I want to know what are the files opened/access by a process. May i know how to do that? I tried to use Deviare, a free hooking api to help me, but was unable to find any useful information from their AIP lib or forum.
I only know i have to hook on to kernel32.dll and createFileW and i am not sure of how to continue.
Pls help me. Thanks in advance.
It's right. You have to hook the function CreateFileA/W in kernel32.dll to monitor the acces. Do you want to hook these APIs in your own process or in an other process? If you want to hook functions in your own process you can use
void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
BYTE *jmp = (BYTE*)malloc(5+len);
DWORD dwback;
VirtualProtect(src,len,PAGE_READWRITE,&dwback);
memcpy(jmp,src,len);
jmp += len;
jmp[0] = 0xE9;
*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
VirtualProtect(src,len,dwback,&dwback);
return (jmp-len);
}
for it. These function detours the function src (f.e. MessageBoxA()) to function dst. As len you can use 5. It returns a function pointer to the original function. An example call:
typedef int (WINAPI *__MessageBox)(
__in_opt HWND hWnd,
__in_opt LPCTSTR lpText,
__in_opt LPCTSTR lpCaption,
__in UINT uType
);
__MessageBox _MessageBox;
int cMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
//here you can change anything you want
return _MessageBox(hWnd,lpText,lpCaption,uType);
}
int main(void)
{
BYTE *hookfunc = (BYTE*)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA");
_MessageBox = (__MessageBox)DetourFunc(hookfunc,(BYTE*)cMessageBox,5);
return 0;
}
That's an usermode hook. If you want to do this systemwide I would use a device driver. Here is a tutorial about this. http://www.codeproject.com/KB/system/driverdev.aspx
And if you are using VC++ compile in multibyte mode ;). If you want to hook in an other process just google DLL-Injection ;).
