membuat antivirus sederhana dengan menggunakan visual basic
DESCRIPTION
AntivirusTRANSCRIPT
Membuat Antivirus Sederhana Dengan Menggunakan Visual BasicPublished on April 8, 2013 by Pernando Setiarman Sihombing · 9 Comments
PENDAHULUAN
Sekarang kehadiran para virus maker (–selanjutnya disingkat jadi VM saja) lokal telah membuat gerah para user
komputer tanah air. Bisa dibayangkan bila dari sekian banyak virus lokal tidak satu-dua yang menghancurkan data
(terutama bagi file office; word, excel, dll…). Bagi para vendor Anti Virus (–selanjutnya disingkat menjadi AV saja)
fenomena ini adalah lahan bisnis untuk produk mereka. Sebut saja NORMAN, yang kini men-support perusahaan
konsultan virus lokal (–VAKSIN.COM) , Symantec, McAffe, NOD32, dan sebagainya. Dengan menawarkan update
definisi software AV tercepat, engine scanner paling sensitif, dan lain-lain merupakan kiat untuk memancing para
korban virus membeli dan menggunakan software AV mereka. Bagi penulis sendiri hal ini memang agak
memberatkan mengingat update file definisi atau engine AV tsb haruslah melalui koneksi internet. Lalu bagaimana
yang tidak mempunyai akses sama sekali? Konsekuensinya iyalah tertinggal dalam hal pengenalan varian virus baru
yang pada ujung-ujungnya membuat AV yang sudah terinstall bagai ‘Macan Ompong’. Kalau kita membuat AV
sendiri bagaimana? dengan database definisi yang bisa diupdate oleh kita bahkan dapat saling tukar dengan teman?
Bisa saja, dengan syarat mau mempelajari sedikit teknik pemograman.Pertama kita harus mengerti bagaimana cara
kerja sebuah AV sederhana, pada dasarnya sebuah software AV mempunyai komponen-komponen :
1. Engine scanner, ini merupakan komponen utama AV dalam mengenali sebuah pattern virus. Engine ini
dapat dikelompokkan menjadi statis dan dinamis. Statis dalam hal ini dapat disebut menjadi spesifik
terhadap pattern tertentu dari sebuah file virus. Checksum merupakan salah satu contoh dari engine
statis ini. Dinamis dalam artian dia mengenali perilaku ‘umum’ sebuah virus. Heuristic menjadi salah
satu contohnya.
2. Database definition, menjadi sebuah referensi dari sebuah pattern file virus. Engine statis sangat
bergantung kepada komponen ini.
3. Decompress atau unpacking engine, khusus untuk pengecekan file-file yang terkompresi (*.rar, *.zip,
dll) atau kompresi atau packing untuk file PE seperti UPX, MeW , dll.
Tidak jarang hasil dari pengecekan terhadap file suspect virus menghasilkan false-positive bahkan false-negative (–
false-positive berarti file yang bersih dianggap thread oleh AV, dan false-negative berarti file yang 100% thread akan
dianggap bersih). Semua itu dapat diakibatkan oleh ketidak-sempurnaan dari engine scanner itu sendiri.
Misal pada contoh kasus Engine String scanner (–Engine scanner yang menyeleksi string-string dari file text-based),
bila diterapkan rule 3 out of 5 (– bila AV menemukan 3 dari daftar 5 string kategori malicious) maka AV akan
memberikan bahwa file terindikasi sebuah thread yang positif. Padahal file tsb nyatanya tidak menimbulkan efek
berbahaya bila dijalankan atau dieksekusi. Kesalahan scanning macam ini lazim ditemukan untuk file-file *.VBS,
*.HTML, dll. Untuk penggunaan engine checksum sangat banyak ditemui di beberapa software AV lokal. Checksum
yang lazim digunakan diantaranya CRC16, CRC32, MD5, dll. Dikarenakan mudah untuk diimplementasikan. Engine
ini sendiri bukannya tanpa cacat, Checksum bekerja dengan memproses byte demi byte dari sebuah file dengan
sebuah algoritma tertenu (– tergantung dari jenis checksum yang digunakan) sehingga menghasilkan sebuah format
tertentu dari file tsb. Contoh checksum menggunakan CRC32 dan MD5 :
* calCrc = CRC32(file_name_and_path)
* calMD5 = MD5(file_name_and_path)
Maka isi dari string calCrc adalah 7AF9E376, sedangkan untuk MD5nya adalah
529CA8050A00180790CF88B63468826A. Perlu diketahui bila virus menerapkan rutin yang mengubah byte tertentu
dari badan virus tsb setiap kali maka penggunaan engine checksum ini akan kurang optimal karena bila 1 byte
berubah dari file maka checksum juga akan berubah.
Mari kita belajar membuat sebuah AV sederhana, yang diperlukan :
1. Software Visual Basic 6.0
2. Sedikit pemahaman akan pemograman Visual Basic 6.0
3. Sampel file bersih atau virus (– opsional)
Baiklah Sobat PalComSter , Setelah memahami Pendahuluan diatas. langsung saja kita ke isi materi hari ini
yaitu Membuat Antivirus Sederhana Dengan Menggunakan Visual Basic. Berikut caranya :
Langkah 1
Buka program microsoft visual basic 6.0 -> Standard EXE -> OK.
Maka akan tampil form baru sesuai dengan gambar di bawah,desain form sesuai keinginan anda.
Beri nama form tersebut : frmUtama
Langkah 2
Setelah form selesai di rubah namanya tambahkan component Mscomctl.Ocx dengan cara. Klik Project -
> Components -> Microsoft Windows Common Controls 6.0 -> lalu klik OK Contoh seperti gambar di bawah.
