how to set BP on writing a file on usb memory stick...


p0lly
September 24th, 2010, 02:47
Hi!

There is a PG called "USB Security PG" (not its commercial name) on my office PC.

"USB Security PG" prevents me from writing, deleting, or modifying a file on a portable USB memory stick...
"USB Security PG" starts up when XP starts up and is designed not to be deleted or stopped...


But I have reversed that... so now I can write, delete, and modify a file on a portable USB memory stick while "USB Security PG" is running on XP.

But there is still a problem with this PG...
Whenever I insert a portable USB memory stick into my office PC, an "ooo.bin" file is created (e.g. F:\ooo.bin). It looks really terrible...

So I found the directory where "USB Security PG" is located (C:\Program Files\...), but there are so many .exe, .dll, and .ocx files.
I tried to find the ASCII string "ooo.bin" in those files... and found it in several files... but there is no position that writes "ooo.bin" to USB.

So here is my question... how can I set a BP for when "USB Security PG" writes "ooo.bin" to USB?

The point is that I couldn't find which .exe writes "ooo.bin" to USB...

Thanks for reading...

evaluator
September 24th, 2010, 14:50
>>thanks for reading...
no-no-no! instead: thank you for your great writing! ~:

Before helping: are you doing a good thing or a bad thing?

Elenil
September 24th, 2010, 23:14
Did you use a file monitor? It sometimes helps.
If not, you set a breakpoint on specific Windows API functions.

p0lly
September 27th, 2010, 05:35
I'll try that...

dELTA
October 26th, 2010, 21:19
Sorry for the late answer, but if all you want is to disable the writing of that file, I'd just patch that string at all found locations, so that it contains an invalid file name character (e.g. ":" or whatever).

Most likely, either you'll get a bluescreen, or it will work nicely.

If you still want to understand the code deeper, setting a memory breakpoint at those found string locations, or XREF-tracing them with IDA, will probably be good starting points too.