你如何制作一个实时处理MD5#扫描仪? [英] How do you make a real-time proccess MD5# scanner?
问题描述
目前,我正在尝试构建一个扫描所有正在运行的进程的程序,获取该进程的MD5#,并将其与具有MD5哈希列表的.txt文件进行比较。如果MD5#匹配,那么我将使用MessageBox进行操作。
麻烦的是,我不知道如何完成这项任务。这是我发现的一些代码,但没有函数读取其中包含MD5哈希值的.txt文件,然后将哈希值与正在运行的进程进行比较。
Currently, I'm trying to build a program which scans all running processes, gets the MD5# of that process, and compares it to a .txt file which has a list of MD5 hashes. If the MD5# matches, then I will do an action with a MessageBox.
The trouble is, I'm not sure how to do this task. Here is some code I've found, but there is no function which reads the .txt file which has the MD5 hashes in it, then compares the hash to a running process.
Option Strict On
Option Explicit On
Public Class Form1
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim procs() As System.Diagnostics.Process = System.Diagnostics.Process.GetProcesses
Dim f As String
For Each proc As System.Diagnostics.Process In procs
f = GetProcessFileName(proc)
If f.Length > 0 Then
ListBox1.Items.Add(f)
ListBox1.Items.Add("MD5: " & GetMD5String(f))
ListBox1.Items.Add(String.Empty)
End If
Next
End Sub
Private Function GetProcessFileName(proc As System.Diagnostics.Process) As String
Dim strRet As String = String.Empty
Try
strRet = proc.MainModule.FileName
Catch ex As Exception
' This catch used to ignore "Access is denied" exception.
End Try
Return strRet
End Function
Private Function GetMD5String(ByVal strFilename As String) As String
Dim cMD5 = System.Security.Cryptography.MD5.Create
Dim bytHash As Byte()
Dim sb As New System.Text.StringBuilder
Using cStream As New IO.FileStream(strFilename, IO.FileMode.Open, IO.FileAccess.Read, IO.FileShare.Read)
bytHash = cMD5.ComputeHash(cStream)
End Using
For Each b In bytHash
sb.Append(b.ToString("X2"))
Next
Return sb.ToString
End Function
End Class
那么,你如何完成这项任务?
谢谢!
我尝试了什么:
看了各种项目试图帮助我。
So, how do you complete this task?
Thanks!
What I have tried:
Looked at various projects to try and help me.
推荐答案
看起来你正试图做一个内存vi rus扫描程序通过检查可执行文件的MD5而不会工作,就像你在磁盘上的文件上尝试它时所做的那样。并且出于完全相同的原因,再加上一些。
例如,不仅MD5仍然遇到与您尝试的基于文件的版本相同的问题:我的filesystemwatcher1代码出了什么问题? [ ^ ]但是一个现代应用程序不包含在单个EXE文件中,这是所有进程将给你。它还会加载一个数字 - 通常是相当多的 - 包含大量代码的DLL程序集(或本机DLL文件)。
再次,你会给出一种虚假的安全感。找到一个不希望病毒以这种原始方式工作的项目:它们没有。
THat looks like you are trying to make a "in memory" virus scanner by checking the MD5 of a executable- and that isn't going to work, any more than it did when you tried it on files on disk. And for exactly the same reasons, plus some more.
For example, not only does the MD5 still have the same problems as the file based version you tried: What's wrong with my filesystemwatcher1 code?[^] but a modern app isn't contained in a single EXE file, which is all the Process will give you. It also loads a number - often quite a large number - of DLL assemblies (or native DLL files) which contain the bulk of the code.
So again, you will be giving a false sense of security. Find yourself a project that doesn't expect viruses to work in such a primitive way: they don't.
目前,我正在尝试构建一个扫描所有正在运行的进程的程序,获取该进程的MD5#,并将其与具有MD5哈希列表的.txt文件进行比较。
Currently, I'm trying to build a program which scans all running processes, gets the MD5# of that process, and compares it to a .txt file which has a list of MD5 hashes.
从一开始看起来是一个坏主意。
很可能你的参考MD5永远不会匹配。原因是可执行磁盘文件永远不会与进程相同。
部分加载过程是解决代码中的内部和外部跳转。这些跳转的分辨率取决于进程的加载地址和加载进程使用的外部代码的地址。
另外说,为了运行进程得到相同的MD5,它意味着整个系统有两次都开始完全一样。这包括所有先前进程的完全相同的动态内存分配。
Looks like a bad idea from the beginning.
Chances are that your reference MD5 will never match. The reason is that the executable disk file is never the same as the process.
Part of the loading process is to resolve internal and external jumps in code. The resolution of those jumps depend on loading address of the process and loading addresses of external code the process use.
Said otherwise, to get the same MD5 for a running process, it imply that the whole system have started exactly the same way both times. this include an exact same dynamic memory allocation for all previous processes.
您的文本文件应包含具有完整路径的行和由分隔序列分隔的MD5总和。逐行读取该文件,并将每一行拆分为路径和MD5总和部分。如果文件名匹配(应该与Windows一致)返回一个状态,指示MD5总和是否匹配。到达文件末尾时,返回一个未找到文件的状态。
编写此类代码是任何编程语言的基本任务。可以通过在网络上搜索vb.net逐行读取文本文件之类的内容找到示例: File.ReadAllLines方法(字符串)(System.IO) [ ^ ]
将字符串拆分为组件也是一项基本任务。每种编程语言都提供了以特定字符分割字符串的功能: String.Split方法(Char [])(系统) [ ^ ]
在您的方案中,您还可以使用字典(TKey,TValue)类(System.Collections.Generic) [ ^ ]执行查找。这可以在程序启动时从文本文件创建,也可以在创建相应的序列化文件时使用序列化加载。
Your text file should contain lines with the full path and the MD5 sum separated by a delimiting sequence. Read that file line by line and split each line into the path and MD5 sum part. If a file name matches (should be case insentive with Windows) return a state that indicates if the MD5 sum matches or not. When reaching the end of the file, return a state that the file has not been found.
Writing such code is a basic task in any programming language. Examples can be found by searching the web for something like "vb.net read text file line by line": File.ReadAllLines Method (String) (System.IO)[^]
Splitting a string into components is again a basic task. Each programming language provides functions to split strings at specific characters: String.Split Method (Char[]) (System)[^]
In your scenario you might also use a Dictionary(TKey, TValue) Class (System.Collections.Generic)[^] to perform the lookup. That can be created at program start from the text file or be loaded using serialisation when you have created a corresponding serialised file.
这篇关于你如何制作一个实时处理MD5#扫描仪?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
