Make Windows "Open" everything by passing it to my program


Question


I'm writing my own anti-virus for a school project. I have basics nailed down like checking the MD5 hash of a file against a library of known bad hashes, checking the file for known bad pattern of bytes, checking if it'll try to connect to the net... At the moment this all works by passing the path of the file to check as argument to my program.


What I would like to do is something more similar to the way real anti-virus/malware works that is by checking every file the user double clicks on.


IE: When double-clicking on TEST.exe in explorer, instead of directly launching TEST.exe I would like the OS to actually call ANTIVIRUS.exe with the path to TEST.exe. ANTIVIRUS.exe will then check TEST.exe and determine if it's safe to launch or not.


I thought about modifying the "Open With" properties in the registry, but I noticed you can't set which program to open an executable with.


How can I change Windows (XP, 7, 8) settings to do something like this (if it's possible?). If it can't be done this way, how do other anti-viruses manage to check files as they're being launched?
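The "basics" the question describes (a hash lookup against a known-bad list plus byte-pattern matching) as an added example; this is not the asker's code and not how any particular product is written. The known-bad sample, the second signature pattern and the file contents are constructed for the example; the EICAR string is the industry-standard harmless test file that scanners are expected to detect.

```python
"""Added example: hash lookup and byte-pattern (signature) scanning as described
in the question. All hashes, patterns and sample bytes here are constructed for
illustration; the EICAR test string is the standard harmless scanner test file."""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed "known bad" sample. A real product ships a database of hashes;
# here the set is derived from the constructed sample so the example is self-contained.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-known-bad-sample"
KNOWN_BAD_MD5 = {hashlib.md5(KNOWN_BAD_SAMPLE).hexdigest()}

# Standard EICAR test string (harmless, detected by every scanner by convention).
EICAR_TEST_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# (name, byte pattern) signatures. The second pattern is constructed for this example.
SIGNATURES = [
    ("EICAR-Test-File", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"),
    ("Constructed-Pattern-A", b"\xde\xad\xbe\xef\x13\x37"),
]


@dataclass
class Finding:
    kind: str    # "hash" or "signature"
    name: str    # the matching hash, or the signature name
    offset: int  # byte offset of a signature hit; -1 for a whole-file hash hit


def scan_bytes(data: bytes) -> List[Finding]:
    """Return every hash and signature hit in `data` (empty list means clean)."""
    findings: List[Finding] = []

    # Whole-file hash check. MD5 is used because the question uses it; MD5 is
    # collision-prone, so real products pair it with SHA-256 or stronger.
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_BAD_MD5:
        findings.append(Finding("hash", digest, -1))

    # Byte-pattern check: report every occurrence of each signature, not just the first.
    for name, pattern in SIGNATURES:
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            findings.append(Finding("signature", name, idx))
            start = idx + 1
    return findings


def scan_file(path) -> List[Finding]:
    """Scan a file on disk; the asker's program receives `path` as its argument."""
    return scan_bytes(Path(path).read_bytes())


def is_safe_to_launch(path) -> bool:
    """Decision the question asks for: launch only when no finding was produced."""
    return not scan_file(path)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        verdict = "clean" if is_safe_to_launch(p) else "BLOCKED"
        print(f"{p}: {verdict}")
        for f in scan_file(p):
            print(f"  {f.kind}: {f.name} @ {f.offset}")
```

Run it as `python scanner.py TEST.exe` to get the per-file verdict the question describes. Note that this only answers "is this file bad?" for a path handed to the program; it does nothing about the interception problem the question goes on to ask about, which the answer below addresses.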

Answer


What you call "Open" is really ShellExecute. That's not what real AV uses, as ShellExecute eventually calls CreateProcess. But there are more ways to call CreateProcess, perhaps most importantly it can be called directly.


@wmz has another reasonable (but complex) hint: you can check at file system driver level. This isn't a regular program but runs as part of the kernel. That makes it a lot harder to program, for instance all .Net languages are unusable.
