Solved

Hooking CreateFile()

Posted on 1998-12-07
Last Modified: 2012-08-14
Hello:
Is there any way my application can know what files are being opened by other applications that are currently running? I saw a sample on a DDJ CD that would give me a list of all currently open files. But some applications keep the document open even after they close the associated file. So somehow I need to get a notification when the file is initially opened so that I can hold on to the filename even after it is closed.
--regards
Rajesh Vijayakumar
Question by: vijayk

13 Comments
LVL 22

Expert Comment

by:nietod
ID: 1179466
Take a look at FindFirstChangeNotification().

Let me know if you have questions.
LVL 22

Expert Comment

by:nietod
ID: 1179467
Sorry, I'm wrong about that.  I thought it was possible to monitor the opening of files with that.  It allows you to monitor changes to files, but not opening of files.  This probably is not what you need.  (Although you might want to look into it all the same.)

Author Comment

by:vijayk
ID: 1179468
FindFirstChangeNotification() is not what I am looking for. (Wouldn't it be great if it gave the file open notification also!). Another thing I forgot to mention is that the solution has to work with Windows NT4. I don't care if it works with Win95 or not.
LVL 86

Expert Comment

by:jkr
ID: 1179469
Well, there's a utility available at www.sysinternal.com that is named 'NTFilemon' which monitors the file system activity by hooking kernel device objects, e.g.:
        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targeted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The full source code is also available, but it is implemented as a kernel driver - so if you don't mind that ;-)

Author Comment

by:vijayk
ID: 1179470
Hi,
I haven't written any kernel mode drivers yet so I feel a bit nervous about that. I am temporarily rejecting your answer so that other people get a chance to give a simpler answer (if there is any). I was looking for something like the IFSMgr_InstallFileSystemApiHook() available in Win95. If nobody gives a better answer within two days, I will accept your answer. Sorry about this but I want to make absolutely sure that there is no simpler way of doing this before writing a device driver.
--regards
Rajesh Vijayakumar
LVL 86

Expert Comment

by:jkr
ID: 1179471
I can understand this - but as (IMHO) there is no method available, I think you'll have to follow this way...

Oops, did I say there is _no_ other method... well, I can think of another one or 2, but they _really_ are rude (and I don't even know if I'd want to follow it ;-) :
1. Replace kernel32.dll with your own version to intercept all incoming API calls and pass them through to the original DLL (lots of work!)
2. Create a DLL that is mapped into the address space of all running processes (see injlib.exe, 'ftp://ftp.microsoft.com/softlib/mslfiles/INJLIB.EXE', and MS Systems Journal May '94, 'Load Your 32-bit DLL into Another Process's Address Space Using INJLIB', at http://www.microsoft.com/msj) and patch the function tables so that the 'CreateFile()' API call is redirected to one of your functions before you pass them through to the original function (If that is what you choose to do, I could even give you some code that illustrates this).
LVL 13

Expert Comment

by:Mirkwood
ID: 1179472
Go to www.sysinternals.com and download filemon or ntfilemon. It comes with complete source and does what you want.
LVL 86

Expert Comment

by:jkr
ID: 1179473
Mirkwood - didn't you read the question's history? I already suggested this .....
LVL 13

Expert Comment

by:Mirkwood
ID: 1179474
Oops, you're so right. Well, this basically answers your question. I didn't read the history.

Author Comment

by:vijayk
ID: 1179475
Hi, sorry for rejecting your correct answer but the points belong to jkr since he answered first. jkr: please post a dummy answer and claim your points. I downloaded the source code of FileMon and I think I don't have to write a device driver of my own. I could just use theirs. (provided the authors allow it).
Thank you all,
Rajesh Vijayakumar
LVL 86

Accepted Solution

by:
jkr earned 100 total points
ID: 1179476
Thanks Rajesh!
BTW: If you are interested in only some processes using 'CreateFile()', the 'INJLIB' method I mentioned earlier would be a really good idea - and I've even got a working sample that does exactly what you want (regarding the hooking of 'CreateFile()'), I just didn't think of it because of the 'global' hooking context. If you'd like to get the example, simply post your email and I'll send it to you...

Author Comment

by:vijayk
ID: 1179477
Hi jkr,
What I need is a system-wide hook. Basically, the user will specify a set of files on their hard drive and my application has to get notified when any of these files are opened by any application. If the sample is applicable in such a situation, please send it to vijayk@cswl.com
Thanks once again for helping me out.
Rajesh Vijayakumar
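Whichever source delivers the open events (a Filemon-style filter driver or a CreateFile() hook in each process), the application side still has to match every successful open against the user's watch list and keep the path after the file is closed, which is the requirement stated in the post above. The following is an added example, not code from this thread or from Filemon; the tab-separated line format, the watch list and the trace lines are constructed, and NT's case-insensitive file names are handled explicitly.

```c
#include <ctype.h>
#include <string.h>
#define PATH_MAX_LEN 260
#define MAX_SEEN 32
/* Files the user asked to watch (constructed sample list). */
static const char *WATCH_LIST[] = { "C:\\Docs\\Budget.xls", "C:\\Docs\\Plan.doc" };
static char seen[MAX_SEEN][PATH_MAX_LEN]; /* watched opens, kept after the file is closed */
static int seen_count = 0;
/* NT file names are case-insensitive, so the watch list must be compared that way. */
static int path_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static int is_watched(const char *path) {
    for (size_t i = 0; i < sizeof WATCH_LIST / sizeof *WATCH_LIST; i++)
        if (path_equal(path, WATCH_LIST[i])) return 1;
    return 0;
}
/* Record a watched path once; a later IRP_MJ_CLOSE never removes it. */
static void remember(const char *path) {
    for (int i = 0; i < seen_count; i++) if (path_equal(seen[i], path)) return;
    if (seen_count < MAX_SEEN && strlen(path) < PATH_MAX_LEN) strcpy(seen[seen_count++], path);
}
/* Trace line "<process>\t<request>\t<path>\t<result>"; 1 if it is a successful open of a watched file. */
int process_line(const char *line) {
    char buf[4 * PATH_MAX_LEN], *f[4], *p = buf, *tab; int n;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    for (n = 0; n < 4 && p; n++) {   /* cut the copy at tabs into four fields */
        f[n] = p; if ((tab = strchr(p, '\t'))) *tab = '\0';
        p = tab ? tab + 1 : NULL;
    }
    if (n < 4 || strcmp(f[1], "IRP_MJ_CREATE") || strcmp(f[3], "SUCCESS") || !is_watched(f[2])) return 0;
    remember(f[2]);
    return 1;
}
int seen_total(void) { return seen_count; }
const char *seen_at(int i) { return (i >= 0 && i < seen_count) ? seen[i] : ""; }
/* Feed a constructed trace (not real Filemon output); returns the number of hits. */
int run_sample(void) {
    static const char *trace[] = {
        "EXCEL.EXE\tIRP_MJ_CREATE\tC:\\Docs\\Budget.xls\tSUCCESS",
        "EXCEL.EXE\tIRP_MJ_CLOSE\tC:\\Docs\\Budget.xls\tSUCCESS",
        "NOTEPAD.EXE\tIRP_MJ_CREATE\tC:\\docs\\BUDGET.XLS\tSUCCESS",
        "WINWORD.EXE\tIRP_MJ_CREATE\tC:\\Docs\\Plan.doc\tNOT FOUND" };
    int hits = 0;
    for (int i = 0; i < 4; i++) hits += process_line(trace[i]);
    return hits;
}
```

The close on line two and the failed open on line four are ignored, and the differently-cased reopen on line three still counts as a hit but is not stored twice.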
LVL 86

Expert Comment

by:jkr
ID: 1179478
OK Rajesh, you'll get it tomorrow, as I have to head home fast now (10pm here ;-)