Registry monitoring, including kernel-mode registry accesses?


Problem description

I remember for my final year university project I wrote a C# registry monitor; however, when I compared it with the Microsoft ProcessMonitor application (I can't remember its exact name, but it was from a company bought by MSoft), I wasn't capturing as many registry calls.

Was this because I was using a C# wrapper and, as such, it would only have been catching user-mode registry accesses?

I used this wrapper: http://www.codeproject.com/KB/DLL/EasyHook64.aspx

To catch the kernel-mode registry accesses, would I have to write in C++?

Recommended answer

Process Monitor is either using a kernel driver or ETW (see below) to capture registry events. I do know that Process Monitor uses ETW for some of its data (like networking information).

An API hooking or detouring mechanism like EasyHook typically operates at the Win32 API level (e.g. RegSetValue or RegCreateKeyEx in ADVAPI32.dll). Because of this, it has the limitation you mention: only user-mode registry accesses are captured. Additionally, API hooking is usually done on a per-process basis, so you have to inject yourself into each process that you want to collect data on. You would also have to monitor for process creation if you wanted to really capture all accesses across the system.

Event Tracing for Windows (ETW) would be an easy way (relatively speaking) to capture all registry accesses. The basic idea behind ETW is that OS, runtime, library, and even everyday application developers can add specific instrumentation to their code to log data about interesting events and scenarios. This tracing is low overhead and can be easily collected. ETW has been around for a while, but it has really gained traction throughout the kernel starting with Vista. Almost all major kernel subsystems are now instrumented with ETW. It is also now the basis for the Windows Event Log.

ETW has its fair share of baggage and lacks substantial documentation in some areas, but if you are interested, you can check out the following:

  • ETW MSDN documentation
  • ETW and Event Log
  • Xperf (part of the Windows Performance Toolkit), used for collecting and analyzing traces
  • logman.exe and tracerpt.exe for collecting and analyzing traces
  • TraceEvent, a .NET library for collecting and analyzing ETW events
  • Using an NT Kernel Logger from native code

To catch the kernel mode registry accesses would I have to write in C++?

No, using the TraceEvent library mentioned above, you could use C# to capture and analyze kernel- and user-mode registry accesses across the system.
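As an added example that is not part of the original answer, here is a small C# console program doing what the answer describes: it uses the TraceEvent library (the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package) to enable the kernel's registry ETW provider and print registry create/open/set/delete events from every process on the system, including kernel-mode callers. It assumes the package is referenced and that the process runs elevated; the class and method names are my own.

```csharp
using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

// Added example (not from the original answer): a minimal monitor that subscribes to the
// kernel's registry ETW events through TraceEvent, so it sees accesses made by every
// process and by kernel-mode code, not just the one process an API hook is injected into.
class RegistryEtwMonitor
{
    static void Main()
    {
        // The kernel provider can only be enabled from an elevated process.
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Run this from an elevated (administrator) prompt.");
            return;
        }

        // Windows 7 only allows the kernel provider in the "NT Kernel Logger" session;
        // newer versions accept any session name, so the fixed name works on both.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Stop the session on Ctrl+C so the kernel logger is not left running after exit.
            Console.CancelKeyPress += (sender, e) => { e.Cancel = true; session.Stop(); };

            // Enable only the Registry keyword to keep the event volume manageable.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Registry);

            KernelTraceEventParser kernel = session.Source.Kernel;
            kernel.RegistryCreate      += ev => Report("CreateKey", ev);
            kernel.RegistryOpen        += ev => Report("OpenKey", ev);
            kernel.RegistrySetValue    += ev => Report("SetValue", ev);
            kernel.RegistryDeleteValue += ev => Report("DeleteValue", ev);
            kernel.RegistryDelete      += ev => Report("DeleteKey", ev);

            session.Source.Process(); // blocks and dispatches events until session.Stop()
        }
    }

    static void Report(string operation, RegistryTraceData ev)
    {
        // KeyName is what the kernel logged for this event; for some events it is relative to an
        // already-open key rather than a full path (the KCB events would be needed to resolve it).
        Console.WriteLine($"{ev.TimeStamp:HH:mm:ss.fff} pid={ev.ProcessID,-6} {ev.ProcessName,-18} " +
                          $"{operation,-11} {ev.KeyName}\\{ev.ValueName} status=0x{ev.Status:X}");
    }
}
```

For a detection use, filter in Report instead of printing everything, e.g. keep only SetValue events whose key name ends in a Run or RunOnce key, which is where persistence writes show up.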
