ETW-Microsoft-Windows-Kernel-File

前言

由于ETW的事件非常多,并且事件名有些类似,因此记录一下常见文件操作(打开/关闭、删除、读写、重命名)所对应的 Microsoft-Windows-Kernel-File 事件及其触发顺序,便于写检测规则时参考

事件的详细信息可以通过https://github.com/jdu2600/Windows10EtwEvents/blob/master/manifest/Microsoft-Windows-Kernel-File.tsv进行查询

Microsoft-Windows-Kernel-File

该provider主要负责内核的文件操作的事件

获取与关闭文件句柄

该例子主要是测试文件句柄的获取与关闭所触发的事件

#include <windows.h>
#include <stdio.h>
#include <iostream>
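// Test harness for the Microsoft-Windows-Kernel-File provider: opens an
// existing file and then closes the handle, pausing on stdin between the two
// steps so the Create and Close events can be observed separately in the
// trace. Returns -1 when the file cannot be opened, 0 otherwise.
int main()
{
    // Target path; the file must already exist (OPEN_EXISTING below).
    const wchar_t* file = L"C:\\PWN\\windows\\ETW_TEST\\x64\\Release\\asdihi12jeopjaposjdopasjd.txt";

    // Opening the handle is the step that produces the Create event.
    HANDLE hFile = CreateFile(file,
        GENERIC_WRITE | GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        std::cout << "打开文件句柄失败" << std::endl;
        getchar();
        return -1;
    }

    std::cout << "获取文件句柄" << std::endl;
    getchar(); // pause: inspect the Create event before the handle goes away

    std::cout << "关闭文件" << std::endl;
    // Releasing the handle is the step that produces the Close event.
    CloseHandle(hFile);

    getchar();
    return 0;
}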

可以看到获取与关闭文件句柄会触发Create与Close事件,触发序列为Create->Close。两个事件都带有 FileObject 字段,在分析时可以用同一个 FileObject 值把一次打开和对应的关闭关联起来。

image-20230828113902785

provider event_id version event(fields) opcode keywords task level
Microsoft-Windows-Kernel-File 12 0 Create(Pointer Irp, Pointer ThreadId, Pointer FileObject, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO或KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 12 1 Create_V1(Pointer Irp, Pointer FileObject, UInt32 IssuingThreadId, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 14 0 Close(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey) KERNEL_FILE_KEYWORD_FILEIO Close Informational
Microsoft-Windows-Kernel-File 14 1 Close_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, UInt32 IssuingThreadId) KERNEL_FILE_KEYWORD_FILEIO Close Informational

删除文件

该例子主要是测试删除文件所触发的事件

#include <windows.h>
#include <stdio.h>
#include <iostream>
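// Deletion test: calls DeleteFile on an existing path. Pauses on stdin before
// the call so the Create -> SetDelete -> NameDelete sequence it produces can be
// isolated in the trace. Always returns 0; on failure the Win32 error code is
// printed.
int main()
{
    LPCWSTR filePath = L"C:\\PWN\\windows\\ETW_TEST\\x64\\Release\\asdihi12jeopjaposjdopasjd.txt";
    std::cout << "删除文件" << std::endl;
    getchar(); // pause: the delete is issued only after the trace is ready

    if (DeleteFile(filePath)) {
        // 文件删除成功
        wprintf(L"File deleted successfully.\n");
    }
    else {
        // 文件删除失败 — read the error code immediately, before any other
        // API call can overwrite it.
        const DWORD error = GetLastError();
        // DWORD is unsigned long, so the correct conversion is %lu (the
        // original used %d, which mismatches the argument type).
        wprintf(L"File deletion failed with error code %lu.\n", error);
    }
    getchar();
}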

可以看到删除文件会触发Create、SetDelete以及NameDelete事件,触发序列为Create->SetDelete->NameDelete:DeleteFile 内部先打开文件(Create),再通过 set-information 请求设置删除标志(SetDelete,其 InfoClass 字段为 FileDispositionInformation=13 或较新的 FileDispositionInformationEx=64,写规则时两者都要考虑),文件真正被移除时产生 NameDelete。需要注意这只是 DeleteFile 这一种删除路径;如果文件是在 Create 时带 FILE_DELETE_ON_CLOSE 选项打开、在关闭句柄时被删除,可能不会经过 SetDelete,只依赖 SetDelete 的检测规则可能漏掉这种情况,建议同时检查 Create 事件的 CreateOptions 字段。

image-20230828114854079

provider event_id version event(fields) opcode keywords task level
Microsoft-Windows-Kernel-File 11 0 NameDelete(Pointer FileKey, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILENAME NameDelete Informational
Microsoft-Windows-Kernel-File 12 0 Create(Pointer Irp, Pointer ThreadId, Pointer FileObject, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO或KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 12 1 Create_V1(Pointer Irp, Pointer FileObject, UInt32 IssuingThreadId, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 18 0 SetDelete(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO SetDelete Informational
Microsoft-Windows-Kernel-File 18 1 SetDelete_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 IssuingThreadId, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO SetDelete Informational

读写文件

该例子主要是测试读写文件所触发的事件

#include <windows.h>
#include <stdio.h>
#include <iostream>
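// Read/write test: opens an existing file, reads from it, writes the data
// back, and closes the handle, pausing on stdin between steps so each
// Kernel-File event can be matched to the API call that caused it.
// Returns -1 if the open or the read fails, 0 otherwise.
//
// Two defects in the original listing are fixed here:
//  - ReadFile was given GetFileSize() as the length while buf holds 1024
//    bytes, overrunning the stack buffer for any larger file (and the int
//    conversion discarded the INVALID_FILE_SIZE error). The read is now
//    bounded by sizeof(buf).
//  - WriteFile was given strlen(buf) as the length, but buf is raw file data
//    and not NUL-terminated, so strlen could run past the buffer. The write
//    now uses the byte count actually read, which also makes the Write
//    event's IOSize field predictable.
int main()
{
    const wchar_t* file = L"C:\\PWN\\windows\\ETW_TEST\\x64\\Release\\asdihi12jeopjaposjdopasjd.txt";

    // Opening the handle produces the Create event.
    HANDLE hFile = CreateFile(file,
        GENERIC_WRITE | GENERIC_READ,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        std::cout << "打开文件句柄失败" << std::endl;
        getchar();
        return -1;
    }

    std::cout << "获取文件句柄" << std::endl;
    getchar();

    char buf[1024];
    DWORD dwRead = 0;
    // Read at most sizeof(buf) bytes; dwRead receives how many were actually
    // returned (fewer than sizeof(buf) for a short file). This call produces
    // the Read event.
    if (!ReadFile(hFile, buf, sizeof(buf), &dwRead, NULL)) {
        std::cout << "读文件失败" << std::endl;
        getchar();
        CloseHandle(hFile); // do not leak the handle on the failure path
        return -1;
    }
    std::cout << "读文件成功" << std::endl;
    getchar();

    std::cout << "读文件" << std::endl;
    getchar();

    std::cout << "写文件" << std::endl;
    DWORD dwWritten = 0;
    // Write back exactly the bytes that were read. The file pointer is at the
    // end of the data just read, so this appends after it. This call produces
    // the Write event.
    WriteFile(hFile, buf, dwRead, &dwWritten, NULL);

    // Releasing the handle produces the Close event.
    CloseHandle(hFile);

    getchar();
    return 0;
}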

可以看到读写会触发Read和Write事件以及SetInformation事件;而获取文件句柄是读写的前提,因此Create事件也会被触发。Close事件对应句柄被释放:代码里显式调用CloseHandle时它紧跟在写操作之后;如果程序不调用CloseHandle,句柄会在进程退出时由内核回收,Close事件通常只是被推迟到那时(其上下文也会不同),而不是完全不出现。触发序列为Create->Read->Write->SetInformation->Close

image-20230830111102876

这里可以看到Write事件会触发多次。Write事件记录的是内核层面的写请求,并不只对应应用程序的WriteFile调用,系统自身(例如缓存管理器把脏页写回磁盘)也可能产生写请求。分析时可以结合事件中的 IOSize、ByteOffset、IOFlags 以及 IssuingThreadId 字段,把应用程序自己发起的那次写与其它写请求区分开。

image-20230828124423925

provider event_id version event(fields) opcode keywords task level
Microsoft-Windows-Kernel-File 12 0 Create(Pointer Irp, Pointer ThreadId, Pointer FileObject, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO或KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 12 1 Create_V1(Pointer Irp, Pointer FileObject, UInt32 IssuingThreadId, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 14 0 Close(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey) KERNEL_FILE_KEYWORD_FILEIO Close Informational
Microsoft-Windows-Kernel-File 14 1 Close_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, UInt32 IssuingThreadId) KERNEL_FILE_KEYWORD_FILEIO Close Informational
Microsoft-Windows-Kernel-File 15 0 Read(UInt64 ByteOffset, Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey, UInt32 IOSize, UInt32 IOFlags) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_READ Read Informational
Microsoft-Windows-Kernel-File 15 1 Read_V1(UInt64 ByteOffset, Pointer Irp, Pointer FileObject, Pointer FileKey, UInt32 IssuingThreadId, UInt32 IOSize, UInt32 IOFlags, UInt32 ExtraFlags) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_READ Read Informational
Microsoft-Windows-Kernel-File 16 0 Write(UInt64 ByteOffset, Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey, UInt32 IOSize, UInt32 IOFlags) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_WRITE Write Informational
Microsoft-Windows-Kernel-File 16 1 Write_V1(UInt64 ByteOffset, Pointer Irp, Pointer FileObject, Pointer FileKey, UInt32 IssuingThreadId, UInt32 IOSize, UInt32 IOFlags, UInt32 ExtraFlags) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_WRITE Write Informational
Microsoft-Windows-Kernel-File 17 0 SetInformation(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO SetInformation Informational
Microsoft-Windows-Kernel-File 17 1 SetInformation_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 IssuingThreadId, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO SetInformation Informational

重命名文件

该例子主要是测试重命名文件所触发的事件

#include <windows.h>
#include <stdio.h>
#include <iostream>
// Rename test: renames an existing file with MoveFile, pausing on stdin before
// the call so the resulting Create -> Rename -> NameDelete -> Close sequence
// can be isolated in the trace. Always returns 0; success or failure is
// reported on stdout.
int main()
{
    // 原始文件路径 and 新文件路径 — both on the same volume.
    LPCWSTR oldPath = L"C:\\PWN\\windows\\ETW_TEST\\x64\\Release\\asdihi12jeopjaposjdopasjd.txt";
    LPCWSTR newPath = L"C:\\PWN\\windows\\ETW_TEST\\x64\\Release\\1234.txt";

    std::cout << "修改文件名" << std::endl;
    getchar(); // pause: the rename is issued only after the trace is ready

    const BOOL renamed = MoveFile(oldPath, newPath);
    const char* outcome = renamed ? "文件名修改成功\n" : "文件名修改失败\n";
    std::cout << outcome << std::endl;
}

可以看到文件名的修改会触发Create、Rename、NameDelete以及Close事件,触发序列为Create->Rename->NameDelete->Close。Rename 事件本身只带 FileObject/FileKey 和 InfoClass,旧文件名需要从同一 FileObject 的 Create 事件或 NameDelete 事件的 FileName 字段中取得。另外这里两个路径在同一个卷上;MoveFile 跨卷移动文件时会退化为复制加删除,事件序列会与此不同。

image-20230828125301585

provider event_id version event(fields) opcode keywords task level
Microsoft-Windows-Kernel-File 11 0 NameDelete(Pointer FileKey, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILENAME NameDelete Informational
Microsoft-Windows-Kernel-File 12 0 Create(Pointer Irp, Pointer ThreadId, Pointer FileObject, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO或KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 12 1 Create_V1(Pointer Irp, Pointer FileObject, UInt32 IssuingThreadId, UInt32 CreateOptions, UInt32 CreateAttributes, UInt32 ShareAccess, UnicodeString FileName) KERNEL_FILE_KEYWORD_FILEIO KERNEL_FILE_KEYWORD_CREATE Create Informational
Microsoft-Windows-Kernel-File 14 0 Close(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey) KERNEL_FILE_KEYWORD_FILEIO Close Informational
Microsoft-Windows-Kernel-File 14 1 Close_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, UInt32 IssuingThreadId) KERNEL_FILE_KEYWORD_FILEIO Close Informational
Microsoft-Windows-Kernel-File 19 0 Rename(Pointer Irp, Pointer ThreadId, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO Rename Informational
Microsoft-Windows-Kernel-File 19 1 Rename_V1(Pointer Irp, Pointer FileObject, Pointer FileKey, Pointer ExtraInformation, UInt32 IssuingThreadId, UInt32 InfoClass) KERNEL_FILE_KEYWORD_FILEIO Rename Informational
