要在 Windows 下监控进程的 I/O 操作，可以使用 syscall 包提供的 ReadProcessMemory() 和 WriteProcessMemory() 函数。下面是一个示例代码：
package main
import (
"fmt"
"syscall"
"time"
"unsafe"
"golang.org/x/sys/windows"
)
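// main waits for a process named processName to appear, opens it with the
// minimum access right needed to read its memory, and then samples
// len(buffer) bytes at baseAddress once per second until a read fails.
//
// Note on what this program can and cannot do: ReadProcessMemory copies
// bytes out of another process's address space. It does not observe that
// process's own I/O or API calls, so nothing here "intercepts" anything;
// observing a process's file/network activity needs an OS tracing facility
// (e.g. ETW) rather than this API.
//
// Changes from the original:
//   - ReadProcessMemory is called with the golang.org/x/sys/windows
//     signature (handle, baseAddress, *byte, size, *uintptr) error; the
//     original passed a uintptr buffer and a *uint32 count and tested a
//     bool result, none of which matches the binding.
//   - The process is opened with PROCESS_VM_READ only instead of
//     PROCESS_ALL_ACCESS (least privilege), and the handle is closed.
//   - The WriteProcessMemory call was dropped: it wrote this process's
//     scratch buffer into the target at a meaningless address, which is
//     not monitoring and could corrupt the target.
//   - The address read from is an explicit target-space address rather
//     than the address of a local variable in this process.
func main() {
	// Executable name as reported by the Toolhelp snapshot; matched
	// exact-case by getProcessIdByName.
	processName := "notepad.exe"

	// Virtual address *inside the target* that each iteration reads from.
	// The original used the address of a local buffer in this process,
	// which has no meaning in another address space. 0 is a placeholder
	// that is never readable; set this to an address known to be valid in
	// the target before running.
	var baseAddress uintptr // PLACEHOLDER
	if baseAddress == 0 {
		fmt.Println("baseAddress is unset; choose an address that is valid inside", processName)
		return
	}

	fmt.Println("Waiting for process", processName, "to start...")
	processHandle := waitForProcessHandle(processName)
	// Release the handle when main returns; the original never closed it.
	// CloseHandle's error is ignored: there is nothing left to do with it.
	defer windows.CloseHandle(processHandle)
	fmt.Println("Successfully opened handle for process", processName)

	var buffer [1024]byte
	for {
		var bytesRead uintptr
		err := windows.ReadProcessMemory(processHandle, baseAddress, &buffer[0], uintptr(len(buffer)), &bytesRead)
		if err != nil {
			// A failed read usually means the target exited or the page is
			// not readable; stop instead of spinning forever on a dead handle.
			fmt.Printf("ReadProcessMemory at 0x%x: %v\n", baseAddress, err)
			return
		}
		if bytesRead > 0 {
			// %q escapes non-printable bytes so raw memory contents cannot
			// emit terminal control sequences into the console.
			fmt.Printf("[Read] %d bytes at 0x%x: %q\n", bytesRead, baseAddress, buffer[:bytesRead])
		}
		time.Sleep(time.Second)
	}
}

// waitForProcessHandle polls once per second until a process named
// processName exists and can be opened, then returns its handle.
// Only PROCESS_VM_READ is requested, the single right ReadProcessMemory
// requires; the original asked for PROCESS_ALL_ACCESS.
func waitForProcessHandle(processName string) windows.Handle {
	for {
		pid, err := getProcessIdByName(processName)
		if err == nil {
			h, err := windows.OpenProcess(windows.PROCESS_VM_READ, false, uint32(pid))
			if err == nil && h != 0 {
				return h
			}
		}
		time.Sleep(time.Second)
	}
}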
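// getProcessIdByName walks a Toolhelp process snapshot and returns the PID
// of the first process whose executable name equals processName (exact-case
// comparison). It returns an error when the snapshot cannot be created,
// when the walk fails for a reason other than reaching its end, or when no
// process matches. If several processes share the name, which one is
// returned depends on snapshot order.
func getProcessIdByName(processName string) (int, error) {
	snapshot, err := windows.CreateToolhelp32Snapshot(windows.TH32CS_SNAPPROCESS, 0)
	if err != nil {
		return 0, fmt.Errorf("creating process snapshot: %w", err)
	}
	defer windows.CloseHandle(snapshot)

	var entry windows.ProcessEntry32
	// Size must be filled in before the first call or Process32First fails.
	entry.Size = uint32(unsafe.Sizeof(entry))
	for err = windows.Process32First(snapshot, &entry); err == nil; err = windows.Process32Next(snapshot, &entry) {
		if syscall.UTF16ToString(entry.ExeFile[:]) == processName {
			return int(entry.ProcessID), nil
		}
	}
	// ERROR_NO_MORE_FILES only signals the end of the walk. The original
	// treated every Process32Next failure as "not found", hiding real errors.
	if err != windows.ERROR_NO_MORE_FILES {
		return 0, fmt.Errorf("walking process snapshot: %w", err)
	}
	return 0, fmt.Errorf("process %q not found", processName)
}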
在上面的代码中，我们首先等待指定进程（notepad.exe）启动，然后打开其句柄并开始循环监控 ReadProcessMemory() 和 WriteProcessMemory() 函数。当这些函数被调用时，我们会输出相应的 I/O 操作信息。
需要注意的是，监控其他进程的 I/O 操作可能会有一定的安全风险，请谨慎使用。另外，在使用 ReadProcessMemory() 和 WriteProcessMemory() 函数时，请务必了解其参数和返回值的含义，并进行相关测试和优化。




