Any ideas on how to approach this problem?

Printable View

Feb 16th, 2000, 01:58 PM
ShepherdOfChaos

The Problem I'm faced with is how to detect, from within a VB program running in the background, when the OS or another program accesses the hard drive. I'm writing a small app to log user activity for a security company. The app has to run in the background undetected, thus the need to detect when the harddrive spins up and "piggyback" writes in order to not arouse suspicion.

Any ideas?
Feb 17th, 2000, 01:40 AM
ShepherdOfChaos

I'm thinking there must be some windows system variables somewhere which would give me this info.

Intellectually, this is quite a stimulating project, but I'm not sure how I feel about it on a personal level. On the other hand, the individuals this app is targeted at are suspected of some real scumbag activities (like child porn and gambling). Just don't much like the idea of snooping (even if it's completely legal).

Any suggestions will be greatly appreciated.

Thanks
Feb 17th, 2000, 11:34 AM

mhh... maybe u use a callback (every 5 secs or so) and then check the tasklist....

thats only one idea.... if any1 know to make better.... TELL ME ;)

taLON
Feb 17th, 2000, 11:38 AM
DiGiTaIErRoR

Make it a VxD or run as a service.

------------------
DiGiTaIErRoR
VB, QBasic, Iptscrae, HTML
Quote: There are no stupid questions, just stupid people.
Feb 17th, 2000, 02:21 PM
ShepherdOfChaos

Hmmm...not sure I understand these replies.

Having the program hidden from both the taskbar and task list (ctrl-alt-del) is pretty simple. Not worried about the program itself being detected directly (unless my code gets too bloated, in which case the target computers would slow to a crawl). What I'm trying to avoid is having the hard drive spin up every five to ten seconds, like clockwork. Any semi-knowledgable computer literate person would know something was up with that. So what I want to do is just buffer as much info as possible, detect when another process uses the harddrive, and send the buffered data right after (at a time when the user expects the harddrive to be active).
Feb 17th, 2000, 03:42 PM
RogerH

Just an idea: Is there a windows message like 'I want to read from harddisk' that you can get with a message hook?

RogerH
Feb 18th, 2000, 01:10 AM
ShepherdOfChaos

Yea, I was thinking something similar. After rereading his post, I think taLON was referring to doing something like that.

Hopefully, someone out there can give us an overview and the specifics of how to do this. Otherwise, I'm gonna have to get off my lazy butt and do some research. (and that would be just terrible :) )

[This message has been edited by ShepherdOfChaos (edited 02-18-2000).]

[This message has been edited by ShepherdOfChaos (edited 02-18-2000).]
Feb 18th, 2000, 10:45 PM
ggervais

You might want to check out this site:
http://www.sysinternals.com/filemon.htm

The FileMon utility does exactly what you want for Windows 9x or NT and it includes full source. It's in C however. You might be able to figure out how it's done... Don't know if it's possible with only VB.
Feb 20th, 2000, 02:45 PM
ShepherdOfChaos

Hey cool, thanks :)

C is an old friend of mine, so deciphering the code should be easy. Understanding "how" it does what it does is another matter.
Feb 21st, 2000, 09:23 AM
OB1

This might be what you are looking for. and it's in VB.
http://www.mvps.org/btmtz/shnotify/shnotify11.zip