📄 scanner.c
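/* Tail of a configuration-file reader (presumably the ClamWin one, given the
   "clamscan"/"database" keys). Its opening lines precede this listing, so the
   statements below are reproduced as found, only re-broken into lines. */

        while( _istspace(szLine[iNameLast]) ) iNameLast-- ;

        // skip spaces
        i++ ;
        while( _istspace(szLine[i]) ) i++ ;
        iValueFirst = i ;
        while( szLine[i] && szLine[i]!=TEXT('\n') && szLine[i]!=TEXT('\r') ) i++ ;
        iValueLast = i-1 ;

        // remove ending spaces
        while( _istspace(szLine[iValueLast]) ) iValueLast-- ;

        szName = szLine + iNameFirst ;
        szLine[iNameLast+1] = 0 ;

        szValue = szLine + iValueFirst ;
        szLine[iValueLast+1] = 0 ;

        //TRACE_INFO (TEXT("(%s) = (%s)\n"), szName, szValue) ;

        if( ! _tcscmp(TEXT("clamscan"),szName) )
        {
            _tcslcpy (pConf->szScanner, szValue, MAX_PATH) ;
            TRACE_INFO ("Scanner = %s\n", pConf->szScanner) ;
        }

        if( ! _tcscmp(TEXT("database"),szName) )
        {
            _tcslcpy (pConf->szDatabase, szValue, MAX_PATH) ;
            TRACE_INFO ("Database = %s\n", pConf->szDatabase) ;
        }
    }

    fclose (fp) ;

    // if path is relative, make it absolute
    if( PathIsRelative(pConf->szScanner) )
    {
        TCHAR szTemp[MAX_PATH] ;

        _tcscpy (szTemp, pConf->szScanner) ;
        _tcscpy (pConf->szScanner, szConfFile) ;
        PathRemoveFileSpec (pConf->szScanner) ;
        PathAppend (pConf->szScanner, szTemp) ;

        TRACE_WARNING (TEXT("Scanner path was relative, this is absolute path : %s\n"), pConf->szScanner) ;
    }

    // if path is relative, make it absolute
    if( PathIsRelative(pConf->szDatabase) )
    {
        TCHAR szTemp[MAX_PATH] ;

        _tcscpy (szTemp, pConf->szDatabase) ;
        _tcscpy (pConf->szDatabase, szConfFile) ;
        PathRemoveFileSpec (pConf->szDatabase) ;
        PathAppend (pConf->szDatabase, szTemp) ;

        TRACE_WARNING (TEXT("Database path was relative, this is absolute path : %s\n"), pConf->szDatabase) ;
    }

    return TRUE ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Runs an external scanner and optionally captures its console output.
 *
 * szCmdLine       Full command line. lpApplicationName is passed as NULL, so
 *                 CreateProcess takes the program from the first token of
 *                 this string: callers must keep the executable path quoted.
 * szDirectory     Working directory for the child, or NULL.
 * pdwExitCode     Receives the child's exit code. It is set to (DWORD)-1 on
 *                 every failure path, so callers never map an uninitialised
 *                 value to a "clean" verdict.
 * szOutput        Optional buffer of nOutputMax TCHARs that receives the
 *                 child's stdout and stderr; NUL-terminated whenever it is
 *                 non-NULL and nOutputMax is non-zero.
 * nPriorityClass  Passed to CreateProcess as the creation flags.
 *
 * Returns TRUE when the child finished within 30 seconds and its exit code
 * was read, FALSE otherwise.
 */
BOOL _Scanner_Run (LPTSTR szCmdLine, LPTSTR szDirectory,
                   DWORD*pdwExitCode,
                   LPTSTR szOutput, UINT nOutputMax,
                   DWORD nPriorityClass)
{
    SECURITY_ATTRIBUTES sa = {0} ;
    STARTUPINFO         si = {0} ;
    PROCESS_INFORMATION pi = {0} ;
    HANDLE  hPipeOutputRead  = NULL ;
    HANDLE  hPipeOutputWrite = NULL ;
    DWORD   dwBytesRead ;
    BOOL    bSuccess ;
    BOOL    bCapture ;
    BOOL    bResult = FALSE ;
    UINT    nOutputPos = 0 ;

    /* fail closed: the callers translate this value into a scan verdict */
    *pdwExitCode = (DWORD)-1 ;

    /* a zero-sized buffer cannot even hold the terminator, and
       nOutputMax-1 would wrap around for it */
    bCapture = szOutput!=NULL && nOutputMax>0 ;
    if( bCapture ) szOutput[0] = 0 ;

    TRACE_INFO (TEXT("CmdLine = %s\n"), szCmdLine) ;

    si.cb          = sizeof(si) ;
    si.dwFlags     = STARTF_USESHOWWINDOW ;
    si.wShowWindow = SW_HIDE ;

    if( bCapture )
    {
        sa.nLength              = sizeof(sa) ;
        sa.bInheritHandle       = TRUE ;
        sa.lpSecurityDescriptor = NULL ;

        if( ! CreatePipe (&hPipeOutputRead, &hPipeOutputWrite, &sa, 0) )
        {
            /* best effort, as before: the scan still runs, without capture */
            TRACE_WARNING (TEXT("CreatePipe failed (error=%d)\n"), GetLastError()) ;
            hPipeOutputRead  = NULL ;
            hPipeOutputWrite = NULL ;
            bCapture         = FALSE ;
        }
        else
        {
            /* only the write end belongs in the child; keep the read end
               private to this process */
            SetHandleInformation (hPipeOutputRead, HANDLE_FLAG_INHERIT, 0) ;

            si.dwFlags   |= STARTF_USESTDHANDLES ;
            si.hStdInput  = GetStdHandle (STD_INPUT_HANDLE) ;
            si.hStdOutput = hPipeOutputWrite ;
            si.hStdError  = hPipeOutputWrite ; //GetStdHandle (STD_ERROR_HANDLE) ;
        }
    }

    /* NOTE(review): bInheritHandles is TRUE, so every inheritable handle of
       this process is passed to the scanner, not only the pipe. */
    if( ! CreateProcess (NULL, szCmdLine, NULL, NULL, TRUE, nPriorityClass,
                         NULL, szDirectory, &si, &pi) )
    {
        TRACE_ERROR (TEXT("Failed to run scanner\n")) ;
        if( hPipeOutputWrite ) CloseHandle (hPipeOutputWrite) ;
        if( hPipeOutputRead )  CloseHandle (hPipeOutputRead) ;
        return FALSE ;
    }

    /* the child owns its copy now; closing ours lets ReadFile see the end
       of the stream once the child exits */
    if( hPipeOutputWrite ) CloseHandle (hPipeOutputWrite) ;

    // wait for process end
    /* NOTE(review): the pipe is drained only after this wait, so a scanner
       that writes more than the pipe can buffer stalls until the timeout.
       The child is not terminated on timeout. */
    if( WaitForSingleObject (pi.hProcess, 30000)!=WAIT_OBJECT_0 )
    {
        TRACE_ERROR (TEXT("Scanner did not finish in time\n")) ;
        goto cleanup ;
    }

    if( ! GetExitCodeProcess (pi.hProcess, pdwExitCode) )
    {
        TRACE_ERROR (TEXT("GetExitCodeProcess failed (error=%d)\n"), GetLastError()) ;
        *pdwExitCode = (DWORD)-1 ;
        goto cleanup ;
    }

    if( bCapture )
    {
        /* one slot is always reserved for the terminator */
        UINT nCapacity = nOutputMax-1 ;
        BOOL bFull     = FALSE ;

        while( !bFull && nOutputPos<nCapacity )
        {
            UINT i ;
            char szBuffer[64] ;

            // try to read pipe
            bSuccess = ReadFile (hPipeOutputRead, szBuffer, 64, &dwBytesRead, NULL) ;

            // failed to read ?
            if( !bSuccess || !dwBytesRead ) break ;

            for( i=0 ; i<dwBytesRead && !bFull ; i++ )
            {
                switch( szBuffer[i] )
                {
                case '\r':
                    break ;

                case '\n':
                    /* a line feed expands to two characters, so it needs two
                       free slots; checking after the write is too late */
                    if( nCapacity-nOutputPos<2 ) { bFull = TRUE ; break ; }
                    szOutput[nOutputPos++] = TEXT('\r') ;
                    szOutput[nOutputPos++] = TEXT('\n') ;
                    break ;

                default:
                    if( nOutputPos>=nCapacity ) { bFull = TRUE ; break ; }
                    /* go through unsigned char so bytes above 0x7F are not
                       sign-extended when TCHAR is wider than char */
                    szOutput[nOutputPos++] = (TCHAR)(unsigned char)szBuffer[i] ;
                }
            }
        }

        szOutput[nOutputPos] = 0 ;
    }

    TRACE_INFO (TEXT("Scan result = %u\n"), *pdwExitCode) ;
    bResult = TRUE ;

cleanup:
    if( hPipeOutputRead ) CloseHandle (hPipeOutputRead) ;
    CloseHandle (pi.hThread) ;
    CloseHandle (pi.hProcess) ;

    return bResult ;
}


/* Size of the command-line buffers below, and the room kept for the fixed
   text of the longest format string (quotes, switches, a 10-digit number). */
enum { SCANNER_CMDLINE_MAX = 1024, SCANNER_CMDLINE_OVERHEAD = 64 } ;

/*
 * Checks the strings that are about to be placed between double quotes on a
 * scanner command line. wsprintf has no destination-size argument, so the
 * total length is verified up front; a value that itself contains a double
 * quote is refused because it would end the quoting early. Unused slots may
 * be NULL. Returns TRUE when the command line can be built safely.
 */
static BOOL _Scanner_CmdLineArgsOk (LPCTSTR szArg1, LPCTSTR szArg2, LPCTSTR szArg3)
{
    LPCTSTR aArgs[3] ;
    int     nTotal = SCANNER_CMDLINE_OVERHEAD ;
    int     i ;

    aArgs[0] = szArg1 ;
    aArgs[1] = szArg2 ;
    aArgs[2] = szArg3 ;

    for( i=0 ; i<3 ; i++ )
    {
        int nLen ;

        if( aArgs[i]==NULL ) continue ;
        if( _tcschr(aArgs[i],TEXT('"'))!=NULL ) return FALSE ;

        nLen = lstrlen (aArgs[i]) ;
        if( nLen>=SCANNER_CMDLINE_MAX ) return FALSE ;
        nTotal += nLen ;
    }

    return nTotal<SCANNER_CMDLINE_MAX ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Scans one file with the configured clamscan executable.
 *
 * Returns SCAN_NO_VIRUS, SCAN_VIRUS or SCAN_FAILED. Anything that prevents
 * an exact command line from being built or run yields SCAN_FAILED.
 */
UINT _Scanner_ClamWin_ScanFile (CLAMWINCONF * pConf, LPCTSTR szFile,
                                LPTSTR szOutput, UINT nOutputMax,
                                DWORD nPriorityClass)
{
    TCHAR szCmdLine[SCANNER_CMDLINE_MAX] ;
    DWORD dwExitCode = (DWORD)-1 ;
    BOOL  bSuccess ;

    /* a truncated command line would name a different file than szFile */
    if( ! _Scanner_CmdLineArgsOk (pConf->szScanner, pConf->szDatabase, szFile) )
    {
        TRACE_ERROR (TEXT("Scanner command line cannot be built safely\n")) ;
        return SCAN_FAILED ;
    }

    wsprintf (szCmdLine, TEXT("\"%s\" -d \"%s\" --max-space=%u \"%s\""),
              pConf->szScanner, pConf->szDatabase, MAX_SPACE/1024, szFile) ;

    bSuccess = _Scanner_Run (szCmdLine, NULL, &dwExitCode, szOutput, nOutputMax, nPriorityClass) ;

    if( ! bSuccess ) return SCAN_FAILED ;

    /* NOTE(review): exit code 54 is accepted as "no virus" alongside 0; its
       meaning is not visible in this file, confirm it against the scanner's
       documentation. */
    if( dwExitCode==0 || dwExitCode==54 ) return SCAN_NO_VIRUS ;
    if( dwExitCode==1 )                   return SCAN_VIRUS ;

    return SCAN_FAILED ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Locates the KavWs scanner from its installation folder stored under
 * HKEY_LOCAL_MACHINE and stores the full path in pConf->szScanner.
 *
 * The path found here is executed later, so the permissions on that registry
 * key and on the folder it names decide what this program will run.
 *
 * Returns TRUE when the executable exists, FALSE otherwise.
 */
BOOL _Scanner_KavWs_Configure (KAVWSCONF * pConf)
{
    HKEY  hkey ;
    LONG  nResult ;
    DWORD dwSize ;
    DWORD dwType ;
    TCHAR szBuffer[MAX_PATH] ;
    BOOL  bFound ;

    nResult = RegOpenKeyEx (HKEY_LOCAL_MACHINE, szKavWsKey, 0, KEY_QUERY_VALUE, &hkey) ;

    if( nResult!=ERROR_SUCCESS )
    {
        TRACE_INFO (TEXT("Registry key for KavWs not found\n")) ;
        return FALSE ;
    }

    /* keep one TCHAR back: registry strings may be stored without a
       terminator, which is added below */
    dwSize = sizeof(szBuffer) - sizeof(TCHAR) ;

    nResult = RegQueryValueEx (hkey, szKavWsFolderValue, NULL, &dwType, (BYTE*)szBuffer, &dwSize) ;

    RegCloseKey (hkey) ;

    if( nResult!=ERROR_SUCCESS )
    {
        TRACE_INFO (TEXT("Failed to read folder value for KavWs\n")) ;
        return FALSE ;
    }

    /* only a string value can be a folder path */
    if( dwType!=REG_SZ && dwType!=REG_EXPAND_SZ )
    {
        TRACE_WARNING (TEXT("Folder value for KavWs is not a string\n")) ;
        return FALSE ;
    }

    szBuffer[dwSize/sizeof(TCHAR)] = 0 ;

    if( PathCombine (pConf->szScanner, szBuffer, szKavWsExe)==NULL )
    {
        TRACE_WARNING (TEXT("KavWs scanner path is too long\n")) ;
        return FALSE ;
    }

    bFound = GetFileAttributes (pConf->szScanner) != 0xFFFFFFFF ;

    if( ! bFound )
        TRACE_WARNING (TEXT("KavWs scanner not found (path=%s)\n"), pConf->szScanner) ;

    return bFound ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Scans one file with KavWs. The scanner writes its report to a temporary
 * file (/w: switch); when that file can be opened its text replaces whatever
 * _Scanner_Run captured in szOutput, limited to nOutputMax TCHARs. The
 * temporary file is deleted before returning.
 *
 * Returns SCAN_NO_VIRUS, SCAN_VIRUS or SCAN_FAILED.
 */
UINT _Scanner_KavWs_ScanFile (KAVWSCONF * pConf, LPCTSTR szFile,
                              LPTSTR szOutput, UINT nOutputMax,
                              DWORD nPriorityClass)
{
    TCHAR szCmdLine[SCANNER_CMDLINE_MAX] ;
    TCHAR szTmpFile[MAX_PATH] ;
    TCHAR szTmpDir[MAX_PATH] ;
    DWORD dwExitCode = (DWORD)-1 ;
    DWORD nTmpDirLen ;
    UINT  nVerdict = SCAN_FAILED ;
    FILE  *fp ;

    nTmpDirLen = GetTempPath (MAX_PATH, szTmpDir) ;
    if( nTmpDirLen==0 || nTmpDirLen>=MAX_PATH )
    {
        TRACE_ERROR (TEXT("GetTempPath failed (error=%d)\n"), GetLastError()) ;
        return SCAN_FAILED ;
    }

    /* with uUnique==0 the file is created here, so szTmpFile names a file
       that exists from this point on and must be removed again */
    if( ! GetTempFileName (szTmpDir, PathFindFileName(szFile), 0, szTmpFile) )
    {
        TRACE_ERROR (TEXT("GetTempFileName failed (error=%d)\n"), GetLastError()) ;
        return SCAN_FAILED ;
    }

    if( ! _Scanner_CmdLineArgsOk (pConf->szScanner, szFile, szTmpFile) )
    {
        TRACE_ERROR (TEXT("Scanner command line cannot be built safely\n")) ;
    }
    else
    {
        wsprintf (szCmdLine, TEXT("\"%s\" scan \"%s\" /w:\"%s\""),
                  pConf->szScanner, szFile, szTmpFile) ;

        if( _Scanner_Run (szCmdLine, NULL, &dwExitCode, szOutput, nOutputMax, nPriorityClass) )
        {
            fp = (szOutput!=NULL && nOutputMax>0) ? _tfopen(szTmpFile, TEXT("rt")) : NULL ;

            if( fp!=NULL )
            {
                TCHAR szLine[128] ;
                UINT  nUsed     = 0 ;
                UINT  nCapacity = nOutputMax-1 ;

                szOutput[0] = 0 ;

                /* bounded append: the report length is not under our control */
                while( nUsed<nCapacity && _fgetts(szLine,128,fp) )
                {
                    UINT nLen = (UINT)_tcslen (szLine) ;

                    if( nLen>nCapacity-nUsed ) nLen = nCapacity-nUsed ;

                    memcpy (szOutput+nUsed, szLine, nLen*sizeof(TCHAR)) ;
                    nUsed += nLen ;
                    szOutput[nUsed] = 0 ;
                }

                fclose (fp) ;
            }

            nVerdict = dwExitCode==0 ? SCAN_NO_VIRUS :
                       dwExitCode==1 ? SCAN_VIRUS    : SCAN_FAILED ;
        }
    }

    DeleteFile (szTmpFile) ;

    return nVerdict ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Locates the BitDefender scanner from its installation folder stored under
 * HKEY_LOCAL_MACHINE. Fills pConf->szFolder and pConf->szScanner.
 *
 * The path found here is executed later, so the permissions on that registry
 * key and on the folder it names decide what this program will run.
 *
 * Returns TRUE when the executable exists, FALSE otherwise.
 */
BOOL _Scanner_BitDef_Configure (BITDEFCONF * pConf)
{
    HKEY  hkey ;
    LONG  nResult ;
    DWORD dwSize ;
    DWORD dwType ;
    BOOL  bFound ;

    nResult = RegOpenKeyEx (HKEY_LOCAL_MACHINE, szBitDefKey, 0, KEY_QUERY_VALUE, &hkey) ;

    if( nResult!=ERROR_SUCCESS )
    {
        TRACE_INFO (TEXT("Registry key for BitDefender not found\n")) ;
        return FALSE ;
    }

    /* assumes szFolder holds MAX_PATH TCHARs, as the original size did
       (TODO confirm against BITDEFCONF); one TCHAR is kept back for the
       terminator that the registry does not guarantee */
    dwSize = sizeof(TCHAR)*(MAX_PATH-1) ;

    nResult = RegQueryValueEx (hkey, szBitDefFolderValue, NULL, &dwType, (BYTE*)pConf->szFolder, &dwSize) ;

    RegCloseKey (hkey) ;

    if( nResult!=ERROR_SUCCESS )
    {
        TRACE_INFO (TEXT("Failed to read folder value for BitDefender\n")) ;
        return FALSE ;
    }

    /* only a string value can be a folder path */
    if( dwType!=REG_SZ && dwType!=REG_EXPAND_SZ )
    {
        TRACE_WARNING (TEXT("Folder value for BitDefender is not a string\n")) ;
        return FALSE ;
    }

    pConf->szFolder[dwSize/sizeof(TCHAR)] = 0 ;

    if( PathCombine (pConf->szScanner, pConf->szFolder, szBitDefExe)==NULL )
    {
        TRACE_WARNING (TEXT("BitDefender scanner path is too long\n")) ;
        return FALSE ;
    }

    bFound = GetFileAttributes (pConf->szScanner) != 0xFFFFFFFF ;

    if( ! bFound )
        TRACE_WARNING (TEXT("BitDefender scanner not found (path=%s)\n"), pConf->szScanner) ;

    return bFound ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Scans one file with BitDefender, run from its installation folder.
 *
 * Returns SCAN_NO_VIRUS, SCAN_VIRUS or SCAN_FAILED.
 */
UINT _Scanner_BitDef_ScanFile (BITDEFCONF * pConf, LPCTSTR szFile,
                               LPTSTR szOutput, UINT nOutputMax,
                               DWORD nPriorityClass)
{
    TCHAR szCmdLine[SCANNER_CMDLINE_MAX] ;
    DWORD dwExitCode = (DWORD)-1 ;
    BOOL  bSuccess ;

    /* a truncated command line would name a different file than szFile */
    if( ! _Scanner_CmdLineArgsOk (pConf->szScanner, szFile, NULL) )
    {
        TRACE_ERROR (TEXT("Scanner command line cannot be built safely\n")) ;
        return SCAN_FAILED ;
    }

    wsprintf (szCmdLine, TEXT("\"%s\" \"%s\" /files"), pConf->szScanner, szFile) ;

    bSuccess = _Scanner_Run (szCmdLine, pConf->szFolder, &dwExitCode, szOutput, nOutputMax, nPriorityClass) ;

    if( ! bSuccess ) return SCAN_FAILED ;

    if( dwExitCode==0 ) return SCAN_NO_VIRUS ;
    if( dwExitCode==1 ) return SCAN_VIRUS ;

    return SCAN_FAILED ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Prepares the in-process libclamav scanner: loads the signature database,
 * sets the scan options and archive limits, records this module's path as
 * the scanner path and starts FreshClam with a callback that reloads the
 * database.
 *
 * Returns FALSE when the database cannot be loaded, TRUE otherwise.
 */
BOOL _Scanner_LibClamav_Configure (LIBCLAMAVCONF* conf)
{
    TRACE_INFO (TEXT("Libclamav version : %hs\n"), cl_retver()) ;

#if TRACE_LEVEL>=4
    cl_debug() ;
#endif

    conf->engine = NULL ;

    if( ! _Scanner_LibClamav_LoadDatabase (conf) )
        return FALSE ;

    conf->options = CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC ;

    /* limits on recursion depth, file count, compression ratio and file
       size for archive scanning */
    memset (&conf->limits, 0, sizeof(struct cl_limits)) ;
    conf->limits.maxreclevel   = 8 ;
    conf->limits.maxfiles      = 1000 ;
    conf->limits.maxratio      = 200 ;
    conf->limits.archivememlim = 0 ;
    conf->limits.maxfilesize   = (unsigned long int) MAX_SPACE ;

    // scanner path is winpooch path
    GetModuleFileName (NULL, conf->szScanner, MAX_PATH) ;

    FreshClam_Start (_Scanner_LibClamav_DatabaseUpdated, conf) ;

    return TRUE ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Loads the ClamAV databases from the directory that holds this executable,
 * builds a new engine and installs it in conf->engine. A previously
 * installed engine is freed ten seconds after the swap.
 *
 * Returns TRUE on success; on failure conf->engine is left untouched.
 */
BOOL _Scanner_LibClamav_LoadDatabase (LIBCLAMAVCONF* conf)
{
    struct cl_engine * pNewEngine = NULL ;
    struct cl_engine * pOldEngine ;
    int    iResult ;
    UINT   nSignCount = 0 ;
    CHAR   szDbDirectory[MAX_PATH] = {0} ;
    CHAR * pszLastSep ;
    DWORD  nPathLen ;

    /* a return value equal to the size passed in means the path was cut
       short; zero means the call failed */
    nPathLen = GetModuleFileNameA (0, szDbDirectory, sizeof(szDbDirectory)-1) ;
    if( nPathLen==0 || nPathLen>=sizeof(szDbDirectory)-1 )
    {
        TRACE_ERROR (TEXT("Failed to get module path (error=%d)\n"), GetLastError()) ;
        return FALSE ;
    }

    /* strip the file name; strrchr returns NULL when there is no backslash */
    pszLastSep = strrchr (szDbDirectory, '\\') ;
    if( pszLastSep==NULL )
    {
        TRACE_ERROR (TEXT("Module path has no directory part\n")) ;
        return FALSE ;
    }
    *pszLastSep = 0 ;

    TRACE_INFO (TEXT("Database directory : %hs\n"), szDbDirectory) ;

    iResult = cl_load (szDbDirectory, &pNewEngine, &nSignCount, CL_DB_STDOPT) ;
    if( iResult!=0 )
    {
        /* NOTE(review): whether cl_load leaves a partly built engine in
           pNewEngine on failure is not visible here; confirm before adding
           a cl_free on this path. */
        TRACE_ERROR (TEXT("cl_load() failed (%d) %hs\n"), iResult, cl_strerror(iResult)) ;
        return FALSE ;
    }

    iResult = cl_build (pNewEngine) ;
    if( iResult!=0 )
    {
        TRACE_ERROR(TEXT("cl_build() failed (%d) %hs\n"),iResult,cl_strerror(iResult)) ;
        cl_free (pNewEngine) ;
        return FALSE ;
    }

    iResult = cl_retflevel() ;
    TRACE_INFO (TEXT("Libclamav loaded %d ClamAV malware signatures (CVD ver:%d).\n"),
                nSignCount, iResult) ;

    pOldEngine   = conf->engine ;
    conf->engine = pNewEngine ;

    if( pOldEngine )
    {
        /* NOTE(review): the delay is the only thing that keeps a scan which
           is still using the old engine from touching freed memory. A scan
           longer than ten seconds would outlive it, and the pointer swap
           above is unsynchronised. A lock or reference count on the engine
           would remove the race. */
        Sleep (10000) ;
        cl_free (pOldEngine) ;
    }

    return TRUE ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Scans one file in-process with libclamav.
 *
 * wszFile is converted with wcstombs, which presumes a Unicode build and
 * depends on the C locale; a name that cannot be converted completely is
 * reported as SCAN_FAILED rather than scanned under a shortened path.
 * szOutput, when provided, receives at most nOutputMax TCHARs. It is left
 * untouched when the file is clean.
 *
 * Returns SCAN_NO_VIRUS, SCAN_VIRUS or SCAN_FAILED.
 */
UINT _Scanner_LibClamav_ScanFile (LIBCLAMAVCONF* conf, LPCTSTR wszFile,
                                  LPTSTR szOutput, UINT nOutputMax)
{
    int               iResultCode ;
    unsigned long int scanned ;
    LPCSTR            szVirname = NULL ;
    char              csFullPath[MAX_PATH] = {0} ;
    size_t            nConverted ;
    BOOL              bReport = szOutput!=NULL && nOutputMax>0 ;

    // convert filename to ASCII
    /* (size_t)-1 signals an unconvertible character; a count equal to the
       buffer size means no terminator was written, i.e. the name was cut */
    nConverted = wcstombs (csFullPath, wszFile, MAX_PATH) ;
    if( nConverted==(size_t)-1 || nConverted>=MAX_PATH )
    {
        TRACE_ERROR (TEXT("File name cannot be converted for libclamav\n")) ;
        if( bReport )
            lstrcpyn (szOutput, TEXT("Error: file name cannot be converted\n"), (int)nOutputMax) ;
        return SCAN_FAILED ;
    }

    TRACE_INFO(TEXT("File = %hs\n"), csFullPath) ;

    iResultCode = cl_scanfile (csFullPath, &szVirname, &scanned,
                               conf->engine, &conf->limits, conf->options) ;

    TRACE_INFO(TEXT("Libclamav result = %d\n"), iResultCode) ;

    if( iResultCode == CL_VIRUS )
    {
        TRACE_INFO (TEXT("%hs : %hs FOUND\n"), csFullPath, szVirname) ;

        if( bReport )
        {
            /* size-bounded formatting; the terminator is forced in case
               the text was cut */
            wnsprintf (szOutput, (int)nOutputMax, TEXT("%hs FOUND"), szVirname) ;
            szOutput[nOutputMax-1] = 0 ;
        }

        return SCAN_VIRUS ;
    }

    if( iResultCode != CL_CLEAN )
    {
        TRACE_ERROR (TEXT("%hs : Error: %hs\n"), csFullPath, cl_strerror(iResultCode)) ;

        if( bReport )
        {
            wnsprintf (szOutput, (int)nOutputMax, TEXT("Error: %hs\n"), cl_strerror(iResultCode)) ;
            szOutput[nOutputMax-1] = 0 ;
        }

        return SCAN_FAILED ;
    }

    return SCAN_NO_VIRUS ;
}


/******************************************************************/
/* Internal function                                              */
/******************************************************************/

/*
 * Callback handed to FreshClam_Start: reloads the database into the
 * LIBCLAMAVCONF passed as context. The result of the reload is ignored.
 */
VOID _Scanner_LibClamav_DatabaseUpdated (LPVOID pContext)
{
    _Scanner_LibClamav_LoadDatabase ((LIBCLAMAVCONF*)pContext) ;
}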