Here is a file IO monitoring tool for WM5


mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
mamaich-eng.blogspot.ru
I've written a tool that hooks the CreateFileW function and writes its parameters and the name of the caller process to the "\Storage Card\fileio.txt" file. Here is a sample output:
Code:
Hooked CreateFileW...
17FB4002: CreateFileW("\Windows\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Windows\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
B6FA4402: CreateFileW("RIL1:",c0000000,0,0,3,0,0) -> F6769D16 ("\Windows\shell32.exe")
B6FA4402: CreateFileW("\windows\Default_stwater_240_320.gif",80000000,0,0,3,80,0) -> FFFFFFFF, Err: 2 ("\Windows\shell32.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> 165DD2AE ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\4TEF45QZ\SyncStat[1].dll",40000000,3,0,1,10000080,0) -> 7661E6E6 ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> B65DD2F6 ("\Windows\repllog.exe")
575A36A6: CreateFileW("BAT2:",c0000000,0,0,3,0,0) -> 3660EBD2 ("\Windows\device.exe")
It also creates a file "Log.txt" in the root directory with some diagnostic information.
The program works only under WM5, though it can be recompiled for older OSes. The idea is simple - hooking the SystemAPISets table.
I can give the source code of the tool to someone who would finish the project: add logging of CreateFileForMappingW, DeviceIOControl and registry functions.
Installation process:
copy TestApiSetHookDll.dll and TestApiSetHook.exe to the \Windows directory on the device and run TestApiSetHook.exe. It outputs the message "CreateFileW hooked" and logging starts. To stop logging, reboot your device.
This program may conflict with antivirus programs installed on the PocketPC, so use it at your own risk.
 

Attachments

  • filemon.rar
    3.4 KB · Views: 704
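To make the fileio.txt output above usable for review (which process opened what, with which access, and whether it succeeded), here is an added parser for that log format; it is not part of mamaich's tool. The sample lines are constructed in the format the post shows, and the error code is assumed to be printed in decimal.

```python
import re
from dataclasses import dataclass

# Constructed sample in the fileio.txt format shown in the post (raw string: paths use single backslashes).
SAMPLE_LOG = r"""Hooked CreateFileW...
17FB4002: CreateFileW("\Windows\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
B6FA4402: CreateFileW("RIL1:",c0000000,0,0,3,0,0) -> F6769D16 ("\Windows\shell32.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> 165DD2AE ("\Windows\repllog.exe")
"""

# Caller id, the seven CreateFileW arguments (hex), returned handle, optional "Err: n" (assumed decimal), process image.
LINE_RE = re.compile(
    r'^(?P<caller>[0-9a-f]{8}): CreateFileW\("(?P<path>[^"]*)",(?P<access>[0-9a-f]+),'
    r'(?P<share>[0-9a-f]+),(?P<sec>[0-9a-f]+),(?P<disp>[0-9a-f]+),(?P<flags>[0-9a-f]+),'
    r'(?P<tmpl>[0-9a-f]+)\) -> (?P<handle>[0-9a-f]{8})(?:, Err: (?P<err>\d+))?'
    r' \("(?P<proc>[^"]*)"\)$', re.IGNORECASE)

ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

@dataclass
class Open:
    caller: int
    path: str
    access: int
    disposition: int
    handle: int
    err: int          # 0 when the call succeeded
    process: str

    def succeeded(self) -> bool:
        return self.handle != 0xFFFFFFFF   # INVALID_HANDLE_VALUE
    def describe(self) -> str:
        acc = "|".join(n for bit, n in ACCESS.items() if self.access & bit) or "0"
        disp = DISPOSITION.get(self.disposition, hex(self.disposition))
        status = "ok" if self.succeeded() else ERRORS.get(self.err, f"err {self.err}")
        return f"{self.process} {acc} {disp} {self.path}: {status}"

def parse_log(text: str) -> list:
    """Parse fileio.txt; the 'Hooked CreateFileW...' banner and odd lines are skipped."""
    return [Open(int(m["caller"], 16), m["path"], int(m["access"], 16), int(m["disp"], 16),
                 int(m["handle"], 16), int(m["err"] or 0), m["proc"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def successful_writes(opens: list) -> list:
    """Opens that requested GENERIC_WRITE and got a handle: what actually touched storage."""
    return [o for o in opens if o.succeeded() and o.access & 0x40000000]
```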

Arise

Senior Member
Nov 29, 2005
197
42
Hi there,
I was looking for some ways to hook the DeviceIOControl function.
mamaich, it would be great if you could share the source code.
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
mamaich-eng.blogspot.ru
Attached is the source code.

About hooking RIL: this method cannot be used; there are different ways to hook RIL functions.

Regarding DeviceIOControl: my other tool that hooks the EnterCriticalSection function can be used to hook it; the trap address to hook is 0xF000E3D4.
 

Attachments

  • fileiomon.rar
    36 KB · Views: 644

mgargett

New member
Feb 21, 2006
4
0
Mamaich - very interesting code, how would I go about hooking the file close events?

I have tried hooking method 0 of the w32 API (20), but the handles look wrong.
I also tried mapping the File API, but SystemAPISet[7] doesn't seem to have any methods - but I know it must be loaded.

very confused...
 

mamaich

Retired Recognized Developer
Apr 29, 2004
1,150
224
mamaich-eng.blogspot.ru
TheBlasphemer said:
I see this is using PerformCallback4. Apparently that function would be killed off in WM5, how come you can still use it ;)?
I think that this function would be left in forever, but it would be allowed to be called only from trusted apps. And even if it is removed, there are dozens of other methods that can inject your code into the address space of another process or the kernel.

To mgargett:
Regarding hooking CloseHandle. Maybe hooking 0xF0010000 would not be enough, but if you look at its disassembly:
Code:
             CloseHandle
 04 E0 2D E5                 STR     LR, [SP,#var_4]!
 1C 30 9F E5                 LDR     R3, =unk_1FFFA54
 00 30 93 E5                 LDR     R3, [R3]
 00 00 53 E3                 CMP     R3, #0
 0C 30 9F 05                 LDREQ   R3, =Int_CloseHandle
 0F E0 A0 E1                 MOV     LR, PC
 13 FF 2F E1                 BX      R3
 04 E0 9D E4                 LDR     LR, [SP],#arg_4
 1E FF 2F E1                 BX      LR
you'll see that unk_1FFFA54 may be set to the address of a function that would be called instead of CloseHandle. For example, this method is used by LMemDebug.DLL.
Of course unk_1FFFA54 would have different addresses on different devices, but this is not a problem.
 

Arise

Senior Member
Nov 29, 2005
197
42
Hi mamaich.
I've tried to change the code from testcritsect.rar to hook DeviceIoControl function.
However, because my wisdom in that area is not far from 0, the program doesn't work as expected.

Code:
	if(SystemAPISets[ApiSet]->cMethods<=Method)
	{
		puts("Invalid method number");
		return 0;
	}

The program ends in the if above. I don't know what I've got wrong. :)
As you said above, I did that: #define FAULT_ADDR 0xF000E3D4 //DeviceIoControl

Are you sure this is the right number?

BTW, how did you get all this info?
I mean:
CreateFileW 0xF000AFDC
TakeCritSect 0xF000FF20
MessageBoxW 0xF000BB38
 

ZeBoxx

Senior Member
Dec 29, 2005
915
3
Yep... I've got a WM5 version, but the evaluation download location doesn't work anymore - didn't keep a copy around, I'm afraid :/

So just write to the author, and you should be able to get the preliminary WM5 version. Alternatively, I think the app mentioned here *could* be coded about to keep an eye on the registry as well. But I'm no coder :)