Any clue how (if possible) to hook writes to a Memory Mapped File?

Dec 7, 2010 at 12:47 AM

This is admittedly very probably not EasyHook-related, but I have an account here and had a feeling someone reading this forum might be knowledgeable.

Basically my harebrained scheme is to monitor writes into a relatively small array in memory, by creating an MMF and replacing the address of the array with the pointer into the MMF. Then I'd like to hook into whatever routine, if any there is, which would be equivalent to a WriteFile operation for the MMF.

The program with the array performs very simple arithmetic operations over registers in the array, and we'd like to extend it so we can add additional arithmetic operations. If we can know every time there is a write into some special registers then we can use that window to perform extended operations.

 

Thanks,

Dec 7, 2010 at 2:32 AM
Edited Dec 8, 2010 at 6:17 AM

I think maybe you'd need a "minifilter" driver to monitor MMF writes.

I also wonder about VirtualAllocating a read-only segment for the array and installing a VectoredHandler to catch Invalid Access Exceptions.

Docs say the address of the offending code and location of the memory being written to are provided, as well as the processor state, though that may not be useful. If just letting the write pass through doesn't work, you could change the write access of the segment and copy the data being written over if you could make out what the opcodes intended to do.

It sounds sound to my naive ears (versus injecting code) but I wonder about the performance overhead of such a thing.
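
The read-only-page idea from the last post, sketched as an added example that is not part of the original thread: it uses the POSIX counterparts (`mprotect` and a `SIGSEGV` handler) in place of `VirtualProtect` and `AddVectoredExceptionHandler`, and takes the "let the write pass through" route by unprotecting the page inside the handler. Linux is assumed, and all names (`regs`, `watch_init`, `watch_arm`, `demo_write`) are hypothetical.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* All names here are hypothetical; regs stands in for the watched array. */
static volatile uint32_t *regs;
static size_t page_len;
static volatile sig_atomic_t fault_count;
static volatile long last_index = -1;

/* Fault handler: record which element was targeted, then let the write retry. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    uintptr_t a = (uintptr_t)si->si_addr, base = (uintptr_t)regs;
    (void)sig; (void)ctx;
    if (a < base || a >= base + page_len) {  /* not our page: a genuine crash */
        signal(SIGSEGV, SIG_DFL);            /* the retry dies with the default action */
        return;
    }
    fault_count++;
    last_index = (long)((a - base) / sizeof(uint32_t));
    mprotect((void *)regs, page_len, PROT_READ | PROT_WRITE);
}

/* Make the page read-only so the next write traps. */
int watch_arm(void) { return mprotect((void *)regs, page_len, PROT_READ); }

/* Allocate one page for the array, install the handler, arm the trap. */
int watch_init(void) {
    struct sigaction sa = {0};
    page_len = (size_t)sysconf(_SC_PAGESIZE);
    regs = mmap(NULL, page_len, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (regs == MAP_FAILED) return -1;
    sa.sa_sigaction = on_fault; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL) ? -1 : watch_arm();
}

/* Stand-in for the host program's write; returns how many faults it caused. */
int demo_write(size_t idx, uint32_t value) {
    int before = fault_count;
    regs[idx] = value;  /* traps once if armed, then re-executes and succeeds */
    return fault_count - before;
}

int main(void) {
    if (watch_init() != 0) return 1;
    return demo_write(3, 42) == 1 ? 0 : 1;
}
```

After one trap the page stays writable, so later writes go unseen until `watch_arm()` is called again. Protection is also per page, so a write anywhere on the page triggers the handler, not only writes to the registers of interest.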