Virtual Files

Pages: 123
Let's say I have a directory which contains some real files. However, I want to also add and remove 'virtual' files, so that any program that tries to access the virtual files basically triggers callbacks through my program to access either real files or memory in my program or just random data that my program generates on the fly. What's the best way to go about doing this on Windows?

I can't use symbolic/hard links or similar. I have also looked into virtual file systems but this doesn't work like I want - all I have seen is the ability to add virtual drives, not individual virtual files/folders on an existing filesystem.

Note: the virtual files have to be able to be enumerated alongside the real files, it can't just be a scenario where they are actually requested by name.
closed account (Dy7SLyTq)
just to make sure i understand you... you want to make shortcuts essentially that trigger your program? i cant remember which one, but one of the registrys would hold this information so it does it by default
This sounds like it could make for a fun prank.

However, I want to also add and remove 'virtual' files, so that any program that tries to access the virtual files basically triggers callbacks through my program to access either real files or memory in my program or just random data that my program generates on the fly.

This part that I emboldened is the tricky bit. This is easy enough to accomplish through explorer, you would simply create your own file extension and register the extension in "HKLM\SOFTWARE\Classes". In order for it to be triggered from ANY program though you would need to hook "CreateProcess()" or something like that.

The regsitery key that DTSCode is talking about might be "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". This is where you alter which program is run when a certain executable is supposed to be launched. It's meant to help with debugging but it's just too easy to abuse.
I think you both completely misunderstood me. I am not talking about file association in any way shape or form. The files might not even have extensions!
closed account (Dy7SLyTq)
could you try restating it?
I thought he stated it pretty clear =x

He wants an entry in the file system that isn't mapped to a file... but instead, when a program attempts to open/read/write the file, his (already running) program would get polled and provided the data.


-) LB.exe creates "myfile.txt"... a 'virtual' file
-) open myfile.txt in Notepad++ or <insert other text editor here>
-) Instead of Notepad++ reading the file from disk normally... all reads instead go through LB.exe, which provides (and possibly produces) the file contents on demand.

While interesting... I have no idea how to accomplish this. WinAPI files get pretty crazy though... so I don't doubt it's possible.


Looking at the usual suspects on MSDN... I don't see of any way to do this. =(
Last edited on
@Disch thank goodness someone understands. I'll bet andy knows, but until then I'll keep doing research myself.
closed account (Dy7SLyTq)
I thought he stated it pretty clear =x

he probably did. im just too new to windows filesystem to understand
You need to use a Shell namespace extension. It only works on Explorer and only for "top-level" drives I think.
No, an SNE is not what I need, especially considering it only works for Windows Explorer.
Named pipe?
I don't see what good that would do seeing as I specifically stated that the virtual files needed to be enumerable with the regular files.

L B hook MiCreateImageFileMap for research look into MRK (Microsoft Research Kernel), also hook LdrInitializeThunk.

LdrInitializeThunk is the entry point for Ring3 PE loader by windows placing a hook and enumerating this through System-Wide would mean you have complete control of entry of all programs. LDR functions are usual hook style, just add a 0xE9 with offset set as second operand and you have hooked it.
To return just jump five-bytes ahead to avoid a infinite loop.
If you wish to block DLL injects follow my blog:

As you see we hook LdrLoadDll - LDR functions and NTDLL & WSP functions are one of the biggest part's of base OS structure of windows.

That sounds like a pretty dangerous and messy way to do it, I would have thought there was an API for this already.
I guess I don't understand what you mean by enumerated in this context.
When you scan for files in a directory... like with FindFirstFile/FindNextFile... this file will appear alongside normal files.
I thought pipes could be enumerated using FindFirstFile/FindNextFile as well.

EDIT: Ok, I see pipes on Windows have their own filesystem and cannot be placed with regular files.
Last edited on
andy would probably know, but I'd bet Space Worm does know and has done something similar to this before. It makes me sad when people leave our community :(.

EDIT: @Orion Master: Don't you need to make a registry change and reboot the PC for stuff like that to be accessible?
Last edited on
closed account (Dy7SLyTq)
He didnt leave. He said he only comes on here when he has a question and his elite irc channel is on vacation.
Of course it didn't leave, his new name on these forums is OrionMaster or Cyberwarfare :)

As to the question, if OP wants full control, then writing a device driver that intercepts I/O operations is as low level as you can get. Microsoft calls these "MiniFilters".

It is worth checking external libraries if writing your own device driver is too difficult for you

Callback File System:


I hope it helps.
Last edited on
Pages: 123