Is it possible to redirect an app's write to a file (to memory for example)
Maybe using a hook or sth like that, but how?
I've something in mind that might work, but it's not reliable.
Start process execution in debug mode and hook all memory-allocation-related APIs.
When the app decides to allocate memory, you give it a read-only buffer, so that any write attempt will cause an exception; then you hook it (it will generate a debug event) and restore the state. Change the stack to read-only too before execution.
Or you can make a .vxd that handles the memory fault.
Another way is doing partial emulation for each opcode, checking its ModR/M/SIB for memory access, and checking some other particular instructions too.
uNdErX
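The read-only-buffer trick above, as an added example that is not code from the thread or its attachment: the "application" is handed a buffer whose pages are read-only, its first store faults, and a fault handler records the access and restores state so the store completes. POSIX mprotect() with a SIGSEGV/SIGBUS handler stands in for the Win32 debug event or .vxd fault handler the post talks about; the names alloc_watched, app_write_record and the "hello" input are assumptions made for the demonstration. It builds on Linux and macOS.

```c
/* Added example, not code from the thread: hand the "application" a read-only
 * buffer so its first write faults, then catch the fault and restore state.
 * POSIX mprotect() plus a SIGSEGV/SIGBUS handler stand in for the Win32 debug
 * event or .vxd fault handler described in the post. Linux and macOS. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* BSD/macOS spelling */
#endif

static uint8_t *g_watched = NULL;       /* base of the read-only region */
static size_t g_watched_len = 0;
static size_t g_page = 0;
static volatile sig_atomic_t g_faults = 0;   /* write faults caught */
static void *volatile g_last_fault = NULL;   /* address of the last fault */

static void on_fault(int sig, siginfo_t *si, void *uctx)
{
    (void)uctx;
    uint8_t *addr = (uint8_t *)si->si_addr;
    /* Faults outside our region are real crashes: restore the default
     * action and return, so the instruction re-faults and the process dies. */
    if (addr < g_watched || addr >= g_watched + g_watched_len) {
        signal(sig, SIG_DFL);
        return;
    }
    g_last_fault = addr;
    g_faults++;
    /* "Restore state": make the page writable and return, so the faulting
     * store re-executes and completes. A redirecting hook would instead
     * emulate the store into its own copy and step over the instruction. */
    uint8_t *page_base = (uint8_t *)((uintptr_t)addr & ~(uintptr_t)(g_page - 1));
    mprotect(page_base, g_page, PROT_READ | PROT_WRITE);
}

/* Give the caller `len` bytes that trap on the first write. NULL on failure. */
uint8_t *alloc_watched(size_t len)
{
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    size_t rounded = (len + g_page - 1) / g_page * g_page;
    uint8_t *p = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memset(p, 0, rounded);              /* populate while still writable */
    if (mprotect(p, rounded, PROT_READ) != 0) { munmap(p, rounded); return NULL; }
    g_watched = p;
    g_watched_len = rounded;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);       /* macOS reports protection faults as SIGBUS */
    return p;
}

/* The "application" (assumed): it just writes a record into the buffer it was given. */
int app_write_record(uint8_t *buf, const char *rec)
{
    size_t n = strlen(rec);
    memcpy(buf, rec, n + 1);            /* first store faults; handler unprotects; copy completes */
    return (int)n;
}

/* Accessors for checking what the trap observed. */
uint8_t *watched_base(void) { return g_watched; }
int faults_seen(void) { return (int)g_faults; }
int last_fault_in_region(void)
{
    uint8_t *a = (uint8_t *)g_last_fault;
    return a != NULL && a >= g_watched && a < g_watched + g_watched_len;
}
int watched_holds(const char *expected)
{
    return g_watched != NULL && memcmp(g_watched, expected, strlen(expected) + 1) == 0;
}

int main(void)
{
    uint8_t *buf = alloc_watched(64);
    if (!buf) return 1;
    app_write_record(buf, "hello");     /* constructed input */
    return (faults_seen() == 1 && last_fault_in_region() && watched_holds("hello")) ? 0 : 2;
}
```

The handler only unprotects the page on the first fault, which is enough to detect and log the write; to actually divert it the handler would have to decode the faulting instruction (the ModR/M/SIB inspection the post mentions), perform the store into its own memory copy, and advance the instruction pointer, which is why the post calls the approach unreliable.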
What do you mean by an 'app's write'? If you mean the standard output, this can be redirected to a file or a pipe by specifying the hStd* handle values in the STARTUPINFO structure used in CreateProcess.
Thomas
Not console output. I mean an app's write to a disk file.
Sounds quite complicated. If I just want to redirect an app's write to the REGISTRY, then how?
Really cool, you mean hooking the API of registry operations?
But I still need some time to digest the code. Does this trick only work in Win9x?
Att.=Very simple MsgBox Hook Example + Doc.
More information
You mean hooking the API of registry operations? Yes...
Does this trick only work in Win9x? Yes...
I thought that you'd like to intercept every memory write attempt.
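The API-hooking answer to the original question (redirecting an app's file writes into memory, the same mechanism the registry-API hook relies on), as an added example that is not the thread's attachment or anyone's posted code: the application reaches the write routine only through an import slot, the hook saves the original pointer, swaps in a replacement with the same signature, and the replacement stores data for redirected handles in memory while passing everything else through. The `imports` table stands in for the PE import address table; on Windows the same swap is made on the kernel32!WriteFile slot after VirtualProtect() makes it writable, which this portable C cannot do. The names real_write_file, hooked_write_file, redirect_handle, app_save, handle 7 and the log line are assumptions made for the demonstration.

```c
/* Added example, not code from the thread: redirect an application's file
 * writes into memory by swapping the write routine it reaches through an
 * import slot. `imports` stands in for the PE import address table (IAT);
 * on Windows the swap targets the kernel32!WriteFile slot after
 * VirtualProtect() makes that page writable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*write_fn)(int handle, const void *data, size_t len);

/* The hooked program's "import table": it calls the OS only through this slot. */
struct import_table { write_fn write_file; };
static struct import_table imports;
static size_t g_disk_bytes = 0;             /* bytes that really reached disk */

/* Original target (assumed): appends to a disk file keyed by handle. */
static int real_write_file(int handle, const void *data, size_t len)
{
    char name[32];
    snprintf(name, sizeof name, "handle_%d.bin", handle);
    FILE *f = fopen(name, "ab");
    if (!f) return -1;
    size_t n = fwrite(data, 1, len, f);
    fclose(f);
    g_disk_bytes += n;
    return (int)n;
}

/* In-memory files the hook writes into instead of disk. */
#define MAX_MEMFILES 8
struct memfile { int handle; unsigned char *buf; size_t len, cap; };
static struct memfile memfiles[MAX_MEMFILES];
static int n_memfiles = 0;
static write_fn saved_write_file = NULL;    /* original pointer: passthrough and unhook */

static struct memfile *find_memfile(int handle)
{
    for (int i = 0; i < n_memfiles; i++)
        if (memfiles[i].handle == handle) return &memfiles[i];
    return NULL;
}

/* Declare that writes to `handle` land in memory. -1 if full or already redirected. */
int redirect_handle(int handle)
{
    if (n_memfiles == MAX_MEMFILES || find_memfile(handle)) return -1;
    memfiles[n_memfiles++] = (struct memfile){ handle, NULL, 0, 0 };
    return 0;
}

/* Replacement with the original's signature: redirected handles go to a
 * growable buffer, everything else is forwarded to the saved original. */
static int hooked_write_file(int handle, const void *data, size_t len)
{
    struct memfile *m = find_memfile(handle);
    if (!m) return saved_write_file(handle, data, len);
    if (m->len + len > m->cap) {
        size_t cap = m->cap ? m->cap * 2 : 256;
        while (cap < m->len + len) cap *= 2;
        unsigned char *nb = realloc(m->buf, cap);
        if (!nb) return -1;
        m->buf = nb; m->cap = cap;
    }
    memcpy(m->buf + m->len, data, len);
    m->len += len;
    return (int)len;                        /* report full success; the app never notices */
}

void setup_imports(void) { imports.write_file = real_write_file; }

void install_hook(void)
{
    if (saved_write_file) return;           /* already hooked */
    saved_write_file = imports.write_file;  /* keep the original for passthrough */
    imports.write_file = hooked_write_file; /* the IAT slot swap */
}

void remove_hook(void)
{
    if (!saved_write_file) return;
    imports.write_file = saved_write_file;
    saved_write_file = NULL;
}

/* 1 if the redirected handle holds exactly `expected`, else 0. */
int memfile_matches(int handle, const char *expected)
{
    struct memfile *m = find_memfile(handle);
    size_t n = strlen(expected);
    return m && m->len == n && memcmp(m->buf, expected, n) == 0;
}
size_t disk_bytes_written(void) { return g_disk_bytes; }

/* The "application" (assumed): it only knows the import slot. */
int app_save(int handle, const char *text)
{
    return imports.write_file(handle, text, strlen(text));
}

int main(void)
{
    setup_imports();
    install_hook();
    redirect_handle(7);
    app_save(7, "secret log line\n");      /* constructed input: lands in memory */
    int ok = memfile_matches(7, "secret log line\n") && disk_bytes_written() == 0;
    remove_hook();
    return ok ? 0 : 1;
}
```

Two things carry over to a real Windows hook unchanged: the replacement must keep the original's exact signature and calling convention, and the saved original pointer is what lets non-redirected handles (and any later unhook) behave as if nothing happened; the thread's Win9x-only trick differs in how the slot is found and patched, not in this shape.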