微信公众号搜"智元新知"关注
微信扫一扫可直接关注哦!

读取NTFS的USN获取文件的历史操作记录,即使这个文件已被删除

原文转载于:http://blog.okbase.net/bruceteen/archive/242.html

上回说到NTFS USN会记录下文件的所有操作,但认情况下并没有激活这一功能,所以不用担心。在非激活状态,它也只剩下快速查找文件功能
这回,假设USN JOURNAL被激活了(你可以用控制台命令fsutil usn,或上回说到的FSCTL_CREATE_USN_JOURNAL来开启这一功能),怎么回窥过去的操作?
为此,写了段代码来进行试验,程序是检索 123.txt 操作历史(记录空间不是无穷大,过旧的信息会被覆盖掉),输出如下

2011-06-24 12:53:53 FILE_CREATE|
\share\x\新建 文本文档.txt
2011-06-24 12:53:53 FILE_CREATE|CLOSE|
\share\x\新建 文本文档.txt
2011-06-24 12:53:59 RENAME_OLD_NAME|
\share\x\新建 文本文档.txt
2011-06-24 12:53:59 RENAME_NEW_NAME|
\share\x\123.txt
2011-06-24 12:53:59 RENAME_NEW_NAME|CLOSE|
\share\x\123.txt
2011-06-24 12:55:41 FILE_DELETE|CLOSE|
\RECYCLER\S-1-5-21-945297121-3308661772-4115227181-3452\Dd3\123.txt

输出可以看出,先在\share\x目录下创建了"新建 文本文档.txt",后又更名为"123.txt",最后连其父目录一起删进了回收站。

试验代码如下(代码中有好多冗余调用,因为这只是试验代码而已):

#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <string>
#include <deque>
using namespace std;

struct MY_USN_RECORD
{
DWORDLONG FileReferenceNumber;
DWORDLONG ParentFileReferenceNumber;
LARGE_INTEGER TimeStamp;
DWORD Reason;
WCHAR FileName[MAX_PATH];
};
HANDLE hVol = INVALID_HANDLE_VALUE;
bool EnumUsnRecord( const char* drvname,std::deque<MY_USN_RECORD>& con )
{
bool ret = false;

char FileSystemName[MAX_PATH+1];
DWORD MaximumComponentLength;
if( GetVolumeinformationA( (std::string(drvname)+":\\").c_str(),&MaximumComponentLength,FileSystemName,MAX_PATH+1)
&& 0==strcmp(FileSystemName,"NTFS") ) // 判断是否为 NTFS 格式
{
hVol = CreateFileA( (std::string("\\\\.\\")+drvname+":").c_str() // 需要管理员权限,无奈
,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,NULL);
if( hVol != INVALID_HANDLE_VALUE )
{
DWORD br;
USN_JOURNAL_DATA qujd;
if( DeviceIoControl( hVol,FSCTL_QUERY_USN_JOURNAL,&qujd,sizeof(qujd),&br,NULL ) )
{
char buffer[0x1000];
DWORD BytesReturned;
{
READ_USN_JOURNAL_DATA rujd = { 0,-1,qujd.UsnJournalID };
for( ; DeviceIoControl(hVol,FSCTL_READ_USN_JOURNAL,&rujd,sizeof(rujd),buffer,_countof(buffer),&BytesReturned,NULL); rujd.StartUsn=*(USN*)&buffer )
{
DWORD dwRetBytes = BytesReturned - sizeof(USN);
PUSN_RECORD UsnRecord = (PUSN_RECORD)((PCHAR)buffer+sizeof(USN));
if( dwRetBytes==0 )
{
ret = true;
break;
}

while( dwRetBytes > 0 )
{
MY_USN_RECORD myur = { UsnRecord->FileReferenceNumber,UsnRecord->ParentFileReferenceNumber,UsnRecord->TimeStamp,UsnRecord->Reason };
memcpy( myur.FileName,UsnRecord->FileName,UsnRecord->FileNameLength );
myur.FileName[UsnRecord->FileNameLength/2] = L'\0';

con.push_back( myur );

dwRetBytes -= UsnRecord->RecordLength;
UsnRecord = (PUSN_RECORD)( (PCHAR)UsnRecord + UsnRecord->RecordLength );
}
}
}
}

