For a few days I have been looking for a way to detect, like Process Monitor does, the CreateFile events, in order to know the paths of the libraries that an executable fails to find.
After some research, I saw that it is mainly necessary either to use a hook or to go through ETW events.
So I tested it via ETW events with the TraceEvent library:
    using System;
    using System.IO;
    using Microsoft.Diagnostics.Tracing.Parsers;
    using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
    using Microsoft.Diagnostics.Tracing.Session;

    // `process` is the System.Diagnostics.Process being watched; it is started elsewhere (assumed).
    // Kernel sessions need elevation (administrator).
    using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
    {
        // Enable every kernel keyword (very high event volume).
        kernelSession.EnableKernelProvider(KernelTraceEventParser.Keywords.All);

        // One callback per CreateFile/NtCreateFile request seen by the kernel.
        kernelSession.Source.Kernel.FileIOCreate += ((FileIOCreateTraceData obj) =>
        {
            if (obj.ProcessID == process.Id)
            {
                // Report .dll opens whose target does not exist on disk.
                if (obj.FileName.ToLower().EndsWith(".dll") && !File.Exists(obj.FileName))
                {
                    Console.WriteLine(obj.FileName);
                }
            }
        });

        // Blocks and dispatches events until the session is stopped.
        kernelSession.Source.Process();
    }
The problem is that I get far fewer results than Process Monitor, even after testing the other methods available on the Kernel object. I think that either I am not using the right method or I am doing it wrong.
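The following is an added example, not code from the original post, showing the variant of this technique I would use for the same goal: rather than checking File.Exists on the path reported by the Create event, it pairs each FileIOCreate with the FileIOOperationEnd event carrying the same IrpPtr and reads the NtStatus the kernel returned, reporting .dll opens that failed with STATUS_OBJECT_NAME_NOT_FOUND or STATUS_OBJECT_PATH_NOT_FOUND. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, Windows, and an elevated prompt; the session name, the IrpPtr pairing and the program name MissingDllTracer are this example's own choices. The session is enabled before the target process is started so that loads done at process start are buffered rather than missed, and only the FileIO and FileIOInit keywords are enabled to keep the event volume (and the risk of lost events) down.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class MissingDllTracer
{
    // NTSTATUS values returned by the kernel when a path lookup fails.
    const int STATUS_OBJECT_NAME_NOT_FOUND = unchecked((int)0xC0000034);
    const int STATUS_OBJECT_PATH_NOT_FOUND = unchecked((int)0xC000003A);

    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: MissingDllTracer <exe> [arguments]");
            return;
        }

        // Create requests for .dll paths from the traced process, keyed by IRP pointer.
        // Assumption: the FileIOOperationEnd event of a create carries the same IrpPtr.
        var pending = new Dictionary<ulong, string>();
        int pid = -1;

        // Kernel provider; requires an elevated process.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            session.StopOnDispose = true;

            // FileIOInit yields the Create events (with the requested path);
            // FileIO yields the OperationEnd events (with the NTSTATUS).
            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.FileIO |
                KernelTraceEventParser.Keywords.FileIOInit);

            session.Source.Kernel.FileIOCreate += data =>
            {
                if (data.ProcessID == pid &&
                    data.FileName.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
                {
                    pending[data.IrpPtr] = data.FileName;
                }
            };

            session.Source.Kernel.FileIOOperationEnd += data =>
            {
                string path;
                if (!pending.TryGetValue(data.IrpPtr, out path))
                    return;
                pending.Remove(data.IrpPtr);

                if (data.NtStatus == STATUS_OBJECT_NAME_NOT_FOUND ||
                    data.NtStatus == STATUS_OBJECT_PATH_NOT_FOUND)
                {
                    Console.WriteLine("NOT FOUND: {0} (NTSTATUS 0x{1:X8})", path, data.NtStatus);
                }
            };

            // Start the target only after the provider is enabled: its early
            // loader activity is then held in the ETW buffers until we process them.
            var target = Process.Start(args[0], string.Join(" ", args, 1, args.Length - 1));
            pid = target.Id;

            // Process() blocks, so dispatch events on a separate thread.
            var pump = new Thread(() => session.Source.Process());
            pump.Start();

            target.WaitForExit();
            // Give the real-time session time to flush its last buffers, then stop.
            Thread.Sleep(2000);
            session.Stop();
            pump.Join();

            // A non-zero value here means the buffers overflowed and events were dropped.
            Console.WriteLine("events lost: {0}", session.EventsLost);
        }
    }
}
```

The value of pairing Create with OperationEnd is that the kernel's own verdict is used: the loader probes several directories for each DLL name, and each probe that fails shows up as a Create whose matching OperationEnd reports a not-found status, so the output lists every path the loader actually tried and rejected, exactly the information Process Monitor shows as NAME NOT FOUND.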