写一个 注入进程监视其文件读写操作的代码 用c语言
以下是一个注入进程并监视其文件读写操作的示例代码:
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string.h>
#define MAX_PATH_LEN 260
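/*
 * Look up a process ID by executable image name (e.g. "notepad.exe").
 *
 * Walks a Toolhelp process snapshot and returns the PID of the first entry
 * whose szExeFile matches processName, or 0 when nothing matches, the
 * argument is empty, or the snapshot cannot be taken.
 *
 * The comparison is case-insensitive: Windows image names are
 * case-insensitive, so the original strcmp() silently missed "Notepad.exe"
 * when the user typed "notepad.exe".
 *
 * Security note: an image name is not an identity. Any program can run under
 * any name, the first match wins when several processes share a name, and a
 * PID may be recycled between this lookup and the caller's OpenProcess().
 * Never base a trust decision on the result.
 *
 * Assumes a multi-byte (non-UNICODE) build, as the original did: szExeFile
 * is compared as a char string.
 */
DWORD FindProcessIdByName(const char* processName)
{
    DWORD pid = 0;
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32 = { 0 };

    if (processName == NULL || processName[0] == '\0')
        return 0;

    /* CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE,
     * not NULL; the original passed that value straight to Process32First. */
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    pe32.dwSize = sizeof(pe32);   /* Process32First fails without this */
    if (Process32First(hSnapshot, &pe32))
    {
        do
        {
            if (_stricmp(pe32.szExeFile, processName) == 0)
            {
                pid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);   /* single exit: the snapshot is always released */
    return pid;
}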
/*
 * Poll the injected process once a second and print any file path found via
 * an OVERLAPPED structure. Loops forever; the caller never regains control.
 *
 * NOTE(review): as written this routine cannot observe the target's file
 * activity. Confirm and fix the following before relying on its output:
 *  - &overlapped is the address of a local variable in *this* process. The
 *    first ReadProcessMemory() reads that same numeric address inside the
 *    target, where it refers to unrelated memory or nothing at all. Nothing
 *    on this page makes FileMonitor.dll publish an OVERLAPPED at a known
 *    address; a working design needs an agreed channel between the DLL and
 *    this monitor (shared section, named pipe, ...).
 *  - The second ReadProcessMemory() uses the handle *value* overlapped.hEvent
 *    as a remote memory address, which has no meaning.
 *  - overlapped.hEvent belongs to the target's handle table (and names an
 *    event, not a file). It is not valid in this process, so
 *    GetFinalPathNameByHandle() receives an arbitrary or closed handle; only
 *    DuplicateHandle() would make a remote handle usable here.
 *  - VOLUME_NAME_DOS yields a "\\?\C:\..." style name; the
 *    "\Device\HarddiskVolume" prefix is the NT form (VOLUME_NAME_NT), so the
 *    filter below never matches and nothing is ever printed. (Confirm against
 *    the target Windows version.)
 *  - bytesRead, bytesWritten and hFile are never used.
 *
 * hProcess must have been opened with PROCESS_VM_READ.
 */
void MonitorFileOperation(HANDLE hProcess)
{
char filePath[MAX_PATH_LEN] = { 0 };
DWORD bytesRead = 0;
DWORD bytesWritten = 0;
OVERLAPPED overlapped = { 0 };
HANDLE hFile = NULL;
while (1)
{
/* Reads the target at the address of this process's own local (see note above). */
if (ReadProcessMemory(hProcess, &overlapped, &overlapped, sizeof(OVERLAPPED), NULL))
{
/* Treats the handle value as a remote address and overwrites hEvent with what is there. */
if (ReadProcessMemory(hProcess, overlapped.hEvent, &overlapped.hEvent, sizeof(HANDLE), NULL))
{
/* hEvent is a foreign handle value; not valid in this process without DuplicateHandle. */
if (GetFinalPathNameByHandle(overlapped.hEvent, filePath, MAX_PATH_LEN, VOLUME_NAME_DOS))
{
/* 22 == strlen("\\Device\\HarddiskVolume"); NT-form prefix, see VOLUME_NAME_DOS note above. */
if (strncmp(filePath, "\\Device\\HarddiskVolume", 22) == 0) // only report disk file operations
{
printf("File operation: %s\n", filePath);
}
}
}
}
Sleep(1000); // throttle the polling loop to keep CPU usage low
}
}
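/*
 * Entry point.  Usage: <program> <processName>
 *
 * Locates the target by image name, loads FileMonitor.dll into it with the
 * VirtualAllocEx / WriteProcessMemory / CreateRemoteThread(LoadLibraryA)
 * sequence the original used, then hands the process handle to
 * MonitorFileOperation() (which loops forever in the original design).
 *
 * Returns 0 if monitoring ran, 1 on any usage, lookup or injection failure.
 *
 * Security / operational notes:
 *  - Writing into, and creating a thread in, another process needs matching
 *    privilege (SeDebugPrivilege for other users' or elevated processes) and
 *    is exactly the behaviour endpoint-protection products alert on. Use it
 *    only on processes you own, for debugging.
 *  - Least privilege: the original requested PROCESS_ALL_ACCESS; only the
 *    rights the calls below actually need are requested now.
 *  - FileMonitor.dll is resolved relative to this program's current
 *    directory. If that directory is writable by others, a planted DLL of
 *    that name is what gets loaded into the target; keep the DLL in a
 *    protected location. The existence check below fails early in this
 *    process instead of inside the target's LoadLibrary.
 *  - Passing this process's LoadLibraryA address to the target assumes both
 *    map kernel32 at the same base, which holds for same-bitness processes
 *    within one boot session and fails across 32-bit/64-bit boundaries.
 *  - All handles and the remote allocation are released on every exit path
 *    (the original leaked hProcess, hThread and the remote buffer), and the
 *    remote thread's exit code is checked so a DLL that failed to load is
 *    reported instead of being silently "monitored".
 */
int main(int argc, char* argv[])
{
    int rc = 1;
    DWORD processId;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pRemoteBuf = NULL;
    char dllPath[MAX_PATH_LEN] = { 0 };
    DWORD pathLen;
    DWORD loadResult = 0;
    /* Rights actually used: VM_OPERATION (VirtualAllocEx/VirtualFreeEx),
     * VM_WRITE (WriteProcessMemory), VM_READ (ReadProcessMemory in the
     * monitor loop), CREATE_THREAD and QUERY_INFORMATION (CreateRemoteThread). */
    const DWORD injectAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

    if (argc != 2)
    {
        printf("Usage: %s <processName>\n", argv[0]);
        return 1;
    }

    processId = FindProcessIdByName(argv[1]);
    if (processId == 0)
    {
        printf("Process %s not found.\n", argv[1]);
        return 1;
    }

    hProcess = OpenProcess(injectAccess, FALSE, processId);
    if (hProcess == NULL)
    {
        printf("Failed to open process %s.\n", argv[1]);
        return 1;
    }

    /* GetFullPathNameA returns 0 on failure and the required size (>= the
     * buffer) on truncation; neither leaves a usable path. */
    pathLen = GetFullPathNameA("FileMonitor.dll", MAX_PATH_LEN, dllPath, NULL);
    if (pathLen == 0 || pathLen >= MAX_PATH_LEN)
    {
        printf("Failed to resolve the path of FileMonitor.dll.\n");
        goto cleanup;
    }
    if (GetFileAttributesA(dllPath) == INVALID_FILE_ATTRIBUTES)
    {
        printf("FileMonitor.dll not found at %s.\n", dllPath);
        goto cleanup;
    }

    /* Place the NUL-terminated path in the target so LoadLibraryA can read it. */
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, (SIZE_T)pathLen + 1, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteBuf == NULL)
    {
        printf("Failed to allocate memory in process %s.\n", argv[1]);
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pRemoteBuf, dllPath, (SIZE_T)pathLen + 1, NULL))
    {
        printf("Failed to write memory in process %s.\n", argv[1]);
        goto cleanup;
    }

    /* LoadLibraryA matches the LPTHREAD_START_ROUTINE shape (one pointer in,
     * one pointer-sized value out), so the target loads the DLL itself. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)LoadLibraryA, pRemoteBuf, 0, NULL);
    if (hThread == NULL)
    {
        printf("Failed to create remote thread in process %s.\n", argv[1]);
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);

    /* The thread's exit code is LoadLibraryA's return value (the HMODULE,
     * truncated to 32 bits); 0 means the load failed inside the target. */
    if (!GetExitCodeThread(hThread, &loadResult) || loadResult == 0)
    {
        printf("FileMonitor.dll failed to load in process %s.\n", argv[1]);
        goto cleanup;
    }

    /* Runs until the monitor is killed in the original design. */
    MonitorFileOperation(hProcess);
    rc = 0;

cleanup:
    /* LoadLibraryA has already copied the path by the time the thread ends,
     * so the remote buffer can be released here on every path. */
    if (hThread != NULL)
        CloseHandle(hThread);
    if (pRemoteBuf != NULL)
        VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return rc;
}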
其中,FindProcessIdByName 函数用于根据进程名查找进程ID(注意:进程名不是身份凭据,任何程序都可以使用任意名称,存在同名进程时只会命中第一个),MonitorFileOperation 函数用于监视文件操作,main 函数注入 FileMonitor.dll 并调用 MonitorFileOperation 函数。真正的文件操作拦截(对 CreateFile/ReadFile/WriteFile 等 API 的挂钩)必须在 FileMonitor.dll 内部用 Detours 等工具实现,本文并未给出该 DLL 的代码。需要指出的是,上面的 MonitorFileOperation 并不能直接工作:它用 ReadProcessMemory 读取的是本进程局部变量 overlapped 的地址,在目标进程中该地址指向无关内存;读到的 hEvent 是目标进程句柄表中的值,在本进程内无效(需要 DuplicateHandle 才能使用);而 GetFinalPathNameByHandle 在 VOLUME_NAME_DOS 下返回的是 "\\?\C:\..." 形式的路径,"\Device\HarddiskVolume" 前缀对应的是 VOLUME_NAME_NT,因此过滤条件永远不会匹配。可行的做法是由 FileMonitor.dll 通过命名管道或共享内存把截获到的路径主动发送给监视进程,MonitorFileOperation 只负责接收并打印。此外,向其他进程写入内存和创建远程线程需要相应权限(例如 SeDebugPrivilege),通常会被安全软件拦截或告警,只应用于调试自己拥有的进程。注意,为了降低CPU使用率,可以在每轮循环中加入 Sleep 函数。