Here's the deal. I have a program and when it tries to read from a file I'd like to get the read data and edit it before the program receives it. I do not want to edit the file. In order to edit the data I have to know its position in the file, because the file is XOR-cyphered and the editing is nothing less than decyphering (and nothing more :)).

I hope you get what I am trying to say (I'm a li'l tired and sick)..

Posted on 2003-12-06 22:25:07 by yaXay
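
Added example, not part of the original thread: why the first post needs the file position of every read. It assumes a repeating-key XOR, which the thread does not specify. The key, the in-memory "file" and the helper names `xor_at_offset`, `filtered_read` and `demo` are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample key; the thread gives no key or key length. */
static const uint8_t KEY[] = { 0x5A, 0xC3, 0x17, 0x88, 0x2E };

/* XOR `len` bytes located at absolute file position `file_offset`.
 * XOR is its own inverse, so the same call enciphers and deciphers. */
void xor_at_offset(uint8_t *buf, size_t len, uint64_t file_offset)
{
    size_t k = (size_t)(file_offset % sizeof KEY); /* key phase of byte 0 */
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= KEY[k];
        if (++k == sizeof KEY) k = 0;
    }
}

/* Stand-in for an intercepted read (hypothetical helper): copy ciphertext
 * out of an in-memory "file", then decipher it using the read's offset. */
size_t filtered_read(const uint8_t *file, size_t size, uint64_t offset,
                     uint8_t *out, size_t want)
{
    if (offset >= size) return 0;               /* read at or past EOF */
    size_t n = size - (size_t)offset;
    if (n > want) n = want;                     /* short read at EOF */
    memcpy(out, file + offset, n);
    xor_at_offset(out, n, offset);
    return n;
}

/* Returns 1 if unaligned chunked reads rebuild the plaintext, and sets
 * *naive_ok to 1 if deciphering a mid-file chunk from phase 0 also works. */
int demo(int *naive_ok)
{
    const char *plain = "constructed sample plaintext for the demo";
    size_t size = strlen(plain), pos = 0;
    uint8_t file[64], got[64], naive[7];
    memcpy(file, plain, size);
    xor_at_offset(file, size, 0);               /* the protected file */
    while (pos < size)                          /* 7-byte reads, key is 5 */
        pos += filtered_read(file, size, pos, got + pos, 7);
    memcpy(naive, file + 7, sizeof naive);
    xor_at_offset(naive, sizeof naive, 0);      /* wrong: ignores offset 7 */
    *naive_ok = memcmp(naive, plain + 7, sizeof naive) == 0;
    return memcmp(got, plain, size) == 0;
}

int main(void) { int naive; return demo(&naive) && !naive ? 0 : 1; }
```

The same offset-to-key-phase mapping applies wherever the read is intercepted, so the interception layer must see the absolute offset of each read, not only the buffer.
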
You can edit your program, using another thread, edit the temp buffer reading from your file, or using another program do this.
Posted on 2003-12-07 02:59:15 by whrcartoon
Okay.. scratch what I said.. I didn't really make myself clear.
The program reading from the file is not made by me. It's any program. The hooking isn't program dependent, it is file dependent! The main problem is that there may be too many ways to read from a file. I mean.. if the file was just read by ReadFile it wouldn't be too hard (I think). But what if there were ten other ways to open it? I don't know what files the user is going to protect. It might be a video or an audio file. So what if the file is opened via AVI API and I don't know anything about it? The user is gonna be pretty pissed, because he got my program for no use.. or is there just one way to read from a file (maybe the other APIs use ReadFile.. never thought about it..)

I hope that I did a better job this time.. *still not really awake*
Posted on 2003-12-07 17:15:23 by yaXay
To be completely sure you hook everything, you have to do it at the kernel level... VxD on 9x, KMD (.sys) on NT. This is a rather complicated task, I'm afraid :)
Posted on 2003-12-07 17:35:59 by f0dder
Okay.. Now how is Windows playing back a video/audio file? Does the media API directly input the data out of the opened file or does it use OpenFile/ReadFile/CloseHandle (I would love that, but I fear the truth is, it inputs directly out of the file). How do I find out??

Today is another I-Hate-MS-Day! :d
Freaking Windows isn't transparent enough!

Posted on 2003-12-08 14:43:15 by yaXay
Under Windows 9x, this is accomplished using the VxD service 400067h (IFSMgr_InstallFileSystemAPIHook). Hooking user level APIs won't do you any good, since DOS programs may open files, too.
Posted on 2003-12-08 15:43:52 by Sephiroth3
Mhhh.. I don't really like Win9x/ME. It's not that I like Win2k and XP, they're just more reliable (I think). Thanks for answering though. Do you know if there is any possibility to get that to work with 2k/XP (KMD as F0dder said)?
Is it still service 400067h (IFSMgr_InstallFileSystemAPIHook)? I'm afraid I never did any kind of kernel level hooking. Well, I have to learn it sometime... sooo pleaaaasssseeeeeee :)
Or maybe a table with all the KDE Hook Types.. anything..

Thank you!
Posted on 2003-12-08 19:55:21 by yaXay
KMD driver, hooking NtOpenFile I'd imagine would do the trick, but then you have ring0 -> ring3 communication to handle too.
Posted on 2003-12-08 21:27:22 by evlncrn8
I just found an interesting article:
Right now I'm still trying to understand it.. I just thought someone else might be interested, so here it is!

Posted on 2003-12-13 13:28:55 by yaXay