文件监测，哪些文件被进程读取？

besfanfei 2011-03-06 12:04:06

请问怎么能实现监测指定文件目录下，哪些文件被程序读取了？

...全文

185 7 打赏收藏转发到动态举报

写回复

用AI写文章

7 条回复

切换为时间正序

请发表友善的回复…

发表回复

野男孩 2011-03-09

打赏
举报

嗯，都总结完了，只能帮顶啦！

chzhn 2011-03-08

打赏
举报





NtCreateFileProc   g_OldNtCreateFile = 0; 



NTSTATUS __stdcall NewNtCreateFile(

								   OUT PHANDLE FileHandle,

								   IN ACCESS_MASK DesiredAccess,

								   IN POBJECT_ATTRIBUTES ObjectAttributes,

								   OUT PIO_STATUS_BLOCK IoStatusBlock,

								   IN PLARGE_INTEGER AllocationSize OPTIONAL,

								   IN ULONG FileAttributes,

								   IN ULONG ShareAccess,

								   IN ULONG CreateDisposition,

								   IN ULONG CreateOptions,

								   IN PVOID EaBuffer OPTIONAL,

								   IN ULONG EaLength

								   )

{

	PEPROCESS eprocess = IoGetCurrentProcess();

	

	DbgPrint("当前的进程是【%s】，操作的文件是【%wZ】。\n",(ULONG)eprocess+0x174,ObjectAttributes->ObjectName);



	return g_OldNtCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);

}



NTSTATUS HookSSDTFunction(int nSerialNumber,PVOID newFunction,PULONG saveAddress)

{

	int uAttr;

	__asm

	{

		//关闭中断

		push eax;

		mov eax, cr0;

		mov uAttr, eax;

		and eax, 0FFFEFFFFh; // CR0 16 BIT = 0

		mov cr0, eax;

		pop eax;

		cli



		//根据序号获取存放函数的地址，放在eax中

		mov eax,nSerialNumber;

		add eax,eax;

		add eax,eax;

		mov ecx,[KeServiceDescriptorTable];

		mov ecx,[ecx]

		add eax,ecx

		

		//保存原来函数的地址

		push esi

		mov ecx,[eax]

		mov esi,saveAddress

		mov [esi],ecx

		pop esi

		//改写函数的地址为新函数地址

		mov ecx,newFunction;

		mov [eax],ecx;



		//开启中断

		sti

		push eax;

		mov eax, uAttr; //恢原有 CR0 性

		mov cr0, eax;

		pop eax;

	}

	return STATUS_SUCCESS;

}



NTSTATUS HookNtCreateFile()

{

	return HookSSDTFunction(0x25,(PVOID)NewNtCreateFile,(PULONG)&g_OldNtCreateFile);

}