A program at run-time to decrypt an encrypted document in memory, I want to read what method

Time:09-21

Masters, I have a program that, at run time, reads a flash file, decrypts it in memory with a cipher, and creates a decrypted file for its own use. Watching the process with the monitor, I see it call CreateFile to create the decrypted file under the encrypted folder's path. At first I thought it was creating the file on disk, but then found there is no such file to read; after looking up the CreateFile function I learned that the object is created in the kernel. I want to read the decrypted file. Could you tell me how? Every master who offers a way has my thanks.

Annotation: what CreateFile really does is create a File kernel object, rather than create a physical "file" on disk. A series of Win32 API functions operate on kernel objects, and the functions that create kernel objects are mostly named CreateXxxx.

CodePudding user response:

Is there no reply, warriors?

CodePudding user response:

Do you have the program's source code? Otherwise it is difficult to get the exact file out of memory.

CodePudding user response:

Here I come!
ReadProcessMemory

CodePudding user response:

I estimate that it uses a memory-mapped file.

CodePudding user response:

With the source code, create an actual file in the corresponding place...

CodePudding user response:

Tamper with the parameters before CreateFile; wouldn't it then create a file on disk again?

CodePudding user response:

Referring to the 6th floor reply by srhouyu:
Tamper with the parameters before CreateFile; wouldn't it then create a file on disk again?

If you have the source code, this can be done.

CodePudding user response:

Break on the CreateFile API with a debugger and look at what the file path is.

CodePudding user response:

Hook the CreateFile function and modify the parameters to create the disk file you want.

CodePudding user response:

Referring to the 7th floor reply by cyhh_h:
Quote: referring to the 6th floor reply by srhouyu:

Tamper with the parameters before CreateFile; wouldn't it then create a file on disk again?

If you have the source code, this can be done.


If there were source code, this problem would not exist; it is somebody else's program.

CodePudding user response:

Referring to the 8th floor reply by ZWFGDLC:
Break on the CreateFile API with a debugger and look at what the file path is.

The file path is very clear, but the program does not produce a real file on disk; the object is created in the kernel.

CodePudding user response:

Referring to the 3rd floor reply by zhao4zhong1:
Here I come!
ReadProcessMemory

Warrior, can this function read another process's resource files?

CodePudding user response:

Referring to the 12th floor reply by renfei0730:
Quote: referring to the 3rd floor reply by zhao4zhong1:

Here I come!
ReadProcessMemory

Warrior, can this function read another process's resource files?

Unless the content of the other process's resource file is not loaded into memory.

CodePudding user response:

Flash SWF file? FLV? Search process memory for the file header; it may be found.

CodePudding user response:

Referring to the 9th floor reply by qq_43432265:
Hook the CreateFile function and modify the parameters to create the disk file you want.


Referring to the 13th floor reply by zhao4zhong1:
Quote: referring to the 12th floor reply by renfei0730:

Quote: referring to the 3rd floor reply by zhao4zhong1:

Here I come!
ReadProcessMemory

Warrior, can this function read another process's resource files?

Unless the content of the other process's resource file is not loaded into memory.


I have hooked CreateFile and written a program of my own to verify it: if a file is created, my hook program copies it. But on the target program I saw an event like the one shown in the figure, yet at the CreateFile path I can never see a file on disk; I then wrote a hook into the target process to copy the file at that path, and it also copied nothing out. Masters, what do you make of this?? Where is the omission?

CodePudding user response:

What CreateFile really does is create the File kernel object. For that File, hook WriteFile (the decryption), get the File info, then ReadFile it across processes.

CodePudding user response:

Referring to the 16th floor reply by schlafenhamster:
What CreateFile really does is create the File kernel object. For that File, hook WriteFile (the decryption), get the File info, then ReadFile it across processes.

Strangely, from beginning to end I did not monitor any WriteFile operation. My current hook on the CreateFile operation, I estimate, did not wait for the file content to be written before starting the copy, so I did not get it.

CodePudding user response:

Also the Ex version, WriteFileEx.

CodePudding user response:

It should be setting FILE_ATTRIBUTE_TEMPORARY in CreateFile, then CreateFileMapping; the file is written through the memory-mapped file.

CodePudding user response:

Referring to the 19th floor reply by DelphiGuy:
It should be setting FILE_ATTRIBUTE_TEMPORARY in CreateFile, then CreateFileMapping; the file is written through the memory-mapped file.
Is there any idea how to get this file? I did not see any file-writing operations related to it in Process Monitor.

CodePudding user response:

While it is "playing", search the process memory for the "file header",
then use ReadProcessMemory() to read the data of that memory region.
The total length of the data should have corresponding information in the "header" section
(depending on the specific file format, perhaps the size can be obtained directly, or it may need to be calculated).
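The two replies above (the 14th floor "search for the file header" and this one) both rest on the same step: locating a format signature in a byte region and reading the length from its header. This added example, written for this page and not code from the thread, shows that step for the SWF format: the signature is "FWS" (uncompressed) or "CWS" (zlib-compressed body), followed by a one-byte version and a little-endian 32-bit uncompressed file length. The byte region here is a constructed buffer standing in for whatever a scanner has already read; the example does not touch another process. The check a practitioner wants is the validation of the declared length against the bytes actually present, which is what lets a carver skip a false hit on a stray three-byte string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of locating an SWF header inside an arbitrary memory buffer. */
typedef struct {
    size_t   offset;        /* where the signature starts in the buffer */
    int      compressed;    /* 1 for "CWS" (zlib body), 0 for "FWS" */
    uint8_t  version;       /* SWF version byte that follows the signature */
    uint32_t declared_len;  /* uncompressed file length field (little-endian) */
} swf_hit;

/* Scan buf for an SWF signature. Returns 1 and fills *hit on the first
 * plausible header, 0 if none is found. A candidate is rejected when its
 * declared length is smaller than the 8-byte header, or, for "FWS", when
 * the declared length exceeds the bytes available after the signature
 * (a "CWS" body is compressed, so its in-memory size is smaller than the
 * declared uncompressed size and cannot be checked this way). */
int find_swf_header(const uint8_t *buf, size_t len, swf_hit *hit)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        if (memcmp(buf + i, "FWS", 3) != 0 && memcmp(buf + i, "CWS", 3) != 0)
            continue;
        uint32_t declared = (uint32_t)buf[i + 4]
                          | (uint32_t)buf[i + 5] << 8
                          | (uint32_t)buf[i + 6] << 16
                          | (uint32_t)buf[i + 7] << 24;
        if (declared < 8)
            continue;                       /* shorter than the header itself */
        int compressed = (buf[i] == 'C');
        if (!compressed && declared > len - i)
            continue;                       /* truncated or bogus; keep scanning */
        hit->offset = i;
        hit->compressed = compressed;
        hit->version = buf[i + 3];
        hit->declared_len = declared;
        return 1;
    }
    return 0;
}

/* Bytes that can be copied out with confidence from the hit onward:
 * the full declared length for "FWS"; only the 8-byte header for "CWS",
 * because the end of the compressed body is only known after inflating it. */
size_t swf_recoverable_size(const swf_hit *hit)
{
    return hit->compressed ? 8 : (size_t)hit->declared_len;
}

/* Constructed sample region (not captured from any real process): junk, a
 * decoy "FWS" whose declared length is absurd, more junk, then a real
 * 20-byte uncompressed SWF (version 10) followed by trailing junk. */
static const uint8_t sample_region[40] = {
    0xDE, 0xAD, 0xBE, 0xEF,                         /* 0..3  junk            */
    'F', 'W', 'S', 0x0A, 0xFF, 0xFF, 0xFF, 0x7F,    /* 4..11 decoy header    */
    0x00, 0x00, 0x00, 0x00,                         /* 12..15 junk           */
    'F', 'W', 'S', 0x0A, 0x14, 0x00, 0x00, 0x00,    /* 16..23 real header    */
    0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, /* 24..35 12 body bytes  */
    0x00, 0x00, 0x01, 0x00,
    0xCA, 0xFE, 0xBA, 0xBE                          /* 36..39 trailing junk  */
};

/* Runs the scan over the constructed region; returns 1 if a header was found. */
int demo_scan(swf_hit *hit)
{
    return find_swf_header(sample_region, sizeof sample_region, hit);
}

int main(void)
{
    swf_hit h;
    if (!demo_scan(&h)) {
        puts("no SWF header found");
        return 1;
    }
    printf("SWF at offset %zu, %s, version %u, declared length %u, recoverable %zu bytes\n",
           h.offset, h.compressed ? "CWS" : "FWS", h.version,
           h.declared_len, swf_recoverable_size(&h));
    return 0;
}
```

The decoy at offset 4 is skipped because its declared length of 0x7FFFFFFF cannot fit in the 36 bytes that follow it; the real header at offset 16 passes and yields 20 recoverable bytes. Other formats need their own rule at the same spot: an FLV header, for instance, carries only its own header size, so the total has to be walked tag by tag, which is the "may need to be calculated" case the reply mentions.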

CodePudding user response:

Is it feasible to read the encrypted flash file yourself and decrypt it?
