市面上所有號稱“虛擬機”、“防火牆”的實時監控殺毒軟件,無一不是使用IFSHOOK技術。但同時也有一些朋友不斷寫MAIL給我打聽如何實現讀寫的監控。下面給出用VTOOLSD寫的代碼,也就是所有實時殺毒軟件的奧秘。同時,很多攔截文件操作的軟件,例如目錄加密、文件加密等,也采用了雷同的技術。
由於代碼十分簡單,不分析了。
CODE:
//================================================
//
//By Lu Lin 2000.5.10
// Apply with VtoolsD 3.01
// DDK version is available if requested.
//Abstract:
// Install a IFS hook, monitoring any read and write access
//
//================================================
// IFSHOOK.c - main module for IFSHOOK
#define DEVICE_MAIN
#include "ifshook.h"
#undef DEVICE_MAIN
//typedef EventHdl(pevent pev,pioreq pir);
/*
 * _Monitored_Files - one node of the doubly linked list of files this hook
 * tracks, keyed by system file number (sfn).  The file-scope object
 * Monitored_Files (defined just below) is used as the list head and nodes
 * are appended after it.
 * Note: the tag _Monitored_Files (leading underscore + capital letter) is an
 * identifier reserved for the implementation in ISO C; kept unchanged here
 * because the rest of the module names it.
 */
typedef struct _Monitored_Files{
struct _Monitored_Files *pNext_Monitored_Files;//pointer to next struct; 0 marks the tail
struct _Monitored_Files *pPre_Monitored_Files;//pointer to previous struct
int sfn;//system file number (ir_sfn), the key IsFileOpened searches on
int open_count;//bumped on each IFSFN_OPEN of an already-tracked sfn; any decrement is outside this excerpt
char path[260]; //ansi path name as produced by ConvertPath (260-byte buffer, copied whole)
}_Monitored_Files,*pMonitored_Files;
//
// Declare virtual device, the tracking-list head, the saved previous IFS
// hook and the VMM control-message handlers.
//
Declare_Virtual_Device(IFSHOOK)
_Monitored_Files Monitored_Files;// list head; a file-scope object, so it starts zero-filled (sfn 0, no links)
ppIFSFileHookFunc PrevHook;// presumably the hook installed before ours; MyIfsHook chains to it. Where it is assigned is not in this excerpt
DefineControlHandler(SYS_VM_INIT, OnSysVMInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit);
DefineControlHandler(SYS_VM_TERMINATE, OnSysVMTerminate);// declared, but ControlDispatcher below does not route SYS_VM_TERMINATE to it
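/*
 * ConvertPath - render an IFS path as an ANSI string with a drive prefix.
 *
 * drive        1-based drive number (1 == "A:"); 0xFF means "unknown", in
 *              which case no "X:" prefix is written.
 * ppath        parsed path whose pp_elements are converted by UniToBCSPath.
 * fullpathname caller-supplied buffer of at least 260 bytes (the size the
 *              rest of this module uses for its path buffers).
 *
 * Returns fullpathname.
 *
 * The converted path is written at offset i, i.e. after the "X:" prefix,
 * and the remaining space (260 - i) is passed as the limit so the prefix is
 * neither overwritten nor overrun.  The previous form passed &fullpathname
 * (the address of the pointer parameter itself) instead of a position in
 * the buffer, and the prefix offset i was computed but never used.
 * NOTE(review): whether UniToBCSPath NUL-terminates its output is not
 * visible here - confirm before treating fullpathname as a C string.
 */
PCHAR ConvertPath( int drive, path_t ppath, PCHAR fullpathname )
{
    int i = 0;
    _QWORD result;

    /* Stick on the drive letter if we know it. */
    if( drive != 0xFF ) {
        fullpathname[0] = (char)('A' + drive - 1);
        fullpathname[1] = ':';
        i = 2;
    }
    UniToBCSPath( &fullpathname[i], ppath->pp_elements, 260 - i, BCS_WANSI, &result );
    return( fullpathname );
}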
/*
 * IsFileOpened - look up the tracking entry for a system file number.
 *
 * i  system file number (ir_sfn) to search for.
 *
 * Returns the _Monitored_Files node whose sfn equals i, or 0 when none does.
 * The walk starts at the file-scope list head Monitored_Files itself, so the
 * head is compared like any other node.  NOTE(review): the head is a
 * zero-filled file-scope object; if 0 can be a legal sfn it would match here
 * - confirm against the IFS manager's sfn range.
 */
pMonitored_Files IsFileOpened(int i){
    pMonitored_Files node;

    for (node = &Monitored_Files; node != 0; node = node->pNext_Monitored_Files) {
        if (node->sfn == i) {
            return node;
        }
    }
    return 0;
}
/*
 * ControlDispatcher - VxD control-message entry point.
 *
 * Routes the system control message in dwControlMessage to the handlers
 * declared with DefineControlHandler above, using the VtoolsD
 * START/ON/END_CONTROL_DISPATCH macros.  EBX..ECX are the register values
 * the VMM passes along with the message.
 *
 * Returns TRUE once the dispatch macros have run (any early return inside
 * the macros themselves is not visible in this file).
 * NOTE(review): OnSysVMTerminate is declared above but no dispatch line for
 * SYS_VM_TERMINATE appears here, so it is never invoked - confirm whether
 * that is intended.
 */
BOOL ControlDispatcher(
DWORD dwControlMessage,
DWORD EBX,
DWORD EDX,
DWORD ESI,
DWORD EDI,
DWORD ECX)
{
START_CONTROL_DISPATCH
ON_SYS_VM_INIT(OnSysVMInit);
ON_SYS_DYNAMIC_DEVICE_INIT(OnSysDynamicDeviceInit);
ON_SYS_DYNAMIC_DEVICE_EXIT(OnSysDynamicDeviceExit);
END_CONTROL_DISPATCH
return TRUE;
}
int _cdecl MyIfsHook(pIFSFunc pfn, int fn, int Drive, int ResType,
int CodePage, pioreq pir)
{
int retvar,i;
char fullpathname[260];
_Monitored_Files *FileEntry;
switch(fn){
case IFSFN_OPEN:{
retvar=(*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
ConvertPath( Drive, pir->ir_ppath, fullpathname );
FileEntry=IsFileOpened(pir->ir_sfn);
if (FileEntry){
FileEntry->open_count ;
}else{
FileEntry=&Monitored_Files;
while(1){
if (FileEntry->pNext_Monitored_Files){
FileEntry=FileEntry->pNext_Monitored_Files;
}
else{
break;
}
}
FileEntry->pNext_Mon_itored_Files=
HeapAllocate( sizeof(_Monitored_Files),HEAPZEROINIT);
FileEntry->pNext_Monitored_Files->pPre_Mon_itored_Files=FileEntry;
FileEntry=FileEntry->pNext_Monitored_Files;
FileEntry->sfn=pir->ir_sfn;
FileEntry->open_count=1;
memcpy(FileEntry->path,fullpathname,260);
}
return retvar;
}
case IFSFN_READ:{
//Do something here,
//eg. Decrypt the file.
char *str;
int j;
str=pir->ir_data;
j=pir->ir_length;
retvar=(*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
FileEntry=IsFileOpened(pir->ir_sfn);
if (!stricmp("c:\test.txt",FileEntry->path)){
for (i=0;i