
reliably monitor/track/log user file accesses on Windows 7

开发者 https://www.devze.com 2023-03-08 11:14 Source: internet

I need to track all files accessed (created, opened, read) by a user and log these actions for further processing within a separate application. I have investigated and searched for possible ways to achieve this (as simple as possible) and came up with the following solutions:

  1. Hook kernel32.dll and intercept all file-specific functions like CreateFileA, OpenFile, etc. I thought of modifying the IAT and providing wrapper functions. I'd still forward the calls to the original functions, but report which files were accessed when to my application. This sounds easy to achieve, but I doubt it will work flawlessly on Windows 7, as it appears to me new security restrictions prevent successful hooking by modifying the import address table. Maybe somebody knows better :)

  2. Write a file system minifilter and make the callback functions report about file accesses. As I haven't written a minifilter before, I don't know if this is a feasible approach. I believe development of a minifilter requires far more effort. Maybe somebody can point out some resources like tutorials on writing simple filesystem minifilters.

I know of Microsoft's Detours library, but at this stage I would like to avoid using it, as the hook in general is quite simple. Is there any reliable way of hooking file functions in Windows 7 at all without using Detours or EasyHook? Concerning minifilters: I believe what I want to achieve is quite simple compared to, for example, filters which deal with encryption. However, I have no experience in writing minifilters and cannot estimate how much effort it takes to achieve my goals. All examples I stumbled upon have dealt with file system filters and not minifilters.

I'm thankful for any hints and suggestions :)

Greetings, curiosity


In .NET you can use FileSystemWatcher.
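As an added illustration of the FileSystemWatcher suggestion above (example code written for this page, not the answerer's), here is a small C# console program that appends one line per create/change/delete/rename event under a directory tree to a log file that a separate process can consume. The watched directory and log path are constructed placeholders; the comments note that FileSystemWatcher reports changes, not plain opens or reads, so it covers only part of the original requirement.

```csharp
using System;
using System.IO;

// Added example: watch a directory tree and append one line per event
// to a log file that another process can tail. Path names below are
// constructed placeholders, not values from the original post.
class FileAccessLogger
{
    static readonly object LogLock = new object();
    // Assumption: writable, and outside the watched tree (otherwise the
    // log's own writes would be reported as Changed events in a loop).
    const string LogPath = @"C:\Logs\file-events.log";

    static void Main()
    {
        string watchRoot = @"C:\Users\Public\Documents";   // assumption: directory to monitor
        Directory.CreateDirectory(Path.GetDirectoryName(LogPath));
        using (var watcher = new FileSystemWatcher(watchRoot))
        {
            watcher.IncludeSubdirectories = true;
            // Creation, writes, deletes and renames are reported; plain opens/reads
            // are not, because FileSystemWatcher only sees metadata/content changes.
            watcher.NotifyFilter = NotifyFilters.FileName | NotifyFilters.DirectoryName
                                 | NotifyFilters.LastWrite | NotifyFilters.Size;
            // The default 8 KB buffer overflows quickly under bursts; 64 KB is the maximum.
            watcher.InternalBufferSize = 64 * 1024;
            watcher.Created += (s, e) => Log(e.ChangeType, e.FullPath);
            watcher.Changed += (s, e) => Log(e.ChangeType, e.FullPath);
            watcher.Deleted += (s, e) => Log(e.ChangeType, e.FullPath);
            watcher.Renamed += (s, e) => Log(e.ChangeType, e.OldFullPath + " -> " + e.FullPath);
            // Raised when the internal buffer overflowed: events were lost, so record
            // that fact rather than silently presenting an incomplete log.
            watcher.Error += (s, e) => Log(WatcherChangeTypes.All, "EVENTS DROPPED: " + e.GetException().Message);

            watcher.EnableRaisingEvents = true;
            Console.WriteLine("Watching " + watchRoot + "; press Enter to stop.");
            Console.ReadLine();
        }
    }

    // One timestamped, tab-separated line per event; the lock keeps lines intact
    // because watcher callbacks arrive on thread-pool threads.
    static void Log(WatcherChangeTypes type, string detail)
    {
        string line = DateTime.UtcNow.ToString("o") + "\t" + type + "\t" + detail;
        lock (LogLock)
        {
            File.AppendAllText(LogPath, line + Environment.NewLine);
        }
    }
}
```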


Did you check our CallbackFilter product, which provides a ready-to-use filter driver and lets you write all logic in user mode?
