Which user-mode functions to hook to monitor/intercept file access? - c#

Which user-mode functions in Windows 7 can I hook to monitor/intercept file access?
I've tried ntdll.dll's NtOpenFile(), NtCreateFile(), but some of these aren't files - they're also pipes and mutexes. Same goes for kernel32.dll's CreateFile(). Is there a function that is called only to access files/directories. If it helps, I'm trying to only hook explorer.exe to prevent access to firefox.exe. I'm also using EasyHook, if any of you have familiarity with it.
I think I've also read somewhere that, using the parameters from NtOpenFile/NtCreateFile, you can distinguish between file access/pipe access. But that's still a bit hazy. Is there a nice comfortable function to hook?
EDIT: Please keep in mind I do need to intercept file access to prevent access to some files. EasyHook is a great solution, since it allows me to perform complicated hooking in a few easy steps in C# managed code.

There is no "file open function" that only opens files. Furthermore, hooking is only supported using Detours. Finally, you must ensure that all computers running this have .NET 4.0 installed, so they can run in-proc SxS.
A far superior solution is to change the file permissions on firefox.exe. This is a solution that requires no licensing of Detours, and is supported.

Related

Is it possible to trace file operations with .NET?

Is it possible when a file operation is called somehow - like open or close - that I can handle it before the request proceeds by the operating system and if possible cancel it by .NET? If .NET has no abilities like that, how can I do this?
What your asking to do can be done. Virus Scanners, for example, do it all the time. You can easily monitor file activity with Process Monitor. You can also do it programmically in C# using the FileSystemWatcher Class. But trying to prevent a program from opening up or trying to stop a program from accessing the file can not be done in C#. You will need to use either C or C++. You need to create a File System Filter Driver. It is a complex thing to build but its exactly what you need. To quote MSDN:
A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. Examples of file system filter drivers include anti-virus filters, backup agents, and encryption products.
You can hook the Windows API if you want to. Check out this way to do that in .NET/C#:
EasyHook Windows API
Sysinternals offers a free tool called Process Monitor, one function of which is to attach to arbitrary Windows processes (including .NET applications) and capture system calls, including file open, close, read, etc.
You can download it at the Process Monitor Download Page.
EDIT
As I re-read your question, I see that you're asking about intercepting and possibly cancelling such operations. I believe the FileSystemWatcher class will be your best bet, although I don't think it can cancel file operations unilaterally - you'd need to build some kind of cooperative mechanism to signal the caller to abort its operation.
I'm pretty sure you've got to get into the kernel on that kind of operation and I'm pretty sure that means you'll need to code in C. Look at File System Drivers.
UPDATE: this SO link may help.
UPDATE: added a google search for Windows File System Drivers
ALSO What is a good resource to get started with Windows file system driver development?

Can I write an Extension for External Harddisk

I want to secure my external hard disk by writing sort of ShellExtension. But Shell extension is Workstation Specific.
Is there a way I can write an application that will show a authentication or an extension encrypt my drive data so user will get a failure message when double click on my drive.
You can't secure an external harddrive by the use of a shell extension, period.
If you want to keep your data safe, there's only one thing you can do: encrypt it. NTFS has built-in encryption, but I wouldn't recommend using that for an external drive, because of the way the encryption keys are handled.
There's a nice pre-cooked solution for you, though: TrueCrypt. It works, is available for multiple operating systems, has decent speed, and good security. Use it.
1) You should not write a shellextension in .net
This causes lots of trouble since then the .net runtime is injected into every application displaying a shell window (like the file open dialog) and if it already uses a different version of the runtime it will likely break.
2) I don't really understand what you are trying to do. But I encrypt my external harddisk with TrueCrypt. That's secure and easy to use.
This is only possible if you change the drive. Otherwise just using on a system without your software would bypass it.
Using NTFS with permissions for the drive's file system would be bypassed by anyone with applicable Window's privileges.
Using an encryption tool may be best: a single public file which contains a complete drive only accessible with the right software and authentication—there are a number around.

