Jump to content

Malware Kill - a simple antimalware program


logmein
 Share

Recommended Posts

This is my antimalware program, database with over 3500 signatures, support online update!

#include <GUIConstants.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <ButtonConstants.au3>
#include <GUIConstants.au3>
#include <process.au3>
#include <Date.au3>

Opt("TrayMenuMode", 1)
HotKeySet('{Esc}', 'terminate')
;=================================================================
Dim $dbpath = @ScriptDir & '\Database.3db'
Dim $read = FileRead($dbpath)
Dim $url = 'http://vantimalware.do.am/database.3db'
Dim $split2 = StringReplace($read, @CRLF, @TAB)
Dim $split = StringSplit($split2, @TAB)
Dim $backuppath = @ScriptDir & '\Backup\'
Dim $size1 = '',$size2 = '',$terminate = False
Dim $temp = @SystemDir & '\DatabaseBackupforURL.ini'

;=================================================================
ConsoleWrite ('completed!')
#Region ### START Koda GUI section ### Form=C:\Program Files\Forms\main.kxf
$Form = GUICreate("MalwareKill v 1.0.0.0 db : 00001", 374, 142, -1, -1)
$Label1 = GUICtrlCreateLabel("Choose a directory to scan :", 8, 8, 136, 17)
$Input = GUICtrlCreateInput("", 8, 32, 334, 21)
$browse = GUICtrlCreateButton("...", 344, 31, 27, 24, 0)
GUICtrlSetCursor (-1, 0)
$remove = GUICtrlCreateCheckbox("&Remove infected item(s)", 8, 64, 137, 17)
$backup = GUICtrlCreateCheckbox("&Create backup", 8, 88, 97, 17)
$scan = GUICtrlCreateButton("&Scan", 8, 112, 75, 25, 0)
GUICtrlSetFont(-1, 10, 800, 0, "MS Sans Serif")
GUICtrlSetCursor (-1, 0)
$about = GUICtrlCreateButton("&About", 216, 112, 75, 25, 0)
GUICtrlSetCursor (-1, 0)
$exit = GUICtrlCreateButton("&Exit", 296, 112, 75, 25, 0)
GUICtrlSetCursor (-1, 0)
$vault = GUICtrlCreateLabel("[...]", 104, 90, 24, 17)
GUICtrlSetFont(-1, 8, 800, 0, "MS Sans Serif")
GUICtrlSetColor(-1, 0x0000FF)
GUICtrlSetCursor (-1, 0)

TraySetClick("9")
$mOpen = TrayCreateItem("&Open Control Panel")
$MenuItem9 = TrayCreateItem("")
$mVault = TrayCreateItem("&Vaults")
$MenuItem7 = TrayCreateItem("")
$mCheck = TrayCreateItem("&Check for Updates")
$MenuItem12 = TrayCreateItem("")
$mExit = TrayCreateItem("&Exit")
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            GUISetState (@SW_HIDE,$Form)
        Case $scan
            If GUICtrlRead ($Input) = '' Then
                MsgBox (16,'Error!','Please select a directory to scan.','',$Form)
            Else
                go (GUICtrlRead ($Input))
            EndIf
        Case $exit
            Exit
        case $vault
            ShellExecute ($backuppath)
    EndSwitch
    $tmsg = TrayGetMsg ()
    Switch $tmsg
        Case $mExit
            Exit
        Case $mOpen
            GUISetState (@SW_SHOW,$Form)
        case $mCheck
            _update ()
        case $mvault
            ShellExecute ($backuppath)
    EndSwitch
    
WEnd

Func Go($parameter)
    If not FileExists ($parameter) Then
        MsgBox (32,'Error!','The selected directory not found!','',$Form)
        Return
    EndIf
    GUISetState (@SW_HIDE,$Form)
    ProgressOn ('Scanning... Press Esc to abort',$parameter,'....',-1,-1,18)
    $size1 = DriveSpaceTotal  ($parameter) * 1024 * 1024
    ConsoleWrite($size1 & $parameter)
    $timer = TimerInit()
    $terminate = False
    $fileCount = 0

    $searchLocation = $parameter

    If StringRight($searchLocation, 1) = "\" Then $searchLocation = StringTrimRight($searchLocation, 1)

    $searchHandle = FileFindFirstFile($searchLocation & "\*.*")
    If ($searchHandle == -1) Then
        MsgBox(0, "Error", "The folder could not be opened.")
        Return
    EndIf
; Check if the folder was empty
    If (@error == 1) Then
        MsgBox(0, "Error", "The folder is empty")
        Return
    EndIf


    $answer = search($searchHandle, $searchLocation)
    If Not $answer Then Return

    FileClose($searchHandle)
    MsgBox (64,'Info','Done!','',$Form)
    ProgressOff ()
    Return
;GUICtrlSetData($ScanningFileI, "Completed!")

