Hooking Windows Explorer (managed code)

Nov 28, 2011 at 11:51 AM

Hi all,

similiar to the FileMo example, I tried to hook CopyFileEx / CopyFile calls out of the windows explorer. However, I get no calls add all.

Does anyone has an idea?

 

 

delegate Boolean DCopyFile (String ExistingFileName, String NewFileName, bool FailIfexists);

 

[DllImport("kernel32.dll" )]

static extern bool CopyFile(string lpExistingFileName, string lpNewFileName, bool bFailIfExists);

 

Greeting,

Franz

Nov 30, 2011 at 9:10 PM

Did you have other hooks working?

Did you try to print something from this hook?

Dec 2, 2011 at 4:47 PM

Hi,

the FileMonitor example (using CreateFileW) works definitely. I also found out that CopyFile form kernel32 is never called by the Windows Explorer. Instead, the user32 SHFileOperation function is called. So I changed my example to make a hook for the SHFileOperation but it also did not work. Interestingly, I also  found out that deleteFileA/deleteFileW (Kernel32) did also not work. I am not sure what I did wrong. Does anyone has an idea or can give me a hint?

Kind regards,

Franz

Dec 3, 2011 at 6:04 PM
Edited Dec 4, 2011 at 3:05 PM

I explored the same a few years back.  My conclusion was Windows Explorer in Windows Vista/7 does not use both the API CopyFile and SHFileOperation.  It uses ZwCreateFile/NtCreateFile to open the src/dest file and ZwReadFile/NtReadFile/ZwWriteFile/NtWriteFile to copy the file.  

Mar 7, 2012 at 2:58 AM

I tried hooking with Deviare API hook the CreateFileW and ReadFile APIs and they are called mostly through shell32.dll in Windows Explorer but I do see these calls. If you use Process Monitor you can verify in the stack trace many calls from CreateFileW APIs and ReadFile. Of course its a bit slow to look since you have to watch stack for each call looking for the call that isn't kernel related.

Regards.