SDK Documentation
SDK Documentation
SDK Documentation
The direct use of libraries of antivirus engine complicated to implement and requires a full
understanding of the process of the antivirus engine. Application developed by you must
arrange loading and unloading of the core, to define the parameters of the work, to provide
scan, follow the thread synchronization.
Disadvantages:
Working through the service is more simple and suitable for programmers who only began to
work with this SDK. All the work in this case is done by the service itself. User application needs
to send a team to provide scanning and get the results.
1. Quick start. You will need a few minutes in order to write your first application.
Disadvantages:
At the same time your application when using the service may not be sufficiently flexible. For
such cases, this SDK includes source code for all submitted applications. You can get the
source code of the service, or any other application as a basis, and write your application that
will meet your needs.
The package also includes examples of both the direct use of the core and the interaction
through the service.
Package contents
app * \ - Contains the source code of the applications submitted to the package
bin * \ - The binaries of AvEngine and utility.
docs * \ - Description and function of SDK
examples * \ - Examples of engine connection to theapplication
include * \ - header files needed for engine connection
lib * \ - library for interaction with the service
System requirements
Processor: 1 GHz or higher
RAM: 512 MB or more
Hard disk space: 80 MB
Operating System: XP SP2/SP3, Vista, Windows 7 (x86 or x64), Windows 8 (x86 or x64), all versions of
Windows 2003 Server, Windows 2008 Server.
Zillya AV Engine Service
The service supports multithreaded scanning, so you can start several scans in a row, and
create any number of applications that use the service functions.
The service works with system privileges, so you will not have problems with access to the
protected files and folders.
Installation
To install the service, you can use the scripts that are in the bin folder of the SDK.
Introduction
Using pipe, this is another way to interact with Zillya! AVEngine Service and verification files for
viruses. Let us consider a simple example of scanning a file.
It is assumed that when writing a program, the developer already has a basic knowledge of
WIN32 API and is able to work with named channels.
To send commands to the service, you have to connect to it. Zillya AVEngine Service waits for a
connection using the channel
1 "\\\\.\\pipe\\ZSDK-{F671A1CA-7BA6-4e57-9E98-0D2AE0985A42}"
After establishing a connection, the service will be expected of your command. The command to
scan a file is a filled zRPCRequest structure, which is need to be sent to the service.
1 BOOL bResult;
2 DWORD cbWritten, dwStatus = 0;
3 zRPCRequest request;
4
5 wcscpy_s(request.szScanPath, MAX_PATH, L
6 "c:\\WINDOWS\\notepad.exe");
7
8 bResult = WriteFile(m_hPipe, (LPVOID)&dwStatus, sizeof(DWORD),
9 &cbWritten, NULL);
10
11 if (!bResult || cbWritten !=
12 sizeof(DWORD))
13
14 return FALSE;
15
16 bResult = WriteFile(m_hPipe, (LPVOID)&request,
17 sizeof(zRPCRequest), &cbWritten, NULL);
18
19 if (!bResult || cbWritten !=
20 sizeof(request))
21
22 return FALSE;
After receiving the command, the service will give anti-virus engine to scan specific files, and
return you to the results of the scan, using the structure zPRCAnswer.
1 BOOL bResult;
2 DWORD cbBytesRead, dwStatus = 0;
3 zPRCAnswer answer;
4
5 bResult = ReadFile(m_hPipe, (LPVOID)&dwStatus, sizeof(DWORD),
6 &cbBytesRead, NULL);
7
8 if(!bResult || cbBytesRead !=
9 sizeof(DWORD))
10
11 return FALSE;
12
13 bResult = ReadFile(m_hPipe, (LPVOID)&answer,
14 sizeof(zPRCAnswer), &cbBytesRead, NULL);
15
16 if(!bResult || cbBytesRead !=
17 sizeof(zPRCAnswer))
18
19 return FALSE;
The results can be returned more than once, depending on how many files were transferred to
the analysis. In this case, the service will return ZSDK_REQUEST_MORE_DATA in dwStatus.
Introduction
zlib- is a library, which allows your application to gave the command to Zillya AVEngine Service.
