How do Windows antivirus programs hook into the file access process?
The subject says it all. A normal antivirus has to intercept all file accesses, scan the files and then optionally deny access to the file (possibly even displaying a prompt to the user). How can this be done?
I'm aware of a method called API hooking, but that's a really dirty undocumented hack - and as such isn't really reliable. What's the "official" way of doing this?
Alternatively, I would be interested in intercepting the loading of executable modules (.DLL, .EXE, etc.), not just arbitrary file reads.
Comments (6)
In recent versions of Windows (at least XP onwards) there is the concept of 'filters', which can be viewed using MS Filter Manager (fltmc.exe from a command prompt).
This provides a low-level I/O hook that AV programs can access and automatically register to be passed all I/O requests to the file system. It is a kit you can get the drivers for and develop your own filters for.
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx is a starting place to get in depth info.
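Since the answer points at fltmc.exe as the way to see which filters are loaded, here is an added PowerShell example (written for this page, not code from the answer or from Microsoft) that parses the output of `fltmc filters` and `fltmc instances`, maps each filter's altitude to its Microsoft load-order group, and reports which volumes an anti-virus minifilter is actually attached to. It assumes an elevated prompt and the usual column layout of fltmc's output (a header row, a dashed row, then one row per filter or instance); the altitude table is a subset of the ranges Microsoft publishes for minifilter load-order groups and should be checked against the current WDK documentation.

```powershell
# Added example, not part of the original answer: enumerate the minifilters
# registered with Filter Manager via fltmc.exe, map each altitude to its
# Microsoft load-order group, and show which volumes an anti-virus filter is
# actually attached to. Assumes an elevated prompt and the usual column layout
# of "fltmc filters" / "fltmc instances" (header row, dashed row, data rows).

function Get-MinifilterGroup {
    param([double]$Altitude)
    # Subset of the altitude ranges Microsoft assigns to minifilter load-order
    # groups (verify against the current WDK documentation for the full table).
    if ($Altitude -ge 400000 -and $Altitude -le 409999) { return 'FSFilter Top' }
    if ($Altitude -ge 360000 -and $Altitude -le 389999) { return 'FSFilter Activity Monitor' }
    if ($Altitude -ge 320000 -and $Altitude -le 329999) { return 'FSFilter Anti-Virus' }
    if ($Altitude -ge 260000 -and $Altitude -le 269999) { return 'FSFilter Content Screener' }
    if ($Altitude -ge 140000 -and $Altitude -le 149999) { return 'FSFilter Encryption' }
    if ($Altitude -ge  40000 -and $Altitude -le  49999) { return 'FSFilter Bottom' }
    return 'Other'
}

function Invoke-Fltmc {
    param([string]$Verb)
    $out = & fltmc.exe $Verb 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fltmc $Verb failed (exit $LASTEXITCODE); run from an elevated prompt. Output: $out"
    }
    return $out | ForEach-Object { [string]$_ }
}

function Get-Minifilter {
    foreach ($line in Invoke-Fltmc 'filters') {
        # Data rows: <name> <num instances> <altitude> <frame>; the header and
        # dashed rows do not match because their second field is not numeric.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $Matches[3]
                Group     = Get-MinifilterGroup -Altitude ([double]$Matches[3])
                Frame     = $Matches[4]
            }
        }
    }
}

function Get-MinifilterInstance {
    foreach ($line in Invoke-Fltmc 'instances') {
        # Data rows start with <filter> <volume> <altitude>; rows whose volume
        # column is blank are skipped by this simple pattern.
        if ($line -match '^(\S+)\s+(\S+)\s+(\d+(?:\.\d+)?)\s+') {
            [pscustomobject]@{
                Filter   = $Matches[1]
                Volume   = $Matches[2]
                Altitude = $Matches[3]
            }
        }
    }
}

# Report: every filter with its group, highest altitude first (the order in
# which requests reach them), then the volume coverage of each filter whose
# altitude sits in the Anti-Virus range.
$filters = Get-Minifilter
$filters | Sort-Object { [double]$_.Altitude } -Descending | Format-Table -AutoSize

$instances = Get-MinifilterInstance
foreach ($av in $filters | Where-Object Group -eq 'FSFilter Anti-Virus') {
    $volumes = ($instances | Where-Object Filter -eq $av.Filter).Volume
    '{0}: attached to {1} volume(s): {2}' -f $av.Filter, @($volumes).Count, ($volumes -join ', ')
}
```

Run it from an elevated PowerShell prompt. An AV filter that shows zero instances, or is missing from a volume you expect it to cover, is a configuration problem worth chasing before trusting the "realtime" protection on that volume.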
As you already noted, hooking is key to what off-the-shelf AV software with "realtime" protection does.
You could have a look at the (widely discussed) winpooch, which already does API hooking,
but there are some major flaws in this software. Sourceforge of Winpooch
There is also an article on CodeProject on API hooking, providing a library
to do hooking "in three layers". DLL injection is somewhat hard, as you can
imagine. CodeProject: EasyHook, reinvention of API Hooking
As you are probably interested in antivirus strategies, I also suggest having
a look at ClamAV, or WinClam, which is open source (under the GPL). ClamAV for Windows
But I do not have a clue how to do API hooking with C#, I have to admit.
In C / C++ this is (quite) easy...
ADD ON
You may be interested in the sources of FileMon, a widely known file system monitor that was once by SysInternals and now by Microsoft:
It uses the Driver-Filter API by Microsoft, which is at least known as fragile.
Link may be found here in the Sysinternals forum
Through File System Filter Drivers. However, implementing such drivers is quite complicated and "fragile".
File access is monitored using a filesystem filter driver, which works in kernel mode. Filter drivers can not just be notified about filesystem operations, but also alter the data passed via the filter or deny filesystem requests.
You can create a minifilter yourself, yet maintenance and support of your kernel-mode code can be non-trivial, especially without kernel-mode development experience. One of the problems is conflicts between various filters.
Our company offers the CallbackFilter product, which provides a ready-to-use driver and lets you write the business logic related to filtering in user mode.
You can read about the Detours library from Microsoft and try it for free - it allows you to write user-mode hooks in C#. No need for you to learn about drivers :]
However - for kernel-mode hooks - you will need to know C and play around with the DDK - at least AFAIK :[
And most modern anti-virus software intercepts quite a few calls - registry APIs, thread and process APIs, etc. - not just the file system API. Again - AFAIK.
edit: There are also a few open source rootkits - Google them and see how they perform their hooking; it will be educational, I guess.
In general, these products intercept functions that get a HANDLE to a process, like OpenProcess or NtOpenProcess. They also hook the CreateRemoteThread functions and memory allocation in a remote process: VirtualAlloc and VirtualProtect.
Some AVs also hook the SetWindowsHookEx function to detect global hooks, to avoid key loggers.
By hooking these APIs they can control which modules (or DLLs) can access remote processes and allow only those where the user knows what they are doing.
You can use HookShark to see which user-mode functions are intercepted by each AV product.
To make your own user hooks you can use the Detours library, but you have to develop an agent to run your in-process hooks and then communicate with an agent server.
You can also use Deviare API Hook, which is a framework that does all the complex stuff so you can code your hooks in your own process using any programming language.
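The answer above (and the earlier one on Detours) describes user-mode hooks placed on APIs such as OpenProcess, CreateRemoteThread, VirtualAlloc and VirtualProtect, and suggests HookShark to see which functions are intercepted. The following added PowerShell example (written for this page; it is not HookShark, Detours or any product's code) shows the underlying check from the auditing side: it reads the first bytes of a handful of ntdll.dll exports in the current process and flags any whose prologue no longer looks like the unmodified x64 system-call stub. It assumes 64-bit Windows with 64-bit PowerShell, that clean Nt* stubs begin with `mov r10, rcx; mov eax, <syscall number>` (bytes 4C 8B D1 B8), and that the list of functions is only illustrative (the native counterparts of the APIs the answer names).

```powershell
# Added example, not part of the original answer: audit the first bytes of a
# set of ntdll.dll exports in the current process and flag any whose prologue
# no longer looks like the canonical x64 system-call stub. Assumptions: 64-bit
# Windows with 64-bit PowerShell, and that unmodified Nt* stubs begin with
# "mov r10, rcx; mov eax, <syscall number>" (4C 8B D1 B8). The function list
# mirrors the APIs the answer names and is illustrative only.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
"@

function Get-ExportPrologue {
    param([string]$Module, [string]$Function, [int]$Count = 8)
    $hMod = [Win32.Native]::GetModuleHandle($Module)
    if ($hMod -eq [IntPtr]::Zero) { throw "$Module is not loaded in this process" }
    $addr = [Win32.Native]::GetProcAddress($hMod, $Function)
    if ($addr -eq [IntPtr]::Zero) { throw "$Function is not exported by $Module" }
    $bytes = New-Object byte[] $Count
    # The export's code is readable memory in our own process, so the first
    # $Count bytes can be copied out without touching page protection.
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, $Count)
    return [pscustomobject]@{ Address = $addr; Bytes = $bytes }
}

function Test-SyscallStubIntact {
    param([byte[]]$Bytes)
    # Unmodified x64 Nt* stub: 4C 8B D1 (mov r10, rcx) then B8 (mov eax, imm32).
    # An inline hook typically replaces this with a jmp (E9 .. or FF 25 ..) or a
    # "mov rax, imm64; jmp rax" sequence (48 B8 .. FF E0), so the check fails.
    return [bool]($Bytes[0] -eq 0x4C -and $Bytes[1] -eq 0x8B -and $Bytes[2] -eq 0xD1 -and $Bytes[3] -eq 0xB8)
}

function Get-HookReport {
    param([string[]]$Functions)
    if (-not [Environment]::Is64BitProcess) {
        throw 'run this from 64-bit PowerShell; 32-bit stubs use a different prologue'
    }
    foreach ($fn in $Functions) {
        $p = Get-ExportPrologue -Module 'ntdll.dll' -Function $fn
        [pscustomobject]@{
            Function = $fn
            Address  = ('0x{0:X}' -f $p.Address.ToInt64())
            Prologue = (($p.Bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
            Intact   = Test-SyscallStubIntact -Bytes $p.Bytes
        }
    }
}

# Native counterparts of the Win32 APIs the answer mentions (OpenProcess,
# CreateRemoteThread, VirtualAlloc, VirtualProtect) plus file creation.
$watched = 'NtOpenProcess', 'NtCreateThreadEx', 'NtAllocateVirtualMemory',
           'NtProtectVirtualMemory', 'NtWriteVirtualMemory', 'NtCreateFile'

Get-HookReport -Functions $watched | Format-Table -AutoSize
```

A row with `Intact = False` only tells you that something rewrote the stub in this process; an AV or EDR agent injected into every process and a rootkit look identical at this level. To tell them apart, resolve the jump target in the `Prologue` bytes and check which loaded module owns it, and compare the report with one taken on a known-clean machine of the same Windows build.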