Mystery of anti-virus software

xiaoxiao2021-03-06  106

All of the real-time monitoring ("virtual machine") and "firewall" products on the market are not built on IFS hook technology. At the same time, however, readers keep writing to ask how read and write interception is achieved. What follows is code written with VToolsD; it is all there is to the "mystery" of real-time anti-virus software. Much other software that intercepts file operations, such as file-encryption tools, also adopts the same minimal approach.

Since the code is very simple, it is not analyzed.

// ==========================================================================
//
// Built with VToolsD 3.01
// DDK version is available if requested.
//
// Abstract:
//   Install an IFS hook, monitoring any read and write access
//
// ==========================================================================

// ifshook.c - Main Module for ifshook

/* DEVICE_MAIN tells the VToolsD device header that this translation unit
   owns the device's global definitions; it is undefined again right after. */
#define DEVICE_MAIN
#include "ifshook.h"
#undef DEVICE_MAIN

// TypedEf EventHDL (PEVENT PEV, PIOREQ PIR);

/*
 * One tracked open file. Nodes form a doubly linked list rooted at the
 * static head Monitored_Files; the head itself never holds a real file.
 */
typedef struct _Monitored_Files {
    struct _Monitored_Files *pNext_Monitored_Files; /* next node, 0 at the tail */
    struct _Monitored_Files *pPre_Monitored_Files;  /* previous node, 0 on the list head */
    int  sfn;                                       /* system file number assigned by the IFS */
    int  open_count;                                /* opens not yet matched by a close */
    char path[260];                                 /* ANSI path name, "X:..." form */
} _Monitored_Files, *pmonitored_files;

// // Declare Virtual device // declare_virtual_device (ifshook)

/* List head for the tracked files (a sentinel, initialised in OnSysDynamicDeviceInit). */
_Monitored_Files Monitored_Files;

/* Previous hook in the IFS chain; every message MyIfsHook handles is forwarded through it. */
ppIFSFileHookFunc PrevHook;

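DefineControlHandler(SYS_VM_INIT, OnSysVMInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit);
DefineControlHandler(SYS_VM_TERMINATE, OnSysVMTerminate);

/*
 * ConvertPath - render an IFS parsed path as an ANSI "X:..." string.
 *
 * drive        1-based drive number; 0xff means "no drive letter known".
 * ppath        parsed path from the I/O request (pir->ir_ppath).
 * fullpathname caller-provided buffer of at least 260 bytes; it receives the
 *              optional "X:" prefix followed by the converted path.
 *
 * Returns fullpathname.
 *
 * Fix: the original passed 260 as the remaining room even after writing the
 * two-byte drive prefix, which let UniToBCSPath write two bytes past the end
 * of a 260-byte buffer. The remaining length now accounts for the prefix.
 * NOTE(review): whether UniToBCSPath's length includes the terminator and
 * whether it always NUL-terminates is not visible here -- confirm against the
 * service's definition; its result is not checked.
 */
PCHAR ConvertPath(int drive, path_t ppath, PCHAR fullpathname)
{
    int i = 0;
    _QWORD result;

    /* Stick on the drive letter if we know it (drive 1 -> 'a'). */
    if (drive != 0xff) {
        fullpathname[0] = drive + 'a' - 1;
        fullpathname[1] = ':';
        i = 2;
    }
    UniToBCSPath(&fullpathname[i], ppath->pp_elements, 260 - i, BCS_WANSI, &result);
    return fullpathname;
}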

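/*
 * IsFileOpened - find the tracked entry for system file number i.
 *
 * Returns the node, or 0 when no open of that sfn has been recorded.
 *
 * The static head Monitored_Files is a sentinel (sfn -1, no pPre link) and is
 * never a real entry, so the walk starts at its successor. The original
 * compared against the head as well: a lookup for sfn -1 would have returned
 * the head, which the close path then unlinks through its null pPre pointer.
 */
pmonitored_files IsFileOpened(int i)
{
    pmonitored_files node;

    for (node = Monitored_Files.pNext_Monitored_Files; node; node = node->pNext_Monitored_Files) {
        if (node->sfn == i) {
            return node;
        }
    }
    return 0;
}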

/*
 * ControlDispatcher - route VMM control messages to the handlers declared above.
 *
 * Only the init and dynamic-exit messages are dispatched. A SYS_VM_TERMINATE
 * handler (OnSysVMTerminate) is declared and defined in this file but has no
 * entry here -- NOTE(review): confirm whether that omission is intentional.
 */
BOOL ControlDispatcher(DWORD dwControlMessage, DWORD EBX, DWORD EDI, DWORD ECX)
{
    START_CONTROL_DISPATCH

        ON_SYS_VM_INIT(OnSysVMInit);
        ON_SYS_DYNAMIC_DEVICE_INIT(OnSysDynamicDeviceInit);
        ON_SYS_DYNAMIC_DEVICE_EXIT(OnSysDynamicDeviceExit);

    END_CONTROL_DISPATCH

    return TRUE;
}

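/*
 * MyIfsHook - file system API hook; sees every IFS request before the FSD.
 *
 * pfn, fn, Drive, ResType, CodePage, pir  the IFS hook arguments; they are
 *         forwarded unchanged to PrevHook for every request.
 *
 * Returns whatever PrevHook returns for the request.
 *
 * Tracked state is the Monitored_Files list: OPEN records or refcounts an
 * entry keyed by pir->ir_sfn, CLOSE drops it when the count reaches zero,
 * READ/WRITE look the entry up to decide whether to transform the data.
 *
 * Fixes relative to the original:
 *  - READ dereferenced the IsFileOpened result without a null check, while
 *    WRITE checked it; both now check.
 *  - OPEN dereferenced the HeapAllocate result without a null check and linked
 *    the node before filling it; the node is now filled first and only linked
 *    when allocation succeeded.
 *  - CLOSE wrote next->pPre unconditionally, a null dereference when the freed
 *    node was the last one in the list.
 *
 * NOTE(review): OPEN records an entry regardless of the value PrevHook
 * returned -- if a non-zero result means the open failed (confirm the IFS
 * convention), the entry should be skipped in that case.
 * NOTE(review): READ captures ir_length before the FSD runs, i.e. the
 * requested length; if the FSD updates ir_length to the count actually
 * transferred, the loop bound should be taken after the call.
 * The path literal is reproduced exactly as it appears in the pasted listing;
 * it looks mangled (a backslash path is more likely) -- confirm before use.
 */
int _cdecl MyIfsHook(pIFSFunc pfn, int fn, int Drive, int ResType, int CodePage, pioreq pir)
{
    int retvar;
    int i;
    char fullpathname[260];
    _Monitored_Files *FileEntry;

    switch (fn) {
    case IFSFN_OPEN: {
        /* Let the FSD perform the open first; the sfn is only meaningful afterwards. */
        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        ConvertPath(Drive, pir->ir_ppath, fullpathname);
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry) {
            FileEntry->open_count++;
        } else {
            _Monitored_Files *tail = &Monitored_Files;
            _Monitored_Files *node;

            while (tail->pNext_Monitored_Files) {
                tail = tail->pNext_Monitored_Files;
            }
            node = HeapAllocate(sizeof *node, HEAPZEROINIT);
            if (node) {
                node->pPre_Monitored_Files = tail;
                node->sfn = pir->ir_sfn;
                node->open_count = 1;
                memcpy(node->path, fullpathname, sizeof node->path);
                tail->pNext_Monitored_Files = node; /* publish only once fully filled */
            }
        }
        return retvar;
    }

    case IFSFN_READ: {
        /* Do something here, e.g. decrypt the file, after the FSD has filled ir_data. */
        char *str = (char *)pir->ir_data;
        int j = pir->ir_length;

        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry && !stricmp("c: //test.txt", FileEntry->path)) {
            for (i = 0; i < j; i++) {
                /* PLACEHOLDER: the per-byte transform applied to str[i] is lost
                   in the pasted listing (it breaks off at this loop); restore it
                   from the original source before use. */
                (void)str[i];
            }
        }
        return retvar;
    }

    case IFSFN_WRITE: {
        /* Do something here, e.g. encrypt the file, before the FSD writes ir_data. */
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry && !stricmp("c: //test.txt", FileEntry->path)) {
            for (i = 0; i < pir->ir_length; i++) {
                /* PLACEHOLDER: the per-byte transform applied to
                   ((char *)pir->ir_data)[i] is garbled in the pasted listing
                   (the operator was dropped); restore it from the original
                   source before use. */
                (void)((char *)pir->ir_data)[i];
            }
        }
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
    }

    case IFSFN_CLOSE: {
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry) {
            FileEntry->open_count--;
            if (FileEntry->open_count == 0) {
                _Monitored_Files *prev = FileEntry->pPre_Monitored_Files;
                _Monitored_Files *next = FileEntry->pNext_Monitored_Files;

                if (prev) {
                    prev->pNext_Monitored_Files = next;
                }
                if (next) {
                    next->pPre_Monitored_Files = prev;
                }
                HeapFree(FileEntry, 0);
            }
        }
        /* The entry is released before the FSD sees the close; a failed close
           is therefore no longer tracked (original behaviour, kept). */
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
    }

    default:
        break;
    }

    return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
}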

/*
 * OnSysVMInit - SYS_VM_INIT handler; performs the same setup as the
 * dynamic-load path and returns its result.
 */
BOOL OnSysVMInit(VMHANDLE hVM)
{
    return OnSysDynamicDeviceInit();
}

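/*
 * OnSysDynamicDeviceInit - reset the tracked-file list and install the hook.
 *
 * Returns TRUE when the hook is in place, FALSE otherwise.
 *
 * Fix: the original installed the hook before resetting the list head. Once
 * installed, every file operation walks Monitored_Files from MyIfsHook, so
 * the head is reset first. The install result is also checked now; the
 * original stored it unconditionally and MyIfsHook calls through it for every
 * request.
 * NOTE(review): a null return is treated as "not installed" -- confirm that is
 * the service's failure signal.
 */
BOOL OnSysDynamicDeviceInit(void)
{
    Monitored_Files.pNext_Monitored_Files = 0;
    Monitored_Files.pPre_Monitored_Files = 0;
    Monitored_Files.sfn = -1;          /* sentinel: never a real file number */
    Monitored_Files.open_count = 0;
    Monitored_Files.path[0] = 0;

    PrevHook = IFSMgr_InstallFileSystemApiHook(MyIfsHook);
    if (!PrevHook) {
        return FALSE;
    }
    return TRUE;
}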

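/*
 * OnSysDynamicDeviceExit - remove the hook and release the tracked-file list.
 *
 * Returns TRUE.
 *
 * Fix: the original removed the hook but left every HeapAllocate'd list node
 * allocated on unload. The static head is not freed.
 * NOTE(review): if a request can still be inside MyIfsHook when the hook is
 * removed, freeing here races with it -- confirm the service guarantees no
 * in-flight calls remain after removal.
 */
BOOL OnSysDynamicDeviceExit(void)
{
    _Monitored_Files *node;

    IFSMgr_RemoveFileSystemApiHook(MyIfsHook);

    node = Monitored_Files.pNext_Monitored_Files;
    while (node) {
        _Monitored_Files *next = node->pNext_Monitored_Files;
        HeapFree(node, 0);
        node = next;
    }
    Monitored_Files.pNext_Monitored_Files = 0;

    return TRUE;
}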

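/*
 * OnSysVMTerminate - SYS_VM_TERMINATE handler; tears down the hook the same
 * way the dynamic-unload path does.
 *
 * Fix: the original wrote `return OnSysDynamicDeviceExit();` inside a void
 * function, which is a constraint violation; the result is discarded here.
 */
VOID OnSysVMTerminate(VMHANDLE hVM)
{
    (void)OnSysDynamicDeviceExit();
}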

转载请注明原文地址:https://www.9cbs.com/read-96968.html
