Rudi

Reputation: 29

Which user-mode functions to hook to monitor/intercept file access?

Which user-mode functions in Windows 7 can I hook to monitor/intercept file access?

I've tried ntdll.dll's NtOpenFile(), NtCreateFile(), but some of these aren't files - they're also pipes and mutexes. Same goes for kernel32.dll's CreateFile(). Is there a function that is called only to access files/directories? If it helps, I'm trying to only hook explorer.exe to prevent access to firefox.exe. I'm also using EasyHook, if any of you have familiarity with it.

I think I've also read somewhere that, using the parameters from NtOpenFile/NtCreateFile, you can distinguish between file access/pipe access. But that's still a bit hazy. Is there a nice comfortable function to hook?

EDIT: Please keep in mind I do need to intercept file access to prevent access to some files. EasyHook is a great solution, since it allows me to perform complicated hooking in a few easy steps in C# managed code.

Upvotes: 2

Views: 1977

Answers (1)

Stephen Cleary

Reputation: 457017

There is no "file open function" that only opens files. Furthermore, hooking is only supported using Detours. Finally, you must ensure that all computers running this have .NET 4.0 installed, so they can run in-proc SxS.

A far superior solution is to change the file permissions on firefox.exe. This is a solution that requires no licensing of Detours, and is supported.

Upvotes: 3
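
The file-permission approach recommended in the answer above, shown as an added PowerShell example (not code from the question or the answer). The install path and the account name are assumed placeholders, and the script is assumed to run from an elevated prompt.

```powershell
# Added example: deny one account read/execute on a single executable by
# editing its NTFS ACL, with an -Undo switch that removes the same ACE.
# $Target and $Account defaults are placeholders (assumptions), not values
# taken from the page.
param(
    [string]$Target  = 'C:\Program Files\Mozilla Firefox\firefox.exe',
    [string]$Account = 'EXAMPLE\restricted-user',
    [switch]$Undo
)

$ErrorActionPreference = 'Stop'

# An explicit Deny ACE is evaluated before inherited Allow ACEs, so it
# overrides the read/execute access the account inherits from the folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Target

if ($Undo) {
    # Removes only an ACE that matches this rule exactly; other entries stay.
    $acl.RemoveAccessRuleSpecific($rule)
} else {
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $Target -AclObject $acl

# Verify: list the explicit (non-inherited) ACEs now present on the file.
(Get-Acl -Path $Target).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

The ACE is enforced by the file system for every process running as that account, not only explorer.exe. An update or reinstall that replaces the file creates a new file with inherited permissions only, so the ACE has to be reapplied afterwards.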
