GitHub - alpinskiy/WFD: WriteFile Detector. WinDBG script that allows to track all writes to particular file.

alpinskiy / WFD Public

Notifications You must be signed in to change notification settings
Fork 0
Star 1

WriteFile Detector. WinDBG script that allows to track all writes to particular file.

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README		README
discard_saved_handle		discard_saved_handle
dump_writes_to_file		dump_writes_to_file
dump_writes_to_saved_handle		dump_writes_to_saved_handle
match_file_name_and_save_handle		match_file_name_and_save_handle
save_handle		save_handle

Repository files navigation

Installation
============

Copy all script files into WinDBG installation directory
(it is "C:\Program Files\Debugging Tools for Windows (x64)\" on my installation).

Running
=======

Open program to be debugged or attach to the running target.
Issue "$$>a< dump_writes_to_file file1" command (lets assume we are interested in 'file1').
You will see:

Bp expression 'KERNEL32!CreateFileW' could not be resolved, adding deferred bp
Bp expression 'KERNEL32!WriteFile' could not be resolved, adding deferred bp
Bp expression 'KERNEL32!CloseHandle' could not be resolved, adding deferred bp
All writes to the file "*file1" will be dumped.

First three lines will absent if KERNEL32 already loaded.
Press F5 or type 'g' and press <Enter> in command window. Program execution begins.
You will see the output like this if writes to the specified file occure:

#3944 -> CreateFile "file1"
#3944 <- 0x00000040
#3944 WriteFile (11 bytes), HANDLE 0x00000040, 0058fdfc  "0123456789"
#3944 WriteFile (11 bytes), HANDLE 0x00000040, 0058fdfc  "0123456789"
#3944 WriteFile (11 bytes), HANDLE 0x00000040, 0058fdfc  "0123456789"
#3944 CloseHandle 0x00000040