

殺毒軟件實時殺毒的奧秘 vxd文件監控

市面上所有號稱“虛擬機”,“防火牆”的實時監控殺毒軟件無一不是使用的IFSHOOK技術。但是同時也有一些朋友不斷寫MAIL給我打聽如何實現讀寫的監控。下面給出用VTOOLSD寫的代碼,也就是所有實時殺毒軟件的奧秘。同時,很多攔截文件操作的軟件,例如對目錄加密,文件加密等,也采用了雷同的技術。

由於代碼十分簡單,不分析了。

CODE:

//================================================

//

//By Lu Lin 2000.5.10

// Apply with VtoolsD 3.01

// DDK version is available if requested.

//Abstract:

// Install an IFS hook, monitoring any read and write access

//

//================================================

// IFSHOOK.c - main module for IFSHOOK

#define  DEVICE_MAIN

#include "ifshook.h"

#undef  DEVICE_MAIN 

//typedef EventHdl(pevent pev,pioreq pir);

/*
 * One node of the doubly-linked list of files seen by the IFS hook.
 *
 * The global Monitored_Files (declared further down) is the list head.
 * The open handler appends new nodes after the last node and allocates
 * them with HEAPZEROINIT, so a fresh node's pNext_Monitored_Files starts
 * out 0 — the value the list walks use as the end marker.
 */
typedef struct _Monitored_Files{
struct _Monitored_Files *pNext_Monitored_Files;//next node; 0 at the tail
struct _Monitored_Files *pPre_Monitored_Files;//previous node; 0 for the static head
int sfn;//system file number (pir->ir_sfn); lookup key used by IsFileOpened
int open_count;//opens recorded for this sfn; set to 1 when the node is created
char path[260]; //ANSI path produced by ConvertPath, copied in as a full 260-byte block
                //NOTE(review): stricmp on this field assumes it is NUL-terminated — confirm
}_Monitored_Files,*pMonitored_Files;

//
//Declare virtual device
//
Declare_Virtual_Device(IFSHOOK)   // VtoolsD macro: declares the IFSHOOK VxD object
// Head of the monitored-file list. Static storage, so it is zero-initialised:
// its sfn is 0 and its path empty unless set elsewhere; real nodes hang after it.
_Monitored_Files Monitored_Files;
// Hook that was installed in the IFS chain before ours; MyIfsHook forwards
// every request through (*PrevHook)(...). Presumably assigned when the hook
// is installed in OnSysDynamicDeviceInit (not visible on this page) — verify
// it is set before MyIfsHook can run and restored on unload.
ppIFSFileHookFunc PrevHook;
// Control-message handler declarations (VtoolsD macro). Note: OnSysVMTerminate
// is declared here, but ControlDispatcher below routes only the first three
// messages, so that handler is not reached from the dispatcher as written.
DefineControlHandler(SYS_VM_INIT, OnSysVMInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit);
DefineControlHandler(SYS_VM_TERMINATE, OnSysVMTerminate);

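/*
 * ConvertPath - build an ANSI "X:..." path from an IFS path descriptor.
 *
 * drive:        drive number from the IFS manager, treated as 1-based
 *               (1 -> 'A'); 0xFF means "no drive letter" and the prefix
 *               is omitted.
 * ppath:        parsed path whose pp_elements are converted by UniToBCSPath.
 * fullpathname: caller-supplied output buffer, assumed to hold at least
 *               260 bytes (the caller on this page passes char[260]).
 *
 * Returns fullpathname.
 *
 * Corrections relative to the listing: the drive-letter expression had lost
 * its '+' and used a string literal, the colon was a string literal, and
 * UniToBCSPath was handed the address of the pointer parameter itself
 * (&fullpathname, a char **) with the full 260-byte budget even after the
 * two-byte prefix had been written. The conversion now writes after the
 * prefix and is bounded by the room that remains, so it cannot run past a
 * 260-byte buffer.
 */
PCHAR ConvertPath( int drive, path_t ppath, PCHAR fullpathname )
{
  int i = 0;
  _QWORD result;

  //
  // Stick on the drive letter if we know it.
  //
  if( drive != 0xFF ) {
    fullpathname[0] = (char)('A' + drive - 1);   /* drive 1 -> 'A' */
    fullpathname[1] = ':';
    i = 2;
  }

  /* Convert into the space after the prefix; the limit shrinks by the
   * prefix length so the total write stays within 260 bytes. */
  UniToBCSPath( &fullpathname[i], ppath->pp_elements, 260 - i, BCS_WANSI, &result );
  return( fullpathname );
}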



/*
 * IsFileOpened - find the monitored-file node whose system file number is i.
 *
 * Walks the global list from the static head Monitored_Files and returns
 * the first node whose sfn equals i, or 0 when no node matches. Callers
 * must test the result before dereferencing it.
 *
 * NOTE(review): the head node is compared too; it has static storage, so
 * its sfn is 0 unless initialised elsewhere, and a lookup for sfn 0 will
 * therefore return the head — confirm whether 0 can be a real sfn.
 */
pMonitored_Files IsFileOpened(int i){
    pMonitored_Files node;

    for (node = &Monitored_Files; node != 0; node = node->pNext_Monitored_Files) {
        if (node->sfn == i) {
            return node;
        }
    }
    return 0;
}

/*
 * ControlDispatcher - VxD control-message entry point (VtoolsD).
 *
 * dwControlMessage selects the handler. EBX/EDX/ESI/EDI/ECX carry the
 * message-specific register arguments; they are not referenced directly
 * here and are presumably picked up by the dispatch macros. Always
 * returns TRUE.
 *
 * NOTE(review): OnSysVMTerminate is declared with DefineControlHandler
 * above, but no entry for SYS_VM_TERMINATE appears in this table, so that
 * handler is never invoked from here — confirm whether that is intended.
 */
BOOL ControlDispatcher(
DWORD dwControlMessage,
DWORD EBX,
DWORD EDX,
DWORD ESI,
DWORD EDI,
DWORD ECX)
{
START_CONTROL_DISPATCH
 ON_SYS_VM_INIT(OnSysVMInit);                        // system VM created
 ON_SYS_DYNAMIC_DEVICE_INIT(OnSysDynamicDeviceInit); // dynamic load of this VxD
 ON_SYS_DYNAMIC_DEVICE_EXIT(OnSysDynamicDeviceExit); // dynamic unload of this VxD
END_CONTROL_DISPATCH
return TRUE;
}

int _cdecl MyIfsHook(pIFSFunc pfn, int fn, int Drive, int ResType,

 int CodePage, pioreq pir)

{

int retvar,i;

char fullpathname[260];

_Monitored_Files *FileEntry;

switch(fn){

 case IFSFN_OPEN:{

  retvar=(*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);

  ConvertPath( Drive, pir->ir_ppath, fullpathname );

  FileEntry=IsFileOpened(pir->ir_sfn);

  if (FileEntry){

  FileEntry->open_count ;

  }else{

  FileEntry=&Monitored_Files;

  while(1){

   if (FileEntry->pNext_Monitored_Files){

   FileEntry=FileEntry->pNext_Monitored_Files;

   }

   else{

   break;

   }

  }



  FileEntry->pNext_Mon_itored_Files=

   HeapAllocate( sizeof(_Monitored_Files),HEAPZEROINIT);

  FileEntry->pNext_Monitored_Files->pPre_Mon_itored_Files=FileEntry;

  FileEntry=FileEntry->pNext_Monitored_Files;

  FileEntry->sfn=pir->ir_sfn;

  FileEntry->open_count=1;

  memcpy(FileEntry->path,fullpathname,260);

  }

  return retvar;

 }

 case IFSFN_READ:{

  //Do something here,

  //eg. Decrypt the file.

  char *str;

  int j;

  str=pir->ir_data;

  j=pir->ir_length;

  retvar=(*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);

  FileEntry=IsFileOpened(pir->ir_sfn);

  if (!stricmp("c:\test.txt",FileEntry->path)){

  for (i=0;i
