minifilter vs. API Hooking for file system operations monitoring \ filtering


Question

I need to develop an application that monitors, and potentially filters (rejects the calls), file operations.

It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks.

Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.)

Are there any other options?

Answer

API hooking (at least in kernel space) is essentially not supported by Microsoft. On x64 (starting from Vista and up) PatchGuard will usually kill the machine if it detects SSDT hooking or any change whatsoever in critical components of the system. API hooking is very hard to get right on a system-wide level because the synchronization primitives that Windows uses are not exported, so even if you manage to hook the code there is no guarantee that the machine won't crash due to a funky value of EIP at a given moment (this is especially valid when you are unloading a driver that has hooked a function).

Probably your best bet to do it without using a minifilter driver is to try direct in-memory kernel object hooking. You might want to look at the OBJECT_TYPE_INITIALIZER structure definition, which every object Windows has (FILE, EVENT, PORT, etc. - google around to see them) has as its member. You are particularly interested in the *Procedure function pointers.
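For comparison with the hooking approach above, here is what the "standard" minifilter solution from the question looks like in practice. This is an added example, not code from the original question or answer: a minimal file-system minifilter that rejects opens that could modify or delete anything under a protected directory, and lets everything else pass untouched. The policy decision is kept in a plain C function so it can be compiled and unit-tested in user mode; the Filter Manager glue is only compiled when the file is built as a kernel driver with the WDK (the `/kernel` compiler switch defines `_KERNEL_MODE`). The protected path `\Protected\` and the decision to fail open when no name is available are assumptions for illustration.

```c
/* Added example (not the original poster's or answerer's code): a minifilter that
 * denies write/delete opens below a protected directory. The policy lives in
 * ShouldDenyCreate() and is testable in user mode; the FltMgr glue is
 * compiled only when building as a kernel driver (/kernel defines _KERNEL_MODE). */
#include <wchar.h>
#include <wctype.h>

/* Assumed policy: deny modifying opens below this volume-relative path. */
static const wchar_t PROTECTED_DIR[] = L"\\Protected\\";
#define PROTECTED_DIR_LEN (sizeof(PROTECTED_DIR) / sizeof(wchar_t) - 1)

/* DesiredAccess bits that can change or remove a file (values from ntifs.h/winnt.h). */
#define POLICY_WRITE_MASK (0x00000002u /* FILE_WRITE_DATA       */ | \
                           0x00000004u /* FILE_APPEND_DATA      */ | \
                           0x00000010u /* FILE_WRITE_EA         */ | \
                           0x00000100u /* FILE_WRITE_ATTRIBUTES */ | \
                           0x00010000u /* DELETE                */ | \
                           0x00040000u /* WRITE_DAC             */ | \
                           0x00080000u /* WRITE_OWNER           */ | \
                           0x10000000u /* GENERIC_ALL           */ | \
                           0x40000000u /* GENERIC_WRITE         */)

/* Case-insensitive prefix test on counted (not NUL-terminated) strings, the
 * form a UNICODE_STRING gives us. NTFS paths are case-insensitive by default. */
static int HasPrefixNoCase(const wchar_t *s, size_t sLen, const wchar_t *prefix, size_t pLen)
{
    size_t i;
    if (sLen < pLen) return 0;
    for (i = 0; i < pLen; ++i)
        if (towlower((wint_t)s[i]) != towlower((wint_t)prefix[i])) return 0;
    return 1;
}

/* Returns 1 when an IRP_MJ_CREATE for this volume-relative path with this
 * DesiredAccess must be rejected. Read-only opens and unnamed opens pass. */
int ShouldDenyCreate(const wchar_t *volumeRelativePath, size_t pathChars, unsigned long desiredAccess)
{
    if (volumeRelativePath == NULL) return 0;                 /* assumption: fail open */
    if ((desiredAccess & POLICY_WRITE_MASK) == 0) return 0;   /* cannot modify: allow */
    return HasPrefixNoCase(volumeRelativePath, pathChars, PROTECTED_DIR, PROTECTED_DIR_LEN);
}

#ifdef _KERNEL_MODE
#include <fltKernel.h>

static PFLT_FILTER gFilter;

static FLT_PREOP_CALLBACK_STATUS
PreCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION name = NULL;
    int deny = 0;
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    /* Normalized names expand 8.3 short names and symlinks, so a rename trick
     * like \PROTEC~1\ still matches. If no name can be obtained, fail open. */
    if (!NT_SUCCESS(FltGetFileNameInformation(Data,
            FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &name)))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;

    if (NT_SUCCESS(FltParseFileNameInformation(name))) {
        /* Name is \Device\HarddiskVolumeN\...; skip the Volume part. */
        size_t skip  = name->Volume.Length / sizeof(WCHAR);
        size_t total = name->Name.Length / sizeof(WCHAR);
        ULONG access = Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess;
        deny = ShouldDenyCreate(name->Name.Buffer + skip, total - skip, access);
    }
    FltReleaseFileNameInformation(name);

    if (!deny) return FLT_PREOP_SUCCESS_NO_CALLBACK;
    /* Complete the request here: the file system below us never sees it. */
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}

static NTSTATUS Unload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    FltUnregisterFilter(gFilter);   /* FltMgr drains in-flight callbacks for us */
    return STATUS_SUCCESS;
}

static const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, PreCreate, NULL },
    { IRP_MJ_OPERATION_END }
};

/* No InstanceSetup callback: FltMgr attaches the filter to every volume. */
static const FLT_REGISTRATION Registration = {
    sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, 0,
    NULL, Callbacks, Unload
};

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    status = FltRegisterFilter(DriverObject, &Registration, &gFilter);
    if (!NT_SUCCESS(status)) return status;
    status = FltStartFiltering(gFilter);      /* callbacks begin after this call */
    if (!NT_SUCCESS(status)) FltUnregisterFilter(gFilter);
    return status;
}
#endif /* _KERNEL_MODE */
```

Two practical caveats. First, the driver only loads if its INF registers a filter altitude under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Instances`; once loaded, `fltmc filters` and `fltmc instances` show where it sits in the stack relative to other filters. Second, this enforces policy only at IRP_MJ_CREATE: a handle opened with write access before the filter attached keeps that access, and writes through an existing section mapping never produce a new create. That is the same design point the answer makes against hooking from the other direction: the Filter Manager gives you a documented, serialized place to intercept, and in exchange you intercept only the operations it models.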
