拦截 FIleSytemCall 以进行删除 [英] Intercept FIleSytemCall for Deletion

问题描述

有没有办法在 windows 执行删除之前检测文件的删除?我找到了 FileSystemWatcher 类，但仅在执行删除操作后才引发事件，但我想在用户/进程选择删除它时捕获删除操作.您可以监视文件系统表，但要寻找更好的方法.感谢您的帮助.

Is there a way to detect deletion of a file before windows performs the deletion? I found FileSystemWatcher class but the event is raised only after the delete action is performed but I want to trap the delete action once the user/process chooses to delete it. You can monitor the file system table but looking for a better approach. Thanks for your help.

推荐答案

我认为最简单的方法是使用钩子来获得通知(并最终停止)进程.它不能在 .NET 中完成，因此您必须 DllImport 大量结构和少量函数来 P/Invoke.

I think the simpliest way is to use a hook to get notified (and eventually to stop) the process. It can't be done in .NET so you have to DllImport a lot of structures and few functions to P/Invoke.

让我们从 NtSetFileInformation(未记录的)函数开始您的工作.当需要删除文件时(使用 FileDispositionInformation 结构)，它是由其他任何东西调用的函数.

Let's start your job with the NtSetFileInformation (undocumented) function. It's the function called by anything else when a file need to be deleted (with the FileDispositionInformation structure).

现在的问题是如何挂钩该函数(祝你好运，这并不容易).一个不错的选择是使用 Microsoft Detours.查看这篇文章的例子.它的问题是它不是免费的.另一种解决方案(价格合理并带有 .NET 界面)是 Deviare 但我从来没有尝试过他们的免费版本，所以我不知道它有多好.如果别人知道一个好的拦截工具...

Now the problem is how to hook that function (good luck, it's not easy). A good choice can be to use Microsoft Detours. Take a look to this article for an example. Its problem is that it's not free. An alternative solution (with a reasonable price and with a .NET interface) is Deviare but I never tried even their free version so I don't know how much it's good. If someone else knows a good interception tool...

这篇关于拦截 FIleSytemCall 以进行删除的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！