
Screenshot of Process Monitor

Above is a screenshot I took in a Windows PE environment while applying an image to a machine. As you can see, I have filtered the results of Windows Sysinternals Process Monitor so that only ReadFile operations on the Win8 32-bit image by the Dism.exe process are shown.

I am in need of finding a way to access this same information using C/C#/C++ without the .NET Framework (because supposedly the .NET Framework doesn't exist in the PE environment). I have searched, asked around, and searched again for namespaces and classes that would allow me to extract this information from the kernel, without luck.

I am most interested in having the ability to access the value "Offset" that you can see in the image. This number is the offset of the read operation within the file, and I need this value for the program I am required to make.

Does anybody know how I can achieve my goal? This is obviously possible to do in the PE environment, because Process Monitor does it, so how can I do the same thing?

Matt Hintzke
  • Why not use a second process monitor to find out what process monitor is doing internally? :P – thejh Jun 19 '13 at 19:59
  • How would this help me figure out how to program such a thing? All it would do is tell me what Procmon.exe is Reading and Writing... I need to know what classes and namespaces they used to do this – Matt Hintzke Jun 19 '13 at 20:00
  • classes and namespaces? you just need to know the syscalls – thejh Jun 19 '13 at 20:02
  • Well I am unsure how it works.. that's why I am asking in the first place. What kind of syscalls would this take then? – Matt Hintzke Jun 19 '13 at 20:03
  • Basically I wanna write a C/C#/C++ program that can display this "Offset" value of the process read operation.. That is all. It must be fairly simple. I just cannot figure out how – Matt Hintzke Jun 19 '13 at 20:06
  • 1
    Another question asking essentially the same question led me to this: http://stackoverflow.com/questions/864839/monitoring-certain-system-calls-done-by-a-process – Mats Petersson Jun 19 '13 at 22:23
  • @MatsPetersson thank you kind sir. That looks like it will help a lot – Matt Hintzke Jun 19 '13 at 23:55

1 Answer


You might want to look at file system mini-filters. Process Explorer basically installs one on the system when you start it for the first time. The mini-filter can be installed and started without the need for a reboot.

The mini-filter runs inside the kernel like any other device driver, and from there you can monitor any file activity (read, write, create, delete, close, execute, etc.). You'd have to write this in C. You can also get info from the OSR distribution list.

E.T