Setelah component sukses di tambahkan langkah selanjutnya adalah menambah Command Button,Textbox,Listview,
Picture Box
disini saya menggunakan desain yang sangat sederhana,desain bisa anda rubah sendiri sesuai kreatifitas anda.
- Tambahkan Listview kedalam form dan beri nama lvScan
yang saya kasih garis merah adalah listview yang telah di tambahkan ke dalam form.
setelah itu setting listview dengan cara
Klik Listview -> Disebelah kanan bawah ada kotak properties -> Custom
lalu ikuti settingan seperti pada gambar di bawah ini.
Lalu pada tab Column Headers klik insert column
- Column 1 beri nama : Virus Name
- Column 2 beri nama : Path
- Column 3 beri nama : Checksum Virus
- Column 4 beri nama : Status Virus
lalu klik Ok
Tambahkan picture box buat picture box itu sekecil mungkin dan beri nama sIcon
Setting :
Appearance : Flat
Auto Redraw : True
Border Style : None
Visible : False
Tambahkan Textbox ke dalam form dengan nama txtPath
Setting :
Appearance : Flat
Border Style : None
Tambahkan Command Button dengan nama cmdBrowse di samping Textbox yang telah di buat tadi
Setting :
Caption : …
Masukan Code ini ke dalam cmdBrowse.
Spoiler:
Code:<code>Dim Pathnya As StringPathnya = ""Pathnya = BrowseFolder("Pilih folder yang akan di Scan:", Me)If Pathnya <> "" ThentxtPath.Text = PathnyaEnd If</code>
Code di atas berfungsi untuk membuka kotak dialog yang berisi path” yang ada di dalam komputer.
Lalu mencetaknya ke dalam textbox yang bernama txtPath.
Tambahkan label dengan nama default.
Setting :Caption : Dir Scanned
Tambahkan label dengan nama lblDirScan
Setting :
Caption : 0
Tambahkan label dengan nama default
Setting :
Caption : Detected
Tambahkan label dengan nama lblFileDet
Setting :
Caption : 0
Tambahkan label dengan nama default
Setting :
Caption : File Scanned
Tambahkan label dengan nama lblFileScan
Setting :
Caption : 0
Tambahkan Textbox dengan nama txtFileScan
Setting :
Multiline : TrueScroll Bar : 2-Vertical
Tambahkan Command Button dengan nama cmdScan
Setting :
Caption : &Scan
123456789101112131415161718192
Spoiler:'Code:If cmdScan.Caption = "Scan" ThenPathnya = txtPath.TextIf Mid(Pathnya, 2, 1) <> ":" Or Pathnya = "" ThenMsgBox "Direktori Tidak Ditemukan", vbCritical, "Error"Exit SubElselvScan.Enabled = FalsecmdEnable False, False, Falseclear_logcmdScan.Caption = "Stop"StopScan = FalseFindFilesEx txtPath.Text, CBool(chkSubDir.Value)MsgBox "Scan finished !" & vbNewLine & vbNewLine & "Total Dir Scanned = " &vbNewLine & "Total File Scanned = " & lblFileScan.Caption & vbNewLine & "Totalation, "Finish"If lblFileDet.Caption <> "0" ThencmdEnable True, True, TrueElsecmdEnable False, False, TrueEnd IflvScan.Enabled = TruecmdScan.Caption = "Scan"End IfElsecmdScan.Caption = "Scan"StopScan = TrueEnd If
02122232425262728
fungsi kode di atas adalah untuk memulai scan pada antivirus
Tambahkan Command Button dengan nama cmdAction
Setting :
Caption : &Delete
Tambahkan Command Button dengan nama cmdAction
Setting :
Caption : &Quarantine
Tambahkan Command Button dengan nama cmdViewQ
Setting :
Caption : &View Quarantine File
Tambahkan Command Button dengan nama cmdAction
Setting :
Caption : &Delete
Tambahkan kode ini di dalamnya
1 Spoiler:
2345678910111213141516
'Code:<pre>Dim DftrFile As StringDftrFile = GetSelected(lvScan)If DftrFile = "" ThenMsgBox "No Detected File(s) Selected", vbCritical, ""Exit SubEnd IfSelect Case IndexCase 0clean = Action(DftrFile, lvScan, "D")MsgBox clean & " File(s) has been deleted"Case 1clean = Action(DftrFile, lvScan, "Q")MsgBox clean & " File(s) has been quarantine"End Select
Fungsi di atas adalah fungsi untuk menghapus/mengkarantina file yang terdeteksi
Tambahkan Command Button dengan nama cmdAction
Setting :
Caption : &Quarantine
Tambahkan Command Button dengan nama cmdViewQ
Setting :
Caption : &View Quarantine File
Lalu masukan code ini ke dalamnya
Spoiler:
Me.hide
frmquarantine.show
Code di atas berfungsi untuk memunculkan form quarantine dan meng enabled form utama
nah selesai untuk memasukan control ke dalam formnya
contoh form yang telah selesai.
lalu klik kanan pada form masukan kode di bawah ini
1234567891011121314151617
Spoiler:
/Code: Private Sub lvScan_ItemCheck(ByVal Item As MSComctlLib.ListItem) UnSelect lvScan, "Di Karantina" UnSelect lvScan, "Di Hapus" End Sub
Private Function cmdEnable(hapus As Boolean, Quarantine As Boolean, openQuarantine As Boolean) cmdAction(0).Enabled = hapus cmdAction(1).Enabled = Quarantine cmdViewQ.Enabled = openQuarantine End Function
Private Function clear_log() lblDirScan.Caption = 0 lblFileScan.Caption = 0 lblFileDet.Caption = 0 lvScan.ListItems.Clear jumlahDir = 0 jumlahFile = 0 jumlahVirus = 0 End Function
181920212223
lalu di Form_load() masukan kode ini
Spoiler:
‘Code:
On Error Resume Next
MkDir "Quarantine"
BuildDatabase
Lalu buatlah 1 module dengan nama modAPI.
