📄 filemon.c
字号:
FilemonConvertPath( CONVERT_STANDARD, Drive, origir, CodePage, fullpathname );
} else {
sprintf( fullpathname, "%c:", Drive+'A'-1);
}
TIME_DIFF();
log = FALSE;
switch( origir->ir_flags ) {
case CREATE_DIR:
sprintf(data, "CREATE");
if( FilterDef.logwrites ) log = TRUE;
break;
case DELETE_DIR:
sprintf(data,"DELETE");
if( FilterDef.logwrites ) log = TRUE;
break;
case CHECK_DIR:
sprintf(data,"CHECK");
if( FilterDef.logreads ) log = TRUE;
break;
default:
sprintf(data,"QUERY");
if( FilterDef.logreads ) log = TRUE;
break;
}
if( log ) {
LogRecord( timelo, datetimelo, datetimehi, "%s\tDirectory\t%s\t%s\t%s",
processname,
fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_SEEK:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logreads) {
TIME_DIFF();
sprintf(data, "%s Offset: %ld / New offset: %ld",
origir->ir_flags == FILE_BEGIN ? "Beginning" : "End",
origir->ir_pos, origir->ir_pos );
LogRecord( timelo, datetimelo, datetimehi, "%s\tSeek\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_COMMIT:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logwrites) {
TIME_DIFF();
sprintf(data, "%s", origir->ir_options == FILE_COMMIT_ASYNC ?
"ASYNC" : "NOACCESSUPDATE" );
LogRecord( timelo, datetimelo, datetimehi, "%s\tCommit\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_FILELOCKS:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logreads) {
TIME_DIFF();
sprintf(data, "Offset: %ld Length:%ld", origir->ir_pos, origir->ir_locklen );
LogRecord( timelo, datetimelo, datetimehi, "%s\t%s\t%s\t%s\t%s",
processname, origir->ir_flags == LOCK_REGION ? "Lock" : "Unlock",
fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_FINDOPEN:
if( FilterDef.logreads) {
FilemonConvertPath( CONVERT_FINDOPEN, Drive, origir, CodePage, fullpathname );
TIME_DIFF();
if( !retval ) {
finddata = (_WIN32_FIND_DATA *) origir->ir_data;
UniToBCS( data, finddata->cFileName, wstrlen(finddata->cFileName), MAXPATHLEN-1, BCS_WANSI, &result );
data[ result.ddLower ] = 0;
}
LogRecord( timelo, datetimelo, datetimehi, "%s\tFindOpen\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
FilemonLogHash( Drive, pir->ir_fh, fullpathname );
break;
case IFSFN_FINDNEXT:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logreads) {
TIME_DIFF();
if( !retval ) {
finddata = (_WIN32_FIND_DATA *) origir->ir_data;
UniToBCS( data, finddata->cFileName, wstrlen(finddata->cFileName), MAXPATHLEN-1, BCS_WANSI, &result );
data[ result.ddLower ] = 0;
}
LogRecord( timelo, datetimelo, datetimehi, "%s\tFindNext\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_FINDCLOSE:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logreads) {
TIME_DIFF();
LogRecord( timelo, datetimelo, datetimehi, "%s\tFindClose\t%s\t\t%s",
processname, fullpathname,
ErrorString( retval ));
}
FilemonFreeHashEntry( Drive, origir->ir_fh );
break;
case IFSFN_FILEATTRIB:
if( FilterDef.logreads) {
FilemonConvertPath( CONVERT_STANDARD, Drive, origir, CodePage, fullpathname );
TIME_DIFF();
switch(origir->ir_flags ) {
case GET_ATTRIBUTES:
sprintf(data,"GetAttributes");
break;
case SET_ATTRIBUTES:
sprintf(data, "SetAttributes" );
break;
case GET_ATTRIB_COMP_FILESIZE:
sprintf(data, "GET_ATTRIB_COMP_FILESIZE" );
break;
case SET_ATTRIB_MODIFY_DATETIME:
sprintf(data, "SET_ATTRIB_MODIFY_DATETIME");
break;
case SET_ATTRIB_LAST_ACCESS_DATETIME:
sprintf(data, "SET_ATTRIB_LAST_ACCESS_DATETIME");
break;
case GET_ATTRIB_LAST_ACCESS_DATETIME:
