Mega Code Archive

 

Cleaning infected binary (Antivirus method)

Question: The question started after I got infected with a silly virus intended to infect binary files; it then opened a TCP backdoor on my system, and at the same time my antivirus didn't detect it. I noticed that some of my binary files' icons had disappeared, and whenever I executed these files they dropped a backdoor under my Windows system folder and added it to the startup registry key. With a hex viewer program I made a quick examination and comparison of both infected and non-infected files, and I found the virus's hex infection marker at the end of the infected binary: 'SVCH_RU_X'.

Answer: A fast response is very important, especially when you get infected in a large environment. In a security role you should submit the suspect file to your antivirus vendor's support center so that they can release a definition against it; but if you don't want to wait for the vendor to respond, you can take the risk of cleaning the files yourself, provided you are aware of what you are doing and know all the necessary actions to be taken.

The cleaner below relies on the marker not being a bare string but the last field of a small trailer record that the infector leaves at the end of every infected host: the record's Position and Size fields say where inside the infected file the original program image was stored and how long it is. For every *.exe on each fixed or network drive the program reads that trailer, compares its signature with 'SVCH_RU_X', and when they match copies the original image out of the file and writes it back over the infected one.

Before running it, keep in mind what it does not do: it restores the host executables only. The backdoor already dropped in the Windows system folder and its startup registry value must be removed separately (and its process stopped), otherwise any infected file the scan misses will drop it again the next time it is executed. Keep a copy of at least one infected file for the antivirus vendor, and test the cleaner on a copy first: it overwrites files in place and trusts the Position and Size values it finds in the trailer.

//====================================================================
program CleanSVCH;
{$APPTYPE CONSOLE}
uses Windows, SysUtils, Classes;

type
  // Trailer the infector leaves at the very end of the host: where the
  // original image was stored inside the infected file, how long it is,
  // and the marker seen in the hex viewer. The layout must match the
  // infector's trailer byte for byte (declare it packed if the infector
  // wrote the fields without alignment padding).
  TBufferRec = record
    Position, Size: Int64;
    Signature: array[0..8] of Char;
  end;

const
  // hex infection marker name..
  HexAlias: string = 'SVCH_RU_X';

procedure ScanDrive(const sPath, FileExt: string; Dir: boolean);
var
  Rec: TSearchRec;
  Path, Sig: string;
  Buffer: TBufferRec;
  MemStream: TMemoryStream;
  FileBuffer, CleanedFile: TFileStream;
begin
  Path := IncludeTrailingPathDelimiter(sPath);
  if FindFirst(Path + FileExt, faAnyFile - faDirectory, Rec) = 0 then
  try
    repeat
      WriteLn('Scanning..' + Path + Rec.Name);
      try
        // Open the file read-only and shared, so a file another process
        // holds open is still scanned. Seek's origin is one of
        // soFromBeginning, soFromCurrent or soFromEnd; as the marker sits
        // at the end of the binary we use soFromEnd.
        FileBuffer := TFileStream.Create(Path + Rec.Name, fmOpenRead or fmShareDenyNone);
        try
          // A file shorter than the trailer cannot carry it; skip it
          // instead of seeking to a negative offset.
          if FileBuffer.Size >= SizeOf(Buffer) then
          begin
            FileBuffer.Seek(0 - SizeOf(Buffer), soFromEnd);
            // Read the fixed-size trailer record
            FileBuffer.ReadBuffer(Buffer, SizeOf(Buffer));
            // Compare the signature in the trailer with the marker we are
            // searching for, and make sure the host range it describes
            // really lies inside the file before trusting it
            SetString(Sig, PChar(@Buffer.Signature[0]), Length(HexAlias));
            if (Sig = HexAlias)
               and (Buffer.Position >= 0) and (Buffer.Size > 0)
               and (Buffer.Position + Buffer.Size <= FileBuffer.Size - SizeOf(Buffer)) then
            begin
              WriteLn('File ' + Path + Rec.Name + ' is infected');
              // Copy the original host image (Size bytes starting at
              // Position) into a memory stream ...
              MemStream := TMemoryStream.Create;
              try
                FileBuffer.Seek(Buffer.Position, soFromBeginning);
                MemStream.CopyFrom(FileBuffer, Buffer.Size);
                MemStream.Seek(0, soFromBeginning);
                // ... close the infected file and overwrite it with the
                // recovered image
                FreeAndNil(FileBuffer);
                CleanedFile := TFileStream.Create(Path + Rec.Name, fmCreate);
                try
                  CleanedFile.CopyFrom(MemStream, MemStream.Size);
                finally
                  CleanedFile.Free;
                end;
              finally
                MemStream.Free;
              end;
              WriteLn('File ' + Rec.Name + ' successfully cleaned');
            end;
          end;
        finally
          FileBuffer.Free;
        end;
      except
        // A locked or unreadable file must not abort the whole scan
        on E: Exception do
          WriteLn('Cannot process ' + Path + Rec.Name + ': ' + E.Message);
      end;
    until FindNext(Rec) <> 0;
  finally
    FindClose(Rec);
  end;
  if not Dir then Exit;
  // Recurse into every subdirectory
  if FindFirst(Path + '*.*', faDirectory, Rec) = 0 then
  try
    repeat
      if ((Rec.Attr and faDirectory) <> 0) and (Rec.Name <> '.') and (Rec.Name <> '..') then
        ScanDrive(Path + Rec.Name, FileExt, True);
    until FindNext(Rec) <> 0;
  finally
    FindClose(Rec);
  end;
end;

//====================================================================
// Program starts here: first get the logical drive letters, then call
// the ScanDrive procedure for each fixed or network drive found...
var
  s: string;
  i, x: integer;
  Drives: array[1..128] of Char;
begin
  // GetLogicalDriveStrings fills the buffer with null-separated root
  // names ('C:\'#0'D:\'#0 ...) terminated by an extra null
  FillChar(Drives, SizeOf(Drives), #0);
  GetLogicalDriveStrings(High(Drives) - 1, @Drives[1]);
  i := 1;
  repeat
    s := '';
    while Drives[i] <> #0 do
    begin
      s := s + Drives[i];
      inc(i);
    end;
    inc(i);
    if Length(s) <> 0 then
    begin
      x := GetDriveType(PChar(s));
      // only fixed and network drives are scanned
      if (x = DRIVE_FIXED) or (x = DRIVE_REMOTE) then
        ScanDrive(s, '*.exe', True);
    end;
  until Length(s) = 0;
end.
//***************************
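As an added example, not part of the original article or its Delphi code, the same trailer-driven detection and recovery in Python, with the checks a practitioner would want before overwriting anything: a file too short to hold the trailer is skipped, a trailer whose Position/Size range falls outside the file is rejected instead of being carved blindly, and the infected original is moved to a quarantine directory before the recovered image is written back, so a sample survives for the antivirus vendor. The trailer layout (two little-endian 64-bit integers followed by the 9-byte marker, packed without padding) is an assumption modelled on the page's TBufferRec, not a verified description of the real infector, and the host bytes and infector stub used as input are constructed test data.

```python
"""Added example (not the page's Delphi code): find and carve the original host
out of a file that ends in a trailer record like the one the article describes.
Assumed trailer layout, modelled on TBufferRec: Position (int64), Size (int64),
Signature (9 bytes), little-endian, no padding. Sample data below is constructed."""
import os
import struct
import tempfile
from typing import Dict, List, Optional, Tuple

MARKER = b"SVCH_RU_X"                 # marker the article reports at end of file
TRAILER = struct.Struct("<qq9s")      # position, size, signature (assumed layout)


def build_infected_sample(host: bytes, stub: bytes) -> bytes:
    """Constructed input only: stub first, original host appended, trailer last.
    This is how the test data is laid out, not the real infector's format."""
    return stub + host + TRAILER.pack(len(stub), len(host), MARKER)


def read_trailer(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (position, size) if the data ends with a valid trailer, else None.
    Raises ValueError when the marker is present but the host range does not fit
    inside the file, so a corrupt or forged trailer cannot make us write garbage."""
    if len(data) < TRAILER.size:
        return None
    position, size, sig = TRAILER.unpack(data[-TRAILER.size:])
    if sig != MARKER:
        return None
    body_end = len(data) - TRAILER.size
    if position < 0 or size <= 0 or position + size > body_end:
        raise ValueError("trailer marker present but host range is out of bounds")
    return position, size


def recover_host(data: bytes) -> Optional[bytes]:
    """Carve the original host image out of an infected file; None if not infected."""
    found = read_trailer(data)
    if found is None:
        return None
    position, size = found
    return data[position:position + size]


def clean_file(path: str, quarantine_dir: str) -> bool:
    """Clean one file in place. The infected original is moved to quarantine first
    so a sample survives for the AV vendor. Returns True if the file was infected."""
    with open(path, "rb") as fh:
        data = fh.read()
    host = recover_host(data)
    if host is None:
        return False
    os.makedirs(quarantine_dir, exist_ok=True)
    sample = os.path.join(quarantine_dir, os.path.basename(path) + ".infected")
    os.replace(path, sample)
    with open(path, "wb") as fh:
        fh.write(host)
    return True


def scan_tree(root: str, quarantine_dir: str, ext: str = ".exe") -> List[str]:
    """Walk a directory tree and clean every file with the given extension,
    returning the paths that were infected and restored."""
    cleaned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ext):
                full = os.path.join(dirpath, name)
                if clean_file(full, quarantine_dir):
                    cleaned.append(full)
    return cleaned


def demo() -> Dict[str, object]:
    """Build a small tree with one infected and one clean file (constructed data),
    run the scan, and report what happened to each file."""
    host = b"MZ" + bytes(range(256)) * 4    # constructed host image
    stub = b"\xcc" * 64                     # constructed infector stub
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "app.exe")
        clean = os.path.join(tmp, "sub", "tool.exe")
        os.makedirs(os.path.dirname(clean))
        with open(infected, "wb") as fh:
            fh.write(build_infected_sample(host, stub))
        with open(clean, "wb") as fh:
            fh.write(host)
        cleaned = scan_tree(tmp, os.path.join(tmp, "quarantine"))
        with open(infected, "rb") as fh:
            restored = fh.read()
        with open(clean, "rb") as fh:
            untouched = fh.read()
        return {
            "cleaned": [os.path.relpath(p, tmp) for p in cleaned],
            "restored_ok": restored == host,
            "clean_untouched": untouched == host,
        }


if __name__ == "__main__":
    print(demo())
```

The bounds check in read_trailer is the part the Delphi version lacks: Position and Size come from the infected file itself, so they are attacker-controlled input and must be validated against the file length before a single byte is copied.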