VC: VxD technology and its application in real-time anti-virus software

zhaozj2021-02-08  263

At present, most domestic anti-virus products for the Windows 9x platform are static anti-virus software whose guiding principle is "killing comes first". The drawback of this approach is that a virus may already have done serious damage before the anti-virus software removes it. "Prevention first, killing second", that is, removing the virus at the moment it intrudes, is what real-time anti-virus technology does.

Windows 9x uses two of the Intel CPU's protection levels, Ring 0 and Ring 3. System processes run in Ring 0 and can therefore access all system resources; ordinary user processes run in Ring 3, may only access their own address space, and are denied many operations on system resources. Such an ordinary user process clearly cannot perform real-time anti-virus work: the background monitoring component must run at Ring 0 privilege, and the foundation for that is VxD technology.

I. Characteristics of VxD technology

A VxD is a virtual device driver, used as an interface between the Windows 9x system and a physical device. It is not limited to hardware, however: it also applies to all kinds of software "devices" written to the VxD specification.

The essence of VxD technology is this: by loading a VxD at the highest privilege level, Ring 0, an application running at Ring 3 can control the VxD's actions through a defined interface and thereby control the system. For real-time anti-virus software to use VxD technology, two points are key: (1) a VxD has system-level privileges; (2) many low-level Windows 9x system functions can only be called from within a VxD, so if an application wants to use them it must go through a VxD as an intermediary. The VxD acts as the application's agent inside the system, and the application hands it whatever it cannot do itself. Through this mechanism, Windows 9x leaves an extension interface open to ordinary applications. Unfortunately, viruses use the same technology: the CIH virus uses VxD technology to stay resident, infect files, and destroy the hard disk and Flash BIOS.

The Windows 9x system contains many VxDs, and each VxD can provide four kinds of service: a PM (protected-mode) API, a V86 (virtual-8086) API, Win32 services, and VxD services. The first three serve 16-bit protected-mode, V86-mode, and 32-bit protected-mode programs respectively; VxD services are available only to other VxDs, including VxDs developed by users. In addition, an application can communicate with a VxD that supports the IOCTL interface by calling the API function DeviceIoControl, and so perform low-level operations that the Win32 API does not support.

II. Implementation of VxD technology

VxD operations are register-based, so VxDs are generally written in assembly language. The key part of a VxD is a control procedure, similar to the message-handling procedure of an ordinary window; the difference is that what it handles are system control messages, of which there are 51 in total. From the moment a VxD is loaded to the end of its life cycle, the operating system keeps sending it various control messages; the VxD handles those it needs and ignores the rest. When the system sends a control message to a VxD, it places the message in the EAX register and the system virtual machine (VM) handle in the EBX register.

For a dynamic VxD the three most important messages are SYS_DYNAMIC_DEVICE_INIT, SYS_DYNAMIC_DEVICE_EXIT and W32_DEVICEIOCONTROL, with message codes 1BH, 1CH and 23H respectively. When a VxD is dynamically loaded into memory, the system sends SYS_DYNAMIC_DEVICE_INIT, and the VxD should complete its initial setup and build the data structures it needs. When the VxD is about to be removed, the system sends SYS_DYNAMIC_DEVICE_EXIT, and the VxD should clear its settings and release the related data structures. When an application calls the API function DeviceIoControl to communicate with the VxD, the system sends W32_DEVICEIOCONTROL to the VxD; this is the main means of contact between the application and the VxD. At that moment the ESI register points to a DIOCParams structure: the VxD takes the data the application passed in from the input buffer and places its result in the output buffer, which is returned to the application, so data travels in both directions.

When an application issues a DeviceIoControl call to a VxD, the second parameter specifies the control code. The control procedure reads this control code from offset 0CH of the DIOCParams structure and then dispatches to the corresponding handler. The numbering and meaning of control codes are agreed between the application and the VxD; the system reserves two of them, DIOC_GETVERSION (0) and DIOC_CLOSEHANDLE (-1). When an application calls the API function CreateFile("\\.\VxDName", ...), the system loads the VxD and first sends a SYS_DYNAMIC_DEVICE_INIT control message to its control procedure. If the VxD returns success, the system then sends it a W32_DEVICEIOCONTROL message (with the DIOC_GETVERSION control code) to determine whether this VxD supports the device IOCTL interface; the VxD must clear the EAX register to indicate that it does. CreateFile then returns a device handle hDevice, and the application can control the VxD with the DeviceIoControl function.

The same VxD can be opened several times with CreateFile, each call returning a distinct handle to that VxD, but only one copy of the VxD is kept in system memory. The system maintains a reference count for each VxD, incremented by 1 on every open. When the application calls the API function CloseHandle(hDevice) to close a VxD handle, the VxD receives a W32_DEVICEIOCONTROL message with the DIOC_CLOSEHANDLE control code from the system, and the VxD's reference count is decremented by 1; when the reference count finally reaches 0, the system sends the VxD the control message SYS_DYNAMIC_DEVICE_EXIT and then removes it from memory. In rare cases an application can also call the API function DeleteFile("\\.\VxDName") to unload the VxD directly, ignoring the reference count; this has a devastating effect on other applications using the same VxD and should be avoided.

A typical VxD control procedure looks like this:

    BeginProc VxD_Control
            cmp     eax, 1BH                    ; SYS_DYNAMIC_DEVICE_INIT message
            jz      VxD_Dynamic_Init_Handle
            cmp     eax, 1CH                    ; SYS_DYNAMIC_DEVICE_EXIT message
            jz      VxD_Dynamic_Exit_Handle
            cmp     eax, 23H                    ; W32_DEVICEIOCONTROL message
            jnz     Exit_Control_Proc
            mov     ecx, [esi+0CH]              ; control code from DIOCParams offset 0CH
            ....                                ; handle the control code
    EndProc VxD_Control
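As an added example (not the article's code), a portable C model of the life cycle just described: the system side of CreateFile and CloseHandle keeps the reference count and sends SYS_DYNAMIC_DEVICE_INIT, DIOC_GETVERSION, DIOC_CLOSEHANDLE and SYS_DYNAMIC_DEVICE_EXIT in the order the article gives, while the control procedure reads the control code from offset 0CH of a DIOCParams-like structure. The private code DIOC_GET_OPEN_COUNT, the struct's remaining fields and the integer stand-in for hDevice are constructed for this example.

```c
#include <stdint.h>

#define SYS_DYNAMIC_DEVICE_INIT 0x1B   /* message codes from the article */
#define SYS_DYNAMIC_DEVICE_EXIT 0x1C
#define W32_DEVICEIOCONTROL     0x23
#define DIOC_GETVERSION          0     /* system-reserved control codes */
#define DIOC_CLOSEHANDLE        -1
#define DIOC_GET_OPEN_COUNT      1     /* private code, constructed for this example */

struct DIOCParams {                    /* control code at offset 0CH, as in the article */
    uint32_t internal[3];              /* 00H..0BH: fields this model does not use */
    int32_t  control_code;             /* 0CH */
    const void *in_buf;  uint32_t in_len;
    void       *out_buf; uint32_t out_len;
};
struct VxD { int loaded; int ref_count; };

/* The VxD's control procedure; 0 means success ("EAX cleared"), 1 means failure. */
int vxd_control(struct VxD *v, uint32_t msg, struct DIOCParams *p)
{
    if (msg == SYS_DYNAMIC_DEVICE_INIT) { v->loaded = 1; v->ref_count = 0; return 0; }
    if (msg == SYS_DYNAMIC_DEVICE_EXIT) { v->loaded = 0; return 0; }
    if (msg != W32_DEVICEIOCONTROL || !v->loaded) return 1;   /* ignored or not ready */
    switch (p->control_code) {
    case DIOC_GETVERSION:  return 0;   /* EAX = 0: IOCTL interface supported */
    case DIOC_CLOSEHANDLE: return 0;   /* per-handle cleanup would go here */
    case DIOC_GET_OPEN_COUNT:          /* reply through the output buffer */
        if (p->out_len < sizeof(uint32_t)) return 1;
        *(uint32_t *)p->out_buf = (uint32_t)v->ref_count;
        return 0;
    default:               return 1;   /* unknown control code */
    }
}

/* System side of CreateFile("\\\\.\\VxDName"): load on first open, probe IOCTL
 * support with DIOC_GETVERSION, then count the open. Returns a handle number or -1. */
int sys_create_file(struct VxD *v)
{
    struct DIOCParams q = {{0}, DIOC_GETVERSION};
    if (v->ref_count == 0 && vxd_control(v, SYS_DYNAMIC_DEVICE_INIT, 0)) return -1;
    if (vxd_control(v, W32_DEVICEIOCONTROL, &q)) return -1;   /* no IOCTL support */
    return ++v->ref_count;
}

/* System side of CloseHandle: DIOC_CLOSEHANDLE first, then EXIT once the count hits 0. */
void sys_close_handle(struct VxD *v)
{
    struct DIOCParams q = {{0}, DIOC_CLOSEHANDLE};
    vxd_control(v, W32_DEVICEIOCONTROL, &q);
    if (v->ref_count > 0 && --v->ref_count == 0) vxd_control(v, SYS_DYNAMIC_DEVICE_EXIT, 0);
}
```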

III. The key technology of real-time anti-virus: file hooking

By using a dynamically loaded VxD, an application indirectly gains control of the Windows 9x system, but to monitor every file in the system in real time another key technology is needed: file hooking, which installs a handler to intercept all system calls related to file I/O. Windows 9x uses a 32-bit protected-mode Installable File System (IFS) manager to provide access to file systems and devices. It receives the file I/O requests that reach the system as Win32 API calls and passes them to the file system driver (FSD), which finally performs the access by calling the low-level I/O Supervisor (IOS). Each file I/O API call has a specific FSD function, and IFSMgr is responsible for assembling the API's parameters for the FSD; before it does so, it calls a hook function, the FileSystemApiHookFunction. By installing your own hook function you can intercept the file API calls in the system and check the files involved for viruses in time, implementing real-time monitoring.

The process above is carried out by the user's VxD calling services of the system VxD IFSMgr, which provides a rich set of low-level file operation functions: IFSMgr_InstallSystemApiHook installs a FileSystemApiHookFunction, IFSMgr_RemoveSystemApiHook removes the hook, IFSMgr_Ring0_FileIO is used for file and disk sector access, and so on. When IFSMgr calls the FileSystemApiHookFunction, it passes six parameters:

    FileSystemApiHookFunction(
        pIFSFunc fsdFnAddr,        // address of the corresponding FSD service function
        int      functionNum,      // FSD service function number corresponding to the API (see below)
        int      drive,            // drive number (1 = A, 2 = B, 3 = C ...)
        int      resourceFlags,    // resource flags (see below)
        int      codePage,         // code page (0 = ANSI, 1 = OEM)
        pIOREQ   pir               // pointer to the ioreq structure
    )

The most important of these parameters are three: the FSD function number, the drive number and the ioreq structure pointer. To intercept a given file I/O API call, you only need to handle the corresponding FSD function number in the hook.

The system allows several hooks to be installed, forming a chain. When IFSMgr_InstallSystemApiHook installs a hook it returns the address of the previously installed hook; each hook always calls the previous hook before doing its own specific processing, and the hook installed last is called first. To call another VxD's service from within a VxD, use the INT 20H instruction followed by a doubleword in a special format: the high word is the ID number of the called VxD (IDs are fixed) and the low word is the service number within that VxD. This form is called a VxDCall, for example:

            int     20H
            dd      00400043H                   ; VxDCall IFSMgr_InstallSystemApiHook
            int     20H
            dd      00400044H                   ; VxDCall IFSMgr_RemoveSystemApiHook
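As an added example (not the article's code), a portable C model of the hook chain described in this section: IFSMgr_InstallSystemApiHook returns the previous hook, the hook installed last runs first, and an anti-virus hook inspects only the FSD function number it cares about, deciding before it chains so that it can refuse an open. The ioreq structure, the FSD function numbers (IFSFN_OPEN = 36 and IFSFN_READ = 0 are assumed), the "VIRUS" detection rule and the error value are all constructed stand-ins.

```c
#include <string.h>

struct ioreq { const char *path; int result; };    /* constructed stand-in for the real ioreq */
typedef int (*pIFSFunc)(struct ioreq *pir);
typedef int (*FileSystemApiHookFunction)(pIFSFunc fsdFnAddr, int functionNum, int drive,
                                         int resourceFlags, int codePage, struct ioreq *pir);

#define IFSFN_OPEN 36                               /* assumed open function number for this example */
#define IFSFN_READ 0                                /* assumed read function number for this example */

/* Chain bookkeeping: g_head is the hook IFSMgr calls first; g_order records who ran. */
static FileSystemApiHookFunction g_head;
static int g_order[8], g_n;
static void ran(int who) { if (g_n < 8) g_order[g_n++] = who; }

/* End of the chain: IFSMgr hands the request to the FSD function itself. */
static int ifsmgr_default(pIFSFunc f, int fn, int d, int rf, int cp, struct ioreq *pir)
{ (void)fn; (void)d; (void)rf; (void)cp; ran(0); return f(pir); }

/* Model of IFSMgr_InstallSystemApiHook: new hook goes to the front, the previous one is returned. */
FileSystemApiHookFunction ifsmgr_install_system_api_hook(FileSystemApiHookFunction h)
{ FileSystemApiHookFunction prev = g_head ? g_head : ifsmgr_default; g_head = h; return prev; }

/* Anti-virus hook: inspects only IFSFN_OPEN and lets every other FSD function straight through. */
static FileSystemApiHookFunction g_prev_av;
int av_hook(pIFSFunc f, int fn, int d, int rf, int cp, struct ioreq *pir)
{
    ran(1);
    if (fn == IFSFN_OPEN && strstr(pir->path, "VIRUS") != 0)   /* constructed detection rule */
        return pir->result = -5;                               /* refuse the open; error value constructed */
    return g_prev_av(f, fn, d, rf, cp, pir);                   /* otherwise chain to the previous hook */
}

/* A second, later-installed hook (e.g. a file monitor): always passes through. */
static FileSystemApiHookFunction g_prev_mon;
int monitor_hook(pIFSFunc f, int fn, int d, int rf, int cp, struct ioreq *pir)
{ ran(2); return g_prev_mon(f, fn, d, rf, cp, pir); }

static int fsd_open(struct ioreq *pir) { return pir->result = 0; }   /* toy FSD entry: success */

/* Installs both hooks and runs one request through the chain; returns the request status. */
int run_request(int fn, int drive, const char *path)
{
    struct ioreq req = { path, 0 };
    g_head = 0; g_n = 0;
    g_prev_av  = ifsmgr_install_system_api_hook(av_hook);
    g_prev_mon = ifsmgr_install_system_api_hook(monitor_hook);   /* installed last, called first */
    return g_head(fsd_open, fn, drive, 0, 0, &req);
}
```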

Please credit the original address when reposting: https://www.9cbs.com/read-1295.html
