EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Can I intercept loading of PE images

#12439
Posted: 02/15/2010 18:46:54
by Bill Sobel (Basic support level)
Joined: 02/15/2010
Posts: 2

I'm trying to intercept all I/O to a directory (as a test). I can clearly control data files, but if I try to intercept images that the cache manager will load (such as .exe files) I don't see the requests occur as expected.

Is it possible to intercept cache manager IO and provide different data in the read callback?

If not, is it possible in the opencallback to change the name, e.g. if the name was c:\test\foo.exe, replace it with \\server\share\test\bar.exe?

Thank you,
Bill
#12442
Posted: 02/16/2010 02:52:37
by Vladimir Cherniga (EldoS Corp.)

Quote
Bill Sobel wrote:
I'm trying to intercept all I/O to a directory (as a test). I can clearly control data files, but if I try to intercept images that the cache manager will load (such as .exe files) I don't see the requests occur as expected.


Callback filter works in the non-cached path. It seems that some of the files from the controlled directory are already placed in the cache. A possible way to intercept non-cached operations (read/write) is to assign a default rule that prevents access to the selected directory until the filter is activated.

Quote
Bill Sobel wrote:
If not, is it possible in the opencallback to change the name, e.g. if the name was c:\test\foo.exe, replace it with \\server\share\test\bar.exe?


This method doesn't work. Such behavior may be implemented through NTFS reparse points.
#12488
Posted: 02/18/2010 16:58:55
by Bill Sobel (Basic support level)
Joined: 02/15/2010
Posts: 2

That's a shame, definitely won't work for what I had hoped. Back to ring 0 I suppose.
