2,640
社区成员
发帖
与我相关
我的任务
分享为什么我的仿FileMon程序不能像FileMon一样拦截文件创建\写入\删除等信息啊
我自己写了一个简单的程序调用FileMon的SYS文件来实现监视特定文件夹的读写操作.可是为什么不能监视到文件的读写操作呢?
我的全部代码如下:
// FileMon.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h> // includes basic windows functionality
#include <windowsx.h>
#include <tchar.h>
#include <commctrl.h> // includes the common control header
#include <stdio.h>
#include <string.h>
#include <winioctl.h>
#include "Ioctlcmd.h"
#include "FileMon.h"
static HANDLE SysHandle = INVALID_HANDLE_VALUE;
// Drive name strings
TCHAR DrvNames[][32] = {
_T("UNKNOWN"),
_T("FIXED"),
_T("REMOTE"),
_T("RAM"),
_T("CD"),
_T("REMOVEABLE"),
};
// drives that are hooked
DWORD CurDriveSet;
// The variable that holds the position settings
//POSITION_SETTINGS PositionInfo;
// Buffer into which driver can copy statistics
char Stats[ LOGBUFSIZE ];
// Current fraction of buffer filled
DWORD StatsLen;
// Search string
TCHAR FindString[256];
//FINDREPLACE FindTextInfo;
//DWORD FindFlags = FR_DOWN;
BOOLEAN PrevMatch;
TCHAR PrevMatchString[256];
// Application instance handle
HINSTANCE hInst;
// Are we running on NT or 9x?
BOOLEAN IsNT;
// Filter strings
TCHAR FilterString[MAXFILTERLEN];
TCHAR ExcludeString[MAXFILTERLEN];
TCHAR HighlightString[MAXFILTERLEN];
// Recent filters
char RecentInFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentExFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentHiFilters[NUMRECENTFILTERS][MAXFILTERLEN];
// Filter-related
FILTER FilterDefinition;
// For info saving
TCHAR szFileName[MAX_PATH];
BOOLEAN FileChosen = FALSE;
DWORD Error;
// General buffer for storing temporary strings
static TCHAR msgbuf[MAX_PATH];
// General cursor manipulation
HCURSOR hSaveCursor;
HCURSOR hHourGlass;
// performance counter frequency
LARGE_INTEGER PerfFrequency;
DWORD AbortDriver()
{
if( IsNT ) UnloadDeviceDriver( SYS_NAME );
return (DWORD) -1;
}
int Split( char * line, char delimiter, char * items[] )
{
int cnt = 0;
for (;;) {
items[cnt++] = line;
line = strchr( line, delimiter );
if ( line == NULL )
return cnt;
*line++ = '\0';
}
}
DWORD CopyDriverFile()
{
TCHAR Path[ MAX_PATH ];
TCHAR systemRoot[ MAX_PATH ];
static TCHAR szBuf[MAX_PATH];
TCHAR name[ MAX_PATH ];
TCHAR *File;
WIN32_FIND_DATA findData;
HANDLE findHandle;
FILE_SYSTEM_TYPE fsType;
TCHAR driverPath[ MAX_PATH ];
GetCurrentDirectory( sizeof Path, Path );
findHandle = FindFirstFile( Path, &findData );
if( findHandle == INVALID_HANDLE_VALUE )
{
if( !SearchPath( NULL, SYS_FILE, NULL, sizeof(Path), Path, &File ) )
{
return AbortDriver();
}
} else FindClose( findHandle );
if( !GetEnvironmentVariable( _T("SYSTEMROOT"), systemRoot, sizeof(systemRoot)))
{
return AbortDriver();
}
wsprintf(driverPath,_T("%s\\system32\\drivers\\%s"),systemRoot,SYS_FILE );
if( !CopyFile(Path, driverPath, FALSE ))
{
return AbortDriver();
}
SetFileAttributes( driverPath, FILE_ATTRIBUTE_NORMAL );
}
void InitDriver()
{
//动态加载驱动程序
if(!LoadDeviceDriver(_T("FILEMON"),_T("E:\\Windows\\System32\\Drivers\\FileM.SYS"),&SysHandle,&Error))
{
AbortDriver();
}
unsigned long nb;
DWORD versionNumber;
if( !DeviceIoControl(SysHandle, IOCTL_FILEMON_VERSION,NULL, 0, &versionNumber, sizeof(DWORD), &nb, NULL) )
{
AbortDriver();
}
//初始化驱动
DeviceIoControl( SysHandle, IOCTL_FILEMON_ZEROSTATS,
NULL, 0, NULL, 0, &nb, NULL );
//定义过滤用Filter
