You open your mail and see a message from someone impersonating a friend, with a zip file attached. You unzip it and click the file inside. Unfortunately, the file you clicked is malware, and none of the antivirus signatures catch it.

There are times when we have to write our own signature, or our own cleanup tool, to remove malware that is already present on the computer.

Here is a small program in Rust which adds a value under the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on the machine (the value points at pestudio.exe, a benign analysis tool standing in for the malware). It then prints "hello", waits for 10 minutes, and prints "goodbye".

```rust
use winreg::enums::*;
use winreg::RegKey;
use std::time::Duration;
use std::thread;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Open HKEY_LOCAL_MACHINE and create (or open) the machine-wide Run key.
    let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
    let (settings, _) = hklm.create_subkey("Software\\Microsoft\\Windows\\CurrentVersion\\Run")?;

    // Set the program to run at startup: value name "virus", data = path to the executable.
    settings.set_value("virus", &"C:\\Tools\\pestudio\\pestudio\\pestudio.exe")?;

    println!("hello");
    thread::sleep(Duration::from_secs(600));
    println!("goodbye");
    Ok(())
}
```

The "virus" value under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run makes Windows run the program C:\Tools\pestudio\pestudio\pestudio.exe during the startup of the machine.

If we open Registry Editor we can see the newly added value, which starts the program during the startup of the machine.


To stop the virus from running at startup we have to delete the "virus" value under that key and the file it points to. The program below deletes both the registry value and the virus file.

```rust
use winreg::enums::*;
use std::fs;
use winreg::RegKey;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
    let run_key = r"Software\Microsoft\Windows\CurrentVersion\Run";
    // Open the Run key with just enough rights to delete a value.
    let run_key = hklm.open_subkey_with_flags(run_key, KEY_SET_VALUE)?;

    // Delete the program from startup, then remove the file it pointed to.
    run_key.delete_value("virus")?;
    fs::remove_file("C:\\Tools\\pestudio\\pestudio\\pestudio.exe")?;

    Ok(())
}
```
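Before deleting anything it helps to audit what is actually in the Run key and decide which entries do not belong. The following example is added here and is not part of the original post: it parses the text of a `reg export` of the Run key (the sample below is constructed for the example, written as plain UTF-8 although a real export is UTF-16LE), lists each autostart value, pulls the executable path out of the command line (quoted or not), and flags entries whose executable lives outside a small set of directories assumed to be the normal baseline. The flagged entries become the cleanup plan (value name plus file path) that the deletion program above would act on. It uses only the standard library, so it runs on any OS; `TRUSTED_PREFIXES` and the sample export are assumptions for the example.

```rust
/// Key whose section we audit in the .reg export.
const RUN_KEY: &str = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run";

/// Directories from which autostart entries are normally expected.
/// This list is an assumption for the example; adjust it to the machine's baseline.
const TRUSTED_PREFIXES: &[&str] = &[
    r"c:\windows\",
    r"c:\program files\",
    r"c:\program files (x86)\",
    r"%windir%\",
    r"%programfiles%\",
];

/// Constructed sample of a `reg export` (converted to UTF-8), including a
/// second section that must be ignored by the Run-key parser.
pub const SAMPLE_EXPORT: &str = r#"Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"virus"="C:\\Tools\\pestudio\\pestudio\\pestudio.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Other"="C:\\Temp\\once.exe"
"#;

#[derive(Debug, PartialEq)]
pub struct RunEntry {
    pub name: String,
    pub command: String,
}

/// Undo .reg string escaping: `\\` becomes `\` and `\"` becomes `"`.
fn unescape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    let mut chars = s.chars();
    while let Some(c) = chars.next() {
        if c == '\\' {
            out.push(chars.next().unwrap_or('\\'));
        } else {
            out.push(c);
        }
    }
    out
}

/// Parse the REG_SZ values of the Run section; other value types and other
/// sections are skipped.
pub fn parse_run_section(export: &str) -> Vec<RunEntry> {
    let mut in_run = false;
    let mut entries = Vec::new();
    for line in export.lines() {
        let line = line.trim();
        if line.starts_with('[') && line.ends_with(']') {
            let key = &line[1..line.len() - 1];
            in_run = key.eq_ignore_ascii_case(RUN_KEY);
            continue;
        }
        if !in_run || !line.starts_with('"') {
            continue;
        }
        // Line shape: "name"="value"
        let (name, value) = match line[1..].split_once("\"=") {
            Some(pair) => pair,
            None => continue,
        };
        let value = value.trim();
        if value.len() < 2 || !value.starts_with('"') || !value.ends_with('"') {
            continue; // hex:, dword: and similar are not string values
        }
        entries.push(RunEntry {
            name: unescape(name),
            command: unescape(&value[1..value.len() - 1]),
        });
    }
    entries
}

/// Extract the executable from a command line: a leading quoted token, or
/// everything up to the first ".exe", or the first whitespace-separated token.
pub fn executable_path(command: &str) -> String {
    let cmd = command.trim();
    if let Some(rest) = cmd.strip_prefix('"') {
        if let Some(end) = rest.find('"') {
            return rest[..end].to_string();
        }
    }
    let lower = cmd.to_ascii_lowercase();
    if let Some(idx) = lower.find(".exe") {
        return cmd[..idx + 4].to_string();
    }
    cmd.split_whitespace().next().unwrap_or("").to_string()
}

/// An entry is suspicious when its executable is outside the trusted directories.
pub fn is_suspicious(entry: &RunEntry) -> bool {
    let path = executable_path(&entry.command).to_ascii_lowercase();
    !TRUSTED_PREFIXES.iter().any(|p| path.starts_with(p))
}

/// (value name, executable path) for each entry the cleanup tool should remove.
pub fn cleanup_plan(export: &str) -> Vec<(String, String)> {
    parse_run_section(export)
        .iter()
        .filter(|e| is_suspicious(e))
        .map(|e| (e.name.clone(), executable_path(&e.command)))
        .collect()
}

fn main() {
    for (name, path) in cleanup_plan(SAMPLE_EXPORT) {
        println!("delete value {:?} from Run, then remove file {}", name, path);
    }
}
```

On the sample export only the "virus" entry is flagged, because the other two resolve to `%windir%` and `C:\Program Files`. In practice the baseline should come from a known-good export of the same machine type rather than a fixed prefix list, and the plan should be reviewed before the deletion program runs it.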
2024-02-10
