Let's say I have a directory which contains some real files. However, I want to also add and remove 'virtual' files, so that any program that tries to access the virtual files basically triggers callbacks through my program to access either real files or memory in my program or just random data that my program generates on the fly. What's the best way to go about doing this on Windows?
I can't use symbolic/hard links or similar. I have also looked into virtual file systems but this doesn't work like I want - all I have seen is the ability to add virtual drives, not individual virtual files/folders on an existing filesystem.
Note: the virtual files have to be able to be enumerated alongside the real files, it can't just be a scenario where they are actually requested by name.
Just to make sure I understand you... you want to make shortcuts, essentially, that trigger your program? I can't remember which one, but one of the registries would hold this information so it does it by default.
However, I want to also add and remove 'virtual' files, so that any program that tries to access the virtual files basically triggers callbacks through my program to access either real files or memory in my program or just random data that my program generates on the fly.
This part that I emboldened is the tricky bit. This is easy enough to accomplish through explorer, you would simply create your own file extension and register the extension in "HKLM\SOFTWARE\Classes". In order for it to be triggered from ANY program though you would need to hook "CreateProcess()" or something like that.
The registry key that DTSCode is talking about might be "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". This is where you alter which program is run when a certain executable is supposed to be launched. It's meant to help with debugging but it's just too easy to abuse.
He wants an entry in the file system that isn't mapped to a file... but instead, when a program attempts to open/read/write the file, his (already running) program would get polled and provided the data.
-) LB.exe creates "myfile.txt"... a 'virtual' file
-) open myfile.txt in Notepad++ or <insert other text editor here>
-) Instead of Notepad++ reading the file from disk normally... all reads instead go through LB.exe, which provides (and possibly produces) the file contents on demand.
While interesting... I have no idea how to accomplish this. WinAPI files get pretty crazy though... so I don't doubt it's possible.
Looking at the usual suspects on MSDN... I don't see any way to do this. =(
L B, hook MiCreateImageFileMap; for research look into MRK (Microsoft Research Kernel). Also hook LdrInitializeThunk.
LdrInitializeThunk is the entry point for the Ring3 PE loader by Windows. Placing a hook and enumerating this system-wide would mean you have complete control of entry of all programs. LDR functions are the usual hook style: just add a 0xE9 with the offset set as second operand and you have hooked it.
To return, just jump five bytes ahead to avoid an infinite loop.
If you wish to block DLL injects follow my blog: http://codeempire.blogspot.co.uk/2013/10/security-blocking-dll-injections.html
As you see, we hook LdrLoadDll - LDR functions and NTDLL & WSP functions are one of the biggest parts of the base OS structure of Windows.
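The 0xE9 detour described in the posts above leaves a recognisable trace, so it can be checked for. The following C is an added example, not code from the thread or the linked blog: it compares a function's in-memory prologue with the same bytes from the on-disk image and decodes any `E9 rel32` jump to see whether it leaves the module. The function names, sample bytes and addresses are constructed for illustration, and it assumes the compared bytes contain no relocations.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PROLOGUE_CLEAN, PROLOGUE_MODIFIED, PROLOGUE_JMP_OUTSIDE };

/* Decode "E9 rel32" located at address va; returns 1 and sets *target if present. */
int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    if (len < 5 || code[0] != 0xE9)
        return 0;
    /* rel32 is little-endian and relative to the end of the 5-byte instruction */
    uint32_t u = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                 (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    *target = va + 5 + (uint64_t)(int64_t)(int32_t)u;
    return 1;
}

/* Compare the in-memory prologue with the same bytes read from the on-disk image. */
enum verdict check_prologue(const uint8_t *mem, const uint8_t *disk, size_t len,
                            uint64_t va, uint64_t mod_base, uint64_t mod_size,
                            uint64_t *target)
{
    *target = 0;
    if (memcmp(mem, disk, len) == 0)
        return PROLOGUE_CLEAN;        /* identical to the file on disk */
    if (decode_jmp_rel32(mem, len, va, target) &&
        (*target < mod_base || *target - mod_base >= mod_size))
        return PROLOGUE_JMP_OUTSIDE;  /* detour that leaves the module */
    return PROLOGUE_MODIFIED;         /* patched, but not an E9 jump out of the module */
}

/* Constructed sample data: not real ntdll bytes or addresses. */
static const uint8_t sample_disk[5]   = { 0x40, 0x53, 0x48, 0x83, 0xEC };
static const uint8_t sample_hooked[5] = { 0xE9, 0xFB, 0xEF, 0xFF, 0xEF };
#define SAMPLE_BASE 0x7FF800000000ULL
#define SAMPLE_SIZE 0x200000ULL
#define SAMPLE_VA   (SAMPLE_BASE + 0x1000)

int main(void)
{
    uint64_t t;
    enum verdict v = check_prologue(sample_hooked, sample_disk, 5, SAMPLE_VA,
                                    SAMPLE_BASE, SAMPLE_SIZE, &t);
    printf("verdict=%d target=0x%llx\n", (int)v, (unsigned long long)t);
    return 0;
}
```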