.const
; Infection signatures: each VirusMark pairs what looks like a file offset with
; the dword expected there (VirusMark is declared outside this listing -
; confirm the field meaning against the struct definition).
virusMarks VirusMark <0000h, 00E89C60h>, <024Bh, 40004014h>, <048Ah, 14D14C51h>
szSearchPath db 'C:\virusdemodir\', 0 ; directory to repair; RecoverDisk assumes the trailing '\'
szMsgTitle db '提示', 0 ; message-box caption ("Notice")
szMsgText db '修复工作已完成!', 0 ; message-box text ("Repair finished!")
; Forward declaration: RecoverDisk below invokes RecoverFile before its
; definition. The single argument is the full path of the file to repair.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
RecoverFile proto lpszFilePath:dword
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;代码段
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;用于修复指定路径下所有被感染的文件
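; RecoverDisk - repair every infected file below a directory.
;
; Walks _lpszSearchPath with FindFirstFile/FindNextFile. Plain files whose
; last four name bytes equal _dwSearchType are handed to RecoverFile; sub-
; directories are handled by a recursive call with the same _dwSearchType.
;
; In:   _lpszSearchPath - directory to scan, MUST end with '\' (only the entry
;                         name is appended to it)
;       _dwSearchType   - four name-tail bytes to match, e.g. '.exe' packed in
;                         a dword. The compare is a raw byte compare, i.e.
;                         case-sensitive although NTFS names are not.
; Out:  nothing meaningful in eax
; Regs: ebx = &@stFindData, esi = &@stFindData.cFileName,
;       edi = &@szFilePath (MAX_PATH-byte stack buffer)
;
; Fixes versus the earlier version: the enumeration loop (@@NextEntry) was
; missing, so a repaired file fell through into the directory branch; every
; path is now length-checked before it is built in the stack buffer; reparse
; points (junctions / directory symlinks) are not followed; the search handle
; is released with FindClose instead of CloseHandle.
;
; Any entry whose first byte is '.' is skipped. That drops "." and "..", but
; also every other dot-prefixed name (behaviour kept from the original).
RecoverDisk proc uses ebx esi edi, _lpszSearchPath:dword, _dwSearchType:dword
local @szFilePath[MAX_PATH] :byte
local @hFindFile :dword
local @stFindData :WIN32_FIND_DATA
    lea ebx, @stFindData
    lea esi, @stFindData.cFileName
    lea edi, @szFilePath

    ; "<dir>*.*" + NUL must fit into @szFilePath, otherwise the lstrcat below
    ; would run past the stack buffer
    invoke lstrlen, _lpszSearchPath
    cmp eax, MAX_PATH - 4
    ja @@Done
    invoke lstrcpy, edi, _lpszSearchPath
    $pushsz '*.*'
    push edi
    call lstrcat
    invoke FindFirstFile, edi, ebx
    cmp eax, INVALID_HANDLE_VALUE
    je @@Done
    mov @hFindFile, eax

@@Entry:
    ; skip "." / ".." (and any other dot-prefixed name)
    cmp byte ptr [esi], '.'
    je @@NextEntry

    ; "<dir><name>\" + NUL must fit into @szFilePath; a deep tree would
    ; otherwise overflow the buffer in the lstrcat calls below
    invoke lstrlen, _lpszSearchPath
    push eax
    invoke lstrlen, esi
    pop ecx
    add eax, ecx
    add eax, 2
    cmp eax, MAX_PATH
    ja @@NextEntry

    mov eax, @stFindData.dwFileAttributes
    test eax, FILE_ATTRIBUTE_DIRECTORY
    jnz @@Directory

    ; plain file: compare the last four name bytes with _dwSearchType
    invoke lstrlen, esi
    cmp eax, 4
    jna @@NextEntry                    ; too short to carry a 4-byte tail
    mov eax, [esi + eax - 4]
    cmp eax, _dwSearchType
    jne @@NextEntry
    invoke lstrcpy, edi, _lpszSearchPath
    invoke lstrcat, edi, esi
    invoke RecoverFile, edi
    jmp @@NextEntry                    ; never fall into the directory branch

@@Directory:
    ; eax still holds dwFileAttributes. Junctions / directory symlinks can
    ; loop forever or lead the fixer outside the requested tree: don't follow.
    test eax, FILE_ATTRIBUTE_REPARSE_POINT
    jnz @@NextEntry
    invoke lstrcpy, edi, _lpszSearchPath
    invoke lstrcat, edi, esi
    $pushsz '\'                        ; keep the "ends with '\'" invariant
    push edi
    call lstrcat
    invoke RecoverDisk, edi, _dwSearchType

@@NextEntry:
    invoke FindNextFile, @hFindFile, ebx
    test eax, eax
    jnz @@Entry
    ; a FindFirstFile search handle is released with FindClose; CloseHandle
    ; fails on it and leaks the handle
    invoke FindClose, @hFindFile
@@Done:
    ret
RecoverDisk endp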
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;用于修复被感染的程序(1、修正入口点;2、清空病毒代码;3、清除感染标记)
RecoverFile proc uses ebx esi edi, _lpszFilePath:dword
local @hOpenedFile :dword
local @hFileMapping :dword
local @hMappedView :dword
invoke CreateFile, _lpszFilePath, FILE_READ_DATA or FILE_WRITE_DATA, \
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
cmp eax, INVALID_HANDLE_VALUE
je @@OpenFileFailed
mov @hOpenedFile, eax