
      for j := 0 to VirIDs.Count - 1 do
      begin
        if (AnsiUpperCase(VirIDs.Names[j]) = 'COMMENT') or
           (AnsiUpperCase(VirIDs.Names[j]) = 'NAME') then Continue;
        if Pos(AnsiUpperCase(VirIDs.Values[VirIDs.Names[j]]), Text) <> 0 then
        begin
          Result := Ini.ReadString(Section, 'NAME', 'VBScript - Virus');
          Exit;
        end;
      end;
    end;
  finally
    Ini.Free;
    VirIDs.Free;
    VirDefs.Free;
  end;
end;

{ Puts the original commands (saved in the "Old" values) back and deletes "Old". }
procedure RemoveAntiVBS;
var
  Reg: TRegistry;

  procedure RestoreKey(const Key: string);
  var
    OldValue: string;
  begin
    if not Reg.OpenKey(Key, False) then Exit;
    OldValue := Reg.ReadString('Old');
    if OldValue <> '' then
      Reg.WriteString('', OldValue);
    Reg.DeleteValue('Old');
    Reg.CloseKey;
  end;

begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    RestoreKey(OpenCommand);
    RestoreKey(Open2Command);
    MessageBox(0, PChar(Format('The %s was uninstalled from your system with success!'#13 +
      'In order to reinstall it just run it again with no options.', [AntiVBSName])),
      AntiVBSName, MB_OK or MB_ICONASTERISK);
  finally
    Reg.Free;
  end;
end;

{ Makes both Open commands point at this executable. The current command is kept
  in the "Old" value (unless it already points at us) so /REMOVE can restore it. }
procedure SetupRegistry;
var
  Reg: TRegistry;
  InstalledPath: string;

  procedure HookKey(const Key: string);
  var
    OldValue: string;
  begin
    Reg.OpenKey(Key, True);
    OldValue := Reg.ReadString('');
    if Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(OldValue)) = 0 then
      Reg.WriteString('Old', OldValue);
    { our path is quoted: it may contain spaces }
    Reg.WriteString('', '"' + ParamStr(0) + '"' + ExecParameter);
    Reg.CloseKey;
  end;

  procedure AddAntiVBS;
  begin
    HookKey(OpenCommand);
    HookKey(Open2Command);
    MessageBox(0, PChar(Format('The %s was installed in your system with success!'#13 +
      'In order to uninstall it just run it with the /REMOVE option.', [AntiVBSName])),
      AntiVBSName, MB_OK or MB_ICONINFORMATION);
  end;

begin
  Reg := TRegistry.Create;
  try
    Reg.Access := KEY_ALL_ACCESS;
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if not Reg.OpenKey(OpenCommand, True) then Abort;
    { the program currently registered, without the ' "%1" %*' tail and quotes }
    InstalledPath := Reg.ReadString('');
    Delete(InstalledPath, Pos(ExecParameter, InstalledPath), Length(InstalledPath));
    InstalledPath := StringReplace(InstalledPath, '"', '', [rfReplaceAll]);
    Reg.CloseKey;
    if Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(InstalledPath)) <> 0 then
    begin
      if AnsiUpperCase(ParamStr(0)) <> AnsiUpperCase(InstalledPath) then
      begin
        if MessageBox(0, PChar(Format('The %s is already installed in your system at'#13 +
             '%s'#13#13'Do you want to reinstall it from'#13'%s ?',
             [AntiVBSName, InstalledPath, ParamStr(0)])),
             AntiVBSName, MB_YESNO or MB_ICONINFORMATION or MB_SYSTEMMODAL) = IDYES then
          AddAntiVBS;
      end
      else
        MessageBox(0, PChar(Format('The %s is already installed in your system at'#13#13'%s',
          [AntiVBSName, ParamStr(0)])), AntiVBSName, MB_OK or MB_ICONINFORMATION or MB_SYSTEMMODAL);
    end
    else
      AddAntiVBS;
  finally
    Reg.Free;
  end;
end;

{ Runs the script with the command saved in "Old" (the original script host).
  "%1" becomes the script path and "%*" the remaining arguments. ShellExecute
  would go through the VBSFile association again and start AntiVBS itself. }
procedure RunOriginal(const Script: string);
var
  Cmd, Rest, Buf: string;
  Reg: TRegistry;
  i, n: integer;
begin
  Cmd := '';
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if Reg.OpenKey(OpenCommand, False) then
      Cmd := Reg.ReadString('Old');
  finally
    Reg.Free;
  end;
  if Cmd = '' then
    Cmd := 'WScript.exe' + ExecParameter;  { fallback: the Windows Script Host }
  Rest := '';
  for i := 2 to ParamCount do
    Rest := Trim(Rest + ' "' + ParamStr(i) + '"');
  Cmd := StringReplace(Cmd, '%1', Script, [rfReplaceAll]);
  Cmd := StringReplace(Cmd, '%*', Rest, [rfReplaceAll]);
  { the saved value may contain %SystemRoot% etc.; WinExec does not expand it }
  n := ExpandEnvironmentStrings(PChar(Cmd), nil, 0);
  SetLength(Buf, n);
  ExpandEnvironmentStrings(PChar(Cmd), PChar(Buf), n);
  Cmd := PChar(Buf);
  if WinExec(PChar(Cmd), SW_SHOW) <= 31 then
    MessageBox(0, PChar('Could not start the script host:'#13 + Cmd),
      AntiVBSName, MB_OK or MB_ICONHAND);
end;

var
  F: file;
  R: integer;
  Buffer: array[0..16383] of Char;
  Chunk, Found: string;

begin
  if ParamCount = 0 then
    SetupRegistry
  else if AnsiUpperCase(ParamStr(1)) = '/REMOVE' then
    RemoveAntiVBS
  else if FileExists(ParamStr(1)) then
  begin
    Found := '';
    AssignFile(F, ParamStr(1));
    FileMode := 0; { read only }
    Reset(F, 1);
    try
      { scan chunk by chunk; a mark split across two chunks is not seen }
      repeat
        BlockRead(F, Buffer, SizeOf(Buffer), R);
        SetString(Chunk, PChar(@Buffer), R);
        Found := CheckViruses(Chunk);
      until (R = 0) or (Found <> '');
    finally
      CloseFile(F);
    end;
    if Found <> '' then
      MessageBox(0, PChar(Format('The file %s is possibly infected by a virus:'#13#13' "%s"'#13#13 +
        'Its execution is denied.', [ParamStr(1), Found])),
        AntiVBSName, MB_OK or MB_ICONHAND or MB_SYSTEMMODAL)
    else
      RunOriginal(ParamStr(1));
  end;
end.

{======================================================================}

The ini file (AntiVBS.ini):

[VIRUSDEFS]
COMMENT= Put here all ID groups.
LOVELETTER=LOVELETTER_IDS
[LOVELETTER_IDS]
COMMENT= Put here the NAME entry and enumerated values that identify the virus (words that appear in the virus file).
NAME=Love Letter Virus (vbs macro)
1=loveletter
2=spreadtoemail()
3=MSKernel32.vbs
4=Win32DLL.vbs
5=LOVE-LETTER-FOR-YOU.TXT.vbs
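As an added example, not part of the original article and not the author's Delphi code, here is the AntiVBS scanning logic in Python, so it can be run anywhere without Windows. It reads the same [VIRUSDEFS] ini layout shown above, scans a script in chunks the way the Delphi loop does, but with an optional overlap between chunks so a mark that straddles a chunk boundary is still found, and it rebuilds the command line for the original script host from a saved "Old" value the way the hook must hand a clean file back to WScript.exe. No registry access is performed: the ini text, the sample scripts and the saved command are constructed inline and are assumptions for the demonstration.

```python
import configparser
import io

# Constructed sample: the AntiVBS.ini from the article.
SAMPLE_INI = """\
[VIRUSDEFS]
COMMENT= Put here all ID groups.
LOVELETTER=LOVELETTER_IDS

[LOVELETTER_IDS]
COMMENT= Put here the NAME entry and enumerated values that identify the virus.
NAME=Love Letter Virus (vbs macro)
1=loveletter
2=spreadtoemail()
3=MSKernel32.vbs
4=Win32DLL.vbs
5=LOVE-LETTER-FOR-YOU.TXT.vbs
"""

# Entries that document a section rather than describe a mark.
DOC_KEYS = {"comment", "name"}


def load_definitions(ini_text):
    """Parse the [VIRUSDEFS] layout into [(name, [mark_bytes, ...]), ...].

    Marks are upper-cased once; matching is then case-insensitive, like the
    AnsiUpperCase/Pos pair in the Delphi code."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key names as written
    cp.read_string(ini_text)
    defs = []
    for key, section in cp["VIRUSDEFS"].items():
        if key.lower() in DOC_KEYS or section not in cp:
            continue
        name = cp[section].get("NAME", "VBScript - Virus")
        marks = [v.strip().upper().encode("latin-1")
                 for k, v in cp[section].items() if k.lower() not in DOC_KEYS]
        defs.append((name, marks))
    return defs


def scan_stream(stream, defs, chunk_size=16383, overlap=True):
    """Scan a binary stream chunk by chunk; return the NAME of the first
    definition whose mark is present, or None.

    The Delphi loop inspects each 16383-byte chunk on its own, so a mark that
    starts at the end of one chunk and ends in the next is never seen.  With
    overlap=True the last (longest mark - 1) bytes of the previous chunk are
    kept in front of the current one, which closes that gap."""
    longest = max((len(m) for _, marks in defs for m in marks), default=1)
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None
        window = (tail + chunk).upper()   # bytes.upper() touches ASCII only
        for name, marks in defs:
            if any(mark in window for mark in marks):
                return name
        tail = chunk[-(longest - 1):] if overlap and longest > 1 else b""


def scan_script(data, defs, **kw):
    """Convenience wrapper for in-memory script text."""
    return scan_stream(io.BytesIO(data), defs, **kw)


def build_command(old_command, script_path, extra_args=()):
    """Rebuild the original script-host command line from the saved "Old"
    registry value: "%1" becomes the script path, "%*" the remaining
    arguments.  Launching the .vbs through its file association instead would
    call AntiVBS again."""
    rest = " ".join('"%s"' % a for a in extra_args)
    return old_command.replace("%1", script_path).replace("%*", rest).rstrip()


DEFS = load_definitions(SAMPLE_INI)

# Constructed samples: a harmless script, one carrying a mark from the ini,
# and one where the mark straddles a 64-byte chunk boundary.
CLEAN_SCRIPT = b'Set fso = CreateObject("Scripting.FileSystemObject")\r\nWScript.Echo "hi"\r\n'
INFECTED_SCRIPT = b"Sub spreadtoemail()\r\n" + CLEAN_SCRIPT
STRADDLE_SCRIPT = b"'" + b"x" * 55 + b' copy "LOVE-LETTER-FOR-YOU.TXT.vbs"\r\n'
# Constructed: what the "Old" value looks like after AntiVBS saved it.
OLD_COMMAND = r'"C:\WINDOWS\System32\WScript.exe" "%1" %*'

if __name__ == "__main__":
    for label, script in (("clean", CLEAN_SCRIPT), ("infected", INFECTED_SCRIPT)):
        print(label, "->", scan_script(script, DEFS))
    print("straddle, no overlap ->", scan_script(STRADDLE_SCRIPT, DEFS, chunk_size=64, overlap=False))
    print("straddle, overlap    ->", scan_script(STRADDLE_SCRIPT, DEFS, chunk_size=64))
    print(build_command(OLD_COMMAND, r"C:\Temp\my script.vbs", ["a"]))
```

The straddle case is the one to note: with overlap=False the scanner behaves like the Delphi loop and reports the script as clean, with overlap=True it finds the mark. In the real tool the constructed OLD_COMMAND would be read from the "Old" value under HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command.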