Solved

show/get the path+filename of the file creator and the newly created file

Posted on 2010-09-15
20
606 Views
Last Modified: 2012-08-13
Hi,
I'm a Delphi developer, but C is more powerful than Delphi, we know that.

I want to show/get the path+filename of the file creator and the newly created file.
A sample for this is:
copyfile(file_creator_source,  newly_created_file);
The sample code can be userland or kernelmode.
Please.
0
Question by:systan
20 Comments
 
LVL 32

Expert Comment

by:phoffric
Could you give an example of what you want copyfile to do?
For example, what would this do:
     copyfile( "c:/homefile_creator_source",  "newly_created_file");
0
 
LVL 14

Author Comment

by:systan
Hi,
CopyFile is a function in Delphi/C/C++Builder?
And I think zW/NtCreateFile, zW/NtWriteFile, zW/NtOpenFile, zW/NtFlushBufferFile and zWNtQueryVolumeInformationFile have a part in doing that. But I don't really know how to begin with it.

copyfile( "homefile_creator_source",  "newly_created_file");

I would like to show a message box with their path+filename when there is a newly created file, including the homefile_creator_source.

The real purpose of this is just to know the source file path and the destination file path when someone creates a new file of any type.

If you can discuss this in userland or kernelmode, then I'm biting the steps forward to do it, but it would be wonderful if you could give sample code for better, quicker learning.

Thanks for the quick reply.
0
 
LVL 32

Expert Comment

by:phoffric
Sorry, I'm not a delphi/C++builder guy, so I am not sure about your terminology.

On the other hand, if it's just a question of parsing a char * string such as "C:\Projects\Test1\src_file" into the following two strings:
     "C:\Projects\Test1\"
     "src_file"
then I can help you with that. (Then you can display the two strings.)
0
 
LVL 32

Expert Comment

by:phoffric
BTW - you are looking for a C solution, yes?
0
 
LVL 16

Expert Comment

by:CodedK
Hi Systan.

Do you want to monitor file creation and get the source path and the destination path in a log file?
Do you want this in C?
0
 
LVL 14

Author Comment

by:systan
phoffric;
What I meant is to detect when a file is newly created;
as you can see, when a command like this is issued:
copyfile( "c:\windows\homefile_creator_source",  "d:\anydir_folder\newly_created_file");

my app (exe or dll) will detect that a new file is created, and hopefully I can get/show the path+filename of the source as well as the destination.

>>BTW - you are looking for a C solution, yes?
I'm not really looking for a C solution; I understand Delphi better.

I only posted with this as the primary zone because I have noticed that C zone experts have much knowledge in this category of question.

But if anyone could post Delphi code, I'm sure to test whether it is really working.
And if I see the code in C/C++ I'll be glad to try to analyze it and convert it to the Delphi way of coding, and ask for help if it's too complicated.


Hello CodedK;
I was thinking that you were gone from E-E, because I always check who's active and not on the Delphi zone; I thought you were with hypo and twinsoft.


Anyway, I don't want to use directory/file watch creation, because it is specific to the drive/folder that you want to watch.

I am using zW/NtCreateFile, zW/NtWriteFile, zW/NtOpenFile individually, and that's why I did not have the chance to make it work.

Now I am doubtful of zW/NtFlushBufferFile and zWNtQueryVolumeInformationFile, which I have not tested because I am not capable of knowing which variables to use, like pint64, ulong and others that are new to my sight.


Thanks
0
 
LVL 32

Assisted Solution

by:phoffric
phoffric earned 50 total points
I will defer to a c/delphi programmer for extended discussion.

If this were C, I'd use the strrchr() function to search from the end of the string to the left to find the first occurrence of '\' (assuming a Windows path). Here is a link explaining strrchr():
      http://www.cplusplus.com/reference/clibrary/cstring/strrchr/
0
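The directory/file-name split that phoffric describes above, written out as an added C example (this is not code from the thread or from phoffric). It uses strrchr() to find the last separator, keeps the trailing backslash on the directory part exactly as in the post, and goes slightly beyond the post by also accepting forward slashes and handling a bare file name with no separator at all; the buffer sizes and the dir_of()/file_of() wrapper names are my own choice.

```c
#include <stdio.h>
#include <string.h>

/* Split "C:\Projects\Test1\src_file" into "C:\Projects\Test1\" and "src_file"
 * by locating the last separator with strrchr(). Forward slashes are accepted
 * too (added generalisation). Returns 1 when a separator was found, 0 when the
 * input is a bare file name (dir becomes ""), -1 on a zero-sized buffer. */
int split_path(const char *path, char *dir, size_t dir_len,
               char *file, size_t file_len)
{
    if (dir_len == 0 || file_len == 0)
        return -1;

    const char *sep = strrchr(path, '\\');
    const char *alt = strrchr(path, '/');
    if (alt && (!sep || alt > sep))
        sep = alt;                        /* whichever separator comes last */

    if (!sep) {
        dir[0] = '\0';
        snprintf(file, file_len, "%s", path);
        return 0;
    }
    size_t n = (size_t)(sep - path) + 1;  /* directory keeps its trailing separator */
    if (n >= dir_len) n = dir_len - 1;    /* truncate rather than overflow */
    memcpy(dir, path, n);
    dir[n] = '\0';
    snprintf(file, file_len, "%s", sep + 1);
    return 1;
}

/* Convenience wrappers returning static buffers, handy for a quick message box
 * or printf(); not thread safe. */
const char *dir_of(const char *path)
{
    static char dir[260], file[260];
    split_path(path, dir, sizeof dir, file, sizeof file);
    return dir;
}

const char *file_of(const char *path)
{
    static char dir[260], file[260];
    split_path(path, dir, sizeof dir, file, sizeof file);
    return file;
}

int main(void)
{
    const char *p = "C:\\Projects\\Test1\\src_file";   /* constructed sample path */
    printf("dir : %s\nfile: %s\n", dir_of(p), file_of(p));
    return 0;
}
```

Note that the wrappers share one pair of static buffers each, so copy the result before calling them again if you need both halves of two different paths at once.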
 
LVL 13

Expert Comment

by:ThievingSix
Hooking CreateFileA() and CreateFileW() in user mode in all process would work.
0
 
LVL 14

Author Comment

by:systan
phoffric;
I don't know if you got it, but this detects an application .dll or .exe or even .sys that issues a command code copyfile or any other term that would create a physical file.

@ThievingSix;
I'll try to research that CreateFileW hook; it would be better if you have the code and could show a snippet.
0
 
LVL 14

Author Comment

by:systan
Ah, CreateFileW only gets the destination file? What about the source file?
0
 
LVL 14

Author Comment

by:systan
phoffric, CodedK, and ThievingSix;
I think it's much better if this code runs in kernelmode using C; the problem is the source. If there is a source, maybe I can compile it with Visual C++ 6 into a brand new .sys. lol, I think that is really impossible for someone to show the code. Let's wait for Delphi code instead.
0
 
LVL 16

Expert Comment

by:CodedK
Hi Systan...

I was really gone from February ... Now I have a little time for myself again :)
Anyway.

1) Since it could be programmed in C, you could set breakpoints at kernel calls, log the info and jump back.
2) You can hook CreateFile like ThievingSix said.

Problems: not every process will be hooked, and most likely you'll get files that sometimes are not really created... Some functions in the kernel, widely used in many apps, call CreateFile with no creation taking place.
0
 
LVL 16

Expert Comment

by:CodedK
C Source:

Hook CreateFileA, Ring3 under inline Hook  ->
http://www.hackchina.com/en/cont/73703
0
 
LVL 16

Assisted Solution

by:CodedK
CodedK earned 100 total points
Check this out in delphi :
http://blog.csdn.net/zhaoyu_me/archive/2007/02/22/1512812.aspx

You can use google translate to change the language from Chinese to English.

Hope this helps.
0
 
LVL 14

Author Comment

by:systan
If I'm going to use CreateFileW/A it would only get the destination file, which works like this;
how am I going to get the source file?

function MyCreateFileW(lpFileName: PWideChar; dwDesiredAccess,
  dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes;
  dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
var
  i: Integer;
  fName: String;
  Written: DWORD;
begin
  fName := WideCharToString(lpFileName);
  // Upper-case the name, so the comparison below has to use an upper-case pattern too
  for i := 1 to Length(fName) do fName[i] := UpCase(fName[i]);
  if Pos('C:\TESTING\', fName) <> 0 then begin
    Result := INVALID_HANDLE_VALUE;
    SetLastError(ERROR_ACCESS_DENIED);
    Exit;
  end;
  // Restore the original bytes, call through, then re-apply the jump
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @OldMbw, SizeOf(far_jmp), Written);
  Result := TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
  WriteProcessMemory(INVALID_HANDLE_VALUE, @TrueCreateFileW, @JmpMbw, SizeOf(far_jmp), Written);
end;

0
 
LVL 14

Author Comment

by:systan
This one also points to a destination file, but what about the source file? When the command code is:
copyfile( 'c:/homefile_creator_source',  'FILENAME.EXT', false);

function MyCreateFileW(
  lpFileName: PWideChar;
  dwDesiredAccess, dwShareMode: Integer;
  lpSecurityAttributes: PSecurityAttributes;
  dwCreationDisposition, dwFlagsAndAttributes: DWORD;
  hTemplateFile: THandle): THandle; stdcall;
begin
  if 0 = lstrcmpiW(lpFileName, 'FILENAME.EXT') then
  begin
    ...
    ...
  end
  else
    Result :=
      TrueCreateFileW(
        lpFileName,
        dwDesiredAccess,
        dwShareMode,
        lpSecurityAttributes,
        dwCreationDisposition,
        dwFlagsAndAttributes,
        hTemplateFile);
end;

0
 
LVL 13

Accepted Solution

by:ThievingSix
ThievingSix earned 350 total points
You would get both the source and destination with CreateFileX(). Since CreateFileX() is for both opening/reading/writing as well as creating. The problem is you would have no way to differentiate between which is the source and which is the destination.

I see two options:

1) You hook the ShFileOperation() API and check for Struct.wFunc = FO_COPY. This is the way windows copies files (NT at least). The only issue is programs that do not use windows default file copy. This function will call CreateFile() --> NtCreateFile() --> ZwCreateFile().

2) You hook CreateFileX() and CloseHandle(). When an application opens a file, and creates another you record the two handles returned by CreateFileX(). When the application calls CloseHandle() on both those handles (or even the one regarding the created file) you compare the two files and hash them. If the hashes are the same you can assume that the program just copied them. This is a more complete solution than 1 but it's more complete. If you implement this in kernel mode Zw* it would be even more complete.

Just a refresher. Nt* = user mode, Zw = kernel mode. Don't hook one in the other.
0
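Option 2 of the accepted solution, the "record the handles, hash the contents when they are closed" heuristic, as an added C example that is not code from the thread or from ThievingSix. No hook is installed here: the events a CreateFileW()/CloseHandle() monitor would log are replayed from a constructed in-memory trace, and FNV-1a stands in for the hashing step (a real monitor would use SHA-256). The event layout, the handle numbers and the file contents are all my own assumptions; the paths are the ones from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 16

typedef enum { EV_OPEN_READ, EV_CREATE, EV_CLOSE } EventKind;

/* One record a CreateFileW()/CloseHandle() monitor would log. 'data' stands in
 * for the bytes the monitor would hash when the handle is closed. */
typedef struct {
    EventKind   kind;
    int         handle;
    const char *path;   /* NULL for EV_CLOSE */
    const char *data;   /* constructed file content; NULL for EV_CLOSE */
} Event;

typedef struct {
    int         handle;
    const char *path;
    uint64_t    hash;
    size_t      len;
    int         created;  /* 1 = opened with a creation disposition, 0 = opened for reading */
    int         in_use;
} Tracked;

/* FNV-1a 64-bit, a stand-in for a real digest (not collision resistant). */
static uint64_t fnv1a(const char *s, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Replay a trace and report copies: a created file whose content hash at
 * CloseHandle() time equals that of a file the same process opened for reading.
 * Returns the number of copies found; the last "src -> dst" pair goes to out. */
int detect_copies(const Event *ev, size_t n, char *out, size_t out_len)
{
    Tracked t[MAX_TRACKED] = {0};
    int found = 0;
    if (out_len) out[0] = '\0';

    for (size_t i = 0; i < n; i++) {
        const Event *e = &ev[i];
        if (e->kind == EV_CLOSE) {
            /* Only the close of a created file triggers a comparison. Read-side
             * records stay tracked past their own close, so close order is irrelevant. */
            for (int j = 0; j < MAX_TRACKED; j++) {
                if (!t[j].in_use || t[j].handle != e->handle || !t[j].created) continue;
                if (t[j].len > 0) {                 /* empty files trivially collide */
                    for (int k = 0; k < MAX_TRACKED; k++) {
                        if (!t[k].in_use || t[k].created ||
                            t[k].len != t[j].len || t[k].hash != t[j].hash) continue;
                        snprintf(out, out_len, "%s -> %s", t[k].path, t[j].path);
                        found++;
                        t[k].in_use = 0;            /* source consumed by this match */
                        break;
                    }
                }
                t[j].in_use = 0;
                break;
            }
            continue;
        }
        /* EV_OPEN_READ or EV_CREATE: start tracking this handle. */
        for (int j = 0; j < MAX_TRACKED; j++) {
            if (t[j].in_use) continue;
            t[j].handle  = e->handle;
            t[j].path    = e->path;
            t[j].len     = strlen(e->data);
            t[j].hash    = fnv1a(e->data, t[j].len);
            t[j].created = (e->kind == EV_CREATE);
            t[j].in_use  = 1;
            break;
        }
    }
    return found;
}

/* Constructed trace for the copyfile() call discussed in the thread. */
static const Event SAMPLE[] = {
    { EV_OPEN_READ, 7,  "c:\\windows\\homefile_creator_source", "hello, world" },
    { EV_CREATE,    8,  "d:\\anydir_folder\\newly_created_file", "hello, world" },
    { EV_OPEN_READ, 9,  "c:\\other\\settings.ini",               "key=value" },
    { EV_CREATE,    10, "c:\\other\\notes.txt",                  "unrelated" },
    { EV_CLOSE,     8,  NULL, NULL },   /* copy completes: content matches handle 7 */
    { EV_CLOSE,     7,  NULL, NULL },
    { EV_CLOSE,     10, NULL, NULL },   /* no read-side twin: not a copy */
    { EV_CLOSE,     9,  NULL, NULL },
};

static char last_copy[512];

int sample_copy_count(void)
{
    return detect_copies(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], last_copy, sizeof last_copy);
}

const char *sample_last_copy(void)
{
    sample_copy_count();
    return last_copy;
}

int main(void)
{
    printf("copies detected: %d\n%s\n", sample_copy_count(), last_copy);
    return 0;
}
```

The caveats from the surrounding posts carry over: a program that rewrites the data while copying (compression, encoding) defeats the hash comparison, identical content written from scratch looks like a copy, and any process that is not monitored is invisible to it.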
 
LVL 13

Expert Comment

by:ThievingSix
Also, I want to point out that CopyFile() is not a function in Delphi or any programming language by default. It's also WinAPI. Might as well just hook CopyFileA() and CopyFileW() no? Also, don't forget about CopyFileExA() and CopyFileExW().
0
 
LVL 13

Expert Comment

by:ThievingSix
Also, when doing user mode hooks I'd recommend either:

1) This PAQ of mine http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_23233896.html

2) MadCodeHook <-- Not free

3) afxCodeHook
0
 
LVL 14

Author Closing Comment

by:systan
Thanks
0