Signatures of a file modification when monitoring with FileMon
As the title says: when a file is modified, FileMon produces a lot of records, for example:
1 14:27:45.777 System:4 IRP_MJ_CREATE D:\fileMonTest\test4.txt SUCCESS Attributes: N Options: OpenIf
2 14:27:45.777 System:4 IRP_MJ_CREATE D:\fileMonTest\test4.txt SUCCESS Attributes: N Options: Open
3 14:27:45.777 System:4 IRP_MJ_QUERY_INFORMATION D:\fileMonTest\test4.txt SUCCESS FileInternalInformation
4 14:27:45.777 System:4 FASTIO_QUERY_STANDARD_INFO D:\fileMonTest\test4.txt SUCCESS Size: 7643
5 14:27:45.777 System:4 IRP_MJ_CLEANUP D:\fileMonTest\test4.txt SUCCESS
6 14:27:45.777 System:4 IRP_MJ_CLOSE D:\fileMonTest\test4.txt SUCCESS
7 14:27:45.777 System:4 FSCTL_REQUEST_BATCH_OPLOCK D:\fileMonTest\test4.txt SUCCESS
8 14:27:45.777 System:4 FASTIO_QUERY_NETWORK_OPEN_INFO D:\fileMonTest\test4.txt SUCCESS
9 14:27:45.777 System:4 IRP_MJ_QUERY_INFORMATION D:\fileMonTest\test4.txt SUCCESS FileEaInformation
...
How can I find, in these records, a pattern that marks a file modification? Please help, thanks!
Reply #1
Posted on: 2007-06-22 12:52
On a local disk:

IRP_MJ_CREATE with Options: OpenIf, Create, OverwriteIf
  Complete (completion routine HookDone): Irp->IoStatus.Information == FILE_CREATED, FILE_OVERWRITTEN

IRP_MJ_READ and IRP_MJ_WRITE
  Complete: Irp->IoStatus.Information is not 0 (the number of bytes actually written)

IRP_MJ_SET_INFORMATION
  currentIrpStack->Parameters.SetFile.FileInformationClass == FileBasicInformation, FileDispositionInformation, FileLinkInformation, FilePositionInformation, FileRenameInformation, FileAllocationInformation, FileEndOfFileInformation, FileValidDataLengthInformation
  Of these:
  FileRenameInformation: Complete: Irp->IoStatus.Status == STATUS_OBJECT_NAME_COLLISION means the file is not changed
  FileDispositionInformation: (PFILE_DISPOSITION_INFORMATION)Irp->AssociatedIrp.SystemBuffer->DeleteFile == TRUE, and at the same time in IRP_MJ_CREATE currentIrpStack->Parameters.Create.SecurityContext->DesiredAccess & DELETE == TRUE; IRP_MJ_CLOSE then deletes the file

For the rest, see MSDN. You may also need to modify the code to see it more clearly.
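As an added illustration (not code from either poster), the following script applies the reply's rules to FileMon-style log lines: a successful IRP_MJ_WRITE with a non-zero Length, a successful IRP_MJ_SET_INFORMATION with one of the listed information classes, a FileRenameInformation that hit a name collision (no change), and a FileDispositionInformation that marks the file for deletion at close. The sample records, the result strings and the "Length:" detail format are constructed for the demo; FileMon does not log IoStatus.Information, so a create-capable open is reported only as a candidate.

```python
import re

# Constructed FileMon-style records for the demo (not taken from the post above).
SAMPLE_LOG = """\
1 14:27:45.777 System:4 IRP_MJ_CREATE D:\\fileMonTest\\test4.txt SUCCESS Attributes: N Options: OpenIf
2 14:27:45.777 System:4 FASTIO_QUERY_STANDARD_INFO D:\\fileMonTest\\test4.txt SUCCESS Size: 7643
3 14:27:45.778 notepad.exe:1234 IRP_MJ_WRITE D:\\fileMonTest\\test4.txt SUCCESS Offset: 0 Length: 7643
4 14:27:45.778 notepad.exe:1234 IRP_MJ_SET_INFORMATION D:\\fileMonTest\\test4.txt SUCCESS FileEndOfFileInformation
5 14:27:45.779 explorer.exe:888 IRP_MJ_SET_INFORMATION D:\\fileMonTest\\old.txt NAME COLLISION FileRenameInformation
6 14:27:45.780 cmd.exe:777 IRP_MJ_SET_INFORMATION D:\\fileMonTest\\gone.txt SUCCESS FileDispositionInformation
7 14:27:45.780 cmd.exe:777 IRP_MJ_CLOSE D:\\fileMonTest\\gone.txt SUCCESS
"""

# seq, time, process:pid, operation, path, result, free-form detail
RECORD = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<op>[A-Z_]+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NAME COLLISION|NOT FOUND|ACCESS DENIED|SHARING VIOLATION)\s*(?P<detail>.*)$"
)
# SetFile classes the reply lists as changing the file; rename and disposition are handled separately.
MODIFYING_CLASSES = {
    "FileBasicInformation", "FileLinkInformation", "FilePositionInformation",
    "FileAllocationInformation", "FileEndOfFileInformation", "FileValidDataLengthInformation",
}
CREATE_OPTIONS = {"Create", "OpenIf", "OverwriteIf", "Overwrite", "Supersede"}

def parse_record(line):
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Map one parsed record to a verdict using the rules from the reply; None = not a modification."""
    op, result, detail = rec["op"], rec["result"], rec["detail"]
    if op == "IRP_MJ_CREATE" and result == "SUCCESS":
        opts = detail.split("Options:")[-1].split() if "Options:" in detail else []
        return "create candidate" if set(opts) & CREATE_OPTIONS else None  # needs FILE_CREATED/FILE_OVERWRITTEN to confirm
    if op == "IRP_MJ_WRITE" and result == "SUCCESS":
        n = re.search(r"Length:\s*(\d+)", detail)
        return "data written" if n and int(n.group(1)) > 0 else None
    if op == "IRP_MJ_SET_INFORMATION":
        if detail == "FileRenameInformation":
            return "renamed" if result == "SUCCESS" else "unchanged (name collision)"
        if detail == "FileDispositionInformation" and result == "SUCCESS":
            return "delete pending (removed at IRP_MJ_CLOSE)"
        if detail in MODIFYING_CLASSES and result == "SUCCESS":
            return "metadata/size changed"
    return None

def triage_log(log):
    """Return (seq, path, verdict) for every record that says something about modification."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        verdict = classify(rec) if rec else None
        if verdict:
            out.append((int(rec["seq"]), rec["path"], verdict))
    return out
```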