StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
6113630
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2011-05-24T16:25:31.730
FavoriteCount
0
LastActivityDate
2011-05-24T16:25:31.730
LastEditDate
LastEditorUserId
0
OwnerUserId
768013
ParentId
6066857
PostTypeId
2
Score
1
ViewCount
0
LastEditorDisplayName
text
Body
It's right. You have to hook the function CreateFileA/W in kernel32.dll to monitor the acces. Do you want to hook these APIs in your own process or in an other process? If you want to hook functions in your own process you can use <pre><code>void *DetourFunc(BYTE *src, const BYTE *dst, const int len) { BYTE *jmp = (BYTE*)malloc(5+len); DWORD dwback; VirtualProtect(src,len,PAGE_READWRITE,&dwback); memcpy(jmp,src,len); jmp += len; jmp[0] = 0xE9; *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5; src[0] = 0xE9; *(DWORD*)(src+1) = (DWORD)(dst - src) - 5; VirtualProtect(src,len,dwback,&dwback); return (jmp-len); } </code></pre> for it. These function detours the function src (f.e. MessageBoxA()) to function dst. As len you can use 5. It returns a function pointer to the original function. An example call: <pre><code>typedef int (WINAPI *__MessageBox)( __in_opt HWND hWnd, __in_opt LPCTSTR lpText, __in_opt LPCTSTR lpCaption, __in UINT uType ); __MessageBox _MessageBox; int cMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType) { //here you can change anything you want return _MessageBox(hWnd,lpText,lpCaption,uType); } int main(void) { BYTE *hookfunc = (BYTE*)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA"); _MessageBox = (__MessageBox)DetourFunc(hookfunc,(BYTE*)cMessageBox,5); return 0; } </code></pre> That's an usermode hook. If you want to do this systemwide I would use a device driver. Here is a tutorial about this. <a href="http://www.codeproject.com/KB/system/driverdev.aspx" rel="nofollow">http://www.codeproject.com/KB/system/driverdev.aspx</a> And if you are using VC++ compile in multibyte mode ;). If you want to hook in an other process just google DLL-Injection ;).
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POHook CreateFileW
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USDavid
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POHook CreateFileW
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.