windbg脚本实践1----监控特定文件创建 删除 读写

windbg脚本方便灵活，但是语法古怪，使用的人不多。windbg扩展功能强大，但是使用的人也很少。抛砖引玉吧。

此脚本可以监控到

a 任意时机 开关机时刻 (挂shutdown 删文件 或者开机挂回调特定时刻删文件)

b 任意底层穿透驱动 bapidrv tsyskit kisapi pchunter 对文件进行的删除 创建 粉碎等敏感操作

$$*****************************************************************
$$ Script by kms_hhl to monitor file create read write delete and show call stack
$$ Create Time 2014_11
$$ Execute by $$><D:\BaiduYunTongBu\百度云同步盘\windbg_sc\1sc_file_monitor.txt
$$*****************************************************************

bp Ntfs!NtfsFsdSetInformation"
r $t0=poi(poi(poi(esp+8)+64)+34)
as /mu $FileNameA $t0
.block
{
.if ($spat(\" ${$FileNameA} \",\" *virus.dll* \"))
{
.echo found the pattern
.echo $FileNameA
ad *
}
.else
{
.echo not found the pattern
.echo ' $FileNameA '
ad *
gc
}
}"

bp Ntfs!NtfsSetRenameInfo"
r $t1=poi(poi(poi(esp+c)+64)+34)
as /mu $FileNameB $t1
.block
{
.if ($spat(\" ${$FileNameB} \",\" *virus.dll* \"))
{
.echo found the pattern
.echo $FileNameB
ad *
}
.else
{
.echo not found the pattern
.echo ' $FileNameB '
ad *
gc
}
}"

bp Ntfs!NtfsSetDispositionInfo"
r $t2=poi(poi(poi(esp+c)+64)+34)
as /mu $FileNameC $t2
.block
{
.if ($spat(\" ${$FileNameC} \",\" *virus.dll* \"))
{
.echo found the pattern
.echo $FileNameC
ad *
}
.else
{
.echo not found the pattern
.echo ' $FileNameC '
ad *
gc
}
}"