//CloseHandle( hVol );
}
}

return ret;
}

#include <set>
int main()
{
// 获得所有变化记录
std::deque<MY_USN_RECORD> con;
EnumUsnRecord( "D",con );

// 搜寻文件名为"test.txt"的文件号(可能有多个)
std::set<DWORDLONG> con2;
for( std::deque<MY_USN_RECORD>::const_iterator itor=con.begin(); itor!=con.end(); ++itor )
{
const MY_USN_RECORD& mur = *itor;
if( _wcsicmp(mur.FileName,L"123.txt") == 0 )
{
con2.insert( mur.FileReferenceNumber );
}
}

// 遍历其历史操作
setlocale( LC_CTYPE,"chs" );
for( std::set<DWORDLONG>::const_iterator itor2=con2.begin(); itor2!=con2.end(); ++itor2 )
{
for( std::deque<MY_USN_RECORD>::const_iterator itor=con.begin(); itor!=con.end(); ++itor )
{
const MY_USN_RECORD& mur = *itor;
if( *itor2 == mur.FileReferenceNumber )
{
FILETIME timestamp;
FileTimetoLocalFileTime( &(FILETIME&)mur.TimeStamp,&timestamp );
SYstemTIME st;
FileTimetoSystemTime( &timestamp,&st );
printf( "%04d-%02d-%02d %02d:%02d:%02d ",st.wYear,st.wMonth,st.wDay,st.wHour,st.wMinute,st.wSecond );

if( mur.Reason&USN_REASON_DATA_OVERWRITE )
printf( "%s|","DATA_OVERWRITE" );
if( mur.Reason&USN_REASON_DATA_EXTEND )
printf( "%s|","DATA_EXTEND" );
if( mur.Reason&USN_REASON_DATA_TruncATION )
printf( "%s|","DATA_TruncATION" );
if( mur.Reason&USN_REASON_NAMED_DATA_OVERWRITE )
printf( "%s|","NAMED_DATA_OVERWRITE" );
if( mur.Reason&USN_REASON_NAMED_DATA_EXTEND )
printf( "%s|","NAMED_DATA_EXTEND" );
if( mur.Reason&USN_REASON_NAMED_DATA_TruncATION )
printf( "%s|","NAMED_DATA_TruncATION" );
if( mur.Reason&USN_REASON_FILE_CREATE )
printf( "%s|","FILE_CREATE" );
if( mur.Reason&USN_REASON_FILE_DELETE )
printf( "%s|","FILE_DELETE" );
if( mur.Reason&USN_REASON_EA_CHANGE )
printf( "%s|","EA_CHANGE" );
if( mur.Reason&USN_REASON_Security_CHANGE )
printf( "%s|","Security_CHANGE" );
if( mur.Reason&USN_REASON_RENAME_OLD_NAME )
printf( "%s|","RENAME_OLD_NAME" );
if( mur.Reason&USN_REASON_RENAME_NEW_NAME )
printf( "%s|","RENAME_NEW_NAME" );
if( mur.Reason&USN_REASON_INDEXABLE_CHANGE )
printf( "%s|","INDEXABLE_CHANGE" );
if( mur.Reason&USN_REASON_BASIC_INFO_CHANGE )
printf( "%s|","BASIC_INFO_CHANGE" );
if( mur.Reason&USN_REASON_HARD_LINK_CHANGE )
printf( "%s|","HARD_LINK_CHANGE" );
if( mur.Reason&USN_REASON_COMPRESSION_CHANGE )
printf( "%s|","COMPRESSION_CHANGE" );
if( mur.Reason&USN_REASON_ENCRYPTION_CHANGE )
printf( "%s|","ENCRYPTION_CHANGE" );
if( mur.Reason&USN_REASON_OBJECT_ID_CHANGE )
printf( "%s|","OBJECT_ID_CHANGE" );
if( mur.Reason&USN_REASON_REPARSE_POINT_CHANGE )
printf( "%s|REPARSE_POINT_CHANGE","" );
if( mur.Reason&USN_REASON_STREAM_CHANGE )
printf( "%s|","STREAM_CHANGE" );
if( mur.Reason&USN_REASON_TRANSACTED_CHANGE )
printf( "%s|","TRANSACTED_CHANGE" );
if( mur.Reason&USN_REASON_CLOSE )
printf( "%s|","CLOSE" );