EndFunc;==>Go

Func search($searchHandle, $searchLocation)
    $toReturn = ""
    $terminate = False
    $fileCount = 0
    While (True)
        If $terminate = True Then
            $toReturn = ''
            ProgressOff ()
            GUISetState (@SW_SHOW,$Form)
            ExitLoop
        EndIf
        $file = FileFindNextFile($searchHandle)
        If @error Then
            ExitLoop
        EndIf

        $toReturn = $toReturn & $searchLocation & "\" & $file

;ConsoleWrite ($toReturn)
        $fileCount += 1
        $size2 += FileGetSize ($toReturn)
        ProgressSet (($size2 * 100)/$size1,FileGetShortName($toReturn,1))
        
        _scanfile($toReturn)
        
        $toReturn = ''
        $md5 = ''
        $attrib = FileGetAttrib($searchLocation & "\" & $file)
        If StringInStr($attrib, "D") Then
            $search2 = FileFindFirstFile($searchLocation & "\" & $file & "\*.*")
            $toReturn = $toReturn & search($search2, $searchLocation & "\" & $file)
        EndIf

    WEnd

    Return $toReturn
EndFunc;==>search
Func _scanfile($parameter)
    Local $i = 0
    If $terminate = true then
        $toReturn = '' 
        ProgressOff ()
        GUISetState (@SW_SHOW,$Form)
        Return
    EndIf
    
    Local $y = 0, $count = 0, $size = 0
    If Not StringInStr(FileGetAttrib($parameter), 'D') Then
        $md5 = _MD5ForFile($parameter)
;ConsoleWrite ($md5 & @CRLF)
    Else
        Return
    EndIf


    For $i = 1 To $split[0]
        If $split[$i] = $md5 Then
;create backup
            If GUICtrlRead ($backup) = 1 Then
                FileCopy ($parameter,$backuppath & StringReplace(StringReplace(_NowCalc (),'/',' '),':',' ') & '.bku',9)
                FileWriteLine ($backuppath & StringReplace(StringReplace(_NowCalc (),'/',' '),':',' ') & '.bku','backup')
            EndIf
;remove infected file
            If GUICtrlRead ($remove) = 4 Then
                $msg1 = MsgBox (4+262144+16,'Malware found!','Location : ' & $parameter & @CRLF & 'Size : ' & Round(FileGetSize ($parameter)/1024,2) & '  kB' & @CRLF & 'Malware found : ' & $split[$i-1],'',$Form)
                If $msg1 = 6 Then
                    _RunDOS  ('DEL ' & '"' & $parameter & '" /F /Q')
                Else
                    Return
                EndIf
            Else
                _RunDOS  ('DEL ' & '"' & $parameter & '" /F /Q')
            EndIf
            
        EndIf

    Next


;EndIf
    $toReturn = ''
    $md5 = ''
EndFunc;==>_scanfile

Func Terminate()
    $terminate = True
    If @InetGetActive Then
        InetGet ('abort')
    EndIf
    
EndFunc;==>Terminate
Func _MD5ForFile($sFile)

    Local $a_hCall = DllCall("kernel32.dll", "hwnd", "CreateFileW", _
            "wstr", $sFile, _
            "dword", 0x80000000, _; GENERIC_READ
            "dword", 1, _; FILE_SHARE_READ
            "ptr", 0, _
            "dword", 3, _; OPEN_EXISTING
            "dword", 0, _; SECURITY_ANONYMOUS
            "ptr", 0)

    If @error Or $a_hCall[0] = -1 Then
        Return SetError(1, 0, "")
    EndIf

    Local $hFile = $a_hCall[0]

