Hey Guys,
 
I am stuck. For some reason, I need to block the Copy feature of the file system on Windows 8. Till Windows 7, SHFileOperation & CopyFile used to do the trick. However, with Windows 8, as I could scan through API Monitor, a new API, CopyFile2, has been used to do the job. So I need to detour CopyFile2.
 
I tried doing this using Detours 2.x & 3.x along with Windows SDK 6.x, 7.x and the Win8 SDK. Following is the code snippet -
HRESULT (WINAPI *Trampoline_CopyFile2)(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters) = CopyFile2;
HRESULT WINAPI Detour_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)
{
    OutputDebugString(L"Inside TrozenCopyFile...");
    return Trampoline_CopyFile2(pwszExistingFileName, pwszNewFileName, pExtendedParameters);
}
 
//Attaching Detour 
DetourAttach( &(PVOID&)Trampoline_CopyFile2, (PVOID)Detour_CopyFile2);
DetourAttach returns 0 (successful), but I do not receive a call to my Trampoline function. I know my DLL is getting loaded in Explorer because other APIs are getting detoured - and I have checked it in Process Explorer too.
 
Does the Microsoft Detours library support Win8 APIs? If yes, am I doing anything wrong? If no, shall I report this as a bug?
 
Help me guys... Full points to anybody who can even hint me...
 
-----------------------------------------------------------------------------------------
Furthermore, I created a sample application that calls CopyFile2. My DLL is getting loaded and DetourAttach is returning 0. However, I am still unable to get traces from Detour_CopyFile2
 
-- Varun
Posted 7-Apr-13 21:26pm
Edited 8-Apr-13 23:40pm
Comments
The_Inventor at 9-Apr-13 1:01am
   
Please show a snippet of the new API showing the new 'CopyFile2' decoration, declaration, and other related CONSTANT_ID_TYPES; that would help us to help you.
Varun Pandey at 9-Apr-13 1:14am
   
Hey @The_Inventor, thanks for the reply, but I am not sure which snippet you want. So please do tell me if I am adding a wrong comment. In the snippet above, *Trampoline_CopyFile2 is the address used for storing the original CopyFile2 function. Detour_CopyFile2 is the function that will replace the original CopyFile2 assembly. If you want me to add the MS declaration and decoration of CopyFile2, here is the link - http://msdn.microsoft.com/en-us/library/windows/desktop/hh449404(v=vs.85).aspx
The_Inventor at 9-Apr-13 1:42am
   
HRESULT WINAPI CopyFile2(
_In_ PCWSTR pwszExistingFileName,
_In_ PCWSTR pwszNewFileName,
_In_opt_ COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters
);
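
As an added example (not code from this thread): a self-contained Detours DLL skeleton for the CopyFile2 hook discussed above, showing the transaction that surrounds DetourAttach and a detour that denies the copy instead of only logging. The protected prefix and the names ShouldBlockCopy, Real_CopyFile2, Hook_CopyFile2 and UpdateHook are assumptions made for illustration.

```cpp
// Added example (not from the thread). The Windows part needs Detours and the
// Windows 8 SDK (_WIN32_WINNT >= 0x0602); the policy function is portable.
#include <cwctype>
#include <cstddef>

// Hypothetical policy: deny copies whose source path starts with this prefix.
static const wchar_t kProtectedPrefix[] = L"C:\\Protected\\";

// Case-insensitive prefix match. Assumes a fully qualified path; it does not
// normalize extended-length prefixes, 8.3 short names or relative paths.
bool ShouldBlockCopy(const wchar_t* source) {
    if (!source) return false;
    for (std::size_t i = 0; kProtectedPrefix[i] != L'\0'; ++i)
        if (std::towlower(source[i]) != std::towlower(kProtectedPrefix[i]))
            return false;
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>

static HRESULT (WINAPI *Real_CopyFile2)(PCWSTR, PCWSTR,
    COPYFILE2_EXTENDED_PARAMETERS*) = CopyFile2;

static HRESULT WINAPI Hook_CopyFile2(PCWSTR src, PCWSTR dst,
                                     COPYFILE2_EXTENDED_PARAMETERS* params) {
    if (ShouldBlockCopy(src)) return HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED);
    return Real_CopyFile2(src, dst, params);
}

// Attach or detach inside one transaction; nothing is patched until Commit.
static LONG UpdateHook(bool attach) {
    LONG rc = DetourTransactionBegin();
    if (rc != NO_ERROR) return rc;
    DetourUpdateThread(GetCurrentThread());
    rc = attach ? DetourAttach(&(PVOID&)Real_CopyFile2, (PVOID)Hook_CopyFile2)
                : DetourDetach(&(PVOID&)Real_CopyFile2, (PVOID)Hook_CopyFile2);
    if (rc != NO_ERROR) { DetourTransactionAbort(); return rc; }
    return DetourTransactionCommit();
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) return UpdateHook(true) == NO_ERROR;
    if (reason == DLL_PROCESS_DETACH) UpdateHook(false);
    return TRUE;
}
#endif
```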

1 solution


Solution 1

You are missing something, as CopyFile2 looks like:
 
HRESULT WINAPI CopyFile2(
  _In_      PCWSTR pwszExistingFileName,
  _In_      PCWSTR pwszNewFileName,
  _In_opt_  COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters
);
HRESULT (WINAPI *Trampoline_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)) = new CopyFile2();
HRESULT WINAPI Detour_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)
{
    OutputDebugString(L"Inside TrozenCopyFile...");
    return Trampoline_CopyFile2(pwszExistingFileName, pwszNewFileName, pExtendedParameters);
}
 
//Attaching Detour 
DetourAttach( &(PVOID&)Trampoline_CopyFile2, (PVOID)Detour_CopyFile2);
Comments
Varun Pandey at 9-Apr-13 3:30am
   
It is just a function pointer that is being stored. Adding (PCWSTR,PCWSTR,COPYFILE2_EXTENDED_PARAMETERS) gives a compiler error saying "Illegal use of this type of expression"
The_Inventor at 10-Apr-13 2:48am
   
Then maybe the new change will work, as it inits a pointer.
HRESULT (WINAPI* Trampoline_CopyFile2( is not the same as
HRESULT (WINAPI CopyFile2(
Varun Pandey at 10-Apr-13 4:56am
   
The sample gives a compiler error for the identifier "CopyFile2". Assigning CopyFile2 to its function pointer doesn't look like an issue, since other APIs are getting detoured correctly by similar methods.
The_Inventor at 10-Apr-13 22:10pm
   
The real problem is that the compiler doesn't understand 'CopyFile2', as it isn't able to ID it. You need to include the header file that contains the code for it. It is like saying:
 
for(I = 0; I < Total; I++;) if you haven't said int I, Total; somewhere before the 'for' statement, then you will get a compiler error. In your case the 'Identifier' is 'CopyFile2', and it can't find the code for the function.
Varun Pandey at 10-Apr-13 23:11pm
   
I suspected that, so I tried the Win 8 SDK, which has the API. So now the compiler understands the API, but I am still unable to get a call on the detoured function...
The_Inventor at 13-Apr-13 2:15am
   
Did you write the CALL_BACK function for it?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
