Windows File Tracing

[hakim]

I am trying to trace the files opened by an application and I am following the approach of Drakvuf. I tried to trace Notepad++. When I open a file, my program can only trace the directory of that file, it doesn't trace the actual file itself. For example, if I open a file in C:/Users/TestData/test.txt, my output will look like this-

[---------------------------------- bunch of other not related files --------------------------------]
file name = \??\::\
file name = \??\C:\
file name = \??\C:\Users\TestData\
file name = \??\C:\Program Files (x86)\Notepad++
file name = \??\C:\Users\TestData\

In the output I have no trace of target file: C:/Users/TestData/test.txt

Here is my code:

static event_response_t objattr_read(vmi_instance_t vmi, addr_t attr)
{
    access_context_t ctx;
    ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
    ctx.dtb = cr3;


    if ( !attr )
    {
        return 0;
    }


    ctx.addr = attr + 16;   // Why 16? Shouldn't it be 4 bytes Length(ULONG) + 4 bytes RootDirectory(Handle)
    if ( VMI_FAILURE == vmi_read_addr(vmi, &ctx, &ctx.addr) )
    {
      return 0;
    }


    unicode_string_t* us = vmi_read_unicode_str(vmi, &ctx);
    if ( !us )
    {
        printf("unicde read error for addr + %d\n", i);
        return 0;
    }


    unicode_string_t str2 = { .contents = NULL };


    if (VMI_SUCCESS == vmi_convert_str_encoding(us, &str2, "UTF-8"))
    {
        printf("file name = %s\n", str2.contents);
    }


    vmi_free_unicode_str(us);
     
    return VMI_EVENT_RESPONSE_TOGGLE_SINGLESTEP;
}


event_response_t syscall_trap_callback(vmi_instance_t vmi, vmi_event_t *event) {
  vmi_pause_vm(vmi);
  addr_t r8 = event->x86_regs->r8;


  page_mode_t page_mode = vmi_get_page_mode(vmi, 0);
  if (page_mode == VMI_PM_IA32E) {
    uint64_t object_attributes = r8;
    objattr_read(vmi, object_attributes);
  }
  else {
    // Not handled now.
  }




  vmi_write_8_va(vmi, NtOpenFileAddress, 0, &saved_trap_byte);


  vmi_resume_vm(vmi);
  event->interrupt_event.reinject = 0;


  return VMI_EVENT_RESPONSE_TOGGLE_SINGLESTEP;
}

What am I missing here?

[Tamas K Lengyel]

I see you are trapping NtOpenFileAddress. You might want to trap some
other syscalls too, like in
https://github.com/tklengyel/drakvuf/blob/master/src/plugins/filetracer/filetracer.cpp#L236

> --
> You received this message because you are subscribed to the Google Groups
> "vmitools" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vmitools+u...@googlegroups.com.
> To post to this group, send email to vmit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/vmitools.
> For more options, visit https://groups.google.com/d/optout.

[hakim]

Shouldn't NtOpenFile and ZwOpenFile be enough? I am only interested in file open operation and don't care about what the application does on the file after opening it. I tried both NtOpenFile and ZwOpenFile together, but I don't still see the target file in the output. As if, those two system calls are not being called at all on the target file.

[Tamas K Lengyel]

I would suggest you review the WRK to check how those system calls
actually are being used.