logmein

Malware Kill - a simple antimalware program


logmein

This is my anti-malware program; its database has over 3500 signatures and it supports online updates!

#include <GUIConstants.au3>
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <ButtonConstants.au3>
#include <GUIConstants.au3>
#include <process.au3>
#include <Date.au3>

Opt("TrayMenuMode", 1)            ; tray menu is handled by the main loop, no default items
HotKeySet('{Esc}', 'terminate')   ; Esc raises the abort flag (see Terminate)
;=================================================================
; Signature database, loaded once at startup.  Line ends are turned into
; tabs so that a single StringSplit yields every field of every line;
; $split[0] holds the element count (StringSplit convention).
Global $dbpath     = @ScriptDir & '\Database.3db'
Global $read       = FileRead($dbpath)
Global $split2     = StringReplace($read, @CRLF, @TAB)
Global $split      = StringSplit($split2, @TAB)
; Update source and on-disk locations.
; NOTE(review): the update URL is plain http and _update() only checks the
; byte count of what it downloads, so the channel is unauthenticated.
Global $url        = 'http://vantimalware.do.am/database.3db'
Global $backuppath = @ScriptDir & '\Backup\'
Global $temp       = @SystemDir & '\DatabaseBackupforURL.ini'
; Scan state shared by Go()/search()/_scanfile()/Terminate():
; $size1 = byte total used as 100 %, $size2 = bytes seen so far.
Global $size1 = '', $size2 = '', $terminate = False

;=================================================================
ConsoleWrite ('completed!')
#Region ### START Koda GUI section ### Form=C:\Program Files\Forms\main.kxf
; Main window.  Control ids are globals because the main loop and the scan
; functions read them (GUICtrlRead($Input), $remove, $backup).
Global $Form   = GUICreate("MalwareKill v 1.0.0.0 db : 00001", 374, 142, -1, -1)
Global $Label1 = GUICtrlCreateLabel("Choose a directory to scan :", 8, 8, 136, 17)
Global $Input  = GUICtrlCreateInput("", 8, 32, 334, 21)
Global $browse = GUICtrlCreateButton("...", 344, 31, 27, 24, 0)
GUICtrlSetCursor($browse, 0)
Global $remove = GUICtrlCreateCheckbox("&Remove infected item(s)", 8, 64, 137, 17)
Global $backup = GUICtrlCreateCheckbox("&Create backup", 8, 88, 97, 17)
Global $scan   = GUICtrlCreateButton("&Scan", 8, 112, 75, 25, 0)
GUICtrlSetFont($scan, 10, 800, 0, "MS Sans Serif")
GUICtrlSetCursor($scan, 0)
Global $about  = GUICtrlCreateButton("&About", 216, 112, 75, 25, 0)
GUICtrlSetCursor($about, 0)
Global $exit   = GUICtrlCreateButton("&Exit", 296, 112, 75, 25, 0)
GUICtrlSetCursor($exit, 0)
; Link-styled "[...]" label next to the backup checkbox; opens the vault folder.
Global $vault  = GUICtrlCreateLabel("[...]", 104, 90, 24, 17)
GUICtrlSetFont($vault, 8, 800, 0, "MS Sans Serif")
GUICtrlSetColor($vault, 0x0000FF)
GUICtrlSetCursor($vault, 0)

; Tray menu (empty-text items are separators).
TraySetClick("9")
Global $mOpen      = TrayCreateItem("&Open Control Panel")
Global $MenuItem9  = TrayCreateItem("")
Global $mVault     = TrayCreateItem("&Vaults")
Global $MenuItem7  = TrayCreateItem("")
Global $mCheck     = TrayCreateItem("&Check for Updates")
Global $MenuItem12 = TrayCreateItem("")
Global $mExit      = TrayCreateItem("&Exit")
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###
#EndRegion ### END Koda GUI section ###

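; Main message loop.  The window and the tray menu are polled in turn; the
; close box only hides the window (the program keeps running in the tray),
; while "Exit" from either place ends the process.  $about has no handler.
While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            GUISetState(@SW_HIDE, $Form)
        Case $browse
            ; Folder picker for the scan target; cancelling sets @error and
            ; leaves the current input untouched.
            $sFolder = FileSelectFolder("Choose a folder.", "")
            If Not @error Then GUICtrlSetData($Input, $sFolder)
        Case $scan
            If GUICtrlRead($Input) = '' Then
                MsgBox(16, 'Error!', 'Please select a directory to scan.', '', $Form)
            Else
                Go(GUICtrlRead($Input))
            EndIf
        Case $exit
            Exit
        Case $vault
            ShellExecute($backuppath)   ; open the backup folder
    EndSwitch
    $tmsg = TrayGetMsg()
    Switch $tmsg
        Case $mExit
            Exit
        Case $mOpen
            GUISetState(@SW_SHOW, $Form)
        Case $mCheck
            _update()
        Case $mVault
            ShellExecute($backuppath)
    EndSwitch
WEnd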

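; Scan the directory named in the input box.  Hides the main window, shows a
; progress box, walks the tree with search() and restores the window when the
; walk ends, whether it completed or was aborted with Esc.
; $parameter  directory path as typed/selected by the user.
Func Go($parameter)
    If Not FileExists($parameter) Then
        MsgBox(32, 'Error!', 'The selected directory not found!', '', $Form)
        Return
    EndIf

    ; Normalise the root so the pattern becomes "dir\*.*" without a doubled
    ; backslash.
    Local $searchLocation = $parameter
    If StringRight($searchLocation, 1) = "\" Then $searchLocation = StringTrimRight($searchLocation, 1)

    ; Open the listing before hiding the window so a failure can be reported
    ; without leaving the UI hidden and the progress box up.  FileFindFirstFile
    ; returns -1 for an unreadable folder and for an empty one; per its docs
    ; the empty case is flagged with @error = 1 (confirm for the AutoIt
    ; version in use).  The original tested @error only after returning on
    ; -1, so the "empty" message could never be shown.
    Local $searchHandle = FileFindFirstFile($searchLocation & "\*.*")
    If $searchHandle = -1 Then
        If @error = 1 Then
            MsgBox(0, "Error", "The folder is empty")
        Else
            MsgBox(0, "Error", "The folder could not be opened.")
        EndIf
        Return
    EndIf

    GUISetState(@SW_HIDE, $Form)
    ProgressOn('Scanning... Press Esc to abort', $parameter, '....', -1, -1, 18)

    ; Progress is bytes seen / total size of the drive holding $parameter
    ; (DriveSpaceTotal is in MB) — coarse, but needs no pre-pass.  Both
    ; counters are globals read by search(); reset them per scan so a second
    ; scan does not start at the previous percentage.
    $size1 = DriveSpaceTotal($parameter) * 1024 * 1024
    $size2 = 0
    $terminate = False
    ConsoleWrite($size1 & $parameter)

    ; search() returns the number of entries visited and leaves $terminate
    ; True when Esc aborted the walk (it restores the UI itself in that case).
    ; The original returned early here because search() always came back
    ; with '', so the handle leaked and the window stayed hidden.
    search($searchHandle, $searchLocation)
    FileClose($searchHandle)

    If Not $terminate Then
        ProgressOff()
        GUISetState(@SW_SHOW, $Form)
        MsgBox(64, 'Info', 'Done!', '', $Form)
    EndIf
    Return
EndFunc   ;==>Go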

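; Recursively walk the directory behind $searchHandle (an open
; FileFindFirstFile handle for "$searchLocation\*.*"): every entry is passed
; to _scanfile() and sub-directories are descended into.
; Returns the number of entries visited in this subtree, or 0 with
; $terminate = True when the walk was aborted with Esc (the UI is restored
; here in that case).
; $terminate is deliberately NOT reset here: Go() clears it once per scan.
; Resetting it on every recursive call, as before, discarded an Esc that
; arrived while a sub-directory was being entered.
Func search($searchHandle, $searchLocation)
    Local $visited = 0, $file, $path, $hChild

    While True
        ; Esc (Terminate) flipped the global: stop and show the window again.
        If $terminate Then
            ProgressOff()
            GUISetState(@SW_SHOW, $Form)
            Return 0
        EndIf

        $file = FileFindNextFile($searchHandle)
        If @error Then ExitLoop   ; no more entries (or an invalid handle)

        $path = $searchLocation & "\" & $file
        $visited += 1

        ; Running byte total over the drive-wide total set in Go(); guard
        ; the division in case DriveSpaceTotal returned 0.
        $size2 += FileGetSize($path)
        If $size1 > 0 Then ProgressSet(($size2 * 100) / $size1, FileGetShortName($path, 1))

        _scanfile($path)

        ; Descend.  The child handle is closed here; the original never closed
        ; it, leaking one find handle per directory.  -1 means nothing to list.
        If StringInStr(FileGetAttrib($path), "D") Then
            $hChild = FileFindFirstFile($path & "\*.*")
            If $hChild <> -1 Then
                $visited += search($hChild, $path)
                FileClose($hChild)
                If $terminate Then Return 0   ; child already restored the UI
            EndIf
        EndIf
    WEnd

    Return $visited
EndFunc   ;==>search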
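; Hash one file and look the hash up in the signature list; on a hit,
; optionally back the file up (Create backup box) and delete it (Remove box:
; checked = delete silently, unchecked = ask first).
; $parameter  full path produced by search().
; Directories, files whose hash could not be computed, and aborted scans are
; skipped without touching the file.
Func _scanfile($parameter)
    ; Esc pressed: restore the UI and stop; search() returns on its next turn.
    If $terminate Then
        ProgressOff()
        GUISetState(@SW_SHOW, $Form)
        Return
    EndIf

    ; Only regular files are hashed; search() handles directories.
    If StringInStr(FileGetAttrib($parameter), 'D') Then Return

    ; _MD5ForFile() returns "" with @error set when the file cannot be read
    ; (locked, zero-length, ...).  That value must never reach the comparison
    ; below: a blank database field (e.g. from the trailing line end) would
    ; "match" it and an innocent, merely unreadable file would be deleted.
    Local $md5 = _MD5ForFile($parameter)
    If @error Or $md5 = '' Then Return

    Local $i, $sName, $sStamp, $sBackup, $iAnswer
    For $i = 1 To $split[0]
        If $split[$i] = '' Then ContinueLoop   ; blank field, same reason as above
        If $split[$i] <> $md5 Then ContinueLoop

        ; The field before the hash is shown as the malware name (database
        ; layout as the author uses it).  $split[0] is the element count, so
        ; a hash in the very first field has no name to show.
        $sName = '(unknown)'
        If $i > 1 Then $sName = $split[$i - 1]

        ; Backup copy named by timestamp.  _NowCalc() has second resolution;
        ; @MSEC is appended so two hits in the same second do not overwrite
        ; each other (FileCopy flag 9 = overwrite + create folder).
        If GUICtrlRead($backup) = $GUI_CHECKED Then
            $sStamp  = StringReplace(StringReplace(_NowCalc(), '/', ' '), ':', ' ')
            $sBackup = $backuppath & $sStamp & ' ' & @MSEC & '.bku'
            FileCopy($parameter, $sBackup, 9)
            ; NOTE(review): appending a line alters the copy, so the backup no
            ; longer hashes to the original.  Kept as in the original; confirm
            ; it is intended (e.g. to neuter the sample in the vault).
            FileWriteLine($sBackup, 'backup')
        EndIf

        ; Remove box unchecked: ask before deleting (6 = Yes).
        If GUICtrlRead($remove) = $GUI_UNCHECKED Then
            $iAnswer = MsgBox(4 + 262144 + 16, 'Malware found!', _
                    'Location : ' & $parameter & @CRLF & _
                    'Size : ' & Round(FileGetSize($parameter) / 1024, 2) & '  kB' & @CRLF & _
                    'Malware found : ' & $sName, '', $Form)
            If $iAnswer <> 6 Then Return
        EndIf

        ; Delete directly rather than via a 'DEL "<path>" /F /Q' command line:
        ; there the file name was interpolated into a shell command, so a name
        ; containing quotes or & could break or alter the command.  Clearing
        ; the read-only bit mirrors DEL /F.
        FileSetAttrib($parameter, "-R")
        FileDelete($parameter)
        Return   ; the file is gone; no point comparing the remaining entries
    Next
EndFunc   ;==>_scanfile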

; Esc hotkey handler: raise the abort flag that search()/_scanfile() poll,
; and cancel a background database download if one is in flight.
Func Terminate()
    $terminate = True
    If @InetGetActive Then InetGet('abort')
EndFunc   ;==>Terminate
; MD5 of a file's contents through the Win32 API only: the file is opened
; read-only, mapped into memory and fed to advapi32's MD5Init/MD5Update/
; MD5Final in a single update call.  Code credited to trancexx.
;
; $sFile   full path of the file to hash.
; Returns  the hex string of the 16-byte "digest" field with @error = 0, or
;          "" with @error = 1..6 identifying the step that failed (open,
;          mapping, view, init, update, final).  Every handle or view acquired
;          before a failure is released on that path.
; NOTE(review): CreateFileMapping rejects a zero-length file, so an empty
; file presumably comes back as "" / @error = 2 rather than the MD5 of the
; empty string — callers must test @error (or an empty result) before using
; the value as a lookup key.  MD5 here only identifies a byte-identical
; sample; any change to the file yields a different hash.
Func _MD5ForFile($sFile)

    Local $a_hCall = DllCall("kernel32.dll", "hwnd", "CreateFileW", _
            "wstr", $sFile, _
            "dword", 0x80000000, _; GENERIC_READ
            "dword", 1, _; FILE_SHARE_READ
            "ptr", 0, _
            "dword", 3, _; OPEN_EXISTING
            "dword", 0, _; SECURITY_ANONYMOUS
            "ptr", 0)

    ; -1 is INVALID_HANDLE_VALUE.
    If @error Or $a_hCall[0] = -1 Then
        Return SetError(1, 0, "")
    EndIf

    Local $hFile = $a_hCall[0]

    $a_hCall = DllCall("kernel32.dll", "ptr", "CreateFileMappingW", _
            "hwnd", $hFile, _
            "dword", 0, _; default security descriptor
            "dword", 2, _; PAGE_READONLY
            "dword", 0, _
            "dword", 0, _
            "ptr", 0)

    If @error Or Not $a_hCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFile)
        Return SetError(2, 0, "")
    EndIf

    ; The mapping object keeps the file alive; the file handle itself is no
    ; longer needed.
    DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFile)

    Local $hFileMappingObject = $a_hCall[0]

    $a_hCall = DllCall("kernel32.dll", "ptr", "MapViewOfFile", _
            "hwnd", $hFileMappingObject, _
            "dword", 4, _; FILE_MAP_READ
            "dword", 0, _
            "dword", 0, _
            "dword", 0)

    If @error Or Not $a_hCall[0] Then
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(3, 0, "")
    EndIf

    ; Whole file is mapped (size 0 = entire file above); the byte count for
    ; MD5Update is taken from the file system.
    Local $pFile = $a_hCall[0]
    Local $iBufferSize = FileGetSize($sFile)

    ; Layout of advapi32's MD5_CTX; only "digest" is read back.
    Local $tMD5_CTX = DllStructCreate("dword i[2];" & _
            "dword buf[4];" & _
            "ubyte in[64];" & _
            "ubyte digest[16]")

    DllCall("advapi32.dll", "none", "MD5Init", "ptr", DllStructGetPtr($tMD5_CTX))

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(4, 0, "")
    EndIf

    DllCall("advapi32.dll", "none", "MD5Update", _
            "ptr", DllStructGetPtr($tMD5_CTX), _
            "ptr", $pFile, _
            "dword", $iBufferSize)

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(5, 0, "")
    EndIf

    DllCall("advapi32.dll", "none", "MD5Final", "ptr", DllStructGetPtr($tMD5_CTX))

    If @error Then
        DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
        DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)
        Return SetError(6, 0, "")
    EndIf

    DllCall("kernel32.dll", "int", "UnmapViewOfFile", "ptr", $pFile)
    DllCall("kernel32.dll", "int", "CloseHandle", "hwnd", $hFileMappingObject)

    ; Reading a ubyte array element without an index returns the whole array
    ; as binary; Hex() renders it as the digest string.
    Local $sMD5 = Hex(DllStructGetData($tMD5_CTX, "digest"))

    Return SetError(0, 0, $sMD5)

EndFunc;==>_MD5ForFile

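; Tray "Check for Updates": compare the remote database size with the local
; one, download the new file after confirmation and install it over $dbpath.
; Side effects: copies the current database to $temp first, drives a progress
; box, and re-parses the signature list ($read/$split) so the running process
; scans with the new database instead of the one loaded at startup.
; NOTE(review): $url is plain http and the only acceptance test is the byte
; count, so this channel is unauthenticated — whatever arrives with the
; expected size is installed.
Func _update()
    If Not FileExists($dbpath) Then
        MsgBox(16, 'Error!', 'The malware database not found! Reinstall the program may fix the problem!', '', $Form)
        Exit
    EndIf

    FileCopy($dbpath, $temp, 9)   ; keep a copy of the current database

    ProgressOn('Update Progress', 'Updating...', 'Initiazing...', -1, -1, 18)
    Local $si = InetGetSize($url)
    If @error Then
        MsgBox(16, 'Error!', 'Could not update the database.Please check your network connection!', '', $Form)
        ProgressOff()
        Return
    EndIf

    ; Size is the only version signal.  The install step below requires the
    ; download to be strictly larger than the local file, so an equal size
    ; (offered as "new" before) could never be installed; treat it as current.
    Local $currentsi = FileGetSize($dbpath)
    If $si <= $currentsi Then
        MsgBox(64, 'Info', 'You have the latest database version!', '', $Form)
        ProgressOff()
        Return
    EndIf

    Local $msg1 = MsgBox(4 + 32 + 262144, 'Auto Update', 'A new database released. Do you want to download it now?', '', $Form)
    If $msg1 <> 6 Then   ; anything but Yes
        MsgBox(64, 'Info', 'You have the latest database version!', '', $Form)
        ProgressOff()
        Return
    EndIf

    ; Background download so the progress box can be refreshed while waiting;
    ; Terminate() can cancel it via InetGet('abort').
    Local $sTmpFile = @TempDir & '\database.3db'
    InetGet($url, $sTmpFile, 1, 1)
    While @InetGetActive
        Sleep(150)
        ProgressSet((@InetGetBytesRead * 100) / $si, 'Downloading... ' & Round(@InetGetBytesRead / 1000, 0) & ' kB/' & Round($si / 1000, 0) & ' kB')
    WEnd
    Sleep(5000)   ; as in the original: let the transfer settle before sizing the file
    ProgressOff()

    ; Accept only a complete download that is larger than what we have.
    If FileGetSize($sTmpFile) > FileGetSize($dbpath) And FileGetSize($sTmpFile) = $si Then
        FileCopy($sTmpFile, $dbpath, 9)
        ; Re-parse so the new signatures are live without a restart.
        $read   = FileRead($dbpath)
        $split2 = StringReplace($read, @CRLF, @TAB)
        $split  = StringSplit($split2, @TAB)
    Else
        MsgBox(32, 'Error!', 'Database update progress failed!', '', $Form)
    EndIf
    Return
EndFunc   ;==>_update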

Database : [download]

Special Thanks to :

- Prab

- trancexx

Edited by logmein

LittleCoderNthai

Great!!!!!!!!! Tuyệt. Em cũng là Vietnamese nè. Cho em nick y! đi!

dexto

wow... thats a lot of work...

trancexx

@logmein; you are not obligated by anything to credit me for the code written by me and used by you. But if you do, please do it properly. If I wanted to be T, I wouldn't be t.

...nothing more.


♡♡♡

.

eMyvnE

dexto

MD5 with DllCalls looks really appetizing... is that your code trancexx?

trancexx

Yes it is.

Thanks for the correction logmein.


♡♡♡

.

eMyvnE

Info

Amazing work! Keep it coming!

euverve

I think it needs this....

case $browse

$var = FileSelectFolder("Choose a folder.", "")

if @error = 1 then ContinueLoop

GUICtrlSetData($Input, $var)

sloppyprogrammer

Very nice! :)


[center]They say that there is only 10 kinds of people that understand binary code; those who do, and those who don't...[/center][center]Get it? :P[/center]

Jman

I think the database is too small. Who can help me improve it?

I would like to help; however, what is the best editor for the .3db file?

Sadly I found your database at: Malwarepatrol.net

Just want to advise anyone to read the terms on their site before using their db file.

Edited by Jman

neology

I have the MD5 hashes of more than 17K files known as malware; they are embedded in my Neo Virus Remover database. :)

