Windows: How to intercept Win32 disk I/O API


Problem description

On Windows, all disk I/O ultimately happens via Win32 API calls like CreateFile, SetFilePointer, etc.

Now, is it possible to intercept these disk I/O Win32 calls and hook in your own code, at run time, for all dynamically-linked Windows applications? That is, applications that get their CreateFile functionality via a Windows DLL instead of a static, C library.

I have some constraints:

  1. No source code: I won't have the source code for the processes I'd like to intercept.

  2. Thread safety: My hook code may dynamically allocate its own memory. Further, because this memory is going to be shared with multiple intercepted processes (and their threads), I'd like to be able to serialize access to it.

  3. Conditional delegation and overriding: In my hook code, I would like to be able to decide whether to delegate to the original Win32 API functionality, or to use my own functionality, or both. (Much like the optional invocation of the super class method in the overriding method of the subclass in C++ or Java.)

  4. Regular user-space code: I want to be able to accomplish the above without having to write any device-driver, mainly due to the complexity involved in writing one.

If this is possible, I'd appreciate some pointers. Source code is not necessary, but is always welcome!

Recommended answer

You may want to look into mhook if Detours isn't what you want.

Here are a couple of problems you may run into while working with hooks:

  • ASLR can prevent injected code from intercepting the intended calls.
  • If your hooks are global (using AppInit_DLLs for example), only Kernel32.dll and User32.dll are available when your DLL is loaded. If you want to target functions outside of those modules, you'll need to manually make sure they're available.
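
Because AppInit_DLLs loads a DLL into every process that loads User32.dll, it is worth knowing what a machine already has configured there. The following read-only audit is an added example, not part of the original answer; the function names Get-AppInitConfig and Get-AppInitDllStatus are hypothetical, and the script only reads the AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs registry values.

```powershell
# Added example (read-only): report the AppInit_DLLs configuration.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Get-AppInitConfig {
    param([string[]]$KeyPath = $AppInitKeys)
    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-ItemProperty -LiteralPath $path
        # The value is a space- or comma-delimited list of DLL names or paths.
        $dlls = @("$($key.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        [pscustomobject]@{
            Key           = $path
            Enabled       = ($key.LoadAppInit_DLLs -eq 1)
            RequireSigned = ($key.RequireSignedAppInit_DLLs -eq 1)
            Dlls          = $dlls
        }
    }
}

function Get-AppInitDllStatus {
    param([Parameter(Mandatory)][string]$Path)
    $status = 'NotChecked'   # bare names are resolved by the loader, not here
    if ([IO.Path]::IsPathRooted($Path)) {
        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            $status = (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
        } else {
            $status = 'Missing'
        }
    }
    [pscustomobject]@{ Dll = $Path; Signature = $status }
}

foreach ($cfg in Get-AppInitConfig) {
    '{0}: enabled={1} requireSigned={2} entries={3}' -f `
        $cfg.Key, $cfg.Enabled, $cfg.RequireSigned, $cfg.Dlls.Count
    $cfg.Dlls | ForEach-Object { Get-AppInitDllStatus -Path $_ } | Format-Table -AutoSize
}
```

An entry that is enabled while RequireSigned is false, or whose signature status is anything other than Valid, is the case to investigate first.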
