简体繁体 English

在 Windows 中，如何在 C 中跟踪子进程读取和写入的文件？

[英]In Windows, how can I trace in C which files a child process reads and writes?

原文 2015-04-02 13:22:08 9 5 c/ windows

My goal is to determine when executing a command, precisely which files it reads and writes.我的目标是确定何时执行命令，准确地读取和写入哪些文件。 On Linux I can do this using ptrace (with work, akin to what strace does) and on FreeBSD and MacOS I can do this with the ktrace system command.在 Linux 上，我可以使用ptrace （工作，类似于strace所做的）来做到这一点，而在FreeBSD和 MacOS 上，我可以使用ktrace系统命令来做到这一点。 What would you use to obtain this information on Windows?在 Windows 上您将使用什么来获取此信息？

My research so far suggests that I either use the debugger interface (similar to ptrace in many ways) or perhaps ETW .到目前为止，我的研究表明我要么使用调试器接口（在很多方面类似于 ptrace），要么使用ETW 。 A third alternative is to interpose a DLL to intercept system calls as they are made.第三种选择是插入一个 DLL 来拦截系统调用。 Unfortunately, I don't have the experience to guess as to how challenging each of these approaches will be.不幸的是，我没有经验来猜测每种方法的挑战性。

Any suggestions?有什么建议？

5 个解决方案

As you suggested, this is a fairly simple task to solve with API hooking with DLL injection.正如您所建议的，这是一个相当简单的任务，可以通过 DLL 注入的 API 挂钩来解决。

This is a pretty good article about the application: API hooking revealed这是一篇关于应用程序的相当不错的文章： API hooking 揭示

I believe you can find more recent articles about the issue.我相信你可以找到更多关于这个问题的最新文章。

However, you probably need to use C++ to implement such a utility.但是，您可能需要使用 C++ 来实现这样的实用程序。 By the way, programs can disable DLL injection.顺便说一下，程序可以禁用 DLL 注入。 For example, I weren't able to use this approach on the trial version of Photoshop .例如，我无法在Photoshop的试用版上使用这种方法。

So, you may want to check if you can inject DLL files in the process you want with an existing solution before you start writing your own.因此，在开始编写自己的解决方案之前，您可能需要检查是否可以使用现有解决方案在所需的进程中注入 DLL 文件。

Unfortunately it seems there is no easy way to intercept file level operations on Windows.不幸的是，似乎没有简单的方法来拦截 Windows 上的文件级操作。

Here are some hints:这里有一些提示：

you could try to use FileMon from Sysinternals if it is enough for your needs, or try to look at the source of the tool如果足够满足您的需要，您可以尝试使用来自Sysinternals 的 FileMon ，或者尝试查看该工具的来源
you could make use of commercial software like Detours - beware, I never used that myself and I'm not sure it really meets your needs你可以使用像Detours这样的商业软件——当心，我自己从来没有用过，我不确定它是否真的满足你的需求

If you want a better understanding and are not frightened at doing it by hand , the Windows way of intercepting file I/O is using a File System Filter Driver .如果您想更好地理解并且不害怕手动完成，Windows 拦截文件 I/O 的方法是使用文件系统过滤器驱动程序。 In fact, there is a FilterManager embedded in Windows system that can forward all file system calls to minifilters .实际上，Windows 系统中嵌入了一个FilterManager ，可以将所有文件系统调用转发给minifilters 。

To build it, the interface with the system is provided by the FilterManager, and you have just (...) to code and install the minifilter that does the actual filtering - beware again never tested that ...要构建它，与系统的接口由 FilterManager 提供，您只需 (...) 编写代码并安装执行实际过滤的微过滤器- 再次注意从未测试过...

Please, take a look to the article CDirectoryChangeWatcher - ReadDirectoryChangesW all wrapped up .请查看文章CDirectoryChangeWatcher - ReadDirectoryChangesW all wrap up 。

It is a very old, but running, way to watch directory changes.这是一种非常古老但正在运行的监视目录更改的方法。

Microsoft owns a bunch of tools called Sysinternals .微软拥有一系列名为Sysinternals的工具。 There is a program called Process Monitor that will show you all the file accesses for a particular process.有一个名为Process Monitor的程序，它将向您显示特定进程的所有文件访问。 This is very likely what you want.这很可能是您想要的。

Check this particular Stack Overflow question out for your question... This might help you: Is there something like the Linux ptrace syscall in Windows?检查这个特定的堆栈溢出问题以解决您的问题...这可能对您有所帮助： Windows 中是否有类似 Linux ptrace 系统调用的东西？

Also, if you are running lower versions like Windows XP then you should check out Process Monitor .此外，如果您运行的是Windows XP等较低版本，那么您应该查看Process Monitor 。

Also, I would like you to check this out... Monitoring certain system calls done by a process in Windows另外，我想让你检查一下...... 监视由 Windows 中的进程完成的某些系统调用