Test piece to track a log file.

mnemonic · May 03, 2006, 07:56:16 AM

Quote from: hutch-- on May 03, 2006, 07:20:14 AM
The interesting part is the unix utility TAIL can read it. I looked up its imports and its plain MSVCRT functionality but I don't know how its getting the file read access.

Hi hutch,

I had a quick look at the tail tool with OllyDbg and here is what it does to open the file:

Code Select


004029A7  |. 6A 00          PUSH 0                                   ; |access = O_RDONLY|SH_COMPAT0
004029A9  |. FF33           PUSH DWORD PTR DS:[EBX]                  ; |path
004029AB  |. E8 505E0000    CALL <JMP.&msvcrt._open>                 ; \_open

HTH,
Jens

MichaelW · May 03, 2006, 08:15:41 AM

Judging from the Tail for Win32 source available here

http://sourceforge.net/projects/tailforwin32

File change notifications will work only for local files. For remote files, Tail for Win32 monitors the file by polling.

hutch-- · May 03, 2006, 11:43:56 AM

Michael,

Thanks for the link, I just read the CreateFile() styles, added them and BINGO it works.

Code Select


          invoke CreateFile,OFFSET logbuffer,GENERIC_READ,
                            FILE_SHARE_WRITE or FILE_SHARE_READ,
                            NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL or \
                            FILE_FLAG_POSIX_SEMANTICS,NULL
          mov hFile, eax

News:

Test piece to track a log file.

mnemonic

MichaelW

hutch--