How to find all files of a certain type in Memory?
-
Hi all, I'm contemplating what would be a good approach to find all the files of a certain filetype (*.bgl) that a third-party (unmanaged) application loads into memory - basically to get an overview of names and paths of them. Could one of you please give me a hint or reading sources? I found the article "C# How to Scan a Process' Memory" but I'm too inexperienced to tell if that approach makes sense for retrieving a file list only. Thank you very much in advance, Mick
-
The only way to do that would be by what is known as "hooking", whereby you intercept API requests and examine the content of the parameters before passing the request on to the operating system for processing. Once an application has loaded all or part of a file into memory then there is no way to find its name.
-
Thank you for the first clue, Richard! After reading a little bit about hooking, I'm not quite sure if it would become a challenge or a torture, given my programming experience. But I want to give it a try. I also stumbled upon the "EasyHook" project, which seems to make things much easier in .NET, and will start reading the documentation later... maybe there are more hints or examples. I guess it would help me if you had an idea which of the different Windows API hooks to use in order to find which files the exe loads?
-
Sonhospa wrote:
Thank you for the first clue, Richard!
Aw, I do like games - here's your second clue: Hook into the Windows File Copy API from C++ - Stack Overflow.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here
-
Sorry, Eddy - I guess I don't get it right. Followed the link, but neither the thread nor the links in it lead me to anything I could even dream about understanding :( But you're right about the game thing :laugh: FSX
-
That's why there's a warning in the Stack Overflow thread; it is not an easy task - hooking isn't, and writing a filter isn't either. Look at it this way; there'll be few developers who can say they tried something similar. There'd be quite some people waiting for an article on "how" you did so :)
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here