FilterDefinition.excludefilter[0] = 0;
FilterDefinition.includefilter[0] = 0;
strcpy(FilterDefinition.excludefilter , " ");
strcpy(FilterDefinition.includefilter , "*");
FilterDefinition.logreads=true;
FilterDefinition.logwrites=true;
//设置过滤条件到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETFILTER,
&FilterDefinition, sizeof(FILTER), NULL,
0, &nb, NULL );
//获取当前所有驱动器ID
CurDriveSet = GetLogicalDrives();
CurDriveSet = 124;
//设置驱动器ID到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETDRIVES,
&CurDriveSet, sizeof CurDriveSet,
&CurDriveSet, sizeof CurDriveSet,
&nb, NULL );
//开始过滤
DeviceIoControl( SysHandle, IOCTL_FILEMON_STARTFILTER,
NULL, 0, NULL, 0, &nb, NULL );
}
BOOL ListAppend(char * line )
{
char *items[NUMCOLUMNS];
int itemcnt = 0;
//printf("%s\n",line);
itemcnt = Split( line, '\t', items );
if ( itemcnt == 0 )
return FALSE;
if(strcmp(items[0],"")==0)
return FALSE;
printf("%s>%s>%s>%s\n",items[0],items[1],items[2],items[3]);
return TRUE;
}
void ScanFileOperation()
{
for(;;){
// DWORD startTime = GetTickCount();
for(;;)
{
DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS,
NULL, 0, &Stats, sizeof Stats,
&StatsLen, NULL ) ;
if ( StatsLen == 0 )
break;
if ( StatsLen != 0 ){
PENTRY ptr;
ptr =(ENTRY *) Stats;
ListAppend(ptr->text );
}
//if( GetTickCount() - startTime > 1000 ) break;
}
}
}
int _tmain(int argc, _TCHAR* argv[])
{
CopyDriverFile();
InitDriver();
ScanFileOperation();
return 0;
}
我的全部代码如下:
// FileMon.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h> // includes basic windows functionality
#include <windowsx.h>
#include <tchar.h>
#include <commctrl.h> // includes the common control header
#include <stdio.h>
#include <string.h>
#include <winioctl.h>
#include "Ioctlcmd.h"
#include "FileMon.h"
static HANDLE SysHandle = INVALID_HANDLE_VALUE;
// Drive name strings
TCHAR DrvNames[][32] = {
_T("UNKNOWN"),
_T("FIXED"),
_T("REMOTE"),
_T("RAM"),
_T("CD"),
_T("REMOVEABLE"),
};
// drives that are hooked
DWORD CurDriveSet;
// The variable that holds the position settings
//POSITION_SETTINGS PositionInfo;
// Buffer into which driver can copy statistics
char Stats[ LOGBUFSIZE ];
// Current fraction of buffer filled
DWORD StatsLen;
// Search string
TCHAR FindString[256];
//FINDREPLACE FindTextInfo;
//DWORD FindFlags = FR_DOWN;
BOOLEAN PrevMatch;
TCHAR PrevMatchString[256];
// Application instance handle
HINSTANCE hInst;
// Are we running on NT or 9x?
BOOLEAN IsNT;
// Filter strings
TCHAR FilterString[MAXFILTERLEN];
TCHAR ExcludeString[MAXFILTERLEN];
TCHAR HighlightString[MAXFILTERLEN];
// Recent filters
char RecentInFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentExFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentHiFilters[NUMRECENTFILTERS][MAXFILTERLEN];
// Filter-related
FILTER FilterDefinition;
// For info saving
TCHAR szFileName[MAX_PATH];
BOOLEAN FileChosen = FALSE;
DWORD Error;
// General buffer for storing temporary strings
static TCHAR msgbuf[MAX_PATH];
// General cursor manipulation
HCURSOR hSaveCursor;
HCURSOR hHourGlass;
// performance counter frequency
LARGE_INTEGER PerfFrequency;
DWORD AbortDriver()
{
if( IsNT ) UnloadDeviceDriver( SYS_NAME );
return (DWORD) -1;
}
int Split( char * line, char delimiter, char * items[] )
{
int cnt = 0;
for (;;) {
items[cnt++] = line;
line = strchr( line, delimiter );
if ( line == NULL )
return cnt;
