Filter driver. Pre read callback wrong data size information

  • Thread starter: Sir-Tuxford

I tried to hook copy file data using pre/post filter callbacks. When it hooks IRP_MJ_READ and IRP_MJ_WRITE, I see strange output. On read, the data size is wrong, but on write the data size is correct. I haven't tried to check the content yet.

Another thing: I see that the post callback isn't called after the pre callback. Is that OK?

DbgView output.

Sequence time operation pid size/opts filename
00007839 117.25965881 FilePreCreate 1576 1200044 \;VBoxMiniRdr\;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007840 117.26058197 FilePostCreate 1576 1200044 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007841 117.26132202 FilePreCreate 1576 5000064 \tmp\disasm-lib\disasm_x86_tables.h
00007844 117.26177216 FilePostCreate 1576 5000064 \tmp\disasm-lib\disasm_x86_tables.h
00007846 117.26379395 FilePreRead 1576 131072 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007847 117.26388550 FilePreRead 1576 131072 \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
00007848 117.26531982 FilePostRead 1576 131072
00007849 117.26658630 FilePostRead 1576 131072 !!! Not correct. correct size 130274
00007850 117.26786804 FilePreWrite 1576 131072 \tmp\disasm-lib\disasm_x86_tables.h
00007851 117.26795197 FilePostWrite 1576 131072
00007852 117.26919556 FilePreWrite 1576 130274 \tmp\disasm-lib\disasm_x86_tables.h
00007853 117.26924896 FilePostWrite 1576 130274
00007855 117.27242279 FPreClose 1576 - \tmp\disasm-lib\disasm_x86_tables.h
00007856 117.27261353 FPreClose 1576 - \;Z:\VBoxSvr\Src\mhook-master\disasm-lib\disasm_x86_tables.h
