实时监控文件复制(在线等待。。。。) ( 积分: 200 )

问题描述：<br>1：实时监控文件复制操作（不知道源文件及目标文件），获取复制的源文件名及目标文件名？<br>2：如果该源文件满足某种规则时需要特殊处理。比如说：copy c:/123.txt 到 a:/123.txt时，拷贝到a盘的实际上是c:/123.txt 的一个加密文件。如何做到实时加密？<br>请高手们指点谜经！！！<br>我只有这么多分，不够以后补。。。。。！

问题描述：<br>1：实时监控文件复制操作（不知道源文件及目标文件），获取复制的源文件名及目标文件名？<br>2：如果该源文件满足某种规则时需要特殊处理。比如说：copy c:/123.txt 到 a:/123.txt时，拷贝到a盘的实际上是c:/123.txt 的一个加密文件。如何做到实时加密？<br>请高手们指点谜经！！！<br>我只有这么多分，不够以后补。。。。。！

这是个很难的问题<br>用apihook不一定能够完全监控到文件访问<br>另外，从驱动级来考虑也不一定能够确定是不是拷贝的操作<br>个人看法

to:iamy <br>是不是只能用VXD 或者 WDM来写呀。我还没有头绪呢

基本上,可以通过HOOK来实现,安道理上说,能拦截决大多数的文件操作<br>因为多数程序为了实现容易都是使用了API或者封装了API的东西来实现文件操作<br>不过对于那些基于硬件的文件操作只有底层的硬件编程来实现(需要拦截中断向量INT13实现)并且在NT内核的系统(就是winnt,2000,xp,2003)内不允许用户程序直接对硬件操作(为了系统安全起见)

还是晕呀，有没有人能指点一二？

所谓：不知道源文件及目标文件<br>是你要自己输入源文件及目标文件名呢？还是在机器上有别的程序进行该动作，而你要截获？

ref to the example CopyHook, which shipped with delphi5 or earlier.

to wangergulei ：操作人员的动作，比如说你随便从c:拷贝一个文件到d: 要截获c:盘的文件名

参考 http://www.xker.com/article/articleview/2005-5-1/article_view_1261.htm 类似帖子网上有很多，我编译后只能在98下起作用。

to newsmile:这个程序能起到监控作用，但他不能区分拷贝和新建立的文件，把拷贝和新建立的文件都表现为‘建立文件’，而且不能截获拷贝动作。比如说：copy c:/1.txt d:/1.txt 能否做到截获这个拷贝动作，让他不拷贝到d:/1.txt 而是拷贝到我默认的e:盘下面？

有没有人能指点一下呀，分数不够可以再加。

我同意铁男的说法。<br>但是我想，可能不必关心硬件或Int13，只要知道是哪个DLL来完成文件拷贝操作的，而且对这个DLL有详细了解，那么替换这个DLL,可以记录拷贝过程和实现加密处理。