Lalu tambahkan code di bawah ini:
123456789101112131415161718192021
Spoiler:
'Code: Public Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName Public Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileA" (ByVal hFindFile Public Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long Public Declare Function PathIsDirectory Lib "shlwapi.dll" Alias "PathIsDirectoryA" (ByVal Public Declare Function CopyFile Lib "kernel32.dll" Alias "CopyFileA" (ByVal lpExistingFileName Public Declare Function MoveFile Lib "kernel32.dll" Alias "MoveFileA" (ByVal lpExistingFileName Public Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName Public Declare Function PathFileExists Lib "shlwapi.dll" Alias "PathFileExistsA" (ByVal Public Declare Function GetSystemDirectory Lib "kernel32.dll" Alias "GetSystemDirectoryA" Public Declare Function GetWindowsDirectory Lib "kernel32.dll" Alias "GetWindowsDirectoryA" Public Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" Public Declare Function SHBrowseForFolder Lib "shell32.dll" Alias "SHBrowseForFolderA" Private Declare Function RealizePalette Lib "gdi32" (ByVal hDC As Long) As Long Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileNames As Any, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Public Declare Function GetFileSize Lib "kernel32" (ByVal hFile As Long, lpFileSizeHigh Public Declare Function VirtualAlloc Lib "kernel32" (lpAddress As Any, ByVal dwSize As Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, Long Public Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any,) As Long
22232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
Public Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove Public Declare Function SetEndOfFile Lib "kernel32" (ByVal hFile As Long) As Long
Public Const GENERIC_READ = &H80000000 Public Const GENERIC_WRITE = &H40000000 Public Const FILE_SHARE_READ = &H1 Public Const OPEN_EXISTING = 3 Public Const FILE_ATTRIBUTE_NORMAL = &H80 Public Const INVALID_HANDLE_VALUE = -1 Public Const FILE_END = 2 Public Const FILE_BEGIN = 0 Public Const FILE_CURRENT = 1 Public Const LWA_COLORKEY = &H1 Public Const GWL_EXSTYLE = (-20) Public Const WS_EX_LAYERED = &H80000 Public Const MAX_PATH = 260 Public Const SW_SHOWNORMAL = 1
Public Type FileTime dwLowDateTime As Long dwHighDateTime As Long End Type
Public Type WIN32_FIND_DATA dwFileAttributes As Long ftCreationTime As FileTime ftLastAccessTime As FileTime ftLastWriteTime As FileTime nFileSizeHigh As Long nFileSizeLow As Long dwReserved0 As Long dwReserved1 As Long cFileName As String * MAX_PATH cAlternate As String * 14 End Type
Type BROWSEINFO hOwner As Long pidlRoot As Long pszDisplayName As String lpszTitle As String ulFlags As Long lpfn As Long lParam As Long iImage As Long End Type
'untuk browse folder Public Function BrowseFolder(ByVal aTitle As String, ByVal aForm As Form) As String Dim bInfo As BROWSEINFO Dim rtn&, pidl&, path$, pos% Dim BrowsePath As String bInfo.hOwner = aForm.hWnd bInfo.lpszTitle = aTitle bInfo.ulFlags = &H1 pidl& = SHBrowseForFolder(bInfo)
6869707172737475767778798081828384858687888990919293949596979899100101102103104105106
path = Space(512) t = SHGetPathFromIDList(ByVal pidl&, ByVal path) pos% = InStr(path$, Chr$(0)) BrowseFolder = Left(path$, pos - 1) If Right$(Browse, 1) = "\" Then BrowseFolder = BrowseFolder Else BrowseFolder = BrowseFolder + "\" End If If Right(BrowseFolder, 2) = "\\" Then BrowseFolder = Left(BrowseFolder, Len(BrowseFolder) If BrowseFolder = "\" Then BrowseFolder = "" End Function
Public Function StripNulls(ByVal OriginalStr As String) As String If (InStr(OriginalStr, Chr$(0)) > 0) Then OriginalStr = Left$(OriginalStr, InStr(OriginalStr, Chr(0)) - 1) End If StripNulls = OriginalStr End Function
'fungsi untuk menentukan file script atau bukan Public Function IsScript(Filename As String) As Boolean IsScript = False ext = Split("|vbs|vbe", "|") For i = 1 To UBound(ext) If LCase(Right(Filename, 3)) = LCase(ext(i)) Then IsScript = True Next End Function
Code di atas adalah Fungsi API yang di butuhkan untuk antivirus
Buat 1 module dengan nama modChecksum
masukan code di bawah ini.
1234567891011121314151617181920212223242
Spoiler:
'Code: Public Function GetChecksum(FilePath As String) As String Dim CheckSum(1 To 2) As String CheckSum(1) = CalcBinary(FilePath, 499, 4500) CheckSum(2) = CalcBinary(FilePath, 499, 4000) GetChecksum = CheckSum(1) & CheckSum(2) End Function Public Function CalcBinary(ByVal lpFileName As String, ByVal lpByteCount As Long, Optional) As String On Error GoTo err Dim Bin() As Byte Dim ByteSum As Long Dim i As Long ReDim Bin(lpByteCount) As Byte Open lpFileName For Binary As #1 If StartByte = 0 Then Get #1, , Bin Else Get #1, StartByte, Bin End If Close #1 For i = 0 To lpByteCount ByteSum = ByteSum + Bin(i) ^ 2 Next i CalcBinary = Hex$(ByteSum) Exit Function err: CalcBinary = "00" End Function
52627282930
potongan code di atas di gunakan untuk meng kalkulasi checksum
Buat 1 module lagi dengan nama modDatabase
lalu tambahkan code di bawah ini.
