ReadFile example

Feb 26, 2009 at 6:47 PM
I'm trying to hook the ReadFile API like FileMon does. FileMon reports the offset of the read. I'm having trouble figuring out how to capture this offset. I would have thought the last parameter of ReadFile (the NativeOverlapped parameter) would have that info, but it appears to always be a null pointer even when FileMon reports it's reading an offset.

Do you have an example of ReadFile?

Or have you made any more progress on a more complete version of FileMon (i.e. one that captures more than just CreateFile)?

Thanks for a great API. Very helpful.
Feb 27, 2009 at 4:29 PM
filemon is just an example and by no means should be compared to the "real" filemon!

Capturing the offsets is not that simple. You have to look into the API specification. The overlapped structure is, as its name already says, only used in overlapped IO. Most apps use direct IO by using file pointers. So if the overlapped structure is NULL you should query the current offset by using GetFilePointer().
Feb 27, 2009 at 4:31 PM
Of course there might be more ways to specify an offset but the two above are the only ones I ever used...
Feb 27, 2009 at 5:39 PM
Thank you! GetFilePointer (or more precisely, SetFilePointer moving the pointer zero from the current) did return the current offset.

In some of the documentation, you said you were working on a full Process Monitor knock-off in .NET, and that would be published August 2008. Is that the sample which only hooks CreateFile? If not, I would be interested to see the more complete version of that code whenever it's ready.

Thanks again!!!
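The two ways of recovering the read offset discussed above (the OVERLAPPED structure when it is supplied, otherwise the handle's current file pointer) put together in one EasyHook handler. This is an added example, not code from the thread or from the EasyHook project; the class name, the `Record`/`DrainRecords` helpers and the idea of buffering log lines in a queue for the host process to pick up are assumptions. It uses `SetFilePointerEx` (the 64-bit-safe form of the "move by zero from FILE_CURRENT" trick) and the `LocalHook` / `ThreadACL` API that EasyHook's own FileMon sample uses; the injection side (`IEntryPoint`, `RemoteHooking.Inject`) is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Threading;
using EasyHook;

// Hypothetical hook class for the injected assembly (name is an assumption).
public class ReadFileOffsetHook
{
    [UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]
    delegate bool DReadFile(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToRead,
                            out uint lpNumberOfBytesRead, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadFile(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToRead,
                                out uint lpNumberOfBytesRead, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetFilePointerEx(IntPtr hFile, long liDistanceToMove,
                                        out long lpNewFilePointer, uint dwMoveMethod);

    [DllImport("kernel32.dll")]
    static extern void SetLastError(uint dwErrCode);

    const uint FILE_CURRENT = 1;

    LocalHook readFileHook;
    readonly Queue<string> records = new Queue<string>();

    public void Install()
    {
        readFileHook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "ReadFile"),
            new DReadFile(ReadFile_Hooked),
            this);
        // Same thread ACL setup as EasyHook's FileMon sample.
        readFileHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
    }

    // Offset at which the read will start, or -1 if the handle has no file pointer
    // (pipes, console handles, sockets).
    static long QueryReadOffset(IntPtr hFile, IntPtr lpOverlapped)
    {
        if (lpOverlapped != IntPtr.Zero)
        {
            // Caller supplied an OVERLAPPED: Windows reads from the offset stored in it,
            // whether or not the handle was opened with FILE_FLAG_OVERLAPPED.
            var ov = (NativeOverlapped)Marshal.PtrToStructure(lpOverlapped, typeof(NativeOverlapped));
            return ((long)(uint)ov.OffsetHigh << 32) | (uint)ov.OffsetLow;
        }

        // No OVERLAPPED: the read starts at the handle's current file pointer.
        // Moving by zero relative to FILE_CURRENT reports it without changing it.
        long pos;
        return SetFilePointerEx(hFile, 0, out pos, FILE_CURRENT) ? pos : -1;
    }

    bool ReadFile_Hooked(IntPtr hFile, IntPtr lpBuffer, uint nNumberOfBytesToRead,
                         out uint lpNumberOfBytesRead, IntPtr lpOverlapped)
    {
        // Query before calling the original: a synchronous read advances the pointer.
        long offset = QueryReadOffset(hFile, lpOverlapped);

        bool ok = ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, out lpNumberOfBytesRead, lpOverlapped);
        uint lastError = (uint)Marshal.GetLastWin32Error();

        // Only touch memory here: any file I/O from inside the hook would re-enter ReadFile.
        Record(hFile, offset, nNumberOfBytesToRead, ok ? lpNumberOfBytesRead : 0);

        // Restore the error code the hooked application expects to see.
        SetLastError(lastError);
        return ok;
    }

    void Record(IntPtr hFile, long offset, uint requested, uint read)
    {
        string line = string.Format("ReadFile h=0x{0:X} offset={1} requested={2} read={3}",
                                    hFile.ToInt64(), offset, requested, read);
        lock (records) records.Enqueue(line);
    }

    // Called from a separate thread (e.g. the FileMon-style IPC loop) to ship the
    // buffered lines to the host process; helper name is an assumption.
    public string[] DrainRecords()
    {
        lock (records)
        {
            string[] result = records.ToArray();
            records.Clear();
            return result;
        }
    }
}
```

The offset is taken before the original call on purpose: for synchronous reads the file pointer has already advanced by the time `ReadFile` returns, so a query afterwards reports the end of the read rather than its start. Handles without a file pointer return -1 from `QueryReadOffset`, which is the case where a monitor would log the read without an offset rather than fail.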
Feb 27, 2009 at 5:50 PM
This is not up to date but I don't want to update the docs just for this...

I am not actively developing EasyHook at this moment and currently there seem to be no major issues. I will probably release the final version around August 2009 with some minor bug-fixes.
This tool you are talking about does not exist ;-). Well, I started developing but I was interrupted by another project... Maybe I will release such a tool but I have no plans for this, so don't wait!

It also is not that hard with EasyHook. If you want to do this, you are probably best suited with C++.NET, because the managed-unmanaged integration is almost perfect!