I am trying to get file open/write/create operation, I have tried fslogger which can only get file creation/delete....and other operations, can not get open/close operation,
then I wrote a driver to do it, I can get open/close operation but can not get create operation, what's more, it's too messy!
for example, if I open a file and modify it, and then close it, the driver gets a lot of open/write operations..I have no way to tell which one is really caused by user open/close operation..
any hints about this?
thanks.
Your best bet is going to be the KAuth system. You install your kauth handler (as a kernel extension) and get various callback codes when someone tries to create, open or close a file. This involves getting your callback in the critical path of opening files, so whatever you do has to be quick!
To quote:
KAUTH_SCOPE_FILEOP defines the following actions.
KAUTH_FILEOP_OPEN
KAUTH_FILEOP_CLOSE
KAUTH_FILEOP_CLOSE_MODIFIED
KAUTH_FILEOP_RENAME
KAUTH_FILEOP_EXCHANGE
KAUTH_FILEOP_LINK
KAUTH_FILEOP_EXEC
https://developer.apple.com/library/mac/technotes/tn2127/_index.html
If you're writing a kext you then have the question of how to get that info back into userland. FWIW I used Kqueue but you may have success with another method (let me know in the comments if you do!).
More info on Kauth here and KQueue here. It's not brilliantly documented, but there's enough info between those two to work out what you need to do.
Related
I read here that the inverse is possible, but how does one achieve such a thing? I'd hope there's a simple way, similar to calling from a loaded DLL, but my google research comes up with nothing. My only other thought is that one could pass some predefined constants through WriteFile or DeviceIoControl that the driver parses like a switch statement to execute the relevant function; does a more direct method exist?
The question is why would you want to do it? Generally if you have to rely on some mechanism like this, you need to revisit the design of the application/driver that you are writing.
The correct way to do something in context of your user mode application is exactly what you described. You can do a DeviceIoControl call to your driver and the driver validates all the parameters that you have passed, then carries out the operation on behalf of the user mode call.
If for some reason, you need to call into kernel directly, you will have to resort to undocumented methods. There are ways to hook into kernel dispatch table and overwrite one of the dispatch handler to redirect the call to your function. But I hope you never ever ship anything like this to your customer. This is good for learning how the dispatch table works, etc but introduces several security nightmares. Ultimately your software should not be responsible for someone's machine getting hacked.
I'm working on a Qt native messaging host for a chrome extension on windows.
The circumstances seem to be as follows:
There's no way to tell, before attempting to read, whether data is available or how much data is available to be read on stdin.
Making a read call, e.g. via a QFile that has opened the stdin handle, will block forever until enough data is written to stdin to satisfy it.
So it looks like this will involve a thread resigned to staying in these blocking read calls waiting for data to be written. The only option I can see for ending this operation is to call terminate() on the QThread, which is highly discouraged. Is there a better way of interrupting an endlessly blocking call? What are the consequences of terminating the thread - does the object that was running on it still exist, and would I be able to salvage it to perform cleanup?
Is there any way to hook all disk writes going thru the system, and receive the file names of whatever's being modified, using the Win32 API? Or is this something that would require writing a driver?
You can't do this in user mode, it needs to be kernel mode and so that means a driver. You need a File System Filter Driver.
If you don't care about intercepting the actual data, and only want to know which files are being modified/created/deleted then you can use the ReadDirectoryChangesW API to get that info from userland. Note however that it's one of the hardest functions to use effectively and efficiently, and you should be familiar with IOCP to use it correctly.
I am at the end of my rope here. I have been trying for three weeks now to get this information. Before I continue I want you to know I am not writing malware here. I am however writing a binary analysis tool that monitors the behavior of malware.
What I am trying to accomplish is either to hook or monitor CreateServiceW and CreateServiceA. The reason is I want to know what process invoked CreateService and what the binary is that is being registered as a service by the call.
I am tried everything from writing hook ZwRequestWaitReplyPort to intercept the LPC message, to writing a proxy DLL for advapi32.dll, and writing an inline hook for the CreateService function. None of these approaches have yielded results though. The proxy DLL was promising in testing, but didn't work when the official DLL in system32 was replaced with the proxy (BSOD). The inline hook would work if I could gain write access to the mapped area of memory the DLL lies in. But regardless my time is running out and I am desperately in need of an alternative.
I have looked at SetWindowsHookEx and it seems plausible that it might be able to intercept messages sent from the process to services.exe ...but I am not certain.
Can anyone point me in a good direction...I'm begging you.
"The inline hook would work if I could gain write access to the mapped area of memory the DLL lies in."
If it's a system that you fully control, why don't you have write access to the memory?
Use VirtualProtect to change the permissions to RWX and put your hook in. The ADVAPI32 CreateService routines are just stubs forwarded to sechost.dll via api-ms-service-management-l1-1-1.dll (due to MinWin) so there is already easy call instruction to hook.
This is intended to be a lightweight generic solution, although the problem is currently with a IIS CGI application that needs to log the timeline of events (second resolution) for troubleshooting a situation where a later request ends up in the MySQL database BEFORE the earlier request!
So it boils down to a logging debug statements in a single text file.
I could write a service that manages a queue as suggested in this thread:
Issue writing to single file in Web service in .NET
but deploying the service on each machine is a pain
or I could use a global mutex, but this would require each instance to open and close the file for each write
or I could use a database which would handle this for me, but it doesnt make sense to use a database like MySQL to try to trouble shoot a timeline issue with itself. SQLite is another possability, but this thread
http://www.perlmonks.org/?node_id=672403
Suggests that it is not a good choice either.
I am really looking for a simple approach, something as blunt as writing to individual files for each process and consolidating them accasionally with a scheduled app. I do not want to over engineer this, nor spend a week implementing it. It is only needed occassionally.
Suggestions?
Try the simplest solution first - each write to the log opens and closes the file. If you experience problems with this, which you probably won't , look for another solution.
You can use file locking. Lock the file for writing, write the message, unlock.
My suggestion is to preserve performance then think in asynchronous logging. Why not send your data log info using UDP to service listening port and he write to log file.
I would also suggest some kind of a central logger that can be called by each process in an asynchronous way. If the communication is UDP or RPC or whatever would be an implementation detail.
Even thought it's an old post, has anyone got an idea why not using the following concept:
Creating/opening a file with share mode of FILE_SHARE_WRITE.
Having a named global mutex, and opening it.
Whenever a file write is desired, lock the mutex first, then write to the file.
Any input?