1234567891011121314151617181
Spoiler:
'Code: Public VirusDB(5), IconDB(48), Bahaya(5) As String Public Sub BuildDatabase() Call Checksum_DB Call IconCompare_DB Call Script_DB End Sub Private Sub Checksum_DB() VirusDB(1) = "Alman.A|8911D290F723" VirusDB(2) = "Malingsi.A|A6292EA60230" VirusDB(3) = "Conficker.A|9EC112ABB2F3" VirusDB(4) = "N4B3.A|B5CCD36CDB98" VirusDB(5) = "N4B3.B|A1FE6D6DBE07" End Sub Public Sub IconCompare_DB() On Error Resume Next IconDB(1) = "20938B2" IconDB(2) = "19F4ED6" IconDB(3) = "133BE0B" IconDB(4) = "18EDEAE" IconDB(5) = "1EF89C2" IconDB(6) = "1C915FF" IconDB(7) = "24563C4" IconDB(8) = "1B2DB74" IconDB(9) = "208EA72" IconDB(10) = "22A064D" IconDB(11) = "19B64EE" IconDB(12) = "1D4B7E1" IconDB(13) = "2087762" IconDB(14) = "29C7258" IconDB(15) = "1B18705" IconDB(16) = "1B5FCAB" IconDB(17) = "126D4CF"
9202122232425262728293031323334353637383940414
IconDB(18) = "1C58E5C" IconDB(19) = "15D7730" IconDB(20) = "1FB82B7" IconDB(21) = "112763E" IconDB(22) = "2165AF9" IconDB(23) = "25F46BE" IconDB(24) = "206556B" IconDB(25) = "22A8D69" IconDB(26) = "19237F8" IconDB(27) = "15022B4" IconDB(28) = "1D8B4EB" IconDB(29) = "1DBC1EA" IconDB(30) = "2333F5D" IconDB(31) = "1F37C2F" IconDB(32) = "1C9CCA4" IconDB(33) = "1DFDFB4" IconDB(34) = "1C1283E" IconDB(35) = "1F6598C" IconDB(36) = "27F4C1A" IconDB(37) = "22F92E0" IconDB(38) = "191DBDC" IconDB(39) = "27BFE4A" IconDB(40) = "20E0907" IconDB(46) = "2FA4C88" IconDB(47) = "25AA630" IconDB(48) = "1DE28E2" End Sub Public Sub Script_DB() On Error Resume Next Bahaya(1) = "Scripting.FileSystemObject|Wscript.ScriptFullName|WScript.Shell|.regwrite|.copy" Bahaya(2) = "Wscript.ScriptFullName|createobject|strreverse|.regwrite" Bahaya(3) = "createobject|Wscript.ScriptFullName|.regwrite|[autorun]" Bahaya(4) = "createobject|Wscript.ScriptFullName|specialfolder|.regwrite" Bahaya(5) = "chr(asc(mid(|createobject|Wscript.ScriptFullName|.GetFolder|.RegWrite" End Sub
2434445464748495051525354555657585960616263646
56667686970
potongan code di atas adalah database pada antivirusnya
Buat lagi 1 buah module dengan nama modQuar
masukan code yang ada di bawah ini.
1234567891011121314151617181
Spoiler: Code: Option Explicit Public Function EncodeFile(SourceFile As String, DestFile As String) Dim ByteArray() As Byte, Filenr As Integer Filenr = FreeFile Open SourceFile For Binary As #Filenr ReDim ByteArray(0 To LOF(Filenr) - 1) Get #Filenr, , ByteArray() Close #Filenr Call Coder(ByteArray()) If (PathFileExists(DestFile)) <> 0 Then DeleteFile DestFile Open DestFile For Binary As #Filenr Put #Filenr, , ByteArray() Close #Filenr End Function Public Function DecodeFile(SourceFile As String, DestFile As String) Dim ByteArray() As Byte, Filenr As Integer Filenr = FreeFile Open SourceFile For Binary As #Filenr ReDim ByteArray(0 To LOF(Filenr) - 1) Get #Filenr, , ByteArray() Close #Filenr Call DeCoder(ByteArray()) If (PathFileExists(DestFile)) <> 0 Then DeleteFile DestFile Open DestFile For Binary As #Filenr Put #Filenr, , ByteArray() Close #Filenr End Function Private Sub Coder(ByteArray() As Byte) Dim x As Long Dim Value As Integer Value = 0
9202122232425262728293031323334353637383940414
For x = 0 To UBound(ByteArray) Value = Value + ByteArray(x) If Value > 255 Then Value = Value - 256 ByteArray(x) = Value Next End Sub Private Sub DeCoder(ByteArray() As Byte) Dim x As Long Dim Value As Integer Dim newValue As Integer newValue = 0 For x = 0 To UBound(ByteArray) Value = newValue newValue = ByteArray(x) Value = ByteArray(x) - Value If Value < 0 Then Value = Value + 256 ByteArray(x) = Value Next End Sub
243444546474849
Code di atas adalah code untuk enkripsi/dekripsi pada virus yang akan di karantina
Buat lagi 1 module dengan nama modHeuristic
lalu masukan code di bawah ini:
123456789101112131415161718192021222324
Spoiler:
