views: 1265
answers: 3

I am trying to snoop on a log file that an application is writing to.

I have successfully hooked CreateFile with the Detours library from MSR, but CreateFile never seems to be called with the file I am interested in snooping on. I have also tried hooking OpenFile with the same results.

I am not an experienced Windows/C++ programmer (or even an experienced programmer), so my initial two thoughts were either that the application calls CreateFile before I hook the APIs, or that there is some other API for creating files/obtaining handles for them.

Edit: Thanks for the two great replies. I would upvote codingthewheel's reply since it was informative, but I don't have enough rep :(

+6  A: 

Here's a link which might be of use:

Guerilla-Style File Monitoring with C# and C++

It is possible to create a file without touching the CreateFile API, but can I ask what DLL injection method you're using? If you're using something like Windows Hooks your DLL won't be installed until sometime after the target application initializes and you'll miss early calls to CreateFile. Whereas if you're using something like DetourCreateProcessWithDll your CreateFile hook can be installed prior to any of the application startup code running.

In my experience 99.9% of created/opened files result in a call to CreateFile, including files opened through C and C++ libs, third-party libs, etc. Maybe there are some undocumented DDK functions which don't route through CreateFile, but for a typical log file, I doubt it.

James D
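As an added illustration of the hook-timing point in the answer above (this is example code, not from the question, the answer, or the Detours project itself): a Detours hook DLL that wraps CreateFileW, is attached in DLL_PROCESS_ATTACH so it is in place before the target's startup code runs when the DLL is injected with DetourCreateProcessWithDllEx, and appends a trace line each time the watched file is opened. The Detours calls (DetourRestoreAfterWith, DetourTransactionBegin, DetourUpdateThread, DetourAttach, DetourDetach, DetourTransactionCommit, DetourIsHelperProcess) are the real Detours API; the watched file name `app.log`, the trace path `C:\Temp\createfile-trace.txt`, and the helper names `PathMatchesWatched` and `LogOpen` are assumptions made for the example. The path-matching helper is portable so it can be compiled and tested anywhere; the hook itself is Windows-only.

```cpp
// Added example (not the page's or Detours' own code): log CreateFileW calls
// that open a watched file, from inside the target process, via a Detours hook.
// Assumes Microsoft Detours (detours.h / detours.lib) is available when built
// for Windows; the helper names and sample values below are constructed.
#include <algorithm>
#include <cwctype>
#include <string>

// Name of the file whose opens we want to see (constructed sample value).
static const std::wstring kWatchedFileName = L"app.log";

// Case-insensitive check that the last path component of `path` equals
// `watched`, so "C:\Logs\APP.LOG" and "app.log" both match, "app.log.bak" does not.
bool PathMatchesWatched(const std::wstring& path, const std::wstring& watched) {
    size_t pos = path.find_last_of(L"\\/");
    std::wstring name = (pos == std::wstring::npos) ? path : path.substr(pos + 1);
    if (name.size() != watched.size()) return false;
    return std::equal(name.begin(), name.end(), watched.begin(),
        [](wchar_t a, wchar_t b) { return std::towlower(a) == std::towlower(b); });
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#include <cstdio>

// Pointer to the real CreateFileW; DetourAttach redirects it to a trampoline.
static HANDLE (WINAPI *TrueCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                        DWORD, DWORD, HANDLE) = CreateFileW;

// Append one trace line. This itself calls CreateFileW (through fopen), which
// re-enters the hook; that is safe only because the trace file's own name
// never matches kWatchedFileName, so no recursive logging happens.
static void LogOpen(LPCWSTR path, DWORD access, HANDLE h) {
    FILE* f = nullptr;   // trace path is a constructed example value
    if (_wfopen_s(&f, L"C:\\Temp\\createfile-trace.txt", L"a") == 0 && f) {
        fwprintf(f, L"pid=%lu access=0x%08lx handle=%p path=%s\n",
                 GetCurrentProcessId(), access, h, path);
        fclose(f);
    }
}

// Replacement for CreateFileW: always call the original, then log if it was
// the watched file. Behaviour of the target is otherwise unchanged.
static HANDLE WINAPI HookedCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile) {
    HANDLE h = TrueCreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
        lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
    if (lpFileName && PathMatchesWatched(lpFileName, kWatchedFileName)) {
        LogOpen(lpFileName, dwDesiredAccess, h);
    }
    return h;
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (DetourIsHelperProcess()) return TRUE;   // 32/64-bit helper process: do nothing
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();   // required when injected via DetourCreateProcessWithDll*
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueCreateFileW, HookedCreateFileW);
        DetourTransactionCommit();  // hook live before the target's entry point runs
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueCreateFileW, HookedCreateFileW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Two practical notes: DetourCreateProcessWithDllEx requires the injected DLL to export a function at ordinal 1 (the Detours samples do this with a `.def` line `DetourFinishHelperProcess @1 NONAME`), and if the application uses the ANSI entry point you will want to attach CreateFileA with the same pattern. If the file still never shows up in the trace, that is a sign it is not being opened through CreateFile at all, which is exactly when Process Monitor, recommended in the other answers, is the faster way to see what the process is actually doing.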
+6  A: 

You can use Sysinternals' FileMon. It is an excellent monitor that can tell you exactly which file-related system calls are being made and what the parameters are.

I think that this approach is much easier than hooking API calls and much less intrusive.

Barak Schiller
FileMon and its sister application RegMon are great stuff
Chris Ballance
FileMon has been superseded by ProcMon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
Jason R. Coombs
+2  A: 

Process Monitor from Sysinternals could help too.

botismarius