Home/ Questions/Q 5965813
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T19:41:32+00:00

I want to know what are the files opened/access by a process. May i

  • 0

I want to know what are the files opened/access by a process. May i know how to do that? I tried to use Deviare, a free hooking api to help me, but was unable to find any useful information from their AIP lib or forum.

I only know i have to hook on to kernel32.dll and createFileW and i am not sure of how to continue.

Pls help me. Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s right. You have to hook the function CreateFileA/W in kernel32.dll to monitor the acces. Do you want to hook these APIs in your own process or in an other process?
    If you want to hook functions in your own process you can use

    void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
    BYTE *jmp = (BYTE*)malloc(5+len);
    DWORD dwback;
    VirtualProtect(src,len,PAGE_READWRITE,&dwback);   
    memcpy(jmp,src,len);
    jmp += len;   
    jmp[0] = 0xE9;
    *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
    src[0] = 0xE9;
    *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
    VirtualProtect(src,len,dwback,&dwback);
    return (jmp-len);
}

    for it. These function detours the function src (f.e. MessageBoxA()) to function dst. As len you can use 5. It returns a function pointer to the original function.
    An example call:

    typedef int (WINAPI *__MessageBox)(
  __in_opt  HWND hWnd,
  __in_opt  LPCTSTR lpText,
  __in_opt  LPCTSTR lpCaption,
  __in      UINT uType
);
__MessageBox _MessageBox;

int cMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType)
{
//here you can change anything you want
return _MessageBox(hWnd,lpText,lpCaption,uType);
}

int main(void)
{
BYTE *hookfunc = (BYTE*)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA");
_MessageBox = (__MessageBox)DetourFunc(hookfunc,(BYTE*)cMessageBox,5);
return 0;
}

    That’s an usermode hook. If you want to do this systemwide I would use a device driver. Here is a tutorial about this. http://www.codeproject.com/KB/system/driverdev.aspx

    And if you are using VC++ compile in multibyte mode ;).
    If you want to hook in an other process just google DLL-Injection ;).

    • 0