我自己写了一个简单的程序调用FileMon的SYS文件来实现监视特定文件夹的读写操作.可是为什么不能监视到文件的读写操作呢?
我的全部代码如下:// FileMon.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
#include <windows.h> // includes basic windows functionality
#include <windowsx.h>
#include <tchar.h>
#include <commctrl.h> // includes the common control header
#include <stdio.h>
#include <string.h>
#include <winioctl.h>
#include "Ioctlcmd.h"
#include "FileMon.h"static HANDLE SysHandle = INVALID_HANDLE_VALUE;// Drive name strings
TCHAR DrvNames[][32] = {
_T("UNKNOWN"),
_T("FIXED"),
_T("REMOTE"),
_T("RAM"),
_T("CD"),
_T("REMOVEABLE"),
}; // drives that are hooked
DWORD CurDriveSet;// The variable that holds the position settings
//POSITION_SETTINGS PositionInfo;// Buffer into which driver can copy statistics
char Stats[ LOGBUFSIZE ];
// Current fraction of buffer filled
DWORD StatsLen;// Search string
TCHAR FindString[256];
//FINDREPLACE FindTextInfo;
//DWORD FindFlags = FR_DOWN;
BOOLEAN PrevMatch;
TCHAR PrevMatchString[256]; // Application instance handle
HINSTANCE hInst;// Are we running on NT or 9x?
BOOLEAN IsNT;// Filter strings
TCHAR FilterString[MAXFILTERLEN];
TCHAR ExcludeString[MAXFILTERLEN];
TCHAR HighlightString[MAXFILTERLEN];// Recent filters
char RecentInFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentExFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentHiFilters[NUMRECENTFILTERS][MAXFILTERLEN];// Filter-related
FILTER FilterDefinition;// For info saving
TCHAR szFileName[MAX_PATH];BOOLEAN FileChosen = FALSE;
DWORD Error;
// General buffer for storing temporary strings
static TCHAR msgbuf[MAX_PATH];// General cursor manipulation
HCURSOR hSaveCursor;
HCURSOR hHourGlass;// performance counter frequency
LARGE_INTEGER PerfFrequency;DWORD AbortDriver()
{
if( IsNT ) UnloadDeviceDriver( SYS_NAME );
return (DWORD) -1;
}int Split( char * line, char delimiter, char * items[] )
{
int cnt = 0;
for (;;) {
items[cnt++] = line;
line = strchr( line, delimiter );
if ( line == NULL )
return cnt;
*line++ = '\0';
}
}DWORD CopyDriverFile()
{
TCHAR Path[ MAX_PATH ];
TCHAR systemRoot[ MAX_PATH ];
static TCHAR szBuf[MAX_PATH];
TCHAR name[ MAX_PATH ];
TCHAR *File;
WIN32_FIND_DATA findData;
HANDLE findHandle;
FILE_SYSTEM_TYPE fsType;
TCHAR driverPath[ MAX_PATH ];
GetCurrentDirectory( sizeof Path, Path );
findHandle = FindFirstFile( Path, &findData );
if( findHandle == INVALID_HANDLE_VALUE )
{
if( !SearchPath( NULL, SYS_FILE, NULL, sizeof(Path), Path, &File ) )
{
return AbortDriver();
} } else FindClose( findHandle ); if( !GetEnvironmentVariable( _T("SYSTEMROOT"), systemRoot, sizeof(systemRoot)))
{
return AbortDriver();
}
wsprintf(driverPath,_T("%s\\system32\\drivers\\%s"),systemRoot,SYS_FILE );
if( !CopyFile(Path, driverPath, FALSE ))
{
return AbortDriver();
}
SetFileAttributes( driverPath, FILE_ATTRIBUTE_NORMAL );
}
void InitDriver()
