Solved

Hooking CreateFile()

Posted on 1998-12-07
Last Modified: 2012-08-14
Hello:
Is there any way my application can know what files are being opened by other applications that are currently running? I saw a sample in a DDJ CD that would give me a list of all currently open files. But some applications keep the document open even after they close the associated file. So somehow I need to get a notification when the file is initially opened so that I can hold on to the filename even after it is closed.
--regards
Rajesh Vijayakumar
Question by:vijayk
13 Comments
 
LVL 22

Expert Comment

by:nietod
ID: 1179466
Take a look at FindFirstChangeNotification().

Let me know if you have questions.
0
 
LVL 22

Expert Comment

by:nietod
ID: 1179467
Sorry, I'm wrong about that.  I thought it was possible to monitor the opening of files with that.  It allows you to monitor changes to files, but not opening of files.  This probably is not what you need.  (Although you might want to look into it all the same.)
0
 

Author Comment

by:vijayk
ID: 1179468
FindFirstChangeNotification() is not what I am looking for. (Wouldn't it be great if it gave the file open notification also!). Another thing I forgot to mention is that the solution has to work with Windows NT4. I don't care if it works with Win95 or not.
0
 
LVL 86

Expert Comment

by:jkr
ID: 1179469
Well, there's a utility available at www.sysinternal.com that is named 'NTFilemon' which monitors the file system activity by hooking kernel device objects, e.g.:
        //
        // The file system's device hasn't been hooked already, so make a hooking device
        //  object that will be attached to it.
        //
        ntStatus = IoCreateDevice( DriverObject,
                    sizeof(HOOK_EXTENSION),
                    NULL,
                    fileSysDevice->DeviceType,
                    0,
                    FALSE,
                    &hookDevice );
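        //
        // NOTE: ntStatus must be checked with NT_SUCCESS() before hookDevice is used;
        // this excerpt does not show that check.
        //
        // Clear the device's init flag as per NT DDK KB article on creating device
        // objects from a dispatch routine
        //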
        hookDevice->Flags &= ~DO_DEVICE_INITIALIZING;

        //
        // Setup the device extensions. The drive letter and file system object are stored
        // in the extension.
        //
        hookExtension = hookDevice->DeviceExtension;
        hookExtension->LogicalDrive = 'A'+Drive;
        hookExtension->FileSystem   = fileSysDevice;

        //
        // Finally, attach to the device. The second we're successfully attached, we may
        // start receiving IRPs targeted at the device we've hooked.
        //
        ntStatus = IoAttachDeviceByPointer( hookDevice, fileSysDevice );

The full source code is also available, but it is implemented as a kernel driver - so if you don't mind that ;-)
0
 

Author Comment

by:vijayk
ID: 1179470
Hi,
I haven't written any kernel mode drivers yet so I feel a bit nervous about that. I am temporarily rejecting your answer so that other people get a chance to give a simpler answer (if there is any). I was looking for something like the IFSMgr_InstallFileSystemApiHook() available in win95. If nobody gives a better answer within two days, I will accept your answer. Sorry about this but I want to make absolutely sure that there is no simpler way of doing this before writing a device driver.
--regards
Rajesh Vijayakumar
0
 
LVL 86

Expert Comment

by:jkr
ID: 1179471
I can understand this - but as (IMHO) there is no method available, i think you'll have to follow this way...

Ooops, did i say there is _no_ other method... well, i can think of another one or 2 , but they _really_ are rude (and i don't even know if i'd want to follow it ;-) :
1. Replace kernel32.dll with your own version to intercept all incoming API calls and pass them through to the original DLL (lots of work!)
2. Create a DLL that is mapped into the address space of all running processes (see injlib.exe, 'ftp://ftp.microsoft.com/softlib/mslfiles/INJLIB.EXE', and MS Systems Journal May '94, 'Load Your 32-bit DLL into Another Process's Address Space Using INJLIB', at 'http://www.microsoft.com/msj') and patch the function tables so that the 'CreateFile()' API call is redirected to one of your functions before you pass it through to the original function (If that is what you choose to do, i could even give you some code that illustrates this).
0
 
LVL 13

Expert Comment

by:Mirkwood
ID: 1179472
Go to www.sysinternals.com and download filemon or ntfilemon. It comes with complete source and does what you want.
0
 
LVL 86

Expert Comment

by:jkr
ID: 1179473
Mirkwood - didn't you read the question's history? I already suggested this .....
0
 
LVL 13

Expert Comment

by:Mirkwood
ID: 1179474
Oeps, you're so right. Well this basically answers your question. I didn't read the history.
0
 

Author Comment

by:vijayk
ID: 1179475
hi, sorry for rejecting your correct answer but the points belong to jkr since he answered first. jkr: please post a dummy answer and claim your points. I downloaded the source code of FileMon and I think I don't have to write a device driver of my own. I could just use theirs. (provided the authors allow it).
thank you all,
Rajesh Vijayakumar
0
 
LVL 86

Accepted Solution

by:
jkr earned 100 total points
ID: 1179476
Thanks Rajesh!
BTW: If you are interested in only some processes using 'CreateFile()', the 'INJLIB' method i mentioned earlier would be a really good idea - and i've got even a working sample that does exactly what you want (regarding the hooking of 'CreateFile()'), i just didn't think of it because of the 'global' hooking context. If you'd like to get the example, simply post your email and i'll send it to you...
0
 

Author Comment

by:vijayk
ID: 1179477
Hi jkr,
What I need is a system wide hook. Basically, the user will specify a set of files on their hard drive and my application has to get notified when any of these files are opened by any application. If the sample is applicable in such a situation, please send it to vijayk@cswl.com
Thanks once again for helping me out.
Rajesh Vijayakumar
0
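The user-mode half of the requirement described above (a watch list of files, with the opener still known after the handle is closed), as an added example that is not part of the original thread or of FileMon's source. It assumes a monitor delivers OPEN/CLOSE records; the `FileEvent` layout, `same_path`, `on_event` and the sample paths are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record delivered by a file monitor (not FileMon's real format). */
typedef struct { const char *process, *op, *path; } FileEvent;
typedef struct { const char *process, *path; } Seen;
static Seen seen[16];
static int seen_count;

/* Windows paths: compare case-insensitively and treat '/' like '\\'. */
static int norm(char c) { return c == '/' ? '\\' : tolower((unsigned char)c); }
static int same_path(const char *a, const char *b) {
    while (*a && *b && norm(*a) == norm(*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';   /* equal only if both ended together */
}

/* Record each (process, watched file) pair on OPEN; CLOSE never removes it. */
static int on_event(const FileEvent *ev, const char *const *watch, int nwatch) {
    if (strcmp(ev->op, "OPEN") != 0 || seen_count == (int)(sizeof seen / sizeof *seen)) return 0;
    for (int i = 0; i < nwatch; i++) {
        if (!same_path(ev->path, watch[i])) continue;
        for (int j = 0; j < seen_count; j++)
            if (!strcmp(seen[j].process, ev->process) && seen[j].path == watch[i]) return 0;
        seen[seen_count++] = (Seen){ ev->process, watch[i] };
        return 1;                       /* new pair stored */
    }
    return 0;                           /* path is not on the watch list */
}

/* Constructed sample data: the user's watch list and an event stream. */
static const char *const WATCH[] = { "C:\\Docs\\report.doc", "C:\\Docs\\budget.xls" };
static const FileEvent SAMPLE[] = {
    { "winword.exe", "OPEN",  "c:\\docs\\REPORT.DOC" },
    { "winword.exe", "CLOSE", "c:\\docs\\REPORT.DOC" },
    { "excel.exe",   "OPEN",  "C:/Docs/budget.xls" },
    { "winword.exe", "OPEN",  "C:\\Docs\\report.doc" },
    { "notepad.exe", "OPEN",  "C:\\Docs\\report.doc.bak" },
};

int replay_sample(void) {
    seen_count = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof *SAMPLE; i++) on_event(&SAMPLE[i], WATCH, 2);
    return seen_count;
}
int main(void) {
    int n = replay_sample();
    for (int i = 0; i < n; i++) printf("%s opened %s\n", seen[i].process, seen[i].path);
    return 0;
}
```

A byte-for-byte `strcmp` on the path would miss the first and third sample events, which differ from the watch list only in case and separator.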
 
LVL 86

Expert Comment

by:jkr
ID: 1179478
OK Rajesh, you'll get it tomorrow, as i have to head home fast now (10pm here ;-)
0


Question has a verified solution.
