
Intercepting disk write in Linux

I want to intercept every disk write operation in a Linux server. In detail, I want to catch every disk write operation right at the time when it happens and be able to work out which process initiated the call, where it is trying to write and so on. To make it simple, for now, I am concentrating on ext3 only. I am aware of auditfs and other 'watchers' which will only let you know once the operation has happened. As said earlier, I want to intercept it as it happens and be able to retrieve all information about the operation (process information, target location, content being written). If there is an interrupt/callback kind of mechanism (for example receiving a notification of any write operation by a process, process group or session - pid, pgid, sid), it will be even better.

Thanks

I did some searching on this very issue, and these look promising:

• Copyhook Handlers - for MSDOS Shell, lodge an interception DLL in WinReg
• NtSetInformationFile
• Minifilters - I think these are portable for cross-platform
• Installable File system drivers - well, of course

File Share type: some filesystems support audit and protection hardening, but may be only "After-The-Fact".

CopyHook looks promisingly simple: Intercepting shell file manipulation calls in Windows:

https://msdn.microsoft.com/en-us/library/bb776048.aspx

The driver-level stuff gets very hairy, very quickly ...
