Win32 Debug API
I need to write a debugger which will execute a process, and I need to get a notification when that process writes or modifies anything on the hard disk. Can we keep watch on any process to get info when that process writes to the hard disk? I have read something about the "Win32 Debug API". Can anyone guide me or give me any demo code for this?
chandni_chandrakant_maheta wrote:
Can we keep watch on any process for getting info when that process will write to hard disk?
In short: no. Slightly longer: yes, but it requires a filter driver that you can connect to from user mode the way Process Monitor by Mark Russinovich does. Perhaps you are able to use Process Monitor instead of developing something on your own.
"It's supposed to be hard, otherwise anybody could do it!" - selfquote
"High speed never compensates for wrong direction!" - unknown -
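To make the "in short: no" concrete, here is an added example (my own code, not from anyone in this thread) of the smallest useful Win32 Debug API loop: it launches a child process with DEBUG_ONLY_THIS_PROCESS, names every event WaitForDebugEvent can deliver, and applies the usual continue-status rule (swallow the loader's initial breakpoint once, pass every later exception back to the debuggee). The event table is the complete list of dwDebugEventCode values from winbase.h; none of them describes file I/O, which is exactly why the reply above points to a file system filter driver or Process Monitor rather than the Debug API. The Windows-specific part is compiled only under _WIN32; the event table and continue-status helper build anywhere, with the constants re-declared from the SDK headers for that case.

```c
/* Added example, not code from the thread: a minimal Win32 debug loop.
 * Demonstrates which events the Debug API reports (no file-write event exists). */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values copied from the Windows SDK headers so the helpers compile off Windows. */
#define EXCEPTION_DEBUG_EVENT       1
#define CREATE_THREAD_DEBUG_EVENT   2
#define CREATE_PROCESS_DEBUG_EVENT  3
#define EXIT_THREAD_DEBUG_EVENT     4
#define EXIT_PROCESS_DEBUG_EVENT    5
#define LOAD_DLL_DEBUG_EVENT        6
#define UNLOAD_DLL_DEBUG_EVENT      7
#define OUTPUT_DEBUG_STRING_EVENT   8
#define RIP_EVENT                   9
#define EXCEPTION_BREAKPOINT        0x80000003UL
#define DBG_CONTINUE                0x00010002UL
#define DBG_EXCEPTION_NOT_HANDLED   0x80010001UL
#endif

/* Every dwDebugEventCode that WaitForDebugEvent can return: process, thread,
 * module, exception and debug-string activity only, nothing about disk I/O. */
const char *debug_event_name(unsigned code)
{
    switch (code) {
    case EXCEPTION_DEBUG_EVENT:      return "EXCEPTION_DEBUG_EVENT";
    case CREATE_THREAD_DEBUG_EVENT:  return "CREATE_THREAD_DEBUG_EVENT";
    case CREATE_PROCESS_DEBUG_EVENT: return "CREATE_PROCESS_DEBUG_EVENT";
    case EXIT_THREAD_DEBUG_EVENT:    return "EXIT_THREAD_DEBUG_EVENT";
    case EXIT_PROCESS_DEBUG_EVENT:   return "EXIT_PROCESS_DEBUG_EVENT";
    case LOAD_DLL_DEBUG_EVENT:       return "LOAD_DLL_DEBUG_EVENT";
    case UNLOAD_DLL_DEBUG_EVENT:     return "UNLOAD_DLL_DEBUG_EVENT";
    case OUTPUT_DEBUG_STRING_EVENT:  return "OUTPUT_DEBUG_STRING_EVENT";
    case RIP_EVENT:                  return "RIP_EVENT";
    default:                         return "UNKNOWN";
    }
}

/* Status to hand to ContinueDebugEvent. The loader raises one breakpoint when
 * the debuggee starts; it is swallowed once. Every later exception is returned
 * as DBG_EXCEPTION_NOT_HANDLED so the debuggee's own handlers (and real crashes)
 * behave as they would without a debugger attached. */
unsigned long debug_continue_status(unsigned code, unsigned long exception_code,
                                    int *initial_bp_seen)
{
    if (code != EXCEPTION_DEBUG_EVENT)
        return DBG_CONTINUE;
    if (exception_code == EXCEPTION_BREAKPOINT && !*initial_bp_seen) {
        *initial_bp_seen = 1;
        return DBG_CONTINUE;
    }
    return DBG_EXCEPTION_NOT_HANDLED;
}

#ifdef _WIN32
/* Launch cmdline as a debuggee and pump events until it exits.
 * Returns the debuggee's exit code, or -1 if it could not be started. */
int run_debug_loop(const char *cmdline)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    DEBUG_EVENT ev;
    char cmd[MAX_PATH];
    int initial_bp_seen = 0, exit_code = -1;

    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    strncpy(cmd, cmdline, sizeof cmd - 1);   /* CreateProcessA may modify the buffer */
    cmd[sizeof cmd - 1] = '\0';
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS,
                        NULL, NULL, &si, &pi))
        return -1;

    for (;;) {
        unsigned long exc = 0;
        if (!WaitForDebugEvent(&ev, INFINITE))
            break;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
            exc = ev.u.Exception.ExceptionRecord.ExceptionCode;
        printf("pid %lu tid %lu: %s\n", ev.dwProcessId, ev.dwThreadId,
               debug_event_name(ev.dwDebugEventCode));
        /* File handles delivered inside these events are owned by the debugger. */
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT && ev.u.CreateProcessInfo.hFile)
            CloseHandle(ev.u.CreateProcessInfo.hFile);
        if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT && ev.u.LoadDll.hFile)
            CloseHandle(ev.u.LoadDll.hFile);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            exit_code = (int)ev.u.ExitProcess.dwExitCode;
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId,
                           debug_continue_status(ev.dwDebugEventCode, exc, &initial_bp_seen));
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
            break;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return exit_code;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    const char *target = argc > 1 ? argv[1] : "notepad.exe";
    return run_debug_loop(target);
#else
    unsigned code;
    (void)argc; (void)argv;
    for (code = 1; code <= 9; code++)
        printf("%u: %s\n", code, debug_event_name(code));
    return 0;
#endif
}
```

Build on Windows with `cl debugloop.c` and run `debugloop.exe notepad.exe`: you will see CREATE_PROCESS, LOAD_DLL and thread events as the program starts, one EXCEPTION_DEBUG_EVENT for the initial breakpoint, and EXIT_PROCESS when it closes, but never anything for a file being saved. Passing DBG_CONTINUE for every exception is a common mistake that silently swallows the debuggee's own crashes, which is why the continue status is computed by a separate function.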
Thanks a lot for your reply. I was thinking of building a file system filter driver. What do you think, can I keep watch on a process with a file system filter driver? According to me, if we load a filter driver, we need to restart the computer. Can we load a filter driver without rebooting?
The reason why I gave the short answer 'no' is that this way is difficult and there's a big risk of messing up the file system, making the machine impossible to boot. I strongly recommend that you seriously try to find another solution. In any case, if you continue on the filter driver track, I cannot help you. As for your questions...
chandni_chandrakant_maheta wrote:
can I keep watch on a process by file system filter driver?
Not exactly, you'd have to filter the file accesses from all processes. You may do the filtering in the driver.
chandni_chandrakant_maheta wrote:
According to me, if we load a filter driver, we need to restart the computer.
Correct in this case since it's about filtering the file system driver.
"It's supposed to be hard, otherwise anybody could do it!" - selfquote
"High speed never compensates for wrong direction!" - unknown