Hello All!

I want some help as I'm new to assembly (in TASM). I want to make a program
that can tell whether any application is opening a file in read/write mode.

I know the starting point, i.e. hooking the file-opening interrupt, but how do I do that?

I want help. Please help me, all.

Thanks ;)
Posted on 2009-12-04 08:12:16 by aloksaini
Google for "systemwide api hooking" and maybe also "EAT hijacking" - you want to hook CreateFile at some level :)
Why do you want to do this?
Posted on 2009-12-04 08:53:02 by Homer
No, I just need to check whether a file is trying to open any other .exe file in read/write mode.

Posted on 2009-12-13 08:14:43 by aloksaini

No, I just need to check whether a file is trying to open any other .exe file in read/write mode.
As Homer asked: why do you want to do this?

Question #2 being: on which platform?
Posted on 2009-12-13 08:17:13 by f0dder
I'm using Windows and DOS.

I want it for protection against exe-modifying viruses.
Posted on 2009-12-29 22:04:19 by aloksaini
If your desktop user profile has Administrator privilege, then the virus code can easily find its way into Ring 0.
And once it does, nothing you do in UserLand will prevent it doing whatever it wants to.
Your solution is fundamentally flawed, since it will only prevent UserLand code from modifying files.
Furthermore, a well-defined ACL (or a demoted user profile) will stop UserLand code getting its teeth into Ring 0 in the first place (generally, anyway).
This is why good antiviruses install kernelside components! You can't deal with kernelside issues unless your code is also kernelside. Better to concentrate on stopping all the holes that allow code to cross that border in the first place.

Posted on 2009-12-29 22:17:15 by Homer
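
An added example, not code from any poster in this thread: the decision a monitor would make for each open request it sees, whether it sits in a userland CreateFile hook or in a kernel-side component. The helper names are hypothetical, the access-mask values are those defined in winnt.h, and treating MAXIMUM_ALLOWED as a possible write is an assumption of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits as defined in the Windows SDK (winnt.h), repeated
   here so the example builds on any platform. */
#define GENERIC_READ     0x80000000u
#define GENERIC_WRITE    0x40000000u
#define GENERIC_ALL      0x10000000u
#define MAXIMUM_ALLOWED  0x02000000u
#define FILE_WRITE_DATA  0x00000002u
#define FILE_APPEND_DATA 0x00000004u
#define DELETE_ACCESS    0x00010000u /* named DELETE in winnt.h */
#define WRITE_DAC        0x00040000u
#define WRITE_OWNER      0x00080000u
/* Any of these lets the opener change the file, its ACL or its owner. */
#define MODIFY_MASK (GENERIC_WRITE | GENERIC_ALL | MAXIMUM_ALLOWED | \
    FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE_ACCESS | WRITE_DAC | WRITE_OWNER)

/* Hypothetical helper: does the final path component name an .exe? */
int targets_exe(const char *path)
{
    static const char ext[] = ".exe";
    if (isalpha((unsigned char)path[0]) && path[1] == ':')
        path += 2;                          /* skip a drive prefix */
    const char *name = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') name = p + 1;
    size_t len = strcspn(name, ":");        /* drop ":stream" suffix */
    while (len && (name[len - 1] == '.' || name[len - 1] == ' '))
        len--;                  /* Win32 strips trailing dots/spaces */
    if (len < 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)name[len - 4 + i]) != ext[i]) return 0;
    return 1;
}

/* Hypothetical policy check: 1 if this open could modify an .exe. */
int is_exe_modify_open(const char *path, uint32_t desired_access)
{
    return targets_exe(path) && (desired_access & MODIFY_MASK) != 0;
}

int main(void)
{   /* constructed sample request */
    printf("%d\n", is_exe_modify_open("C:\\Tools\\app.EXE", GENERIC_READ | GENERIC_WRITE));
    return 0;
}
```

Comparing the name only against a literal ".exe" suffix would miss the trailing-dot, stream and mixed-case forms handled above, and checking only GENERIC_WRITE would miss opens that ask for specific rights such as FILE_APPEND_DATA or WRITE_DAC.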