Hooking CreateFile()

Posted on 1998-12-07
Last Modified: 2012-08-14
Hello:
Is there any way my application can know what files are being opened by other applications that are currently running? I saw a sample in a DDJ CD that would give me a list of all currently open files. But some applications keep the document open even after they close the associated file. So somehow I need to get a notification when the file is initially opened so that I can hold on to the filename even after it is closed.
--regards
Rajesh Vijayakumar
Question by:vijayk
LVL 22

Expert Comment

by:nietod
ID: 1179466
Take a look at FindFirstChangeNotification().

Let me know if you have questions.
LVL 22

Expert Comment

by:nietod
ID: 1179467
Sorry, I'm wrong about that.  I thought it was possible to monitor the opening of files with that.  It allows you to monitor changes to files, but not opening of files.  This probably is not what you need.  (Although you might want to look into it all the same.)
Author Comment

by:vijayk
ID: 1179468
FindFirstChangeNotification() is not what I am looking for. (Wouldn't it be great if it gave the file open notification also!). Another thing I forgot to mention is that the solution has to work with Windows NT4. I don't care if it works with Win95 or not.
LVL 86

Expert Comment

by:jkr
ID: 1179469
Well, there's a utility available at www.sysinternal.com that is named 'NTFilemon' which monitors the file system activity by hooking kernel device objects, e.g.:
        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
        //
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targeted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The full source code is also available, but it is implemented as a kernel driver - so if you don't mind that ;-)

Author Comment

by:vijayk
ID: 1179470
Hi,
I haven't written any kernel mode drivers yet so I feel a bit nervous about that. I am temporarily rejecting your answer so that other people get a chance to give a simpler answer (if there is any). I was looking for something like the IFSMgr_InstallFileSystemApiHook() available in win95. If nobody gives a better answer within two days, I will accept your answer. Sorry about this but I want to make absolutely sure that there is no simpler way of doing this before writing a device driver.
--regards
Rajesh Vijayakumar
LVL 86

Expert Comment

by:jkr
ID: 1179471
I can understand this - but as (IMHO) there is no method available, I think you'll have to follow this way...

Ooops, did I say there is _no_ other method... well, I can think of another one or 2, but they _really_ are rude (and I don't even know if I'd want to follow it ;-) :
1. Replace kernel32.dll with your own version to intercept all incoming API calls and pass them through to the original DLL (lots of work!)
2. create a DLL that is mapped into the address space of all running processes (see injlib.exe 'ftp://ftp.microsoft.com/softlib/mslfiles/INJLIB.EXE') and MS Systems Journal May '94 'Load Your 32-bit DLL into Another Process's Address Space Using INJLIB' at http://www.microsoft.com/msj') and patch the function tables so that the 'CreateFile()' API call is redirected to one of your functions before you pass them through to the original function (If that is what you choose to do, I could even give you some code that illustrates this).
LVL 13

Expert Comment

by:Mirkwood
ID: 1179472
Goto www.sysinternals.com and download filemon or ntfilemon. It comes with complete source and does what you want.
LVL 86

Expert Comment

by:jkr
ID: 1179473
Mirkwood - didn't you read the question's history? I already suggested this .....
LVL 13

Expert Comment

by:Mirkwood
ID: 1179474
Oops, you're so right. Well, this basically answers your question. I didn't read the history.

Author Comment

by:vijayk
ID: 1179475
Hi, sorry for rejecting your correct answer but the points belong to jkr since he answered first. jkr: please post a dummy answer and claim your points. I downloaded the source code of FileMon and I think I don't have to write a device driver of my own. I could just use theirs. (provided the authors allow it).
Thank you all,
Rajesh Vijayakumar
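The approach the thread settles on is to let FileMon's driver see the opens and have the user-mode application filter its output for the files the user cares about. The script below is an added example, not code from the thread or from the Sysinternals sources: it assumes a tab-separated FileMon-style export (sequence, time, process:pid, request, path, result), uses constructed sample lines, and keeps the record of an open after the file has been closed, which is the part the original question needed.

```python
# Added example (not from the thread or Sysinternals).  Assumed FileMon-style
# tab-separated export: seq, time, process:pid, request, path, result.
SAMPLE_LOG = """\
1\t10:02:11\tWINWORD.EXE:412\tIRP_MJ_CREATE\tC:\\Docs\\budget.doc\tSUCCESS
2\t10:02:11\tWINWORD.EXE:412\tIRP_MJ_READ\tC:\\Docs\\budget.doc\tSUCCESS
3\t10:02:12\tWINWORD.EXE:412\tIRP_MJ_CLOSE\tC:\\Docs\\budget.doc\tSUCCESS
4\t10:03:40\tNOTEPAD.EXE:980\tIRP_MJ_CREATE\tc:\\docs\\README.TXT\tSUCCESS
5\t10:03:41\tEXPLORER.EXE:128\tIRP_MJ_CREATE\tC:\\Temp\\x.tmp\tSUCCESS
6\t10:04:00\tCMD.EXE:700\tIRP_MJ_CREATE\tC:\\Docs\\budget.doc\tACCESS DENIED
"""  # constructed sample lines

WATCHED = [r"C:\Docs\budget.doc", r"C:\Docs\readme.txt"]  # user's watch list


def parse_event(line):
    """Split one log line into a dict; None for blank or malformed lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        return None
    _seq, time, process, request, path, result = fields[:6]
    return {"time": time, "process": process, "request": request,
            "path": path, "result": result}


def watch_opens(log_text, watched):
    """Per watched file: every open attempt and the first successful open.

    IRP_MJ_CREATE is the kernel-side request behind CreateFile().  Paths are
    compared case-insensitively (NTFS/FAT lookups are).  Close events are
    deliberately not used to forget a file: the record must outlive the
    handle, which is exactly the problem in the question.
    """
    wanted = {p.lower(): p for p in watched}
    seen = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["request"] != "IRP_MJ_CREATE":
            continue
        key = ev["path"].lower()
        if key not in wanted:
            continue
        rec = seen.setdefault(key, {"path": wanted[key], "first_success": None,
                                    "attempts": []})
        rec["attempts"].append((ev["time"], ev["process"], ev["result"]))
        if rec["first_success"] is None and ev["result"] == "SUCCESS":
            rec["first_success"] = (ev["time"], ev["process"])
    return seen
```

Denied attempts are kept alongside successful ones so the application can also show who tried to open a watched file and was refused.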
LVL 86

Accepted Solution

by:
jkr earned 100 total points
ID: 1179476
Thanks Rajesh!
BTW: If you are interested in only some processes using 'CreateFile()', the 'INJLIB' method I mentioned earlier would be a really good idea - and I've got even a working sample that does exactly what you want (regarding the hooking of 'CreateFile()'), I just didn't think of it because of the 'global' hooking context. If you'd like to get the example, simply post your email and I'll send it to you...

Author Comment

by:vijayk
ID: 1179477
Hi jkr,
What I need is a system wide hook. Basically, the user will specify a set of files on their hard drive and my application has to get notified when any of these files are opened by any application. If the sample is applicable in such a situation, please send it to vijayk@cswl.com
Thanks once again for helping me out.
Rajesh Vijayakumar
LVL 86

Expert Comment

by:jkr
ID: 1179478
OK Rajesh, you'll get it tomorrow, as I have to head home fast now (10pm here ;-)