Hi all,
almost all of us know about filemon. I have a question: is it not possible
to replicate this tool without an FSFD? If I need to display file names
being opened, closed, deleted etc., is there no other way of achieving this?
Bedanto
Hook the file creation API in ntdll.dll or at the system call dispatch
table level. Look at BindView’s strace utility; it has the code for
doing it at the system call table level.
Regards
Faraz Ahmed
On 12/23/05, Bedanto wrote:
> HI all,
>
> almost all of us know about filemon. I have a question, is it not possible
> to replicate this tool without an FSFD? If I need to display file names
> being opened, closed, deleted etc, is there no other way of achieving this?
>
> Bedanto
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
Faraz,
Thanks for the help. But is hooking the only way? A lot of people swear by
it, and an equal number are ready to fry you if you mention the word hook
here!!!
Is just hooking ZwCreateFile enough?
Bedanto
On 12/23/05, Faraz Ahmed wrote:
>
> Hook the file Creation API in ntdll.dll or at system call dispatch
> table level. Look at bindview’s strace utility it has the code for
> doing it system call table level.
> Regards
> Faraz Ahmed
>
>
> On 12/23/05, Bedanto wrote:
> > HI all,
> >
> > almost all of us know about filemon. I have a question, is it not possible
> > to replicate this tool without an FSFD? If I need to display file names
> > being opened, closed, deleted etc, is there no other way of achieving this?
> >
> > Bedanto
> >
> almost all of us know about filemon. I have a question, is it
> not possible to replicate this tool without an FSFD?
Yes, it is. There is a driver called filespy in the IFS kit, but the user-mode
app is a console one (so not as comfortable as Filemon). You must
take this driver as a starting point, add some features and fix some bugs.
Then you have to write a GUI.
I’ve done it; the tool is called FileSpy and it is free for download from
OSR’s download section. Currently a beta version of the new FileSpy is
in development, which is able to use either the filespy or the minispy driver.
L.
Yes, that’s right;
don’t hook. If you just want to monitor a single process
then you can just patch its import table :),
using the following function:
PsSetLoadImageNotifyRoutine
In the callback,
patch the needed functions like ZwCreateFile etc.
AFAIK the code to do this is available somewhere.
Hope it helps
Regards
Faraz.
On 12/23/05, Bedanto wrote:
> HI all,
>
> almost all of us know about filemon. I have a question, is it not possible
> to replicate this tool without an FSFD? If I need to display file names
> being opened, closed, deleted etc, is there no other way of achieving this?
>
> Bedanto
>
AFAIK, even strace uses a driver.
> Yes, it is. There is a driver called filespy in IFS, but the user mode
> app is a console one (so not as confortable as Filemon). You must
> take this driver as starting point, add some features and fix some bugs.
> Then you have to write a GUI.
I don’t want a driver, just the same functionality as filemon minus the
driver, maybe in userland by some means.
I went through Ladislav’s filespy tool; heck, how does he do it without a
driver???
> I went through Ladislav’s filespy tool, heck, how does he do it without a
> driver???
He doesn’t. He simply has somehow embedded the driver code in the app itself
(there are ways of doing it) and extracts it into \system32\drivers under
the name fspy.sys and makes the registry entries. The next time it is invoked,
it searches for the driver image; if it is found, it is loaded, else it
repeats the same steps as above.
amitr0
look at it in HEX, there is a driver
Bedanto wrote:
I went through Ladislav’s filespy tool, heck, how does he do it
without a driver???
"look at it in HEX, there is a driver" - excuse me, just realized I was
thinking of Mark R.'s page/reg defrag tool. It is the one with the
embedded driver. I’m not sure how Ladislav wrote his tool; if you don’t
see the driver he embedded it or it relies on an external existing
one… Can’t recall, almost 37 hours of no sleep…
Kinda starting to hallucinate here…
Bedanto wrote:
I went through Ladislav’s filespy tool, heck, how does he do it
without a driver???
Hey Matt,
What do you mean by that? Can you explain the technique of finding a driver
through a hex editor? My technique was simple: I ran filemon (grin) and
then executed filespy, and saw the driver being created.
Next I ran filespy again and this time no driver got created. But if I
deleted the driver, yes, then it recreated it.
It would be interesting to know your technique of doing the same.
Amitr0
Apologies Rod,
when I posted it in ntdev I was not aware that I could post in ntfsd; my
previous mail to this list bounced back, making me believe that I was not a
member.
bedanto
> "look at it in HEX, there is a driver " - excuse me, just realized I was
> thinking of Mark R.'s page/reg defrag tool. It is the one with the
> embeded driver.
Not an issue; tell me how to find the driver in that tool. I am interested
in the general technique of finding an embedded driver!!!
amitr0
“amitr0” wrote in message news:xxxxx@ntfsd…
> It would be interesting to know your technique of doing the same.
Take a look at http://www.microsoft.com/MSJ/0398/driver.aspx they show how
to embed a driver in an application, then load it.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Thanks Don.
amitr0,
What I meant specifically is: look at the exe in a hex editor. You can
clearly see the driver… all the functions it uses; its entire
structure is visible. Even if you don’t know the hex codes, you’ll see
it. Have a look for yourself.
amitr0 wrote:
Hey Matt,
what do you mean by that, can you explain the techniques of finding a
driver through a hex editor. My technique was simple, I ran filemon
(grin) and then executed filespy, saw the driver being created.
Next i again run filespy and this time no driver got created. But if I
deleted the driver, yes, then it recreated it.
It would be interesting to know your technique of doing the same.
Amitr0
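Matt’s hex-editor observation and amitr0’s request for a general technique for finding an embedded driver can be automated. This is an added example, not code from the thread, FileSpy or OSR: it walks a file’s bytes for nested MZ/PE headers and treats a native subsystem (value 1) together with an import of ntoskrnl.exe as heuristics for a kernel driver; SAMPLE_HOST is a constructed pair of header-only images, not a real executable.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1   # Subsystem value kernel-mode drivers carry
SUBSYSTEM_OFFSET = 24 + 68   # from "PE\0\0": 20-byte COFF header, then Subsystem field

def _pe_header_at(data: bytes, pos: int):
    """Return the "PE\\0\\0" offset if a valid MZ/PE header starts at pos, else None."""
    if len(data) - pos < 0x40:
        return None
    pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]       # e_lfanew
    if pe - pos < 0x40 or pe + SUBSYSTEM_OFFSET + 2 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    return pe if magic in (0x10B, 0x20B) else None                  # PE32 / PE32+

def find_pe_images(data: bytes) -> list:
    """One record per valid PE header in data; a stray 'MZ' inside text is skipped."""
    starts, pos = [], data.find(b"MZ")
    while pos != -1:
        if _pe_header_at(data, pos) is not None:
            starts.append(pos)
        pos = data.find(b"MZ", pos + 1)
    records = []
    for i, pos in enumerate(starts):
        pe = _pe_header_at(data, pos)
        end = starts[i + 1] if i + 1 < len(starts) else len(data)   # this image's region
        subsystem = struct.unpack_from("<H", data, pe + SUBSYSTEM_OFFSET)[0]
        records.append({
            "offset": pos,                    # offset 0 is the host executable itself
            "subsystem": subsystem,
            # heuristic: a driver's import directory names ntoskrnl.exe
            "imports_ntoskrnl": b"ntoskrnl.exe" in data[pos:end].lower(),
            # native subsystem is also used by a few native apps, so treat this as a lead
            "likely_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        })
    return records

def _fake_pe(subsystem: int) -> bytes:
    """Constructed header-only PE32 image for the demo (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                          # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)

# Constructed sample: GUI host EXE (subsystem 2), a stray "MZ" in text, an embedded native-subsystem image
SAMPLE_HOST = _fake_pe(2) + b"\0" * 64 + b"...MZ in text..." + _fake_pe(1) + b"ntoskrnl.exe\0"
```

Running `find_pe_images` over a real tool’s bytes reports the host at offset 0 and any embedded image at its file offset, which is the offset to jump to in the hex editor.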
Aaah, that way; well, ya, that I tried, but Don’s link was fabulous. I wonder
how he can produce them in so short a time. Don, do you remember them
all???
> I went through Ladislav’s filespy tool, heck, how does
> he do it without a driver???
Hehe, it does not do it without a driver. The same as filemon,
there is a driver too. Just look better.
L.