Easyhook ReadFile not working as expected

  c++, doc, easyhook, readfile, word

I’m hooking into ReadFile function and display file name in first step.
Here is my code:

BOOL WINAPI 
MyReadFile(
    _In_ HANDLE hFile,
    _Out_writes_bytes_to_opt_(nNumberOfBytesToRead, *lpNumberOfBytesRead) __out_data_source(FILE) LPVOID lpBuffer,
    _In_ DWORD nNumberOfBytesToRead,
    _Out_opt_ LPDWORD lpNumberOfBytesRead,
    _Inout_opt_ LPOVERLAPPED lpOverlapped
)
{
    TCHAR Path[MAX_PATH];
    GetFinalPathNameByHandle(hFile, Path, MAX_PATH, VOLUME_NAME_NT);

    MessageBox(NULL, Path, L"MyReadFile", MB_OK);

    return ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped);
}

When Word open old format e2.doc file, in Process Monitor app, i saw ReadFile operation in the following file (filter by file doc and tmp extension):

  • C:Userstototot-devDownloadsCiphere2.doc
  • C:Userstototot-devDownloadsCipher~$e2.doc
  • C:UsersTOTOTO~1AppDataLocalTemp~DF0149C3B203B643F4.TMP
  • C:Userstototot-devAppDataLocalMicrosoftWindowsINetCacheContent.Word~WRF{EFDBF5DE-83F5-49D2-889D-55A594AEAA84}.tmp

Process Monitor result

But it only display "e2.doc" file, not display other 3 files.

Please help me to determine what is problem here?

Source: Windows Questions C++

LEAVE A COMMENT