Hook a process and get files it's created\deleted\renamed

Views: 103

Problem description

I have created a C# program which gets newly loaded processes

startWatch.EventArrived += new EventArrivedEventHandler(startWatch_EventArrived);

and does stuff when the event handler fires.

Afterwards I'm using:

foreach (var runningProcess in Process.GetProcessesByName(ShortProcessName))

to get runningProcess.MainModule data for the current process, and after that

foreach (System.Diagnostics.ProcessModule module in MYPROCESS.Modules)

to get the list of child processes and modules.

My next wish is to get an output of the files which were created \ deleted \ renamed \ changed \ whatever by the process I caught.

What I have tried:

I have tried digging through the 'Process' structure and modules but didn't find anything for that. I also tried using filewatcher, but that also cannot get you the parent process responsible for file changes. I guess this cannot be done using a high-level language such as C#, but only a lower one.

Unfortunately I'm not familiar with lower ones. In the end I want a service \ watcher to hook a process in real time and create an output (file) of which files it has been messing with.

Recommended answers

If I understand the question correctly you could utilize the idea from Listing Used Files

Another option could be to use a utility like handle.exe. See https://technet.microsoft.com/en-us/sysinternals/handle.aspx


I do not think you can tell why a process opened a file, but you can tell the files the process currently holds open...

First of all you have to dig into the old WIN32 API

NtQuerySystemInformation

This function is not much documented and the help page will not contain the SystemHandleInformation enumerated value (16) for the first parameter, but you still will have to use it...

You will have to call it twice, once with the last parameter as the return value for the needed buffer size, and a second time with NULL at the last parameter to actually retrieve the values...

The result of this function is a list of all handles (of all types) for all processes... You have to enumerate them and check the type and the process that owns the handle...

Using NtQueryObject in a loop (using ObjectNameInformation as the second parameter) will provide you with the device-based name of the file the handle holds...

To find the user-friendly name you have to use the QueryDosDevice function - it will map the device to a letter...

Two things:

1. You have to duplicate the handle into your process before using it. Do it using OpenProcess with PROCESS_DUP_HANDLE, and DuplicateHandle after that.

2. NtQueryObject will hang if the handle points to a named pipe (bug), so you should first try to run it in a new thread to check it, and only if the thread does not hang go on and use it in the main thread...

---

And...

There are some ready-made solutions out there, with source code:

HOWTO: Enumerate handles - Sysinternals Forums

Examine Information on Windows NT System Level Primitives
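The answer's steps put together as an added example in the asker's language, C# with P/Invoke; this is my own code, not the answer's or CodeProject's: the call-twice loop on NtQuerySystemInformation(16), DuplicateHandle via a PROCESS_DUP_HANDLE process handle, and NtQueryObject run on a worker thread with a timeout so a pipe handle cannot hang the caller. HandleLister, OpenFilesOf, QueryNameWithTimeout, the buffer sizes and the 250 ms timeout are assumptions of mine; it only runs on Windows (normally elevated, to duplicate other processes' handles), and the QueryDosDevice step is left to the caller on the returned \Device\... names.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Threading;
static class HandleLister   // assumed name; all helpers below are this example's own
{
    const int SystemHandleInformation = 16, ObjectNameInformation = 1;   // class values named in the answer
    const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004, PROCESS_DUP_HANDLE = 0x40, DUPLICATE_SAME_ACCESS = 0x2;
    [DllImport("ntdll.dll")] static extern uint NtQuerySystemInformation(int cls, IntPtr buf, int len, out int needed);
    [DllImport("ntdll.dll")] static extern uint NtQueryObject(IntPtr h, int cls, IntPtr buf, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool DuplicateHandle(IntPtr srcProc, IntPtr src,
        IntPtr dstProc, out IntPtr dst, uint access, bool inherit, uint options);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    // SYSTEM_HANDLE_TABLE_ENTRY_INFO as returned by class 16. The PID field is only 16 bits wide here.
    [StructLayout(LayoutKind.Sequential)] struct HandleEntry
    { public ushort Pid, BackTrace; public byte TypeIndex, Attributes; public ushort Handle; public IntPtr Object; public uint Access; }
    // Returns the \Device\... names of the objects the target process currently holds open.
    public static List<string> OpenFilesOf(int pid)
    {
        // Step 1: size-probe loop. Grow the buffer until STATUS_INFO_LENGTH_MISMATCH is no longer returned.
        int len = 1 << 16; IntPtr buf = Marshal.AllocHGlobal(len);
        while (NtQuerySystemInformation(SystemHandleInformation, buf, len, out int needed) == STATUS_INFO_LENGTH_MISMATCH)
        { Marshal.FreeHGlobal(buf); len = Math.Max(needed, len * 2); buf = Marshal.AllocHGlobal(len); }
        int count = Marshal.ReadInt32(buf), size = Marshal.SizeOf<HandleEntry>(); var names = new List<string>();
        IntPtr proc = OpenProcess(PROCESS_DUP_HANDLE, false, pid);   // Step 2: the right needed for DuplicateHandle
        for (int i = 0; i < count && proc != IntPtr.Zero; i++)
        {   // Entries follow the ULONG count, aligned to pointer size (offset 4 on x86, 8 on x64).
            var e = Marshal.PtrToStructure<HandleEntry>(buf + IntPtr.Size + i * size);
            if (e.Pid != pid) continue;
            if (!DuplicateHandle(proc, (IntPtr)e.Handle, GetCurrentProcess(), out IntPtr dup, 0, false, DUPLICATE_SAME_ACCESS)) continue;
            string name = QueryNameWithTimeout(dup); CloseHandle(dup);   // Step 3: NtQueryObject, hang-guarded
            if (name != null && name.StartsWith(@"\Device\")) names.Add(name);   // Step 4 (QueryDosDevice) maps these to drive letters
        }
        CloseHandle(proc); Marshal.FreeHGlobal(buf); return names;
    }
    // The answer's second caveat: NtQueryObject can block on pipe handles, so query on a worker thread and give up on timeout.
    static string QueryNameWithTimeout(IntPtr h)
    {
        string name = null; var t = new Thread(() =>
        {
            IntPtr nb = Marshal.AllocHGlobal(0x1000);   // OBJECT_NAME_INFORMATION starts with a UNICODE_STRING
            // UNICODE_STRING: Length in bytes at offset 0, Buffer pointer after Length/MaximumLength plus padding
            if (NtQueryObject(h, ObjectNameInformation, nb, 0x1000, out _) == 0 && Marshal.ReadInt16(nb) > 0)
                name = Marshal.PtrToStringUni(Marshal.ReadIntPtr(nb, IntPtr.Size), Marshal.ReadInt16(nb) / 2);
            Marshal.FreeHGlobal(nb);
        }) { IsBackground = true };
        t.Start(); return t.Join(250) ? name : null;   // timed out: treat as unnamed (probably a pipe) and abandon the thread
    }
}
```

Handles whose duplication fails (access denied) are skipped silently, and the 16-bit PID field means processes with IDs above 65535 will not be matched by this information class.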

