
My goal is to determine when executing a command, precisely which files it reads and writes. On Linux I can do this using ptrace (with work, akin to what strace does) and on FreeBSD and MacOS I can do this with the ktrace system command. What would you use to obtain this information on Windows?

My research so far suggests that I either use the debugger interface (similar to ptrace in many ways) or perhaps ETW. A third alternative is to interpose a DLL to intercept system calls as they are made. Unfortunately, I don't have the experience to guess as to how challenging each of these approaches will be.

Any suggestions?

asked by David Roundy, edited by Peter Mortensen
  • Probably a GUI tool is sufficient? Try Windows Internals (filemon). – harper Apr 02 '15 at 13:28
  • How about using Resource Monitor in Windows 7, or Process Explorer? – GingerJack Apr 02 '15 at 14:04
  • No, a GUI tool is not sufficient, I have to be able to do this from my program, which is written in C (but could use C++ if needed). – David Roundy Apr 02 '15 at 14:10
  • Look at [Detours](http://research.microsoft.com/en-us/projects/detours) – Nikerboker Apr 19 '15 at 14:00
  • This is a pretty lousy functional specification. Doesn't sound like it needs anything more than auditing. Use the group policy editor to turn it on and read the event log. – Hans Passant Apr 19 '15 at 15:10
  • @Nikerboker, I looked at Detours, but am working on an unfunded open source project and don't care for the free-version limitation to 32-bit programs. – David Roundy Apr 19 '15 at 21:26
  • I wonder if there's a way to use the Chromium sandbox to accomplish this with arbitrary child processes. https://www.chromium.org/developers/design-documents/sandbox/Sandbox-FAQ – Adrian McCarthy Apr 24 '15 at 17:12
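The auditing route mentioned in the comments (turn on object-access auditing, then read the Security event log) can be driven entirely from a script. The following is an added example, not code from the thread; it assumes an elevated PowerShell session, and `$Target` and `$Exe` are placeholders to replace with the directory you care about and the command you want to observe.

```powershell
# Added example (not from the original thread): list the files one process
# reads or writes under $Target, using Windows object-access auditing and the
# 4663 ("An attempt was made to access an object") events it produces.
# Assumptions: elevated session; $Target and $Exe are placeholders.
param(
    [string]$Target = 'C:\watched',                        # placeholder directory
    [string]$Exe    = 'C:\Windows\System32\notepad.exe'    # placeholder command
)

# 1. Enable the "File System" audit subcategory for both success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry on the directory (inherited by all children) so that
#    read, write, append and delete attempts generate 4663 events.
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Run the command; remember the start time so the log query is bounded.
$start = Get-Date
Start-Process -FilePath $Exe -Wait

# 4. Read 4663 events since $start, pick the EventData fields by name, and
#    keep only those whose ProcessName is the command we launched.
#    AccessMask is a hex bitmask: 0x1 ReadData, 0x2 WriteData, 0x4 AppendData,
#    0x10000 DELETE (per the standard file access-right values).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Process    = $d['ProcessName']
            File       = $d['ObjectName']
            AccessMask = $d['AccessMask']
        }
    } |
    Where-Object { $_.Process -ieq $Exe } |
    Group-Object File, AccessMask |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A 4663 event is written the first time a handle is used for each audited access right, so the output is one line per file and access type rather than one per read or write call, and files outside the audited directory are not reported.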

5 Answers


Unfortunately it seems there is no easy way to intercept file level operations on Windows.

Here are some hints:

  • you could try to use FileMon from Sysinternals if it is enough for your needs, or try to look at the source of the tool
  • you could make use of commercial software like Detours - beware, I never used that myself and I'm not sure it really meets your needs

If you want a better understanding and are not frightened of doing it by hand, the Windows way of intercepting file I/O is using a File System Filter Driver. In fact, there is a FilterManager embedded in the Windows system that can forward all file system calls to minifilters.

To build it, the interface with the system is provided by the FilterManager, and you have just (...) to code and install the minifilter that does the actual filtering - beware again never tested that ...

answered by Serge Ballesta, edited by Peter Mortensen
  • I've started looking into the file system minifilters, but have some difficulty seeing how they could help. It looks like the filter needs to be installed to the system, perhaps using administrative privileges? – David Roundy Apr 19 '15 at 21:29

As you suggested, this is a fairly simple task to solve with API hooking via DLL injection.

This is a pretty good article about the application: API hooking revealed

I believe you can find more recent articles about the issue.

However, you probably need to use C++ to implement such a utility. By the way, programs can disable DLL injection. For example, I wasn't able to use this approach on the trial version of Photoshop.

So, you may want to check if you can inject DLL files in the process you want with an existing solution before you start writing your own.

answered by Fatih BAKIR, edited by Peter Mortensen

Please take a look at the article CDirectoryChangeWatcher - ReadDirectoryChangesW all wrapped up.

It is a very old, but running, way to watch directory changes.

answered by gaetanoM, edited by Peter Mortensen
  • It looks to me that this approach doesn't allow to find out which process performed the modifications. Also, it looks like it doesn't provide a mechanism to determine which files were read. – David Roundy Apr 21 '15 at 00:28

Microsoft owns a bunch of tools called Sysinternals. There is a program called Process Monitor that will show you all the file accesses for a particular process. This is very likely what you want.

answered by Zagrev, edited by Peter Mortensen

Check this particular Stack Overflow question out for your question... This might help you: Is there something like the Linux ptrace syscall in Windows?

Also, if you are running lower versions like Windows XP then you should check out Process Monitor.

Also, I would like you to check this out... Monitoring certain system calls done by a process in Windows

answered by spt025, edited by Peter Mortensen