It is created to facilitate the interaction of your application with the service and the fastest
scanning organization. It is enough to call several functions to create minimal application.
Setup
To use the library, you need to include the header file zsdk_def.h. Copy this file to the folder of
the SDK include folder in your project, and write a program's code:
1 #include
2 "zsdk_def.h"
Also, you will need to copy the file zslib.lib from the folder lib of this SDK to a folder with your
project, and connect it to the projects. This can be done using your IDE project settings or
specifying
1 #define _ZSDK_INCLUDE_STATIC
To begin scanning, you need to call the StartScan function. Its only parameter is a path to scan.
1 hScan = StartScan(L
2 "c:\\WINDOWS\\notepad.exe");
To get the results of the scan, you need to call the GetScanData function, passing it the handle
scanning and structure to be filled. If you scan multiple files, function should be called for each
file.
1 do {
2
3
4 if((dwRes = GetScanData(hScan,
5 answer)) == ZSDK_REQUEST_ERROR)
6
7 break;
8
9 ....
10
11 }
12 while(dwRes ==
13 ZSDK_REQUEST_MORE_DATA);
14
15 }
Scan results are contained in answer structures. To verify that the file is infected or not, you can
use the part of ScanStatus structure
1 if(!answer.ScanStatus)
2 printf(
3 "no viruses detected");
4 else
5 printf(
6 "threat detected");
Now we have an application that will connect to the service and to scan files for viruses.
GetScanData
GetScanData
Get the next file scan result
Syntax
1 DWORD GetScanData(
2 DWORD hScan,
3 zPRCAnswer &answer
4 );
Parameters
hScan[in] Scaning thread handle, returned by StartScan
answer[out] Pointer to the zPRCAnswerstructure, that contain information about scan result.
Return value
Constant/Default value Description
StartScan
StartScan
Starts new scan thread
Syntax
1 DWORD StartScan(
2 LPWSTR szPath
3 );
Parameters
szPath[in] Path that will be scanned
Return value
If success, return handle of the new scan, 0 otherwise.
Service Structures
zRPCAnswer
zRPCAnswer
Contains the results of the scan
Syntax
1 typedef struct zRPCAnswer {
2 wchar_t szFileName[MAX_PATH];
3 wchar_t szVirName[VIRNAME_LEN];
4 DWORD ScanStatus;
5 DWORD FilesScanned;
6 DWORD VirCount;
7 DWORD Action;
8 } *pZPRCAnswer;
Members
szFileName File that scanned
ScanStatus File scan status, if file is clean, sets to 0
szVirName Name of virus found
FilesScanned Number of objects scanned (in the case of container> 1)
VirCount The number of bodies discovered viruses
Action Action performed on the file
zRPCRequest
zRPCRequest
Provides information about scanning. Used to initiate a new scan
Syntax
1 typedef struct zRPCRequest {
2 wchar_t szScanPath[MAX_PATH];
3 } *pZRPCRequest;
Members
szScanPath[in] Path, that will scanned
We describe how to create a scanning applications, working directly with the anti-virus engine.
This method is faster and gives you more control over the work of the core, but you will need to
configure your own anti-virus engine for its work. Moreover, in this example, we'll create just one
thread scan.
Lets include the header file engine_n.h, which defines all the functions and structures that are
needed in work. The file itself can be found in the include folder of this SDK.
1 #include
2 "engine_n.h"
Download the core and needed functions. We need three functions to scan the file: coreInit - to
initialize the core, coreFScan - actually scanning, coreFree - to unload the core.
1 PCoreInit coreInit;
2 PCoreFree coreFree;
3 PCoreFScan coreFScan;
4
5 if(!hLib = LoadLibrary(L
6 "CoreMain.dll"))
7
8 return 0;
9
10 coreInit = (PCoreInit)GetProcAddress(hLib,
11 "CoreInit");
12 coreFree = (PCoreFree)GetProcAddress(hLib,
13 "CoreFree");
14 coreFScan = (PCoreFScan)GetProcAddress(hLib,
15 "CoreFScan");
16
17 if(!coreInit || !coreFree ||
18 !coreFScan)
19
20 return 0;
Initialize the core. You need to fill TCoreInit_Interface structure and pass it to a function
CoreInit. For the simplest initialization you need only to specify the core file and virus
databases.
