File hooking in Win9x. I'm trying to get a filename from a handle after installing an IFSMgr hook.

Hooking an IFSFN_OPEN returns a ptr to the Unicode path in the ioreq structure. But no such path is returned for an IFSFN_WRITE.

One way I've seen to get the path (from IFSFN_WRITE) requires the address of the enum procedure.

The code snippet I've seen for this is:
;enumFunc = ifsr.ifs_hndl->hf_misc->hm_func[HM_ENUMHANDLE];

.if pEnumFunc==0            ; only look it up if we have not got it yet
    mov esi,ifs_hndl        ; esi ptr on hndlfunc
    add esi,8h              ; esi ptr on ptr to hf_misc
    mov esi,dword ptr [esi] ; esi ptr on hf_misc
    add esi,4               ; esi ptr on hm_func
    add esi,7*4             ; HM_ENUMHANDLE = 7
    mov esi,dword ptr [esi] ; esi = hm_func[HM_ENUMHANDLE]
    mov pEnumFunc,esi       ; cache the enum function pointer
.endif

Trouble is I've not got much documentation on any of this. :)

1) I know about the ioreq structure (and where to access it from the stack when my hook gains control), but what is the ifsreq structure, and how do I access it?

2) ";enumFunc = ifsr.ifs_hndl" I'm lost as to this. I take it it has something to do with the ifsreq structure? What would be the numerical value of ifs_hndl?

Any clarification would be most helpful!
Posted on 2003-02-03 07:46:54 by Manxcat