'Code: Private Declare Function ExtractIconEx Lib "shell32.dll" Alias "ExtractIconExA" (ByVal l As Long, ByVal nIcons As Long) As Long Private Declare Function DestroyIcon Lib "user32.dll" (ByVal hIcon As Long) As Long Private Declare Function DrawIconEx Lib "user32" (ByVal hDC As Long, ByVal xLeft As Long,ByVal istepIfAniCur As Long, ByVal hbrFlickerFreeDraw As Long, ByVal diFlags As Long) As Private Declare Function ExtractIcon Lib "shell32.dll" Alias "ExtractIconA" (ByVal hInst Private Const DI_MASK = &H1 Private Const DI_IMAGE = &H2 Private Const DI_NORMAL = &H3 Private Const DI_COMPAT = &H4 Private Const DI_DEFAULTSIZE = &H8 Private Const SHGFI_DISPLAYNAME = &H200 Private Const SHGFI_EXETYPE = &H2000 Private Const SHGFI_SYSICONINDEX = &H4000 Private Const SHGFI_LARGEICON = &H0 Private Const SHGFI_SMALLICON = &H1 Private Const ILD_TRANSPARENT = &H1 Private Const SHGFI_SHELLICONSIZE = &H4 Private Const SHGFI_TYPENAME = &H400 Private Const BASIC_SHGFI_FLAGS = SHGFI_TYPENAME Or SHGFI_SHELLICONSIZE Or SHGFI_SYSICONINDEX Private SIconInfo As SHFILEINFO Private SectionHeaders() As IMAGE_SECTION_HEADER Dim i As Integer Dim j As Integer Public Function CekHeuristic(Filename As String) CekHeuristic = "" On Error GoTo hError
25262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
Dim hFile As Long, bRW As Long Dim DOSheader As IMAGE_DOS_HEADER Dim NTHeaders As IMAGE_NT_HEADERS Dim Filedata As String DOS_HEADER_INFO = "" NT_HEADERS_INFO = "" hFile = CreateFile(Filename, ByVal (GENERIC_READ Or GENERIC_WRITE), FILE_SHARE_READ, ByVal ReadFile hFile, DOSheader, Len(DOSheader), bRW, ByVal 0& SetFilePointer hFile, DOSheader.e_lfanew, 0, 0 ReadFile hFile, NTHeaders, Len(NTHeaders), bRW, ByVal 0& If NTHeaders.Signature <> IMAGE_NT_SIGNATURE Then If IsScript(Filename) = True Then Open Filename For Binary As #1 Filedata = Space$(LOF(1)) Get #1, , Filedata Close #1 CekHeuristic = CekHeur(Filedata) End If Exit Function End If CekHeuristic = CekIconBinary(Filename) hError: End Function Private Function CekHeur(Data As String) Dim hsl, asl As Integer strasli = LCase(Replace(Data, vbNewLine, "$")) For i = 1 To UBound(Bahaya) hsl = 0 strData = Split(Bahaya(i), "|") asl = 0 For k = 0 To UBound(strData) xxx = LCase(strData(k)) If InStr(strasli, xxx) > 0 Then hsl = hsl + 1 asl = asl + 1 Next If hsl = asl Then CekHeur = "Malicious-Script" Exit Function End If Next CekHeur = "" End Function Private Function CekIconBinary(PathFile As String) Dim q As Integer Dim IconIDNow As String CekIconBinary = "" IconIDNow = CalcIcon(PathFile) If IconIDNow = "" Then Exit Function For q = 1 To UBound(IconDB) If IconDB(q) = IconIDNow Then CekIconBinary = "Malicious-Icon" Exit Function End If Next q End Function Private Function CalcBinary(ByVal lpFileName As String, ByVal lpByteCount As Long, Optional Dim Bin() As Byte
7172737475767778798081828384858687888990919293949596979899100101102103104105106107
Dim ByteSum As Long Dim i As Long ReDim Bin(lpByteCount) As Byte Open lpFileName For Binary As #1 If StartByte = 0 Then Get #1, , Bin Else Get #1, StartByte, Bin End If Close #1 For i = 0 To lpByteCount ByteSum = ByteSum + Bin(i) ^ 2 Next i CalcBinary = Hex$(ByteSum) End Function Private Function CalcIcon(ByVal lpFileName As String) As String Dim PicPath As String Dim ByteSum As String Dim IconExist As Long Dim hIcon As Long IconExist = ExtractIconEx(lpFileName, 0, ByVal 0&, hIcon, 1) If IconExist <= 0 Then IconExist = ExtractIconEx(lpFileName, 0, hIcon, ByVal 0&, 1) If mUtama.sIcon.hDC, 0, 0, hIcon, 0, 0, 0, 0, DI_NORMAL DestroyIcon hIcon PicPath = Environ$("windir")icPath, FileLen(PicPath)) DeleteFile PicPath CalcIcon = ByteSum End Function
Fungsi di atas adalah fungsi untuk mengecek suatu file dengan metode heuristic icon + heuristic untuk virus
VBS
Buat 1 module dengan nama modIconCompare
lalu masukan code di bawah ini.
