Solved

show/get the path+filename of the file creator and the newly created file

Posted on 2010-09-15
20
611 Views
Last Modified: 2012-08-13
Hi,
I'm a Delphi developer, but C is more powerful than Delphi, we know that.

I want to show/get the path+filename of the file creator and the newly created file.
A sample for this is:
copyfile(file_creator_source,  newly_created_file);
A sample code can be userland or kernel mode.
Please
0
Question by:systan
20 Comments
 
LVL 32

Expert Comment

by:phoffric
ID: 33687911
Could you give an example of what you want copyfile to do?
For example, what would this do:
     copyfile( "c:/homefile_creator_source",  "newly_created_file");
0
 
LVL 14

Author Comment

by:systan
ID: 33688257
Hi,
copyfile is a function in Delphi/C/C++Builder?
And I think Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile, Zw/NtFlushBufferFile, Zw/NtQueryVolumeInformationFile have a part in doing that. But I don't really know how to begin with it.

copyfile( "homefile_creator_source",  "newly_created_file");

I would like to show a message box with their path+filename when there is a newly created file, including the homefile_creator_source.

The real purpose of this is just to know the source file path and the destination file path when someone creates a new file of any type.

If you can discuss this in userland or kernel mode, then I'm biting the steps forward to do it, but it would be wonderful if you could give sample code for better, quicker learning.

Thanks for the quick reply.
0
 
LVL 32

Expert Comment

by:phoffric
ID: 33688281
Sorry, I'm not a delphi/C++builder guy, so I am not sure about your terminology.

On the other hand, if it's just a question of parsing a char * string such as "C:\Projects\Test1\src_file" into the following two strings:
     "C:\Projects\Test1\"
     "src_file"
then I can help you with that. (Then you can display the two strings.)
0

 
LVL 32

Expert Comment

by:phoffric
ID: 33688293
BTW - you are looking for a C solution, yes?
0
 
LVL 16

Expert Comment

by:CodedK
ID: 33688478
Hi Systan.

Do you want to monitor file creation and get the source path and the destination path in a log file?
Do you want this in C?
0
 
LVL 14

Author Comment

by:systan
ID: 33688586
phoffric;
What I meant is to detect when a new file is created;
as you can see, when a command code like that is issued:
copyfile( "c:\windows\homefile_creator_source",  "d:\anydir_folder\newly_created_file");

my app (exe or dll) will detect that a new file is created, and hopefully I can get/show the path+filename of the source as well as the destination.

>>BTW - you are looking for a C solution, yes?
I'm not really looking for a C solution, I understand Delphi better.

I only posted it as the primary zone, because I have noticed that C zone experts have much knowledge in terms of this category of question.

But if anyone could post Delphi code, I'm sure to test it to see if it is really working.
And if I see the code in C/C++ I'll be glad to try and analyze it, convert it to the Delphi way of coding, and ask for help if it's really complicated.


Hello CodedK;
I was thinking that you were gone from E-E, because I always check who's active and not on the Delphi zone; I thought you were with hypo and twinsoft.


Anyway, I don't want to use directory/file creation watching, because it is specific to the drive/folder that you want to watch.

I am using Zw/NtCreateFile, Zw/NtWriteFile, Zw/NtOpenFile individually and that's why I did not have the chance to make it work.

Now I am doubtful of Zw/NtFlushBufferFile and Zw/NtQueryVolumeInformationFile, which I have not tested because I am not capable of knowing which variables to use, like pint64, ulong and others that are new to my sight.


Thanks
0
 
LVL 32

Assisted Solution

by:phoffric
phoffric earned 50 total points
ID: 33688695
I will defer to a c/delphi programmer for extended discussion.

If this were C, I'd use the strrchr() function to search from the end of the string to the left to find the first occurrence of '\' (assuming a Windows path). Here is a link explaining strrchr():
      http://www.cplusplus.com/reference/clibrary/cstring/strrchr/
0
 
LVL 13

Expert Comment

by:ThievingSix
ID: 33688732
Hooking CreateFileA() and CreateFileW() in user mode in all processes would work.
0
 
LVL 14

Author Comment

by:systan
ID: 33689059
phoffric;
I don't know if you got it, but this detects an application .dll or .exe or even .sys that issues a command code copyfile or any other terms that would create a physical file.

@ThievingSix;
I'll try to research that CreateFileW hook; it would be better if you have the code and show some snippet.
0
 
LVL 14

Author Comment

by:systan
ID: 33689128
Ah, CreateFileW only gets the destination file? What about the source file?
0
 
LVL 14

Author Comment

by:systan
ID: 33689218
phoffric , codedK, and ThievingSix;
I think it's much better if this code runs in kernel mode using C; the problem is the source. If there is a source, maybe I can compile it with Visual C++ 6 into a brand new .sys, lol. I think that is really impossible for someone to show the code. Let's wait for Delphi code instead.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 33689288
Hi Systan...

I was really gone from February ... Now I have a little time for myself again :)
Anyway.

1) Since it could be programmed in C you could set breakpoints at kernel calls... log the info and jump back.
2) You can hook CreateFile like ThievingSix said.

Problems: not every process will be hooked, and most likely you'll get files that sometimes are not really created... Some functions in the kernel, widely used in many apps, call CreateFile with no creation taking place.
0
 
LVL 16

Expert Comment

by:CodedK
ID: 33689337
C Source:

Hook CreateFileA, Ring3 under inline Hook  ->
http://www.hackchina.com/en/cont/73703
0
 
LVL 16

Assisted Solution

by:CodedK
CodedK earned 100 total points
ID: 33689498
Check this out in Delphi:
http://blog.csdn.net/zhaoyu_me/archive/2007/02/22/1512812.aspx

You can use Google Translate to change the language from Chinese to English.

Hope this helps.
0
 
LVL 14

Author Comment

by:systan
ID: 33689565
If I'm going to use CreateFileW/A it would only get the destination file, which works like this;
How am I going to get the source file?
function MyCreateFileW(lpFileName: PWideChar; dwDesiredAccess,
  dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes;
  dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
var
  i: Integer;
  fName: String;
  Written: DWORD;
begin
  { Upper-case the requested path so the check below is case-insensitive }
  fName := WideCharToString(lpFileName);
  for i := 1 to Length(fName) do fName[i] := UpCase(fName[i]);
  { fName is upper-case now, so the literal must be upper-case too or Pos never matches }
  if Pos('C:\TESTING\', fName) <> 0 then begin
    Result := INVALID_HANDLE_VALUE;
    SetLastError(ERROR_ACCESS_DENIED);
    Exit;
  end;
  { Restore the original bytes, call the real API, then re-install the jump.
    INVALID_HANDLE_VALUE (-1) has the same value as the current-process pseudo-handle. }
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @OldMbw, SizeOf(far_jmp), Written);
  Result := TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @JmpMbw, SizeOf(far_jmp), Written);
end;
       


0
 
LVL 14

Author Comment

by:systan
ID: 33689607
This one also points to a destination file, but what about the source file, when the command code is:
 copyfile('c:/homefile_creator_source', 'FILENAME.EXT', false);
 function MyCreateFileW(
   lpFileName: PWideChar;
   dwDesiredAccess, dwShareMode: Integer;
   lpSecurityAttributes: PSecurityAttributes;
   dwCreationDisposition, dwFlagsAndAttributes: DWORD;
   hTemplateFile: THandle): THandle; stdcall;
 begin
   if 0 = lstrcmpiW(lpFileName, 'FILENAME.EXT') then
   begin
     ...
     ...
   end
   else
     Result :=
       TrueCreateFileW(
         lpFileName,
         dwDesiredAccess,
         dwShareMode,
         lpSecurityAttributes,
         dwCreationDisposition,
         dwFlagsAndAttributes,
         hTemplateFile);
 end;


0
 
LVL 13

Accepted Solution

by:ThievingSix
ThievingSix earned 350 total points
ID: 33689617
You would get both the source and destination with CreateFileX(), since CreateFileX() is for both opening/reading/writing as well as creating. The problem is you would have no way to differentiate between which is the source and which is the destination.

I see two options:

1) You hook the SHFileOperation() API and check for Struct.wFunc = FO_COPY. This is the way Windows copies files (NT at least). The only issue is programs that do not use the Windows default file copy. This function will call CreateFile() --> NtCreateFile() --> ZwCreateFile().

2) You hook CreateFileX() and CloseHandle(). When an application opens a file, and creates another, you record the two handles returned by CreateFileX(). When the application calls CloseHandle() on both those handles (or even the one regarding the created file) you compare the two files and hash them. If the hashes are the same you can assume that the program just copied them. This is a more complete solution than 1 but it's more complex. If you implement this in kernel mode Zw* it would be even more complete.

Just a refresher. Nt* = user mode, Zw = kernel mode. Don't hook one in the other.
0
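Option 2 above, pairing the file a process opened with the file it created and confirming the copy by hash when the created file is closed, as an added example that is not from the thread or any of its posters. Instead of real hooks it runs the pairing logic over a constructed trace of what CreateFileW/CloseHandle hooks would report, with an in-memory dictionary standing in for the files on disk; DISK, TRACE and detect_copies are assumed names.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the disk (path -> bytes); a real hook would read the files.
DISK = {
    r"c:\windows\homefile_creator_source": b"contents of the original file",
    r"d:\anydir_folder\newly_created_file": b"contents of the original file",
    r"c:\other\config.ini": b"[settings]\nx=1\n",
    r"d:\anydir_folder\unrelated.log": b"log line\n",
}
# WinAPI dwCreationDisposition values; the first two mean a new file is being created.
CREATE_NEW, CREATE_ALWAYS, OPEN_EXISTING = 1, 2, 3
CREATING = {CREATE_NEW, CREATE_ALWAYS}
# Constructed trace of what CreateFileW/CloseHandle hooks would report:
# (pid, "CreateFileW", path, disposition, handle) or (pid, "CloseHandle", handle).
TRACE = [
    (1234, "CreateFileW", r"c:\windows\homefile_creator_source", OPEN_EXISTING, 0x10),
    (1234, "CreateFileW", r"d:\anydir_folder\newly_created_file", CREATE_ALWAYS, 0x14),
    (1234, "CreateFileW", r"c:\other\config.ini", OPEN_EXISTING, 0x18),
    (1234, "CloseHandle", 0x14),
    (5678, "CreateFileW", r"d:\anydir_folder\unrelated.log", CREATE_NEW, 0x20),
    (5678, "CloseHandle", 0x20),
]

def sha256_of(path):
    return hashlib.sha256(DISK.get(path, b"")).hexdigest()

def detect_copies(trace):
    """Return (pid, source, destination) for each created file whose final contents
    match a file the same process opened without creating it."""
    open_handles = defaultdict(dict)  # pid -> handle -> (path, was_created)
    read_paths = defaultdict(set)     # pid -> paths opened as existing files
    copies = []
    for pid, api, *args in trace:
        if api == "CreateFileW":
            path, disposition, handle = args
            created = disposition in CREATING
            open_handles[pid][handle] = (path, created)
            if not created:
                read_paths[pid].add(path)  # kept after close: the source may close first
        elif api == "CloseHandle":
            entry = open_handles[pid].pop(args[0], None)
            if entry is None or not entry[1] or not DISK.get(entry[0]):
                continue  # unknown handle, not created here, or empty (empty files all hash alike)
            dest = entry[0]
            dest_hash = sha256_of(dest)  # destination is complete once it is being closed
            for src in sorted(read_paths[pid]):
                if src != dest and sha256_of(src) == dest_hash:
                    copies.append((pid, src, dest))
    return copies
```

As CodedK notes, a CreateFile call does not always mean a file was written, so only the hash match at close time, not the create call itself, is treated as evidence of a copy.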
 
LVL 13

Expert Comment

by:ThievingSix
ID: 33689626
Also, I want to point out that CopyFile() is not a function in Delphi or any programming language by default. It's also WinAPI. Might as well just hook CopyFileA() and CopyFileW() no? Also, don't forget about CopyFileExA() and CopyFileExW().
0
 
LVL 13

Expert Comment

by:ThievingSix
ID: 33689669
Also, when doing user mode hooks I'd recommend either:

1) This PAQ of mine http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_23233896.html

2) MadCodeHook <-- Not free

3) afxCodeHook
0
 
LVL 14

Author Closing Comment

by:systan
ID: 33689832
Thanks
0
