Hi All,
I am new to this system-wide hooking. I am using MSVC 6.
I want to monitor file access/changes to text files (.txt). For that I need to hook CreateFile(A/W), ReadFile(A/W), WriteFile(A/W), CloseHandle(A/W)... Am I right?
Are there any other APIs I need to hook?
If I am hooking this many APIs, will it affect the machine's performance a lot?
I have downloaded MCHDemos.zip from this site... But I don't have the .h & .dll files... Where can I get those files?
Any other suggestion will be greatly appreciated.
Thanks in advance.
Looking forward to this group.
Bye
Jetli
Want to Monitor File Activity..
Re: Want to Monitor File Activity..
Jetli wrote:
> I want to monitor file access/changes to text files (.txt). For that I need to hook CreateFile(A/W), ReadFile(A/W), WriteFile(A/W), CloseHandle(A/W)... Am I right?

There's no ReadFileA/W, there's just a ReadFile. Same with WriteFile and CloseHandle.

Jetli wrote:
> Are there any other APIs I need to hook?

There are some more file-related APIs, e.g. ReadFileEx. Also it's possible to access files by using CreateFileMapping and MapViewOfFile. Perhaps the best solution would be to hook the native function when running in the NT family (e.g. NtCreateFile). CreateFile ends up in NtCreateFile.

Jetli wrote:
> If I am hooking this many APIs, will it affect the machine's performance a lot?

That depends very much on your code. When the code in your hook callback function is clean and fast (and doesn't block threads), then you shouldn't notice any performance loss. But if you do weird or time-consuming things, performance will go down. It's also no problem to crash the whole OS when your code is doing things wrong.

Generally, when you want to hook all the file-related APIs, you might want to think about using a little device driver instead of hooking APIs at application level. But that's up to you, of course...

Jetli wrote:
> I have downloaded MCHDemos.zip from this site... But I don't have the .h & .dll files... Where can I get those files?

http://madshi.net/madCollection.exe
RE: Want to monitor file changes
Hi Madshi,
First of all, thank you very much for the great reply.
Thanks..
I have downloaded madCollection.exe from your site and found the .dll & .h files, and also compiled the sample programs.
I have made a program to hook CreateFileA & CreateFileW & ReadFile.
It works fine.
But CreateFile is called too many times, for all types of files. It is opened for \\.\pipe\@#$ and for .lnk files... So my question is, how can I find which file is mine? I mean, if I open Help.txt/help.doc, then CreateFileW is called at least 50 times with unopened files... It contains help.txt/.doc also; the rest of the files are device file pipes, shortcut files...
HOW CAN I DIFFERENTIATE my file, say .doc/.txt?
I have tried to use other creation options in the API & file handles, but could not find a proper solution.
And also I am not clear about the ReadFile API: when is it called to read file content?
You have told me to write a little driver. For that I guess I need to have the DDK. In that case also, will the above CreateFileW problem happen?
Any solutions...
Thanks Again
Jetli
If you hook CreateFileA/W you have to live with the fact that it gets called for more than just simple files. You can filter out devices by checking the filename. If it begins with "\\.\", then it's a device, not a file.
Not sure what you want to know about ReadFile. It's called after CreateFileA/W was called, of course.
About drivers: I think you wouldn't get devices there, not sure though. And yes, you need the DDK.
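The filter madshi describes (treat anything starting with "\\.\" as a device, then look at the extension of what is left) is small enough to show in full. The following is an added example, not madCodeHook code and not anything from the thread's authors; it does no hooking itself but is the decision logic a CreateFileA/W or NtCreateFile callback would run on the incoming name before deciding whether to log the open. Assumptions: the watched extensions are .txt and .doc (Jetli's case); besides the Win32 "\\.\" form it also strips the extended-length "\\?\" prefix and the native "\??\" prefix that an NtCreateFile hook sees (the Win32 layer rewrites "C:\x.txt" to "\??\C:\x.txt"), and in that namespace it treats anything that is neither a drive-letter path nor "UNC\..." as a device object such as "\??\pipe\...". That last rule is an approximation that fits the names reported above, not a complete model of the object manager namespace. Sample names in main() are constructed for the demo.

```c
/* classify_path(): the name filter a CreateFileA/W (or NtCreateFile) hook
 * callback can apply to decide whether an open is worth logging.
 * Added example; not madCodeHook code.  Pure decision logic, no hooking,
 * so it builds and runs with any C99 compiler. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef enum {
    PATH_DEVICE,       /* \\.\pipe\..., \\.\COM1, \??\pipe\...: not a file at all */
    PATH_OTHER_FILE,   /* a real file, but not a watched type (.lnk, .dll, ...) */
    PATH_TARGET_FILE   /* a file whose extension is in WATCHED_EXTS */
} path_kind;

/* Extensions to watch (assumption taken from the thread: .txt and .doc). */
static const wchar_t *const WATCHED_EXTS[] = { L".txt", L".doc" };
#define N_WATCHED (sizeof WATCHED_EXTS / sizeof WATCHED_EXTS[0])

static bool has_prefix(const wchar_t *s, const wchar_t *prefix)
{
    return wcsncmp(s, prefix, wcslen(prefix)) == 0;
}

/* Case-insensitive whole-string compare; NTFS names are case-insensitive. */
static bool equal_nocase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; a++, b++)
        if (towlower((wint_t)*a) != towlower((wint_t)*b))
            return false;
    return *a == L'\0' && *b == L'\0';
}

path_kind classify_path(const wchar_t *name)
{
    if (name == NULL)
        return PATH_OTHER_FILE;

    /* 1. Win32 device namespace: "\\.\pipe\foo", "\\.\COM1", "\\.\C:". */
    if (has_prefix(name, L"\\\\.\\"))
        return PATH_DEVICE;

    /* 2. Strip "\\?\" (extended-length Win32) or "\??\" (native form seen
     *    by an NtCreateFile hook).  Both land in the same object-manager
     *    namespace, where anything that is not "X:\..." or "UNC\..." is a
     *    device / symbolic link, e.g. "\??\pipe\foo".  Approximation. */
    const wchar_t *p = name;
    if (has_prefix(p, L"\\\\?\\") || has_prefix(p, L"\\??\\")) {
        p += 4;
        bool drive = iswalpha((wint_t)p[0]) && p[1] == L':';
        if (!drive && !has_prefix(p, L"UNC\\"))
            return PATH_DEVICE;
    }

    /* 3. A file path: compare the extension of the final component only,
     *    so a dot in a directory name does not confuse the check. */
    const wchar_t *base = p;
    for (const wchar_t *q = p; *q; q++)
        if (*q == L'\\' || *q == L'/')
            base = q + 1;
    const wchar_t *dot = wcsrchr(base, L'.');
    if (dot == NULL || dot == base)      /* no extension, or ".name" */
        return PATH_OTHER_FILE;
    for (size_t i = 0; i < N_WATCHED; i++)
        if (equal_nocase(dot, WATCHED_EXTS[i]))
            return PATH_TARGET_FILE;
    return PATH_OTHER_FILE;
}

/* Demo on constructed names of the kinds the thread reports seeing. */
int main(void)
{
    static const wchar_t *const samples[] = {
        L"C:\\Docs\\Help.txt",
        L"\\\\.\\pipe\\lsarpc",
        L"C:\\Users\\Public\\Desktop\\Help.lnk",
        L"\\??\\C:\\Docs\\HELP.DOC",
        L"\\??\\pipe\\srvsvc",
        L"\\\\?\\UNC\\server\\share\\notes.txt",
    };
    static const char *const label[] = { "device", "other file", "target file" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40ls -> %s\n", samples[i], label[classify_path(samples[i])]);
    return 0;
}
```

In a CreateFileW callback you would call classify_path on the lpFileName parameter, then pass the call through to the original function unconditionally and only record the event (and the returned handle, so later ReadFile/WriteFile calls can be matched to it) when the result is PATH_TARGET_FILE. Keep that logging path short and non-blocking, for the performance and stability reasons madshi gives above.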