Title: Making your own anti-virus
Question: How to be up to date against VBScript viruses?
Just make your own anti-virus! With Delphi, of course.
Answer:
{
Making your own anti-virus for VB-Script files.
How to be up to date against VBScript viruses?
Just make your own anti-virus! With Delphi, of course.
The technique relies on the Windows registry file association, not on any kernel or API hook:
a VBScript is a text file interpreted by a program called WScript.exe, and every .vbs file is
opened with that program because of the file association stored in the registry at
HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command.
The idea is to intercept that execution by replacing the command stored in this key, which
normally points to WScript.exe, with our own AntiVBS.exe (writing under HKEY_CLASSES_ROOT
requires administrative rights, so the installer must be run from a privileged account).
Now, when Windows opens a VBS file, it calls our program with the VBS file path as a parameter.
Since we now sit in front of the interpreter, we read the file and look for a virus mark. If a
mark is found we warn the user that the file is infected; otherwise we pass the parameter on to
the original interpreter, launching it with the WinExec API (do not ShellExecute the script
itself: that would consult the same file association and re-launch AntiVBS, which would re-launch
itself endlessly). Be aware of what this does and does not protect against: it is a plain
case-insensitive substring search against a list of marks, so it only catches scripts that are
already known, and it is bypassed by rewording or encoding a script, by running it through
cscript.exe/wscript.exe directly, or by using another scripting extension (.vbe, .wsf, .js, ...)
whose association was not changed.
Ok. But every time a new virus appears, do I have to change my program to identify it?
NO!!! Put the virus IDs in an ini file! There is a sample of this ini file at the end of this
article, and it already works for the Love-Letter virus. Put this file in the same folder as
AntiVBS.exe (the program looks for a file with its own name and the .ini extension next to itself).
Ok, ok. And would I have to write an install program for it?
NO!!! AntiVBS is a self-installer. Just put it in a folder and run it with no arguments.
Ok, ok, ok. And what if I want to remove it and restore the original file association?
Just run AntiVBS.exe with the /REMOVE option and the original command line saved at install time is put back.
That's all folks!!! Enjoy!
*You can copy, paste and compile! (Note that it is a program without units)
}
{Ths is a program with no units}
program AntiVBS;
uses
Windows,
SysUtils,
Registry,
IniFiles,
Classes;
{$R *.RES}
const
AntiVBSName = 'Anti-VBScript';  { caption and product name used in every message box }
ExecParameter = ' "%1" %*';     { argument template appended to our exe path in the registry:
                                  %1 is the script path, %* any further arguments }
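{ Scans Value (a NUL-terminated text buffer) for the virus marks listed in
  <exe name>.ini next to the executable and returns the NAME of the first
  definition that matches, or '' when nothing matches or the ini is absent.

  Ini layout (see the sample at the end of this file):
    [VIRUSDEFS]        one entry per definition: <label>=<section name>
    [<section name>]   NAME=<display name>, plus numbered entries whose values
                       are substrings to look for (matched case-insensitively).
  NAME and COMMENT entries are metadata and are never used as marks, so a
  benign script that merely contains a display name or a comment text is not
  flagged. Detection is a plain substring search: it is only as good as the
  marks in the ini file and is defeated by any rewording or encoding. }
function CheckViruses(Value: array of char): string;
var
  i, j: integer;
  Section, Mark, Haystack: string;
  VirDefs, VirIDs: TStringList;
  Ini: TIniFile;

  { True for the metadata keys that must not be treated as marks. }
  function IsMetaKey(const Key: string): boolean;
  var
    U: string;
  begin
    U := AnsiUpperCase(Trim(Key));
    Result := (U = 'NAME') or (U = 'COMMENT');
  end;

begin
  Result := '';
  Haystack := AnsiUpperCase(Value);   { fold once, not once per mark }
  VirDefs := TStringList.Create;
  VirIDs := TStringList.Create;
  Ini := TIniFile.Create(ChangeFileExt(ParamStr(0), '.ini'));
  try
    Ini.ReadSectionValues('VIRUSDEFS', VirDefs);
    for i := 0 to VirDefs.Count - 1 do
    begin
      if IsMetaKey(VirDefs.Names[i]) then
        Continue;
      Section := VirDefs.Values[VirDefs.Names[i]];
      if Section = '' then
        Continue;
      Ini.ReadSectionValues(Section, VirIDs);
      for j := 0 to VirIDs.Count - 1 do
      begin
        if IsMetaKey(VirIDs.Names[j]) then
          Continue;
        Mark := AnsiUpperCase(VirIDs.Values[VirIDs.Names[j]]);
        { Pos('', s) is 0 anyway; the explicit test makes the intent visible. }
        if (Mark <> '') and (Pos(Mark, Haystack) <> 0) then
        begin
          Result := Ini.ReadString(Section, 'NAME', 'VBScript - Virus');
          Exit;
        end;
      end;
    end;
  finally
    Ini.Free;
    VirIDs.Free;
    VirDefs.Free;
  end;
end;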
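{ Uninstall: puts back the command lines that SetupRegistry saved under the
  'Old' value for the Open and Open2 verbs of VBSFile, then drops the 'Old'
  values. Needs write access to HKEY_CLASSES_ROOT. A verb whose key cannot
  be opened is left untouched (the key is not created just to clean it), and
  a verb with no saved 'Old' value keeps its current command rather than
  being overwritten with an empty one. The success box is shown regardless. }
procedure RemoveAntiVBS;
var
  Reg: TRegistry;

  { Restores one verb's default value from 'Old' and removes 'Old'. }
  procedure RestoreVerb(const Key: string);
  var
    Saved: string;
  begin
    if not Reg.OpenKey(Key, False) then
      Exit;   { never installed here, or not writable: nothing to restore }
    try
      Saved := Reg.ReadString('Old');
      if Saved <> '' then
        Reg.WriteString('', Saved);
      Reg.DeleteValue('Old');
    finally
      Reg.CloseKey;
    end;
  end;

begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CLASSES_ROOT;
    RestoreVerb('VBSFile\Shell\Open\Command');
    RestoreVerb('VBSFile\Shell\Open2\Command');
    MessageBox(0, PChar(Format('The %s was uninstalled from your system with success!'#13+
      'In order to reintall it just run it again with no options.', [AntiVBSName])),
      AntiVBSName, MB_OK or MB_ICONASTERISK);
  finally
    Reg.Free;
  end;
end;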
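{ Install: makes this executable the handler for the Open and Open2 verbs of
  VBSFile, saving the previous command line under the 'Old' value so that
  RemoveAntiVBS can undo it. Our path is written double-quoted: an unquoted
  path with spaces (e.g. under "Program Files") would be split by the shell
  and could be hijacked by a shorter-named executable along the same path.
  When we are already installed from another location the user is asked
  before the association is re-pointed; when installed from this very path
  nothing is changed. Needs write access to HKEY_CLASSES_ROOT; if the key
  cannot be opened the procedure aborts silently. }
procedure SetupRegistry;
var
  OurCommand, InstalledPath: string;
  Reg: TRegistry;

  { Strips one pair of surrounding double quotes, if present. }
  function Unquote(const S: string): string;
  begin
    Result := S;
    if (Length(Result) >= 2) and (Result[1] = '"') and (Result[Length(Result)] = '"') then
      Result := Copy(Result, 2, Length(Result) - 2);
  end;

  { True when Cmd already names an executable with our file name. }
  function PointsAtUs(const Cmd: string): boolean;
  begin
    Result := Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(Cmd)) <> 0;
  end;

  { Points one verb at us, preserving the genuine original under 'Old'. }
  procedure HookVerb(const Key: string);
  var
    Current: string;
  begin
    if not Reg.OpenKey(Key, True) then
      Abort;
    try
      Current := Reg.ReadString('');
      { Only save the current handler when it is not already us; otherwise a
        reinstall would overwrite 'Old' with our own path and RemoveAntiVBS
        could never get back to the real interpreter. }
      if not PointsAtUs(Current) then
        Reg.WriteString('Old', Current);
      Reg.WriteString('', OurCommand);
    finally
      Reg.CloseKey;
    end;
  end;

  procedure AddAntiVBS;
  begin
    HookVerb('VBSFile\Shell\Open\Command');
    HookVerb('VBSFile\Shell\Open2\Command');
    MessageBox(0, PChar('The Anti-VBScript was installed in your system with success!'#13+
      'In order to uninstall it just run it with the /REMOVE option.'),
      AntiVBSName, MB_OK or MB_ICONINFORMATION);
  end;

begin
  OurCommand := '"' + ParamStr(0) + '"' + ExecParameter;
  Reg := TRegistry.Create;
  try
    Reg.Access := KEY_READ or KEY_WRITE;   { values are read and set; nothing more is needed }
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if not Reg.OpenKey('VBSFile\Shell\Open\Command', True) then
      Abort;
    InstalledPath := Reg.ReadString('');
    Reg.CloseKey;
    { Reduce the stored command to a bare exe path: drop our argument template
      (Delete with index 0 is a no-op, so a foreign command is left intact)
      and the quotes we add around the path. }
    Delete(InstalledPath, Pos(ExecParameter, InstalledPath), Length(InstalledPath));
    InstalledPath := Unquote(InstalledPath);
    if PointsAtUs(InstalledPath) then
    begin
      if AnsiUpperCase(ParamStr(0)) <> AnsiUpperCase(InstalledPath) then
      begin
        if MessageBox(0, PChar(Format('The %s is already installed in you system at'#13+
            '%s'#13#13+
            'Do you want to reinstall it from '#13'%s ?',
            [AntiVBSName, InstalledPath, ParamStr(0)])),
            AntiVBSName, MB_YESNO or MB_ICONINFORMATION or MB_SYSTEMMODAL) = IDYES then
          AddAntiVBS;
      end
      else
        MessageBox(0, PChar(Format('The %s is already installed in you system at'#13#13'%s', [AntiVBSName, ParamStr(0)])),
          AntiVBSName, MB_OK or MB_ICONINFORMATION or MB_SYSTEMMODAL);
    end
    else
      AddAntiVBS;
  finally
    Reg.Free;
  end;
end;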
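var
  F: file;
  R, i: integer;
  Value: array[1..16384] of char;
  Verdict, Cmd, ExtraArgs: string;

{ Reads the interpreter command line that SetupRegistry saved under the
  'Old' value of VBSFile\Shell\Open\Command (for example
  C:\WINDOWS\WScript.exe "%1" %*). Returns '' when nothing is stored or the
  key cannot be read. }
function SavedHandlerCommand: string;
var
  Reg: TRegistry;
begin
  Result := '';
  Reg := TRegistry.Create;
  try
    Reg.Access := KEY_READ;
    Reg.RootKey := HKEY_CLASSES_ROOT;
    if Reg.OpenKey('VBSFile\Shell\Open\Command', False) then
    begin
      Result := Reg.ReadString('Old');
      Reg.CloseKey;
    end;
  finally
    Reg.Free;
  end;
end;

{ Replaces the first occurrence of Token in S by By; S is unchanged when the
  token is absent. }
procedure ReplaceToken(var S: string; const Token, By: string);
var
  P: integer;
begin
  P := Pos(Token, S);
  if P <> 0 then
  begin
    Delete(S, P, Length(Token));
    Insert(By, S, P);
  end;
end;

{ Entry point.
    no arguments    -> install (SetupRegistry)
    /REMOVE         -> uninstall (RemoveAntiVBS)
    <file> [args]   -> scan <file> (the .vbs Windows asked us to open) and,
                       when no mark matches, hand it to the interpreter that
                       was registered before we installed, falling back to
                       WScript.exe when no saved handler is usable.
  The scan reads the file in chunks of SizeOf(Value)-1 bytes and checks each
  chunk on its own, so a mark that straddles a chunk boundary is not seen;
  keep marks short. Only the VBSFile association is intercepted: a script
  started through cscript.exe/wscript.exe directly, or under another
  extension, never reaches this program. }
begin
  if ParamCount = 0 then
    SetupRegistry
  else if AnsiUpperCase(ParamStr(1)) = '/REMOVE' then
    RemoveAntiVBS
  else if FileExists(ParamStr(1)) then
  begin
    AssignFile(F, ParamStr(1));
    FileMode := 0; { read-only: the script is never written to }
    Reset(F, 1);
    try
      repeat
        { Zero the buffer before every read so bytes left over from a longer
          previous chunk cannot combine with the new one into a false match;
          the last cell is never written, keeping the buffer NUL-terminated. }
        FillChar(Value, SizeOf(Value), 0);
        BlockRead(F, Value[1], SizeOf(Value) - 1, R);
        if R = 0 then
          Break;
        Verdict := CheckViruses(Value);
        if Verdict <> '' then
        begin
          MessageBox(0, PChar(Format('The file %s is possibly infected by a virus:'#13#13' %s'#13#13'Its execution is denied.',
            [ParamStr(1), '"' + Verdict + '"'])),
            AntiVBSName, MB_ICONHAND or MB_SYSTEMMODAL);
          Exit;   { the finally below closes the file }
        end;
      until EOF(F);
    finally
      { Close before launching the interpreter so it does not compete with
        our open handle on the script. }
      CloseFile(F);
    end;

    { Forward to the original handler. A saved command that names this
      program again would re-enter us endlessly (the "dead lock" the article
      warns about), so such a value is treated as absent. }
    Cmd := SavedHandlerCommand;
    if (Cmd = '') or
       (Pos(AnsiUpperCase(ExtractFileName(ParamStr(0))), AnsiUpperCase(Cmd)) <> 0) then
      Cmd := 'WScript.exe "%1" %*';

    { Everything after the script path arrived through %* and is passed on;
      arguments containing spaces are re-quoted so they stay one argument. }
    ExtraArgs := '';
    for i := 2 to ParamCount do
    begin
      if ExtraArgs <> '' then
        ExtraArgs := ExtraArgs + ' ';
      if Pos(' ', ParamStr(i)) <> 0 then
        ExtraArgs := ExtraArgs + '"' + ParamStr(i) + '"'
      else
        ExtraArgs := ExtraArgs + ParamStr(i);
    end;

    { Substitute the script path quoted; avoid doubling quotes that the
      stored command already carries around %1. }
    if Pos('"%1"', Cmd) <> 0 then
      ReplaceToken(Cmd, '"%1"', '"' + ParamStr(1) + '"')
    else if Pos('%1', Cmd) <> 0 then
      ReplaceToken(Cmd, '%1', '"' + ParamStr(1) + '"')
    else
      Cmd := Cmd + ' "' + ParamStr(1) + '"';
    ReplaceToken(Cmd, '%*', ExtraArgs);

    { WinExec rather than ShellExecute: ShellExecute would consult the
      VBSFile association again and start this program instead of the
      interpreter. A return value below 32 means the launch failed. }
    if WinExec(PChar(Cmd), SW_SHOW) < 32 then
      MessageBox(0, PChar(Format('Could not start the script interpreter:'#13#13'%s', [Cmd])),
        AntiVBSName, MB_OK or MB_ICONHAND);
  end;
end.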
{======================================================================}
The ini file:
[VIRUSDEFS]
COMMENT= One entry per virus definition: any label = name of the section holding its marks.
LOVELETTER=LOVELETTER_IDS
[LOVELETTER_IDS]
COMMENT= NAME is the text shown to the user; the numbered values are substrings that occur in the virus file (matched case-insensitively, so keep each one short enough to fit in a single 16 KB read).
NAME=Love Letter Virus (vbs macro)
1=loveletter
2=spreadtoemail()
3=MSKernel32.vbs
4=Win32DLL.vbs
5=LOVE-LETTER-FOR-YOU.TXT.vbs