Is there a way to get _stat() C runtime functions caught in ProcMon
Viewed 688 times
2 Answers
2
Not directly, because (as @Preet Sangha explained) it works below the CRT level. However, it does show you a call stack, and `_stat` does access a file. So if ProcMon has access to your executable symbols and you know which file to watch, you might see `_stat` in the call stack of that file's access.
If that is not enough, further describe your scenario.
Note that there are tools for hooking at the code level - see How can I hook Windows functions in C/C++?
- thank you, I'm using _stat to test if directory is present. I presume I may filter directory name access? – Chesnokov Yuriy Aug 11 '11 at 13:09
- @Chesnokov, sure. On the filter window, Path => contains => the_dir_name – Eran Aug 11 '11 at 13:11
- @Chesnokov, it works for me. Does the filter's list have a row that looks like "Path contains dir_name include"? Note that dir_name can be just the last subdir, and not the complete path. Also, try to access that dir using, say, the browser (which is what I just did). If you see nothing, the filter's not set correctly. If you do see the access, the code might not be accessing that dir after all. If that's the case, try monitoring all FileSys activity of the process, if it's not too much, and add filters based on the results. – Eran Aug 11 '11 at 19:35
- thank you for your kind help, adding just last directory name as to be contained in Path works well with Windows Explorer. I'm sure the code should access that folder with `_stat` as the folder parameter passed is hard coded. The problem is that the process is IIS (w3wp.exe) and it calls native dll using interop. Native dll calls `_stat` to check if specific dir is present. I can not find that dir in Path column – Chesnokov Yuriy Aug 11 '11 at 19:58
- @Chesnokov, are you sure the path is accessible to IIS? If it's on a non-existent drive, or a bad UNC path, or a mapped network drive that is not mapped to the user under which IIS is running, then ProcMon won't catch the dir access. – Eran Aug 11 '11 at 20:12
- @eran, yes, the path is on c:\ drive, and I can catch all IIS filesys events in ProcMon. The logic in native dll is: test if specific dir is available on c:\ and drive, if not then use '.' current path to save error log. Thus I catch log file creation event in ProcMon where '.' is IIS path on c:\ drive – Chesnokov Yuriy Aug 12 '11 at 05:33
- @Chesnokov, I'm assuming `_stat()` returns -1. What's the last error when this happens? Also, if you want to check accessibility, you can use [_access](http://msdn.microsoft.com/en-us/library/1w06ktdy(v=VS.100).aspx) - `if (_access(dir, 2) == 0) WriteLogTo(dir);`. Internally, it uses a different Win32 function. Maybe that will broaden the picture. – Eran Aug 12 '11 at 07:09
- @eran, there is no W access file system right for native dll invoked from IIS, thus you can not create file in any desired place. There is possibility to create it in APPDATA but to get that folder you need to call `SHGetSpecialFolderPath` which is also no longer possible in w7 – Chesnokov Yuriy Aug 12 '11 at 07:25
- @eran, I presume I will use winapi functions to test for directory presence and capture that event in ProcMon – Chesnokov Yuriy Aug 12 '11 at 07:25
- @Chesnokov, if you don't have write access, how can you create logs there? Anyway, both call WinApi functions - `_stat` calls `FindFirstFile`, and `_access` calls `GetFileAttributes` IIRC. But from what you say now about IIS, it's possible that the check is rejected before it gets to the actual dir, so you don't see the dir's access. I have no idea how those Win32 functions are implemented. Maybe you can give the IIS user permissions for that dir, and see if that works. – Eran Aug 12 '11 at 07:53
- @eran, I create logs from web application only. native dll is used for some calculations taking the file from some folder. I found `CreateFile` event only for both `_stat` and `GetFileAttributes` – Chesnokov Yuriy Aug 12 '11 at 08:20
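The directory check discussed in the comments above, as an added example that is not part of the original answer or comments: a stand-alone C harness that runs the `_stat` check and the `_access(dir, 2)` check on one path and records `errno` for each, so the same check can be run outside IIS while ProcMon is filtered on that path. `probe_dir` and `dir_probe` are hypothetical names, and the non-Windows branch is an assumption added so the harness also builds off Windows.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <io.h>
#define STAT_T    struct _stat
#define STAT_FN   _stat
#define ACCESS_FN _access
#define IS_DIR(m) (((m) & _S_IFMT) == _S_IFDIR)
#else  /* assumption: POSIX equivalents, so the harness builds off Windows */
#include <unistd.h>
#define STAT_T    struct stat
#define STAT_FN   stat
#define ACCESS_FN access
#define IS_DIR(m) S_ISDIR(m)
#endif

/* Outcome of both checks on one path (hypothetical type, not a CRT type). */
typedef struct {
    int is_dir;        /* 1 if the stat call succeeded and the path is a directory */
    int stat_errno;    /* errno left by the stat call, 0 on success */
    int writable;      /* 1 if the mode-2 (write permission) check succeeded */
    int access_errno;  /* errno left by the access call, 0 on success */
} dir_probe;

/* Run the stat check and the access check independently on the same path. */
dir_probe probe_dir(const char *path)
{
    dir_probe r = {0, 0, 0, 0};
    STAT_T st;

    errno = 0;
    if (STAT_FN(path, &st) == 0)
        r.is_dir = IS_DIR(st.st_mode) ? 1 : 0;
    else
        r.stat_errno = errno;   /* e.g. ENOENT (missing) vs EACCES (denied) */

    errno = 0;
    if (ACCESS_FN(path, 2) == 0)
        r.writable = 1;
    else
        r.access_errno = errno;
    return r;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    dir_probe r = probe_dir(path);
    printf("%s: is_dir=%d stat_errno=%d writable=%d access_errno=%d\n",
           path, r.is_dir, r.stat_errno, r.writable, r.access_errno);
    return r.is_dir ? 0 : 1;
}
```

Running it under the same account as the IIS worker process separates a missing directory from a permission failure before looking for the path in ProcMon.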
1
ProcMon intercepts calls at the Windows level (specifically NTxxxx and ZWxxxx calls I think). These are way lower than the C runtime library - so I suspect no.

Preet Sangha
- thank you for the answer, are there any C runtime function monitors? – Chesnokov Yuriy Aug 11 '11 at 13:07