I seem to be a bit stuck on exactly how fopen works (this is in a Linux environment - I'm not sure if it's different from Windows in this regard).
I'm using this simple code bit:
Code:
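#include <stdio.h>
int main(void) {
    FILE *fp;
    if ((fp = fopen("./eicar.com", "a+")))  /* "a+": read + append; creates the file if it is missing */
        printf("Success!\n");
    else
        printf("Failed.\n");
}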
Now, when specifying a file owned by root (not accessible for the user running the program), the if statement works, and the result is "Failed." Changing ownership of the file to the running user results in "Success". So, this seems to work as basic as possible on files which are accessible/inaccessible due to ownership.
However, when it comes to file scanners (anti-virus/malware scanners), I cannot get it to work the same way. I'm using an "on-access" scanner which, as far as I know, uses FUSE to access the file system in real time.
When I try to open a malware sample (Eicar, the standard test sample for all anti-malware engines) with e.g. vim or gedit (a Linux notepad look-alike), the scanner stops it and I get "Access denied". However, when running the program with the above C code on the file, it returns "Success". So, for some reason, fopen can open a file which the file system denies access to for other applications.
So, my question is: How does fopen open a file? Is it possible to "emulate" opening a file (for reading, and also for writing) in an application with fopen?
As always, all hints and/or suggestions are greatly appreciated.
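
A stage-by-stage probe for the situation described above, as an added example that is not part of the original post: it separates the open(2) call from the first read(2) and reports errno for each, so it shows at which step file permissions or an on-access scanner refuse access. It assumes POSIX/glibc, where fopen's "a+" corresponds to O_RDWR|O_CREAT|O_APPEND; `probe_file` and `report` are names made up for this example.

```c
/* Added example: probe where access to a file is refused (open vs. read). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* errno per stage: 0 = succeeded, -1 = stage not reached. */
struct probe { int open_errno; int read_errno; long size; long bytes_read; };

/* Open path with the given open(2) flags, then attempt one read.
 * O_CREAT is never passed, so a missing file shows up as ENOENT instead of
 * being silently created, which is what fopen(path, "a+") does. */
struct probe probe_file(const char *path, int flags)
{
    struct probe r = { 0, -1, -1, -1 };
    struct stat st;
    char buf[128];
    ssize_t n;

    int fd = open(path, flags);
    if (fd < 0) { r.open_errno = errno; return r; }
    if (fstat(fd, &st) == 0) r.size = (long)st.st_size;
    n = read(fd, buf, sizeof buf);
    if (n < 0) r.read_errno = errno;
    else { r.read_errno = 0; r.bytes_read = (long)n; }
    close(fd);
    return r;
}

static void report(const char *label, struct probe r)
{
    printf("%-16s open: %s", label, r.open_errno ? strerror(r.open_errno) : "ok");
    if (r.open_errno == 0)
        printf(", size: %ld, read: %s (%ld bytes)", r.size,
               r.read_errno ? strerror(r.read_errno) : "ok", r.bytes_read);
    putchar('\n');
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "./eicar.com"; /* default: path from the post */
    report("O_RDONLY", probe_file(path, O_RDONLY));                 /* like fopen "r" */
    report("O_RDWR|O_APPEND", probe_file(path, O_RDWR | O_APPEND)); /* fopen "a+" minus O_CREAT */
    return 0;
}
```

A reported size of 0 for a file that was expected to hold the sample means the path resolved to an empty file, such as one an earlier "a+" open created in the current directory.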