RolexHound Technical Deep Dive

Developed by Shriniwas Kulkarni

Credits for Idea and Guidance to https://youtu.be/9nDYYc_7sKs?feature=shared

Program Architecture Overview

Program Initialization
  • Parse command line arguments
  • Extract filename from path
Signal Handler Setup
  • Register SIGINT (Ctrl+C) handler
  • Graceful shutdown mechanism
Main Monitoring Loop
  • Infinite loop for continuous monitoring
  • File attribute checking every 10 seconds
File System Interaction
  • FindFirstFile API call
  • WIN32_FIND_DATA structure analysis

Memory Management & Data Structures

Dynamic Allocation
  • basePath - malloc()
  • Size: strlen(argv[1]) + 1
  • Purpose: store the extracted filename
Stack Variables
  • FileData - WIN32_FIND_DATA
  • OldLastAccessTime - FILETIME
  • OldLastWriteTime - FILETIME
Windows Handles
  • hSearch - HANDLE
  • Returned by FindFirstFile
  • Invalid value: INVALID_HANDLE_VALUE

Windows API Integration

FindFirstFile()
  • Searches for a file or directory matching the specified name.
  • Returns a HANDLE for iterating through the matching files.
  • Parameters: filename, WIN32_FIND_DATA*
GetFileAttributes()
  • Retrieves the file system attributes of the specified file.
  • Returns a DWORD containing the attribute flags.
  • Used for: file existence validation
Signal Handling
  • POSIX signal() function for SIGINT capture.
  • Custom handler for graceful shutdown.
  • Behavior: prompt the user before exiting

WIN32_FIND_DATA Structure Breakdown

struct WIN32_FIND_DATA

  DWORD    dwFileAttributes   File attributes (hidden, system, etc.)
  FILETIME ftCreationTime     File creation timestamp
  FILETIME ftLastAccessTime   Last access time (monitored)
  FILETIME ftLastWriteTime    Last write time (monitored)
  DWORD    nFileSizeHigh      High-order 32 bits of the 64-bit file size
  DWORD    nFileSizeLow       Low-order 32 bits of the 64-bit file size

Execution Timeline

T0: Program Start
  • Parse arguments, allocate memory for basePath
T1: Path Processing
  • Extract filename using strtok() with '/' delimiter
T2: Signal Registration
  • Register SIGINT handler for Ctrl+C interception
T3: Monitoring Loop
  • Enter infinite loop, call FindFirstFile()
T4+: Change Detection
  • Compare FILETIME structures, detect modifications
T∞: Sleep Cycle
  • 10-second intervals between checks

Signal Handling Flow

SIGINT (Ctrl+C)
  -> Handler: INTCTRLChandler()
  -> Ignore: SIG_IGN
  -> Prompt: user choice
  -> Decision: exit or continue
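The flow above runs the prompt inside the signal handler. The following is an added example (not RolexHound's own code) of the same user-facing behaviour, Ctrl+C leading to an exit/continue prompt, written so that the handler only sets a flag and the main loop does the prompting: printf() and fgets() are not async-signal-safe, so doing the I/O in the loop avoids a class of handler bugs. The names install_sigint_handler(), interrupt_pending(), clear_interrupt() and answer_means_exit() are assumptions of this example; the FindFirstFile() check that would sit in the loop body is left as a comment.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>   /* Sleep() */
#else
#include <unistd.h>    /* sleep() */
#endif

/* Set by the handler, polled by the monitoring loop. sig_atomic_t is the
 * only object type the C standard guarantees may be written from a handler. */
static volatile sig_atomic_t g_interrupted = 0;

/* Handler body: record the event and nothing else. The prompt happens in
 * the main loop, where stdio is safe to use. */
static void on_sigint(int signum) {
    (void)signum;
    g_interrupted = 1;
}

/* Install the handler; returns 0 on success, -1 if signal() failed. */
int install_sigint_handler(void) {
    if (signal(SIGINT, on_sigint) == SIG_ERR) return -1;
    return 0;
}

/* Returns 1 once Ctrl+C has been pressed since the last clear_interrupt(). */
int interrupt_pending(void) {
    return g_interrupted != 0;
}

/* Acknowledge the interrupt and re-arm the handler (some C runtimes reset
 * the disposition to SIG_DFL on delivery, which is why re-registering matters). */
int clear_interrupt(void) {
    g_interrupted = 0;
    return install_sigint_handler();
}

/* Decision logic kept separate from I/O: 1 for "y"/"Y", 0 for anything else. */
int answer_means_exit(const char *answer) {
    return answer != NULL && (answer[0] == 'y' || answer[0] == 'Y');
}

int main(void) {
    char answer[8];

    if (install_sigint_handler() != 0) {
        perror("signal");
        return 1;
    }
    for (;;) {
        if (interrupt_pending()) {
            printf("\nCtrl+C received. Exit RolexHound? (y/n): ");
            fflush(stdout);
            if (fgets(answer, sizeof answer, stdin) == NULL || answer_means_exit(answer)) {
                puts("Exiting.");
                return 0;
            }
            if (clear_interrupt() != 0) return 1;
            puts("Continuing to monitor.");
        }
        /* FindFirstFile() + FILETIME comparison for the watched file goes here. */
#ifdef _WIN32
        Sleep(10000);
#else
        sleep(10);
#endif
    }
}
```

Because the flag is checked once per loop iteration, a Ctrl+C pressed during the 10-second sleep is answered at the start of the next iteration rather than immediately; that latency is the trade-off for keeping the handler trivial.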

Code Quality Analysis

    // All variables declared at top - C89/C90 compliance
    char *basePath = NULL;

    // Dynamic memory allocation sized to the argument: strlen(argv[1]) + 1 for the terminator
    basePath = (char *)malloc(sizeof(char) * (strlen(argv[1]) + 1));

    // Tokenization on '/' to pick out the filename ('\\'-separated Windows paths are not split)
    token = strtok(basePath, "/");

Strengths

  • Windows API expertise demonstrated
  • Proper signal handling implementation
  • Memory allocation with size calculation
  • Clear separation of concerns
  • Comprehensive error handling

Areas for Improvement

  • Memory leak: malloc() without free()
  • Platform-specific (Windows only)
  • Hard-coded 10-second interval
  • Limited error messages
  • No file handle cleanup
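Two of the items above, the unfreed malloc() and the '/'-only strtok() split, are addressed together in this added example (not the project's code). extract_basename(), dup_basename() and basename_equals() are names chosen for this example; MAX_PATH is the Win32 value and is defined locally so the code also builds on a non-Windows host. The extraction accepts both '/' and '\\' as separators and writes into a bounded buffer, and the heap variant pairs every malloc() with a free() in the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Win32 value; defined here so the code builds off Windows */
#endif

/* Copy the last path component of `path` into `out` (capacity `outsz`).
 * Accepts both '/' and '\\' as separators, so "C:\\logs\\app.log" and
 * "/var/log/app.log" both yield "app.log". Trailing separators are ignored.
 * Returns the component length, or -1 if `out` is too small. */
int extract_basename(const char *path, char *out, size_t outsz) {
    const char *end;
    const char *start;
    size_t len;

    end = path + strlen(path);
    while (end > path && (end[-1] == '/' || end[-1] == '\\')) end--;
    start = end;
    while (start > path && start[-1] != '/' && start[-1] != '\\') start--;
    len = (size_t)(end - start);
    if (len + 1 > outsz) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Heap variant mirroring the program's malloc(strlen(argv[1]) + 1) pattern;
 * the caller owns the result and must free() it. Returns NULL on failure. */
char *dup_basename(const char *path) {
    char *buf;
    size_t cap;

    cap = strlen(path) + 1;            /* a component is never longer than the path */
    buf = (char *)malloc(cap);
    if (buf == NULL) return NULL;
    if (extract_basename(path, buf, cap) < 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Convenience check: 1 if the basename of `path` equals `expected`, else 0. */
int basename_equals(const char *path, const char *expected) {
    char buf[MAX_PATH];
    if (extract_basename(path, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv) {
    char *name;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file-path>\n", argv[0]);
        return 1;
    }
    name = dup_basename(argv[1]);
    if (name == NULL) {
        fputs("could not extract filename\n", stderr);
        return 1;
    }
    printf("monitoring: %s\n", name);
    free(name);   /* pairs with the malloc() inside dup_basename(); no leak */
    return 0;
}
```

The stack-buffer form is usually preferable for a single fixed-size filename: there is nothing to free, and the length check turns an oversized component into an error instead of an overflow.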

Technical Complexity Metrics

Cyclomatic Complexity: 7
  Moderate complexity with multiple decision points
Lines of Code: 125
  Compact implementation with focused functionality
API Dependencies: 8
  Windows API + POSIX signal functions

Architecture Diagram: RolexHound File Monitoring System Architecture

User Space
  • Command Line Interface
  • Signal Handler (CTRL+C)
  • Output Display (Console)
Application Space
  • Main Monitoring Loop
  • Path Parser: strtok() basename extraction
  • File Discovery: FindFirstFile(), handle validation
  • Attribute Monitor: FILETIME compare, change detection
  • Sleep Timer: sleep(10), 10s interval
  • Memory Manager: malloc(), dynamic allocation
  • Data Structures: WIN32_FIND_DATA | FILETIME | HANDLE | char* basePath
Windows System Layer
  • Windows API: FindFirstFile, GetFileAttributes
  • File System: NTFS/FAT32
  • Signal System: SIGINT handling
  • Process Management: getpid(), exit()

Architecture Diagram: System Architecture & Memory Layout

Program Flow Architecture
  • main() Entry Point: argc, argv parsing
  • Memory Management: malloc(strlen(argv[1])+1) basePath allocation; no free(), memory leak
  • Signal Registration: signal(SIGINT, handler); Ctrl+C interception; graceful shutdown
  • Monitoring Loop: while(true); FindFirstFile(); FILETIME comparison; sleep(10); infinite execution
  • Path Processing: strtok(basePath, "/"); extract filename; cross-platform parsing
Memory Architecture
  Stack memory
  • WIN32_FIND_DATA FileData (540 bytes)
  • FILETIME OldLastAccessTime (8 bytes)
  • HANDLE hSearch (pointer)
  • DWORD dwAttrs (4 bytes)
  • char* token (pointer)
  • TCHAR szNewPath[MAX_PATH] (260-byte buffer)
  Heap memory
  • char* basePath, malloc(strlen(argv[1])+1), never freed (leak)
WIN32_FIND_DATA Structure (540 bytes)
  typedef struct _WIN32_FIND_DATA { ... } WIN32_FIND_DATA, *LPWIN32_FIND_DATA;

  Offset      Field                        Size     Notes
  0x00000000  DWORD dwFileAttributes       4 bytes  FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_HIDDEN, etc.
  0x00000004  FILETIME ftCreationTime      8 bytes  64-bit value: 100-nanosecond intervals since Jan 1, 1601
  0x0000000C  FILETIME ftLastAccessTime    8 bytes  MONITORED: used by the change detection algorithm
  0x00000014  FILETIME ftLastWriteTime     8 bytes  MONITORED: primary change detection mechanism
  0x0000001C  DWORD nFileSizeHigh          4 bytes  Upper 32 bits of the 64-bit file size
  0x00000020  DWORD nFileSizeLow           4 bytes  Lower 32 bits of the 64-bit file size
Change Detection Algorithm (FILETIME comparison logic)
  1. if (OldLastAccessTime.dwLowDateTime != FileData.ftLastAccessTime.dwLowDateTime
  2.     || OldLastAccessTime.dwHighDateTime != FileData.ftLastAccessTime.dwHighDateTime)
  3. FILE ACCESS DETECTED: update OldLastAccessTime, print notification to console
Performance
  • 10-second polling interval: CPU-friendly but not real-time
  • Alternative: ReadDirectoryChangesW
Signal Handling Architecture
  SIGINT (Ctrl+C) -> signal() registration -> INTCTRLChandler() custom handler -> user confirmation -> exit(0) clean exit, or continue and re-register
Platform: Windows | Language: C | APIs: Win32, POSIX signals | Memory: Stack + Heap | Architecture: x86/x64

Architecture Diagram: RolexHound File Monitor - Technical Architecture

System Architecture
  • Command Line Input: argv[1], file path
  • Path Parsing: extract base filename using strtok("/")
  • Main Loop: while(true), monitor file changes at 10-second intervals, sleep(10)
  • Windows API: FindFirstFile(), WIN32_FIND_DATA, file attributes, FILETIME structs
  • Signal Handler: SIGINT (Ctrl+C), graceful shutdown, user confirmation, process ID display
File Monitoring Workflow
  1. File Search: FindFirstFile(); check whether the file exists (INVALID_HANDLE_VALUE otherwise)
  2. Get Attributes: extract the FILETIME values LastAccessTime and LastWriteTime
  3. Compare Times: dwLowDateTime and dwHighDateTime; detect changes
  4. Log Changes: print to console; update the old times; continue the loop
  5. Wait & Repeat: sleep(10 seconds); loop back to step 1; continuous monitoring
Key Data Structures
  WIN32_FIND_DATA FileData
  • dwFileAttributes (DWORD)
  • ftCreationTime (FILETIME)
  • ftLastAccessTime (FILETIME)
  • ftLastWriteTime (FILETIME)
  • nFileSizeHigh/Low (DWORD)
  FILETIME Structure
  • dwLowDateTime (DWORD)
  • dwHighDateTime (DWORD)
  • 64-bit timestamp representing 100-nanosecond intervals since January 1, 1601 (UTC)
  Program Variables
  • basePath (char*) - target file
  • hSearch (HANDLE) - search handle
  • OldLastAccessTime (FILETIME)
  • OldLastWriteTime (FILETIME)
  • TimeIntervalToWatchChanges = 10s
Key Features: Real-time monitoring • Cross-platform Windows API • Graceful shutdown • Change detection • Console logging
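The change detection algorithm and the FILETIME layout described above, carried through in an added example that is not RolexHound's own code. On Windows it uses the real FILETIME from windows.h; elsewhere a stand-in with the same two DWORD fields is defined so the logic builds and can be exercised anywhere. monitor_state, detect_changes(), filetime_to_u64(), filetime_from_u64() and filetime_to_unix_seconds() are names chosen for this example; in the real program the two pointers passed to detect_changes() would be &FileData.ftLastAccessTime and &FileData.ftLastWriteTime after each FindFirstFile() call. Two points the example makes explicit: the first poll must be treated as a baseline rather than reported as a change (an uninitialised OldLastAccessTime of zero would otherwise fire immediately), and comparing the joined 64-bit value is the same test as the page's low/high DWORD comparison. As a practical caveat, ftLastAccessTime only moves when the volume's last-access update policy is enabled, so ftLastWriteTime is the dependable signal, and any number of writes inside one 10-second interval collapse into a single detection.

```c
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>           /* real FILETIME, WIN32_FIND_DATA, FindFirstFile */
#else
/* Portable stand-in for the Win32 FILETIME struct (constructed for this example). */
typedef struct _FILETIME {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} FILETIME;
#endif

/* 100-ns intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch). */
#define EPOCH_DIFF_100NS 116444736000000000ULL
#define TICKS_PER_SECOND 10000000ULL

enum { CHANGE_NONE = 0, CHANGE_ACCESS = 1, CHANGE_WRITE = 2 };

/* Monitor state: the program's OldLastAccessTime / OldLastWriteTime plus a
 * flag so the very first poll is a baseline, not a reported change. */
typedef struct {
    FILETIME last_access;
    FILETIME last_write;
    int primed;
} monitor_state;

/* Join the two DWORD halves into one 64-bit tick count; comparing joined
 * values is equivalent to the dwLowDateTime/dwHighDateTime test on the page. */
uint64_t filetime_to_u64(FILETIME ft) {
    return ((uint64_t)ft.dwHighDateTime << 32) | (uint64_t)ft.dwLowDateTime;
}

/* Inverse of the above; used to build sample timestamps. */
FILETIME filetime_from_u64(uint64_t ticks) {
    FILETIME ft;
    ft.dwLowDateTime = (uint32_t)(ticks & 0xFFFFFFFFu);
    ft.dwHighDateTime = (uint32_t)(ticks >> 32);
    return ft;
}

/* Seconds since the Unix epoch, for human-readable logging (0 if before 1970). */
uint64_t filetime_to_unix_seconds(FILETIME ft) {
    uint64_t t = filetime_to_u64(ft);
    return t < EPOCH_DIFF_100NS ? 0 : (t - EPOCH_DIFF_100NS) / TICKS_PER_SECOND;
}

/* One polling step: compare the fresh sample against stored state, store the
 * sample, and return a bitmask of CHANGE_ACCESS / CHANGE_WRITE. */
int detect_changes(monitor_state *st, const FILETIME *access, const FILETIME *write) {
    int flags = CHANGE_NONE;
    if (st->primed) {
        if (filetime_to_u64(st->last_access) != filetime_to_u64(*access)) flags |= CHANGE_ACCESS;
        if (filetime_to_u64(st->last_write)  != filetime_to_u64(*write))  flags |= CHANGE_WRITE;
    }
    st->last_access = *access;
    st->last_write  = *write;
    st->primed = 1;
    return flags;
}

int main(void) {
    /* Constructed samples: 2024-01-01T00:00:00Z, then the same file written
     * 90 seconds later (a write also updates the access time). */
    uint64_t base = EPOCH_DIFF_100NS + 1704067200ULL * TICKS_PER_SECOND;
    FILETIME t0 = filetime_from_u64(base);
    FILETIME t1 = filetime_from_u64(base + 90 * TICKS_PER_SECOND);
    monitor_state st = {{0, 0}, {0, 0}, 0};
    int flags;

    flags = detect_changes(&st, &t0, &t0);   /* baseline: CHANGE_NONE */
    printf("poll 1: flags=%d (baseline)\n", flags);
    flags = detect_changes(&st, &t1, &t1);   /* CHANGE_ACCESS | CHANGE_WRITE */
    if (flags & CHANGE_WRITE)
        printf("poll 2: write detected, last write at unix time %llu\n",
               (unsigned long long)filetime_to_unix_seconds(st.last_write));
    if (flags & CHANGE_ACCESS)
        printf("poll 2: access detected\n");
    return 0;
}
```

Returning a bitmask rather than printing inside the comparison keeps the detection logic testable and lets the caller decide how to log each kind of change; the page's ReadDirectoryChangesW alternative would replace the polling loop but could feed the same detect_changes() state.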