发表于 2011-11-24 13:13:49
卡巴对文件的查毒是通过调用AVP_ProcessObject完成的,然后在经历了打开文件获取句柄、确定大小、格式识别和_GetFirstEntry之后,就到了CBaseWork::DoRecords(WORD Type, R_File_CureData** curedata)中。这个帖子就扯一下CBaseWork::DoRecords()。
在此之前小哭一下,_GetFirstEntry和_GetNextEntry似乎是蛮重要的代码,卡巴似乎把一个文件分成了多个Entry,然后_GetFirstEntry和_GetNextEntry将每个Entry读取到- typedef struct _CWorkArea{
$ ]% D4 ]! @+ F4 E1 p2 D+ @ - BYTE m_Header[HEADER_SIZE];6 x# m% c# C0 J/ V p1 ]! G+ g2 |
- BYTE m_Page_A[PAGE_A_SIZE];$ p1 O2 e3 z6 Y# C0 c
- BYTE m_Page_B[PAGE_B_SIZE];1 D; i2 X( Y. v3 k j9 {! [. w( T& X+ U
- BYTE m_Page_E[PAGE_E_SIZE];
: z: r, j f& m7 y) v% G - BYTE m_Page_C[PAGE_C_SIZE];
中,然后再由DoRecords对缓存查毒。可是,这么重要的两个函数竟然是在库文件krnengn.avc中的,哪位大神能赐给我这两个函数的代码啊。
void* CBaseWork::DoRecords(WORD Type, R_File_CureData** curedata) 中做的事很简单:遍历每个病毒库,让每个病毒库都执行一次void* CBase::DoRecords(WORD type,CWorkArea* pWorkArea, R_File_CureData** curedata),谁查到了就返回。
CBase::DoRecords依据参数type来进行不同类型的查毒,我就只关注RT_FILE文件类型的查毒了。这段代码经我重命名和加注释后似乎也比较容易理解,我就直接贴代码了:
- void* CBase::DoRecords(WORD type,CWorkArea* pWorkArea, R_File_CureData** curedata){
+ i1 d1 R& F: F( {% Z' I, j# h6 X - DWORD SubType=(DWORD)pWorkArea->m_SubType;6 f- i- M2 r* ~) X8 O
- BData* _bdata=bdata;
$ t% B: J# N0 s& F6 d. w1 V - switch(type)3 p! Y- ^$ ^+ k' z
- {: p9 Y T6 z8 o D( K
- case RT_FILE:' K6 M* y0 W; `" y
- {
6 s1 x, ? _3 L0 ^2 k+ `0 n - DWORD SubType=(DWORD)pWorkArea->m_SubType;
# y( E4 u: l# T - UINT nSubTypeBitNo = GetSubtypeBitNo((BYTE)SubType); //获取子类型
" b7 f* }! o7 k- h/ @ - BYTE* pSubQueue = m_SubTypeRangeArray[nSubTypeBitNo].pSubQueue;
( b5 _$ w; k/ h& a - & J3 z% P$ V& s% ?! n
- if(!pSubQueue)
/ A& z# F6 G4 R. s - break;4 h& Z# q; k! q0 s3 W
0 {8 g: j( K' F$ q& ^3 q( g Z- R_File_Cutted* rp0 = (R_File_Cutted*)(m_RPtrTable[type]);/ z4 P+ {- f0 H6 E
- ' j- a6 k- G9 U ^- r5 S
- unsigned int nThisType = *pSubQueue; // 取出本子类记录的个数
P: j( `& r! w& S" L% J& L B - pSubQueue++;! p+ X, n j5 z8 X7 e6 f
- unsigned int nNotThisType = *pSubQueue; " ^6 J4 _( [/ g/ a. ~1 V
- pSubQueue++;; j: I) \/ d4 O% M1 V: l
7 E& u5 W6 c; w1 L4 `- // pRecordCutted pRecordShort 指向当前的记录
$ j6 t y1 [1 d5 `! ?, y8 t) H9 o - R_File_Cutted* pRecordCutted=(R_File_Cutted*)(rp0 + (m_SubTypeRangeArray[nSubTypeBitNo].idx - 1));- T8 B/ Q8 U& w
- R_File_Short* pRecordShort = m_pFileShort + (m_SubTypeRangeArray[nSubTypeBitNo].idx - 1);- i5 \+ w4 ], K& O' b6 t& Z. j
- & Y! o+ U/ y$ [& b
