
I am developing a file monitor to monitor the file access of any exe. I monitor that exe for any file it opens/closes, reads/writes and collect the stats.

I am a total newcomer to ETW (from my research, it does not look like there is any other way to do this).

While I have been able to get some C++ code going, my client would prefer a C# solution. Is there enough support in C# to monitor file I/O?

The samples on MSDN are C++/C specific. I read Vance Morrison's blogs, but it's beyond me at the moment and they don't seem to suit "NT kernel logging sessions / monitor file I/O" scenarios.

Can anyone give me a simple sample or point me to a useful link? Any input is welcome on this.

  • Any C# solution is going to have to use P/Invoke a lot to access the Windows API functions that you'll need to call. Perhaps you could write a DLL in C/C++ that does what you need and export from it some simple functions that provide an interface, then write a wrapper class in C# that uses P/Invoke to call those functions. – Matthew Watson Dec 05 '13 at 11:07
  • That's what I am doing currently. I am just curious to see the support offered by C# 4.0/4.5, and if that's the case, the code will be simpler and P/Invoke is not required. – user1914725 Dec 05 '13 at 11:24
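As an added example (not code from the question or from either answer), the scenario asked about above, an NT kernel logger session that collects open/close/read/write statistics for one process, written in C#. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package is referenced, that the program runs elevated (the kernel logger requires administrator rights), and that the target process name is passed as the first argument without ".exe"; the `FileIoStats`/`FileIoMonitor` names are my own.

```csharp
// Added example, not code from the question or its answers.
// Per-file I/O statistics for one process, collected from the NT kernel logger
// through the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package.
// Assumptions: the package is referenced, the program runs elevated (the kernel
// session requires administrator rights) and the target process name is given
// as the first argument without ".exe", e.g. "notepad".
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

class FileIoStats
{
    public int Opens, Closes, Reads, Writes;
    public long BytesRead, BytesWritten;
}

static class FileIoMonitor
{
    // file name -> counters; file names are case-insensitive on NTFS
    static readonly Dictionary<string, FileIoStats> Stats =
        new Dictionary<string, FileIoStats>(StringComparer.OrdinalIgnoreCase);

    // The kernel sometimes cannot map a file object back to a name (for example
    // when the handle was opened before the session started). Bucket those
    // events under a placeholder instead of silently dropping them.
    static FileIoStats For(string fileName)
    {
        if (string.IsNullOrEmpty(fileName)) fileName = "<unresolved>";
        FileIoStats s;
        if (!Stats.TryGetValue(fileName, out s))
            Stats[fileName] = s = new FileIoStats();
        return s;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: FileIoMonitor <processName>");
            return;
        }
        string target = args[0];

        if (TraceEventSession.IsElevated() != true)
        {
            Console.WriteLine("Run this program as administrator; the kernel logger needs it.");
            return;
        }

        // Only one NT kernel logger session can exist per machine. Using the
        // well-known session name replaces one left behind by an earlier crash.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Disposing the session makes Process() below return.
            Console.CancelKeyPress += (sender, e) => { e.Cancel = true; session.Dispose(); };

            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.FileIOInit |  // Create/Read/Write/Close events
                KernelTraceEventParser.Keywords.FileIO |      // completion (OperationEnd) events
                KernelTraceEventParser.Keywords.DiskFileIO);  // file object -> file name rundown

            var kernel = session.Source.Kernel;
            Func<TraceEvent, bool> fromTarget = ev =>
                string.Equals(ev.ProcessName, target, StringComparison.OrdinalIgnoreCase);

            kernel.FileIOCreate += d => { if (fromTarget(d)) For(d.FileName).Opens++; };
            kernel.FileIOClose  += d => { if (fromTarget(d)) For(d.FileName).Closes++; };
            kernel.FileIORead   += d =>
            {
                if (!fromTarget(d)) return;
                var s = For(d.FileName); s.Reads++; s.BytesRead += d.IoSize;
            };
            kernel.FileIOWrite  += d =>
            {
                if (!fromTarget(d)) return;
                var s = For(d.FileName); s.Writes++; s.BytesWritten += d.IoSize;
            };

            Console.WriteLine("Monitoring file I/O of '{0}'. Press Ctrl+C to stop.", target);
            session.Source.Process();  // blocks, dispatching events, until the session is disposed
        }

        foreach (var kv in Stats.OrderByDescending(k => k.Value.Reads + k.Value.Writes))
        {
            var st = kv.Value;
            Console.WriteLine(kv.Key);
            Console.WriteLine("    opens={0} closes={1} reads={2} ({3} B) writes={4} ({5} B)",
                st.Opens, st.Closes, st.Reads, st.BytesRead, st.Writes, st.BytesWritten);
        }
    }
}
```

Two things to keep in mind when reading the output: the counters come from the start-of-operation events, so the byte totals are the sizes requested, not the sizes actually transferred, and a process that was already running when the session started may have handles whose names the kernel never reports, which is why the `<unresolved>` bucket exists. Because there is only one kernel logger per machine, another tool that also starts it (xperf, PerfView) will take the session away from this program.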

2 Answers


Take a look at the FileSystemWatcher class.

Alberto
  • I am well aware of this class, but it monitors a file for changes, not the external accesses of this file. That's what I am looking for. – user1914725 Dec 05 '13 at 11:02

In Windows, ultimately any file access is granted by the underlying Win API. See CreateFile and family. These functions are hook-able by Microsoft Detours (though it is intended for instrumentation purposes). There are also a handful of other libraries for this sort of purpose, e.g. EasyHook.

Lawrence Kok
  • I am monitoring an exe. Will they be useful in this context, i.e. pick up file I/O events? Thanks for the info mate. Means more research :) – user1914725 Dec 05 '13 at 11:28
  • Simply put, such hook functions mean they will first be dispatched to your own function prior to actually calling the function supplied by the OS. You can even adjust parameters if you wish and alter the behaviour. In short, yes, they can be used in your scenario. – Lawrence Kok Dec 05 '13 at 11:56
  • Oh, that's great! Any other useful sample/link on this lib that you can provide me? I will search anyway. – user1914725 Dec 05 '13 at 13:02
  • I read some articles. From my understanding, I have to write a DLL naming the to-be-hooked functions and user-defined hook procedures, then inject that DLL into the required process. Is this the way to do it? – user1914725 Dec 05 '13 at 14:27
  • Correct, that is the basic outline of it. I have never done it on third-party executable files though, but the code on http://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours, specifically under the CreateRemoteThread section, is what you need for this. – Lawrence Kok Dec 05 '13 at 14:49