Besides createfile and openfile, are there other Windows APIs that can obtain a file handle?
I am trying to snoop on a log file that an application is writing to.
I have successfully hooked createfile with the detours library from MSR, but createfile never seems to be called with the file I am interested in snooping on. I have also tried hooking openfile with the same results.
I am not an experienced Windows/C++ programmer, so my initial two thoughts were either that the application calls createfile before I hook the apis, or that there is some other API for creating files/obtaining handles for them.
You can use Sysinternal's FileMon.
It is an excellent monitor that can tell you exactly which file-related system calls are being made and what the parameters are.
I think that this approach is much easier than hooking API calls and much less intrusive.
Here's a link which might be of use:
Guerilla-Style File Monitoring with C# and C++
It is possible to create a file without touching CreateFile API but can I ask what DLL injection method you're using? If you're using something like Windows Hooks your DLL won't be installed until sometime after the target application initializes and you'll miss early calls to CreateFile. Whereas if you're using something like DetourCreateProcessWithDll your CreateFile hook can be installed prior to any of the application startup code running.
In my experience 99.9% of created/opened files result in a call to CreateFile, including files opened through C and C++ libs, third-party libs, etc. Maybe there are some undocumented DDK functions which don't route through CreateFile, but for a typical log file, I doubt it.
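As an added illustration of the point above about hook timing (this is example code, not from the thread or from the Detours project), the following shows a Detours-based CreateFileW hook DLL together with a launcher that injects it with DetourCreateProcessWithDllExW, so the hook is in place before any of the target's startup code runs. The Windows-specific parts are guarded by `_WIN32`; the path filter `PathMatches`, the DLL name `snoop.dll`, the watched file name `app.log` and the `LOGHOOK_DLL` build switch are all assumptions made for the example.

```cpp
// Added example: Detours CreateFileW hook (DLL) plus an injecting launcher.
// Build twice on Windows with the Detours SDK installed and detours.lib linked:
//   -DLOGHOOK_DLL  -> snoop.dll        (the hook)
//   (no define)    -> launcher.exe     (starts the target with snoop.dll injected)
// The portable filter below compiles and can be tested on any platform.
#include <string>
#include <cwctype>

// Constructed helper (not part of Detours): does `path` end with `target`?
// Case-insensitive, since Win32 paths are case-insensitive.
bool PathMatches(const std::wstring& path, const std::wstring& target) {
    if (target.empty() || target.size() > path.size()) return false;
    size_t off = path.size() - target.size();
    for (size_t i = 0; i < target.size(); ++i) {
        if (std::towlower(path[off + i]) != std::towlower(target[i])) return false;
    }
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>   // Microsoft Detours (assumed installed)
#include <cstdio>

static const wchar_t* kTargetLog = L"app.log";   // constructed: file name to watch

// Pointer to the real CreateFileW; DetourAttach rewrites it to the trampoline.
static HANDLE (WINAPI* RealCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                        DWORD, DWORD, HANDLE) = CreateFileW;

static HANDLE WINAPI HookCreateFileW(LPCWSTR name, DWORD access, DWORD share,
                                     LPSECURITY_ATTRIBUTES sa, DWORD disp,
                                     DWORD flags, HANDLE tmpl) {
    HANDLE h = RealCreateFileW(name, access, share, sa, disp, flags, tmpl);
    if (name && PathMatches(name, kTargetLog)) {
        // OutputDebugString is safe inside a hook; watch it with DebugView.
        wchar_t msg[512];
        _snwprintf_s(msg, _TRUNCATE, L"[snoop] CreateFileW(%s) access=0x%08lx -> %p\n",
                     name, access, h);
        OutputDebugStringW(msg);
    }
    return h;
}

#ifdef LOGHOOK_DLL
// Detours needs the injected DLL to export a function at ordinal 1; with a single
// export MSVC assigns ordinal 1 automatically.
extern "C" __declspec(dllexport) void DetoursOrdinal1() {}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (DetourIsHelperProcess()) return TRUE;   // 32/64-bit helper process: do nothing
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();               // undo the import-table patch used to inject us
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)RealCreateFileW, HookCreateFileW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)RealCreateFileW, HookCreateFileW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#else
// Launcher: create the target with snoop.dll injected before its entry point runs.
// Usage: launcher.exe "C:\path\to\target.exe"
int wmain(int argc, wchar_t** argv) {
    if (argc < 2) { fwprintf(stderr, L"usage: launcher <target.exe>\n"); return 1; }
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = {};
    if (!DetourCreateProcessWithDllExW(argv[1], nullptr, nullptr, nullptr, FALSE,
                                       CREATE_DEFAULT_ERROR_MODE, nullptr, nullptr,
                                       &si, &pi, "snoop.dll", nullptr)) {
        fwprintf(stderr, L"DetourCreateProcessWithDllExW failed: %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif
#endif  // _WIN32
```

Because the launcher creates the process itself, there is no window between process start and hook installation, which is exactly the gap a Windows-Hooks-style injection leaves open.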
Process Monitor from sysinternals could help too.
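The two answers recommending FileMon / Process Monitor can be put into a non-invasive script. This is an added example, not from the thread or from Sysinternals: it starts Process Monitor capturing to a backing file, launches the target after capture is running so even its earliest opens are recorded, then converts the trace to CSV and keeps only the events for that process on the log file. It assumes Procmon.exe is on PATH and relies on the tool's documented /AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog and /SaveAs switches; the target, log file and trace paths are constructed placeholders.

```powershell
# Added example: capture a Process Monitor trace and filter it to one log file.
param(
    [string]$Procmon   = "Procmon.exe",
    [string]$Target    = "C:\path\to\app.exe",   # placeholder: program writing the log
    [string]$LogFile   = "C:\path\to\app.log",   # placeholder: the file to watch
    [int]   $Seconds   = 30,                     # how long to record
    [string]$TraceFile = "$env:TEMP\trace.pml"
)

# 1. Start Process Monitor headless, recording to a backing file (needs admin).
Start-Process -FilePath $Procmon -ArgumentList "/AcceptEula", "/Quiet", "/Minimized",
    "/BackingFile", "`"$TraceFile`""
Start-Sleep -Seconds 3   # let the filter driver load before the target starts

# 2. Launch the target only after capture is running.
$app = Start-Process -FilePath $Target -PassThru
Start-Sleep -Seconds $Seconds

# 3. Stop the capture and convert the .pml trace to CSV.
Start-Process -FilePath $Procmon -ArgumentList "/Terminate" -Wait
$csv = [System.IO.Path]::ChangeExtension($TraceFile, ".csv")
Start-Process -FilePath $Procmon -ArgumentList "/AcceptEula", "/OpenLog", "`"$TraceFile`"",
    "/SaveAs", "`"$csv`"" -Wait

# 4. Keep only our process's operations on the log file. Column names are
#    Process Monitor's default CSV headers.
Import-Csv $csv |
    Where-Object { [int]$_.PID -eq $app.Id -and $_.Path -ieq $LogFile } |
    Select-Object 'Time of Day', Operation, Path, Result, Detail |
    Format-Table -AutoSize
```

If the resulting rows show CreateFile operations for the file but the Detours hook never fires, the hook is being installed too late rather than the application using a different API.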