Function Pointer Question

Hey Guys, (THERE IS A QUESTION IN HERE I PROMISE)

I've made A LOT of progress on this in the past week and I may be hitting my limit for the day, but I am full of energy and don't want to give up without at least posting this question. I'm partly "Thinking Out Loud" here, so forgive me if it doesn't make a whole lot of sense.

I'm basically writing lsof for Win32; a guy I work with (a *Nix Guy) was griping about how Windows doesn't have an adequate piece of software to tell you which processes have which files locked. This seems to be true, and I couldn't find anything that met his criteria online, which doesn't make a whole lot of sense to me since "GetMappedFileName()" is part of kernel32 (http://msdn.microsoft.com/en-us/library/ms683195(VS.85).aspx).

So I've decided that, since the virtual memory space of an application is private, the best way to go about this would be thread injection, so I'm using the simple method:

- VirtualAllocEx(): http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx

- WriteProcessMemory(): http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx

- CreateRemoteThread(): http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx

I'll be using a custom class to store the addresses of the functions that I will be calling in my injected thread. This seems right since "CreateRemoteThread()" only allows me to pass a single variable (that I know of), and using a class will let me use "sizeof()" to set the dwSize parameter in "VirtualAllocEx()" instead of having to hard-code the size of the function pointers.

There is some fine tuning still left to do, and I'll eventually run this as a Service to get around Terminal Services. But this still doesn't allow me to see things that don't use kernel file maps, like Notepad. I can't believe that after all of the progress I've made I'm stumped by what seems like it should be the simple part.

I haven't tried it yet, but as I was typing this I thought of "CopyMemory()"? But do I really want to pull each process's virtual memory and do a byte-by-byte comparison? That feels sloppy. Not that I particularly like the thread injection that I'm already doing, but at least that isn't too trashy.

What do you guys think? Is there another way to detect programs that aren't using Win32 functions to read a file? It may be a while before I reply, but I can't wait to read any input you guys might have, even if it's to flame me for resorting to thread injection. Thanks.

AFAIK, Notepad doesn't keep the file open. Maybe that's what you are expecting. If so, then don't. Test it yourself: open a text file in Notepad, and then delete the file or edit it from another editor. You'll notice 2 things: Notepad will never know, and you will actually be able to do it.

There is no reliable way to do it without a kernel-mode driver, which works at a very low level to intercept every call to the filesystem. I've seen applications that can do this and many other things, like hiding a file from Windows Explorer and any other file managers; some of them are open-source. Search on CodeProject for details.

To write a driver you need the full version of Visual Studio and the Windows DDK installed from the Microsoft web site.

@mordoran: Please don't propagate that myth anymore. You do NOT need a full version of VS to write a Windows driver. "cl.exe" is the compiler that Windows uses and it is free, just like the Windows DDK (I think it's actually included in it). I've written a few rootkits for practice, and although a DLL would make this easier I would like to avoid that route due to professional pride. REFERENCE: http://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/03212943190/ref=sr_1_1?ie=UTF8&qid=1309556530&sr=8-1
To hell with ANON. This book is well worth the time and money.

@webJose: That's worth investigating. I'll check that out. EDIT->REDACTED: Too whiny