
I am playing around with the demo of IDA and I am trying to do some reverse engineering of a program to figure out the structure of one of its files that it uses. My final goal is to be able to read that file directly from my own program.

Using Process Monitor I was able to find the subroutine that calls kernel32_ReadFile. What I would like to know is how do I find out what the hFile variable is pointing to before it makes the call to ReadFile?

I have been exploring around the menus while in debug mode and I have not found anywhere inside IDA where I can look up information about what file is associated with a file handle.

How do I map a handle to a real file?

Scott Chamberlain

2 Answers


This MSDN page describes ways to get the file name from a file handle:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa366789(v=vs.85).aspx

Is that the information you were looking for? I'm not sure why you can't see the file name directly in Process Monitor.

Adrian McCarthy
That is what I am doing, but I want to set a conditional breakpoint if a specific file is being read. I found a workaround though: I can break on 'nNumberOfBytesToRead == 259' as that is unique to the file I want. I won't accept yet as I would like a solution for how to do it inside IDA, but I will give you the answer if no one gives a solution in a few days. – Scott Chamberlain Jul 17 '12 at 19:40

I would set a breakpoint on CreateFileA and CreateFileW and see what files are being opened. You can then match the returned HANDLE value to the subsequent ReadFile call.

jcopenha
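An added example (not from either answer) that models the approach in the last answer and the conditional breakpoint the comment asks for: HANDLE values returned by CreateFileW are recorded, dropped again on CloseHandle, and a ReadFile is flagged only when its hFile is currently open on the file of interest. The trace, handle values and paths are constructed; `stdcall_arg` assumes IDA 7.x IDAPython on a 32-bit x86 target and is the only part that needs IDA.

```python
INVALID_HANDLE_VALUE = 0xFFFFFFFF   # what CreateFile returns on failure

class HandleTable:
    """Live HANDLE -> path. CloseHandle must be tracked too: Windows reuses
    handle values, so a stale entry would blame the wrong file for a ReadFile."""
    def __init__(self):
        self.live = {}
    def on_create_file_return(self, handle, path):
        if handle != INVALID_HANDLE_VALUE:   # failed opens never become live
            self.live[handle] = path
    def on_close_handle(self, handle):
        self.live.pop(handle, None)
    def path_for(self, handle):
        return self.live.get(handle)
    def is_target(self, handle, name):
        """True when `handle` is open on a file whose path ends with `name`."""
        p = self.path_for(handle)
        return p is not None and p.lower().endswith(name.lower())

def stdcall_arg(n):
    """Inside IDA only: n-th (1-based) arg of a 32-bit stdcall API at its first
    instruction ([ESP] = return address). stdcall_arg(1) at ReadFile is hFile."""
    import idc   # IDAPython module (IDA 7.x assumed), present only inside IDA
    return idc.get_wide_dword(idc.get_reg_value("ESP") + 4 * n)

# Constructed trace of the events the breakpoints would deliver, in order:
#   ("create", HANDLE in EAX, lpFileName)   at CreateFileW's return address
#   ("read",   hFile, nNumberOfBytesToRead) at ReadFile entry
#   ("close",  hObject)                     at CloseHandle entry
SAMPLE_TRACE = [
    ("create", 0x1A4, r"C:\Game\config.ini"),
    ("read",   0x1A4, 4096),
    ("close",  0x1A4),
    ("create", 0x1A4, r"C:\Game\levels.dat"),          # handle value reused
    ("read",   0x1A4, 259),
    ("create", INVALID_HANDLE_VALUE, r"C:\Game\missing.dat"),
]

def reads_of(trace, target_name):
    """Replay the trace; return (path, bytes requested) for each ReadFile whose
    hFile is currently open on the target: the conditional-breakpoint predicate."""
    table, hits = HandleTable(), []
    for ev in trace:
        if ev[0] == "create":
            table.on_create_file_return(ev[1], ev[2])
        elif ev[0] == "close":
            table.on_close_handle(ev[1])
        elif ev[0] == "read" and table.is_target(ev[1], target_name):
            hits.append((table.path_for(ev[1]), ev[2]))
    return hits
```

Without the CloseHandle step, the second open of handle 0x1A4 would still be attributed to config.ini, which is the usual reason a handle-to-file map goes wrong during a debugging session.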