1 initParams.CoreData = &coreData;
2 initParams.EPath = szCorePath;
3 initParams.VPath = szCorePath;
4
5 hCore = coreInit(&initParams);
After initialization, the core can start scanning. You need to fill the scan and call the coreFScan.
The given code is the example of simple filled TCoreFScan_Interface structure, and do not
specify the parameters of extracting archives. This means that files will not be checked.
1 scanParams.FName = L
2 "C:\\WINDOWS\\notepad.exe";
3 scanParams.VName = vNameBuffer;
4 scanParams.BaseMode = 0xffffffff;
5 scanParams.UnpackMode = &unpackMode;
6 scanParams.CoreResult = &scanResult;
7
8 result = coreFScan(hCore, &scanParams);
Function gives back the results of file scanning after finishing. You can find the additional
information in TCoreResult structure.
1 if(result == 0)
2 printf(
3 "no viruses found");
Anti-virus engine is multithreaded CoreAV multimodule kernel. In one application, no matter how
many copies of the kernel is used, must be loaded into memory only one copy of the kernel, but
for each thread (Thread), which will work with anti-virus kernel, you must perform your own
initialization function. Whole kernel supports the ability to work up to 32 streams within a single
application To initialize the main file to load the scan engine (CoreMain.DLL), Handle having
libraries of functions to determine the address of the antivirus engine. Next, for each thread to
scan for viruses to initialize a copy of the kernel (CoreInit), by calling the number you get your
copy of the kernel within the application. This number will always be used to work with the copy
of the kernel. For example: you need to scan files at once anti-virus kernel in 2 threads. In this
case, you call CoreInit twice (saving the return values of two variables, such as H1 and H2).
Further, for that would give the team the first copy of the kernel to check the memory, you only
need from any thread (Thread) application call the CoreFScan (H1, ...). For that would abort the
copy, you need to call CoreStopScan (H1, ...). To change the settings for your copy of the
kernel you are using the CoreOptions (H1, ...). With this you can use two different threads
(Thread) cause the application simultaneously check two or more files, specifying in each call to
a number of copies of the initialized engines. Examples of the use of anti-virus engine in a
single-threaded and multithreaded applications:
Single-threaded application:
Multi-threaded application with equivalent currents:
In the case of checking scanning archives, installers, and other types of containers, from which
anti-virus engine extracts the attached files, test results of the attached files are transferred to
the CallBack function whose address is specified when initializing a copy of the antivirus engine.
Pay attention to the fact that different copies of the antivirus engine you can specify how the
individual functions CallBack, and the exact same one (at all) function, as when it is called anti-
virus kernel is also sent copies of the antivirus engine room.
Antivirus kernel CoreAV is a set of files that are loaded by the loading master file of the engine
as a dynamic link library, and call the initialization function of the library. Files of antivirus
engine:
CoreFree
CoreFree
Closes an open antivirus core handle
Syntax
1 int TCoreFree(
2
3 DWORD CoreHandle
4
5 );
Parameters
CoreHandle[in] Pointer to the open antivirus core handle
Return value
Constant/Default value Description
CoreFScan
CoreFScan
Scans the file for viruses
Syntax
1 int TCoreFScan (
2
3 DWORD CoreHandle,
4
5 const PCoreFScan_Interface params
6
7
8 );
Parameters
CoreHandle[in] Opened antivirus core handle, created by a previous call to the CoreInit
params[in|out] Pointer to the PCoreFScan_Interfacestructure, which contains information about
the scan. It also contains the return value of the scan results.
Return value
Constant/value Description
CoreInit
CoreInit
Initializes the loaded copy of the core. The application must call this function, before before
using the kernel.
Syntax
1 DWORD TCoreInit(
2
3 const PCoreInit_Interface params
4
5 );
Parameters
params[in] Pointer to the TCoreInit_Interfacestructure that have initializes parameters
Return value
Return CoreHandle value, which would subsequently need to pass the rest of the engine
caused by anti-virus functions, or an error code of the kernel initialization.
