Monitor debug file

Hi, all!

I am writing a filter driver which monitors executable files. For now I am faced with the problem of monitoring the “debug” command. If I open cmd.exe and write “debug C:\example.xxx” (example.xxx is a .com file, just renamed), the file is successfully launched.

IRP_MJ_CREATE (FILE_EXECUTE), IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION (PAGE_EXECUTE), PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine do not capture the file.

BUT if I use “example.COM” it does!

So how can I monitor files passed to the debug command with different extensions?

Run Process Monitor and see what happens when you use the debug command. IIRC ntvdm will just open the 16 bit binary for read and parse/execute it itself.

-scott
OSR
@OSRDrivers

I did it, but I had no success. I am not familiar with Process Explorer and maybe I missed something useful. Could you give any hint about where I can find the answer?

Moreover, I used API Monitor to understand the call stack of what ntvdm does, but I found no useful information either.

For example, using edit.com:

  1. Run Process Monitor

  2. Set as a filter “Path contains edit.com”

  3. Enable Advanced Output under the Filter menu

  4. Run “debug edit.com”

  5. Profit

Now look at the entries and figure out how you’re going to deal with this
case in your product. You can double click on the entries and get call
stacks if you want to know where the individual events are coming from.

-scott
OSR
@OSRDrivers
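As an added illustration (not from the thread or from OSR), here is a small Python triage script over a constructed Process Monitor CSV export, the kind of listing step 5 produces. It picks out the CreateFile events where ntvdm.exe opens a file for read rather than execute, which is exactly the open that an execute-based filter (FILE_EXECUTE / section acquisition) never sees; the column names follow Process Monitor's CSV export, but the rows and paths are made up.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of a Process Monitor CSV export (File > Save... as CSV).
# Not real captured data; the paths and PIDs are invented for the example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","cmd.exe","1234","CreateFile","C:\\Tools\\debug.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.2","ntvdm.exe","2345","CreateFile","C:\\Tools\\example.xxx","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert"
"10:01:02.3","ntvdm.exe","2345","ReadFile","C:\\Tools\\example.xxx","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0","explorer.exe","600","CreateFile","C:\\Tools\\example.COM","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open"
"""

# Extensions a filter keyed on FILE_EXECUTE would already treat as images.
EXEC_EXTENSIONS = {".com", ".exe"}


def desired_access(detail):
    """Extract the 'Desired Access' text from a CreateFile Detail column.
    Access names themselves may contain commas, so cut at 'Disposition:'."""
    if "Desired Access:" not in detail:
        return ""
    return detail.split("Desired Access:", 1)[1].split("Disposition:", 1)[0].strip(" ,")


def ntvdm_read_opens(csv_text):
    """Return one record per CreateFile issued by ntvdm.exe with read access.
    These are the opens a FILE_EXECUTE / section-based monitor misses, because
    ntvdm reads and interprets the 16-bit image itself instead of mapping it
    as an executable section. 'renamed_extension' flags files whose extension
    is not one the execute-based path would have caught anyway."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != "ntvdm.exe" or row["Operation"] != "CreateFile":
            continue
        access = desired_access(row["Detail"])
        if "Read" not in access:
            continue
        ext = PureWindowsPath(row["Path"]).suffix.lower()
        hits.append({
            "pid": int(row["PID"]),
            "path": row["Path"],
            "access": access,
            "renamed_extension": ext not in EXEC_EXTENSIONS,
        })
    return hits


if __name__ == "__main__":
    for hit in ntvdm_read_opens(SAMPLE_CSV):
        print(hit)
```

The same selection (process name ntvdm.exe, CreateFile with read access) is what a minifilter would have to key on in its pre-create callback instead of waiting for an execute-access open or an image-load notification.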
