发表新帖
发表新帖

Intercept FIleSytemCall for Deletion

后端 未结
关注
3 1868
长发绾君心
长发绾君心 2020-12-12 06:34

Is there a way to detect deletion of a file before windows performs the deletion? I found FileSystemWatcher class but the event is raised only after the delete action is per

3条回答
  • 轮回少年
    轮回少年 (楼主)
    2020-12-12 07:07

    I think the simpliest way is to use a hook to get notified (and eventually to stop) the process. It can't be done in .NET so you have to DllImport a lot of structures and few functions to P/Invoke.

    Let's start your job with the NtSetFileInformation (undocumented) function. It's the function called by anything else when a file need to be deleted (with the FileDispositionInformation structure).

    Now the problem is how to hook that function (good luck, it's not easy). A good choice can be to use Microsoft Detours. Take a look to this article for an example. Its problem is that it's not free. An alternative solution (with a reasonable price and with a .NET interface) is Deviare but I never tried even their free version so I don't know how much it's good. If someone else knows a good interception tool...

    0 讨论(0)
 看不清?
提交回复
热议问题