Six process anti-virus solutions and source code

At the beginning of, the company started to implement a process-based anti-virus function. To protect the service programs of our software, security products such as 360 or rising have the process anti-virus function. After studying for more than a month, I summarized various online anti-virus methods and referred to their code. I would like to summarize the various implementation methods into the following six, and provide their corresponding source code.

The source code has all been modified and debugged by myself, some of which are original ones. The source code has been debugged under vs2005 and tested in various Windows operating systems.

Source Code address: http://download.csdn.net/user/woshiyipihaoma

 

1. ring3 promote the thread to the system thread

Principle: when Windows forces the process to end, it will first end all threads and change the program thread to the system thread to achieve the purpose of anti-kill.

Advantages: ring3 implements process anti-kill, no driver, no hook, simple principles and code, and prevents the task manager from killing processes.

Disadvantage: it can only be effective under XP (it is also related to the patch played by XP, and some XP systems will fail). The anti-virus capability is limited, for example, it cannot prevent tools such as icesword.

This method is based on a friend of csdn practice, the original address is http://blog.csdn.net/KeSummer/archive/2008/05/18/2455379.aspx

 

2. ntquerysysteminformation of hookapi

Principle: hook ntquerysysteminformation to hide the process

Advantages: Process hiding implemented by ring3, no driver, and process hiding in Task Manager

Disadvantage: processes can only be hidden under nt2000, And the versatility is poor.

 

3. Use the detours library to implement process anti-kill.

Principle: similar to 2, hook OpenProcess to prevent and kill Processes

Advantages: strong anti-kill capabilities and versatility, which can be used in nt2000, XP, and 2003

Disadvantage: hookapi is implemented using the detours library. In 2008, kill prevention fails and some process tools cannot be protected.

 

4. Hook the task manager to terminate the process event

Principle: hook the Task Manager window and use the CBT hook to intercept process messages.

Advantage: strong versatility. Any Windows platform can prevent the task manager from killing processes.

Disadvantage: it can only defend against Windows Task Management

 

5. Dual-Process Protection

Principle: The main process and the daemon process monitor each other and start the other when the other party is not found. To avoid parent-child process relationships, the main process starts a temporary process and the temporary process starts a daemon process.

Advantages: strong versatility, strong protection capabilities, and protection of Windows service programs. Hook anti-kill requires interaction between the main program and the desktop, while the service program does not interact with the desktop.

Disadvantages

 

6. Driver-level process protection

Principle: Driver-level zwquerysysteminformation hook to hide or prevent processes

Advantage: strong anti-virus capabilities, passed the test in icesword 1.2.2

Disadvantage: the driver is loaded, and the program implementation is complicated. The driver-level hook is detected as a Trojan by 360 or other anti-virus tools.