Which monitoring tool?

  • Question

  • I want to monitor a specific file and its state, and how and who is accessing that executable!

    What is the best tool to monitor that?

    I am familiar with Procmon, but is there any other tool which suits best?

    Thanks


    • Edited by Dr. Bean Monday, April 11, 2016 7:41 AM
    Sunday, April 10, 2016 2:47 AM

Answers

  • You can use PsSetLoadImageNotifyRoutine to see which processes load the DLL and where it is loaded in the process space. Correlating this back to the specific call to minispy is not easy. First, trying to walk the stack is not easy. Second, if this is memory-mapped I/O, there is no call by the process.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Dr. Bean Monday, April 11, 2016 12:28 PM
    Monday, April 11, 2016 11:49 AM

All replies

  • Your other choice is to take the FileSpy sample from the WDK and customize it for your own use. I believe there are commercial custom FileSpy applications.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Sunday, April 10, 2016 12:32 PM
  • Can you give me any link?

    Last time I used it, there were options to monitor a whole drive (C:, X, X, X) but I want to examine a single PE exe.

    So can you please give me a link?

    Sunday, April 10, 2016 12:40 PM
  • The source is at https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/minispy  You will need to modify it to only collect data for the specific file you are interested in.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by Dr. Bean Sunday, April 10, 2016 4:47 PM
    • Unmarked as answer by Dr. Bean Monday, April 11, 2016 7:09 AM
    Sunday, April 10, 2016 3:04 PM
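Added example (not code from the thread, from the WDK minispy sample, or from Don Burn): both suggestions here, cutting minispy down to one file and watching loads with PsSetLoadImageNotifyRoutine, end up needing the same check, which is deciding whether a path the kernel handed you is the one file you care about. Those paths arrive in NT form, with prefixes and letter case that differ between the filter manager and the image-load callback, so the portable C below does a case-insensitive suffix match anchored at a path separator and runs it over a constructed batch of events standing in for callback arguments. The path forms shown for FullImageName and the in-kernel equivalents named in the comments are stated from general driver documentation, not from the thread, and should be treated as assumptions to verify against your own traces.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* What a monitor would record for the target file. In a driver the first
 * four would come from minifilter pre-operation callbacks (IRP_MJ_CREATE,
 * READ, WRITE, ACQUIRE_FOR_SECTION_SYNCHRONIZATION) and the last one from
 * the PsSetLoadImageNotifyRoutine callback. */
typedef enum { OP_CREATE, OP_READ, OP_WRITE, OP_SECTION_MAP, OP_IMAGE_LOAD } op_t;

typedef struct {
    unsigned long pid;  /* PsGetCurrentProcessId() in a filter callback,
                           the ProcessId argument in the image-load callback */
    op_t op;
    const char *path;   /* path as the kernel hands it over, NT form */
} event_t;

/* Constructed sample events standing in for callback arguments. The prefixes
 * differ on purpose: the filter manager reports \Device\HarddiskVolumeN\...
 * (FLT_FILE_NAME_NORMALIZED), while FullImageName in the image-load callback
 * may arrive as \??\C:\..., \SystemRoot\..., or \Device\... (assumption: the
 * exact form depends on how the image was opened). Letter case varies too. */
static const event_t SAMPLE[] = {
    {1234, OP_CREATE,      "\\Device\\HarddiskVolume2\\App\\Target.DLL"},
    {1234, OP_SECTION_MAP, "\\Device\\HarddiskVolume2\\App\\Target.DLL"},
    {1234, OP_IMAGE_LOAD,  "\\??\\C:\\App\\target.dll"},
    {4321, OP_IMAGE_LOAD,  "\\SystemRoot\\System32\\ntdll.dll"},
    {4321, OP_READ,        "\\Device\\HarddiskVolume2\\App\\notarget.dll"},
    { 777, OP_WRITE,       "\\Device\\HarddiskVolume2\\App\\target.dll"},
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Case-insensitive suffix match anchored at a '\' boundary, so that
 * "\App\notarget.dll" does not match a target of "\App\target.dll".
 * target must start with '\'. The kernel-side equivalent would be
 * RtlSuffixUnicodeString(&fileName, &target, TRUE) on the UNICODE_STRING;
 * this is the user-mode form of the same test. Returns 1 on match. */
int path_has_suffix(const char *nt_path, const char *target)
{
    size_t n = strlen(nt_path), t = strlen(target);
    if (t == 0 || target[0] != '\\' || t > n)
        return 0;
    const char *tail = nt_path + (n - t);
    for (size_t i = 0; i < t; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)target[i]))
            return 0;
    return 1;
}

/* The "only collect data for the specific file" change from the thread,
 * applied to an in-memory batch instead of minispy's log buffer: copy the
 * events that touch target into out and return how many were kept. */
size_t filter_events(const event_t *in, size_t n, const char *target,
                     event_t *out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++)
        if (path_has_suffix(in[i].path, target))
            out[kept++] = in[i];
    return kept;
}

static const char *op_name(op_t op)
{
    static const char *names[] = {"CREATE", "READ", "WRITE", "SECTION_MAP", "IMAGE_LOAD"};
    return names[op];
}

int main(void)
{
    event_t hits[SAMPLE_COUNT];
    size_t n = filter_events(SAMPLE, SAMPLE_COUNT, "\\App\\target.dll", hits, SAMPLE_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("pid %5lu  %-12s %s\n", hits[i].pid, op_name(hits[i].op), hits[i].path);
    /* On the SECTION_MAP record: once pid 1234 has mapped the DLL, later
     * page-ins are paging I/O rather than calls made by the process, which
     * is the memory-mapped I/O caveat in the marked answer. */
    return 0;
}
```

Compile with any C compiler and run: four records survive (pid 1234's create, section map and image load, plus pid 777's write) while ntdll.dll and notarget.dll are dropped. In the driver the same test would sit in the pre-create callback after FltGetFileNameInformation/FltParseFileNameInformation, and in the image-load callback on FullImageName.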
  • Using this method, will I be able to see a file access from a specific DLL (dynamic link library)?

    I want to monitor a DLL.

    I will appreciate your reply even though I marked this thread as answered. I will appreciate your last reply on this topic!

    Thanks

    Monday, April 11, 2016 6:32 AM