Environment: Visual C++ 5.0, DDK, Windows 95/98 (*will not work in Windows NT*)
This article demonstrates a technique of monitoring the File Input and Output in Windows 95/98. It uses VxD (Virtual Device Driver) to accomplish this. This program cannot operate in Windows NT.
Using this program it is possible to analyse the ins and outs that are happening in the File System in Windows. This is done by hooking the specified function through which the file io happens. Registry access, Swap File access, DLLs, even VxDs are opened only through this hook. Hence all these operations are logged to a file called C:\FileCall.Spy. It is done using Dynamic VxD loading. This is similar to DLL technique but VxDs operate in Ring 0 which is where the Kernel operates in Windows. DLLs operate in Ring 3 and which are less privileged.
I have provided the source code along with the code that accomplishes this. Ask me your doubts and suggest me for improvements.
Load the driver through SpyExec program. The Spy.VxD must be in the current working directory or in the Windows system directory. After it is loaded the hook remains active, till OK button is pressed in the message box, at which point the box is dismissed and then the logging stops. A short duration of the hook produces a lot of logging activity, so be quick in your analysis. If you want to know the DLLs that a program is opening then use this program to monitor the file IO.
Downloads
Download Spy - 15 Kb
Download source code for Spy - 8 Kb
About the Author
I have been programming for the past 16 years. I started programming in 1990. I came to Windows in 1993. I have authored a book called, "Classic Utilities Using Assembly Language" , 1995.
In my free time I listen a lot to Kenny G sax all the albums and Valentine Classics Songs. I like to watch a lot of TinTin adventure Comics. I am currently working in K7 Computing antivirus company (www.k7computing.com) as Senior Technical Lead.
My contact is:
Phone: +91 944 411 7353
All
IE 7
Firefox 2.0