Constant/value Description
CoreMScan
CoreMScan
Scans the memory block for viruses
Syntax
1 int TCoreMScan (
2
3 DWORD CoreHandle,
4
5 const PCoreMScan_Interface params
6
7
8 );
Parameters
CoreHandle[in] Opened antivirus core handle, created by a previous call to the CoreInit
params[in|out] Pointer to the TCoreMScan_Interfacestructure, which contains information about
the scan. It also contains the return value of the scan results.
Return value
Constant/value Description
Remarks
The function CoreMScan not release the memory area containing the object to be scanned.
This should make the application, which allocated memory area after the test result (exit the
CoreMScan).
Function to check the memory buffer CoreMScan most similar to the previous function
CoreFScan (function check the file) and contains only two differences:
1. To test passed is not the way to the file on disk, but memory buffer that contains the
necessary checks for an object (file);
2. The current version of the antivirus engine testing of the memory buffer is only possible mode
of "report" (that is not possible to treat the virus).
All other inbound and outbound parameters are fully consistent with the parameters of the
function checks the file.
CoreOptions
CoreOptions
Sets the options of the antivirus engine
Syntax
1 DWORD CoreOptions (
2
3 DWORD CoreHandle;
4
5 const PCoreOptions_Interface
6 options;
7
8 );
Parameters
CoreHandle[in] Opened antivirus core handle, created by a previous call to the CoreInit
options[in] Pointer to the TCoreOptions_Interfacestructure, which contains information about
the scan options.
Return value
CoreStopScan
CoreStopScan
Stops scanning the object to the specified stream
Syntax
1 DWORD CoreStopScan(
2
3 DWORD CoreHandle
4
5 );
Parameters
CoreHandle[in] Opened antivirus core handle, created by a previous call to the CoreInit
Return value
Remarks
Interruption test object (file, archive, memory array, etc.) is carried out using the function scan
engine CoreStopScan. At the same anti-virus engine finishes last logical operation that is
carried out to test the file and exits caused by the earlier test function object (file or memory
buffer). It is important to bear in mind that in the case of a function call interrupts the scan test
result value of the object, the call is interrupted by this function must be considered invalid. For
example, the object can be checked only part of the anti-virus, or not tested at all, after which
the work was interrupted by anti-virus engine. Use this feature is recommended if necessary
interrupt the scanning process during the test files, installers, and other containers, where no
opportunity to wait for the end of the test object entirely.
CoreRScan
CoreRScan
Scans the registry key for viruses
Syntax
1 int CoreRScan (
2
3 DWORD CoreHandle,
4
5 const PCoreRScan_Interface params
6
7
8 );
Parameters
CoreHandle[in] Opened antivirus core handle, created by a previous call to the CoreInit
params[in|out] Pointer to the TCoreRScan_Interfacestructure, which contains information about
the scan. It also contains the return value of the scan results.
Return value
Constant/value Description
Syntax
1 DWORD CoreInitMerge(
2
3 const PCoreInit_Interface params
4
5 );
Parameters
params[in] Pointer to the TCoreInit_Interfacestructure that have initializes parameters
Return value
Remarks
The core can be initiated in one of two modes: full version of bases, and an reduced version of
bases. If the kernel has been loaded with an reduced version of the database, TCoreInitMerge
performs refilled missing virus entries. For more details see Virus bases boot options
RegInfoCallback
RegInfoCallback
allback function that is called, when the scan engine finishes checking the registry key
Syntax
1 DWORD RegInfoCallback (
2 DWORD CoreHandle,
3 LPCSTR VirusName
4 );
Parameters
CoreHandle Opened antivirus core handle, which identifies the scanning stream.
VirusName The name of the virus found
Return value
If function successed, it should return 0.
UnpackingInfoCalback
UnpackingInfoCalback
allback function that is called, when the scan engine finishes checking the next file in the
archive
Syntax
1 DWORD UnpackingInfoCallback (
2 DWORD CoreHandle,
3 LPCWSTR FileName,
4 CHAR Status,
5 LPCSTR VirusName
6 );
Members
CoreHandle Opened antivirus core handle, which identifies the scanning stream.
