Just a quick question, I am currently investigating
the security of an app I have, and am wondering if
it would be relatively simple to hook the file-opening
API such that I can be aware of what the first few bytes of
the file are before returning the handle to the program
that actually requested it opened ... I am assuming it's
possible but just wanted confirmation from someone
with a bit more knowledge than me ....

appreciate it :)
Posted on 2004-01-21 21:20:57 by latte
I sure hope you're not planning to use this for evil-doing...

You can CreateProcess in suspended mode, and inject code to patch the ReadFile IAT entry with code of your own. This will trap one particular application. Will not handle GetProcAddress imports, nor "unconventional" ways of doing imports.

If you want full hooking, you'll have to write a driver and trap at a lower level.
Posted on 2004-01-22 03:36:01 by f0dder
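
An added example, not written by any poster in this thread: the defender-side check for the IAT patching described above, flagging import slots whose stored address lies outside the DLL they were imported from. The module map, addresses, forwarder table and all names in the code are constructed sample data and assumptions; a real tool would read them from the target process.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str    # lower-case module name
    base: int    # load address
    size: int    # image size in bytes

@dataclass(frozen=True)
class IatSlot:
    dll: str     # DLL named by the import descriptor
    func: str    # imported function name
    target: int  # address currently stored in the IAT slot

def owner(modules, addr):
    """Name of the loaded module containing addr, or None if unbacked."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None

def audit_iat(modules, slots, forwarders=None):
    """Return (func, expected_dll, actual_owner) for each slot that points
    outside the DLL it was imported from and outside known forward targets."""
    forwarders = forwarders or {}
    findings = []
    for s in slots:
        expected = s.dll.lower()
        allowed = {expected} | forwarders.get(expected, set())
        actual = owner(modules, s.target)
        if actual not in allowed:
            findings.append((s.func, s.dll, actual))
    return findings

# Constructed sample data (not taken from a real process).
MODULES = [
    Module("app.exe", 0x00400000, 0x00020000),
    Module("kernel32.dll", 0x77E60000, 0x000E0000),
    Module("ntdll.dll", 0x77F50000, 0x000A0000),
]
# kernel32 forwards some exports (e.g. HeapAlloc) to ntdll; allow that.
FORWARDERS = {"kernel32.dll": {"ntdll.dll"}}
CLEAN = [
    IatSlot("KERNEL32.DLL", "CreateFileA", 0x77E7B476),
    IatSlot("KERNEL32.DLL", "ReadFile", 0x77E78B82),
    IatSlot("KERNEL32.DLL", "HeapAlloc", 0x77F57A3E),
]
# Same table after ReadFile was redirected into memory no module owns.
HOOKED = CLEAN[:1] + [IatSlot("KERNEL32.DLL", "ReadFile", 0x003A0010)] + CLEAN[2:]
```

Without the forwarder allowance the forwarded HeapAlloc slot is reported as a false positive. Calls resolved through GetProcAddress never pass through the IAT, so this check says nothing about them.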
f0dder, thanks for the reply ...

no, I am not using it for anything bad :) I don't really need to know
how, just if .. but it seems it's harder than I thought ..., but still possible,
but it's not as simple as just hooking the "ReadFile" function...?

i.e:
pOpenProcess = (OPENPROCESS_PROC)HookAPIFunction(GetModuleHandle(NULL), "KERNEL32.DLL", "OpenProcess", (PROC)OpenProcess_Handler);
is used in the source of a demo hooking app from Sysinternals, the same won't work for ReadFile ?
Posted on 2004-01-22 03:49:11 by latte
or is that doing exactly what you said, but just in the dll and not the
actual executable... I think so.

let me know if I'm wrong ...

thanks again :)
Posted on 2004-01-22 03:53:05 by latte