在NT系统中一般只要hook住SHOperation就能获取当前复制，删除，重命名文件了

在Windows下有一个未公开函数SHChangeNotifyRegister可以吧你的窗口添加到系统的系统消息监视链中，该函数在Delphi <br><br>中的定义如下： <br>Function <br>SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord; <br><br> &nbsp; &nbsp; &nbsp; &nbsp; lppsIDLSTRUCT):integer;stdcall;external <br>'Shell32.dll' index 2; <br>其中参数hWnd定义了监视系统操作的窗口得句柄，参数uFlags <br>dwEventID定义监视操作参数，参数uMsg定义操作消息，参数cItems <br>定义附加参数，参数lpps指定一个PIDLSTRUCT结构，该结构指定监视的目录。 <br> &nbsp; &nbsp;当函数调用成功之后，函数会返回一个监视操作句柄，同时系统就会将hWnd指定的窗口加入到操作监视链中，当有文件操作发生 <br><br>时，系统会向hWnd发送uMsg指定的消息，我们只要在程序中加入该消息的处理函数就可以实现对系统操作的监视了。 <br>如果要退出程序监视，就要调用另外一个未公开得函数SHChangeNotifyDeregister来取消程序监视。 <br> &nbsp; &nbsp;<br>下面是使用Delphi编写的具体程序实现范例，首先建立一个新的工程文件，然后在Form1中加入一个Button控件和一个Memo控件， <br><br>程序的代码如下： <br>unit MAIN;<br><br>interface<br><br>uses <br> &nbsp;Windows, Messages, SysUtils, Classes, Graphics, Controls, <br>Forms, Dialogs, <br> &nbsp;StdCtrls,shlobj,Activex; <br><br>const <br> &nbsp;SHCNE_RENAMEITEM = $1; <br> &nbsp;SHCNE_CREATE = $2; <br> &nbsp;SHCNE_DELETE = $4; <br> &nbsp;SHCNE_MKDIR = $8; <br> &nbsp;SHCNE_RMDIR = $10; <br> &nbsp;SHCNE_MEDIAINSERTED = $20; <br> &nbsp;SHCNE_MEDIAREMOVED = $40; <br> &nbsp;SHCNE_DRIVEREMOVED = $80; <br> &nbsp;SHCNE_DRIVEADD = $100; <br> &nbsp;SHCNE_NETSHARE = $200; <br> &nbsp;SHCNE_NETUNSHARE = $400; <br> &nbsp;SHCNE_ATTRIBUTES = $800; <br> &nbsp;SHCNE_UPDATEDIR = $1000; <br> &nbsp;SHCNE_UPDATEITEM = $2000; <br> &nbsp;SHCNE_SERVERDISCONNECT = $4000; <br> &nbsp;SHCNE_UPDATEIMAGE = $8000; <br> &nbsp;SHCNE_DRIVEADDGUI = $10000; <br> &nbsp;SHCNE_RENAMEFOLDER = $20000;<br> &nbsp;SHCNE_FREESPACE = $40000; <br> &nbsp;SHCNE_ASSOCCHANGED = $8000000; <br> &nbsp;SHCNE_DISKEVENTS = $2381F; <br> &nbsp;SHCNE_GLOBALEVENTS = $C0581E0; <br> &nbsp;SHCNE_ALLEVENTS = $7FFFFFFF; <br> &nbsp;SHCNE_INTERRUPT = $80000000; <br><br> &nbsp;SHCNF_IDLIST = 0; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // &nbsp;LPITEMIDLIST <br> &nbsp;SHCNF_PATHA = $1; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // path name <br> &nbsp;SHCNF_PRINTERA = $2; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// printer friendly name <br> &nbsp;SHCNF_DWORD = $3; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // DWORD <br> &nbsp;SHCNF_PATHW = $5; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; // path name <br> &nbsp;SHCNF_PRINTERW = $6; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// printer friendly name <br> &nbsp;SHCNF_TYPE = $FF; <br><br> &nbsp;SHCNF_FLUSH = $1000; <br><br> &nbsp;SHCNF_FLUSHNOWAIT = $2000; <br> &nbsp;SHCNF_PATH = SHCNF_PATHW; <br> &nbsp;SHCNF_PRINTER = SHCNF_PRINTERW; <br><br> &nbsp;WM_SHNOTIFY = $401; <br> &nbsp;NOERROR = 0; <br><br>type<br> &nbsp;TForm1 = class(TForm)<br> &nbsp; &nbsp;Memo1: TMemo;<br> &nbsp; &nbsp;Button1: TButton;<br> &nbsp; &nbsp;procedure FormClose(Sender: TObject; var Action: <br>TCloseAction);<br> &nbsp; &nbsp;procedure Button1Click(Sender: TObject);<br> &nbsp; &nbsp;procedure FormCreate(Sender: TObject);<br> &nbsp;private<br> &nbsp; &nbsp;{ Private declarations } <br> &nbsp; &nbsp;procedure WMShellReg(var Message:TMessage);message <br>WM_SHNOTIFY;<br> &nbsp;public<br> &nbsp; &nbsp;{ Public declarations }<br> &nbsp;end;<br><br>type