1234567891011121314151617181920212223242
Spoiler:
'Code: Option Explicit Private Const SHGFI_DISPLAYNAME = &H200, SHGFI_EXETYPE = &H2000, SHGFI_SYSICONINDEX = &H4000,NAME = &H400, ILD_TRANSPARENT = &H1, BASIC_SHGFI_FLAGS = SHGFI_TYPENAME Or SHGFI_SHELLICONSIZE Public Type SHFILEINFO hIcon As Long: iIcon As Long: dwAttributes As Long: szDisplayName As String * MAX_PATH: End Type Private Declare Function SHGetFileInfo Lib "shell32.dll" Alias "SHGetFileInfoA" (ByVal pszPatho As Long, ByVal uFlags As Long) As Long Private Declare Function ImageList_Draw Lib "comctl32.dll" (ByVal himl As Long, ByVal i Long Private shinfo As SHFILEINFO, sshinfo As SHFILEINFO Private Declare Function DrawIconEx Lib "user32.dll" (ByVal hDC As Long, ByVal xLeft As ng, ByVal istepIfAniCur As Long, ByVal hbrFlickerFreeDraw As Long, ByVal diFlags As Long) Private SIconInfo As SHFILEINFO
Public Enum IconRetrieve ricnLarge = 32 ricnSmall = 16 End Enum
Public Sub RetrieveIcon(fName As String, DC As PictureBox, icnSize As IconRetrieve) Dim hImgSmall, hImgLarge As Long Debug.Print fName Select Case icnSize Case ricnSmall hImgSmall = SHGetFileInfo(fName$, 0&, shinfo, Len(shinfo), BASIC_SHGFI_FLAGS Or SHGFI_SMALLICON) Call ImageList_Draw(hImgSmall, shinfo.iIcon, DC.hDC, 0, 0, ILD_TRANSPARENT) Case ricnLarge hImgLarge& = SHGetFileInfo(fName$, 0&, shinfo, Len(shinfo), BASIC_SHGFI_FLAGS Or SHGFI_LARGEICON) Call ImageList_Draw(hImgLarge, shinfo.iIcon, DC.hDC, 0, 0, ILD_TRANSPARENT) End Select End Sub Public Function ExtractIcon(Filename As String, AddtoImageList As ImageList, PictureBox Dim SmallIcon As Long Dim NewImage As ListImage Dim IconIndex As Integer On Error GoTo Load_New_Icon If iKey <> "Application" And iKey <> "Shortcut" Then ExtractIcon = AddtoImageList.ListImages(iKey).Index Exit Function End If Load_New_Icon: On Error GoTo Reset_Key RetrieveIcon Filename, PictureBox, PixelsXY IconIndex = AddtoImageList.ListImages.Count + 1
5262728293031323334353637383940414243444546474
Set NewImage = AddtoImageList.ListImages.Add(IconIndex, iKey, PictureBox.Image) ExtractIcon = IconIndex Exit Function Reset_Key: iKey = "" Resume End Function Public Sub GetLargeIcon(icPath$, pDisp As PictureBox) Dim hImgLrg&: hImgLrg = SHGetFileInfo(icPath$, 0&, SIconInfo, Len(SIconInfo), BASIC_SHGFI_FLAGS ImageList_Draw hImgLrg, SIconInfo.iIcon, pDisp.hDC, 0, 0, ILD_TRANSPARENT End Sub
849505152535455
Kode di atas di butuhkan untuk metode heuristic icon pada antivirus
Buat 1 module dengan nama modLV
lalu masukan kode di bawah ini.
123456789101112131415161
Spoiler:
'Code: Public Function GetSelected(TheLV As ListView) Dim Sel As String For i = 1 To TheLV.ListItems.Count If TheLV.ListItems.Item(i).Checked = True Then Sel = Sel & "|" & TheLV.ListItems.Item(i).SubItems(1) End If Next GetSelected = Sel End Function
Public Function SelectedAll(TheLV As ListView) For i = 1 To TheLV.ListItems.Count TheLV.ListItems.Item(i).Checked = True Next End Function
Public Function SelectedNone(TheLV As ListView) For i = 1 To TheLV.ListItems.Count TheLV.ListItems.Item(i).Checked = False Next End Function
Public Function GetIndex(TheLV As ListView, Data As String) As Integer For i = 1 To TheLV.ListItems.Count If TheLV.ListItems.Item(i).SubItems(1) = Data Then GetIndex = i
7181920212223242526272829303132333435363738394
End If Next End Function
Public Function UnSelect(TheLV As ListView, Data As String) For i = 1 To TheLV.ListItems.Count If TheLV.ListItems.Item(i).SubItems(3) = Data Then TheLV.ListItems.Item(i).Checked = False End If Next End Function
Public Function AddDetect(TheLV As ListView, FilePath As String, VirData As String) With TheLV If Left(VirData, 9) <> "Malicious" Then Set lvItm = .ListItems.Add(, , Split(VirData, "|")(0), , frmUtama.ImgSmall.ListImages(1).Index) lvItm.SubItems(1) = FilePath lvItm.SubItems(2) = Split(VirData, "|")(1) lvItm.SubItems(3) = "Virus File" Else Set lvItm = .ListItems.Add(, , VirData, , frmUtama.ImgSmall.ListImages(1).Index) lvItm.SubItems(1) = FilePath lvItm.SubItems(2) = GetChecksum(FilePath) lvItm.SubItems(3) = "Virus File" End If End With End Function
041424344454647484950515253545556
Code di atas berguna untuk dengatur Listview pada saat virus terdeteksi
Buat 1 module dengan nama modPE
lalu masukan code di bawah ini.
