How to intercept file-creation and file-deleting API calls?

c++ / delphi package - dll injection and api hooking
bobby
Posts: 11
Joined: Mon Sep 25, 2006 10:58 am

Post by bobby »

Hi to all,
This is my first message on this board.

I'm working on a tool named Watcher. It is/would be used to monitor filesystem changes in order to log the activity.
The main target of this tool is to log the activity of malware, and the whole monitoring is meant to be done under a virtual machine.

As for now, the tool uses a component that fires a notification event if the directory content is changed.
After the event is received, the tool does a copy of the file changed.
The problem is that not all of the files can be copied because they are in use by another application (the malware), and sometimes the Watcher tends to break the activity of the malware because copying big files takes a lot of time.

Is it possible to use madCodeHook to resolve this problem? The files need to be copied on every modification, and before they get deleted from the HD (a lot of malware creates a file, uses it, and deletes it after use).
The process should monitor system-wide, because a malware can also download another malware from the net and get it running, and the modifications done by that new malware should also be monitored.
A neat feature would also be to log which file has created or modified another file.

I would like to know if this can be accomplished by using madCodeHook, and if yes - which APIs should be monitored (I'm mostly a Delphi/FreePascal user, and I don't have much knowledge of Windows API).
I'm totally new to hooks, so please don't take my newbish questions wrong.

After the file-system monitoring would be finished, the next step would be addition of registry monitoring.
The Watcher will be distributed as freeware, and probably as open-source.
The test version that uses notification of file-system changes is already in use in a closed test-group of researchers, and it does a hell of the job, but it misses a lot of files because of the mentioned problems (the logging is OK).

best regards
Spasic Boban (aka bobby) from www.mc-antivirus-test.com

P.S. I apologize for my bad English, I hope my message is not hard to understand.
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Your English reads just fine for me. But what do I know? It's not my native language, either... :)

madCodeHook should be able to hook into file creation/modification/deletion, as long as the files are created/modified/deleted in user land. madCodeHook will not be able to catch file actions which are done in driver land.

What you're trying to do sounds very much like a driver job. A driver would at least be the cleanest solution. madCodeHook is the next best choice, if driver programming is too difficult or time consuming for you. But as explained above, madCodeHook hooking is limited to user land only. Furthermore, the performance overhead of hooking all file related APIs in user land is probably a bit bigger compared to driver land. But a lot depends on how well you implement these things.

Ok, which APIs should you hook? That depends. If you only need to support the NT family (NT4, 2000, XP, 2003, Vista, ...) then I think your best bet would be to hook the native APIs like NtCreateFile, NtOpenFile etc.
bobby
Posts: 11
Joined: Mon Sep 25, 2006 10:58 am

Post by bobby »

Thanks for the fast reply.

Userland is just fine for me, and I don't have any idea how to code a driver (hobby coder here, not a pro), even this with hooking is a big project for me (and for my knowledge).

As for APIs that need to be hooked, I have expected to hear that from you or from other experienced users here.
Not that I'm lazy to read the MSDN, but I've got lost there as I don't know for which API functions to search.

I've just found info on other sites that deleting a file can be done in a lot of various ways.
I will quote the text here because I have saved it, and forgot to take a note where I've found it:
"You are not going to like this. There are a few ways to delete files, from the native API, so you have a few things to hook.

First, you need to hook ZwOpenFile and watch the OpenOptions variable for the FILE_DELETE_ON_CLOSE bit being set.

Second, you need to hook ZwCreateFile and perform the same watch as indicated for ZwOpenFile.

Third, and probably the most common way a file gets deleted, you need to hook ZwSetInformationFile, watch to see if it is for FileDispositionInformation and then see if the DeleteFile flag is set to true (within the past structure).

There may be even more methods to delete files. These are just the ones I've figured out over time."
As for copying the file when modified - if I hook the function for creating or modifying the file, I would then not really get what I want. I need a copy after modification. Is there any API that provides feedback from the OS that the file has been successfully modified or created?

I know that I'm asking too much, and that it is like that I'm asking someone else to do the job instead of me. If so, please point me to a good reading that can introduce me to Windows internals and APIs needed for this task, or just make a list of relevant API's that I should look at on MSDN, please.

Would the OpenFile, CreateFile and CloseFile APIs be enough to monitor in order to catch modifications done?
For deleting, I have already quoted what I've found.

thanks in advance
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

bobby wrote: I've just found info on other sites that deleting a file can be done in a lot of various ways.
Yes, and what you quoted is fully correct.
bobby wrote: As for copying the file when modified - if I hook the function for creating or modifying the file, I would then not really get what I want. I need a copy after modification. Is there any API that provides feedback from the OS that the file has been successfully modified or created?
No, because the OS doesn't know whether the modification was the last modification done for this file or not. So what you need is probably hooking NtClose.
bobby wrote: I know that I'm asking too much, and that it is like that I'm asking someone else to do the job instead of me. If so, please point me to a good reading that can introduce me to Windows internals and APIs needed for this task, or just make a list of relevant API's that I should look at on MSDN, please.
Well, you'll find all the file related APIs on Microsoft. Just search for CreateFile and then look for all related APIs from there. However, I'd suggest to hook the native APIs instead, because that's what the other APIs end up in, anyway.
bobby wrote: Would the OpenFile, CreateFile and CloseFile APIs be enough to monitor in order to catch modifications done?
I would hook NtCreateFile/NtOpenFile instead. ("Zw" and "Nt" are 100% identical in user land).

Here's more information about native APIs:

http://www.sysinternals.com/Information/NativeApi.html
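The three delete paths quoted above (FILE_DELETE_ON_CLOSE on NtOpenFile/NtCreateFile, and FileDispositionInformation with DeleteFile=TRUE on NtSetInformationFile) and the advice to hook NtClose for the "copy after modification" case fit together as one small handle-tracking state machine. The block below is an added illustration of that logic, not madCodeHook's or Watcher's code: the watch_on_* functions are hypothetical names for routines the hook callbacks would call (watch_on_open after the original NtCreateFile/NtOpenFile succeeded, watch_on_set_information from the NtSetInformationFile hook, watch_on_close from the NtClose hook before the original runs, while the file still exists). The NT constants carry their real SDK/DDK values but are defined locally so the logic compiles and runs without Windows; the handle values, paths and pid in main are constructed samples. The real callbacks must still pass every call through to the "Next" pointers and only observe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NT constants (values as in the Windows SDK/DDK headers); defined here
   so the decision logic compiles and runs without Windows headers. */
#define FILE_DELETE_ON_CLOSE        0x00001000u  /* bit in CreateOptions/OpenOptions */
#define FILE_WRITE_DATA             0x00000002u
#define FILE_APPEND_DATA            0x00000004u
#define GENERIC_WRITE               0x40000000u
#define FileDispositionInformation  13           /* FILE_INFORMATION_CLASS member */

typedef struct { uint8_t DeleteFile; } FILE_DISPOSITION_INFORMATION;

enum watch_event { EV_NONE, EV_COPY_AFTER_MODIFY, EV_COPY_BEFORE_DELETE };

struct tracked {
    int      used;
    uint32_t pid;             /* GetCurrentProcessId() inside the hook */
    uint32_t handle;          /* *FileHandle after the original call succeeded */
    int      writable;        /* opened with write/append access */
    int      delete_pending;  /* FILE_DELETE_ON_CLOSE or disposition DeleteFile=TRUE */
    char     path[128];       /* from ObjectAttributes->ObjectName, already narrowed */
};

#define MAX_TRACKED 64
static struct tracked table[MAX_TRACKED];   /* per-process table in a real hook DLL */

void watch_reset(void) { memset(table, 0, sizeof table); }

static struct tracked *watch_find(uint32_t handle) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].used && table[i].handle == handle) return &table[i];
    return NULL;
}

/* NtCreateFile/NtOpenFile hook, after the original returned STATUS_SUCCESS.
   Returns 1 when tracked, 0 when the table is full (the monitor should log the miss). */
int watch_on_open(uint32_t pid, uint32_t handle, const char *path,
                  uint32_t desired_access, uint32_t options) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].used) continue;
        table[i].used = 1;
        table[i].pid = pid;
        table[i].handle = handle;
        table[i].writable =
            (desired_access & (FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE)) != 0;
        table[i].delete_pending = (options & FILE_DELETE_ON_CLOSE) != 0;
        snprintf(table[i].path, sizeof table[i].path, "%s", path);
        return 1;
    }
    return 0;
}

/* NtSetInformationFile hook. Returns 1 when delete intent was recorded, 0 when the
   call was not a disposition change (or cleared one), -1 for an untracked handle. */
int watch_on_set_information(uint32_t handle, int info_class, const void *buf, size_t len) {
    struct tracked *t = watch_find(handle);
    if (!t) return -1;
    if (info_class != FileDispositionInformation || len < sizeof(FILE_DISPOSITION_INFORMATION))
        return 0;
    const FILE_DISPOSITION_INFORMATION *fdi = buf;
    t->delete_pending = fdi->DeleteFile != 0;   /* DeleteFile=FALSE cancels a pending delete */
    return t->delete_pending;
}

/* NtClose hook, called before the original runs so the file still exists.
   Hands back the path so the monitor can snapshot the file, then forgets the handle.
   A pending delete wins over "modified": the content is about to vanish. */
enum watch_event watch_on_close(uint32_t handle, char *path_out, size_t n) {
    struct tracked *t = watch_find(handle);
    if (!t) return EV_NONE;
    enum watch_event ev = t->delete_pending ? EV_COPY_BEFORE_DELETE
                        : t->writable      ? EV_COPY_AFTER_MODIFY : EV_NONE;
    if (path_out && n) snprintf(path_out, n, "%s", t->path);
    t->used = 0;
    return ev;
}

int main(void) {
    char p[128];
    watch_reset();
    /* Constructed sample: pid 4242 writes a temp file, then marks it for deletion. */
    watch_on_open(4242, 0x1c, "C:\\Temp\\drop.tmp", GENERIC_WRITE, 0);
    FILE_DISPOSITION_INFORMATION fdi = { 1 };
    watch_on_set_information(0x1c, FileDispositionInformation, &fdi, sizeof fdi);
    enum watch_event ev = watch_on_close(0x1c, p, sizeof p);
    printf("%s -> %s\n", p, ev == EV_COPY_BEFORE_DELETE ? "copy before delete" : "other");
    return 0;
}
```

NtDeleteFile is the one path without a handle: its ObjectAttributes carry the name directly, so the copy has to happen in that callback before calling through. Note also that NtClose on one handle does not prove it was the last handle to the file; for a first version, copying on the close of the handle that carried the delete or write intent is the simplest reliable point, and a missed copy is logged rather than blocked.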
bobby
Posts: 11
Joined: Mon Sep 25, 2006 10:58 am

Post by bobby »

Thank you very much, now I got many things clear :)

One more question:
If I make a system-wide hook for NTOpenFile, is there a way to know which process made the call?
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

Yes, in your hook function, call GetCurrentProcessId(). If you need a filename, you can call GetModuleFileName(NULL, ...) which returns the full path to the .exe.

-- David
bobby
Posts: 11
Joined: Mon Sep 25, 2006 10:58 am

Post by bobby »

This is my first test:

Code:

library WatcherHook;

{$IMAGEBASE $5a000000}

uses
  Windows,
  native,
  JwaWinType,
  madCodeHook,
  madStrings;

var
NTOpenFileNext : function (FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; IoStatusBlock: PIO_STATUS_BLOCK; ShareAccess: ULONG; OpenOptions: ULONG): NTSTATUS; stdcall;

NTCreateFileNext: function (FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; IoStatusBlock: PIO_STATUS_BLOCK; AllocationSize: PLARGE_INTEGER; FileAttributes: ULONG; ShareAccess: ULONG; CreateDisposition: ULONG; CreateOptions: ULONG; EaBuffer: PVOID; EaLength: ULONG): NTSTATUS; stdcall;

NTDeleteFileNext: function (ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;

function NTOpenFileCallback(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; IoStatusBlock: PIO_STATUS_BLOCK; ShareAccess: ULONG; OpenOptions: ULONG): NTSTATUS; stdcall;
begin
  Result := 0;
  //Result := NTOpenFileNext(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
end;

function NtCreateFileCallback(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES; IoStatusBlock: PIO_STATUS_BLOCK; AllocationSize: PLARGE_INTEGER; FileAttributes: ULONG; ShareAccess: ULONG; CreateDisposition: ULONG; CreateOptions: ULONG; EaBuffer: PVOID; EaLength: ULONG): NTSTATUS; stdcall;
begin
  Result := 0;
  //Result := NtCreateFileNext(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
end;

function NtDeleteFileCallback(ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall;
begin
  Result := 0;
end;

begin
  CollectHooks;
  HookAPI('ntdll.dll', 'NTOpenFile', @NTOpenFileCallback, @NTOpenFileNext);
  HookAPI('ntdll.dll', 'NTCreateFile', @NTCreateFileCallback, @NTCreateFileNext);
  HookAPI('ntdll.dll', 'NTDeleteFile', @NTDeleteFileCallback, @NTDeleteFileNext);
  FlushHooks;
end.
... but it does not work.
It should lie to the applications that the files are created or deleted, but it does not.
I use DllInjector from Demos to test the dll as System wide hook.
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Be careful with doing such mean things, your OS might stop working (ok, a reboot will fix it).

Anyway, you need to use the 100% correct names - even case is important. It's "NtCreateFile" and not "NTCreateFile".
bobby
Posts: 11
Joined: Mon Sep 25, 2006 10:58 am

Post by bobby »

Thanks, I would not have realized that it is because of the case-sensitivity.
About doing experiments - I'm doing them in a virtual machine until I get sure all is working OK.