show/get the path+filename of the file creator and the newly created file

Hi,
I'm a Delphi developer, but C is more powerful than Delphi, we know that.

I want to show/get the path+filename of the file creator and the newly created file.
A sample for this is:
copyfile(file_creator_source,  newly_created_file);
A sample code can be userland or kernel mode.
Please.
systanAsked:
ThievingSix Commented:
You would get both the source and destination with CreateFileX(), since CreateFileX() is used for opening/reading/writing as well as creating. The problem is you would have no way to differentiate between which is the source and which is the destination.

I see two options:

1) You hook the ShFileOperation() API and check for Struct.wFunc = FO_COPY. This is the way Windows copies files (NT at least). The only issue is programs that do not use the Windows default file copy. This function will call CreateFile() --> NtCreateFile() --> ZwCreateFile().

2) You hook CreateFileX() and CloseHandle(). When an application opens a file, and creates another you record the two handles returned by CreateFileX(). When the application calls CloseHandle() on both those handles (or even the one regarding the created file) you compare the two files and hash them. If the hashes are the same you can assume that the program just copied them. This is a more complete solution than 1 but it's more complete. If you implement this in kernel mode Zw* it would be even more complete.

Just a refresher. Nt* = user mode, Zw* = kernel mode. Don't hook one in the other.
0
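ThievingSix's option 2 (record the handles CreateFile returns, hash and compare on CloseHandle), as a portable C simulation added here rather than code from the thread: on_create() and on_close() are hypothetical callbacks that real CreateFileW/CloseHandle hooks would invoke, the tracking table is a deliberately small fixed array, and FNV-1a stands in for whatever hash a monitor would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 16
#define OPENED_EXISTING 0   /* stands in for OPEN_EXISTING */
#define CREATED_NEW     1   /* stands in for CREATE_NEW / CREATE_ALWAYS */

/* One entry per handle the hooked CreateFile returned (hypothetical table). */
struct tracked { char path[260]; int created; int used; };
static struct tracked table[MAX_TRACKED];

/* FNV-1a over the file's bytes; 0 means "could not read". */
static uint64_t hash_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint64_t h = 1469598103934665603ULL;
    for (int c; (c = fgetc(f)) != EOF;) { h ^= (uint64_t)c; h *= 1099511628211ULL; }
    fclose(f);
    return h;
}

/* Called from the CreateFile hook: remember the path and whether it was new. */
void on_create(const char *path, int created) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].used) continue;
        snprintf(table[i].path, sizeof table[i].path, "%s", path);
        table[i].created = created;
        table[i].used = 1;
        return;
    }
}

/* Called from the CloseHandle hook. When a file the process *created* closes, compare
 * its hash with every file it merely opened; returns 1 and fills src on a match. */
int on_close(const char *path, char *src, size_t srclen) {
    int created = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].used && strcmp(table[i].path, path) == 0) created = table[i].created;
    if (!created) return 0;
    uint64_t h = hash_file(path);
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!table[i].used || table[i].created) continue;
        if (h != 0 && hash_file(table[i].path) == h) {
            snprintf(src, srclen, "%s", table[i].path);
            return 1;
        }
    }
    return 0;
}
```

A real monitor would expire entries once both handles are closed; this table keeps them so the source can still be matched after its own close.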
 
phoffricCommented:
Could you give an example of what you want copyfile to do?
For example, what would this do:
     copyfile( "c:/homefile_creator_source",  "newly_created_file");
0
 
systanAuthor Commented:
Hi,
copyfile is a function in Delphi/C/C++Builder?
And I think Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile, Zw/NtFlushBufferFile, Zw/NtQueryVolumeInformationFile have a part in doing that. But I don't really know how to begin with it.

copyfile( "homefile_creator_source",  "newly_created_file");

I would like to show a message box with their path+filename when there is a newly created file, including the homefile_creator_source.

The real purpose of this is just to know the source file path and the destination file path when someone creates a new file of any type.

If you can discuss this in userland or kernel mode, then I'm biting the steps forward to do it, but it would be wonderful if you can get a sample code for better, quicker learning.

Thanks for the quick reply
0
 
phoffricCommented:
Sorry, I'm not a delphi/C++builder guy, so I am not sure about your terminology.

On the other hand, if it's just a question of parsing a char * string such as "C:\Projects\Test1\src_file" into the following two strings:
     "C:\Projects\Test1\"
     "src_file"
then I can help you with that. (Then you can display the two strings.)
0
 
phoffricCommented:
BTW - you are looking for a C solution, yes?
0
 
CodedKCommented:
Hi Systan.

Do you want to monitor file creation and get the source path and the destination path in a log file?
Do you want this in C?
0
 
systanAuthor Commented:
phoffric;
What I meant is to detect when a file is newly created;
as you can see, when a command code is issued like that;
copyfile( "c:\windows\homefile_creator_source",  "d:\anydir_folder\newly_created_file");

my app (exe or dll) will detect that a new file is created, and hopefully I can get/show the path+filename of the source as well as the destination.

>>BTW - you are looking for a C solution, yes?
I'm not really looking for a C solution, I understand Delphi better.

I only posted here as the primary zone because I have noticed that C zone experts have much knowledge in terms of this category of question.

But if anyone could post Delphi code, I'm sure to test it to see if it is really working.
And if I see the code in C/C++ I'll be glad to try and analyze it and convert it to the Delphi way of coding, and ask for help if it's hardly complicated.


hello codedK;
I was thinking that you're gone from E-E, because I always check who's active and not on the Delphi zone; I thought you were with hypo and twinsoft.


Anyway, I don't want to use directory/file watch creation, because it is specific to the drive/folder that you want to watch.

I am using Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile individually, and that's why I did not have the chance to make it work.

Now I am doubtful of Zw/NtFlushBufferFile and Zw/NtQueryVolumeInformationFile, which I have not tested because I am not capable of knowing such variables to use like PInt64, ULONG and others that are new to my sight.


Thanks
0
 
phoffric Commented:
I will defer to a c/delphi programmer for extended discussion.

If this were C, I'd use the strrchr() function to search from the end of the string to the left to find the first occurrence of '\' (assuming a Windows path). Here is a link explaining strrchr():
      http://www.cplusplus.com/reference/clibrary/cstring/strrchr/
0
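phoffric's strrchr() split written out as an added C example (not his code): split_path() is a name chosen here, and it also accepts '/' because the copyfile samples in this thread mix both separators ("c:/homefile_creator_source" vs "c:\windows\...").

```c
#include <stdio.h>
#include <string.h>

/* Splits "C:\Projects\Test1\src_file" into dir "C:\Projects\Test1\" and name
 * "src_file" using strrchr(). The rightmost '\' or '/' is the boundary, so a
 * drive root ("c:/x") and a bare file name (empty dir) both work.
 * Returns 1 on success, 0 if either output buffer is too small. */
int split_path(const char *path, char *dir, size_t dirlen, char *name, size_t namelen) {
    const char *sep = strrchr(path, '\\');
    const char *slash = strrchr(path, '/');
    if (slash && (!sep || slash > sep)) sep = slash;   /* whichever comes last */
    size_t dlen = sep ? (size_t)(sep - path) + 1 : 0;  /* keep the separator */
    const char *base = sep ? sep + 1 : path;
    if (dlen + 1 > dirlen || strlen(base) + 1 > namelen) return 0;
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    strcpy(name, base);
    return 1;
}

/* Stand-alone demo on the paths quoted in the thread (constructed input). */
int main(void) {
    const char *samples[] = { "C:\\Projects\\Test1\\src_file",
                              "c:/homefile_creator_source", "newly_created_file" };
    char dir[260], name[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (split_path(samples[i], dir, sizeof dir, name, sizeof name))
            printf("dir=\"%s\" name=\"%s\"\n", dir, name);
    return 0;
}
```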
 
ThievingSixCommented:
Hooking CreateFileA() and CreateFileW() in user mode in all processes would work.
0
 
systanAuthor Commented:
phoffric;
I don't know if you got it, but this detects an application .dll or .exe or even .sys that issues a command code copyfile or any other term that would create a physical file.

@ThievingSix;
I'll try to research that CreateFileW hook; it would be better if you have the code and can show some snippet.
0
 
systanAuthor Commented:
Ah, CreateFileW only gets the destination file? What about the source file?
0
 
systanAuthor Commented:
phoffric, codedK, and ThievingSix;
I think it's much better if this code runs in kernel mode using C; the problem is the source. If there is a source, maybe I can compile it with Visual C++ 6 into a brand new .sys, lol. I think that is really impossible for someone to show the code. Let's wait for a Delphi code instead.
0
 
CodedKCommented:
Hi Systan...

I was really gone from February ... Now I have a little time for myself again :)
Anyway.

1) Since it could be programmed in C you could set breakpoints at kernel calls... log the info and jump back.
2) You can hook CreateFile like ThievingSix said.

Problems: not every process will be hooked and most likely you'll get files that sometimes are not really created... Some functions in the kernel, widely used in many apps, call CreateFile with no creation taking place.
0
 
CodedKCommented:
C Source:

Hook CreateFileA, Ring3 under inline Hook  ->
http://www.hackchina.com/en/cont/73703
0
 
CodedK Commented:
Check this out in delphi :
http://blog.csdn.net/zhaoyu_me/archive/2007/02/22/1512812.aspx

You can use google translate to change the language from Chinese to English.

Hope this helps.
0
 
systanAuthor Commented:
If I'm going to use CreateFileW/A it would only get the destination file, which works like this;
How am I going to get the source file?

function MyCreateFileW(lpFileName: PWideChar; dwDesiredAccess,
  dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes;
  dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
var
  i: Integer;
  fName: String;
  Written: DWORD;
begin
  fName := WideCharToString(lpFileName);
  // the name is upper-cased here, so the pattern below must be upper-case too
  for i := 1 to Length(fName) do fName[i] := UpCase(fName[i]);
  if Pos('C:\TESTING\', fName) <> 0 then begin
    Result := INVALID_HANDLE_VALUE;
    SetLastError(ERROR_ACCESS_DENIED);
    Exit;
  end;
  // put the original bytes back, call the real API, then re-install the jump
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @OldMbw, SizeOf(far_jmp), Written);
  Result := TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @JmpMbw, SizeOf(far_jmp), Written);
end;

0
 
systanAuthor Commented:
This one also points to a destination file, but what about the source file? When the command code is:
copyfile( 'c:/homefile_creator_source',  'FILENAME.EXT', false);

function MyCreateFileW(
  lpFileName: PWideChar;
  dwDesiredAccess, dwShareMode: Integer;
  lpSecurityAttributes: PSecurityAttributes;
  dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
begin
  if 0 = lstrcmpiW(lpFileName, 'FILENAME.EXT') then
  begin
    ...
    ...
  end
  else
    Result :=
      TrueCreateFileW(
        lpFileName,
        dwDesiredAccess,
        dwShareMode,
        lpSecurityAttributes,
        dwCreationDisposition,
        dwFlagsAndAttributes,
        hTemplateFile);
end;

0
 
ThievingSixCommented:
Also, I want to point out that CopyFile() is not a function in Delphi or any programming language by default. It's also WinAPI. Might as well just hook CopyFileA() and CopyFileW() no? Also, don't forget about CopyFileExA() and CopyFileExW().
0
 
ThievingSixCommented:
Also, when doing user mode hooks I'd recommend either:

1) This PAQ of mine http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_23233896.html

2) MadCodeHook <-- Not free

3) afxCodeHook
0
 
systanAuthor Commented:
Thanks
0
Question has a verified solution.