|
阅读:2931回复:3
ZwSetInformationFile删除文件的FileInformationClass值
我想监视文件的删除操作,Hook了ZwSetInformationFile,却发现,使用Shift+Delete删除文件的时候FileInformationClass值是FileDispositionInformation,但是使用Delete删除的时候,得不到FileInformationClass的值,程序如下:
status = ObReferenceObjectByHandle(FileHandle, 0, 0, KernelMode, &FileObject, NULL); if (NT_SUCCESS(status)) { //盘符 status = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uniDiskName); if (!NT_SUCCESS(status)) { DbgPrint("Error.\n"); return 原ZwSetInformationFile; } else { //文件名 RtlUnicodeStringToAnsiString(&ansiDiskName, &uniDiskName, TRUE); RtlUnicodeStringToAnsiString(&ansiFileName, &pFileObject->FileName, TRUE); sprintf(chCurFolder, "%s%s", ansiDiskName.Buffer, ansiFileName.Buffer); DbgPrint("[%s]\n", chCurFolder); RtlFreeAnsiString(&ansiDiskName); RtlFreeAnsiString(&ansiFileName); } switch(FileInformationClass) { case FileRenameInformation: DbgPrint("FileRenameInformation\n"); break; case FileBasicInformation: DbgPrint("FileBasicInformation\n"); break; case FileDispositionInformation: DbgPrint("FileDispositionInformation\n"); break; case FileEndOfFileInformation: DbgPrint("FileEndOfFileInformation\n"); break; case FileLinkInformation: DbgPrint("FileLinkInformation\n"); break; case FilePositionInformation: DbgPrint("FilePositionInformation\n"); break; case FileShortNameInformation: DbgPrint("FileShortNameInformation\n"); break; case FileValidDataLengthInformation: DbgPrint("FileValidDataLengthInformation\n"); break; default: DbgPrint("Other parameter\n"); break; } ObDereferenceObject(pFileObject); } else { // ObDereferenceObject(pFileObject); DbgPrint("Error.\n"); return 原ZwSetInformationFile; } 不知道是什么原因,是不是Delete删除文件的时候用这个函数监视不到啊? 还请老牛们不吝赐教,谢谢 |
|
|
沙发#
发布于:2009-04-15 21:32
难道调用ntdeletefile
|
|
|
板凳#
发布于:2009-04-17 00:08
如果不是彻底删除,实际windows做的是改名操作,把文件目录改到回收站了。你在delete的时候 监控一下改名
|
|
|
地板#
发布于:2009-04-23 15:15
rename
|
|