- ZwCreateFile hooking and opening the file in user space to calculate the MD5 sum
- Posted by zaman on June 27th, 2008
Hi,
I have hooked ZwCreateFile (SSDT) for some benign purpose. When I
receive the event in user space, I need to calculate the MD5 of the
created file, and for this I need to open the file. When a file is
created, Windows calls ZwCreateFile and then ZwWriteFile to write the
chunks of the file into the newly created file.
When I receive the ZwCreateFile event, Windows is busy writing data
to the file, and I am unable to open the file to calculate the MD5 sum in
user space; or, if the file is opened, the MD5 will be wrong because
Windows will still be writing chunks of data to the file.
Can anybody tell me a workaround?
One solution is to hook ZwClose and look up the file name,
extracted from the handle passed to ZwClose, in a map of file names from
ZwCreateFile.
My question is, will this approach work?
Thanks for suggestions and comments.
- Posted by Maxim S. Shatskih on June 27th, 2008
Stop hooking and write a FltMgr-based minifilter.
MD5 is easy to calculate in kernel mode.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

