
Hooking Disk Write Operations ? Win32/64

Developer https://www.devze.com 2023-04-09 20:00 Source: web

Is there any way to hook all disk writes going through the system, and receive the file names of whatever's being modified, using the Win32 API? Or is this something that would require writing a driver?


You can't do this in user mode; it needs to be kernel mode, and so that means a driver. You need a File System Filter Driver.


If you don't care about intercepting the actual data, and only want to know which files are being modified/created/deleted, then you can use the ReadDirectoryChangesW API to get that info from userland. Note, however, that it's one of the hardest functions to use effectively and efficiently, and you should be familiar with IOCP to use it correctly.

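To show what the second answer describes in practice, here is an added example that is not from the original thread: a PowerShell watcher that logs the names of files created, changed, deleted or renamed under a directory tree, entirely from user mode. It uses .NET's FileSystemWatcher, which on Windows is a managed wrapper over ReadDirectoryChangesW with the overlapped I/O and completion handling done for you, so the caveats are the same as for the raw API: you get names and change types, not the data being written or the process doing it, and if the kernel-side buffer overflows the Error event fires and you must assume events were lost. The watch path and log file location are assumed values.

```powershell
# Added example (not from the original post): log which files are modified
# under a directory tree, using FileSystemWatcher (a wrapper over
# ReadDirectoryChangesW). $WatchPath and $LogFile are assumed values.
$WatchPath = 'C:\Users\Public'
$LogFile   = Join-Path $env:TEMP 'fs-changes.log'

$watcher = [System.IO.FileSystemWatcher]::new($WatchPath)
$watcher.IncludeSubdirectories = $true

# Only react to things that indicate a write or a namespace change,
# not to every attribute or access-time touch.
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor
                        [System.IO.NotifyFilters]::DirectoryName -bor
                        [System.IO.NotifyFilters]::LastWrite -bor
                        [System.IO.NotifyFilters]::Size

# Largest buffer FileSystemWatcher allows; a bigger buffer means fewer
# dropped notifications during bursts of writes.
$watcher.InternalBufferSize = 64KB

# One handler for all change events; renames carry the old name as well.
$handler = {
    $e = $Event.SourceEventArgs
    $line = if ($e -is [System.IO.RenamedEventArgs]) {
        '{0:o} RENAMED {1} -> {2}' -f (Get-Date), $e.OldFullPath, $e.FullPath
    } else {
        '{0:o} {1} {2}' -f (Get-Date), $e.ChangeType.ToString().ToUpper(), $e.FullPath
    }
    Add-Content -Path $Event.MessageData -Value $line
}

foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "fswatch.$name" -MessageData $LogFile -Action $handler | Out-Null
}

# Error fires when the notification buffer overflowed and events were lost.
# The only safe response is to re-enumerate the tree, never to ignore it.
Register-ObjectEvent -InputObject $watcher -EventName Error `
    -SourceIdentifier 'fswatch.Error' -MessageData $LogFile -Action {
        $ex = $Event.SourceEventArgs.GetException()
        Add-Content -Path $Event.MessageData -Value ('{0:o} OVERFLOW {1}' -f (Get-Date), $ex.Message)
    } | Out-Null

$watcher.EnableRaisingEvents = $true
Write-Host "Watching $WatchPath; logging to $LogFile. Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
} finally {
    $watcher.EnableRaisingEvents = $false
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'fswatch.*' | Unregister-Event
    $watcher.Dispose()
}
```

Run it in an elevated or normal PowerShell session, then touch a file under the watched path and tail the log. Expect a single save to produce several CHANGED lines (editors typically write, truncate and update timestamps separately), and expect OVERFLOW entries under heavy write load; that is the "hard to use efficiently" part of the answer, and the reason the handler does nothing slow inline. If you need the written bytes or the identity of the writing process, this approach cannot give them to you; that is the file system filter driver case from the first answer.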
