Question
I'm trying to build a POC that identifies file copying activity from a Kauth-based kernel extension that uses a fileop scope callback.
However, it seems that copying a file involves two separate authentication operations (open the source file and create the new file).
My goal is rather simple: detect the new target file creation after it has been filled with data, disregarding the nature of the source file (so I'll be able to read it for further analysis).
According to my observation, it may be possible to achieve this by monitoring the last action on the target file, which is KAUTH_FILEOP_CLOSE. But this action alone may also occur in a lot of other scenarios, such as a file close after reading, and I only care if the file has new data.
I would expect to get in addition the KAUTH_FILEOP_CLOSE_MODIFIED flag, but it isn't there unless the target file is a new file (not copying to an existing file).
Perhaps it's yet another bug with Kauth. Any other ideas how to detect the new file after it is filled with data?
thanks
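To make the gap described in the question reproducible, here is an added user-space model (not code from the question or from Apple's Kauth headers) of a detector keyed on KAUTH_FILEOP_CLOSE plus KAUTH_FILEOP_CLOSE_MODIFIED, fed two constructed fileop sequences: a copy to a new destination and a copy over an existing one. The action codes and flag value are assumed to mirror sys/kauth.h and are defined locally so it builds as plain C; the paths and event order are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Local mirror of the fileop-scope action codes and close flag named in the
   question; values are assumed to match <sys/kauth.h> and are defined here
   only so this model builds as ordinary user-space C, outside a kext. */
#define KAUTH_FILEOP_OPEN            1
#define KAUTH_FILEOP_CLOSE           2
#define KAUTH_FILEOP_CLOSE_MODIFIED  (1 << 0)

/* One fileop event as a listener would see it: for OPEN and CLOSE arg1 is
   the path; for CLOSE, arg2 carries the close flags. */
struct fileop_event { uint32_t action; const char *path; uintptr_t closeflags; };

enum close_verdict { CLOSE_IGNORE = 0, CLOSE_NEW_DATA = 1 };

/* The check from the question: only a KAUTH_FILEOP_CLOSE carrying
   KAUTH_FILEOP_CLOSE_MODIFIED is treated as "this file received data". */
enum close_verdict classify(const struct fileop_event *ev) {
    if (ev->action != KAUTH_FILEOP_CLOSE) return CLOSE_IGNORE;
    return (ev->closeflags & KAUTH_FILEOP_CLOSE_MODIFIED) ? CLOSE_NEW_DATA : CLOSE_IGNORE;
}

/* Runs a sequence through classify() and returns the path of the last close
   flagged as carrying new data, or NULL when nothing was flagged. */
const char *detect_copy_target(const struct fileop_event *evs, size_t n) {
    const char *hit = NULL;
    for (size_t i = 0; i < n; i++)
        if (classify(&evs[i]) == CLOSE_NEW_DATA) hit = evs[i].path;
    return hit;
}

/* Constructed sequence: copy to a NEW destination. The destination close
   carries CLOSE_MODIFIED, so the detector identifies /tmp/new.txt. */
static const struct fileop_event copy_to_new[] = {
    { KAUTH_FILEOP_OPEN,  "/tmp/src.txt", 0 },
    { KAUTH_FILEOP_OPEN,  "/tmp/new.txt", 0 },
    { KAUTH_FILEOP_CLOSE, "/tmp/src.txt", 0 },
    { KAUTH_FILEOP_CLOSE, "/tmp/new.txt", KAUTH_FILEOP_CLOSE_MODIFIED },
};
/* Constructed sequence: copy onto an EXISTING destination. As the question
   observes, the flag is absent, so the write close looks like a read close. */
static const struct fileop_event copy_over_existing[] = {
    { KAUTH_FILEOP_OPEN,  "/tmp/src.txt", 0 },
    { KAUTH_FILEOP_OPEN,  "/tmp/existing.txt", 0 },
    { KAUTH_FILEOP_CLOSE, "/tmp/src.txt", 0 },
    { KAUTH_FILEOP_CLOSE, "/tmp/existing.txt", 0 },
};

const char *run_copy_to_new(void) { return detect_copy_target(copy_to_new, 4); }
const char *run_copy_over_existing(void) { return detect_copy_target(copy_over_existing, 4); }
```

The second sequence returning NULL is the blind spot the question describes: a flag-only close detector sees the new-file copy but not the overwrite.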
Source: https://stackoverflow.com/questions/49517854/detect-file-copying-from-kernel-extension