Any Windows APIs to get file handles besides CreateFile and OpenFile?

I am trying to spy on a log file that an application is touching.

I have successfully hooked CreateFile with the Detours library from MSR, but CreateFile never seems to be called with the file I want to spy on. I have also tried hooking OpenFile with the same results.

I am not a seasoned Windows/C++ developer (or even a seasoned developer), so my first two thoughts were either that the application calls CreateFile before I hook the APIs, or that there is some other API for creating files/obtaining handles for them.

Edit: Thanks for both great replies. I would upvote codingthewheel's reply since it was informative, but I don't have enough rep :(

2019-12-02 03:07:05
Answers: 2

Here is a link which might be of use:

Guerilla-Style File Monitoring with C# and C++

It is possible to create a file without touching the CreateFile API, but can I ask what DLL injection method you are using? If you are using something like Windows Hooks, your DLL won't be installed until some time after the target application initializes, and you'll miss early calls to CreateFile. Whereas if you are using something like DetourCreateProcessWithDll, your CreateFile hook can be installed before any of the application startup code runs.

In my experience 99.9% of created/opened files result in a call to CreateFile, including files opened via C and C++ libs, 3rd-party libs, etc. Maybe there are some undocumented DDK functions which do not route through CreateFile, but for a normal log file, I doubt it.

2019-12-03 04:53:03

You can use Sysinternals' FileMon. It is an excellent monitor that can tell you exactly which file-related system calls are being made and what the parameters are.

I think that this approach is much easier than hooking API calls and much less invasive.

2019-12-03 04:49:00