{
//动态加载驱动程序
if(!LoadDeviceDriver(_T("FILEMON"),_T("E:\\Windows\\System32\\Drivers\\FileM.SYS"),&SysHandle,&Error))
{
AbortDriver();
}
unsigned long nb;
DWORD versionNumber;
if( !DeviceIoControl(SysHandle, IOCTL_FILEMON_VERSION,NULL, 0, &versionNumber, sizeof(DWORD), &nb, NULL) )
{ AbortDriver();
}
//初始化驱动
DeviceIoControl( SysHandle, IOCTL_FILEMON_ZEROSTATS,
NULL, 0, NULL, 0, &nb, NULL );
//定义过滤用Filter
FilterDefinition.excludefilter[0] = 0;
FilterDefinition.includefilter[0] = 0;
strcpy(FilterDefinition.excludefilter , " ");
strcpy(FilterDefinition.includefilter , "*");
FilterDefinition.logreads=true;
FilterDefinition.logwrites=true;
//设置过滤条件到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETFILTER,
&FilterDefinition, sizeof(FILTER), NULL,
0, &nb, NULL ); //获取当前所有驱动器ID
CurDriveSet = GetLogicalDrives();
CurDriveSet = 124;
//设置驱动器ID到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETDRIVES,
&CurDriveSet, sizeof CurDriveSet,
&CurDriveSet, sizeof CurDriveSet,
&nb, NULL );
//开始过滤
DeviceIoControl( SysHandle, IOCTL_FILEMON_STARTFILTER,
NULL, 0, NULL, 0, &nb, NULL );}
BOOL ListAppend(char * line )
{
char *items[NUMCOLUMNS];
int itemcnt = 0;
//printf("%s\n",line);
itemcnt = Split( line, '\t', items );
if ( itemcnt == 0 )
return FALSE;
if(strcmp(items[0],"")==0)
return FALSE;
printf("%s>%s>%s>%s\n",items[0],items[1],items[2],items[3]);
return TRUE;
}
void ScanFileOperation()
{
for(;;){
// DWORD startTime = GetTickCount();
for(;;)
{
DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS,
NULL, 0, &Stats, sizeof Stats,
&StatsLen, NULL ) ;
if ( StatsLen == 0 )
break;
if ( StatsLen != 0 ){
PENTRY ptr;
ptr =(ENTRY *) Stats;
ListAppend(ptr->text );
}
//if( GetTickCount() - startTime > 1000 ) break;
} }
}
int _tmain(int argc, _TCHAR* argv[])
{
CopyDriverFile();
InitDriver();
ScanFileOperation();
return 0;
}
我的全部代码如下:// FileMon.cpp : 定义控制台应用程序的入口点。
//#include "stdafx.h"
#include <windows.h> // includes basic windows functionality
#include <windowsx.h>
#include <tchar.h>
#include <commctrl.h> // includes the common control header
#include <stdio.h>
#include <string.h>
#include <winioctl.h>
#include "Ioctlcmd.h"
#include "FileMon.h"static HANDLE SysHandle = INVALID_HANDLE_VALUE;// Drive name strings
TCHAR DrvNames[][32] = {
_T("UNKNOWN"),
_T("FIXED"),
_T("REMOTE"),
_T("RAM"),
_T("CD"),
_T("REMOVEABLE"),
}; // drives that are hooked
DWORD CurDriveSet;// The variable that holds the position settings
//POSITION_SETTINGS PositionInfo;// Buffer into which driver can copy statistics
char Stats[ LOGBUFSIZE ];
// Current fraction of buffer filled
DWORD StatsLen;// Search string
TCHAR FindString[256];
//FINDREPLACE FindTextInfo;
//DWORD FindFlags = FR_DOWN;
BOOLEAN PrevMatch;
TCHAR PrevMatchString[256]; // Application instance handle
HINSTANCE hInst;// Are we running on NT or 9x?
