Hey Guys, (THERE IS A QUESTION IN HERE I PROMISE)
I've made A LOT of progress on this in the past week and I may be hitting my limit for the day, but I am full of energy and don't want to give up without at least posting this question. I'm partly "Thinking Out Loud" here, so forgive me if it doesn't make a whole lot of sense.
I'm basically writing lsof for Win32; a guy I work with (a *Nix guy) was griping about how Windows doesn't have an adequate piece of software to tell you what processes have which files locked. This seems to be true, and I couldn't find anything that met his criteria online, which doesn't make a whole lot of sense to me since "GetMappedFileName()" is part of kernel32 (http://msdn.microsoft.com/en-us/library/ms683195(VS.85).aspx).
So I've decided that, since the virtual memory space of an application is private, the best way to go about this would be thread injection, so I'm using the simple method:
- VirtualAllocEx(): http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx
- WriteProcessMemory(): http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx
- CreateRemoteThread(): http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx
I'll be using a custom class to store the addresses of the functions that I will be calling in my injected thread. This seems right since "CreateRemoteThread()" only allows me to pass a single variable (that I know of), and using a class will let me use "sizeof()" to set the dwSize parameter in "VirtualAllocEx()" instead of having to hard-code the size of the function pointers.
There is some fine tuning still left to do, and I'll eventually run this as a Service to get around Terminal Services. But this still doesn't allow me to see things that don't use kernel file maps, like notepad. I can't believe that after all of the progress I've made I'm stumped by what seems like it should be the simple part.
I haven't tried it yet, but as I was typing this I thought of "CopyMemory()"? But do I really want to pull each process's virtual memory stack and do a byte-by-byte comparison? That feels sloppy; not that I particularly like the thread injection that I'm already doing, but at least that isn't too trashy.
What do you guys think? Is there another way to detect programs that aren't using Win32 functions to read a file? It may be a while before I reply, but I can't wait to read any input you guys might have, even if it's to flame me for resorting to thread injection. Thanks
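As an added example that is not part of the original post, here is the mapped-file enumeration done from outside the target process in PowerShell: GetMappedFileName and VirtualQueryEx both take a process handle, so a process opened read-only with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ can be walked without allocating or writing anything inside it. Get-MappedFile, MappedFiles and MBI are names chosen here, not Win32 ones.

```powershell
# Added example, not code from the original post: list files mapped into a process
# from OUTSIDE it. VirtualQueryEx walks the target's address space and GetMappedFileNameW
# resolves file-backed regions; both take a process handle, so no injection is needed.
$sig = @'
using System; using System.Runtime.InteropServices; using System.Text;
public static class MappedFiles {
    [StructLayout(LayoutKind.Sequential)] public struct MBI {   // MEMORY_BASIC_INFORMATION; x64 padding is automatic
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProc, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetMappedFileNameW(IntPtr hProc, IntPtr addr, StringBuilder name, uint size);
}
'@
Add-Type -TypeDefinition $sig

function Get-MappedFile {
    param([Parameter(Mandatory)][int]$ProcessId)
    # PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10): read-only access to the target
    $h = [MappedFiles]::OpenProcess(0x410, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = [MappedFiles+MBI]::new()
        $len  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
        $name = New-Object System.Text.StringBuilder 32767   # NT path names can be long
        $addr = [IntPtr]::Zero; $seen = @{}
        while ([MappedFiles]::VirtualQueryEx($h, $addr, [ref]$mbi, $len) -ne [IntPtr]::Zero) {
            # MEM_MAPPED (0x40000) = file/section views; MEM_IMAGE (0x1000000) = loaded EXE/DLLs. Each allocation is reported once.
            $base = $mbi.AllocationBase.ToInt64()
            if (($mbi.Type -eq 0x40000 -or $mbi.Type -eq 0x1000000) -and -not $seen.ContainsKey($base)) {
                $seen[$base] = $true; $name.Length = 0
                $kind = if ($mbi.Type -eq 0x1000000) { 'image' } else { 'mapped' }
                # GetMappedFileNameW returns an NT device path, e.g. \Device\HarddiskVolume3\Windows\System32\ntdll.dll
                if ([MappedFiles]::GetMappedFileNameW($h, $mbi.BaseAddress, $name, $name.Capacity) -gt 0) {
                    [pscustomobject]@{ ProcessId = $ProcessId; Base = ('0x{0:X}' -f $base); Kind = $kind; Path = $name.ToString() }
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }   # guard against address wraparound
            $addr = [IntPtr]$next
        }
    } finally { [void][MappedFiles]::CloseHandle($h) }
}
# Usage (run from 64-bit PowerShell to see 64-bit targets fully): Get-MappedFile -ProcessId $PID | Format-Table -AutoSize
```

This only reports memory-mapped files and images, which is exactly the "kernel file maps" case the post describes; a file a program reads with ReadFile but never maps appears only in a handle listing, which is a separate enumeration (the approach Sysinternals handle.exe takes).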