printf( "\n " );
bool PrintFullPath( const MY_USN_RECORD& mur,const std::deque<MY_USN_RECORD>& con );
PrintFullPath(mur,con);

printf( "\n" );
}
}

printf( "\n" );
}

if( hVol != INVALID_HANDLE_VALUE )
CloseHandle( hVol );

return 0;
}

bool PrintFullPath( const MY_USN_RECORD& mur,const std::deque<MY_USN_RECORD>& con )
{
if( (mur.FileReferenceNumber&0x0000FFFFFFFFFFFF) == 5 )
return true;

std::deque<MY_USN_RECORD>::const_iterator recent = con.end();
for( std::deque<MY_USN_RECORD>::const_iterator itor=con.begin(); itor!=con.end() && itor->TimeStamp.QuadPart<=mur.TimeStamp.QuadPart; ++itor )
{
if( itor->FileReferenceNumber == mur.ParentFileReferenceNumber )
recent = itor;
}
if( recent != con.end() )// 它的父目录可能也已被删除,所以要先在记录集中找找
{
bool r= PrintFullPath(*recent,con);
printf( "\\%s",mur.FileName );
return r;
}

bool GetFullPathByFileReferenceNumber( HANDLE hVol,DWORDLONG FileReferenceNumber );
bool r = GetFullPathByFileReferenceNumber(hVol,mur.ParentFileReferenceNumber); //如果记录中没有,再去看看这个文件实际存在否
if( r )
printf( "\\%s",mur.FileName );
else
printf( "???\\%s",mur.FileName );
return r;
}

bool GetFullPathByFileReferenceNumber( HANDLE hVol,DWORDLONG FileReferenceNumber ) //根据文件号获得全路径,上篇文章已经说过,共有3中方法,这是其中之一,代码简单但效率不高
{
typedef ULONG (__stdcall *PNtCreateFile)(
PHANDLE FileHandle,
ULONG DesiredAccess,
PVOID ObjectAttributes,
PVOID IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG Createdisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength );
PNtCreateFile NtCreatefile = (PNtCreateFile)GetProcAddress( GetModuleHandle(L"ntdll.dll"),"NtCreateFile" );

typedef struct _UNICODE_STRING {
USHORT Length,MaximumLength;
PWCH Buffer;
} UNICODE_STRING,*PUNICODE_STRING;
UNICODE_STRING fidstr = { 8,8,(PWSTR)&FileReferenceNumber };

typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
const ULONG OBJ_CASE_INSENSITIVE = 0x00000040UL;
OBJECT_ATTRIBUTES oa = { sizeof(OBJECT_ATTRIBUTES),hVol,&fidstr,OBJ_CASE_INSENSITIVE,0 };

HANDLE hFile;
ULONG iosb[2];
const ULONG FILE_OPEN_BY_FILE_ID = 0x00002000UL;
const ULONG FILE_OPEN = 0x00000001UL;
ULONG status = NtCreatefile( &hFile,GENERIC_ALL,&oa,iosb,FILE_ATTRIBUTE_norMAL,FILE_OPEN,FILE_OPEN_BY_FILE_ID,0 );
if( status == 0 )
{
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR information;
} IO_STATUS_BLOCK,*PIO_STATUS_BLOCK;
typedef enum _FILE_informatION_CLASS {
// ……
FileNameinformation = 9
// ……
} FILE_informatION_CLASS,*PFILE_informatION_CLASS;
typedef NTSTATUS (__stdcall *PNtQueryinformationFile)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID Fileinformation,
DWORD Length,
FILE_informatION_CLASS FileinformationClass );
PNtQueryinformationFile NtQueryinformationFile = (PNtQueryinformationFile)GetProcAddress( GetModuleHandle(L"ntdll.dll"),"NtQueryinformationFile" );