sprintf(data, "GET_ATTRIB_LAST_ACCESS_DATETIME");
break;
case SET_ATTRIB_CREATION_DATETIME:
sprintf(data, "SET_ATTRIB_CREATION_DATETIME");
break;
case GET_ATTRIB_CREATION_DATETIME:
sprintf(data, "GET_ATTRIB_CREATION_DATETIME");
break;
}
LogRecord( timelo, datetimelo, datetimehi, "%s\tAttributes\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_FILETIMES:
FilemonGetFullPath( origir->ir_fh, fullpathname, Drive, ResType, CodePage, origir );
if( FilterDef.logreads) {
TIME_DIFF();
switch( origir->ir_flags ) {
case GET_MODIFY_DATETIME:
sprintf(data, "Get Modify");
break;
case SET_MODIFY_DATETIME:
sprintf(data, "Set Modify");
break;
case GET_LAST_ACCESS_DATETIME:
sprintf(data, "Get Access");
break;
case SET_LAST_ACCESS_DATETIME:
sprintf(data, "Set Access");
break;
case GET_CREATION_DATETIME:
sprintf(data, "Get Creation");
break;
case SET_CREATION_DATETIME:
sprintf(data, "Set Creation");
break;
}
LogRecord( timelo, datetimelo, datetimehi, "%s\tAttributes\t%s\t%s\t%s",
processname, fullpathname,
data, ErrorString( retval ));
}
break;
case IFSFN_FLUSH:
if( FilterDef.logwrites) {
TIME_DIFF();
LogRecord( timelo, datetimelo, datetimehi, "%s\tFlushVolume\t\t\t%s",
processname, ErrorString( retval ));
}
break;
case IFSFN_DELETE:
if( FilterDef.logwrites) {
FilemonConvertPath( CONVERT_STANDARD, Drive, origir, CodePage, fullpathname );
TIME_DIFF();
LogRecord( timelo, datetimelo, datetimehi, "%s\tDelete\t%s\t\t%s",
processname, fullpathname, ErrorString( retval ));
}
FilemonFreeHashEntry( Drive, origir->ir_fh );
break;
case IFSFN_SEARCH:
if( FilterDef.logreads ) {
if( origir->ir_flags == SEARCH_FIRST )
FilemonConvertPath( CONVERT_STANDARD, Drive, origir, CodePage, fullpathname );
else
sprintf(fullpathname, "SearchNext" );
TIME_DIFF();
if( !retval ) {
j = 0;
if( origir->ir_attr & FILE_ATTRIBUTE_LABEL ) {
sprintf(data, "VolumeLabel: " );
j = strlen( data );
}
search = (struct srch_entry *) origir->ir_data;
for( i = 0; i < 13; i++ )
if( search->se_name[i] != ' ' ) data[j++] = search->se_name[i];
data[j] = 0;
}
LogRecord( timelo, datetimelo, datetimehi, "%s\tSearch\t%s\t%s\t%s",
processname, fullpathname, data, ErrorString( retval ));
}
break;
case IFSFN_GETDISKINFO:
if( FilterDef.logreads ) {
TIME_DIFF();
if( !retval ) sprintf(data, "Free Space");
drivestring[0] = Drive+'A'-1;
drivestring[1] = ':';
drivestring[2] = 0;
LogRecord( timelo, datetimelo, datetimehi, "%s\tGetDiskInfo\t%s\t%s\t%s",
processname, drivestring, data, ErrorString( retval ));
}
break;
case IFSFN_RENAME:
if( FilterDef.logwrites) {
FilemonConvertPath( CONVERT_RENAME_SOURCE, Drive, origir, CodePage, fullpathname );
TIME_DIFF();
LogRecord( timelo, datetimelo, datetimehi, "%s\tRename\t%s\t%s\t%s",
processname, fullpathname,
FilemonConvertPath( CONVERT_RENAME_TARGET, Drive, origir, CodePage, data ),
ErrorString( retval ));
}
break;
case IFSFN_IOCTL16DRIVE:
if( FilterDef.logreads || FilterDef.logwrites) {
TIME_DIFF();
sprintf(data, "Subfunction: %02Xh", origir->ir_flags );
drivestring[0] = Drive+'A'-1;
drivestring[1] = ':';
drivestring[2] = 0;
LogRecord( timelo, datetimelo, datetimehi, "%s\tIoctl\t%s\t%s\t%s",
processname, drivestring, data, ErrorString( retval ));
}
break;
}
dprintf("==>%d\n", fn );
return retval;
}
#pragma optimize("", on)
//----------------------------------------------------------------------
//
// OnSysDynamicDeviceInit
//
// Dynamic init. Install a file system filter hook.
