
File System Hook


Allan

Apr 5, 2008, 10:17:00 PM
I need to monitor a particular file to see if the same file handle is being used to
write data to it.
Is it possible to hook the file system to get information like this?
Is there ready-made software that does this?

File File Handle Event
Config.ini 1 File Opened
Config.ini 1 File Append Data
Config.ini 1 File Append Data
Config.ini 1 File Append Data
Config.ini 1 File Closed

Maxim S. Shatskih

Apr 5, 2008, 7:25:39 AM
FILEMON

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
ma...@storagecraft.com
http://www.storagecraft.com

"Allan" <mmr...@hotmail.com> wrote in message
news:uJGDe6wl...@TK2MSFTNGP06.phx.gbl...

Allan

Apr 5, 2008, 11:17:28 PM
Thanks! I had just got the answer too.

Ok. I had found the solution.
There is no need to track the file handle for my case.
I just need to track the "File Open" event for the Config.ini file, and
track the corresponding "File Close" event. Then I would be able to tell that the same
handle had written data to the Config.ini file.

There is ready-made software: File Monitor or Process Monitor.

http://technet.microsoft.com/en-us/sysinternals/bb545046.aspx

// File Open
8:10:06 PM Project1.exe:1856 C:\gb\file.txt Options: OverwriteIf Access:
00120196
8:10:06 PM Project1.exe:1856 C:\gb\ Options: Open Directory Access:
00100000

// File Write Data
8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll Attributes: A
8:10:11 PM Project1.exe:1856 Msimtf.dll Options: Open Access: 00100020
8:10:11 PM Project1.exe:1856 Msimtf.dll Length: 159232
8:10:11 PM Project1.exe:1856 Msimtf.dll
8:10:11 PM Project1.exe:1856 Msimtf.dll

// File Close
8:10:16 PM Project1.exe:1856 C:\gb\file.txt Offset: 0 Length: 5
8:10:16 PM Project1.exe:1856 C:\gb\file.txt
8:10:16 PM Project1.exe:1856 C:
8:10:16 PM Project1.exe:1856 C:\gb\file.txt

"Maxim S. Shatskih" <ma...@storagecraft.com> wrote in message
news:e9DjI$wlIHA...@TK2MSFTNGP05.phx.gbl...
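The bracketing approach Allan describes above (attribute every write that falls between a "File Open" and the matching "File Close" for the same process and path to one handle) can be automated over a Process Monitor export. The following is an added example, not code from this thread or from Sysinternals; it assumes the column layout of a Process Monitor CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the event names CreateFile, WriteFile and CloseFile, and the sample rows are constructed. It also handles the case the bracket heuristic cannot resolve on its own: when the same process holds two handles to the file at once, a write cannot be attributed to one of them, so every open bracket is flagged as ambiguous rather than silently assigned.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the column layout of a Process Monitor CSV export
# (layout and event names are assumptions; the thread's own lines are in
# Filemon's text format and are not reused here).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:10:06.0000001 PM","Project1.exe","1856","CreateFile","C:\\gb\\Config.ini","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"8:10:11.0000001 PM","Project1.exe","1856","WriteFile","C:\\gb\\Config.ini","SUCCESS","Offset: 0, Length: 5"
"8:10:12.0000001 PM","Project1.exe","1856","WriteFile","C:\\gb\\Config.ini","SUCCESS","Offset: 5, Length: 12"
"8:10:16.0000001 PM","Project1.exe","1856","CloseFile","C:\\gb\\Config.ini","SUCCESS",""
"8:10:30.0000001 PM","Project1.exe","1856","CreateFile","C:\\gb\\Config.ini","SUCCESS","Desired Access: Generic Write, Disposition: Open"
"8:10:31.0000001 PM","Project1.exe","1856","CreateFile","C:\\gb\\Config.ini","SUCCESS","Desired Access: Generic Write, Disposition: Open"
"8:10:32.0000001 PM","Project1.exe","1856","WriteFile","C:\\gb\\Config.ini","SUCCESS","Offset: 17, Length: 3"
"8:10:33.0000001 PM","Project1.exe","1856","CloseFile","C:\\gb\\Config.ini","SUCCESS",""
"8:10:34.0000001 PM","Project1.exe","1856","CloseFile","C:\\gb\\Config.ini","SUCCESS",""
"8:10:40.0000001 PM","Other.exe","2000","CreateFile","C:\\gb\\Config.ini","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"8:10:41.0000001 PM","Other.exe","2000","ReadFile","C:\\gb\\Config.ini","SUCCESS","Offset: 0, Length: 20"
"8:10:42.0000001 PM","Other.exe","2000","CloseFile","C:\\gb\\Config.ini","SUCCESS",""
"""


@dataclass
class HandleSession:
    """One CreateFile ... CloseFile bracket for a (process, PID) on the target path."""
    process: str
    pid: int
    path: str
    opened: str
    closed: Optional[str] = None
    write_count: int = 0
    bytes_written: int = 0
    ambiguous: bool = False  # another handle to the same path was open during a write


_LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def _length_from_detail(detail: str) -> int:
    """Pull the byte count out of a 'Length: N' detail field (0 if absent)."""
    m = _LENGTH_RE.search(detail)
    return int(m.group(1).replace(",", "")) if m else 0


def correlate(csv_text: str, target_path: str) -> Dict[str, list]:
    """Bracket WriteFile events between CreateFile and CloseFile for target_path.

    Returns {'sessions': finished brackets, 'open': brackets never closed in the
    trace, 'orphans': write rows seen with no open bracket (trace started late)}.
    """
    target = target_path.lower()
    open_by_key: Dict[tuple, List[HandleSession]] = {}
    finished: List[HandleSession] = []
    orphans: List[dict] = []

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() != target:
            continue
        key = (row["Process Name"], int(row["PID"]))
        op = row["Operation"]
        stack = open_by_key.setdefault(key, [])

        if op == "CreateFile":
            if row["Result"] != "SUCCESS":
                continue  # a failed open produces no handle to track
            stack.append(HandleSession(key[0], key[1], row["Path"], row["Time of Day"]))
        elif op == "WriteFile":
            if not stack:
                orphans.append(row)
                continue
            current = stack[-1]
            current.write_count += 1
            current.bytes_written += _length_from_detail(row["Detail"])
            if len(stack) > 1:
                # Two handles from the same process are open: the export carries
                # no handle value, so the write cannot be pinned to one of them.
                for s in stack:
                    s.ambiguous = True
        elif op == "CloseFile":
            if stack:
                s = stack.pop()  # assumes last-opened handle closes first
                s.closed = row["Time of Day"]
                finished.append(s)

    still_open = [s for stack in open_by_key.values() for s in stack]
    return {"sessions": finished, "open": still_open, "orphans": orphans}


def report(csv_text: str, target_path: str) -> List[str]:
    """One line per finished bracket, returned rather than printed."""
    lines = []
    for s in correlate(csv_text, target_path)["sessions"]:
        flag = " (AMBIGUOUS: concurrent handle)" if s.ambiguous else ""
        lines.append(f"{s.process}:{s.pid} {s.opened} -> {s.closed} "
                     f"writes={s.write_count} bytes={s.bytes_written}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSV, r"C:\gb\Config.ini"):
        print(line)
```

The first Project1.exe bracket is unambiguous (two writes, 17 bytes, one handle open), the nested pair of opens is flagged because the export gives no way to tell which of the two handles took the 3-byte write, and Other.exe shows up as a read-only bracket with no writes. The LIFO pop on CloseFile is a heuristic; if a process interleaves closes in a different order, the open/close times of the two brackets swap while the ambiguous flag still tells you the attribution is unreliable.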

doskey

Apr 7, 2008, 3:02:17 AM
> "Maxim S. Shatskih" <ma...@storagecraft.com> wrote in message news:e9DjI$wlIHA...@TK2MSFTNGP05.phx.gbl...

>
> > FILEMON
>
> > --
> > Maxim Shatskih, Windows DDK MVP
> > StorageCraft Corporation
> > ma...@storagecraft.com
> >http://www.storagecraft.com
>
> > "Allan" <mmr...@hotmail.com> wrote in message
> >news:uJGDe6wl...@TK2MSFTNGP06.phx.gbl...
> >> I need to monitor a particular file if the same file handle is being used
> >> to
> >> write data to it.
> >> Is it possible to hook the file system to get information like these?
> >> Is there ready made software that does this?
>
> >> File File Handle Event
> >> Config.ini 1 File Opened
> >> Config.ini 1 File Append Data
> >> Config.ini 1 File Append Data
> >> Config.ini 1 File Append Data
> >> Config.ini 1 File Closed

I think you don't need an FSD filter or minifilter driver.
You maybe need an SSDT hook driver. You can hook some native APIs such
as NtCreateFile, NtWriteFile and NtReadFile.
I think it can handle this case. :)

Maxim S. Shatskih

Apr 7, 2008, 6:29:49 AM
> I think you don't need an FSD filter or minifilter driver.
> You maybe need an SSDT hook driver.

Will not work on x64 Vista/2008; also note that an NtReadFile hook will not catch
paging IO.

Don Burn

Apr 7, 2008, 6:51:59 AM
Using an SSDT hook driver for this is incredibly irresponsible. First, as Max
pointed out, it will not work for X64, and it will not catch paging I/O.
Also, getting these right is harder than one thinks, and is likely to
destabilize the system. Also, the driver will immediately be flagged as
MALWARE. Following such a path for file operations that are easily
catchable with approved ways is beyond stupid.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"doskey" <doske...@gmail.com> wrote in message:

Lisa Pearlson

Apr 7, 2008, 5:48:56 PM
So what are these approved ways exactly?

"Don Burn" <bu...@stopspam.windrvr.com> wrote in message
news:%23pp3r1J...@TK2MSFTNGP06.phx.gbl...

Don Burn

Apr 7, 2008, 6:18:51 PM
This can be done with a mini-filter, and Microsoft provides one, FileSpy, that
meets most of the OP's needs. Get the WDK and take a look.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Lisa Pearlson" <n...@spam.plz> wrote in message
news:%23dJo6iP...@TK2MSFTNGP03.phx.gbl...

doskey

Apr 7, 2008, 11:48:01 PM
On Apr 8, 6:18 AM, "Don Burn" <b...@stopspam.windrvr.com> wrote:
> This can be done with a mini-filter and Microsoft provides one FileSpy that
> meets most of the OP's needs. Get the WDK and take a look.
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website:http://www.windrvr.com
> Blog:http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> "Lisa Pearlson" <n...@spam.plz> wrote in message
>
> news:%23dJo6iP...@TK2MSFTNGP03.phx.gbl...
>
> > So what are these approved ways exactely?
>
> > "Don Burn" <b...@stopspam.windrvr.com> wrote in message

> >news:%23pp3r1J...@TK2MSFTNGP06.phx.gbl...
> >> Using a SSDT hook driver for this is incredibly irresponsible. First as
> >> Max pointed out, it will not work for X64, and it will not catch paging
> >> I/O. Also, getting these right is harder than one thinks, and is likely
> >> to destabilize the system. Also, the driver will immediately be flagged
> >> as MALWARE. Following such a path for file operations that are easily
> >> catchable with approved ways, is beyond stupid.
>
> >> --
> >> Don Burn (MVP, Windows DDK)
> >> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> >> Website:http://www.windrvr.com
> >> Blog:http://msmvps.com/blogs/WinDrvr
> >> Remove StopSpam to reply
>
> >> "doskey" <doskey....@gmail.com> wrote in message:

>
> >> I think you don't need FSD filter or minifilter driver.
> >> You maybe need a SSDT hook driver. You can hook some native API such
> >> as NtCreateFile, NtWriteFile and NtReadFile.
> >> I think it can do this case. :)

I don't think an SSDT hook driver looks like malware. Too much HIPS
software is using this technology.
A mini-filter driver is maybe the best way to handle this case.

Don Burn

Apr 8, 2008, 6:59:46 AM

"doskey" <doske...@gmail.com> wrote in message
news:91928f78-5857-407f-8839-
> I don't think an SSDT hook driver looks like malware. Too much HIPS
> software is using this technology.

And some, not all, of these are special-cased in the MALWARE detection.
Bottom line is you cannot hook and unhook safely, and it is a damaging
practice that hopefully Microsoft will block in 32 bit someday as well as 64
bit.
