Installing an API hook against the client and logging seek/read against files of that extension would be a start. That's half the picture, anyway. The other half is a memory scanner that locates what was just read in the client's memory. You can then trace execution from that point.
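As an added example (not part of the original post): once a hook is logging seek/read events, replaying them per handle yields the byte ranges the client actually read and the order it read them in, which are the buffers a memory scan would then look for. The log format, handle numbers and file names below are constructed for illustration and do not come from any real tool.

```python
from collections import defaultdict

# Constructed sample log in a hypothetical format a seek/read hook might emit.
# Assumption: "n" is the byte count the read call actually returned.
SAMPLE_LOG = """\
open h=3 path=assets/world.pak
open h=4 path=config/settings.ini
read h=4 n=200
read h=3 n=16
seek h=3 off=4096 whence=SET
read h=3 n=32
read h=3 n=32
seek h=3 off=16 whence=SET
read h=3 n=48
seek h=3 off=-8 whence=CUR
read h=3 n=8
close h=3
"""

def parse(line):
    """Split 'op k=v k=v' into (op, {k: v})."""
    op, *fields = line.split()
    return op, dict(f.split("=", 1) for f in fields)

def read_ranges(log_text, ext):
    """Return {path: [(start, end), ...]} of byte ranges read from files with
    the given extension, in access order, with sequential reads coalesced."""
    paths, pos = {}, {}            # per-handle file name and current offset
    ranges = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        op, f = parse(line)
        h = f["h"]
        if op == "open":
            if f["path"].lower().endswith(ext):
                paths[h], pos[h] = f["path"], 0
        elif h not in paths:
            continue               # handle belongs to a file we are not tracking
        elif op == "seek":
            off = int(f["off"])
            pos[h] = off if f["whence"] == "SET" else pos[h] + off
        elif op == "read":
            start, end = pos[h], pos[h] + int(f["n"])
            runs = ranges[paths[h]]
            if runs and runs[-1][1] == start:
                runs[-1] = (runs[-1][0], end)   # continues the previous read
            else:
                runs.append((start, end))
            pos[h] = end
        elif op == "close":
            del paths[h], pos[h]
    return dict(ranges)
```

In the sample, the jump from a 16-byte read at offset 0 straight to offset 4096 suggests the first read carries a pointer to a table elsewhere in the file, and the final range is a re-read of bytes already covered.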