Re: Hooking to stop file move(ment)

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Will do (post pseudo code), but first...

I do believe that my hooking function is actually being invoked; in one of
my tests I attempted to write a text string out to a file from inside the
hooking function. The text string was written in the file. So it seems that
it is calling my function. Something just appears to crash after I call the
real MoveFileW function.
About the function prototype (I'll include it below), the I believe real
MoveFileW function prototype receives two long pointers to unicode strings.
In theory, couldn't I use any type of long pointer to pass the data along,
even an LPVOID if I were so inclined (btw, tried LPVOID and it didn't fix the
crashing either)?

Here's some 'pseudo'code, if you need more detail let me know.

//Declare Pointer type/variables for MoveFileW Functions
typedef BOOL (CALLBACK* PFNMOVEFILEWFUNC)(LPCWSTR, LPCWSTR);
PFNMOVEFILEWFUNC g_pfnMoveFileWOrig = NULL;
PFNMOVEFILEWFUNC g_pfnMoveFileWHooked = NULL;

LoadLibrary(psapi.dll)

Get Proc Address of EnumProcesses, EnumProcessModules and GetModuleFileNameA

Open Current process for QUERY_INFORMATION | VM_READ

Call EnumProcessModules

//Get Orig Function Address
g_pfnMoveFileWOrig =
(PFNMOVEFILEWFUNC)GetProcAddress(GetModuleHandle("Kernel32.dll"),
"MoveFileW");

//Get Hooked Function Address
g_pfnMoveFileWHooked =
(PFNMOVEFILEWFUNC)GetProcAddress(GetModuleHandle("HookLib_Kernel32.dll"),
"MyMoveFileW");

Loop through all Modules (skipping HookLib_Kernel32.dll and Kernel32.dll)
For each module
Get pointer to import descriptor (using ImageDirectoryEntryToData)
Loop through all Names in import descriptor (looking for Kernel32.dll)
If Kernel32.dll found
//Get IAT
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)( (PBYTE)
hModuleArray[dwIndex] + pImportDesc->FirstThunk );
//Loop through all Thunks looking for function with address of
//g_pfnMoveFileWOrig
while(pThunk->u1.Function)
{
PROC* ppfn = (PROC*) &pThunk->u1.Function;
if(*ppfn == (PROC)g_pfnMoveFileWOrig
{
//Get MEMORY_BASIC_INFORMATION for ppfn (use VirtualQuery)
//Change memory protection to PAGE_READWRITE (using
VirtualProtect)
//Hook Function
*ppfn = (PROC)*g_pfnMoveFileWHooked;
//Restore memory protection
}
pThunk++;
}

That about does it for how I hook the function...my Hooking function
definition is below.


HOOKLIB_KERNEL32_API BOOL MyMoveFileW(LPCWSTR lpExistingFileName, LPCWSTR
lpNewFileName)
{
/*
char szBuf[1024];

ZeroMemory(szBuf, sizeof(szBuf));
if( (g_pfLogging = fopen("C:\\OIGHookingLog.log", "a+")) != NULL)
{
fwprintf(g_pfLogging, "\nMoveFileW Called. Params: %s, %s\n", (const
wchar_t *)lpExistingFileName, (const wchar_t *)lpNewFileName);
fclose(g_pfLogging);
g_pfLogging = NULL;
}
*/
return g_pfnMoveFileWOrig(lpExistingFileName, lpNewFileName);
}

One last quick thought... I use fprintf throughout the entire process to
facilitate logging. Could that have something to do with the crashing?
Since fprintf is part of the VC++ run-time library? I'm not really thinking
so, but it's a thought.

Thanks again for your assistance!

