[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [ProgSoc] File Access hook
Two ways come to mind:
1. File system filter/driver - nasty, complicated and expensive but the only
way to do it properly... see
- http://www.acc.umu.se/~bosse/ (thanks to Anand a few weeks ago)
or get a book that deals specifically with this.
2. File system notifications - more an "after its been done" thing, so you
can't prevent something from occurring (except by deleting I guess and
assuming the file isn't locked). RTM on FindFirstChangeNotification(),
FindNextChangeNotification() and FindCloseChangeNotification().
Unfortunately, you have to call these functions on every directory you are
If your lucky you might be able to hook in through a NT kernel function
called NtNotifyChangeDirectoryFile() or something similar in ntdll.dll for
Windows NT/2000 but I doubt that its documented anywhere, so your pretty
much on your own.
There is always some useful information at http://www.sysinternals.com for
this sort of thing, and possibly an example or source code that might do
what you want.
[mailto:email@example.com]On Behalf Of Adam Bewsher
Sent: Thursday, 28 June 2001 4:59 PM
Subject: [ProgSoc] File Access hook
Does anyone know how to hook (windows) system file i/o?
I'm wanting to write something like a virus scanner which will intercept a
file access, perform a test, and then allow or deny it depending on the test
Can anyone help?
You are subscribed to the progsoc mailing list. To unsubscribe, send a
message containing "unsubscribe" to firstname.lastname@example.org.
If you are having trouble, ask email@example.com for help.