实时监控技术
大多数已知的防病毒软件都具有实时监控功能,这意味着它可以在文件被访问或执行之前对其进行扫描。如何实施这样的技术? .NET 中有一个叫做 filewatcher
的东西,我不知道这是否与 AntiVirus 中使用的想法相同。
Most known AntiVirus software has a real-time monitoring feature, which means it can scan files before been accessed or executed. How a technique like this can be implemented? There is something in .NET called filewatcher
I don't know if this is the same idea of what is used in AntiVirus.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
通常,防病毒软件会安装一个附加到 Windows 内核中的文件系统驱动程序的过滤驱动程序。因此,针对文件系统驱动程序的所有请求首先被传递到过滤器,然后过滤器确定是转发还是拒绝该请求。
请注意,在用户模式下挂钩 Windows API 或任何其他 API 通常是不够的,因为恶意软件总是可以绕过挂钩的 API 直接向内核发出调用。
Typically, antivirus software will install a filter driver that attaches to a file-system driver in the Windows kernel. All requests towards the file-system driver are thus first delivered to the filter, which then determines whether to forward or deny the request.
Note that hooking Windows API or any other API in user-mode is generally not sufficient, as malicious software can always issue calls to the kernel directly, bypassing the hooked API.
挂钩 (Win)API 函数是此类任务的通用解决方案,但我认为这只是冰山一角。 wiki 中对此几乎没有说明(
Detection
小节)。因此,您需要了解如何挂钩 API 函数以及一般的 Windows 内部结构。我建议 Windows via C++ 作为解决这个全球问题的良好起点。Hooking a (Win)API functions is a general solution for such tasks but I suppose this is just a tip of the iceberg. There is little note about it in wiki (
Detection
subsection). Thus, you need to learn about how to hook API functions and about Windows internals in general. I would suggest Windows via C++ as a good start point for solving this global problem.