Exetools


LAVA 01-07-2005 20:35

Tracking file activities
 
It seems that tracking file activities on the Win NT family is not such an easy task. I've used API spying techniques to do that, but I can't track activities made by the CreateFileMapping and MapViewOfFile functions. Just ReadFile, WriteFile and their family can be tracked using API spying techniques.

Please help me.

WhoCares 01-07-2005 23:00

The best solution is to write a file system filter driver, but it's a pain for most people to do this. You can refer to the OSR web site (www.osr.com), the leaked Microsoft IFS kit, and the FileMon source code.

killy 01-08-2005 01:26

IMO, get a debugger (preferably OllyDbg), look at the API calls, and make an Olly script to log details.

LAVA 01-10-2005 23:21

Killy, it's all about writing a program, not just using tools like FileMon.

zzsx 01-11-2005 02:48

Maybe you can try strace for NT. I have not used it personally and was told it is quite a reliable API log application.

dyn!o 01-11-2005 03:38

Guys, this thread should end with the second topic.

What are you looking for if you can get FileMon with sources? (It includes NT-based source too.) It is the best tool and it has been made by "the masters of drivers", so just get it and you will own "a bible".

By the way: I encountered a similar challenge to yours, but 2 years ago, and I should tell you that in my humble opinion "API spying techniques" are not the way... (you will understand it after analysing FileMon's structure - of course, get the source first).

Good luck.

