
program to monitor read/writes PATH of a program?

Developer (开发者) https://www.devze.com 2023-02-21 20:07 Source: web

I was trying to make a program for a college project, but I got stuck at this:

How will you monitor a program as to what files it writes to or reads from? I wish to have their path names.

To make the problem more clear, here is an example:

Consider the program we wish to monitor is a.exe, and a.exe first opens a file named "a1" residing in the same folder as a.exe, and then opens another file named "a2".

The program has to give the relative or absolute path of the "a1" and "a2" files, irrespective of whether they are opened for read or write.

How do I implement this in C++?

EDIT: Is it possible to divert the calls for the a1 and a2 files to another path?

EDIT2: OK, let me put it this way: I have moved firefox.exe from C:\program files to D:\; now when I run firefox.exe it won't work because it works on many files that are in C:\program files, and firefox.exe would be using relative paths for accessing the files. What I intend to do is to capture the calls for the files firefox.exe works on and then direct the call to the program files folder. Please let me know if I have made myself clear.


On Linux you can use 'strace', which outputs the different system calls performed by your application. If you need to implement a program which produces the same kind of output as strace, a quick implementation could consist of a simple shell program which greps the output of strace. Otherwise, looking into the strace code is a good start.

On Windows, 'Process Monitor' from the Sysinternals suite may help you out.


If you want to modify the arguments to open(2), creat(2), truncate(2), and so forth, then you could use the Linux ptrace(2) facility to intercept the system calls and replace the filename strings before executing the call.

ptrace(2) is dark magic, so unless it's an advanced course, it might not be what your professor intended. (If the next lecture is on writing a debugger like gdb(1), then this is exactly what your professor intended.)

Another mechanism you can use, and probably much more portably, is library or function interpositioning -- you can write little wrappers around specific functions in a library, and by loading the library with the LD_PRELOAD environment variable (see the ld.so(8) manpage for details on the environment variables that influence library loading), your functions will be called instead of the standard functions.

Library interposition is grey magic; it's better documented than ptrace(2), but still pretty easy to screw up.

