I need some advice here.
I have to code an app which will hook the file system activity, and since I'm a little bit out of practice I'd like to have some advice on different possible methods.
It's a quick & dirty thing so no state-of-the-art is needed. By this I mean that I'd like to avoid low level drivers and such. Maybe API hooking? All I need to do is to hook WriteFile globally, I guess.
Posted on 2002-11-22 11:06:57 by latigo
I'm not sure how much of a help this will be to you (since I don't know offhand what method(s) they used), but hasn't the source for filemon been released?
Posted on 2002-11-22 13:42:33 by Will
There are some methods to do what you want to do. 9x uses DOS to do a lot of things (yes, 9x uses int 21h). You should search for info about VxDCall. It is an undocumented function of the kernel. Maybe you know about that. So, you want some links. Here is an interesting one:
No virii links here! - bazik
Posted on 2002-11-22 15:19:18 by Kecol
Thanks very much guys, but that's just the type of thing I was trying to avoid :)
I'm looking for a more "superficial" approach.
Posted on 2002-11-22 18:11:48 by latigo
If you're interested in API hooking maybe take a look at this program by y0da with source. It shows you how to hook MessageBoxA, but it's in C. It's not too hard to write your own routine to modify IAT entries, I can attach one I wrote if you like. There's also APIHijack but I've found it a little buggy.

If you want to see what files programs are accessing though, may I suggest filemon, I've found it very useful for this. Will, you are right, the filemon source is available on the website.

Posted on 2002-11-23 07:26:01 by stormix
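An added example, not code from any poster in this thread, showing concretely what "modifying IAT entries" refers to: it walks the import directory of a PE32 image and locates the IAT slot for a named import such as WriteFile. The image is a constructed minimal one laid out as it would be mapped in memory (RVA == file offset), and the function names are mine; the same walk is what a checker uses to compare each IAT slot against the address the exporting DLL really exports and so notice an unexpected hook.

```python
import struct

def _cstr(image, off):  # NUL-terminated ASCII string at offset off
    return image[off:image.index(b"\0", off)].decode("ascii")

def build_sample_image():
    """Constructed minimal PE32 image (RVA == offset) importing two KERNEL32 functions."""
    img = bytearray(0x270)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                         # optional header magic: PE32
    struct.pack_into("<II", img, 0x58 + 0x60 + 8, 0x200, 0x28)       # DataDirectory[1] = imports
    struct.pack_into("<IIIII", img, 0x200, 0x228, 0, 0, 0x240, 0x234)  # descriptor; null one follows
    struct.pack_into("<III", img, 0x228, 0x250, 0x25C, 0)            # INT: hint/name RVAs
    struct.pack_into("<III", img, 0x234, 0x250, 0x25C, 0)            # IAT: same until the loader binds it
    img[0x240:0x24D] = b"KERNEL32.dll\0"
    img[0x250:0x25C] = b"\0\0WriteFile\0"                            # 2-byte hint + name
    img[0x25C:0x26A] = b"\0\0CreateFileA\0"
    return bytes(img)

def list_imports(image):
    """Walk the import directory; return (dll, function, RVA of its IAT slot) triples."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    opt = e_lfanew + 24                                  # optional header after signature + COFF
    assert struct.unpack_from("<H", image, opt)[0] == 0x10B, "only PE32 handled (PE32+ differs)"
    desc = struct.unpack_from("<I", image, opt + 0x68)[0]  # DataDirectory[1].VirtualAddress
    found = []
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, desc)
        if int_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                                        # all-zero descriptor terminates the list
        dll = _cstr(image, name_rva)
        lookup = int_rva or iat_rva                      # INT if present, else the unbound IAT
        i = 0
        while (entry := struct.unpack_from("<I", image, lookup + 4 * i)[0]) != 0:
            # high bit set means import by ordinal; otherwise RVA of hint/name, skip the hint
            func = "#%d" % (entry & 0xFFFF) if entry & 0x80000000 else _cstr(image, entry + 2)
            found.append((dll, func, iat_rva + 4 * i))   # each IAT slot is 4 bytes in PE32
            i += 1
        desc += 20                                       # next IMAGE_IMPORT_DESCRIPTOR
    return found

def find_iat_slot(image, dll, func):
    """RVA of the IAT slot holding the address of dll!func, or None if not imported."""
    for d, f, rva in list_imports(image):
        if d.lower() == dll.lower() and f == func:
            return rva
    return None
```

In a running process the slot RVA is added to the module base to get the pointer that a hook overwrites and that a checker compares against GetProcAddress's answer for the same name.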
Posted on 2002-11-25 03:45:11 by latigo