Hello All!
I want some help as I'm new to assembly (in TASM). I want to make a program
that can tell whether any application is opening a file in read/write mode.
I know the starting point, i.e. hooking the file-opening interrupt, but
how do I do that?
I want help. Please help me all.
thanx ;)
Google for "systemwide API hooking" and maybe also "EAT hijacking" - you want to hook CreateFile at some level :)
Why do you want to do this?
No, I just need to check whether a file is trying to open any other .exe file in read/write mode.
Question #2 being: on which platform?
I'm using Windows and DOS.
I want it for protection against exe-modifying viruses.
If your desktop user profile has Administrator privilege, then the virus code can easily find its way into Ring 0.
And once it does, nothing you do in UserLand will prevent it doing whatever it wants to.
Your solution is fundamentally flawed, since it will only prevent UserLand code from modifying files.
Furthermore, a well-defined ACL (or a demoted user profile) will stop UserLand code getting its teeth into Ring 0 in the first place (generally, anyway).
This is why good antiviruses install kernel-side components! You can't deal with kernel-side issues unless your code is also kernel-side. Better to concentrate on stopping all the holes that allow code to cross that border in the first place.
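A defender-side check for the ACL point made in the reply above, added here as an example and not written by any poster in this thread: it lists the .exe files under a directory whose ACL lets BUILTIN\Users, Everyone or Authenticated Users change their contents, which is exactly what user-mode code (including the exe-modifying viruses the original poster worries about) needs. $Root is a placeholder path, not something from the thread.

```powershell
# Added example, not from the thread. Lists .exe files whose ACL lets ordinary
# (non-admin) identities write to them. Run from an elevated PowerShell prompt
# so Get-Acl can read every file's security descriptor.
param(
    # Placeholder path, not from the thread; point it at the directory to audit.
    [string]$Root = 'C:\Program Files\ExampleApp'
)

# Identities that any logged-on user (hence any user-mode malware) runs as.
$lowPrivIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# WriteData/AppendData are the rights that let a process change the file's
# contents; Write, Modify and FullControl all include them, so this mask
# catches every "Allow" ACE that permits patching the executable.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

Get-ChildItem -Path $Root -Filter '*.exe' -Recurse -File | ForEach-Object {
    $file = $_
    $acl  = Get-Acl -Path $file.FullName

    # Inherited entries count too: an Allow on the parent folder is what usually
    # makes a whole install directory user-writable. Deny entries are not
    # subtracted here, so treat each hit as a candidate to inspect, not a verdict.
    $weakAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivIdentities -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }

    if ($weakAces) {
        [PSCustomObject]@{
            File       = $file.FullName
            WritableBy = ($weakAces.IdentityReference.Value | Sort-Object -Unique) -join ', '
            Inherited  = ($weakAces.IsInherited -contains $true)
        }
    }
}
```

The files it reports are the ones a user-mode CreateFile hook would be trying to guard; the fix is to remove the Allow entry or install under a directory non-admins cannot write to, because adding a Deny for BUILTIN\Users also hits administrator accounts, which are members of that group.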