市面上那些号称带"虚拟机"、"防火墙"功能的实时监控杀毒软件，在 Windows 9x 上几乎都是用 IFS Hook（IFSMgr_InstallFileSystemApiHook）技术实现文件监控的——注意这只适用于 Windows 9x 的 VxD 驱动模型，Windows NT/2000 及以后的系统要用文件系统过滤驱动来做同样的事。同时也有一些朋友不断写信问我如何实现读写监控，下面给出用 VtoolsD 写的示例代码，这也是这类实时杀毒软件的核心原理（示例中对读写缓冲区做的逐字节加减 1 只是用来演示挂钩点，并不是加密）。另外，很多拦截文件操作的软件，例如对目录加
//=============================================================================
//
//By Lu Lin 2000.5.10
// Apply with VtoolsD 3.01
// DDK version is available if requested.
//Abstract:
// Install a IFS hook, monitoring any read and write access
//
//=============================================================================
// IFSHOOK.c - main module for IFSHOOK
#define DEVICE_MAIN
#include "ifshook.h"
#undef DEVICE_MAIN
//typedef EventHdl(pevent pev,pioreq pir);
// One tracked open file. Entries are chained behind a static head
// (Monitored_Files) and keyed by the IFS system file number.
// NOTE(review): the tag/typedef name _Monitored_Files (leading underscore
// followed by an uppercase letter) is reserved for the implementation in C.
typedef struct _Monitored_Files{
struct _Monitored_Files *pNext_Monitored_Files;//next entry; NULL at the tail of the list
struct _Monitored_Files *pPre_Monitored_Files;//previous entry; NULL on the static head
int sfn;//system file number (pir->ir_sfn), the lookup key
int open_count;//IFSFN_OPEN hits for this sfn not yet balanced by IFSFN_CLOSE
char path[260]; //ANSI path as produced by ConvertPath; NOTE(review): nothing here guarantees NUL termination if the path fills all 260 bytes
}_Monitored_Files,*pMonitored_Files;
//
//Declare virtual device
//
Declare_Virtual_Device(IFSHOOK)
// Static head of the tracked-file list. It holds no file itself (sfn is set
// to -1 by OnSysDynamicDeviceInit); real entries are HeapAllocate'd and
// chained behind it. No lock guards the list; an IFS hook can presumably be
// re-entered, so concurrent OPEN/CLOSE traffic on this list is a risk - confirm.
_Monitored_Files Monitored_Files;
// Address of the previously installed hook, as returned by
// IFSMgr_InstallFileSystemApiHook; MyIfsHook chains every request to *PrevHook.
ppIFSFileHookFunc PrevHook;
// Control-message handlers. A handler is only reached if ControlDispatcher
// also routes its message (the START_CONTROL_DISPATCH block below).
DefineControlHandler(SYS_VM_INIT, OnSysVMInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit);
DefineControlHandler(SYS_VM_TERMINATE, OnSysVMTerminate);
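// Build an ANSI "X:<path>" string for an IFS request.
//   drive        - drive number as passed to the hook (1 = A:); the original
//                  treated 0xFF as "no drive letter" (presumably UNC/network
//                  resources - confirm against the IFSMgr documentation)
//   ppath        - the request's parsed path (pir->ir_ppath)
//   fullpathname - caller buffer of at least 260 bytes; on return it is
//                  fully initialised and NUL-terminated
// Returns fullpathname.
// Fixes relative to the original: 'A' and ':' were written as the string
// literals "A" and ":" (pointer arithmetic, not characters); the conversion
// was given the full 260 bytes even after a 2-byte prefix had been written,
// allowing a 2-byte overrun; nothing guaranteed termination.
PCHAR ConvertPath( int drive, path_t ppath, PCHAR fullpathname )
{
    int prefix = 0;
    _QWORD result;

    // Zero the whole buffer so the later 260-byte memcpy into a tracking
    // entry never copies uninitialised stack bytes, and so a short result is
    // always terminated.
    memset( fullpathname, 0, 260 );

    //
    // Stick on the drive letter if we know it. Only 1..26 maps to a letter;
    // this also excludes the 0xFF / -1 "no drive" sentinels, which the
    // original's "!= 0xFF" test did not handle for a signed -1.
    //
    if( drive >= 1 && drive <= 26 ) {
        fullpathname[0] = (char)( 'A' + drive - 1 );
        fullpathname[1] = ':';
        prefix = 2;
    }

    // Only 260 - prefix bytes remain after the drive prefix.
    UniToBCSPath( &fullpathname[prefix], ppath->pp_elements, 260 - prefix, BCS_WANSI, &result );

    // Force termination regardless of what UniToBCSPath did with the last byte.
    fullpathname[259] = '\0';
    return( fullpathname );
}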
// Look up the tracking entry for system file number `i`.
// Walks the global list starting at the static head (whose sfn is -1) and
// returns the first entry with a matching sfn, or 0 when none is tracked.
pMonitored_Files IsFileOpened(int i){
    pMonitored_Files cur;

    for (cur = &Monitored_Files; cur != 0; cur = cur->pNext_Monitored_Files) {
        if (cur->sfn == i) {
            break;
        }
    }
    return cur;
}
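// VtoolsD control-message dispatcher. Each ON_* entry routes a system control
// message to the handler declared with DefineControlHandler above; the
// parameters are the raw register values VtoolsD passes in and are consumed
// by the dispatch macros.
// Fix: SYS_VM_TERMINATE has a handler (OnSysVMTerminate) but the original
// dispatcher never routed it, so a build that installs the hook from
// OnSysVMInit had nothing that ever removed it. ON_SYS_VM_TERMINATE follows
// the naming of the other ON_* macros - confirm it exists in this VtoolsD
// version.
BOOL ControlDispatcher(
DWORD dwControlMessage,
DWORD EBX,
DWORD EDX,
DWORD ESI,
DWORD EDI,
DWORD ECX)
{
    START_CONTROL_DISPATCH
    ON_SYS_VM_INIT(OnSysVMInit);
    ON_SYS_VM_TERMINATE(OnSysVMTerminate);
    ON_SYS_DYNAMIC_DEVICE_INIT(OnSysDynamicDeviceInit);
    ON_SYS_DYNAMIC_DEVICE_EXIT(OnSysDynamicDeviceExit);
    END_CONTROL_DISPATCH
    return TRUE;
}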
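// Path (as produced by ConvertPath) whose contents are transformed on the way
// through. The page rendered this literal as "c://test.txt"; the same mangling
// turned the '\' line continuations in this listing into '/', so the literal
// is restored to a backslash path here.
static const char kMonitoredPath[] = "c:\\test.txt";

// Append a tracking entry for sfn/path to the end of the global list.
// Returns the new entry, or 0 if HeapAllocate failed (the original used the
// NULL result without checking it). On failure the file is simply not
// tracked; the open itself has already completed.
static pMonitored_Files TrackOpen(int sfn, const char *path)
{
    pMonitored_Files tail = &Monitored_Files;
    pMonitored_Files entry;

    while (tail->pNext_Monitored_Files) {
        tail = tail->pNext_Monitored_Files;
    }
    entry = HeapAllocate(sizeof(_Monitored_Files), HEAPZEROINIT);
    if (!entry) {
        return 0;
    }
    entry->pPre_Monitored_Files = tail;
    entry->pNext_Monitored_Files = 0;
    entry->sfn = sfn;
    entry->open_count = 1;
    memcpy(entry->path, path, 260);
    entry->path[259] = '\0';   // guarantee the path is a usable C string
    tail->pNext_Monitored_Files = entry;
    return entry;
}

// Unlink a heap entry from the global list and release it. Either neighbour
// may be NULL (the head's previous pointer, the tail's next pointer); the
// original dereferenced the next pointer unconditionally, so closing the
// last-opened file dereferenced NULL.
static void Untrack(pMonitored_Files entry)
{
    if (entry->pPre_Monitored_Files) {
        entry->pPre_Monitored_Files->pNext_Monitored_Files = entry->pNext_Monitored_Files;
    }
    if (entry->pNext_Monitored_Files) {
        entry->pNext_Monitored_Files->pPre_Monitored_Files = entry->pPre_Monitored_Files;
    }
    HeapFree(entry, 0);
}

// Add `delta` to every byte of data[0..len). This is the listing's
// placeholder transform (a fixed byte offset); it demonstrates where a
// cipher would go and provides no confidentiality on its own.
static void ShiftBytes(unsigned char *data, unsigned int len, int delta)
{
    unsigned int k;

    if (!data) {
        return;
    }
    for (k = 0; k < len; k++) {
        data[k] = (unsigned char)(data[k] + delta);
    }
}

// IFS API hook. Every request is chained to *PrevHook; OPEN/CLOSE maintain
// the tracking list keyed by pir->ir_sfn, and READ/WRITE of kMonitoredPath
// have their data buffer transformed (READ after the provider filled it,
// WRITE before the provider sees it). Returns whatever the chained hook
// returned; 0 is taken to be the IFSMgr success code - confirm in ifs.h.
// No lock protects the list; if IFS hooks can be re-entered the list
// operations here can race (unchanged from the original).
int _cdecl MyIfsHook(pIFSFunc pfn, int fn, int Drive, int ResType,
int CodePage, pioreq pir)
{
    int retvar;
    char fullpathname[260];
    pMonitored_Files FileEntry;

    switch (fn) {
    case IFSFN_OPEN:
        // Let the open complete first so ir_sfn is valid; only a successful
        // open is recorded (the original also tracked failed opens).
        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        if (retvar == 0) {
            FileEntry = IsFileOpened(pir->ir_sfn);
            if (FileEntry == &Monitored_Files) {
                // sfn matched the -1 sentinel of the static head; never
                // count opens against it, it is not a real file.
            } else if (FileEntry) {
                FileEntry->open_count++;
            } else {
                ConvertPath(Drive, pir->ir_ppath, fullpathname);
                TrackOpen(pir->ir_sfn, fullpathname);
            }
        }
        return retvar;

    case IFSFN_READ: {
        unsigned char *data = (unsigned char *)pir->ir_data;
        unsigned int requested = pir->ir_length;
        unsigned int got;

        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        // The original dereferenced the lookup result without a NULL check;
        // a read on an sfn the OPEN hook never saw (or could not allocate a
        // record for) crashed here.
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (retvar == 0 && FileEntry && !stricmp(kMonitoredPath, FileEntry->path)) {
            // Transform only what was transferred: if the provider rewrote
            // ir_length with the byte count, honour it; otherwise this is
            // the requested length, as in the original.
            got = pir->ir_length < requested ? pir->ir_length : requested;
            ShiftBytes(data, got, -1);
        }
        return retvar;
    }

    case IFSFN_WRITE:
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry && !stricmp(kMonitoredPath, FileEntry->path)) {
            // NOTE: this rewrites the caller's buffer in place before the
            // write is forwarded, so the process that issued the write sees
            // its own memory modified. The original did the same.
            ShiftBytes((unsigned char *)pir->ir_data, pir->ir_length, +1);
        }
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);

    case IFSFN_CLOSE:
        FileEntry = IsFileOpened(pir->ir_sfn);
        // Never decrement or free the static head (it is not heap memory).
        if (FileEntry && FileEntry != &Monitored_Files) {
            FileEntry->open_count--;
            if (FileEntry->open_count <= 0) {
                Untrack(FileEntry);
            }
        }
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
    }
    return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
}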
// System VM start-up handler: the static-load counterpart of the dynamic
// init message. Delegates to OnSysDynamicDeviceInit; the VM handle is unused.
BOOL OnSysVMInit(VMHANDLE hVM){
    (void)hVM;
    return OnSysDynamicDeviceInit();
}
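// Initialise the tracking list and install the IFS hook.
// Returns TRUE on success, FALSE if IFSMgr did not install the hook.
// Fixes relative to the original: the list head is reset BEFORE the hook is
// live (the original installed the hook first, so a request arriving in
// between walked an uninitialised head); a repeated call is a no-op instead
// of installing the hook a second time (which would presumably make
// PrevHook point at MyIfsHook itself and recurse forever); a NULL result
// from IFSMgr is reported rather than stored and later called through.
BOOL OnSysDynamicDeviceInit()
{
    if (PrevHook) {
        // Already installed (e.g. both SYS_VM_INIT and
        // SYS_DYNAMIC_DEVICE_INIT delivered).
        return TRUE;
    }
    Monitored_Files.pNext_Monitored_Files = 0;
    Monitored_Files.pPre_Monitored_Files = 0;
    Monitored_Files.sfn = -1;          // sentinel; presumed never a real sfn
    Monitored_Files.open_count = 0;
    Monitored_Files.path[0] = 0;

    PrevHook = IFSMgr_InstallFileSystemApiHook(MyIfsHook);
    if (!PrevHook) {
        return FALSE;
    }
    return TRUE;
}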
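// Remove the IFS hook and release every tracking entry still on the list.
// The original removed the hook only, leaking any heap entries whose CLOSE
// was never observed or that were still open at unload. The hook is removed
// first so no request can touch the list while it is being freed.
BOOL OnSysDynamicDeviceExit()
{
    pMonitored_Files cur, next;

    if (PrevHook) {
        IFSMgr_RemoveFileSystemApiHook(MyIfsHook);
        PrevHook = 0;
    }
    // Heap entries hang off the static head; the head itself is not freed.
    for (cur = Monitored_Files.pNext_Monitored_Files; cur; cur = next) {
        next = cur->pNext_Monitored_Files;
        HeapFree(cur, 0);
    }
    Monitored_Files.pNext_Monitored_Files = 0;
    return TRUE;
}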
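// System VM shutdown handler, the mirror of OnSysVMInit. The function is
// declared void, so the original `return OnSysDynamicDeviceExit();` returned
// a value from a void function (a C constraint violation); call it and
// discard the result instead. The VM handle is unused.
void OnSysVMTerminate(VMHANDLE hVM){
    (void)hVM;
    OnSysDynamicDeviceExit();
}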
//
//By Lu Lin 2000.5.10
// Apply with VtoolsD 3.01
// DDK version is available if requested.
//Abstract:
// Install a IFS hook, monitoring any read and write access
//
//=============================================================================
// IFSHOOK.c - main module for IFSHOOK
#define DEVICE_MAIN
#include "ifshook.h"
#undef DEVICE_MAIN
//typedef EventHdl(pevent pev,pioreq pir);
// One tracked open file. Entries are chained behind a static head
// (Monitored_Files) and keyed by the IFS system file number.
// NOTE(review): the tag/typedef name _Monitored_Files (leading underscore
// followed by an uppercase letter) is reserved for the implementation in C.
typedef struct _Monitored_Files{
struct _Monitored_Files *pNext_Monitored_Files;//next entry; NULL at the tail of the list
struct _Monitored_Files *pPre_Monitored_Files;//previous entry; NULL on the static head
int sfn;//system file number (pir->ir_sfn), the lookup key
int open_count;//IFSFN_OPEN hits for this sfn not yet balanced by IFSFN_CLOSE
char path[260]; //ANSI path as produced by ConvertPath; NOTE(review): nothing here guarantees NUL termination if the path fills all 260 bytes
}_Monitored_Files,*pMonitored_Files;
//
//Declare virtual device
//
Declare_Virtual_Device(IFSHOOK)
// Static head of the tracked-file list. It holds no file itself (sfn is set
// to -1 by OnSysDynamicDeviceInit); real entries are HeapAllocate'd and
// chained behind it. No lock guards the list; an IFS hook can presumably be
// re-entered, so concurrent OPEN/CLOSE traffic on this list is a risk - confirm.
_Monitored_Files Monitored_Files;
// Address of the previously installed hook, as returned by
// IFSMgr_InstallFileSystemApiHook; MyIfsHook chains every request to *PrevHook.
ppIFSFileHookFunc PrevHook;
// Control-message handlers. A handler is only reached if ControlDispatcher
// also routes its message (the START_CONTROL_DISPATCH block below).
DefineControlHandler(SYS_VM_INIT, OnSysVMInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_INIT, OnSysDynamicDeviceInit);
DefineControlHandler(SYS_DYNAMIC_DEVICE_EXIT, OnSysDynamicDeviceExit);
DefineControlHandler(SYS_VM_TERMINATE, OnSysVMTerminate);
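// Build an ANSI "X:<path>" string for an IFS request.
//   drive        - drive number as passed to the hook (1 = A:); the original
//                  treated 0xFF as "no drive letter" (presumably UNC/network
//                  resources - confirm against the IFSMgr documentation)
//   ppath        - the request's parsed path (pir->ir_ppath)
//   fullpathname - caller buffer of at least 260 bytes; on return it is
//                  fully initialised and NUL-terminated
// Returns fullpathname.
// Fixes relative to the original: 'A' and ':' were written as the string
// literals "A" and ":" (pointer arithmetic, not characters); the conversion
// was given the full 260 bytes even after a 2-byte prefix had been written,
// allowing a 2-byte overrun; nothing guaranteed termination.
PCHAR ConvertPath( int drive, path_t ppath, PCHAR fullpathname )
{
    int prefix = 0;
    _QWORD result;

    // Zero the whole buffer so the later 260-byte memcpy into a tracking
    // entry never copies uninitialised stack bytes, and so a short result is
    // always terminated.
    memset( fullpathname, 0, 260 );

    //
    // Stick on the drive letter if we know it. Only 1..26 maps to a letter;
    // this also excludes the 0xFF / -1 "no drive" sentinels, which the
    // original's "!= 0xFF" test did not handle for a signed -1.
    //
    if( drive >= 1 && drive <= 26 ) {
        fullpathname[0] = (char)( 'A' + drive - 1 );
        fullpathname[1] = ':';
        prefix = 2;
    }

    // Only 260 - prefix bytes remain after the drive prefix.
    UniToBCSPath( &fullpathname[prefix], ppath->pp_elements, 260 - prefix, BCS_WANSI, &result );

    // Force termination regardless of what UniToBCSPath did with the last byte.
    fullpathname[259] = '\0';
    return( fullpathname );
}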
// Look up the tracking entry for system file number `i`.
// Walks the global list starting at the static head (whose sfn is -1) and
// returns the first entry with a matching sfn, or 0 when none is tracked.
pMonitored_Files IsFileOpened(int i){
    pMonitored_Files cur;

    for (cur = &Monitored_Files; cur != 0; cur = cur->pNext_Monitored_Files) {
        if (cur->sfn == i) {
            break;
        }
    }
    return cur;
}
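// VtoolsD control-message dispatcher. Each ON_* entry routes a system control
// message to the handler declared with DefineControlHandler above; the
// parameters are the raw register values VtoolsD passes in and are consumed
// by the dispatch macros.
// Fix: SYS_VM_TERMINATE has a handler (OnSysVMTerminate) but the original
// dispatcher never routed it, so a build that installs the hook from
// OnSysVMInit had nothing that ever removed it. ON_SYS_VM_TERMINATE follows
// the naming of the other ON_* macros - confirm it exists in this VtoolsD
// version.
BOOL ControlDispatcher(
DWORD dwControlMessage,
DWORD EBX,
DWORD EDX,
DWORD ESI,
DWORD EDI,
DWORD ECX)
{
    START_CONTROL_DISPATCH
    ON_SYS_VM_INIT(OnSysVMInit);
    ON_SYS_VM_TERMINATE(OnSysVMTerminate);
    ON_SYS_DYNAMIC_DEVICE_INIT(OnSysDynamicDeviceInit);
    ON_SYS_DYNAMIC_DEVICE_EXIT(OnSysDynamicDeviceExit);
    END_CONTROL_DISPATCH
    return TRUE;
}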
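// Path (as produced by ConvertPath) whose contents are transformed on the way
// through. The page rendered this literal as "c://test.txt"; the same mangling
// turned the '\' line continuations in this listing into '/', so the literal
// is restored to a backslash path here.
static const char kMonitoredPath[] = "c:\\test.txt";

// Append a tracking entry for sfn/path to the end of the global list.
// Returns the new entry, or 0 if HeapAllocate failed (the original used the
// NULL result without checking it). On failure the file is simply not
// tracked; the open itself has already completed.
static pMonitored_Files TrackOpen(int sfn, const char *path)
{
    pMonitored_Files tail = &Monitored_Files;
    pMonitored_Files entry;

    while (tail->pNext_Monitored_Files) {
        tail = tail->pNext_Monitored_Files;
    }
    entry = HeapAllocate(sizeof(_Monitored_Files), HEAPZEROINIT);
    if (!entry) {
        return 0;
    }
    entry->pPre_Monitored_Files = tail;
    entry->pNext_Monitored_Files = 0;
    entry->sfn = sfn;
    entry->open_count = 1;
    memcpy(entry->path, path, 260);
    entry->path[259] = '\0';   // guarantee the path is a usable C string
    tail->pNext_Monitored_Files = entry;
    return entry;
}

// Unlink a heap entry from the global list and release it. Either neighbour
// may be NULL (the head's previous pointer, the tail's next pointer); the
// original dereferenced the next pointer unconditionally, so closing the
// last-opened file dereferenced NULL.
static void Untrack(pMonitored_Files entry)
{
    if (entry->pPre_Monitored_Files) {
        entry->pPre_Monitored_Files->pNext_Monitored_Files = entry->pNext_Monitored_Files;
    }
    if (entry->pNext_Monitored_Files) {
        entry->pNext_Monitored_Files->pPre_Monitored_Files = entry->pPre_Monitored_Files;
    }
    HeapFree(entry, 0);
}

// Add `delta` to every byte of data[0..len). This is the listing's
// placeholder transform (a fixed byte offset); it demonstrates where a
// cipher would go and provides no confidentiality on its own.
static void ShiftBytes(unsigned char *data, unsigned int len, int delta)
{
    unsigned int k;

    if (!data) {
        return;
    }
    for (k = 0; k < len; k++) {
        data[k] = (unsigned char)(data[k] + delta);
    }
}

// IFS API hook. Every request is chained to *PrevHook; OPEN/CLOSE maintain
// the tracking list keyed by pir->ir_sfn, and READ/WRITE of kMonitoredPath
// have their data buffer transformed (READ after the provider filled it,
// WRITE before the provider sees it). Returns whatever the chained hook
// returned; 0 is taken to be the IFSMgr success code - confirm in ifs.h.
// No lock protects the list; if IFS hooks can be re-entered the list
// operations here can race (unchanged from the original).
int _cdecl MyIfsHook(pIFSFunc pfn, int fn, int Drive, int ResType,
int CodePage, pioreq pir)
{
    int retvar;
    char fullpathname[260];
    pMonitored_Files FileEntry;

    switch (fn) {
    case IFSFN_OPEN:
        // Let the open complete first so ir_sfn is valid; only a successful
        // open is recorded (the original also tracked failed opens).
        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        if (retvar == 0) {
            FileEntry = IsFileOpened(pir->ir_sfn);
            if (FileEntry == &Monitored_Files) {
                // sfn matched the -1 sentinel of the static head; never
                // count opens against it, it is not a real file.
            } else if (FileEntry) {
                FileEntry->open_count++;
            } else {
                ConvertPath(Drive, pir->ir_ppath, fullpathname);
                TrackOpen(pir->ir_sfn, fullpathname);
            }
        }
        return retvar;

    case IFSFN_READ: {
        unsigned char *data = (unsigned char *)pir->ir_data;
        unsigned int requested = pir->ir_length;
        unsigned int got;

        retvar = (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
        // The original dereferenced the lookup result without a NULL check;
        // a read on an sfn the OPEN hook never saw (or could not allocate a
        // record for) crashed here.
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (retvar == 0 && FileEntry && !stricmp(kMonitoredPath, FileEntry->path)) {
            // Transform only what was transferred: if the provider rewrote
            // ir_length with the byte count, honour it; otherwise this is
            // the requested length, as in the original.
            got = pir->ir_length < requested ? pir->ir_length : requested;
            ShiftBytes(data, got, -1);
        }
        return retvar;
    }

    case IFSFN_WRITE:
        FileEntry = IsFileOpened(pir->ir_sfn);
        if (FileEntry && !stricmp(kMonitoredPath, FileEntry->path)) {
            // NOTE: this rewrites the caller's buffer in place before the
            // write is forwarded, so the process that issued the write sees
            // its own memory modified. The original did the same.
            ShiftBytes((unsigned char *)pir->ir_data, pir->ir_length, +1);
        }
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);

    case IFSFN_CLOSE:
        FileEntry = IsFileOpened(pir->ir_sfn);
        // Never decrement or free the static head (it is not heap memory).
        if (FileEntry && FileEntry != &Monitored_Files) {
            FileEntry->open_count--;
            if (FileEntry->open_count <= 0) {
                Untrack(FileEntry);
            }
        }
        return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
    }
    return (*PrevHook)(pfn, fn, Drive, ResType, CodePage, pir);
}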
// System VM start-up handler: the static-load counterpart of the dynamic
// init message. Delegates to OnSysDynamicDeviceInit; the VM handle is unused.
BOOL OnSysVMInit(VMHANDLE hVM){
    (void)hVM;
    return OnSysDynamicDeviceInit();
}
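// Initialise the tracking list and install the IFS hook.
// Returns TRUE on success, FALSE if IFSMgr did not install the hook.
// Fixes relative to the original: the list head is reset BEFORE the hook is
// live (the original installed the hook first, so a request arriving in
// between walked an uninitialised head); a repeated call is a no-op instead
// of installing the hook a second time (which would presumably make
// PrevHook point at MyIfsHook itself and recurse forever); a NULL result
// from IFSMgr is reported rather than stored and later called through.
BOOL OnSysDynamicDeviceInit()
{
    if (PrevHook) {
        // Already installed (e.g. both SYS_VM_INIT and
        // SYS_DYNAMIC_DEVICE_INIT delivered).
        return TRUE;
    }
    Monitored_Files.pNext_Monitored_Files = 0;
    Monitored_Files.pPre_Monitored_Files = 0;
    Monitored_Files.sfn = -1;          // sentinel; presumed never a real sfn
    Monitored_Files.open_count = 0;
    Monitored_Files.path[0] = 0;

    PrevHook = IFSMgr_InstallFileSystemApiHook(MyIfsHook);
    if (!PrevHook) {
        return FALSE;
    }
    return TRUE;
}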
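// Remove the IFS hook and release every tracking entry still on the list.
// The original removed the hook only, leaking any heap entries whose CLOSE
// was never observed or that were still open at unload. The hook is removed
// first so no request can touch the list while it is being freed.
BOOL OnSysDynamicDeviceExit()
{
    pMonitored_Files cur, next;

    if (PrevHook) {
        IFSMgr_RemoveFileSystemApiHook(MyIfsHook);
        PrevHook = 0;
    }
    // Heap entries hang off the static head; the head itself is not freed.
    for (cur = Monitored_Files.pNext_Monitored_Files; cur; cur = next) {
        next = cur->pNext_Monitored_Files;
        HeapFree(cur, 0);
    }
    Monitored_Files.pNext_Monitored_Files = 0;
    return TRUE;
}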
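// System VM shutdown handler, the mirror of OnSysVMInit. The function is
// declared void, so the original `return OnSysDynamicDeviceExit();` returned
// a value from a void function (a C constraint violation); call it and
// discard the result instead. The VM handle is unused.
void OnSysVMTerminate(VMHANDLE hVM){
    (void)hVM;
    OnSysDynamicDeviceExit();
}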