How does a Windows antivirus hook into the file access process?


Question

The subject says it all. A normal antivirus has to intercept all file accesses, scan the files and then optionally deny access to the file (possibly even displaying a prompt to the user). How can this be done?

I'm aware of a method called API hooking, but that's a really dirty undocumented hack, and as such isn't really reliable. What's the "official" way of doing this?

Alternatively, I would be interested in intercepting the loading of executable modules (.DLL, .EXE, etc.), not just arbitrary file reads.

Accepted answer

In the recent versions of Windows (at least XP onwards) there is the concept of 'filters', which can be viewed using the MS Filter Manager (fltmc.exe from a command prompt).

This provides a low level I/O hook that AV programs can access and automatically register to be passed all I/O requests to the file system. It is a kit you can get the drivers for and develop your own filters for.

http://www.microsoft.com/whdc/driver/filterdrv/default.mspx is a starting place to get in depth info.
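The answer points at fltmc.exe as the way to see which filters the Filter Manager has loaded. The following PowerShell is an added example, not part of the original answer, that wraps `fltmc filters` so a defender can check whether an on-access scanner's minifilter is actually present and attached to volumes. It assumes an elevated prompt and English-language `fltmc` output (the column layout "Filter Name / Num Instances / Altitude / Frame"); the function name `Get-LoadedMinifilter` is ours. The altitude test uses Microsoft's published load-order group for anti-virus minifilters (320000 to 329999).

```powershell
# Added example (not from the original answer): enumerate the minifilters the
# Filter Manager currently has loaded and flag those registered in the
# "FSFilter Anti-Virus" altitude group, which is where an on-access scanner's
# minifilter is expected to sit. Requires an elevated prompt: fltmc needs
# administrator rights.

function Get-LoadedMinifilter {
    # Assumption: English "fltmc filters" output. Each data row is
    #   <name> <num instances> <altitude> <frame>
    # separated by whitespace; the header and "-----" separator rows do not
    # match the pattern and are skipped. Legacy filters, which print
    # "<Legacy>" in the frame column, still match because frame is \S+.
    $raw = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fltmc failed (run from an elevated prompt): $raw"
    }

    foreach ($line in $raw) {
        if ("$line" -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            $altitude = [double]$Matches[3]
            [pscustomobject]@{
                Name           = $Matches[1]
                Instances      = [int]$Matches[2]      # volumes the filter is attached to
                Altitude       = $altitude              # lower altitude = closer to the file system
                Frame          = $Matches[4]
                # Microsoft load-order group "FSFilter Anti-Virus": 320000-329999
                AntiVirusGroup = ($altitude -ge 320000 -and $altitude -le 329999)
            }
        }
    }
}

# Usage: show the filter stack top-down (highest altitude first), the order
# in which a file I/O request passes through the filters on its way down.
$filters = Get-LoadedMinifilter | Sort-Object Altitude -Descending
$filters | Format-Table Name, Instances, Altitude, Frame, AntiVirusGroup -AutoSize

# A scanner whose minifilter is loaded but attached to zero volumes is not
# seeing any file I/O at all, so that is worth surfacing explicitly.
$filters | Where-Object { $_.AntiVirusGroup -and $_.Instances -eq 0 } |
    ForEach-Object { Write-Warning "AV minifilter $($_.Name) is loaded but attached to no volume" }

if (-not ($filters | Where-Object AntiVirusGroup)) {
    Write-Warning "No minifilter in the FSFilter Anti-Virus altitude range is loaded"
}
```

`fltmc instances` (or `fltmc instances -f <FilterName>`) shows the per-volume attachments behind the instance count, which is the next thing to check when a scanner reports as loaded but a particular drive is unprotected.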
