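/// <summary>
/// Hook callback invoked in place of CreateFile() whenever this process calls it.
/// It reports the requested path to the monitoring controller and then forwards the call unchanged.
/// </summary>
/// <remarks>
/// The method signature must match the original CreateFile().
/// This code sits in the path of the host process's own file opens, so reporting is strictly
/// best-effort: no failure in the monitoring path may prevent the real CreateFile() call.
/// </remarks>
/// <param name="filePath">Path requested by the caller; recorded as-is and forwarded unmodified.</param>
/// <param name="desiredAccess">Forwarded unmodified to CreateFile().</param>
/// <param name="shareMode">Forwarded unmodified to CreateFile().</param>
/// <param name="securityAttributes">Forwarded unmodified to CreateFile().</param>
/// <param name="creationDisposition">Forwarded unmodified to CreateFile().</param>
/// <param name="flags">Forwarded unmodified to CreateFile().</param>
/// <param name="templateFile">Forwarded unmodified to CreateFile().</param>
/// <returns>Whatever the original CreateFile() returns for the same arguments.</returns>
private IntPtr OnCreateFile(string filePath, uint desiredAccess, uint shareMode, IntPtr securityAttributes, uint creationDisposition, uint flags, IntPtr templateFile)
{
    try
    {
        /*
         * A callback in this position could alter the arguments or refuse the call.
         * This program deliberately does neither: it only observes file access.
         */
        var fileEntry = new FileEntry() { FullPath = filePath, Timestamp = DateTime.Now };

        // Process.GetCurrentProcess() allocates a new Process object on every call;
        // dispose it so a busy host does not accumulate them between collections.
        int processId;
        using (var currentProcess = Process.GetCurrentProcess())
        {
            processId = currentProcess.Id;
        }

        // NOTE(review): filePath originates in the monitored process; the receiving side
        // should treat it as untrusted text when displaying or logging it.
        IpcInterface.AddFileEntry(processId, fileEntry);
    }
    catch (Exception ex)
    {
        try
        {
            IpcInterface.PostException(ex);
        }
        catch (Exception)
        {
            // Deliberately ignored: if the channel that failed above is also the one used
            // for reporting, this call can throw too, and an exception escaping the hook
            // would surface inside the host's CreateFile() call.
        }
    }

    // The process had originally intended to call CreateFile(), so call the real one now.
    return CreateFile(filePath, desiredAccess, shareMode, securityAttributes, creationDisposition, flags, templateFile);
}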
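/// <summary>
/// Tears down the monitor: removes this process from the controller's terminating-process
/// list and disposes the CreateFile hook.
/// </summary>
/// <remarks>
/// The hook is disposed even when the list update fails, so a broken channel to the
/// controller cannot leave the hook installed. Failures are posted via
/// IpcInterface.PostException.
/// </remarks>
public void Unload()
{
    try
    {
        try
        {
            // We're exiting our program now
            using (var currentProcess = Process.GetCurrentProcess())
            {
                IpcInterface.TerminatingProcesses.Remove(currentProcess.Id);
            }
        }
        finally
        {
            // Load() swallows its own failures, so the hook may never have been created.
            if (CreateFileHook != null)
            {
                CreateFileHook.Dispose();
            }
        }
    }
    catch (Exception ex)
    {
        IpcInterface.PostException(ex);
    }
}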
/// <summary>
/// Installs the hook on kernel32.dll's CreateFileW export, routes it to
/// <c>OnCreateFile</c>, and activates it through the hook's thread ACL.
/// </summary>
/// <remarks>
/// Only the CreateFileW export is hooked, so file opens that do not pass through that
/// export are not recorded. Any failure is posted via IpcInterface.PostException and
/// not rethrown, so the caller cannot tell from this method whether the hook is in place.
/// </remarks>
public void Load()
{
    try
    {
        var createFileAddress = LocalHook.GetProcAddress("kernel32.dll", "CreateFileW");
        var callback = new CreateFileDelegate(OnCreateFile);

        CreateFileHook = LocalHook.Create(createFileAddress, callback, this);

        // All hooks start de-activated; setting an exclusive ACL switches this one on.
        // NOTE(review): the ACL holds a single thread id of 0. Confirm how the hooking
        // library interprets 0 (presumably "the calling thread"), since that decides
        // whether the hook covers every thread or every thread but this one.
        CreateFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
    }
    catch (Exception loadError)
    {
        IpcInterface.PostException(loadError);
    }
}
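/// <summary>
/// Keeps the injected code alive until the controller lists this process as terminating.
/// </summary>
/// <remarks>
/// The real work happens in the OnCreateFile() hook callback. This loop only pings the
/// controller; per the original author's note, the ping is how a closed controller is
/// detected. When this method returns, the injected DLL terminates (Unload() is called first).
/// </remarks>
public void Main()
{
    try
    {
        // The process id cannot change while we run, so read it once and dispose the
        // Process object instead of allocating a new, undisposed one on every iteration.
        int processId;
        using (var currentProcess = Process.GetCurrentProcess())
        {
            processId = currentProcess.Id;
        }

        while (!IpcInterface.TerminatingProcesses.Contains(processId))
        {
            // NOTE(review): Sleep(0) only yields the time slice, so this loop pings the
            // controller continuously. A longer interval would lower CPU and IPC load but
            // delay shutdown; it is left unchanged here.
            Thread.Sleep(0);
            IpcInterface.Ping();
        }
    }
    catch (Exception ex)
    {
        IpcInterface.PostException(ex);
    }
}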