123456
Spoiler:
'Code: Public Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer
78910111213141516171819202122232425262728293031323334353637383940414243444546474849505152
e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(1 To 4) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(1 To 10) As Integer e_lfanew As Long End Type
Public Type IMAGE_SECTION_HEADER nameSec As String * 6 PhisicalAddress As Integer
VirtualSize As Long VirtualAddress As Long SizeOfRawData As Long PointerToRawData As Long PointerToRelocations As Long PointerToLinenumbers As Long NumberOfRelocations As Integer NumberOfLinenumbers As Integer Characteristics As Long
End Type
Public Type IMAGE_DATA_DIRECTORY VirtualAddress As Long size As Long End Type
Public Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUninitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer
53545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798
MinorSubsystemVersion As Integer Win32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long Subsystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY End Type
Public Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type
Public Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type
Public Type IMAGE_EXPORT_DIRECTORY Characteristics As Long TimeDateStamp As Long MajorVersion As Integer MinorVersion As Integer Name As Long Base As Long NumberOfFunctions As Long NumberOfNames As Long AddressOfFunctions As Long AddressOfNames As Long AddressOfNameOrdinals As Long End Type
Public Type IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk As Long TimeDateStamp As Long ForwarderChain As Long Name As Long FirstThunk As Long End Type
Public Type IMAGE_IMPORT_BY_NAME Hint As Integer
9910010110210310410510610710810911011111211311411511611711811912012112
Name As String * 255 End Type
Public Const IMAGE_SIZEOF_SECTION_HEADER = 40 Public Const IMAGE_DOS_SIGNATURE = &H5A4D Public Const IMAGE_NT_SIGNATURE = &H4550 Public Const IMAGE_ORDINAL_FLAG = &H80000000
Public Enum SECTION_CHARACTERISTICS IMAGE_SCN_LNK_NRELOC_OVFL = &H1000000 'Section contains extended relocations. IMAGE_SCN_MEM_DISCARDABLE = &H2000000 'Section can be discarded. IMAGE_SCN_MEM_NOT_CACHED = &H4000000 'Section is not cachable. IMAGE_SCN_MEM_NOT_PAGED = &H8000000 'Section is not pageable. IMAGE_SCN_MEM_SHARED = &H10000000 'Section is shareable. IMAGE_SCN_MEM_EXECUTE = &H20000000 'Section is executable. IMAGE_SCN_MEM_READ = &H40000000 'Section is readable. IMAGE_SCN_MEM_WRITE = &H80000000 'Section is writeable. End Enum
Public Enum IMAGE_DIRECTORY IMAGE_DIRECTORY_ENTRY_EXPORT = 0 ' Export Directory IMAGE_DIRECTORY_ENTRY_IMPORT = 1 ' Import Directory IMAGE_DIRECTORY_ENTRY_RESOURCE = 2 ' Resource Directory IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3 ' Exception Directory IMAGE_DIRECTORY_ENTRY_SECURITY = 4 ' Security Directory IMAGE_DIRECTORY_ENTRY_BASERELOC = 5 ' Base Relocation Table IMAGE_DIRECTORY_ENTRY_DEBUG = 6 ' Debug Directory IMAGE_DIRECTORY_ENTRY_ARCHITECTURE = 7 ' Architecture Specific Data IMAGE_DIRECTORY_ENTRY_GLOBALPTR = 8 ' RVA of GP IMAGE_DIRECTORY_ENTRY_TLS = 9 ' TLS Directory IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10 ' Load Configuration Directory IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11 ' Bound Import Directory in headers IMAGE_DIRECTORY_ENTRY_IAT = 12 ' Import Address Table IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13 ' Delay Load Import Descriptors IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14 ' COM Runtime descriptor End Enum
212312412512612712812913013113213313413513613713813914014114214314414
5146147148149150151152153154155156
Kode di atas berfungsi untuk pengecekan PE HEADER
buat 1 module dengan nama modScanning
lalu tambahkan code di bawah ini.
Spoiler:
12345678910111
'Code: Public jumlahDir As Long, jumlahFile As Long, jumlahVirus As Long Public StopScan As Boolean
Public Function CekVirus(FilePath As String) As String CekVirus = "" For i = 1 To UBound(VirusDB) If GetChecksum(FilePath) = Split(VirusDB(i), "|")(1) Then CekVirus = VirusDB(i) Exit Function End If Next If FileLen(FilePath) / 1024 <= 512 Then CekVirus = CekHeuristic(FilePath) End If End Functioni As Long Dim hSearch As Long, WFD As WIN32_FIND_DATA Dim Result As Long, CurItem As StringtViri = "" dirCount = -1 ScanInfo = "Scan File" If Right$(lpFolderName, 1) = "\" Then RealPathalPath & "*", WFD) If Not hSearch = INVALID_HANDLE_VALUE Then Result = True Do While ResultrItem = "." And Not CurItem = ".." Then If PathIsDirectory(RealPath & CurItem) <> 0 Then jumlahDir = jumlahDir + 1
2131415161718192021222324252627282930313233343
frmUtama.lblDirScan.Caption = jumlahDir If SubDirs = True Then dirCount = dirCount + 1 ReDim Preserve tempDir(dirCount) As String tempDir(dirCount) = RealPath & CurItem End If Else jumlahFile = jumlahFile + 1 frmUtama.lblFileScan.Caption = jumlahFile frmUtama.txtFileScan.Text = RealPath & CurItem frmUtama.txtFileScan.SelStart = Len(frmUtama.txtFileScan.Text) If WFD.nFileSizeLow > 5120 Or WFD.nFileSizeHigh > 5120 Then GetViri = CekVirus(RealPath & CurItem) If GetViri <> "" Then AddDetect frmUtama.lvScan, RealPath & CurItem, GetViri jumlahVirus = jumlahVirus + 1 frmUtama.lblFileDet.Caption = jumlahVirus End If End If End If End If Result = FindNextFile(hSearch, WFD) Loop FindClose hSearch
If SubDirs = True Then If dirCount <> -1 Then For i = 0 To dirCount FindFilesEx tempDir(i), True Next i End If End If End If End Sub
536373839404142434445464748
Kode di atas adalah code untuk scan file & folder pada antivirus
Buat 1 module dengan nama modEtc
Masukan code di bawah ini.