//
//----------------------------------------------------------------------
BOOL
OnSysDynamicDeviceInit(
VOID
)
{
int i;
MEMHANDLE hLog;
//
// Initialize the locks.
//
LogMutex = Create_Semaphore(1);
HashMutex = Create_Semaphore(1);
FilterMutex = Create_Semaphore(1);
//
// Zero hash table.
//
for(i = 0; i < NUMHASH; i++ ) HashTable[i] = NULL;
//
// Allocate the initial output buffer.
//
PageAllocate(LOGBUFPAGES, PG_SYS, 0, 0, 0, 0, NULL, PAGELOCKED,
(PMEMHANDLE) &hLog, (PVOID) &Log );
Log->Handle = hLog;
Log->Len = 0;
Log->Next = NULL;
NumLog = 1;
//
// Hook IFS functions.
//
PrevIFSHookProc = IFSMgr_InstallFileSystemApiHook(FilemonHookProc);
return TRUE;
}
//----------------------------------------------------------------------
//
// OnSysDynamicDeviceExit
//
// Dynamic exit. Unhook everything.
//
//----------------------------------------------------------------------
BOOL
OnSysDynamicDeviceExit(
VOID
)
{
//
// Unhook IFS functions.
//
IFSMgr_RemoveFileSystemApiHook(FilemonHookProc);
//
// Free all memory.
//
FilemonHashCleanup();
FilemonFreeLog();
FilemonFreeFilters();
return TRUE;
}
//----------------------------------------------------------------------
//
// OnW32Deviceiocontrol
//
// Interface with the GUI.
//
//----------------------------------------------------------------------
DWORD
OnW32Deviceiocontrol(
PIOCTLPARAMS p
)
{
PLOG_BUF old;
switch( p->dioc_IOCtlCode ) {
case 0:
return ERROR_SUCCESS;
case IOCTL_FILEMON_ZEROSTATS:
Wait_Semaphore( LogMutex, BLOCK_SVC_INTS );
while ( Log->Next ) {
//
// Release the next entry.
//
old = Log->Next;
Log->Next = old->Next;
Signal_Semaphore( LogMutex );
PageFree( old->Handle, 0 );
Wait_Semaphore( LogMutex, BLOCK_SVC_INTS );
NumLog--;
}
Log->Len = 0;
Signal_Semaphore( LogMutex );
Sequence = 0;
return ERROR_SUCCESS;
case IOCTL_FILEMON_GETSTATS:
//
// Copy buffer into user space.
Wait_Semaphore( LogMutex, BLOCK_SVC_INTS );
if ( LOGBUFSIZE > p->dioc_cbOutBuf ) {
//
// Buffer is too small. Return error.
//
Signal_Semaphore( LogMutex );
return ERROR_INSUFFICIENT_BUFFER;
} else if ( Log->Len || Log->Next ) {
//
// Switch to a new buffer.
//
FilemonNewLog();
//
// Fetch the oldest buffer to give to caller.
//
old = FilemonOldestLog();
Signal_Semaphore( LogMutex );
//
// Copy it into the caller's buffer.
//
memcpy( p->dioc_OutBuf, old->Data, old->Len );
//
// Return length of copied info.
//
*p->dioc_bytesret = old->Len;
//
// Deallocate the buffer.
//
PageFree( old->Handle, 0 );
} else {
//
// There is no unread data.
//
Signal_Semaphore( LogMutex );
*p->dioc_bytesret = 0;
}
return ERROR_SUCCESS;
case IOCTL_FILEMON_STOPFILTER:
FilterOn = FALSE;
return ERROR_SUCCESS;
case IOCTL_FILEMON_STARTFILTER:
FilterOn = TRUE;
return ERROR_SUCCESS;
case IOCTL_FILEMON_SETFILTER:
FilterDef = * (PFILTER) p->dioc_InBuf;
FilemonUpdateFilters();
return ERROR_SUCCESS;
default:
return ERROR_INVALID_FUNCTION;
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -