在 Windows 的内核模式下,我能够拦截和监视在特定磁盘上执行的几乎所有操作。当出于任何目的打开文件时,我都会收到一个事件。
现在我想追踪打开它的应用程序。我认为这应该是可能的,但不知道如何实现。
我正在使用 Windows Win32 API 中的标准文件管理函数。
提前致谢。
/罗伯特
最佳答案
Sysinternals Filemon (免费)这样做,更好的是他们描述了他们是如何做到的:
For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead.
-亚当
关于c++ - 跟踪打开特定文件的进程,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/231547/