Simple API hooking to prevent file deletion?

Ele*_*ios 7 .net vb.net hook winapi easyhook

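I would like to intercept when the user deletes a file in any directory, by hooking the required API function(s), so that I can ask a simple boolean question in a message box: "Really, would you like to delete this file?". The question is just an example to express that I want control over the file, either to delete it or to prevent the deletion.

My OS is Windows 8 x64, but I would like to write a generic method that also works on other Windows versions and architectures (if that doesn't make it a much bigger headache).

In this SO question I have read that the best option is to hook the NtSetFileInformation function (Intercept FIleSytemCall for Deletion). I have also seen that there is a WinAPI function named DeleteFile, and also the ICopyHook interface. I don't know the differences between them, and anyway I really don't know how to start doing this...

I want to clarify that I'm looking for a VB.NET solution. I'm getting a headache because these API-hooking libraries have no VB.NET code examples, and converting C# code to VB.NET goes very wrong when complex code is involved.

Edit: I found an EasyHook library example for NtSetFileInformation that seems to fit my needs perfectly, but it is C# code and I tried to translate it without success: Hooking NtdCreateFile API with EasyHook (c#)

So, I have tried using the Deviare library 2.6, but it does nothing: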

Public Class Form1

    Private _mgr As Deviare2.NktSpyMgr = Nothing
    Private WithEvents _hook As Deviare2.NktHook = Nothing
    Private _proc As Deviare2.INktProcess = Nothing

    Private Shadows Sub Shown() Handles MyBase.Shown

        _mgr = New Deviare2.NktSpyMgr()
        _hook = _mgr.CreateHook("ntdll.dll!NtSetFileInformation", Nothing)
        _hook.Hook()

    End Sub

    Private Sub OnFunctionCalled(ByVal proc As Deviare2.INktProcess,
                                 ByVal callInfo As Deviare2.INktHookCallInfo,
                                 ByVal rCall As Deviare.IRemoteCall) Handles _hook.OnFunctionCalled

        MsgBox("Caught function call in " & proc.Name)

    End Sub

End Class

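Basically the code above is the same as the one @mazoula posted in his answer here, Hooking another program's call to a winapi function in vb.net. He says the code worked for him, but I tried it as-is (without making my modifications above) and it threw an exception at the _hook.Attach(_mgr.Processes) instruction.

I have also tried the EasyHook library, but again nothing happens when I delete a file from Explorer.exe or from CMD. The code is a translation of this C# code: http://www.codeproject.com/Questions/528094/DeleteFileplushookingpluswithplusEasyHookplussucce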

Imports System.Runtime.InteropServices
Imports EasyHook

Public Class Form1

    <DllImport("kernel32.dll", CharSet:=CharSet.Unicode, CallingConvention:=CallingConvention.StdCall)>
    Private Shared Function DeleteFile(filename As String) As Integer
    End Function

    <UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet:=CharSet.Unicode)>
    Private Delegate Function DeleteFileHandler(filename As String) As Integer

    Private Shared deleted As Boolean = False

    public Function DeleteFileHookInstance(filename As String) As Integer
        MsgBox("works?")
        If deleted Then
            deleted = False
            Return 1
        End If
        If MessageBox.Show((Convert.ToString("Do you really want to delete file ") & filename) + "?", "Confirm delete file", MessageBoxButtons.YesNo, MessageBoxIcon.Question) = DialogResult.Yes Then
            deleted = True
            Return DeleteFile(filename)
        Else
            Return 1
        End If
        'Assume the call is successful
    End Function

    Public Sub Run()

        Dim hook As EasyHook.LocalHook

        Try
            MsgBox("Creating...")
            hook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"), New DeleteFileHandler(AddressOf DeleteFileHookInstance), Me)
            'It stops here; the main interface receives the reported status 'Creating...' seemingly forever. I understand that this is due to the unexpected restart of explorer.exe
            MsgBox("Completing...")
            hook.ThreadACL.SetExclusiveACL(New Integer() {0})
            RemoteHooking.WakeUpProcess()
            MsgBox("OK")
        Catch ex As Exception
            MsgBox("CreateHook failed: " + ex.Message)
            System.Diagnostics.Process.GetCurrentProcess().Kill()
        End Try
        While True
            Application.DoEvents()
        End While
    End Sub

    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        Run()
    End Sub

End Class

Ele*_*ios 2

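A few days ago I wrote this method to solve the problem temporarily, but I can't guarantee 100% that it works properly in all cases (for example, the user can press Ctrl+Z to undo the file deletion, and my method's logic uses the file's datetime attribute to try to pick the last deleted file, which I'm not 100% sure is safe). This works for now, but I would like to learn how to do API hooking instead of this.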


Obviously, this does not work for permanent file deletions.

Imports System.IO
Imports Shell32

Public Class Test

    Private SH As New Shell
    Private RecycleBin As Folder = SH.NameSpace(ShellSpecialFolderConstants.ssfBITBUCKET)
    Private WithEvents FSW As New FileSystemWatcher

    Private Shadows Sub Load() _
    Handles MyBase.Load

        With FSW
            .Path = "C:\Test"
            .IncludeSubdirectories = True
            .Filter = "*"
            .NotifyFilter = NotifyFilters.FileName Or NotifyFilters.DirectoryName
            .EnableRaisingEvents = True
        End With

    End Sub

    Private Sub OnItemDeleted(sender As FileSystemWatcher, e As FileSystemEventArgs) _
    Handles FSW.Deleted

        Dim DeletedItems As IEnumerable(Of FolderItem) =
            RecycleBin.Items.Cast(Of FolderItem).
                             Where(Function(Item) Item.Name = e.Name).
                             OrderBy(Function(Item) Item.ModifyDate)

        Dim LastDeletedItem As Shell32.FolderItem = DeletedItems.LastOrDefault

        If LastDeletedItem IsNot Nothing Then

            If (LastDeletedItem.IsFolder AndAlso Directory.Exists(e.FullPath)) _
               OrElse (Not LastDeletedItem.IsFolder AndAlso File.Exists(e.FullPath)) Then

                Throw New Exception(String.Format("¿ Item has been restored ?: {0}", e.FullPath))
                Exit Sub

            End If

            LastDeletedItem.InvokeVerb("undelete")

        End If

    End Sub

End Class
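
Added example, not part of either post above: the ntdll export is named NtSetInformationFile, and a hook on it receives a FileInformationClass value plus a buffer, so the handler must decode both to tell a delete request from any other call. The helper name Classify and its return strings are hypothetical, the sample buffer is constructed, and treating a rename into \$Recycle.Bin\ as a Recycle Bin delete is an assumption about how the shell moves files; no hook is installed here.

```vbnet
Imports System
Imports System.Runtime.InteropServices

' Added example: classifies the FileInformationClass/buffer pair that a hook on
' ntdll!NtSetInformationFile would receive. It must run with the same bitness
' as the hooked process, because the rename structure contains a HANDLE.
Module DeleteRequestClassifier

    ' FILE_INFORMATION_CLASS values from the Windows Driver Kit headers.
    Private Const FileRenameInformation As Integer = 10
    Private Const FileDispositionInformation As Integer = 13
    Private Const FileDispositionInformationEx As Integer = 64
    Private Const FILE_DISPOSITION_DELETE As Integer = &H1

    ' Hypothetical helper: returns "delete", "recycle" or "other".
    Public Function Classify(infoClass As Integer, buffer As IntPtr, length As Integer) As String
        Select Case infoClass
            Case FileDispositionInformation
                ' FILE_DISPOSITION_INFORMATION { BOOLEAN DeleteFile }
                If length >= 1 AndAlso Marshal.ReadByte(buffer) <> 0 Then Return "delete"
            Case FileDispositionInformationEx
                ' FILE_DISPOSITION_INFORMATION_EX { ULONG Flags }
                If length >= 4 AndAlso (Marshal.ReadInt32(buffer) And FILE_DISPOSITION_DELETE) <> 0 Then Return "delete"
            Case FileRenameInformation
                ' FILE_RENAME_INFORMATION: flag, RootDirectory handle, FileNameLength, FileName
                Dim lenOffset As Integer = 2 * IntPtr.Size
                If length < lenOffset + 4 Then Return "other"
                Dim nameBytes As Integer = Marshal.ReadInt32(buffer, lenOffset)
                If nameBytes < 0 OrElse nameBytes > length - lenOffset - 4 Then Return "other"
                Dim target As String = Marshal.PtrToStringUni(IntPtr.Add(buffer, lenOffset + 4), nameBytes \ 2)
                ' Assumption: a move to the Recycle Bin shows up as a rename into \$Recycle.Bin\
                If target.IndexOf("\$Recycle.Bin\", StringComparison.OrdinalIgnoreCase) >= 0 Then Return "recycle"
        End Select
        Return "other"
    End Function

    Sub Main()
        ' Constructed sample buffer: FILE_DISPOSITION_INFORMATION with DeleteFile = TRUE.
        Dim buf As IntPtr = Marshal.AllocHGlobal(1)
        Try
            Marshal.WriteByte(buf, 1)
            Console.WriteLine(Classify(FileDispositionInformation, buf, 1))
        Finally
            Marshal.FreeHGlobal(buf)
        End Try
    End Sub
End Module
```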