#define WANTVXDWRAPS
#include <basedef.h>
#include <vmm.h>
#include <debug.h>
#include <vxdwraps.h>
#include <vwin32.h>
#include <winerror.h>
#include <ifs.h>
#include <ifsmgr.h>
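#define TRUE 1
#define FALSE 0
#define SUB_DIR 0x4 //The 3rd bit of Flags
/* Private DeviceIoControl service codes. DIOC_OPEN and DIOC_CLOSEHANDLE
   (vwin32.h) are dispatched by the same routine, CVXD_W32_DeviceIOControl. */
#define INSTALL_HOOK 1
#define REMOVE_HOOK 2
#define GET_WIN_DIR 3
typedef unsigned short USHORT;
typedef unsigned long ULONG;
#define CVXD_VERSION 0x400
#define CVXD_V86_FUNCTION1 1
#define CVXD_V86_FUNCTION2 2
#define CVXD_PM_FUNCTION1 1
#define CVXD_PM_FUNCTION2 2
#define NUM_FILES 5
typedef DIOCPARAMETERS *LPDIOC;
#pragma VxD_LOCKED_CODE_SEG
#pragma VxD_LOCKED_DATA_SEG
/* Win32 DeviceIoControl entry point and the handlers it dispatches to. */
DWORD _stdcall CVXD_W32_DeviceIOControl(DWORD, DWORD, DWORD, LPDIOC);
DWORD _stdcall CVXD_CleanUp(void);
/* IFS manager API hook: examines OPEN-for-write and DELETE requests. */
int _cdecl OurFileHook(pIFSFunc pfn, int nFunction, int nDrive, int nResources, int Cp, pioreq pir);
int FormNetPath(char *FileNm, pioreq pir);
DWORD _stdcall InstallHook(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms);
DWORD _stdcall RemoveHook(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms);
DWORD _stdcall GetWinDir(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms);
BOOL ComparePath(char OurDir[], char Path[]);
BOOL CompareExt(char Path[]);
/* Previous hook in the IFS chain; OurFileHook forwards every request it does
   not refuse through this pointer. Set by InstallHook. */
ppIFSFileHookFunc ppPrevHook;
DWORD pHandle, bRead;
/* OEM path of the request currently examined by OurFileHook. UniToBCSPath and
   UniToBCS are called with a MAX_PATH limit after a 2-byte "X:" prefix, so
   the buffer must hold MAX_PATH + 2 bytes plus the terminator (the former
   256 bytes were smaller than that limit). */
char FileNm[MAX_PATH + 3];
/* Minimal string routines supplied outside this file (not the C library). */
extern WORD strlen(char *);
extern void strcpy(char *, const char*);
extern void strcat(char *, const char*);
extern WORD strcmp(char *, const char*);
extern DWORD SystemBox(VSEB *Vseb);
/* Per-handle monitoring tables; not written by the current hook code. */
char Monitor[NUM_FILES];
long Handles[NUM_FILES];
char MonitorTheFile=0;
/* Windows and Windows\System directories, copied from the GET_WIN_DIR request. */
char WindowsPathPtr[MAX_PATH], WindowsSysPathPtr[MAX_PATH];
/* Prompt text: FileNm followed by the longest message OurFileHook appends
   ("\nis being accessed for modification! Allow it?", 46 bytes). */
char MsgStr[sizeof FileNm + 64];
char Caption[]="ANTIVIRUS File Modification WARNING", CaptionDele[]="ANTIVIRUS Windows System File Deletion WARNING";
VSEB Vseb;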
/****************************************************************************
CVXD_W32_DeviceIOControl

 Win32 DeviceIoControl entry point of the VxD. dwService selects the request:
 the vwin32.h codes DIOC_OPEN / DIOC_CLOSEHANDLE, or one of the private
 INSTALL_HOOK / REMOVE_HOOK / GET_WIN_DIR services, which receive the
 caller-supplied DIOCPARAMETERS unchanged. Returns 0 on success or the
 DWORD status of the handler that ran.
****************************************************************************/
DWORD _stdcall CVXD_W32_DeviceIOControl(DWORD dwService, DWORD dwDDB,
                                        DWORD hDevice, LPDIOC lpDIOCParms)
{
    switch (dwService) {
    case DIOC_OPEN:
        /* Sent when the VxD is loaded with CreateFile (just after
           SYS_DYNAMIC_INIT). Returning 0 tells WIN32 that this VxD
           supports DEVIOCTL. */
        Out_Debug_String("ANTIVIRUS: WIN32 DEVIOCTL supported here!\n\r");
        return 0;
    case DIOC_CLOSEHANDLE:
        /* Sent when the VxD is unloaded with CloseHandle (just before
           SYS_DYNAMIC_EXIT): dispatch to the cleanup proc. */
        Out_Debug_String("ANTIVIRUS: Closing!\n\r");
        return CVXD_CleanUp();
    case INSTALL_HOOK:
        return InstallHook(dwDDB, hDevice, lpDIOCParms);
    case REMOVE_HOOK:
        return RemoveHook(dwDDB, hDevice, lpDIOCParms);
    case GET_WIN_DIR:
        return GetWinDir(dwDDB, hDevice, lpDIOCParms);
    default:
        /* NOTE(review): unknown service codes are reported as success (0),
           so a caller cannot tell an unsupported request from a handled one. */
        return 0;
    }
}
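/* INSTALL_HOOK service: registers OurFileHook with the IFS manager and keeps
   the previous hook pointer in ppPrevHook. dwDDB, hDevice and lpDIOCParms are
   not used: nothing is read from or written to the caller's buffers.
   Returns NO_ERROR, or ERROR_GEN_FAILURE when no previous-hook pointer came
   back (OurFileHook dereferences ppPrevHook on every request, so a null
   value must not be left behind).
   NOTE(review): a second INSTALL_HOOK while already hooked overwrites
   ppPrevHook; nothing here refuses it. */
DWORD _stdcall InstallHook(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms)
{
    ppIFSFileHookFunc ppHook = IFSMgr_InstallFileSystemApiHook(OurFileHook);

    if (ppHook == NULL) {
        /* presumably the install failed; a null chain pointer would fault in OurFileHook */
        Out_Debug_String("ANTIVIRUS: Hook NOT installed!\n\r");
        return ERROR_GEN_FAILURE;
    }
    ppPrevHook = ppHook;
    Out_Debug_String("ANTIVIRUS: Hook Installed!\n\r");
    return NO_ERROR;
}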
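/* REMOVE_HOOK service: unhooks OurFileHook and stores the result of
   IFSMgr_RemoveFileSystemApiHook as one DWORD in the caller's output buffer.
   The buffer comes from user mode, so its presence and size are checked
   before it is written; ERROR_INVALID_PARAMETER is returned (and the hook
   left in place) when it cannot hold a DWORD. dwDDB and hDevice are unused. */
DWORD _stdcall RemoveHook(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms)
{
    PDWORD pdw;

    if (lpDIOCParms == NULL || lpDIOCParms->lpvOutBuffer == 0 ||
        lpDIOCParms->cbOutBuffer < sizeof(DWORD)) {
        return ERROR_INVALID_PARAMETER;
    }
    pdw = (PDWORD)lpDIOCParms->lpvOutBuffer;
    pdw[0] = IFSMgr_RemoveFileSystemApiHook(OurFileHook);
    /* Report the size written so the Win32 caller's lpBytesReturned is meaningful. */
    if (lpDIOCParms->lpcbBytesReturned != 0) {
        *(PDWORD)lpDIOCParms->lpcbBytesReturned = sizeof(DWORD);
    }
    Out_Debug_String("ANTIVIRUS: Hook removed!\n\r");
    return NO_ERROR;
}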
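/* Copies Src into Dst (capacity Cap bytes), always leaving Dst NUL-terminated.
   Returns TRUE when the whole string fit, FALSE when it was cut short. */
static int CopyPathBounded(char *Dst, unsigned int Cap, const char *Src)
{
    unsigned int i = 0;

    if (Cap == 0) {
        return FALSE;
    }
    while (i + 1 < Cap && Src[i] != '\0') {
        Dst[i] = Src[i];
        i++;
    }
    Dst[i] = '\0';
    return Src[i] == '\0' ? TRUE : FALSE;
}

/* GET_WIN_DIR service: the input buffer carries two user-mode pointers, the
   Windows directory and the Windows\System directory, which are copied into
   WindowsPathPtr / WindowsSysPathPtr for ComparePath. The buffer, the two
   pointers and the string lengths all come from the caller, so they are
   validated: ERROR_INVALID_PARAMETER is returned when the buffer is too
   small, a pointer is null, a string is empty (an empty prefix would make
   ComparePath match every path) or does not fit in MAX_PATH - 1 bytes.
   Nothing is modified on failure. dwDDB and hDevice are unused. */
DWORD _stdcall GetWinDir(DWORD dwDDB, DWORD hDevice, LPDIOC lpDIOCParms)
{
    PDWORD pdw;
    const char *WinDir, *WinSysDir;
    char WinDirTmp[MAX_PATH], WinSysDirTmp[MAX_PATH];

    if (lpDIOCParms == NULL || lpDIOCParms->lpvInBuffer == 0 ||
        lpDIOCParms->cbInBuffer < 2 * sizeof(DWORD)) {
        return ERROR_INVALID_PARAMETER;
    }
    pdw = (PDWORD)lpDIOCParms->lpvInBuffer;
    WinDir = (const char *)pdw[0];
    WinSysDir = (const char *)pdw[1];
    if (WinDir == NULL || WinSysDir == NULL) {
        return ERROR_INVALID_PARAMETER;
    }
    /* Copy into temporaries first so a rejected request leaves the globals intact. */
    if (!CopyPathBounded(WinDirTmp, sizeof WinDirTmp, WinDir) || WinDirTmp[0] == '\0' ||
        !CopyPathBounded(WinSysDirTmp, sizeof WinSysDirTmp, WinSysDir) || WinSysDirTmp[0] == '\0') {
        return ERROR_INVALID_PARAMETER;
    }
    strcpy(WindowsPathPtr, WinDirTmp);
    strcpy(WindowsSysPathPtr, WinSysDirTmp);
    Out_Debug_String("ANTIVIRUS: Windows Directory paths copied!\n\r");
    return NO_ERROR;
}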
#pragma VxD_LOCKED_CODE_SEG
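/* Appends Src to the NUL-terminated Dst of capacity Cap, never writing past
   Dst[Cap - 1] and always leaving Dst terminated (Src is truncated if needed). */
static void AppendMsgBounded(char *Dst, unsigned int Cap, const char *Src)
{
    unsigned int i = 0;

    if (Cap == 0) {
        return;
    }
    while (i < Cap - 1 && Dst[i] != '\0') {
        i++;
    }
    while (i < Cap - 1 && *Src != '\0') {
        Dst[i++] = *Src++;
    }
    Dst[i] = '\0';
}

/* Builds the OEM path of the request in the global FileNm and returns its
   length in bytes (0 when no path could be formed). Local drives get an "X:"
   prefix (drive 1..26 -> 'A'..'Z'); a masked nDrive of 0xFF marks a network
   request whose UNC path FormNetPath converts. */
static int BuildRequestPath(int nDrive, pioreq pir)
{
    int iLen;

    if ((nDrive & 0xFF) != 0xFF) {
        FileNm[0] = (char)(nDrive + '@');
        FileNm[1] = ':';
        /* Limit the conversion to the room left after the prefix (one byte
           kept for the terminator) rather than the unrelated MAX_PATH. */
        iLen = UniToBCSPath(&FileNm[2], pir->ir_ppath->pp_elements,
                            sizeof FileNm - 3, BCS_OEM);
        iLen = (iLen < 0) ? 0 : iLen + 2;   /* a negative result is treated as "no path" */
    } else {
        iLen = FormNetPath(FileNm, pir);
        if (iLen < 0) {
            iLen = 0;
        }
    }
    FileNm[sizeof FileNm - 1] = '\0';   /* safety net; harmless if already terminated */
    return iLen;
}

/* TRUE when Ext (a ".XXX" suffix of FileNm) names a file type whose
   modification inside the Windows directory must be confirmed by the user. */
static int IsGuardedExt(char *Ext)
{
    static char *GuardedExts[] = {
        ".EXE", ".386", ".DOC", ".SCR", ".CPL", ".DRV", ".DLL", ".OCX", ".VXD", ".SYS"
    };
    int i;

    for (i = 0; i < (int)(sizeof GuardedExts / sizeof GuardedExts[0]); i++) {
        if (strcmp(Ext, GuardedExts[i]) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}

/* Shows the Yes/No/Help system box with pszCaption and "<FileNm>\n<pszMsg>".
   Returns TRUE when Yes (button value 1) was pressed. The text is built in
   the shared MsgStr with bounded appends, so an over-long path is truncated
   in the prompt instead of overrunning the buffer. */
static int ConfirmWithUser(char *pszCaption, const char *pszMsg)
{
    MsgStr[0] = '\0';
    AppendMsgBounded(MsgStr, sizeof MsgStr, FileNm);
    AppendMsgBounded(MsgStr, sizeof MsgStr, pszMsg);
    Vseb.vseb_b1 = 3;   /* Yes button */
    Vseb.vseb_b2 = 4;   /* No button */
    Vseb.vseb_b3 = 9;   /* Help button */
    Vseb.vseb_pszCaption = pszCaption;
    Vseb.vseb_pszText = MsgStr;
    return SystemBox(&Vseb) == 1 ? TRUE : FALSE;
}

/* IFS API hook. Two requests are examined, everything else is forwarded to
   the previous hook unchanged:
   - IFSFN_OPEN with a write access mode on a guarded file type under
     WindowsPathPtr (".DAT" files, e.g. the registry, are skipped);
   - IFSFN_DELETE of anything under WindowsSysPathPtr.
   In both cases the user is asked; "No" fails the request with
   ERROR_ACCESS_DENIED (also stored in pir->ir_error) without calling the
   chain. Only these two operations are checked: renames, attribute changes
   and writes through handles opened before the hook was installed are not.
   NOTE(review): FileNm, MsgStr and Vseb are shared globals and SystemBox
   blocks on user input; whether another file request can re-enter this hook
   meanwhile and overwrite them is not visible here - confirm. */
int _cdecl OurFileHook(pIFSFunc pfn, int nFunction, int nDrive, int nResources, int Cp, pioreq pir)
{
    int iLen;

    switch (nFunction) {
    case IFSFN_OPEN:
        /* Left over from the removed per-handle tracking: the flag is set
           unconditionally, so every write-mode open is examined. */
        MonitorTheFile = 1;
        if (((pir->ir_flags & ACCESS_MODE_MASK) == ACCESS_READWRITE ||
             (pir->ir_flags & ACCESS_MODE_MASK) == ACCESS_WRITEONLY) && MonitorTheFile) {
            iLen = BuildRequestPath(nDrive, pir);
            if (iLen < 4) {
                break;                  /* too short for a ".XXX" suffix: do the normal work */
            }
            if (CompareExt(FileNm) == TRUE) {
                break;                  /* registry (.DAT) files are not guarded here */
            }
            if (ComparePath(WindowsPathPtr, FileNm) == FALSE) {
                break;                  /* outside the Windows directory */
            }
            if (IsGuardedExt(&FileNm[iLen - 4])) {
                if (ConfirmWithUser(Caption, "\nis being accessed for modification! Allow it?")) {
                    break;              /* Yes: do the normal work */
                }
                pir->ir_error = ERROR_ACCESS_DENIED;   /* No: the protected path stays untouched */
                return ERROR_ACCESS_DENIED;
            }
        }
        break;
    case IFSFN_DELETE:
        (void)BuildRequestPath(nDrive, pir);
        if (ComparePath(WindowsSysPathPtr, FileNm) == TRUE) {
            if (ConfirmWithUser(CaptionDele, "\nis being deleted! Allow it?")) {
                break;                  /* Yes: do the normal work */
            }
            pir->ir_error = ERROR_ACCESS_DENIED;
            return ERROR_ACCESS_DENIED;
        }
        break;
    default:
        break;
    }
    /* Everything not refused above goes down the hook chain. */
    return (*(*ppPrevHook))(pfn, nFunction, nDrive, nResources, Cp, pir);
}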
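/* Upper-cases ASCII letters only; every other byte is compared as-is. */
static int UpperAscii(int c)
{
    return (c >= 'a' && c <= 'z') ? c - ('a' - 'A') : c;
}

/* TRUE when Path starts with OurDir, compared case-insensitively for ASCII
   letters. This is a plain string-prefix test: no separator is required
   after OurDir, so "C:\WINDOWSX\..." also matches "C:\WINDOWS", and an
   empty OurDir matches every path. The scan stops at the end of either
   string, so a Path shorter than OurDir is never read past its terminator
   (the former 0xDF mask let a space in OurDir match Path's NUL and walk on).
   NOTE(review): OurDir arrives from user mode while Path is converted with
   BCS_OEM; bytes above 0x7F may not agree between the two - confirm. */
BOOL ComparePath(char OurDir[], char Path[])
{
    int i;

    for (i = 0; OurDir[i] != '\0'; i++) {
        if (Path[i] == '\0' ||
            UpperAscii((unsigned char)Path[i]) != UpperAscii((unsigned char)OurDir[i])) {
            return FALSE;
        }
    }
    return TRUE;
}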
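/* TRUE when Path ends in ".DAT" (the caller leaves such files, e.g. the
   registry, unguarded). Paths shorter than four bytes return FALSE instead
   of indexing before the start of the buffer. */
BOOL CompareExt(char Path[])
{
    int Len = strlen(Path);

    if (Len < 4) {
        return FALSE;
    }
    return strcmp(&Path[Len - 4], ".DAT") == 0 ? TRUE : FALSE;
}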
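/* Converts the UNC path of a network request (pir->ir_aux3.aux_ptr, a
   NUL-terminated 16-bit Unicode string) to OEM characters in FileNm and
   returns the length reported by UniToBCS. The conversion is bounded by
   MAX_PATH, so FileNm must provide at least that much room. A null source
   yields an empty name and 0 instead of faulting. The FileNm parameter
   shadows the global of the same name, which is what OurFileHook passes. */
int FormNetPath(char *FileNm, pioreq pir)
{
    const unsigned short *UniPath = (const unsigned short *)pir->ir_aux3.aux_ptr;
    const unsigned short *pEnd;
    int iSizeOfUniPath;

    if (UniPath == NULL) {
        FileNm[0] = '\0';
        return 0;
    }
    /* Length of the source in bytes, terminator excluded: count the 16-bit
       units up to the NUL and double the count. */
    for (pEnd = UniPath; *pEnd != 0; pEnd++) {
    }
    iSizeOfUniPath = (int)(pEnd - UniPath) * 2;
    return UniToBCS(FileNm, pir->ir_aux3.aux_ptr, iSizeOfUniPath, MAX_PATH, BCS_OEM);
}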
/* Likely the SYS_DYNAMIC_EXIT handler (dispatched outside this file); it
   only logs and reports success. */
DWORD _stdcall CVXD_Dynamic_Exit(void)
{
    DWORD dwStatus = VXD_SUCCESS;

    Out_Debug_String("ANTIVIRUS: Dynamic Exit\n\r");
    return dwStatus;
}
/* Invoked from CVXD_W32_DeviceIOControl on DIOC_CLOSEHANDLE. Nothing is
   released here; it only logs and reports success. */
DWORD _stdcall CVXD_CleanUp(void)
{
    DWORD dwStatus = VXD_SUCCESS;

    Out_Debug_String("ANTIVIRUS: Cleaning Up\n\r");
    return dwStatus;
}
#pragma VxD_ICODE_SEG
#pragma VxD_IDATA_SEG
/* Likely the SYS_DYNAMIC_INIT handler (dispatched outside this file); it
   only logs and reports success. Placed in the init segments by the
   pragmas above, so it must not be called after initialisation. */
DWORD _stdcall CVXD_Dynamic_Init(void)
{
    DWORD dwStatus = VXD_SUCCESS;

    Out_Debug_String("ANTIVIRUS: Dynamic Init\n\r");
    return dwStatus;
}