
api-hook

minifilter vs. API Hooking for file system operations monitoring \ filtering

I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options?

2021-06-12 06:30:24    Category: Q&A    winapi   driver   api-hook   minifilter

Registry monitoring, including kernel-mode registry accesses?

I remember for my final year university project I wrote a C# registry monitor; however, when I compared it with the Microsoft ProcessMonitor application (I can't remember its exact name, but it was from a company bought by MSoft), I wasn't capturing as many registry calls. Was this because I was using a C# wrapper and as such it would only have been catching user-mode registry accesses? I used this wrapper: http://www.codeproject.com/KB/DLL/EasyHook64.aspx To catch the kernel-mode registry accesses would I have to write in C++?

2021-04-15 07:22:37    Category: Q&A    c#   c++   api-hook

How does Sysinternals' ProcessMonitor work?

Could someone please give me a high-level explanation of how they are able to monitor every single registry access? http://technet.microsoft.com/en-us/sysinternals/bb896645 Enough detail so that I could google around the various sub-topics and try to write my own one? I know they've used some sort of DLL injection/API hooking, but I'm unsure how they reached all the kernel-mode activity.

2021-04-08 17:57:24    Category: Q&A    c#   c++   c   operating-system   api-hook