mspx. Just scroll to
the bottom of the page and click the Download Process Monitor link. When you run
Process Monitor, it will immediately start capturing all kinds of events. However, for this
example, we only want to figure out what desiredAccess is requested when we try to
open secret.txt for reading. We'll filter for only relevant events so that we can focus on
the secret.txt operations and not be overloaded with the thousands of other events being
captured. Click Filter and then add a Filter specifying "Path contains secret.txt". Then
click the Add button and then OK. You can see that filter rule being built in Figure 16-19.
Gray Hat Hacking: The Ethical Hacker's Handbook
412
Figure 16-19 Building a Process Monitor filter
With the filter rule in place, Process Monitor should have an empty display. Go back
to the command prompt and try the type c:\temp\secret.txt command again to allow
Process Monitor to capture the event that you see in Figure 16-20.
Aha! Process Monitor tells us that our operation to view the contents of the file is
actually attempting to open for Generic Read. If we take another quick trip to MSDN, we
remember that FILE_GENERIC_READ includes FILE_READ_DATA, SYNCHRONIZE,
FILE_READ_ATTRIBUTES, and FILE_READ_EA.
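To make the Generic Read observation concrete, here is an added Python example (not code from the book) that decodes a file access mask the way Process Monitor displays it, applies the file object's generic mapping for GENERIC_READ, and reports which rights a granted mask is missing. The constant values are the winnt.h definitions; the granted mask in the usage block is a constructed sample.

```python
# Windows access-mask bits for file objects (values as defined in winnt.h).
RIGHTS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
BIT = {name: bit for bit, name in RIGHTS}
GENERIC_READ = 0x80000000
# FILE_GENERIC_READ per winnt.h: STANDARD_RIGHTS_READ (READ_CONTROL) plus the
# four rights listed in the text above.
FILE_GENERIC_READ = (BIT["READ_CONTROL"] | BIT["FILE_READ_DATA"]
                     | BIT["FILE_READ_ATTRIBUTES"] | BIT["FILE_READ_EA"]
                     | BIT["SYNCHRONIZE"])

def decode_mask(mask):
    """Names of the rights set in a mask, in bit order."""
    return [name for bit, name in RIGHTS if mask & bit]

def map_generic(mask):
    """Replace GENERIC_READ with the file object's specific rights, as the
    object manager does before the access check. Only the read case is
    handled because that is all the 'type' command needs."""
    if mask & GENERIC_READ:
        mask = (mask & ~GENERIC_READ) | FILE_GENERIC_READ
    return mask

def missing_rights(requested, granted):
    """Rights in the generic-mapped request that the granted mask lacks.
    An empty list means the open succeeds; anything else is ACCESS_DENIED."""
    return decode_mask(map_generic(requested) & ~granted)

if __name__ == "__main__":
    # Constructed sample ACE: all three FILE_READ_* rights and READ_CONTROL,
    # but no SYNCHRONIZE, so a Generic Read open is still refused.
    granted = (BIT["FILE_READ_DATA"] | BIT["FILE_READ_ATTRIBUTES"]
               | BIT["FILE_READ_EA"] | BIT["READ_CONTROL"])
    print(decode_mask(FILE_GENERIC_READ))
    print("missing:", missing_rights(GENERIC_READ, granted))
```

Comparing the decoded request against what an ACE actually grants is a quick way to explain an ACCESS_DENIED that Process Monitor shows on a file the user "can read".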