The blog continues at suszter.com/ReversingOnWindows

February 18, 2012

Finding the appropriate ReadFile

Some applications read data from a great many files while they run. If you want to intercept the moment a particular file is read, one option is to set a breakpoint on, say, ReadFile() and wait for the debugger to break in. In practice the debugger keeps breaking in on ReadFile() calls you are not interested in, and stepping past those unwanted breaks until the file you care about is finally read can be extremely time consuming.

This is a WinDbg script that I usually use as a template to intercept the point at which a certain file is read. It checks for a specified value in the buffer passed to ReadFile(), and only if the value matches does the debugger break in.
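The script itself is not reproduced on this page, so what follows is an added example of the same technique, written for this page and not the author's script. It assumes a 32-bit x86 target where kernel32!ReadFile is called through stdcall, a constructed search value ("%PDF" as a little-endian dword), and the pseudo-register names $t0, $t2 and $t3 chosen here; the script path in the comment is also an assumption.

```windbg
$$ Added example (not the blog's own script): break on ReadFile only when the
$$ buffer it just filled starts with a chosen byte pattern.
$$ Assumptions: 32-bit x86 target, stdcall kernel32!ReadFile, constructed
$$ search value. Load with: $$>< C:\scripts\readfile.wds (path is an assumption)

$$ Value to look for in the first four bytes of the buffer, little-endian.
$$ 0x46445025 is the ASCII text "%PDF" (constructed sample, change to taste).
r $t2 = 0x46445025

$$ At entry the stdcall arguments sit just above the return address:
$$   esp+4   hFile
$$   esp+8   lpBuffer
$$   esp+c   nNumberOfBytesToRead
$$   esp+10  lpNumberOfBytesRead (may be NULL for overlapped I/O)
$$ The buffer is only filled after the call returns, so the pointers are saved
$$ in pseudo-registers at entry, gu runs until ReadFile returns to its caller,
$$ and the comparison is made on the filled buffer. Reading the arguments from
$$ esp after gu would be wrong: stdcall has already popped them.
$$ eax is checked so a failed read is ignored, and the byte count is checked so
$$ a short read never compares four bytes that were never written.
bp kernel32!ReadFile "r $t0 = poi(@esp+8); r $t3 = poi(@esp+0x10); gu; .if ((@eax != 0) & (@$t3 != 0) & (dwo(@$t3) >= 4) & (dwo(@$t0) == @$t2)) { .echo ReadFile returned a buffer starting with the expected bytes; db @$t0 L40 } .else { gc }"

$$ Resume the target. The debugger stays stopped in ReadFile's caller only
$$ when the pattern matches, otherwise gc resumes silently.
g
```

Two caveats a practitioner will hit. First, gu steps out on the thread that hit the breakpoint; if another thread enters ReadFile meanwhile, the breakpoint fires there and overwrites $t0 and $t3, so on busy multithreaded targets restrict the breakpoint to one thread (a `~<n> bp ...` prefix) or match on the handle as well. Second, on x64 the arguments arrive in registers rather than on the stack, so the two `r` commands become `r $t0 = @rdx` and `r $t3 = @r9`, and the pattern itself can be made as specific as needed by comparing further dwords at @$t0+4, @$t0+8 and so on.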

This blog is written and maintained by Attila Suszter.