Jason

Reputation: 107

Intercept and modify file system call - Windows

Short Version: Is there a way to 'intercept' a Windows (XP or 7) file system call to open a file and replace said call with a different file name?

Long Version: I am trying to help a customer recover from an HDD corruption. The computer in question is in a kiosk that simply plays two Flash files in combination with a webcam. It is controlled by a compiled .exe from MDM Zinc. I have the two Flash files and a copy of the .exe.

The problem is, only one of the Flash files opens. After MUCH head banging, I finally watched what is happening through Sysinternals Process Monitor. Both of the .flv files are in the same folder. I can see very clearly in Process Mon that the .exe calls the working one as c:\somedirectory\anotherdirectory\file1.flv. The non-working one though APPARENTLY has a typo in that it has two backslashes side-by-side in the path: c:\somedirectory\\anotherdirectory\file2.flv

I am told that this is the only version of the .exe that is available and that the company who created it is out of business, so what I have is all I am going to get. If it is indeed a typo, I can't imagine how it ever could have worked. I have to think that there was a different version out there. Of course, if it really is a typo in the .exe, the worst possible character that it could have been was another \ since that is invalid in a directory or file name and I can't simply move the file in question to a new path. (found today that you can actually create a directory in Windows with a seemingly blank name (ALT-255) but that was a long shot which didn't work).

My programming skills are not incredibly strong, but researching today sort of led me to think that minifilter or API hooking might be an answer? I've tried decompiling the .exe as well as popping it open in a hex editor and unfortunately, the path in question does not appear to be a string that is readily available for editing. If either of those is a valid option, I would really appreciate a (hard) push in the right direction. If you can think of anything else that I might try, I'm pretty much out of ideas.

Thank you for your time!

Upvotes: 2

Views: 3093

Answers (1)

Pieter van Ginkel

Reputation: 29642

You should be able to use the EasyHook library to accomplish this. The article about EasyHook at http://www.codeproject.com/Articles/27637/EasyHook-The-reinvention-of-Windows-API-hooking specifically contains an example for how to override CreateFile, the method that the .NET framework uses to open a file.

Upvotes: 1
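A sketch of the in-process part of the approach the answer describes, applied to the path from the question. This is an added example, not code from the answer or from the EasyHook article. The class name `PathFixEntry` is hypothetical, the two paths are the placeholder ones from the question, and a separate launcher that loads this DLL into the kiosk .exe through EasyHook is assumed and not shown.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// Added example: loaded into the kiosk process by EasyHook (launcher not shown).
public class PathFixEntry : IEntryPoint
{
    // Placeholder paths taken from the question; replace with the real ones.
    const string BadPath  = @"c:\somedirectory\\anotherdirectory\file2.flv";
    const string GoodPath = @"c:\somedirectory\anotherdirectory\file2.flv";

    LocalHook hook; // kept in a field so the hook is not garbage collected

    public PathFixEntry(RemoteHooking.IContext ctx, string channel) { }

    public void Run(RemoteHooking.IContext ctx, string channel)
    {
        hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "CreateFileW"),
            new DCreateFile(CreateFileHooked), this);
        // Exclude only thread 0 (the current thread): every other thread is hooked.
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
        RemoteHooking.WakeUpProcess();
        while (true) Thread.Sleep(1000); // keep the hook alive with the process
    }

    [UnmanagedFunctionPointer(CallingConvention.StdCall,
        CharSet = CharSet.Unicode, SetLastError = true)]
    delegate IntPtr DCreateFile(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true,
        CallingConvention = CallingConvention.StdCall)]
    static extern IntPtr CreateFileW(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);

    // Called instead of CreateFileW; rewrites only the one known-bad path.
    static IntPtr CreateFileHooked(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template)
    {
        if (string.Equals(name, BadPath, StringComparison.OrdinalIgnoreCase))
            name = GoodPath;
        // Inside a handler EasyHook bypasses the hook, so this reaches the real API.
        return CreateFileW(name, access, share, security, disposition, flags, template);
    }
}
```

Matching one exact path keeps every other file open in the process unchanged, which makes the shim easy to audit and remove.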