FileName The full path and display name of the extracted files (contains both the way to the
container, and the path to the inside of the container)
Status File check status. The statuc can be one of the list values:
Constant/value Description
Remarks
CallBack function UnpackingInfoCallBack declared in an application that uses anti-virus engine,
and is used to display additional information, initiated by the anti-virus kernel: results of the test
objects inside a container. CallBack function is UnpackingInfoCallBack function for displaying
the status of files retrieved to check out file containers (archives, installers, email databases,
etc.). This function must be declared in the body of an application that uses anti-virus engine.
By using multiple scanning threads, each of them can be passed as a pointer to the different
(individual) functions as well as one and the same function as a unified whole application.
Structures Reference
TCoreData
TCoreData
Contains information about the loaded copy of the kernel
Syntax
1 typedef struct TCoreData {
2 DWORD AVEVers;
3 DWORD AVERecCount;
4 } *PCoreData;
Members
AVEVers Antivirus core version
AVERecCount Antivirus bases records count
Remarks
Structure is filled by the kernel when the CoreInitfunction called. Included in
the TCoreInit_Interfacestructure.
TCoreFScan_Interface
TCoreFScan_Interface
Contains information about the file to be scanned. Return values after the scanning is
also written here.
Syntax
1 typedef struct TCoreFScan_Interface {
2 LPCWSTR FName;
3 DWORD ToDo;
4 DWORD BaseMode;
5 PCoreUnpackMode UnpackMode;
6 LPSTR VName;
7 PCoreResult CoreResult;
8 } *PCoreFScan_Interface;
Members
FName[in] Name of file, that will scanned
ToDo[in] File process mode. This option can be one of this values:
Constant/value Description
BaseMode[in] This parameter sets the range of BaseMode anti-virus and heuristic algorithms
are used to test anti-virus kernel of these objects. This parameter specifies the binary masks:
Constant/value Description
0x0000FF00 additional databases. This mode is active only when the core set of
databases
0xFF000000 additional (extended) heuristic algorithms. This mode is active only when the
base heuristic algorithms
UnpackMode[in] Sets the configuration container extraction, if the file is such. Pointer to
theTCoreUnpackModestructure.
VName[out] Pointer to the virus name buffer. Must be at least 64 characters
CoreResult[out] Pointer to the TCoreResultstructure. Contains the results an object scanning.
TCoreInit_Interface
TCoreInit_Interface
ontains information about the copy of the kernel is initialized
Syntax
1 typedef struct TCoreInit_Interface {
2 LPCWSTR EPath;
3 LPCWSTR VPath;
4 DWORD Options;
5 PUnpakingInfoCalback UnpakingCalback;
6 PRegInfoCalback RegCalback;
7 LPCWSTR LogFPath;
8 PCoreData CoreData;
9 } *PCoreInit_Interface;
Members
EPath The path to the folder that contains anti-virus engine
VPath The path to the folder containing the virus database
Options The options of the core being loaded
Constant/value Description
0x00000001 Stop checking the archive, on detected threats
0x00000002 Run core in debug mode. With this option core writes maximum log
information
TCoreMScan_Interface
TCoreMScan_Interface
Contains information about the memory block to be scanned. Return values after the
scanning is also written here.
Syntax
1 typedef struct TCoreMScan_Interface {
2 LPCVOID MemPointer;
3 DWORD MemSize;
4 DWORD BaseMode;
5 PCoreUnpackMode UnpackMode;
6 LPSTR VName;
7 PCoreResult AVEResult;
8 } PCoreMScan_Interface;
Members
MemPointer[in] A pointer to memory containing the object to be scanned.
MemSize[in] The size of the buffer memory
BaseMode[in] Mode of virus bases usage
UnpackMode[in] A pointer to the TCoreUnpackModestructure parameters and unpacking of
containers
VName[out] Pointer to the virus name buffer. The buffer size can be 64 bytes.
