
show/get the path+filename of the file creator and the newly created file

systan asked (627 views, last modified 2012-08-13):
Hi.
I'm a Delphi developer, but C is more powerful than Delphi, we know that.

I want to show/get the path+filename of the file creator and the newly created file.
A sample for this is:
copyfile(file_creator_source,  newly_created_file);
A sample code can be userland or kernel mode.
Please.

Certified Expert commented:
Could you give an example of what you want copyfile to do?
For example, what would this do:
     copyfile( "c:/homefile_creator_source",  "newly_created_file");

Author commented:
Hi.
CopyFile is a function in Delphi/C/C++Builder?
And I think Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile, Zw/NtFlushBuffersFile and Zw/NtQueryVolumeInformationFile have a part in doing that. But I don't really know how to begin with it.

copyfile( "homefile_creator_source",  "newly_created_file");

I would like to show a message box with their path+filename when there is a newly created file, including the homefile_creator_source.

The real purpose of this is just to know the source file path and the destination file path when someone creates a new file of any type.

If you can discuss this in userland or kernel mode, then I'm biting the steps forward to do it, but it would be wonderful if you can get a sample code for better, quicker learning.

Thanks for the quick reply.
Certified Expert commented:
Sorry, I'm not a delphi/C++builder guy, so I am not sure about your terminology.

On the other hand, if it's just a question of parsing a char * string such as "C:\Projects\Test1\src_file" into the following two strings:
     "C:\Projects\Test1\"
     "src_file"
then I can help you with that. (Then you can display the two strings.)
Certified Expert commented:
BTW - you are looking for a C solution, yes?
CodedK (Senior Software Engineer) commented:
Hi Systan.

Do you want to monitor file creation and get the source path and the destination path in a log file?
Do you want this in C?

Author commented:
phoffric;
What I meant is to detect when a file is newly created;
as you can see, when a command code is issued like that:
copyfile( "c:\windows\homefile_creator_source",  "d:\anydir_folder\newly_created_file");

my app (exe or dll) will detect that a new file is created, and hopefully I can get/show the path+filename of the source as well as the destination.

>>BTW - you are looking for a C solution, yes?
I'm not really looking for a C solution, I understand Delphi better.

I only posted with C as the primary zone because I have noticed that C zone experts have much knowledge in terms of this category of question.

But if anyone could post Delphi code, I'm sure to test it to see if it is really working.
And if I see the code in C/C++ I'll be glad to try and analyze it and convert it to the Delphi way of coding, and ask for help if it's hardly complicated.


hello codedK;
I was thinking that you're gone from E-E, because I always check who's active and not on the Delphi zone; I thought you were with hypo and twinsoft.


Anyway, I don't want to use directory/file creation watching, because it is specific to the drive/folder that you want to watch.

I am using Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile individually and that's why I did not have the chance to make it work.

Now I am doubtful of Zw/NtFlushBuffersFile and Zw/NtQueryVolumeInformationFile, which I have not tested because I am not capable of knowing which variables to use, like PInt64, ULONG and others that are new to my sight.


Thanks
ThievingSix (Developer) commented:
Hooking CreateFileA() and CreateFileW() in user mode in all processes would work.

Author commented:
phoffric;
I don't know if you got it, but this detects an application .dll or .exe or even .sys that issues a command code copyfile, or any other term that would create a physical file.

@ThievingSix;
I'll try to research that CreateFileW hook; it would be better if you have the code and show some snippet.

Author commented:
Ah, CreateFileW only gets the destination file? What about the source file?

Author commented:
phoffric, codedK, and ThievingSix;
I think it's much better if this code runs in kernel mode using C; the problem is the source. If there is a source, maybe I can compile it with Visual C++ 6 into a brand new .sys, lol. I think that it is really impossible for someone to show the code. Let's wait for Delphi code instead.
CodedK (Senior Software Engineer) commented:
Hi Systan...

I was really gone from February... Now I have a little time for myself again :)
Anyway.

1) Since it could be programmed in C, you could set breakpoints at kernel calls... log the info and jump back.
2) You can hook CreateFile like ThievingSix said.

Problems: not every process will be hooked, and most likely you'll get files that sometimes are not really created... Some functions in the kernel, widely used in many apps, call CreateFile with no creation taking place.
CodedK (Senior Software Engineer) commented:
C Source:

Hook CreateFileA, Ring3 under inline Hook  ->
http://www.hackchina.com/en/cont/73703

Author commented:
If I'm going to use CreateFileW/A it would only get the destination file, which works like this;
How am I going to get the source file?

    function MyCreateFileW(lpFileName: PWideChar; dwDesiredAccess,
      dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes;
      dwCreationDisposition, dwFlagsAndAttributes: DWORD;
      hTemplateFile: THandle): THandle; stdcall;
    var
      i: Integer;
      fName: String;
      Written: DWORD;
    begin
      fName := WideCharToString(lpFileName);
      // Upper-case the name so the comparison below is case-insensitive.
      for i := 1 to Length(fName) do fName[i] := UpCase(fName[i]);
      // The literal must be upper-case too, otherwise Pos() never matches
      // the upper-cased name and the check is dead code.
      if Pos('C:\TESTING\', fName) <> 0 then begin
        Result := INVALID_HANDLE_VALUE;
        SetLastError(ERROR_ACCESS_DENIED);
        Exit;
      end;
      // Restore the original bytes of CreateFileW, call the real function,
      // then re-install the jump. INVALID_HANDLE_VALUE (-1) is also the
      // pseudo-handle for the current process, so the write targets ourselves.
      WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @OldMbw, SizeOf(far_jmp), Written);
      Result := TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
        dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
      WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @JmpMbw, SizeOf(far_jmp), Written);
    end;
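As an added example that is not part of this thread (and not the author's, phoffric's, CodedK's or ThievingSix's code): the two string operations the discussion keeps coming back to, in C. It performs the directory/file-name split phoffric offered above for "C:\Projects\Test1\src_file", does the case-insensitive directory check that the MyCreateFileW body above attempts (uppercasing one side and comparing it to a lowercase literal never matches), and then formats the record a logging hook on CopyFileW would write for a (source, destination) pair, which is the information the question asks for. The function names split_path, path_has_prefix and format_copy_event, the watched-directory argument and the sample paths are assumptions; no hook is installed, it is plain string handling that builds anywhere.

```c
/* Added example, not code from the thread. Pure string handling: it does not
 * install any hook; it shows what a logging hook on CopyFileW(source, dest)
 * would do with the two path strings it receives. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Split "C:\Projects\Test1\src_file" into "C:\Projects\Test1\" and "src_file".
 * Both '\' and '/' count as separators; the directory part keeps its trailing
 * separator, a bare file name yields an empty directory, and a path ending in
 * a separator yields an empty name. Returns 0, or -1 if a buffer is too small. */
int split_path(const char *path, char *dir, size_t dir_len,
               char *name, size_t name_len)
{
    const char *p, *last = NULL;
    size_t dlen;

    for (p = path; *p != '\0'; p++)
        if (*p == '\\' || *p == '/')
            last = p;

    dlen = (last == NULL) ? 0 : (size_t)(last - path) + 1;
    if (dlen >= dir_len || strlen(path + dlen) >= name_len)
        return -1;

    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    strcpy(name, path + dlen);
    return 0;
}

/* Case-insensitive, separator-insensitive prefix test: both sides go through
 * toupper(), so "c:/testing/" and "C:\TESTING\" compare equal. Returns 1 when
 * path starts with prefix, else 0 (a path shorter than the prefix fails at
 * its terminating NUL, so no out-of-bounds read). */
int path_has_prefix(const char *path, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        unsigned char a = (unsigned char)path[i];
        unsigned char b = (unsigned char)prefix[i];
        if (a == '/') a = '\\';
        if (b == '/') b = '\\';
        if (toupper(a) != toupper(b))
            return 0;
    }
    return 1;
}

/* Build the one-line record a logging hook on CopyFileW would emit: directory
 * and file name of the source and of the newly created file, plus whether the
 * destination lies under the watched directory (an assumed parameter).
 * Returns the number of characters written, or -1 on error. */
int format_copy_event(const char *src, const char *dst, const char *watched,
                      char *out, size_t out_len)
{
    char sdir[260], sname[260], ddir[260], dname[260];
    int n;

    if (split_path(src, sdir, sizeof sdir, sname, sizeof sname) != 0 ||
        split_path(dst, ddir, sizeof ddir, dname, sizeof dname) != 0)
        return -1;

    n = snprintf(out, out_len,
                 "COPY src_dir=\"%s\" src_name=\"%s\" dst_dir=\"%s\" dst_name=\"%s\" watched=%s",
                 sdir, sname, ddir, dname,
                 path_has_prefix(dst, watched) ? "yes" : "no");
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

int main(void)
{
    /* Constructed sample pair, the same shape as the copyfile call in the question. */
    char line[1024];
    if (format_copy_event("c:\\windows\\homefile_creator_source",
                          "d:\\anydir_folder\\newly_created_file",
                          "D:\\ANYDIR_FOLDER\\", line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Note that path_has_prefix anchors the match at the start of the path, whereas the Delphi hook's Pos() accepts the watched directory anywhere inside the name; the prefix form is the one you want for "is this file under directory X".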

Author commented:
This one also points to a destination file, but what about the source file? When the command code is:
 copyfile( 'c:/homefile_creator_source',  'FILENAME.EXT', false);

    function MyCreateFileW(
      lpFileName: PWideChar;
      dwDesiredAccess, dwShareMode: DWORD;   // DWORD, as in the CreateFileW prototype
      lpSecurityAttributes: PSecurityAttributes;
      dwCreationDisposition, dwFlagsAndAttributes: DWORD;
      hTemplateFile: THandle): THandle; stdcall;
    begin
      // Case-insensitive compare of the name being created against the target.
      if 0 = lstrcmpiW(lpFileName, 'FILENAME.EXT') then
      begin
        ...
        ...
      end
      else
        // Not the file of interest: pass the call through to the real CreateFileW.
        Result :=
          TrueCreateFileW(
            lpFileName,
            dwDesiredAccess,
            dwShareMode,
            lpSecurityAttributes,
            dwCreationDisposition,
            dwFlagsAndAttributes,
            hTemplateFile);
    end;

ThievingSix (Developer) commented:
Also, I want to point out that CopyFile() is not a function in Delphi or any programming language by default. It's also WinAPI. Might as well just hook CopyFileA() and CopyFileW() no? Also, don't forget about CopyFileExA() and CopyFileExW().
ThievingSix (Developer) commented:
Also, when doing user mode hooks I'd recommend either:

1) This PAQ of mine https://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_23233896.html

2) MadCodeHook <-- Not free

3) afxCodeHook

Author commented:
Thanks