typedef struct _OBJECT_NAME_informatION {
UNICODE_STRING Name;
} OBJECT_NAME_informatION,*POBJECT_NAME_informatION;
IO_STATUS_BLOCK IoStatus;
size_t allocSize = sizeof(OBJECT_NAME_informatION) + MAX_PATH*sizeof(WCHAR);
POBJECT_NAME_informatION pfni = (POBJECT_NAME_informatION)operator new(allocSize);
status = NtQueryinformationFile(hFile,&IoStatus,pfni,allocSize,FileNameinformation);
if( status == 0 )
{
printf( "%.*S",pfni->Name.Length/2,&pfni->Name.Buffer );
}
operator delete(pfni);

CloseHandle(hFile);
}

return status == 0;}

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

相关推荐


Windows注册表操作基础代码 Windows下对注册表进行操作使用的一段基础代码Reg.h:#pragmaonce#include&lt;assert.h&gt;#include&lt;windows.h&gt;classReg{HKEYhkey;public:voidopen(HKEYroot
黑客常用WinAPI函数整理之前的博客写了很多关于Windows编程的内容,在Windows环境下的黑客必须熟练掌握底层API编程。为了使读者对黑客常用的Windows API有个更全面的了解以及方便日后使用API方法的查询,特将这些常用的API按照7大分类进行整理如下,希望对大家的学习有所帮助。一
一个简单的Windows Socket可复用框架说起网络编程,无非是建立连接,发送数据,接收数据,关闭连接。曾经学习网络编程的时候用Java写了一些小的聊天程序,Java对网络接口函数的封装还是很简单实用的,但是在Windows下网络编程使用的Socket就显得稍微有点繁琐。这里介绍一个自己封装的一
Windows文件操作基础代码 Windows下对文件进行操作使用的一段基础代码File.h,首先是File类定义:#pragmaonce#include&lt;Windows.h&gt;#include&lt;assert.h&gt;classFile{HANDLEhFile;//文件句柄publ
Winpcap基础代码 使用Winpcap进行网络数据的截获和发送都需要的一段代码:#include&lt;PCAP.H&gt;#pragmacomment(lib,&quot;wpcap.lib&quot;)//#pragmacomment(lib,&quot;ws2_32.lib&quot;)#
使用vbs脚本进行批量编码转换 最近需要使用SourceInsight查看分析在Linux系统下开发的项目代码,我们知道Linux系统中文本文件默认编码格式是UTF-8,而Windows中文系统中的默认编码格式是Gb2312。系统内的编码格式有所区别倒无伤大雅,关键的是SourceInsigh...
缓冲区溢出攻击缓冲区溢出(Buffer Overflow)是计算机安全领域内既经典而又古老的话题。随着计算机系统安全性的加强,传统的缓冲区溢出攻击方式可能变得不再奏效,相应的介绍缓冲区溢出原理的资料也变得“大众化”起来。其中看雪的《0day安全:软件漏洞分析技术》一书将缓冲区溢出攻击的原理阐述得简洁
Windows字符集的统一与转换一、字符集的历史渊源在Windows编程时经常会遇到编码转换的问题,一直以来让刚接触的人摸不着头脑。其实只要弄清Win32程序使用的字符编码方式就清楚了,图1展示了一个Win32控制台项目的属性中的字符集选项。这里有两个不同的字符集:一个是Unicode字符集,另一个
远程线程注入引出的问题一、远程线程注入基本原理远程线程注入——相信对Windows底层编程和系统安全熟悉的人并不陌生,其主要核心在于一个Windows API函数CreateRemoteThread,通过它可以在另外一个进程中注入一个线程并执行。在提供便利的同时,正是因为如此,使得系统内部出现了安全
windows系统启动项怎么打开