How to intercept Win32 API calls with C#?

I would like to either host a virtual drive and intercept the I/O, or intercept I/O calls to certain folders on a hard drive, and do arbitrary things to that call like write the file to a 2nd location. For example, if Notepad.exe writes a file to C:\Data\test.txt - I would like to have access to that file name, and the data of the file. Likewise, I would like to run arbitrary code when any user attempts to read C:\Data\test.txt or attempts to get a directory listing for C:\Data.

Ideally I want to have a handler for when a file is: created, updated, deleted, or opened - and when someone does a directory listing (from command-line or from the Shell).

I can do the write part with FileSystemWatcher - but I can't intercept disk "reads". So, I next looked into MS Detours and EasyHook. That won't really work because I'd need to monitor every single process on the computer and hook to OpenFile on ALL of them. I don't want to use a Shell Extension because this behavior needs to exist from the command-line too. So, that leaves either writing a File System MiniFilter driver - or writing my own installable file system in C++.

I can have some portion of this in C++ - although the driver stuff is a bit over my head, but ultimately most of the rest of code should be in C#, ideally.

Is there some straightforward way to intercept I/O to a specific folder or virtual drive? If the answer is with EasyHook or a MiniFilter, does anyone have any samples? EasyHook in particular only has samples from the late-2000s and the API has changed since then. Thanks!

Looks like an XY problem. What you seem to want are reparse point handlers.

Your example of "writing a file to another location" is just a link, and those already exist. Implemented by a standard reparse point handler.

You don't specify exactly what else you want to do, but similar things can be done by custom reparse point handlers. In short, a reparse point is a small bit of data in place of a file, which (1) specifies which handler should be called, and (2) provides custom data to that handler. For instance, the actual location of the file. Since it's custom data, you can use any format you like.
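As an added illustration (not code from the answer above), this portable C++ sketch reads the two parts the answer describes, the tag that selects the handler and the handler's custom data, out of a raw reparse buffer, rejecting buffers whose declared length does not fit. The header layout follows Windows' `REPARSE_DATA_BUFFER` / `REPARSE_GUID_DATA_BUFFER`; the tag value `0x00000123`, the GUID bytes and the UTF-8 path payload are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct ReparseInfo {
    uint32_t tag = 0;        // (1) identifies which handler owns the reparse point
    bool microsoft = false;  // high bit set: Microsoft-owned tag (symlink, junction, ...)
    std::string payload;     // (2) handler-defined data, opaque to everyone else
};

// Read an n-byte little-endian integer at offset off (caller checks bounds).
static uint32_t le(const std::vector<uint8_t>& b, size_t off, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

// Layout: ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved;
// non-Microsoft tags then carry a 16-byte GUID before the data.
bool parse_reparse(const std::vector<uint8_t>& b, ReparseInfo& out) {
    if (b.size() < 8) return false;                        // truncated header
    out.tag = le(b, 0, 4);
    out.microsoft = (out.tag & 0x80000000u) != 0;
    const size_t len = le(b, 4, 2);
    const size_t off = out.microsoft ? 8 : 24;             // skip GUID on third-party tags
    if (b.size() < off || b.size() - off < len) return false;  // declared length too large
    out.payload.assign(b.begin() + off, b.begin() + off + len);
    return true;
}

// Constructed sample: hypothetical third-party tag 0x00000123, an all-0x11 GUID,
// and a UTF-8 target path as the custom data (the format is the handler's choice).
std::vector<uint8_t> sample_buffer() {
    const std::string target = "D:\\Mirror\\test.txt";
    std::vector<uint8_t> b = {0x23, 0x01, 0x00, 0x00,
                              uint8_t(target.size()), 0x00, 0x00, 0x00};
    b.insert(b.end(), size_t(16), uint8_t(0x11));
    b.insert(b.end(), target.begin(), target.end());
    return b;
}

int main() {
    ReparseInfo info;
    if (!parse_reparse(sample_buffer(), info)) {
        std::puts("malformed reparse buffer");
        return 1;
    }
    std::printf("tag=0x%08X microsoft=%d payload=%s\n",
                (unsigned)info.tag, (int)info.microsoft, info.payload.c_str());
    return 0;
}
```

On a real volume the buffer would come from the file system rather than from `sample_buffer()`; the length checks matter there because the data length field is read from disk and should not be trusted.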
