windbg script practice 1 -- monitoring the creation, deletion, reads and writes of a specific file


WinDbg scripts are convenient and flexible, but their syntax is odd and few people use them. WinDbg extensions are powerful, but also little used. This is offered as a starting point.

This script can catch file operations:

a. at any moment, including shutdown and boot (for example a shutdown hook that deletes a file, or a boot-time callback that deletes it at a chosen point), because a kernel-debugger breakpoint is live for as long as the debugger is attached, independent of any user-mode hook or filter driver;

b. performed by any low-level pass-through driver (bapidrv, tsyskit, kisapi, PCHunter) that deletes, creates or shreds the file, because the breakpoints sit inside Ntfs.sys itself, below the filter manager, and fire no matter which driver built the IRP.

Two caveats on what it matches. The name is taken from FILE_OBJECT.FileName, the path given at open time relative to the volume device (so no drive letter), which is why the pattern is a wildcard like *virus.dll* rather than a full path. And only requests that actually reach Ntfs.sys are seen: NTFS volumes only, and writes aimed directly at the volume or disk device underneath the file system go unobserved. As posted, the script covers the IRP_MJ_SET_INFORMATION path, that is rename and delete disposition; to also catch creates, reads and writes, put the same pointer chain on Ntfs!NtfsFsdCreate, Ntfs!NtfsFsdRead and Ntfs!NtfsFsdWrite.


    $$*****************************************************************
    $$ Script by kms_hhl to monitor file create read write delete and show call stack
    $$ Create Time 2014_11
    $$ Execute by $$><D:BaiduYunTongBu百度云同步盘windbg_sc1sc_file_monitor.txt
    $$
    $$ The pointer chain below is for 32-bit Windows with the default hex radix:
    $$   poi(esp+8)           second stack argument of NtfsFsdSetInformation = PIRP Irp
    $$   poi(Irp+64)          Irp->Tail.Overlay.OriginalFileObject   (x86 _IRP, +0x64)
    $$   poi(FileObject+34)   FileObject->FileName.Buffer            (x86 _FILE_OBJECT, +0x34)
    $$ Check the offsets on the target before use:
    $$   dt nt!_IRP Tail.Overlay.OriginalFileObject
    $$   dt nt!_FILE_OBJECT FileName
    $$ Note: ad * clears every alias, including ones you defined yourself;
    $$ use ad $FileNameA (etc.) if you want to keep others.
    $$*****************************************************************
    
    $$ IRP_MJ_SET_INFORMATION dispatch entry (x86 stdcall: DeviceObject at esp+4, Irp at esp+8).
    $$ On a match the target stays broken in and the call stack is printed; otherwise gc resumes.
    bp Ntfs!NtfsFsdSetInformation"
    r $t0=poi(poi(poi(esp+8)+64)+34)
    as /mu $FileNameA $t0
    .block
    {
    .if ($spat(" ${$FileNameA} "," *virus.dll* "))
    	{
    		.echo found the pattern
    		.echo $FileNameA
    		kb
    		ad *
    	}
    .else
    	{
    		.echo not found the pattern
    		.echo ' $FileNameA '
    		ad *
    		gc
    	}
    }"
    
    $$ Internal (non-exported) Ntfs routine handling FileRenameInformation. The script
    $$ treats the third stack argument (esp+c) as the IRP; this argument order is not
    $$ documented and may differ between builds, so confirm with dd esp at the breakpoint.
    bp Ntfs!NtfsSetRenameInfo"
    r $t1=poi(poi(poi(esp+c)+64)+34)
    as /mu $FileNameB $t1
    .block
    {
    .if ($spat(" ${$FileNameB} "," *virus.dll* "))
    	{
    		.echo found the pattern
    		.echo $FileNameB
    		kb
    		ad *
    	}
    .else
    	{
    		.echo not found the pattern
    		.echo ' $FileNameB '
    		ad *
    		gc
    	}
    }"
    
    
    $$ Internal Ntfs routine handling FileDispositionInformation (the delete-on-close flag).
    $$ Same argument assumption as above: verify esp+c really is the IRP on your build.
    bp Ntfs!NtfsSetDispositionInfo"
    r $t2=poi(poi(poi(esp+c)+64)+34)
    as /mu $FileNameC $t2
    .block
    {
    .if ($spat(" ${$FileNameC} "," *virus.dll* "))
    	{
    		.echo found the pattern
    		.echo $FileNameC
    		kb
    		ad *
    	}
    .else
    	{
    		.echo not found the pattern
    		.echo ' $FileNameC '
    		ad *
    		gc
    	}
    }"
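
The same walk without hard-coded offsets, as an added example that is not part of the original post: a single breakpoint on the IRP_MJ_SET_INFORMATION dispatch entry, with the IRP, FILE_OBJECT and IO_STACK_LOCATION fields read through the C++ expression evaluator (`@@c++(...)`) so the script follows the target's own type information and works on x64 as well as x86. It assumes an x64 target (the second argument, PIRP Irp, arrives in rdx; on x86 use poi(@esp+8) instead), that the nt and Ntfs symbols are loaded, and the same placeholder pattern *virus.dll*. It also checks for a NULL OriginalFileObject or FileName.Buffer before dereferencing them, uses ${/v:FileName} so the alias name is not expanded when it is redefined, and reports which FileInformationClass the request carries (0xa FileRenameInformation, 0xd FileDispositionInformation, 0x40 FileDispositionInformationEx). Inner quotes are escaped with \" because the whole block is one bp command string; run it the same way as the original, with $$>< and the file path.

```windbg
$$ Added example (not from the original post): one breakpoint on the
$$ IRP_MJ_SET_INFORMATION dispatch routine, walking the IRP through the
$$ target's type information instead of fixed x86 offsets.
$$ Assumptions: live kernel debugging, nt and Ntfs symbols loaded, x64 target
$$ so the second argument (PIRP Irp) of NtfsFsdSetInformation is in rdx.
$$ On x86 replace @rdx below with poi(@esp+8).
$$ Run with $$>< followed by the path of this file, like the original script.

bp Ntfs!NtfsFsdSetInformation "
$$ $t0 = Irp, $t1 = Irp->Tail.Overlay.OriginalFileObject
r @$t0 = @rdx
r @$t1 = @@c++(((nt!_IRP *)@$t0)->Tail.Overlay.OriginalFileObject)
.if (@$t1 == 0)
{
    gc
}
.else
{
    $$ $t2 = FileObject->FileName.Buffer (volume-relative name, no drive letter)
    r @$t2 = @@c++(((nt!_FILE_OBJECT *)@$t1)->FileName.Buffer)
    .if (@$t2 == 0)
    {
        gc
    }
    .else
    {
        ad /q FileName
        as /mu ${/v:FileName} @$t2
        .block
        {
            .if ($spat(\"${FileName}\", \"*virus.dll*\"))
            {
                $$ Which SetInformation request this is, from the current stack location
                r @$t3 = @@c++((unsigned int)((nt!_IRP *)@$t0)->Tail.Overlay.CurrentStackLocation->Parameters.SetFile.FileInformationClass)
                .if (@$t3 == 0xd)
                {
                    .printf \"FileDispositionInformation (delete) on %mu\\n\", @$t2
                }
                .elsif (@$t3 == 0x40)
                {
                    .printf \"FileDispositionInformationEx (delete) on %mu\\n\", @$t2
                }
                .elsif (@$t3 == 0xa)
                {
                    .printf \"FileRenameInformation on %mu\\n\", @$t2
                }
                .else
                {
                    .printf \"FileInformationClass 0x%x on %mu\\n\", @$t3, @$t2
                }
                .printf \"Irp %p  FileObject %p  Thread %p\\n\", @$t0, @$t1, @@c++(((nt!_IRP *)@$t0)->Tail.Overlay.Thread)
                $$ Stay broken in and show who issued the request
                k
                ad /q FileName
            }
            .else
            {
                ad /q FileName
                gc
            }
        }
    }
}"
```

Every IRP_MJ_SET_INFORMATION on every NTFS volume hits this breakpoint, so expect the target to crawl while it is armed; narrow the pattern, or add a process check with `@@c++(((nt!_ETHREAD *)@$t4)->...)` on the requesting thread, if that is a problem. The NULL checks matter because the C++ evaluator aborts the whole command string on a bad dereference and leaves the target stopped, which on a busy machine looks like a hang.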
    

      

Original article: https://www.cnblogs.com/kmshhl/p/4116343.html