- // 这个循环是由 nThisType 控制的
& T; h9 ^% f- C3 g2 l, |8 D7 } - while (true) h# T: A: N, \$ I
- {
" l" [. Y: n6 ]1 t: L - pRecordCutted++;
. w+ O7 q- r! z# L7 o - pRecordShort++;0 T0 z% e4 R; k! ]' r2 Z! J
% S& q% o+ ~9 S* ~6 I3 o; v- // 确保 nThisType 不是0$ _$ d9 E) G" T2 e; i
- if (!nThisType)7 N5 \) n- W% L9 e1 ?% ~! R' v
- {- M, }. q u1 I/ q6 [
- do1 A; e. Y( d1 s- l, I0 R. X
- {; h6 h- C+ r1 m+ A7 I, d- G* c
- pRecordCutted += nNotThisType;
; X) y) f8 ?2 ~) y% J. _* _ - pRecordShort += nNotThisType;! F( ^. V4 ^( x$ X+ L( c0 k+ d& s
: b8 _) J; M- e- nThisType = *pSubQueue; pSubQueue++;- |/ {$ a9 R& m) u# A$ b1 t
- nNotThisType = *pSubQueue; pSubQueue++;3 Q3 {* _1 i3 [# m2 V4 G3 k z
- 8 _& a, T$ h: h+ D+ q4 T) Q( @! v- H
- if (!nThisType && !nNotThisType)
; J* F8 g, u% c# B - {
; F. N$ ]8 y5 j+ ^: ]% t - #ifdef _DEBUG
6 E+ p$ @, A3 _- A0 k - if ((DWORD)(pRecordCutted - rp0) != m_SubTypeRangeArray[nSubTypeBitNo].nash_region_size + m_SubTypeRangeArray[nSubTypeBitNo].idx)
# q7 q% x2 L( I+ Q9 h7 R; U G - {4 O* C$ R; o3 y6 U8 x
- _asm int 3;# r$ \. Q' D- b& d* {2 l, s/ V
- }- T* J) @" _: Y1 t
- #endif
7 {8 T% H* g% @% ? - break;
* Y4 R# H2 i; g) q. y: W - }8 y( m: H3 d2 T/ k% X
/ C* [" k3 r8 F: v" z3 N: E- } while(!nThisType);
/ w) X- A1 o0 T K [
' V, {# e. [. K0 q- if (!nThisType)' ?+ W& i; W9 ~6 u) e/ ^7 _+ s. a
- break;! p2 ]0 `- Q! `& d0 E
- }" H3 H: O7 U% E
- nThisType--;; U9 t, B s& d. V" }: N8 t
) J' [3 s0 J E- B$ S7 d# u- : Y6 |7 y$ U& R! A
- // 长度大于2的记录,则确认ControlWord后CacheSum比较是否一样. w4 d G# z5 F. R
- // 小于2的记录则直接比较 ControlWord
- x0 c0 |4 a* D# R+ r+ y4 X - if(pRecordShort->Len1>2){ 5 k& y, g: E# C6 p! M
- if ( ReadWordPtr(&pRecordShort->ControlWord) != ReadWordPtr((WORD*)(pWorkArea->m_Header + ReadWordPtr(&pRecordShort->Off1))) ) {
9 Y0 p" l5 C0 g9 u, { - continue;
m% }7 M% F- D4 D" Z - }
- _+ {" [" J" D- r U, |5 B! M" M( M - else {
9 g2 q- u* H! m" d/ o3 y: t - AVP_word dwBase = ReadWordPtr(&pRecordShort->ControlWord);
! X T% u$ P+ k1 G6 o6 F5 i - AVP_word dwOff = ReadWordPtr(&pRecordShort->Off1);
3 D* q, F& ]$ _0 G: i+ H& R - unsigned char *pOffset = pWorkArea->m_Header + ReadWordPtr(&pRecordShort->Off1);
6 u ~- r0 @+ T4 O8 g1 O# W - AVP_word dwFile = ReadWordPtr((WORD*)(pWorkArea->m_Header + ReadWordPtr(&pRecordShort->Off1))); ( r' _! G) K, K' i. [
- } 6 `- i' g S) R
- }+ Y: r" Y8 B( b- p
