Is it possible to intercept the ReadFile() function of an executable
test
December 29th, 2005, 14:21
without replacing any DLLs/installing drivers? (OS is WinXP SP1, the target is an MSVC++ 6 application.)
Here's the situation: I have a program which loads several files, all of which exist on the disk (completely unencrypted). The program expects these files to be in the format that they're in, and if not, it will crash because they're "corrupt." That's fine for most of the files, as the data they contain really isn't that sensitive anyway. But for one of the files, the data should never exist on the disk in an unencrypted form, but should instead only exist in memory when it isn't encrypted.
So somehow I need to intercept the call to ReadFile(), and instead of passing the contents of the file back to the caller, I need to pass the unencrypted version.
If anyone has any suggestions/tips, I'd be glad to hear them.
naides
December 29th, 2005, 16:27
I think what you want to do falls in the category of API call hooking:
http://www.codeproject.com/system/hooksys.asp
There are many other articles on the issue if you look up "api call hooking" in google.
Basically you would set up an app that would hook the ReadFile() call from your app and take control at that point.
Or I completely misunderstood your problem/question
Admiral
December 29th, 2005, 17:36
If you just need to do this once, it can easily be done from a debugger, but I get the impression you want this change to be permanent.
I'm not sure what exactly you mean by 'without replacing any DLLs' but if you're allowed to modify the app's PEs (rather than system DLLs) you have yourself a schoolboy exercise in code injection (specifically, injecting an IAT hook). Otherwise you're going to need to dabble in something a bit more subtle. My first suggestion would be to create a loader that monitors ReadFile and intervenes appropriately (much like what naides describes).
I'm sure we could go on for days coming up with more and more convoluted solutions to the problem, but unless there's something very special about your situation, these suggestions should be more than adequate.
Admiral
gabri3l
January 1st, 2006, 02:21
Hmm, not to self-promote, but I just wrote a tutorial on this sort of thing: Weakness Of The Windows Api Part 1. You can get it at http://tutorials.accessroot.com
As Admiral said, there are many different ways to do this sort of thing. If you have no problem modifying the executable, check out section 4.1 of my paper. That will help walk you through modifying the address table to redirect an API call. If you are ambitious enough to code a DLL, I walk you through that as well. I did not cover injection as thoroughly as I would have liked, though, but I suggest checking out the references (the site naides referenced is one of them); they should help you inject a DLL into the program's address space.
It seems that the problem you face, though, is two-fold: you need to unencrypt the file before you can pass back the unencrypted data, which means your ReadFile hook may also need to account for the unencryption. There was a paper written a while back that covered adding a DLL to Notepad to encrypt and unencrypt files. I thought it was from codebreakers-journal, but I seem to be incorrect. Anyone remember where it is?
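The hook shape the thread is describing (naides' API hooking, Admiral's IAT hook, gabri3l's point that the hook must also do the decryption), written out as an added example that is not from any of the posters or from gabri3l's paper. It is portable C so it builds anywhere: the Win32 types, the "disk", the XOR keystream and the file names are stand-ins (assumptions), and the application's IAT entry for kernel32!ReadFile is modelled as a single function-pointer slot, which is what an IAT entry is at runtime. On a real target you would find that slot by walking the PE import descriptors for kernel32.dll to the thunk named ReadFile, make its page writable with VirtualProtect, and store the hook's address there; the hook function itself would be unchanged.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the Win32 types so the example builds anywhere; on Windows
 * include <windows.h> and drop these (assumption: matches ReadFile's shape). */
typedef void *HANDLE;
typedef int BOOL;
typedef uint32_t DWORD;
typedef BOOL (*ReadFile_t)(HANDLE, void *, DWORD, DWORD *);

/* Constructed "disk": the on-disk bytes the real ReadFile would return.
 * secret.dat is stored encrypted; config.dat is plain. */
struct fake_file { const char *name; uint8_t data[32]; DWORD size; DWORD pos; };
static struct fake_file g_disk[2] = {
    { "config.dat", "plain config", 12, 0 },
    { "secret.dat", { 0 },          10, 0 },   /* filled by init_disk() */
};

/* Toy position-dependent keystream (assumption: stands in for a real cipher).
 * Position dependence is what forces the hook to track the file offset. */
static uint8_t ks(DWORD off) { return (uint8_t)(0x5A + 7 * off); }

void init_disk(void) {
    const char *plain = "TOP SECRET";
    for (DWORD i = 0; i < 10; i++) g_disk[1].data[i] = (uint8_t)plain[i] ^ ks(i);
    g_disk[0].pos = g_disk[1].pos = 0;
}

/* What kernel32!ReadFile does from the caller's point of view. */
static BOOL real_ReadFile(HANDLE h, void *buf, DWORD n, DWORD *got) {
    struct fake_file *f = h;
    DWORD left = f->size - f->pos, take = n < left ? n : left;
    memcpy(buf, f->data + f->pos, take);
    f->pos += take;
    if (got) *got = take;
    return 1;
}
/* On Windows: SetFilePointer(h, 0, NULL, FILE_CURRENT). */
static DWORD tell(HANDLE h) { return ((struct fake_file *)h)->pos; }

/* The application's IAT slot for ReadFile. Compiled code does `call [slot]`,
 * never `call ReadFile`, so overwriting this one pointer redirects every call. */
static ReadFile_t iat_ReadFile = real_ReadFile;
static ReadFile_t orig_ReadFile;      /* saved so the hook can chain to it */
static HANDLE g_sensitive;            /* handle of the file that must be decrypted */

/* The app opens files here; a real hook would also hook CreateFileW to learn
 * which handle belongs to the sensitive path. */
HANDLE app_CreateFile(const char *name) {
    for (int i = 0; i < 2; i++)
        if (strcmp(g_disk[i].name, name) == 0) {
            g_disk[i].pos = 0;
            if (strcmp(name, "secret.dat") == 0) g_sensitive = &g_disk[i];
            return &g_disk[i];
        }
    return NULL;
}

static BOOL hooked_ReadFile(HANDLE h, void *buf, DWORD n, DWORD *got) {
    DWORD local, start = tell(h);        /* file offset before the read */
    if (!got) got = &local;              /* tolerate a NULL lpNumberOfBytesRead */
    BOOL ok = orig_ReadFile(h, buf, n, got);
    if (ok && h == g_sensitive) {
        uint8_t *p = buf;                /* decrypt in place: plaintext exists only in memory */
        for (DWORD i = 0; i < *got; i++) p[i] ^= ks(start + i);
    }
    return ok;
}

void install_hook(void) {
    /* On Windows: VirtualProtect(&slot, sizeof slot, PAGE_READWRITE, &old)
     * first, since the IAT normally sits in a read-only section. */
    orig_ReadFile = iat_ReadFile;
    iat_ReadFile = hooked_ReadFile;
}
void remove_hook(void) { iat_ReadFile = orig_ReadFile; }

/* The target's own read loop: 4-byte chunks, so reads straddle the keystream
 * and the hook's offset tracking actually matters. */
DWORD app_read_all(const char *name, char *out, DWORD cap) {
    HANDLE h = app_CreateFile(name);
    DWORD total = 0, got = 0;
    while (h && total < cap) {
        DWORD want = cap - total < 4 ? cap - total : 4;
        if (!iat_ReadFile(h, out + total, want, &got) || got == 0) break;
        total += got;
    }
    out[total] = '\0';
    return total;
}

/* Returns 1 if the application ends up seeing `expect` for file `name`. */
int caller_sees(const char *name, const char *expect) {
    char buf[64];
    app_read_all(name, buf, 63);
    return strcmp(buf, expect) == 0;
}
```

Two details are what usually bite in a real version of this: the hook must know the file position before it chains to the original, because any cipher worth using is position dependent and the application will read in whatever chunk sizes it likes; and the hook must decide which handle is the sensitive one, which means hooking the open call as well, not just ReadFile.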
laola
January 2nd, 2006, 08:26
Another (most simple) solution could be using one of the off-the-shelf tools for encrypted virtual hard disks. Just create a container file with strong encryption which holds all the files of the application and there ya go.