PSHNOTIFYSTRUCT=^SHNOTIFYSTRUCT; <br> &nbsp;SHNOTIFYSTRUCT = record <br> &nbsp; &nbsp;dwItem1 : PItemIDList; <br> &nbsp; &nbsp;dwItem2 : PItemIDList; <br> &nbsp;end; <br><br>Type PSHFileInfoByte=^SHFileInfoByte; <br> &nbsp;_SHFileInfoByte = record <br> &nbsp; &nbsp;hIcon :Integer; <br> &nbsp; &nbsp;iIcon :Integer; <br> &nbsp; &nbsp;dwAttributes : Integer; <br> &nbsp; &nbsp;szDisplayName : array [0..259] of char;<br> &nbsp; &nbsp;szTypeName : array [0..79] of char; <br> &nbsp;end; <br> &nbsp;SHFileInfoByte=_SHFileInfoByte; <br><br>Type PIDLSTRUCT = ^IDLSTRUCT;<br> &nbsp;_IDLSTRUCT = record <br> &nbsp; &nbsp;pidl : PItemIDList;<br> &nbsp; &nbsp;bWatchSubFolders : LongInt;<br> &nbsp;end; <br> &nbsp;IDLSTRUCT =_IDLSTRUCT; <br><br><br>function SHNotify_Register(hWnd : Integer) : Bool; <br>function SHNotify_UnRegister:Bool; <br>function <br>SHEventName(strPath1,strPath2:string;lParam:Integer):string; <br><br>Function <br>SHChangeNotifyDeregister(hNotify:integer):integer;stdcall;<br> &nbsp; &nbsp; &nbsp; &nbsp; external 'Shell32.dll' name <br>'SHChangeNotifyDeregister';<br>Function <br>SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord;<br> &nbsp; &nbsp; &nbsp; &nbsp; lppsIDLSTRUCT):integer;stdcall;external <br>'Shell32.dll' name 'SHChangeNotifyRegister';<br>Function SHGetFileInfoPidl(pidl : PItemIDList; <br> &nbsp; &nbsp; &nbsp; &nbsp; dwFileAttributes : Integer; <br> &nbsp; &nbsp; &nbsp; &nbsp; psfib : PSHFILEINFOBYTE;<br> &nbsp; &nbsp; &nbsp; &nbsp; cbFileInfo : Integer; <br> &nbsp; &nbsp; &nbsp; &nbsp; uFlags : Integer):Integer;stdcall;<br> &nbsp; &nbsp; &nbsp; &nbsp; external 'Shell32.dll' name 'SHGetFileInfoA';<br><br>var<br> &nbsp;Form1: TForm1;<br> &nbsp;m_hSHNotify:Integer; <br> &nbsp;m_pidlDesktop : PItemIDList;<br><br>implementation<br><br>{$R *.dfm}<br>function <br>SHEventName(strPath1,strPath2:string;lParam:Integer):string; <br>var <br> &nbsp;sEvent:String; <br>begin <br> &nbsp;case lParam of &nbsp; &nbsp; &nbsp; &nbsp;//根据参数设置提示消息<br> &nbsp; &nbsp;SHCNE_RENAMEITEM: sEvent := '重命名文件'+strPath1+'为'+strpath2; <br><br> &nbsp; &nbsp;SHCNE_CREATE: sEvent := '建立文件 文件名：'+strPath1; <br> &nbsp; &nbsp;SHCNE_DELETE: sEvent := '删除文件 文件名：'+strPath1; <br> &nbsp; &nbsp;SHCNE_MKDIR: sEvent := '新建目录 目录名：'+strPath1; <br> &nbsp; &nbsp;SHCNE_RMDIR: sEvent := '删除目录 目录名：'+strPath1; <br> &nbsp; &nbsp;SHCNE_MEDIAINSERTED: sEvent := strPath1+'中插入可移动存储介质'; <br> &nbsp; &nbsp;SHCNE_MEDIAREMOVED: sEvent := <br>strPath1+'中移去可移动存储介质'+strPath1+' '+strpath2; <br> &nbsp; &nbsp;SHCNE_DRIVEREMOVED: sEvent := '移去驱动器'+strPath1; <br> &nbsp; &nbsp;SHCNE_DRIVEADD: sEvent := '添加驱动器'+strPath1; <br> &nbsp; &nbsp;SHCNE_NETSHARE: sEvent := '改变目录'+strPath1+'的共享属性'; <br><br> &nbsp; &nbsp;SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性 文件名'+strPath1; <br> &nbsp; &nbsp;SHCNE_UPDATEDIR: sEvent := '更新目录'+strPath1; <br> &nbsp; &nbsp;SHCNE_UPDATEITEM: sEvent := '更新文件 文件名：'+strPath1; <br> &nbsp; &nbsp;SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接'+strPath1+' <br>'+strpath2; <br> &nbsp; &nbsp;SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE'; <br> &nbsp; &nbsp;SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI'; <br> &nbsp; &nbsp;SHCNE_RENAMEFOLDER: sEvent := <br>'重命名文件夹'+strPath1+'为'+strpath2; <br> &nbsp; &nbsp;SHCNE_FREESPACE: sEvent := '磁盘空间大小改变'; <br> &nbsp; &nbsp;SHCNE_ASSOCCHANGED: sEvent := '改变文件关联'; <br> &nbsp;else <br> &nbsp; &nbsp;sEvent:='未知操作'+IntToStr(lParam); <br> &nbsp;end; <br> &nbsp;Result:=sEvent; <br>end; <br><br>function SHNotify_Register(hWnd : Integer) : Bool; <br>var <br> &nbsp;psIDLSTRUCT;<br>begin <br> &nbsp;{$R-} <br> &nbsp;Result:=False;<br> &nbsp;New(ps);<br> &nbsp;If m_hSHNotify = 0 then begin <br> &nbsp; &nbsp;//获取桌面文件夹的Pidl<br> &nbsp; &nbsp;if SHGetSpecialFolderLocation(0, <br>CSIDL_DESKTOP,m_pidlDesktop)&lt;&gt; NOERROR then<br> &nbsp; &nbsp; &nbsp; &nbsp;Form1.close; <br> &nbsp; &nbsp;if Boolean(m_pidlDesktop) then begin<br> &nbsp; &nbsp; &nbsp;ps.bWatchSubFolders := 1;<br> &nbsp; &nbsp; &nbsp;ps.pidl := m_pidlDesktop;<br><br> &nbsp; &nbsp; &nbsp;// 利用SHChangeNotifyRegister函数注册系统消息处理 <br> &nbsp; &nbsp; &nbsp;m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE <br>Or SHCNF_IDLIST), <br> &nbsp; &nbsp; &nbsp;(SHCNE_ALLEVENTS Or <br>SHCNE_INTERRUPT), <br> &nbsp; &nbsp; &nbsp;WM_SHNOTIFY, 1, ps); <br><br> &nbsp; &nbsp; &nbsp;Result := Boolean(m_hSHNotify); <br> &nbsp; &nbsp;end <br> &nbsp; &nbsp;Else <br> &nbsp; &nbsp; &nbsp;// 如果出现错误就使用 CoTaskMemFree函数来释放句柄 <br> &nbsp; &nbsp; &nbsp;CoTaskMemFree(m_pidlDesktop); <br> &nbsp;End;<br> &nbsp;Dispose(ps);<br> &nbsp;{$R+} <br>end; <br><br>function SHNotify_UnRegister:Bool; <br>begin <br> &nbsp;Result:=False; <br> &nbsp;If Boolean(m_hSHNotify) Then <br> &nbsp; &nbsp;//取消系统消息监视，同时释放桌面的Pidl<br> &nbsp; &nbsp;If Boolean(SHChangeNotifyDeregister(m_hSHNotify)) Then <br>begin <br> &nbsp; &nbsp; &nbsp;{$R-} <br> &nbsp; &nbsp; &nbsp;m_hSHNotify := 0; <br> &nbsp; &nbsp; &nbsp;CoTaskMemFree(m_pidlDesktop); <br> &nbsp; &nbsp; &nbsp;Result := True; <br> &nbsp; &nbsp; &nbsp;{$R-} <br> &nbsp; &nbsp;End; <br>end; <br><br>procedure TForm1.WMShellReg(var Message:TMessage); &nbsp; &nbsp; &nbsp;<br>//系统消息处理函数 <br>var <br> &nbsp;strPath1,strPath2:String; <br> &nbsp;charPath:array[0..259]of char; <br> &nbsp;pidlItemSHNOTIFYSTRUCT; <br>begin <br> &nbsp;pidlItem:=PSHNOTIFYSTRUCT(Message.wParam); <br> &nbsp;//获得系统消息相关得路径 <br> &nbsp;SHGetPathFromIDList(pidlItem.dwItem1,charPath); <br> &nbsp;strPath1:=charPath; <br> &nbsp;SHGetPathFromIDList(pidlItem.dwItem2,charPath); <br> &nbsp;strPath2:=charPath; <br><br> &nbsp;<br>Memo1.Lines.Add(SHEvEntName(strPath1,strPath2,Message.lParam)+chr(13)+chr(10)); <br><br>end; <br><br>procedure TForm1.FormClose(Sender: TObject; var Action: <br>TCloseAction); <br>begin <br> &nbsp;//在程序退出的同时删除监视 <br> &nbsp;if Boolean(m_pidlDesktop) then <br> &nbsp; &nbsp;SHNotify_Unregister; <br>end; <br><br>procedure TForm1.Button1Click(Sender: TObject); <br>//Button1的Click消息 <br>begin <br> &nbsp;m_hSHNotify:=0; <br> &nbsp;if SHNotify_Register(Form1.Handle) then begin //注册Shell监视 <br> &nbsp; &nbsp;ShowMessage('Shell监视程序成功注册'); <br> &nbsp; &nbsp;Button1.Enabled := False; <br> &nbsp;end <br> &nbsp;else <br> &nbsp; &nbsp;ShowMessage('Shell监视程序注册失败'); <br>end; <br><br>procedure TForm1.FormCreate(Sender: TObject); <br>begin <br> &nbsp;Button1.Caption := '打开监视'; <br>end; <br><br>end.

顶上去

2k下用啥函数。？