
I have created a C# program which gets newly loaded processes

startWatch.EventArrived += new EventArrivedEventHandler(startWatch_EventArrived);

and does stuff when the event handler fires.

Afterwards I'm using:

foreach (var runningProcess in Process.GetProcessesByName(ShortProcessName))

to get the runningProcess.MainModule data for the current process, and after that

foreach (System.Diagnostics.ProcessModule module in MYPROCESS.Modules)

to get the list of child processes and modules.

My next wish is to get an output of the files which were created / deleted / renamed / changed / whatever by the process I caught. I have tried digging through the 'Process' constructor and modules but didn't find anything for that. I also tried using a file watcher, but that also cannot get you the parent process responsible for the file changes. I guess this cannot be done using a high-level language such as C#, but a lower one.

Unfortunately I'm not familiar with lowers. In the end I want a service / watcher to hook a process in real time and create an output (file) of which files it has been messing with.

Hope someone saves my day :) Thanks!

    Seems, you want a virtual machine (good luck) –  Oct 09 '16 at 16:45
  • Why do you want this information (it looks like an XY Problem)? And by "lowers" do you mean drivers? – Richard Oct 09 '16 at 16:47
  • XY problem? Think the process is malware... I want to know which files the malware created or deleted. Lowers means low coding languages such as assembly, C, C++ – Aner Izraeli Oct 09 '16 at 18:57
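An added example, not code from the question or any answer, showing one way to do this from C# without writing a driver: keep the WMI process-start watcher from the question to learn the PID, then subscribe to the kernel's ETW FileIO events, which carry the calling process ID, and log only the events for that PID. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package plus System.Management, an elevated (administrator) process because kernel ETW sessions require it, and a constructed default target name of notepad.exe; it follows only the one started PID, not its children, and ETW reports paths in NT device form (\Device\HarddiskVolumeN\...).

```csharp
using System;
using System.IO;
using System.Management;
using Microsoft.Diagnostics.Tracing.Parsers;   // KernelTraceEventParser (TraceEvent NuGet, assumed)
using Microsoft.Diagnostics.Tracing.Session;   // TraceEventSession (TraceEvent NuGet, assumed)

class ProcessFileActivityLogger
{
    static int watchedPid = -1;                 // set once the WMI start trace fires
    static readonly object gate = new object();
    static StreamWriter log;

    static void Main(string[] args)
    {
        string shortName = args.Length > 0 ? args[0] : "notepad.exe";   // constructed default
        log = new StreamWriter("file-activity.log", append: true) { AutoFlush = true };

        // 1. Same WMI approach as in the question: fire when a process with this image name starts.
        var startWatch = new ManagementEventWatcher(new WqlEventQuery(
            "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '" + shortName + "'"));
        startWatch.EventArrived += new EventArrivedEventHandler(StartWatch_EventArrived);
        startWatch.Start();

        // 2. Kernel ETW session (needs elevation). FileIOInit gives file-name resolution, FileIO the ops.
        using (var session = new TraceEventSession("ProcFileActivity"))
        {
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIOInit
                                       | KernelTraceEventParser.Keywords.FileIO);
            session.Source.Kernel.FileIOCreate += e => Record(e.ProcessID, "create", e.FileName);
            session.Source.Kernel.FileIODelete += e => Record(e.ProcessID, "delete", e.FileName);
            session.Source.Kernel.FileIORename += e => Record(e.ProcessID, "rename", e.FileName);
            session.Source.Kernel.FileIOWrite  += e => Record(e.ProcessID, "write",  e.FileName);
            Console.CancelKeyPress += (s, e) => session.Dispose();   // Ctrl+C stops the trace
            session.Source.Process();   // blocks here, dispatching events until the session is disposed
        }
    }

    static void StartWatch_EventArrived(object sender, EventArrivedEventArgs e)
    {
        int pid = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value);
        lock (gate) { watchedPid = pid; }
        log.WriteLine($"{DateTime.UtcNow:o} process {pid} ({e.NewEvent.Properties["ProcessName"].Value}) started; tracing its file I/O");
    }

    // Only events from the watched PID are written; everything else on the box is dropped.
    static void Record(int pid, string op, string path)
    {
        lock (gate) { if (pid != watchedPid || string.IsNullOrEmpty(path)) return; }
        log.WriteLine($"{DateTime.UtcNow:o} pid={pid} {op} {path}");
    }
}
```

Run it elevated, start the target program, and file-activity.log receives one line per create/delete/rename/write the process performs; the same FileIO events can be consumed from a sandbox VM, which is where a suspected malware sample belongs anyway.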

0 Answers