Hooking IO of another process ?

Heandel

Hello,

I wanted to know if it's possible to do some kind of file hooking on a
native process.

Explanation: an unmanaged process U tries to read file.txt, but data
isn't provided by system but by another process (managed), M.

Is it possible to "hook" IO reads? Or is there no easy solution to that
problem?

Thanks in advance,

Heandel
 
Heandel said:
Hello,

I wanted to know if it's possible to do some kind of file hooking on a
native process.

Explanation: an unmanaged process U tries to read file.txt, but data
isn't provided by system but by another process (managed), M.

Is it possible to "hook" IO reads? Or is there no easy solution to
that problem?

I can think of two main approaches to that: hack the file system so you
redirect data from a given file name, or hack the unmanaged process so
that when it tries to open a given file name, it gets your data instead.

Neither is going to be easy. In fact, I would expect either to be very
hard.

Why not just write your data to the "file.txt" file before the unmanaged
process runs?

Pete
 
I wanted to know if it's possible to do some kind of file hooking on a
native process.

Explanation: an unmanaged process U tries to read file.txt, but data
isn't provided by system but by another process (managed), M.

Is it possible to "hook" IO reads? Or is there no easy solution to
that problem?

Having the managed process provide data using e.g. named
pipes should be easy.

Hooking into the IO of a process is a bit more difficult. And
definitely out of scope for this group.

But it should be possible. Both anti virus software and root kits
use such techniques.

You should probably ask in a Windows internals group or
a group for development of anti virus software (if such exist).

Arne
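
The named-pipe approach suggested above, as an added example that is not part of the original thread: the managed process M serves the data over a pipe restricted to the current user and checks that the connected client is the child it started. Assumptions: .NET Core 2.1 or later on Windows (for `PipeOptions.CurrentUserOnly`), a hypothetical `U.exe` that takes the path of its input file as its first argument, and constructed sample data.

```csharp
using System;
using System.Diagnostics;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

static class PipeFeeder
{
    // Win32 call that reports which process opened the client end of the pipe.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetNamedPipeClientProcessId(SafePipeHandle pipe, out uint clientPid);

    static void Main()
    {
        // Random name so the pipe path is not predictable (constructed for this example).
        string name = "m-feed-" + Guid.NewGuid().ToString("N");
        byte[] data = Encoding.UTF8.GetBytes("contents U would have read from file.txt\n");

        // One instance, outbound only, and an ACL limited to the current user.
        using (var server = new NamedPipeServerStream(name, PipeDirection.Out, 1,
                   PipeTransmissionMode.Byte, PipeOptions.CurrentUserOnly))
        // Assumption: U.exe (hypothetical) opens the path given as its first argument.
        using (Process child = Process.Start("U.exe", @"\\.\pipe\" + name))
        {
            server.WaitForConnection();

            // Serve the data only if the connected client is the child we started.
            uint pid;
            if (!GetNamedPipeClientProcessId(server.SafePipeHandle, out pid)
                || pid != (uint)child.Id)
            {
                server.Disconnect();
                throw new InvalidOperationException("Unexpected pipe client, PID " + pid);
            }

            server.Write(data, 0, data.Length);
            server.WaitForPipeDrain(); // block until U has read everything
        }
    }
}
```

This only works if U reads its input sequentially; seeking or querying the file size fails on a pipe handle. The data never touches disk, but U's own memory remains readable by anything that can open the U process.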
 
Thanks for your answer.

Hacking the file system or the unmanaged process is beyond my knowledge. Though
I guess the second one would be easier.

Writing the data to file.txt makes it accessible to other processes, which I
do not want to happen. The data would get stolen immediately after its
release.

Maybe "hosting" the unmanaged process in the managed one, like a virtual
machine, would be possible?
 
Thanks for your suggestion, I will try.

Arne Vajhøj said:
Having the managed process provide data using e.g. named
pipes should be easy.

Hooking into the IO of a process is a bit more difficult. And
definitely out of scope for this group.

But it should be possible. Both anti virus software and root kits
use such techniques.

You should probably ask in a Windows internals group or
a group for development of anti virus software (if such exist).

Arne
 
Hi,

You are looking for a filter driver that will attach to the file or drive
and relay messages to your application (doing the 'business logic' and sending
the alternate buffers). This is somewhat low level. This is similar to
www.sysinternals.com's File Monitor. You will get a better answer asking
this on the DDK / WDK forum. I tried it once and it works.

Alternatively you can use ICopyHook or some other shell extension to replace
the file or file names, or create a virtual directory, but surprisingly
creating a virtual directory is more work than using a device driver.

Best Regards,
Asaf
 