I would like to intercept a user's file deletion in any directory by hooking the required API function, and ask a simple boolean question in a message box, "Really Would you like to Delete this file?". The question is meant to express that I want to take control of the file, to delete it or to prevent its deletion.

My OS is Windows 8 x64, but I would like to write a generic method that also works on other Windows versions and their architectures (if this does not cause much more trouble).

In this SO question I have read that the best choice is to hook the NtSetFileInformation function: Intercept FIleSytemCall for Deletion. By the way, I have seen that there is a WinAPI function named DeleteFile and also the interface ICopyHook, but I don't know the differences between them, and in any case I really don't know how to start doing this...

I would like to clarify that I am looking for a VBNET solution, because Google lacks any VBNET code examples for these API-hooking libraries, and when the code is complex, translating C# code to VBNET goes badly wrong.

EDIT: I have found an EasyHook library example about NtSetFileInformation that seems perfect for my needs, but it is C# code and I tried to translate it without success: Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)

So, I tried the Deviare library 2.6, but it did nothing:

    Public Class Form1

        Private _mgr As Deviare2.NktSpyMgr = Nothing
        Private WithEvents _hook As Deviare2.NktHook = Nothing
        Private _proc As Deviare2.INktProcess = Nothing

        Private Shadows Sub Shown() Handles MyBase.Shown
            _mgr = New Deviare2.NktSpyMgr()
            _hook = _mgr.CreateHook("ntdll.dll!NtSetFileInformation", Nothing)
            _hook.Hook()
        End Sub

        Private Sub OnFunctionCalled(ByVal proc As Deviare2.INktProcess,
                                     ByVal callInfo As Deviare2.INktHookCallInfo,
                                     ByVal rCall As Deviare.IRemoteCall) Handles _hook.OnFunctionCalled
            MsgBox("Caught function call in " & proc.Name)
        End Sub

    End Class

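Basically, the code above is the same as the answer by @mazoula here: hooking another program's calls to winapi functions in vb.net. He said the code worked for him, but I have tried it (without the modifications above) and it threw an exception at the _hook.Attach(_mgr.Processes) instruction.

In addition, I have also tried the EasyHook library, but it does nothing when I delete a file from Explorer.exe or from CMD. The code is a translation of this C# code: http://www.codeproject.com/Questions/528094/DeleteFileplushookingpluswithplusEasyHookplussucce

    Imports System.Runtime.InteropServices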
    Imports EasyHook

    Public Class Form1

        <DllImport("kernel32.dll", CharSet:=CharSet.Unicode, CallingConvention:=CallingConvention.StdCall)>
        Private Shared Function DeleteFile(filename As String) As Integer
        End Function

        <UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet:=CharSet.Unicode)>
        Private Delegate Function DeleteFileHandler(filename As String) As Integer

        Private Shared deleted As Boolean = False

        Public Function DeleteFileHookInstance(filename As String) As Integer
            MsgBox("works?")
            If deleted Then
                deleted = False
                Return 1
            End If
            If MessageBox.Show((Convert.ToString("Do you really want to delete file ") & filename) + "?", "Confirm delete file", MessageBoxButtons.YesNo, MessageBoxIcon.Question) = DialogResult.Yes Then
                deleted = True
                Return DeleteFile(filename)
            Else
                Return 1
            End If
            'Assume the call is successful
        End Function

        Public Sub Run()
            Dim hook As EasyHook.LocalHook
            Try
                MsgBox("Creating...")
                hook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"), New DeleteFileHandler(AddressOf DeleteFileHookInstance), Me)
                'It stops here, the main interface receives the reported status 'Creating...' seemingly forever, I understand that is for the unexpected restarting of explorer.exe
                MsgBox("Completing...")
                hook.ThreadACL.SetExclusiveACL(New Integer() {0})
                RemoteHooking.WakeUpProcess()
                MsgBox("OK")
            Catch ex As Exception
                MsgBox("CreateHook failed: " + ex.Message)
                System.Diagnostics.Process.GetCurrentProcess().Kill()
            End Try
            While True
                Application.DoEvents()
            End While
        End Sub

        Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
            Run()
        End Sub

    End Class