    $a_hCall = DllCall("kernel32.dll", "ptr", "CreateFileMappingW", _
            "hwnd", $hFile, _
            "dword", 0, _; default security descriptor
            "dword", 2, _; PAGE_READONLY
            "dword", 0, _
            "dword", 0, _
            "ptr", 0)

    If @error Or Not $a_hCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFile)
        Return SetError(2, 0, "")
    EndIf

    DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFile)

    Local $hFileMappingObject = $a_hCall[0]

    $a_hCall = DllCall("kernel32.dll", "ptr", "MapViewOfFile", _
            "hwnd", $hFileMappingObject, _
            "dword", 4, _; FILE_MAP_READ
            "dword", 0, _
            "dword", 0, _
            "dword", 0)

    If @error Or Not $a_hCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(3, 0, "")
    EndIf

    Local $pFile = $a_hCall[0]
    Local $iBufferSize = FileGetSize($sFile)

    Local $tMD5_CTX = DllStructCreate("dword i[2];" & _
            "dword buf[4];" & _
            "ubyte in[64];" & _
            "ubyte digest[16]")

    DllCall("advapi32.dll", "none", "MD5Init", "ptr", DllStructGetPtr($tMD5_CTX))

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(4, 0, "")
    EndIf

    DllCall("advapi32.dll", "none", "MD5Update", _
            "ptr", DllStructGetPtr($tMD5_CTX), _
            "ptr", $pFile, _
            "dword", $iBufferSize)

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(5, 0, "")
    EndIf

    DllCall("advapi32.dll", "none", "MD5Final", "ptr", DllStructGetPtr($tMD5_CTX))

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(6, 0, "")
    EndIf

    DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
    DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)

    Local $sMD5 = Hex(DllStructGetData($tMD5_CTX, "digest"))

    Return SetError(0, 0, $sMD5)

EndFunc;==>_MD5ForFile

Func _update()
    If Not FileExists($dbpath) Then
        MsgBox(16, 'Error!', 'The malware database not found! Reinstall the program may fix the problem!', '', $Form)
        Exit
    EndIf
    
    FileCopy ($dbpath,$temp,9);back up
    
;bat dau lay phien ban
    ProgressOn ('Update Progress','Updating...','Initiazing...',-1,-1,18)
    $si = InetGetSize($Url)
    If @error Then
        MsgBox (16,'Error!','Could not update the database.Please check your network connection!','',$Form)
        ProgressOff ()
        Return
    EndIf
    
    $currentsi = FileGetSize($dbpath)
    
    If $si >= $currentsi Then
        $msg1 = MsgBox(4 + 32 + 262144, 'Auto Update', 'A new database released. Do you want to download it now?', '', $Form)
        If $msg1 = 6 Then

            InetGet($Url, @TempDir & '\database.3db', 1, 1)

            While @InetGetActive
                Sleep (150)
                ProgressSet((@InetGetBytesRead * 100)/$si, 'Downloading... ' & Round(@InetGetBytesRead / 1000, 0) & ' kB/' & Round($si / 1000, 0) & ' kB')
            WEnd
            
            Sleep(5000)
            ProgressOff ()
            
            If FileGetSize (@TempDir & '\database.3db') > FileGetSize ($dbpath) and FileGetSize (@TempDir & '\database.3db') = $si Then
                FileCopy (@TempDir & '\database.3db',$dbpath,9)
            Else
                MsgBox (32,'Error!','Database update progress failed!','',$Form)
                Return
            EndIf
                        
        Else
            MsgBox(64, 'Info', 'You have the latest database version!', '', $Form)
            ProgressOff ()
            Return
        EndIf
    Else
        MsgBox(64, 'Info', 'You have the latest database version!', '', $Form)
        ProgressOff ()
        Return
    EndIf

EndFunc;==>_update

Database : [download]

Special Thanks to :

- Prab

- trancexx

Edited by logmein
Link to comment
Share on other sites

  • 3 weeks later...
  • 2 weeks later...
  • 1 month later...

I think the database is too small. Who can help me improve it?

I would like to help, however what is the best editor for the .3db file.

Sadly I found your database at: Malwarepatrol.net

Just want to advise anyone to read the terms on there site before use of there db file.

Edited by Jman
Link to comment
Share on other sites

  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...