标签:blog io os 使用 sp for 文件 on div
windbg脚本方便灵活,但是语法古怪,使用的人不多。windbg扩展功能强大,但是使用的人也很少。抛砖引玉吧。
此脚本可以监控到
a 任意时机 开关机时刻 (挂shutdown 删文件 或者开机挂回调特定时刻删文件)
b 任意底层穿透驱动 bapidrv tsyskit kisapi pchunter 对文件进行的删除 创建 粉碎等敏感操作
$$***************************************************************** $$ Script by kms_hhl to monitor file create read write delete and show call stack $$ Create Time 2014_11 $$ Execute by $$><D:\BaiduYunTongBu\百度云同步盘\windbg_sc\1sc_file_monitor.txt $$***************************************************************** bp Ntfs!NtfsFsdSetInformation" r $t0=poi(poi(poi(esp+8)+64)+34) as /mu $FileNameA $t0 .block { .if ($spat(\" ${$FileNameA} \",\" *virus.dll* \")) { .echo found the pattern .echo $FileNameA ad * } .else { .echo not found the pattern .echo ‘ $FileNameA ‘ ad * gc } }" bp Ntfs!NtfsSetRenameInfo" r $t1=poi(poi(poi(esp+c)+64)+34) as /mu $FileNameB $t1 .block { .if ($spat(\" ${$FileNameB} \",\" *virus.dll* \")) { .echo found the pattern .echo $FileNameB ad * } .else { .echo not found the pattern .echo ‘ $FileNameB ‘ ad * gc } }" bp Ntfs!NtfsSetDispositionInfo" r $t2=poi(poi(poi(esp+c)+64)+34) as /mu $FileNameC $t2 .block { .if ($spat(\" ${$FileNameC} \",\" *virus.dll* \")) { .echo found the pattern .echo $FileNameC ad * } .else { .echo not found the pattern .echo ‘ $FileNameC ‘ ad * gc } }"
标签:blog io os 使用 sp for 文件 on div
原文地址:http://www.cnblogs.com/kmshhl/p/4116343.html