*line++ = '\0';
}
}
DWORD CopyDriverFile()
{
TCHAR Path[ MAX_PATH ];
TCHAR systemRoot[ MAX_PATH ];
static TCHAR szBuf[MAX_PATH];
TCHAR name[ MAX_PATH ];
TCHAR *File;
WIN32_FIND_DATA findData;
HANDLE findHandle;
FILE_SYSTEM_TYPE fsType;
TCHAR driverPath[ MAX_PATH ];
GetCurrentDirectory( sizeof Path, Path );
findHandle = FindFirstFile( Path, &findData );
if( findHandle == INVALID_HANDLE_VALUE )
{
if( !SearchPath( NULL, SYS_FILE, NULL, sizeof(Path), Path, &File ) )
{
return AbortDriver();
}
} else FindClose( findHandle );
if( !GetEnvironmentVariable( _T("SYSTEMROOT"), systemRoot, sizeof(systemRoot)))
{
return AbortDriver();
}
wsprintf(driverPath,_T("%s\\system32\\drivers\\%s"),systemRoot,SYS_FILE );
if( !CopyFile(Path, driverPath, FALSE ))
{
return AbortDriver();
}
SetFileAttributes( driverPath, FILE_ATTRIBUTE_NORMAL );
}
void InitDriver()
{
//动态加载驱动程序
if(!LoadDeviceDriver(_T("FILEMON"),_T("E:\\Windows\\System32\\Drivers\\FileM.SYS"),&SysHandle,&Error))
{
AbortDriver();
}
unsigned long nb;
DWORD versionNumber;
if( !DeviceIoControl(SysHandle, IOCTL_FILEMON_VERSION,NULL, 0, &versionNumber, sizeof(DWORD), &nb, NULL) )
{
AbortDriver();
}
//初始化驱动
DeviceIoControl( SysHandle, IOCTL_FILEMON_ZEROSTATS,
NULL, 0, NULL, 0, &nb, NULL );
//定义过滤用Filter
FilterDefinition.excludefilter[0] = 0;
FilterDefinition.includefilter[0] = 0;
strcpy(FilterDefinition.excludefilter , " ");
strcpy(FilterDefinition.includefilter , "*");
FilterDefinition.logreads=true;
FilterDefinition.logwrites=true;
//设置过滤条件到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETFILTER,
&FilterDefinition, sizeof(FILTER), NULL,
0, &nb, NULL );
//获取当前所有驱动器ID
CurDriveSet = GetLogicalDrives();
CurDriveSet = 124;
//设置驱动器ID到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETDRIVES,
&CurDriveSet, sizeof CurDriveSet,
&CurDriveSet, sizeof CurDriveSet,
&nb, NULL );
//开始过滤
DeviceIoControl( SysHandle, IOCTL_FILEMON_STARTFILTER,
NULL, 0, NULL, 0, &nb, NULL );
}
BOOL ListAppend(char * line )
{
char *items[NUMCOLUMNS];
int itemcnt = 0;
//printf("%s\n",line);
itemcnt = Split( line, '\t', items );
if ( itemcnt == 0 )
return FALSE;
if(strcmp(items[0],"")==0)
return FALSE;
printf("%s>%s>%s>%s\n",items[0],items[1],items[2],items[3]);
return TRUE;
}
void ScanFileOperation()
{
for(;;){
// DWORD startTime = GetTickCount();
for(;;)
{
DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS,
NULL, 0, &Stats, sizeof Stats,
&StatsLen, NULL ) ;
if ( StatsLen == 0 )
break;
if ( StatsLen != 0 ){
PENTRY ptr;
ptr =(ENTRY *) Stats;
ListAppend(ptr->text );
}
//if( GetTickCount() - startTime > 1000 ) break;
}
}
}
int _tmain(int argc, _TCHAR* argv[])
{
CopyDriverFile();
InitDriver();
ScanFileOperation();
return 0;
}
...全文
请发表友善的回复…
发表回复
meiZiNick 2008-05-01
- 打赏
- 举报
等待牛人来答.
scq2099yt 2008-03-13
- 打赏
- 举报
ding
ASCRIBE 2008-03-04
- 打赏
- 举报
我想知道问题最后解决没???
fox1999 2007-08-01
- 打赏
- 举报
sfilter 是什麼?在哪裡有下?
会思考的草 2007-05-23
- 打赏
- 举报
研究文件加密解密的直接看sfilter。
jxnf2k 2007-05-22
- 打赏
- 举报
我的邮箱:zhangbo7364@yahoo.com.cn
jxnf2k 2007-05-22
- 打赏
- 举报
能把filemon发给我一份吗?
谢谢,我正在研究文件加解密
谢谢,我正在研究文件加解密
会思考的草 2007-05-22
- 打赏
- 举报
没有挂上volume object吧。
ktcserver 2007-05-21
- 打赏
- 举报
up
ktcserver 2007-05-21
- 打赏
- 举报
调试能通过,也能显示出拦截信息来,但是没有IRPWRITE一类的信息,估计是过滤器出了点问题
rageliu 2007-05-21
- 打赏
- 举报
没看代码
估计是没挂接上volume,调试看看
估计是没挂接上volume,调试看看
AthlonxpX86 2007-05-16
- 打赏
- 举报
up
