监视由 Windows 中的进程完成的某些系统调用
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/864839/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Monitoring certain system calls done by a process in Windows
提问by JesperE
I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using stracewith suitable parameters, but how can I do this on Windows?
我希望能够监视进程发出的某些系统调用,主要是文件 I/O 调用。在 Linux 上,我可能可以使用带有合适参数的strace摆脱困境,但我如何在 Windows 上做到这一点?
I'm primarily interested in running a process and figuring out which files it has read and written.
我主要对运行一个进程并弄清楚它读取和写入了哪些文件感兴趣。
I want to do this programmatically from another process. I'm aware of Process Monitor, but I would like to receive the data in a form which I can import into another program for further analysis.
我想从另一个进程以编程方式执行此操作。我知道Process Monitor,但我想以一种形式接收数据,我可以将其导入另一个程序以进行进一步分析。
If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speedis fairly important; I was planning on doing this for things like compiling a C++-file, and pulling up a full GUI which generates a 20 MB logfile will have prohibitive overhead.
如果我进一步缩小我的要求,那么能够监视对 CreateFile() 的调用可能就足够了。我真的只对打开的文件感兴趣,以及它们是为了读/写还是只读而打开的。我没有真正说明的另一个要求是速度相当重要;我计划为诸如编译 C++ 文件之类的事情执行此操作,并且拉出一个生成 20 MB 日志文件的完整 GUI 将具有令人望而却步的开销。
It would also be nice if it did not require administrative privileges.
如果它不需要管理权限也很好。
采纳答案by Michael
There are several options on Windows.
Windows 上有几个选项。
Windows Performance Toolkitcan be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin trace variously classes of events and save to an ETL file that you can then process or view using the same tools later.
Windows Performance Toolkit可用于启用各种系统事件的跟踪,包括文件 I/O,并包括用于处理和查看这些事件的工具。您可以使用 xperf 开始跟踪不同类别的事件并将其保存到 ETL 文件中,然后您可以稍后使用相同的工具处理或查看该文件。
Process Monitorfrom Sysinternalsis another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. http://blogs.msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspxalso shows how to run Process Monitor in an automated fashion.
进程监视器从Sysinternals的是另一种,非常容易使用,选项,使您能够快速查看所有文件和注册表访问系统上做任何处理。http://blogs.msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspx还展示了如何以自动化方式运行进程监视器。
If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.
如果您想完全以编程方式执行此操作,您可以使用 ETW 函数(StartTrace、EnableTrace 等)来捕捉文件 I/O 事件并保存到 ETL 文件。示例代码在这里。
回答by kcwu
On Windows, you can use Process Monitorto monitor process activity (I/O and registry). I guess this fits your need if you don't really want to know the system calls.
在 Windows 上,您可以使用进程监视器来监视进程活动(I/O 和注册表)。如果您真的不想知道系统调用,我想这适合您的需要。
And you can use winapioverride32to monitor API calls.
并且您可以使用winapioverride32来监控 API 调用。
回答by ds-bos-msk
API Monitorby Rohitab Batra is very good for system calls.
Rohitab Batra 的API Monitor非常适合系统调用。
回答by Pablo Yabo
Another way is to use Deviare API Hookand intercept all user-mode system calls that you want. Using this framework you can code a generic handler for all calls since the parameters can be read using COM interfaces (for example, each parameter is an INktParam, and you can get the value using INktParam.Value).
另一种方法是使用Deviare API Hook并拦截您想要的所有用户模式系统调用。使用此框架,您可以为所有调用编写通用处理程序,因为可以使用 COM 接口读取参数(例如,每个参数都是一个 INktParam,您可以使用 INktParam.Value 获取值)。
Another alternative, but it will cost some money, is to use SpyStudiofrom the same company. This product has a command-line option that is useful to collect logs without a GUI.
另一种选择,但它会花费一些钱,是使用同一家公司的SpyStudio。该产品有一个命令行选项,可用于在没有 GUI 的情况下收集日志。
回答by Pablo Yabo
Use FileMon(now integrated into Process Monitor).
使用FileMon(现在集成到Process Monitor 中)。
回答by bk1e
Another Windows API tracing tool: logexts.dll(part of the Debugging Tools for Windows), which can be run from inside WinDbg/ntsd/cdb or through a standalone logger.exeprogram.
另一个 Windows API 跟踪工具:logexts.dll(Windows 调试工具的一部分),可以从WinDbg/ntsd/cdb内部或通过独立logger.exe程序运行。
回答by Matt Joiner
Use strace. Example output:
使用strace. 示例输出:
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
getdents64(3, /* 18 entries */, 4096) = 496
getdents64(3, /* 0 entries */, 4096) = 0
close(3) = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f2c000
write(1, "autofs\nbackups\ncache\nflexlm\ngames"..., 86autofsA