AVEResult[out] A pointer to the TCoreResultstructure of scan results
TCoreOptions_Interface
TCoreOptions_Interface
Contains information about the additional core options
Syntax
1 typedef struct TCoreOptions_Interface {
2 DWORD Options;
3 LPCSTR LogFPath;
4 DWORD Reserved1;
5 DWORD Reserved2;
6 DWORD Reserved3;
7 DWORD Reserved4;
8 DWORD Reserved5;
9 } *PCoreOptions_Interface;
Members
Options Additional options
LogFPath Path to the log file
Reserved1 reserved
Reserved2 reserved
Reserved3 reserved
Reserved4 reserved
Reserved5 reserved
TCoreResult
TCoreResult
Syntax
1 typedef struct TCoreResult {
2 DWORD FilesCount;
3 DWORD VirCount;
4 DWORD InfectionType;
5 DWORD ActionRes;
6 DWORD IsContainer;
7 } *PCoreResult;
Members
0x00000001 Cure
0x00000002 Remove
0x00000001 Cured
0x00000002 Removed
0x00000000 No
0x00000001 Yes
TCoreRScan_Interface
TCoreRScan_Interface
Contains information about the registry key to be scanned.
Syntax
1 typedef struct TCoreRScan_Interface {
2 LPCSTR RegKey;
3 } *PCoreRScan_Interface;
Members
RegKey Pointer to the registry key, that will scanned.
TCoreUnpackMode
TCoreUnpackMode
The structure sets the parameters of TCoreUnpackMode antivirus kernel with archives,
installers, mail databases and other containers which may contain other full-file objects (files)
Syntax
1 typedef struct TCoreUnpackMode {
2 DWORD MaxArchSize;
3 DWORD MaxArchDepth;
4 UINT64 ArchMode;
5 UINT64 InstMode;
6 UINT64 ContMode;
7 UINT64 Reserved1;
8 UINT64 Reserved2;
9 UINT64 Reserved3;
10 UINT64 Reserved4;
11 UINT Flags;
12 } *PCoreUnpackMode;
Members
MaxArchSize The maximum size of the container being unpacked. If 0, no limits.
MaxArchDepth The maximum depth of container extraction. If 0, no limits.
ArchMode Mode of unpacking archives. Formats that are necessary to unpack the bitmask. To
extract all the formats, you must specify a value of -1 Bitmap Type of archive/container
Constant/Default value Description
0x0000000000000001 ZIP
0x0000000000000002 RAR
0x0000000000000004 7Zip
0x0000000000000008 ACE
0x0000000000000010 ARJ
0x0000000000000020 MS CAB
0x0000000000000040 IS CAB
0x0000000000000200 RPM
0x0000000000000400 DEB
0x0000000000000800 LZH
0x0000000000001000 TAR
0x0000000000002000 CPIO
0x0000000000004000 ISO
InstMode Mode of unpackers installers. Formats that are necessary to unpack the bitmask. To
extract all the formats, you must specify a value of -1
Constant/Default value Description
0x0000000000000001 NullSoft NSIS
ContMode Mode of use of different containers unpackers (MSI, CHM files, mail databases and
other types of containers). Formats that are necessary to unpack the bitmask. To extract all the
formats, you must specify a value of -1
Constant/Default value Description
0x0000000000000001 MSI
0x0000000000000002 CHM
0x0000000000000004 MultiEXE
Reserved1 reserved
Reserved2 reserved
Reserved3 reserved
Reserved4 reserved
Flags Additional flags bitmask:
Constant/value Description
There are several modes of loading during core initialization. The kind of boot modes of
databases is determined by the core initialization options.
1. Download of the complete set of bases. In this mode, the scan engine loads all the bases.
2. Download of the subsets of the database. In this mode, the scan engine loads only part of the
whole set of databases.
Shortened base - is the records added to the database in the last year (as well as a few
thousand records, and especially complex mechanisms of detection of complex viruses, worms,
rootkits), plus all of the records that are over three years of the product at least once worked on
the computer of any user of Zillya! antivirus. The information on which viruses were detected,
collected anonymously from users' computers when the user has given his permission to install.