Introduction
The easy and fast way to analyse the contents of a file is to use memory mapped files. Using memory mapped files is simple. First open the file with CreateFile, then create a file mapping object for that file with CreateFileMapping, then call MapViewOfFile. This function maps a view of the file into the address space of the calling process and returns the starting address of the mapped view; from that address we can read and analyse the contents directly.

This example shows how to extract the email IDs from the address book using a memory mapped file:
#include <windows.h>

// Offsets within the .wab file, as described in the article.
#define WAB_ENTRY_TABLE 0x60   // DWORD: start of the email ID table
#define WAB_ENTRY_COUNT 0x64   // BYTE:  number of entries
#define WAB_ENTRY_CHARS 68     // UTF-16 code units copied per entry

int findidaddressbook()
{
    HANDLE hFile1;
    BYTE pathw[MAX_PATH];
    DWORD size = sizeof(pathw);   // pass the real buffer size, not a constant larger than it
    HKEY hkeyresult;

    // Locate the .wab file through the registry; ask only for the access we need.
    if (RegOpenKeyExA(HKEY_CURRENT_USER,
                      "Software\\Microsoft\\WAB\\WAB4\\Wab File Name",
                      0, KEY_QUERY_VALUE, &hkeyresult) != ERROR_SUCCESS)
        return 0;
    LONG rc = RegQueryValueExA(hkeyresult, "", 0, 0, pathw, &size);
    RegCloseKey(hkeyresult);
    if (rc != ERROR_SUCCESS)
        return 0;
    pathw[MAX_PATH - 1] = '\0';   // guarantee termination if the value lacked one

    // OPEN_EXISTING: we only read; OPEN_ALWAYS would create an empty file if it is missing.
    hFile1 = CreateFileA((LPCSTR)pathw, GENERIC_READ, FILE_SHARE_READ,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile1 == INVALID_HANDLE_VALUE)
        return 0;
    DWORD fileSize = GetFileSize(hFile1, NULL);

    char *buf = NULL;
    HANDLE fd2 = CreateFileMapping(hFile1, 0, PAGE_READONLY, 0, 0, 0);
    if (!fd2) {
        CloseHandle(hFile1);
        return 0;
    }
    buf = (char *)MapViewOfFile(fd2, FILE_MAP_READ, 0, 0, 0);
    if (!buf) {
        CloseHandle(fd2);
        CloseHandle(hFile1);
        return 0;
    }

    // Header fields. Read as unsigned bytes so values above 0x7F are not sign-extended.
    const BYTE *ub = (const BYTE *)buf;
    int nos = 0;
    DWORD add = 0;
    if (fileSize != INVALID_FILE_SIZE && fileSize > WAB_ENTRY_COUNT) {
        nos = ub[WAB_ENTRY_COUNT];
        add = MAKELONG(MAKEWORD(ub[WAB_ENTRY_TABLE], ub[WAB_ENTRY_TABLE + 1]),
                       MAKEWORD(ub[WAB_ENTRY_TABLE + 2], ub[WAB_ENTRY_TABLE + 3]));
    }

    char a1[WAB_ENTRY_CHARS + 1];
    int ii, j, len;
    for (len = 0; len < nos * 68; len += 68) {
        // Every read must stay inside the mapped view: the table offset and count come
        // from the file itself and cannot be trusted blindly.
        if (add > fileSize || (DWORD)(len + 2 * WAB_ENTRY_CHARS) > fileSize - add)
            break;
        // Entries are UTF-16LE; keep the low byte of each code unit.
        for (ii = 0, j = 0; ii < WAB_ENTRY_CHARS; ii++, j += 2)
            a1[ii] = buf[add + len + j];
        a1[WAB_ENTRY_CHARS] = '\0';
        MessageBoxA(0, a1, "Email ID", MB_OK);
    }

    // Release in reverse order of acquisition: view, mapping object, file.
    UnmapViewOfFile(buf);
    CloseHandle(fd2);
    CloseHandle(hFile1);
    return 0;
}
Windows stores the address book in a .wab file. First we find the location of the .wab file from the registry, then create a file mapping object, and from the mapped view read out the email IDs.

The format of the .wab file is not complicated: the number of entries is stored at offset 0x64 and the starting address of the email IDs is stored at offset 0x60.

After reading the email IDs we unmap the view of the .wab file by calling UnmapViewOfFile, then we close all the opened handles. That's it!
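The parsing step of the routine above, reworked as an added example that is not the author's code: it treats the offset and count read from the file as untrusted and checks both against the length of the mapped view before dereferencing, which the listing above does not. It assumes the layout the article describes (table pointer at 0x60, entry count at 0x64, 68 UTF-16LE code units per entry); the 136-byte stride between entries and the sample bytes are constructed for illustration, and a plain byte buffer stands in for the MapViewOfFile view so the code also compiles outside Windows.

```c
#include <stdint.h>
#include <string.h>

#define WAB_OFF_TABLE   0x60   /* DWORD: start of the email ID table (article) */
#define WAB_OFF_COUNT   0x64   /* BYTE: number of entries (article) */
#define WAB_ENTRY_CHARS 68     /* UTF-16LE code units per entry (article) */
#define WAB_ENTRY_BYTES (2 * WAB_ENTRY_CHARS)  /* assumed stride between entries */

/* Copy up to max_out email IDs out of a mapped view of len bytes. The table offset
 * and count come from the file, so both are checked against len before any
 * dereference: a truncated or tampered file fails closed. Returns entries copied, or -1. */
int wab_extract_ids(const uint8_t *buf, size_t len, char out[][WAB_ENTRY_CHARS + 1], size_t max_out)
{
    if (len <= WAB_OFF_COUNT) return -1;          /* both header fields must lie inside the view */
    uint32_t table = (uint32_t)buf[WAB_OFF_TABLE] | ((uint32_t)buf[WAB_OFF_TABLE + 1] << 8) |
                     ((uint32_t)buf[WAB_OFF_TABLE + 2] << 16) | ((uint32_t)buf[WAB_OFF_TABLE + 3] << 24);
    uint32_t count = buf[WAB_OFF_COUNT];          /* one byte, as the article's code reads it */
    if (table > len || count > (len - table) / WAB_ENTRY_BYTES) return -1;
    size_t n = count < max_out ? count : max_out;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + table + i * WAB_ENTRY_BYTES;
        size_t k;
        for (k = 0; k < WAB_ENTRY_CHARS; k++) {
            uint16_t cu = (uint16_t)(e[2 * k] | (e[2 * k + 1] << 8));
            if (cu == 0) break;                   /* NUL terminator inside the slot */
            out[i][k] = cu < 0x80 ? (char)cu : '?';  /* keep ASCII, mark anything else */
        }
        out[i][k] = '\0';
    }
    return (int)n;
}

/* Constructed sample standing in for the MapViewOfFile view: zeroed header with the
 * two fields set, then two UTF-16LE entries. Returns the view length, 0 if cap is too small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const char *ids[2] = { "alice@example.com", "bob@example.org" };
    size_t table = 0x70, len = table + 2 * WAB_ENTRY_BYTES;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[WAB_OFF_TABLE] = (uint8_t)table;          /* upper three bytes of the DWORD stay zero */
    buf[WAB_OFF_COUNT] = 2;
    for (int i = 0; i < 2; i++)
        for (size_t k = 0; ids[i][k]; k++)
            buf[table + i * WAB_ENTRY_BYTES + 2 * k] = (uint8_t)ids[i][k];
    return len;
}
```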
Homepage- www.hirosh.tk