BOOLEAN IsNT;// Filter strings
TCHAR FilterString[MAXFILTERLEN];
TCHAR ExcludeString[MAXFILTERLEN];
TCHAR HighlightString[MAXFILTERLEN];// Recent filters
char RecentInFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentExFilters[NUMRECENTFILTERS][MAXFILTERLEN];
char RecentHiFilters[NUMRECENTFILTERS][MAXFILTERLEN];// Filter-related
FILTER FilterDefinition;// For info saving
TCHAR szFileName[MAX_PATH];BOOLEAN FileChosen = FALSE;
DWORD Error;
// General buffer for storing temporary strings
static TCHAR msgbuf[MAX_PATH];// General cursor manipulation
HCURSOR hSaveCursor;
HCURSOR hHourGlass;// performance counter frequency
LARGE_INTEGER PerfFrequency;DWORD AbortDriver()
{
if( IsNT ) UnloadDeviceDriver( SYS_NAME );
return (DWORD) -1;
}int Split( char * line, char delimiter, char * items[] )
{
int cnt = 0;
for (;;) {
items[cnt++] = line;
line = strchr( line, delimiter );
if ( line == NULL )
return cnt;
*line++ = '\0';
}
}DWORD CopyDriverFile()
{
TCHAR Path[ MAX_PATH ];
TCHAR systemRoot[ MAX_PATH ];
static TCHAR szBuf[MAX_PATH];
TCHAR name[ MAX_PATH ];
TCHAR *File;
WIN32_FIND_DATA findData;
HANDLE findHandle;
FILE_SYSTEM_TYPE fsType;
TCHAR driverPath[ MAX_PATH ];
GetCurrentDirectory( sizeof Path, Path );
findHandle = FindFirstFile( Path, &findData );
if( findHandle == INVALID_HANDLE_VALUE )
{
if( !SearchPath( NULL, SYS_FILE, NULL, sizeof(Path), Path, &File ) )
{
return AbortDriver();
} } else FindClose( findHandle ); if( !GetEnvironmentVariable( _T("SYSTEMROOT"), systemRoot, sizeof(systemRoot)))
{
return AbortDriver();
}
wsprintf(driverPath,_T("%s\\system32\\drivers\\%s"),systemRoot,SYS_FILE );
if( !CopyFile(Path, driverPath, FALSE ))
{
return AbortDriver();
}
SetFileAttributes( driverPath, FILE_ATTRIBUTE_NORMAL );
}
void InitDriver()
{
//动态加载驱动程序
if(!LoadDeviceDriver(_T("FILEMON"),_T("E:\\Windows\\System32\\Drivers\\FileM.SYS"),&SysHandle,&Error))
{
AbortDriver();
}
unsigned long nb;
DWORD versionNumber;
if( !DeviceIoControl(SysHandle, IOCTL_FILEMON_VERSION,NULL, 0, &versionNumber, sizeof(DWORD), &nb, NULL) )
{ AbortDriver();
}
//初始化驱动
DeviceIoControl( SysHandle, IOCTL_FILEMON_ZEROSTATS,
NULL, 0, NULL, 0, &nb, NULL );
//定义过滤用Filter
FilterDefinition.excludefilter[0] = 0;
FilterDefinition.includefilter[0] = 0;
strcpy(FilterDefinition.excludefilter , " ");
strcpy(FilterDefinition.includefilter , "*");
FilterDefinition.logreads=true;
FilterDefinition.logwrites=true;
//设置过滤条件到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETFILTER,
&FilterDefinition, sizeof(FILTER), NULL,
0, &nb, NULL ); //获取当前所有驱动器ID
CurDriveSet = GetLogicalDrives();
CurDriveSet = 124;
//设置驱动器ID到驱动程序中
DeviceIoControl( SysHandle, IOCTL_FILEMON_SETDRIVES,
&CurDriveSet, sizeof CurDriveSet,
&CurDriveSet, sizeof CurDriveSet,
&nb, NULL );
//开始过滤
DeviceIoControl( SysHandle, IOCTL_FILEMON_STARTFILTER,
NULL, 0, NULL, 0, &nb, NULL );}
BOOL ListAppend(char * line )
{
char *items[NUMCOLUMNS];
int itemcnt = 0;
//printf("%s\n",line);
itemcnt = Split( line, '\t', items );
if ( itemcnt == 0 )
return FALSE;
if(strcmp(items[0],"")==0)
return FALSE;
printf("%s>%s>%s>%s\n",items[0],items[1],items[2],items[3]);
return TRUE;
}
void ScanFileOperation()
{
for(;;){
// DWORD startTime = GetTickCount();
for(;;)
{
DeviceIoControl( SysHandle, IOCTL_FILEMON_GETSTATS,
NULL, 0, &Stats, sizeof Stats,
&StatsLen, NULL ) ;
if ( StatsLen == 0 )
break;
if ( StatsLen != 0 ){
PENTRY ptr;
ptr =(ENTRY *) Stats;
ListAppend(ptr->text );
}
//if( GetTickCount() - startTime > 1000 ) break;
} }
}
int _tmain(int argc, _TCHAR* argv[])
{
CopyDriverFile();
InitDriver();
ScanFileOperation();
return 0;
}
估计是没挂接上volume,调试看看
谢谢,我正在研究文件加解密