驱动小牛
Views: 1085  Replies: 2
Does Rising (瑞星) 2007 have a filter?
Hi everyone:
I have recently been looking at a few antivirus products and found that Rising does not attach to any device; my reasoning is that I cannot see it in DeviceTree. Does anyone know how it implements real-time file monitoring? API hooking? Spoofing of the device stack? Or some other technique?
Reply #1
Posted: 2007-12-06 12:47
DISPATCH HOOK
驱动小牛
Reply #2
Posted: 2007-12-06 14:48
Thanks, 老牛:
Let me add some more detail.
Module Name: FSHook.c
Abstract: I wanted to build a filter driver when I first thought about doing this kind of thing. But then I found that it's not realistic, because it has to hook every filesystem driver to avoid missing any IRPs, and we don't know when a new driver will appear. When we install a virtual CD-ROM program, for instance, it installs a driver to control the virtual CD-ROM. There can be viruses in the disk image, so we have to hook that driver as well. Then a new idea, which I later found is used by most AV software, came to me. The driver's final goal is to intercept all I/O to disks A~Z, so we can use ObReferenceObjectByXXX to get the _FILE_OBJECT of \??\X:\, then get the device chain with IoGetRelatedDeviceObject. We are interested in the MajorFunction field of the _DEVICE_OBJECT. We can hook the IRP_MJ_XXX we are interested in by replacing the entries of the dispatch routines with our own.
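As an added example (not the poster's FSHook.c and not Rising's code), here is the defender's counterpart to the dispatch-hook technique described above: a user-mode C model of the check rootkit scanners apply, flagging every MajorFunction entry whose dispatch pointer lies outside both the owning driver's image and the kernel image. The struct layouts, image ranges, addresses and function names are constructed for the example; IRP_MJ_MAXIMUM_FUNCTION is the real ntddk.h value.

```c
#include <stdint.h>
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b         /* real value from ntddk.h: 28 entries */
#define IRP_MJ_COUNT (IRP_MJ_MAXIMUM_FUNCTION + 1)
typedef struct { uintptr_t base, size; } image_range;   /* one loaded kernel image */

/* Constructed model of the fields the check needs: the owning driver's image
 * range (DriverStart/DriverSize) and its MajorFunction dispatch table. */
typedef struct {
    image_range image;
    uintptr_t major_function[IRP_MJ_COUNT];
} model_driver_object;

static int in_range(uintptr_t p, image_range r) { return p >= r.base && p < r.base + r.size; }

/* Bitmask of IRP_MJ_* indices whose dispatch pointer lies neither in the owning
 * driver's image nor in the kernel image. Unused entries legitimately point at
 * ntoskrnl's IopInvalidDeviceRequest, so the kernel range must be allowed. */
uint32_t find_hooked_dispatch(const model_driver_object *drv, image_range kernel) {
    uint32_t hooked = 0;
    for (int mj = 0; mj < IRP_MJ_COUNT; mj++) {
        uintptr_t p = drv->major_function[mj];
        if (!in_range(p, drv->image) && !in_range(p, kernel))
            hooked |= 1u << mj;
    }
    return hooked;
}

/* Constructed sample: kernel image at 0x80400000, a disk driver at 0xF8A00000. */
static const image_range sample_kernel = { 0x80400000u, 0x00200000u };

model_driver_object build_sample(int hooked) {
    model_driver_object d = { { 0xF8A00000u, 0x00010000u }, { 0 } };
    for (int mj = 0; mj < IRP_MJ_COUNT; mj++)
        d.major_function[mj] = 0x80412340u;      /* IopInvalidDeviceRequest stand-in */
    d.major_function[0x00] = 0xF8A01000u;        /* IRP_MJ_CREATE          */
    d.major_function[0x03] = 0xF8A01200u;        /* IRP_MJ_READ            */
    d.major_function[0x04] = 0xF8A01400u;        /* IRP_MJ_WRITE           */
    d.major_function[0x0E] = 0xF8A01600u;        /* IRP_MJ_DEVICE_CONTROL  */
    if (hooked) {                                /* CREATE and WRITE redirected to a third module */
        d.major_function[0x00] = 0xF9C00100u;
        d.major_function[0x04] = 0xF9C00180u;
    }
    return d;
}

uint32_t sample_mask(int hooked) {               /* runs the check on a sample; 0x11 when hooked */
    model_driver_object d = build_sample(hooked);
    return find_hooked_dispatch(&d, sample_kernel);
}
```

In a real scanner the image ranges come from the loaded-module list and the check is repeated per driver object on each device stack, which is what makes a redirected IRP_MJ_CREATE or IRP_MJ_WRITE entry stand out even when DeviceTree shows no attached filter.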