- else switch(pRecordShort->Len1){
8 o% {2 M! v! N3 R# Y" E - case 1:
% _, x. r9 J, k x( r - if (((BYTE) ReadWordPtr(&pRecordShort->ControlWord)) != *(BYTE*)(pWorkArea->m_Header + ReadWordPtr(&pRecordShort->Off1)) ) continue; U) Y" U3 N) |9 y
- goto cklnk;2 E: J$ `6 W* ~* @4 C3 y5 l1 i, D/ j1 t
- : ]( R3 h0 g& W1 f" V# q
- case 2:
f, ~7 m) b& [ l# j8 ~: _ - if (ReadWordPtr(&pRecordShort->ControlWord) != ReadWordPtr((WORD*)(pWorkArea->m_Header + ReadWordPtr(&pRecordShort->Off1))) ) continue;
7 k7 @& X* p. p/ [1 ~ - goto cklnk;9 ?2 a: d7 O- C* s( N9 E, C
# X! X' Q. D. o: P( T) C$ A& [- case 0:2 Q0 B" k; g" ]
- if ( ReadWordPtr(&pRecordCutted->LinkIdx) == (WORD)(-1)) continue;
7 k6 i; R, v7 F( E0 ? - goto lnk;
( d- W7 M! S: {# P+ F - }
; R1 C' o: Y1 g* y. K3 c+ ?6 ?! n - ! d7 ^: ^0 q" V5 u2 W& B& X( w4 E& j
- if ( ReadDWordPtr(&pRecordCutted->Sum1) != CacheSum(pWorkArea->m_Header, ReadWordPtr(&pRecordShort->Off1), pRecordShort->Len1)) continue;7 W6 x. _! v% M7 o* t
- cklnk:
8 t" t# z4 P( Z - // 确认 Sum1 或者 ControlWord 相等后查看是否有 Link,有的话就执行之/ b4 T+ B- }' D2 P, h O. \1 M$ Q! g* S b
- if ( ReadWordPtr(&pRecordCutted->LinkIdx) != (WORD)(-1)) {
9 M) R6 ?) w, Q9 d/ n/ u* ^' p - WORD ret;
( ]' }' S1 T! R: s7 [' ] - lnk:& \; C) [% v Z
- if(pWorkArea->m_pScanObject->SType == OT_MEMORY_FILE) continue;
6 p- y# |* {% E, G8 L4 I
8 I4 [+ E0 r$ d9 p7 J$ U- ret = m_LinkTable[type][ReadWordPtr(&pRecordCutted->LinkIdx)].ExecuteEntry(pWorkArea, 0);7 y. S" D% D r$ L
- if(ret==0) continue; e% ]' C& G' ]/ k
- if(ret==R_DETECT) {
& f: x$ ?" G g$ w/ z- z5 v' O9 L - goto on;
. O. z. C6 C7 S( f% G: }/ x& J - } ^6 Y# `% b0 v% Y4 V: |3 [
- if(ret!=R_PREDETECT) continue;9 g) S& V$ v! a6 d; e
- }
/ Y: {+ D i" V* v% g - * n$ G/ _! R8 ]& y4 S
- if ( !pRecordCutted->Len2 )' _1 k5 A& v' l) N8 {8 K0 J* X- b2 t
- continue;
4 k, @( P* C- M3 Q1 H - " i- a8 y' H& p, X. O
- // 比较 Sum2 是否一样
# w( W. g0 i6 Y8 X3 T J& R - if ( ReadDWordPtr(&pRecordCutted->Sum2) != CalcSum(pWorkArea->m_Header + ReadWordPtr(&pRecordCutted->Off2), pRecordCutted->Len2) )
. \) g1 i) {. c' m - {
: O* ?4 {+ U. J2 V9 r, { - if ( pRecordShort->Len1 < 8 )& C: b' G3 F, c$ b6 _2 j
- continue;
( [) n3 \* ]( {! Z2 @& y6 E) x; i
( l8 M: s& C9 Y+ {! D* T7 s8 K; [. v- if ( SubType == ST_OLE2 )" |& Z, W5 D( w# d: F8 f9 m4 Y. ~$ L# Z
- continue;; t0 c* U5 S. F" V, l6 p! q