123456789101112
Spoiler:
'Code: Public Function Action(Data As String, TheLV As ListView, Mode As String) Dim Filedata() As String Dim fName, tmp, Status As String Dim y As Integer Filedata = Split(Data, "|") For i = 1 To UBound(Filedata) a = a + 1 If Mode = "Q" Then fName = GetFileName(Filedata(i)) EncodeFile Filedata(i), AppPath & "Quarantine\" & Left$(fName, Len(fName) - Len(GetExt(Filedata(i)))) & ".avq" AddQList TheLV, Filedata(i), Left$(fName, Len(fName) - Len(GetExt(Filedata(i)))) & ".avq"
13141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758
DeleteFile Filedata(i) Status = "Di Karantina" ElseIf Mode = "D" Then DeleteFile Filedata(i) Status = "Di Hapus" End If y = GetIndex(TheLV, Filedata(i)) With TheLV.ListItems.Item(y) .SubItems(3) = Status .Checked = False .SmallIcon = frmUtama.ImgSmall.ListImages(2).Index End With Next Action = a End Function
Public Function AddQList(TheLV As ListView, FilePath As String, Source As String) Dim Dat As String Dat = AppPath & "Quarantine\HN.dat" If PathFileExists(Dat) <> 0 Then Open Dat For Input As #1 Input #1, isi Close #1 DeleteFile Dat Else isi = "" End If namavir = TheLV.ListItems(GetIndex(TheLV, FilePath)) If InStrRev(isi, Source, , vbTextCompare) = 0 Then Open Dat For Output As #2 Print #2, isi & "|" & namavir & "?" & FilePath & "?" & Source Close #2 Else Open Dat For Output As #3 Print #3, isi Close #3 End If End Function
Public Function GetFileName(PathFile As String) As String Dim i As Long Dim DirString As Long For i = 1 To Len(PathFile) If Mid$(PathFile, i, 1) = "\" Then DirString = i Next i GetFileName = Right$(PathFile, Len(PathFile) - DirString) End Function
Public Function GetExt(ByVal lpFileName As String) Dim sTemp As String Dim i As Long sTemp = GetFileName(lpFileName) If InStr(lpFileName, ".") Then For i = 0 To Len(sTemp) - 1 If Mid$(sTemp, Len(sTemp) - i, 1) = "." Then GetExt = Mid$(sTemp, Len(sTemp) - i, i)
5960616263646566676869707172737475
Exit Function End If Next i End If End Function
Code di atas adalah kumpulan fungsi etc untuk scanning, karantina, delete
Ini adalah tampilan antivirus setelah di berikan module :
Langkah 3
Sekarang tinggal cara membuat form quarantinenya, caranya adalah sebagai berikut pada gambar berikut:
setelah form baru sudah di buat,lalu rubah nama formnya menjadi frmQuarantine.
Tambah 1 buah listview dengan nama lvQ
Lalu setting listview tersebut sesuai dengan gambar di bawah ini,cara setting listview sudah tertera diatas.
Tambahkan 3 buah Command button dengan nama
- cmdDelete
- cmdRestore
- cmdRestore(1)
Tambahkan code di bawah ini ke dalam Command [ cmdDelete ]
123456789101112
Spoiler:
'Code: If lvQ.ListItems.Count = 0 Then Exit Sub Dim Data() As String If PathFileExists(Dat) <> 0 Then Open Dat For Input As #1 Input #1, isi Close #1 DeleteFile Dat Else isi = "" End If Data = Split(isi, "|") For i = 1 To UBound(Data) namafile = lvQ.SelectedItem.SubItems(2) If namafile <> Split(Data(i), "?")(1) Then nyu = nyu & "|" & Data(i)
1314151617181920212223242526
End If Next DeleteFile AppPath & "Quarantine\" & lvQ.SelectedItem.SubItems(1) Open Dat For Output As #2 Print #2, nyu Close #2 MsgBox "Success Deleting File !!!", vbInformation, "" UpdateQ
code di atas berfungsi untuk menghapus file yang telah di karantina
Masukan code di bawah ini ke Command [ cmdRestore ]
1234567891011
Spoiler:
'Code: If lvQ.ListItems.Count = 0 Then Exit Sub Select Case Index Case 0 DecodeFile AppPath & "Quarantine\" & lvQ.SelectedItem.SubItems(1), lvQ.SelectedItem.SubItems(2) MsgBox "File Restored to " & Chr(34) & lvQ.SelectedItem.SubItems(2) & Chr(34) & " !!!", Case 1 sTitle = "Select path:" & vbNewLine & "Select path to restore file." ThePath = BrowseFolder(sTitle, Me) If ThePath <> "" Then DecodeFile AppPath & "Quarantine\" & lvQ.SelectedItem.SubItems(1), ThePath & GetFileName(lvQ.SelectedItem.SubItems(2)) MsgBox "File Restored to " & Chr(34) & ThePath & GetFileName(lvQ.SelectedItem.SubItems(2))rmation, ""
1213141516171819202122232425262728293031323334
End If End Select
Fungsi code di atas berguna untuk me restore file kembali ke asalnya.
lalu pada Form_Load() tambahkan code di bawah ini.
Spoiler:
'Code: frmUtama.Enabled = False Dat = AppPath & "Quarantine\HN.dat" UpdateQ
Masukan code di bawah ini ke dalam frmQuarantine yang telah anda buat tadi.
Spoiler:
'Code: Dim Dat As String Private Sub UpdateQ() lvQ.ListItems.Clear Dim Data() As String If PathFileExists(Dat) = 0 Then Exit Sub Open Dat For Input As #1 Input #1, isi Close #1 Data = Split(isi, "|") For i = 1 To UBound(Data) With lvQ.ListItems.Add(, , Split(Data(i), "?")(0)) .SubItems(1) = Split(Data(i), "?")(2) .SubItems(2) = Split(Data(i), "?")(1) End With Next Me.Caption = "Quarantine (" & lvQ.ListItems.Count & ")" End Sub
35363738394041424344454647484950
Berfungsi untuk memanggil data yang ada di folder karantina.
Hanya itu ilmu yang bisa saya bagikan. sekarang kita bukan hanya sebagai pemakai atau user sekrang kita sudah bi
sa mmembuat antivirus.
Dan ini adalah Screenshot antivirus yang kita buat tadi saat melakukan scanning.
Note : Jika anda membaca dan mencoba dengan teliti dan seksama anda pasti berhasil.
Orang yang berhasil adalah orang yang banyak mecoba.