Antivirus hackers handbook

42 Part I ■ Antivirus Basics
pthread_mutex_init((pthread_mutex_t *)(v4 + 144), 0LL);
memset(&v5[12], 0, 0x7EuLL);
g_user_callbacks = (__int64)v5;
result = g_Engine->baseclass_0->CAEEngineDispatch_SetUserCallBack
(g_Engine, v5);
if ( result < 0 )
{
fwrite("SetUserCallBack() failed!\n", 1uLL, 0x1AuLL, stderr);
exit(1);
}
This code is used to set a few callbacks. For example, you could install callbacks
to be notified every time a new file is opened, created, read, written, and so on.
Do you want to write a generic unpacker using the Comodo engine? Install a
notification callback and wait for it to be called, copy the temporary file or buffer,
and you are done! Generic unpackers based on antivirus engines are popular.
This is interesting, but the purpose of this demonstration is to reverse-engineer
the core to get sufficient information about how to write a C/C++ SDK to interact
with the Comodo kernel. Now that the maybe_IFrameWork_CreateInstance
function has been analyzed, go back and look at the main function. The next
code after the call to the previously analyzed function will be similar to the
following pseudo-code:
if ( __lxstat(1, filename, &v7) == -1 )
{
v5 = __errno_location();
v6 = strerror(*v5);
fprintf(stderr, "%s: %s\n", filename, v6);
}
else
{
if ( verbose )
fwrite("-----== Scan Start ==-----\n", 1uLL, 0x1BuLL, stdout);
if ( (v8 & 0xF000) == 0x4000 )
scan_directory(filename, verbose, (__int64)&scanned_files,
(__int64)&virus_found);
else
scan_stream(filename, verbose, &scanned_files,
&virus_found);
if ( verbose )
fwrite("-----== Scan End ==-----\n", 1uLL, 0x19uLL, stdout);
fprintf(stdout, "Number of Scanned Files: %d\n",
(unsigned int)scanned_files);
fprintf(stdout, "Number of Found Viruses: %d\n",
(unsigned int)virus_found);
}
This code checks whether the path pointed out by the global variable src
exists. If it does, the code calls either scan_directory or scan_stream, depending
on the flags returned by the call to __lxstat. The function to scan directories