Tracking file activities

It seems that tracking file activities on win NT family, is not such an easy task to do. I've used API spying techniques to do that, but I can't track activities made by CreateFileMapping and MapViewOfFile functions. Just ReadFile WriteFile and their family can be tracked using API Spying techniques.

Please help me.

[WhoCares]

the best solution is to write a file system filter driver, but it's a pain for most ppl to do this. You can refer to OSR web site(www.osr.com) and the leaked Microsoft IFS kit, and FileMon source code.

imo get a debugger(preffered ollydbg) look at the api calls,make a olly script to log details.

Killy it's all about writing a program not just using tools like FileMon

Maybe you can try strace for NT. I have not used it personaly and was told it is a quite reliable API log application.

[dyn!o]

Guys, this thread should end with the second topic.

What are you looking for if you can get FileMon with sources? (it includes NT based source too) It is the best tool and it has been made by "the masters of drivers", so just get it and you will own "a bible".

By the way: I encountered similar challenge as you, but 2 years ago and I should tell you that in my humble opinion "API spying techniques" are not the way... (you will understand it after analysing FileMon structure - of course get source first).

Good luck.