' _) j' c! D0 |, L- if ( (ReadWordPtr(&pRecordCutted->Off2) == (PAGE_C_BEGIN+0x4000) )+ _" Y8 C; ?+ Q# \0 N$ A
- && (0x00E8 == ReadWordPtr((WORD*)(pWorkArea->m_Header + ReadWordPtr(&pRecordCutted->Off2))) )! ?8 R) y# J2 C; I }: J
- ) X; \, T5 I' h
- && !(((WORD (*)(void*, void*))m_pBaseWork->_IsProgram) (pWorkArea->m_Header, pWorkArea->m_lpExt))& _3 {% M: G2 e1 B
- )continue;
1 Q/ ?: c& M# Q6 J" V - 8 o/ C+ ^. z) b% ~5 E( _
- pWorkArea->m_dwRFlags|=RF_WARNING;6 Y% z! J s& W3 D* t$ ]
- if ( pWorkArea->m_pScanObject->MFlags & MF_ALLWARNINGS)
) p% D* [9 m0 z5 f3 {% F1 r7 [ - {
) p; m* x* i% j: u: f4 K - char* wn = pWorkArea->m_pScanObject->pWarningName;& t3 g1 y$ ]: h: Y! {+ q
- pWorkArea->m_pScanObject->pWarningName = (char*)ReadDWordPtr(&pRecordCutted->NameIdx);
5 i5 g [/ ?& | - AvpCallback(AVP_CALLBACK_OBJECT_WARNING,(DWORD)pWorkArea->m_pScanObject);
" J/ ]' F4 t" J7 q2 q( V! b - pWorkArea->m_pScanObject->pWarningName=wn;
9 y8 ?: `8 o# d( T- ] - }
. _) m( `; o( P+ Z4 B) E - if(pRecordShort->Len1>_bdata->WarLen){
+ ^/ s4 q8 J8 s1 W; G - _bdata->WarLen=pRecordShort->Len1;+ Q$ b) E" n$ z* n, L- }
- pWorkArea->m_pScanObject->pWarningName=(char*) ReadDWordPtr(&pRecordCutted->NameIdx);
4 d2 y# P) D; [- R2 _" Y - }5 ]0 X r8 q7 J0 `# p! J
- continue;& b1 n" j1 y, K! w$ [1 p% A
- }
* q) k3 w5 s3 O$ V6 G" f - else{2 j; E% B) { A6 s
- pWorkArea->m_pScanObject->pVirusName = (char*) ReadDWordPtr(&pRecordCutted->NameIdx);" P. s& a0 T: G8 g$ `
- }! ]5 I% p- Y( C6 k. y0 q6 M
0 d# q3 n3 Y8 P. w8 x- on:
" j9 O0 m- w+ h6 a( y* @ ~ - // 此处是已经检测到病毒了,获取病毒名的序号
\* D& E2 i+ v P$ M, ? - pWorkArea->m_pScanObject->pVirusName = (char*) ReadDWordPtr(&pRecordCutted->NameIdx);
2 L! s5 C6 \+ {+ m - 1 D0 `0 v' j$ b# r- }9 S
- if(callbackRecords&2){$ i2 {6 J- Q* P( F- i+ L! F' Q
- pWorkArea->m_pCurRecord=pRecordCutted;
9 s8 G' U% K' K y1 M$ ^ - pWorkArea->m_dwCurRecordType=type;
$ ]$ n0 y7 i( `- A& b. o% k9 v' ~, ? - pWorkArea->m_dwCurRecordStatus=2;
% E Z( D7 ]8 d9 ]" J - . Y, a0 Z0 j; r0 o( v k) A
- AvpCallback(AVP_CALLBACK_WA_RECORD,(DWORD)(pWorkArea));+ {) n, _ f& \% X0 S, d& w3 ]
- }. n4 G' x/ o1 t- C
- 3 q! E% W A9 L! Z$ K
- if (pRecordCutted && curedata)
# E, H6 T! z& A [) t - *curedata = GetCureData(pRecordCutted - rp0);
/ x! Q* y+ n" D' L1 @( p - return pRecordCutted;
$ |9 W1 ^1 ?2 ` - }( y) G" G0 o+ b& s" {3 {
- }) T* }, \/ x& `
- break; T: v0 Y7 c% ]. ~% W! t
- case RT_SECTOR: