Monitoring file MD5 value

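  In virus detection, recording and monitoring a file's MD5 value is an effective way to notice that the file has changed. MD5 is no longer collision-resistant, so where deliberate tampering is the concern a stronger hash such as SHA-256 is the better choice. This part of the program uses an open-source MD5 calculation library to implement monitoring for a specified file.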
  First, the user is asked to enter the path of the file to be monitored. If no monitoring record exists yet, one is generated first: a record file is created at the specified path, and the MD5 library is called to compute the MD5 value of the monitored file and store it in the record file. The code is as follows:

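	int file_len, i, j;
	FILE *pf, *md5_file;
	/* judge holds the access() result for the record file: non-zero means
	 * no record exists yet, so the first baseline is written here. */
	if(judge != 0){
		md5_file = fopen("E:\\md5.txt", "w");
		pf = fopen(file_addr, "rb");
		/* Either open can fail (drive missing, no permission, file removed
		 * after the access() check). Stop instead of handing NULL to
		 * fread()/fprintf(). */
		if(md5_file == NULL || pf == NULL){
			perror("fopen");
			if(md5_file != NULL) fclose(md5_file);
			if(pf != NULL) fclose(pf);
			return 1;
		}

		/* Feed the file to MD5Update block by block. A single fread() of
		 * MAXSIZE bytes would hash only the beginning of a larger file, so
		 * changes past that point would never alter the digest. */
		while((file_len = (int)fread(file, 1, MAXSIZE, pf)) > 0){
			MD5Update(&md5, file, file_len);
		}
		MD5Final(&md5, decrypt);

		/* The record is the digest as 32 lowercase hex characters. */
		for(i = 0; i < 16; i++){
			fprintf(md5_file, "%02x", decrypt[i]);
		}

		fclose(pf);
		fclose(md5_file);
	}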

  When the record file already exists, the stored MD5 value is loaded from it and printed. The code is as follows:

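	/* Load the recorded digest and keep the monitored file open for polling. */
	md5_file = fopen("E:\\md5.txt", "rb+");
	pf = fopen(file_addr, "rb");
	if(md5_file == NULL || pf == NULL){
		perror("fopen");
		if(md5_file != NULL) fclose(md5_file);
		if(pf != NULL) fclose(pf);
		return 1;
	}
	unsigned char now_md5[16];
	for(i = 0; i < 16; i++){
		/* %x stores a full unsigned int. Scanning straight into
		 * &decrypt[i] (one byte) writes past the element and, for the last
		 * elements, past the array. Read into an int-sized temporary. */
		unsigned int byte;
		if(fscanf(md5_file, "%2x", &byte) != 1){
			/* A short or non-hex record must not be used as a baseline. */
			fprintf(stderr, "stored MD5 record is incomplete or malformed\n");
			fclose(md5_file);
			fclose(pf);
			return 1;
		}
		decrypt[i] = (unsigned char)byte;
	}
	fclose(md5_file);
	printf("CURRENT MD5: ");
	for(i = 0; i < 16; i++){
		printf("%02x", decrypt[i]);
	}
	printf("\n");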

  Next, the specified file is monitored, with a flag that lets the user decide when to stop. The file is scanned and its MD5 value recomputed every second and compared with the stored MD5 value; when it differs, the new MD5 value is stored and reported to the user, who then decides whether to exit the monitor. The code is as follows:

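bool flag = true;
	char ch;
	/* Poll once per second until the user answers 'y' after a change. */
	while(flag){
		Sleep(1000);
		/* Start again from the first byte and hash the whole file block by
		 * block, so files larger than the MAXSIZE buffer are covered too. */
		rewind(pf);
		MD5_CTX md5;
		MD5Init(&md5);
		while((file_len = (int)fread(file, 1, MAXSIZE, pf)) > 0){
			MD5Update(&md5, file, file_len);
		}
		MD5Final(&md5, now_md5);

		if(memcmp(now_md5, decrypt, 16) == 0){
			continue;	/* unchanged since the last recorded digest */
		}

		/* The digest differs: adopt it as the new reference, in memory and
		 * in the record file. The previous value is not kept anywhere. */
		memcpy(decrypt, now_md5, 16);
		md5_file = fopen("E:\\md5.txt", "w");
		if(md5_file == NULL){
			/* Keep monitoring, but make the failed write visible. */
			perror("E:\\md5.txt");
		}else{
			for(j = 0; j < 16; j++){
				fprintf(md5_file, "%02x", now_md5[j]);
			}
			fclose(md5_file);
		}

		printf("MD5 CHANGED TO: ");
		for(j = 0; j < 16; j++){
			printf("%02x", now_md5[j]);
		}
		printf("\n是否停止监控?y/n:  ");
		/* " %c" skips pending newlines. The old getchar() triple took the
		 * answer from the second character read, which is only right while
		 * a newline is still pending, so a second prompt read the newline
		 * instead of the answer. End of input also stops the loop. */
		if(scanf(" %c", &ch) != 1 || ch == 'y') flag = false;
	}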

  To test the monitoring program, first create a file, generate MD5 value and inform the user of the current MD5 value and enter the monitoring state, as follows:

  At this time, after changing the file data in the monitoring, you will get the prompt message of the MD5 value change, as follows:

  After entering the character "y", stop monitoring and inform the user, as follows:

  At this point, check the value in the current MD5 record file, modify and save it successfully, as follows:

  The complete code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#include <windows.h>
#include "MD5.cpp"

#define MAXSIZE 104857600

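/* MD5 digest length in bytes. */
enum { MD5_LEN = 16 };

/*
 * Hash everything from the current position of `fp` to end of file and
 * store the 16-byte digest in `digest`. `buf` is scratch space of
 * `buf_size` bytes; the file is fed to MD5Update block by block, so its
 * size is not limited by the buffer.
 * Returns 0 on success, -1 if the stream reports a read error.
 */
static int md5_of_stream(FILE *fp, unsigned char *buf, size_t buf_size,
                         unsigned char digest[MD5_LEN])
{
	MD5_CTX ctx;
	size_t got;

	MD5Init(&ctx);
	while((got = fread(buf, 1, buf_size, fp)) > 0){
		MD5Update(&ctx, buf, (unsigned int)got);
	}
	MD5Final(&ctx, digest);
	return ferror(fp) ? -1 : 0;
}

/*
 * Write `digest` to `path` as 32 lowercase hex characters, replacing any
 * previous content. Returns 0 on success, -1 if the file cannot be opened
 * or closed cleanly.
 */
static int store_digest(const char *path, const unsigned char digest[MD5_LEN])
{
	FILE *out = fopen(path, "w");
	int k;

	if(out == NULL){
		return -1;
	}
	for(k = 0; k < MD5_LEN; k++){
		fprintf(out, "%02x", digest[k]);
	}
	return fclose(out) == 0 ? 0 : -1;
}

/*
 * Read 32 hex characters from `path` into `digest`.
 * Returns 0 on success, -1 if the file cannot be opened or does not hold a
 * complete hex digest.
 */
static int load_digest(const char *path, unsigned char digest[MD5_LEN])
{
	/* Read-only: loading the record needs no write access. */
	FILE *in = fopen(path, "rb");
	int k;

	if(in == NULL){
		return -1;
	}
	for(k = 0; k < MD5_LEN; k++){
		/* %x stores an unsigned int, so scan into one and narrow
		 * afterwards. Scanning directly into an unsigned char element
		 * writes past it. */
		unsigned int byte;
		if(fscanf(in, "%2x", &byte) != 1){
			fclose(in);
			return -1;
		}
		digest[k] = (unsigned char)byte;
	}
	fclose(in);
	return 0;
}

/*
 * Interactive MD5 monitor: asks for a file path, records the file's MD5 in
 * E:\md5.txt if no record exists, then re-hashes the file every second and
 * reports (and re-records) the digest whenever it differs from the record.
 *
 * The record is a plain text file at a fixed path. The comparison is only
 * as trustworthy as that file, so it should be kept where whoever can
 * modify the monitored file cannot also rewrite the record.
 *
 * Returns 0 on normal completion (and, as before, when the buffer cannot
 * be allocated); 1 if input ends early or a file cannot be opened, read or
 * parsed.
 */
int main(){
	static const char record_path[] = "E:\\md5.txt";

	printf("------该程序将完成对指定文件MD5值的监控------\n\n");
	char file_addr[1000];
	int judge;
	do{
		printf("请输入监控文件绝对路径:");
		/* Width-limited so an over-long token cannot overrun file_addr;
		 * a failed read (end of input) must not loop forever. */
		if(scanf("%999s", file_addr) != 1){
			return 1;
		}
		judge = access(file_addr, 0);
		if(judge != 0)  printf("------------------------\n该路径错误,请重新输入!");
	}while(judge != 0);

	printf("监控文件位于:E:\\md5.txt\n");
	printf("\n------开始监控------\n");

	unsigned char decrypt[MD5_LEN];	/* recorded (reference) digest */
	unsigned char now_md5[MD5_LEN];	/* digest of the latest scan */
	int j;

	unsigned char *file = (unsigned char*)malloc(sizeof(unsigned char) * MAXSIZE);
	if(file == NULL){
		printf("空间申请失败!\n");
		system("pause");
		return 0;
	}

	/* The path passed access() above, but it can still fail to open. */
	FILE *pf = fopen(file_addr, "rb");
	if(pf == NULL){
		perror(file_addr);
		free(file);
		return 1;
	}

	/* No record yet: hash the file once and write the first baseline. */
	if(access(record_path, 0) != 0){
		if(md5_of_stream(pf, file, MAXSIZE, decrypt) != 0){
			perror(file_addr);
			fclose(pf);
			free(file);
			return 1;
		}
		if(store_digest(record_path, decrypt) != 0){
			perror(record_path);
			fclose(pf);
			free(file);
			return 1;
		}
	}

	/* A truncated or non-hex record is treated as an error rather than
	 * silently replaced, because re-baselining would hide a change. */
	if(load_digest(record_path, decrypt) != 0){
		fprintf(stderr, "cannot read a valid MD5 record from %s\n", record_path);
		fclose(pf);
		free(file);
		return 1;
	}

	printf("CURRENT MD5: ");
	for(j = 0; j < MD5_LEN; j++){
		printf("%02x", decrypt[j]);
	}
	printf("\n");

	bool flag = true;
	char ch;
	while(flag){
		Sleep(1000);
		rewind(pf);	/* rescan from the first byte */
		if(md5_of_stream(pf, file, MAXSIZE, now_md5) != 0){
			perror(file_addr);
			break;
		}
		if(memcmp(now_md5, decrypt, MD5_LEN) == 0){
			continue;	/* unchanged */
		}

		/* Changed: the new digest becomes the reference. A failed write is
		 * reported but does not stop monitoring. */
		memcpy(decrypt, now_md5, MD5_LEN);
		if(store_digest(record_path, now_md5) != 0){
			perror(record_path);
		}

		printf("MD5 CHANGED TO: ");
		for(j = 0; j < MD5_LEN; j++){
			printf("%02x", now_md5[j]);
		}
		printf("\n是否停止监控?y/n:  ");
		/* " %c" skips pending newlines, so the answer is read correctly on
		 * every prompt, not only the first one after the path was entered.
		 * End of input also stops the loop. */
		if(scanf(" %c", &ch) != 1 || ch == 'y') flag = false;
	}
	printf("\n------监控完成------\n");
	system("pause");
	free(file);
	fclose(pf);
	return 0;
}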
Reference

MD5


Origin blog.csdn.net/m0_46161993/article/details/107106605