Pre-commit hooks in C# with SharpSVN

I'm new to SharpSVN (and frankly--pretty new to C# as well). I've been trying get a simple pre-commit hook working which checks for a comment. (i.e. the commit fails in the absence of a comment)
There are several posts (like this one) which are related and helpful, but I have a few fundamental questions that are keeping me from getting further:
1) How do I get code like the link above running in C#? (i.e. which C# context would I use-- console application? csharp class?)
2) In a Windows Server context, how do I call my compiled C# program?
I've tried this answer's methodology with no luck.
Thanks in advance.
If you are creating a pre-commit hook you should call it pre-commit.exe. (Subversion accepts hook with the extensions .exe, .cmd, .bat and .wsf.)
Hooks communicate via stdout, stderr and in some cases stdin, so you should compile your application as a console application.
To get the hook working you must place the .exe (and the required DLLs) in the hooks directory of the repository.
See How to access file information in a pre-commit hook using SharpSVN for some examplecode.
Compile your "hook" as a console application, and then write a batch file that calls your console application. The batch file needs to be named correctly and placed in the "hooks" folder of your Subversion repository.
For your specific case, the batch file should be called pre-commit.bat (or pre-commit.cmd).
I had to keep users from commiting to the wrong branch by mistake. So I wrote a pre-commit hook that would check the comment for a key value. If the comment doesn't start with the right key the commit is aborted.
Here is the project:
http://sourceforge.net/projects/csvnprecommit/
Feel free to use it as a base for your own hook or use it as is. If you find a bug submit it to the project.

Programatically batch files to copy at night

I need to create an Intranet website (page) which allows users to indicate a local network folder to copy to a production location. Currently this is done manually using xcopy in batch files.
What I am looking for is approaches on triggering the copy so it's done in the middle of the night and an approach to copy the files. I suppose I can run xcopy from my application, but is this a good way to do this? Should I use System.IO name space objects to copy the files? Is there a better way all together?
The application will be written in C# and ASP.NET. We currently use .NET 2.0/3.0, but I have no issues using .NET 3.5 if it contains better libraries for the solution.
Basically a user will indicate which network folder they need copied along with some other business information. The folder indicated and all sub-folders need to be copied to target location (not set by user).
If there is already an application out there which does this, I am not opposed to that either. I have no need to write stuff that already exists.
For the first problem (copying at midnight), I suggest setting up a scheduled task that runs the already existing batch file (or any program, for that matter)
For the scheduling part you could use Quartz.NET
It won't be difficult to write an xcopy operation in C# using System.IO. In fact, this would give you the greatest degree of flexibility.
I think you should consider using Windows Powershell to do your copying (or another scripting language if you prefer), driven by Windows Scheduled Tasks. Though you could write an application to do this, I think it would be much more maintainable to have a script that others could edit.
The simplest solution would be to wrap your xcopy commands in a command file and schedule it to run whenever you want as a Scheduled Task on your web server.
If you want to get fancy, you can write up a web interface to the task scheduler - I'm pretty sure I've seen open source examples of that type of application too.
you've tagged this ASP but if you aren't fussy I'd recommend a combination of Windows builtin Scheduled Tasks and rsync. If it really has to be automated from an intranet page (and you're in IE) then some form of ActiveX or downloadable script/application would be needed to configure the schedule.

How can I install a printer using .NET?

I have an .INF for a virtual printer that I need to install from a .NET Application. I have done this before using batch scripts, but I am looking for a snippet of code to do this in the .NET Framework.
There's nothing particular about the printer .INF, so any code that installs a printer from an INF in C# or VB.NET will work.
I believe this is possible via interop to native win32 APIs, but I've found its much, much easier just to use a System.Diagnostics.Process() to call into printui.dll via:
rundll32.exe printui.dll,PrintUIEntry /?
Perhaps you're already using that in the mentioned batch script, but if not the parameters are documented here: PrintUI.DLL User's Guide and Reference
Just be sure to test it against all operation systems you need to support. Some options either do not exist in all Windows releases or have been renamed (although I think they're the more esoteric options - installing an .INF will likely work across the board).
You are going to want to look at the WMI objects available. These give you a finer control of the local machine settings. Take a look at the WMI code creator from Microsoft, I believe this will generate some example code you can leverage to solve your problem.
Administering Printer Settings in C# for Flexible Printing
see this article, it uses an MS Platform SDK DLL called PRNADMIN to manage printers, printer-drivers, printer-ports, ...etc.
I personally use it in a commercial project to install a printer driver and change the printer port to local port to intercept the Postscript. and it works like a Charm.
Alternatively you can use some pre-installed vbscripts that come with windows in C:\Windows\system32\Printing_Admin_Scripts and here is a an articles for them:
http://technet.microsoft.com/en-us/library/cc771846.aspx
This is not the ideal solution, but if nobody else answers, you can create a temp batch file and invoke that through C#/VB.NET.
Someone else will probably know a more natural way to do this.
You will need to wrap the setup APIs using PINVOKE or a native COM object.

Categories

Resources