Civel

"Scherbina Vladimir" wrote:

> "Civel" <Civel@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:9E64AC0F-7765-4464-91E7-7ECA4CEF0B01@xxxxxxxxxxxxxxxx
> > Just realized that explorer.exe DOES import MoveFileW from Kernel32.dll.
> > I
> > injected my Hooking DLL into explorer.exe, hooked MoveFileW and everything
> > worked fine....UNTIL I tried to move a file. Then explorer crashed and
> > restarted itself. So, new question... any thoughts on why my hook is
> > crashing explorer?
>
> It depends on HOW you hook MoveFileW, and your hook code.
>
> > Could it have something to do with the fact that my hooking dll is not
> > compiled with Unicode support? I wouldn't think that would matter (after
> > all, I'm simply passing along the pointer to the wchar string), but I
> > could
> > be wrong.
>
> No, the only thing you need to care in this way is that your hooking
> function prototype is exactly the same as MoveFileW.
>
> > Unfortunately, I don't have my code with me right now...so in lieu of
> > posting actual code (which is long anyway), I can say that the exported
> > function that I'm using to hook MoveFileW ONLY calls the pointer that I've
> > stored to the real MoveFileW function (passing in the appropriate
> > arguments
> > of course). I've also tried to not call the real MoveFileW function, just
> > return true from my hook function; unfortunately, that didn't work either.
>
> > Any suggestions???
>
> I guess the problem is not in your hooking function code, I even think that
> your functions is not invoked, because returning true in it should not cause
> crush of explorer.exe.
>
> Try to post (pseudo)code that determines adress of MoveFileW, and hooks it.
>
> > Civel
> >
> > "Civel" wrote:
> >
> >> I'm working on a solution to prevent my users from inadvertantly moving
> >> files/folders through Windows Explorer and My Computer. Ideally, my
> >> application will display a confirmation prompt when users attempt to move
> >> a
> >> file/folder through either of the two avenues mentioned above.
> >>
> >> I believe I can accomplish this through api hooking, but haven't quite
> >> nailed down the details yet. I understand how to inject my hooking dll
> >> into
> >> another process and hook whatever functions I need. I'm currently
> >> working on
> >> the assumption that I need to inject my hooking dll into explorer.exe to
> >> intercept the file movement function calls, but I cannot determine what
> >> function(s) to hook from there. explorer.exe doesn't appear to import
> >> any of
> >> the file movement functions from shell32 or kernel32.
> >>
> >> Am I on the right track with attempting to inject into explorer.exe, or
> >> should I be going after another process? Also, what functions do I need
> >> to
> >> hook from whatever process I inject into? Any guidance anyone could
> >> offer
> >> would be greatly appreciated!
> >>
> >> Also, please note that users must retain rights to perform normal
> >> operations
> >> on the files (read/write/delete/etc). Therefore, I don't believe that
> >> restricting access to prevent movement of these files is really the
> >> direction
> >> I'm looking to go.
> >>
> >> Civel
>
> --
> [Scherbina Vladimir]
>
>
>
.

Relevant Pages

  • Re: Hooking to stop file move(ment)
    ... > I do believe that my hooking function is actually being invoked; ... > MoveFileW function prototype receives two long pointers to unicode ... > Get pointer to import descriptor ... > That about does it for how I hook the function...my Hooking function ...
    (microsoft.public.win32.programmer.kernel)
  • Re: SysHook and STATUS_ACCESS_VIOLATION
    ... > Excuse me you claim Microsoft has a hooking library, ... Once you hook you can never unhook! ... > Don Burn (MVP, Windows DDK) ... >> So, before write so much STUPID, probably you have to listen my answer, ...
    (microsoft.public.development.device.drivers)
  • Re: How to avoid that a key can be hold down
    ... CallNextHookEx Hook, ncode, wParam, ByVal lParam ... But you must realise that any hooking of this kind is ... when running hooking code in the IDE any error ...
    (comp.lang.basic.visual.misc)
  • Re: stop sounds of a different process
    ... using detour library i managed to cause the application i'm hooking not to ... which supports both (waveOut and direct sound) so it works fine (this is just ... my hook) i do not perform the actual write and just return MMSYSERR_NOERROR, ...
    (microsoft.public.win32.programmer.directx.audio)
  • Re: SysHook and STATUS_ACCESS_VIOLATION
    ... The kernel function is ... > NTSTATUS MyZwOpenKey(IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess, ... >> Excuse me you claim Microsoft has a hooking library, ... Once you hook you can never unhook! ...
    (microsoft.public.development.device.drivers)