Scan VMDK for Virus Signatures
One of the Use Cases for the Virtual Disk Library is to scan a VMDK for virus signatures. Using our sample program framework, this example function implements the -virus command-line option, using hypothetical library routine SecureVirusScan(), supplied by an antivirus software vendor. The library routine scans a buffer against the vendor's latest pattern library, returning TRUE if it identifies a virus.
    extern int SecureVirusScan(const uint8 *buf, size_t n);

    /*
     * DoVirusScan - Scan the content of a virtual disk for virus signatures.
     */
    static void
    DoVirusScan(void)
    {
        VixDisk disk(appGlobals.connection, appGlobals.diskPath, appGlobals.openFlags);
        VixDiskLibDiskInfo info;
        uint8 buf[VIXDISKLIB_SECTOR_SIZE];
        VixDiskLibSectorType sector;

        // capacity is reported in sectors
        VixError vixError = VixDiskLib_GetInfo(disk.Handle(), &info);
        CHECK_AND_THROW(vixError);
        cout << "capacity = " << info.capacity << " sectors" << endl;
        // read all sectors even if not yet populated
        for (sector = 0; sector < info.capacity; sector++) {
            vixError = VixDiskLib_Read(disk.Handle(), sector, 1, buf);
            CHECK_AND_THROW(vixError);
            if (SecureVirusScan(buf, sizeof buf)) {
                // VixDiskLibSectorType is 64-bit, so stream it instead of printf("%d")
                cout << "Virus detected in sector " << sector << endl;
            }
        }
        cout << info.capacity << " sectors scanned" << endl;
    }
This function calls VixDiskLib_GetInfo() to determine the number of sectors allocated in the virtual disk. The number of sectors is available in the VixDiskLibDiskInfo structure, but normally not in the metadata. With SPARSE type layout, data can occur in any sector, so this function reads all sectors, whether filled or not. VixDiskLib_Read() continues without error when it encounters an empty sector full of zeroes.
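The loop above hands the scan routine one 512-byte sector per call, so if that routine keeps no state between calls (an assumption; the page only says it scans a buffer), a pattern that straddles a sector boundary is never seen whole. The following added example, which is not part of the VDDK sample or any vendor's code, goes beyond the page's loop by reading several sectors per call and carrying the tail of each chunk into the next. ScanBuffer(), ReadSectors(), MakeSampleDisk() and the pattern are constructed stand-ins for SecureVirusScan(), VixDiskLib_Read() and a real VMDK.

```cpp
// Added example: stand-ins (assumptions) replace SecureVirusScan() and VixDiskLib_Read().
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

static const size_t kSectorSize = 512;  // value of VIXDISKLIB_SECTOR_SIZE
static const std::string kPattern = "EXAMPLE-TEST-PATTERN";  // constructed, harmless
// Offset of the first pattern match in buf, or -1 if there is none.
static long ScanBuffer(const uint8_t *buf, size_t n) {
    const uint8_t *hit = std::search(buf, buf + n, kPattern.begin(), kPattern.end());
    return hit == buf + n ? -1 : static_cast<long>(hit - buf);
}
static void ReadSectors(const std::vector<uint8_t> &disk, uint64_t start,
                        size_t count, uint8_t *out) {
    std::memcpy(out, disk.data() + start * kSectorSize, count * kSectorSize);
}
// Constructed disk: four zeroed sectors, pattern straddling the sector 1/2 boundary.
static std::vector<uint8_t> MakeSampleDisk() {
    std::vector<uint8_t> disk(4 * kSectorSize, 0);
    std::copy(kPattern.begin(), kPattern.end(), disk.begin() + 2 * kSectorSize - 7);
    return disk;
}
// Scan sectorsPerRead sectors per call; with overlap, the last (pattern length - 1)
// bytes of a chunk precede the next. Returns byte offset of the first match per chunk.
static std::vector<uint64_t> ScanDisk(const std::vector<uint8_t> &disk,
                                      size_t sectorsPerRead, bool overlap) {
    const uint64_t capacity = disk.size() / kSectorSize;
    const size_t tailMax = overlap ? kPattern.size() - 1 : 0;
    std::vector<uint8_t> buf(tailMax + sectorsPerRead * kSectorSize);
    std::vector<uint64_t> hits;
    size_t tail = 0;  // bytes carried over from the previous chunk
    for (uint64_t sector = 0; sector < capacity; sector += sectorsPerRead) {
        size_t count = std::min<uint64_t>(sectorsPerRead, capacity - sector);
        ReadSectors(disk, sector, count, buf.data() + tail);
        size_t len = tail + count * kSectorSize;
        long off = ScanBuffer(buf.data(), len);
        if (off >= 0) hits.push_back(sector * kSectorSize - tail + off);
        tail = std::min(tailMax, len);
        std::memmove(buf.data(), buf.data() + len - tail, tail);
    }
    return hits;
}
int main() {
    std::vector<uint8_t> d = MakeSampleDisk();
    std::printf("plain: %zu hit(s), overlap: %zu hit(s)\n",
                ScanDisk(d, 1, false).size(), ScanDisk(d, 1, true).size());
}
```

Because the carried tail is one byte shorter than the pattern, a match that lies wholly inside one chunk cannot be reported a second time from the next.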
The following difference list shows the remaining code changes necessary for adding the -virus option to the vixDiskLibSample.cpp sample program:
43a44 > #define COMMAND_VIRUS_SCAN (1 << 10) 72a74 > static void DoVirusScan(void); 425a429 > printf(" -virus: scan source vmdk for virus signature \n"); 519a524,525 > } else if (appGlobals.command & COMMAND_VIRUS_SCAN) { > DoVirusScan(); 564a571,572 > } else if (!strcmp(argv[i], "-virus")) { > appGlobals.command |= COMMAND_VIRUS_SCAN;
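Review bot: in hunk 519a524,525 the outcome of the scan is dropped. DoVirusScan() is declared static void (72a74), so the branch `DoVirusScan();` gives the caller no way to tell a clean disk from one with detections other than parsing stdout. Suggest returning the detection count from DoVirusScan() and using it in this branch to set a non-zero exit status, so scripts that run the -virus option can act on the result.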
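Review bot: the usage line added in hunk 425a429 has a stray space before \n and uses the singular "signature" for a scan that checks many; suggest `printf(" -virus: scan source vmdk for virus signatures\n");`. For 43a44, the neighbouring COMMAND_ definitions are not visible in this diff, so confirm that bit 10 is not already taken before merging.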