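My operating system is Windows 8 x64, but I would like to write a generic method that also works on other Windows operating systems and their architectures (if doing so does not make the headache even worse).
In this SO question, "Intercept FIleSytemCall for Deletion", I have read that the best option is to hook the NtSetFileInformation function. From what I have seen, there is also a WinAPI function named DeleteFile and the ICopyHook interface. I don't know the differences between them, but in any case I really don't know how to start doing this...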
I would like to clarify that I'm looking for a VB.NET solution. I'm having headaches because of the absence of any VB.NET code examples for these API-hooking libraries on Google, and C# code translations to VB.NET go really wrong when complex code is involved.
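Edit: I found an EasyHook library example about NtSetFileInformation that seems to fit my needs very well, but it is C# code and I tried to translate it without success: Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)
So, I have tried the Deviare library 2.6, but it did nothing: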
```vbnet
Public Class Form1

    Private _mgr As Deviare2.NktSpyMgr = Nothing
    Private WithEvents _hook As Deviare2.NktHook = Nothing
    Private _proc As Deviare2.INktProcess = Nothing

    Private Shadows Sub Shown() Handles MyBase.Shown
        _mgr = New Deviare2.NktSpyMgr()
        _hook = _mgr.CreateHook("ntdll.dll!NtSetFileInformation", Nothing)
        _hook.Hook()
    End Sub

    Private Sub OnFunctionCalled(ByVal proc As Deviare2.INktProcess,
                                 ByVal callInfo As Deviare2.INktHookCallInfo,
                                 ByVal rCall As Deviare.IRemoteCall) Handles _hook.OnFunctionCalled
        MsgBox("Caught function call in " & proc.Name)
    End Sub

End Class
```
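Basically, the code above is the same as the one @mazoula answered here: hooking another program's calls to winapi functions in vb.net. He says the code worked for him, but I tried it as-is (without the modifications I made above) and it threw an exception at the `_hook.Attach(_mgr.Processes)` instruction.
I also tried the EasyHook library, but again nothing happens when I delete a file from Explorer.exe or from CMD. The code is a translation of this C# code: http://www.codeproject.com/Questions/528094/DeleteFileplushookingpluswithplusEasyHookplussucce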
```vbnet
Imports System.Runtime.InteropServices
Imports EasyHook

Public Class Form1

    <DllImport("kernel32.dll", CharSet:=CharSet.Unicode, CallingConvention:=CallingConvention.StdCall)>
    Private Shared Function DeleteFile(filename As String) As Integer
    End Function

    <UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet:=CharSet.Unicode)>
    Private Delegate Function DeleteFileHandler(filename As String) As Integer

    Private Shared deleted As Boolean = False

    Public Function DeleteFileHookInstance(filename As String) As Integer
        MsgBox("works?")

        If deleted Then
            deleted = False
            Return 1
        End If

        If MessageBox.Show((Convert.ToString("Do you really want to delete file ") & filename) + "?",
                           "Confirm delete file",
                           MessageBoxButtons.YesNo,
                           MessageBoxIcon.Question) = DialogResult.Yes Then
            deleted = True
            Return DeleteFile(filename)
        Else
            Return 1 ' Assume the call is successful
        End If
    End Function

    Public Sub Run()
        Dim hook As EasyHook.LocalHook

        Try
            MsgBox("Creating...")
            hook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"),
                                    New DeleteFileHandler(AddressOf DeleteFileHookInstance),
                                    Me)
            ' It stops here, the main interface receives the reported status 'Creating...'
            ' seemingly forever, I understand that is for the unexpected restarting of explorer.exe
            MsgBox("Completing...")
            hook.ThreadACL.SetExclusiveACL(New Integer() {0})
            RemoteHooking.WakeUpProcess()
            MsgBox("OK")
        Catch ex As Exception
            MsgBox("CreateHook Failed: " + ex.Message)
            System.Diagnostics.Process.GetCurrentProcess().Kill()
        End Try

        While True
            Application.DoEvents()
        End While
    End Sub

    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        Run()
    End Sub

End Class
```