老是得不到FileMon中的日志，怎么办？

楼主^#

更多发布于：2005-07-28 10:33

  我按照FileMon中EXE目录下的工程的启动Filem.sys方式，启动该驱动，然后设置要过滤的本地磁盘，可是老是得不到该日志，可是直接运行Filemon.exe，却可以得到，而是只要运行过Filemon.exe一次，我自己写的也就可以，如果重新启动机器，第一次运行我的机器，我的得不到日志，每次都必须运行Filemon.exe后，我的才可以。请大家帮我看看，我的代码：谢谢！

1,启动Filem.sys
void CTExeDlg::Init()
{
   static DWORD MaxDriveSet = 0;
   static HMENU DriveMenu;
  static HWND hWndTT;
   static HWND hWndToolbar;
   static POINTS hoverPoints;
   DWORD nb, versionNumber;
   DWORD drive, drivetype;
   static TCHAR driverPath[ MAX_PATH ];
   TCHAR Path[ MAX_PATH ];
   TCHAR systemRoot[ MAX_PATH ];
   static TCHAR szBuf[MAX_PATH];
   TCHAR name[ MAX_PATH ];
   DWORD error;

   GetCurrentDirectory( sizeof Path, Path );
   _stprintf( Path+lstrlen(Path), _T("\\Debug\\%s"), SYS_FILE );

   if( !GetEnvironmentVariable( "SYSTEMROOT", systemRoot, sizeof(systemRoot)))
   {
   return ;
   }

   sprintf( driverPath, _T("%s\\system32\\drivers\\%s"),
   systemRoot, SYS_FILE );
   if( !LoadDeviceDriver( SYS_NAME, driverPath, &SysHandle, &error ) ) {

   if( !CopyFile( Path, driverPath, FALSE ))
   {

   return ;
   }
   SetFileAttributes( driverPath, FILE_ATTRIBUTE_NORMAL );
   if( !LoadDeviceDriver( SYS_NAME, driverPath, &SysHandle, &error ) ) {

   UnloadDeviceDriver( SYS_NAME );
   if( !LoadDeviceDriver( SYS_NAME, driverPath, &SysHandle, &error ) ) {

   _stprintf( msgbuf, _T("Error loading %s (%s): %d"),
   SYS_NAME, Path, error );
   DeleteFile( driverPath );
   return;
   }
   }
   DeleteFile( driverPath );
   }

   // Correct driver version?
   if( !DeviceIoControl( SysHandle, IOCTL_FILEMON_VERSION,
   NULL, 0, &versionNumber, sizeof(DWORD), &nb, NULL ) ||
   versionNumber != FILEMONVERSION ) {

   return;
   }

   // Have driver zero information
   if ( ! DeviceIoControl( SysHandle, IOCTL_FILEMON_ZEROSTATS,
   NULL, 0, NULL, 0, &nb, NULL ) ) {
   return ;
   }

   // Set up the filter
   FilterDefinition.excludefilter[0] = 0;
   FilterDefinition.includefilter[0] = 0;
   if( strcmp( ExcludeString, " " ) )
   strcpy( FilterDefinition.excludefilter, ExcludeString );
   if( strcmp( FilterString, " " ) )
   strcpy( FilterDefinition.includefilter, FilterString );

   // Give the user to change initial filter
   if( strcmp( FilterString, "*" ) ||
   (*ExcludeString && strcmp( ExcludeString, " ")))
   {

   }
   else
   {
   // tell the driver the initial filter
   if ( ! DeviceIoControl( SysHandle, IOCTL_FILEMON_SETFILTER,
   &FilterDefinition, sizeof(FILTER), NULL,
   0, &nb, NULL ) )
   {
   return ;
   }
   }

   // Tell driver to start filtering
   if ( ! DeviceIoControl( SysHandle, IOCTL_FILEMON_STARTFILTER,
   NULL, 0, NULL, 0, &nb, NULL ) ) {

   return ;
   }

   // Get available drives we can monitor
   MaxDriveSet = GetLogicalDrives();
   if( PositionInfo.curdriveset != (DWORD) -1 )
   CurDriveSet = PositionInfo.curdriveset;
   else
   CurDriveSet = MaxDriveSet;
   for ( drive = 0; drive < 32; ++drive ) {
   if ( MaxDriveSet & (1 << drive) ) {
   _stprintf( name, _T("%c:\\"), 'A'+drive );
   switch ( GetDriveType( name ) ) {
   // We don't like these: remove them
   case 0: // The drive type cannot be determined.
   case 1: // The root directory does not exist.
   drivetype = DRVUNKNOWN;
   CurDriveSet &= ~(1 << drive);
   break;
   case DRIVE_REMOVABLE: // The drive can be removed from the drive.
   drivetype = DRVREMOVE;
   CurDriveSet &= ~(1 << drive);
   break;
   case DRIVE_CDROM: // The drive is a CD-ROM drive.
   drivetype = DRVCD;
   CurDriveSet &= ~(1 << drive);
   break;

   // We like these types
   case DRIVE_FIXED: // The disk cannot be removed from the drive.
   drivetype = DRVFIXED;
   break;
   case DRIVE_REMOTE: // The drive is a remote (network) drive.
   drivetype = DRVREMOTE;
   break;
   case DRIVE_RAMDISK: // The drive is a RAM disk.
   drivetype = DRVRAM;
   break;
   }
   _stprintf( name, _T("Drive &%c: (%s)"), 'A'+drive, DrvNames[drivetype] );

   }
   }

   // Have driver hook the selected drives
   CurDriveSet = 44;
   CurDriveSet = HookDrives( DriveMenu, MaxDriveSet, CurDriveSet );
}
2,去获取日志信息
void CTExeDlg::OnUpdate()
{
   // Have driver fill Stats buffer with information
   if ( ! DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS,
   NULL, 0, &Stats, sizeof Stats,
   &StatsLen, NULL ) )
   {
   return;
   }

   PENTRY ptr;
   BOOLEAN itemsAdded = FALSE;
   char *items[NUMCOLUMNS];
   int totitems, i;
   for ( ptr = (ENTRY *)Stats; (char *)ptr < min(Stats+StatsLen,Stats + sizeof (Stats)); )
   {

   ULONG len = strlen(ptr->text);

   int itemcnt = Split( ptr->text, '\t', items );
   if ( itemcnt == 0 )
   return;

   for(int j = 0;j< itemcnt;j++)
   {
   m_editInfo += (CString)items[j];
   m_editInfo += " ###";
   }
   m_editInfo +="\r\n";
   UpdateData(FALSE);

   len += 4; len &= 0xFFFFFFFC; // +1 for null-terminator +3 for 32bit alignment
   ptr = (ENTRY *)(ptr->text + len);
   }
}
我单步调试机器重新启动后，我第一次运行我的程序，启动Filem.sys过程都是成功的，
，当我在自己监视硬盘上操作文件时，就是获取不到日志信息，只要运行fileMon.exe后，就可以，是不是跟注册表有什么关系？
谢谢大家关注

喜欢0

cococut 驱动牛犊注册日期2005-06-27 最后登录2005-09-23 粉丝0 关注0 积分50分威望10点贡献值0点好评度0点原创分0分专家分0分加关注写私信	沙发^# 发布于：2005-07-28 10:34 我想要的完成的任务就是，在我的程序中，启动Filem.sys，对本地磁盘进行监视，然后调用if ( ! DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS, NULL, 0, &Stats, sizeof Stats, &StatsLen, NULL ) ) 去获取日志信息。可是老是获取为空。大家帮我看看我的启动是否有问题？
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

老是得不到FileMon中的日志，怎么办？

最新喜欢：