I want to say a little about my idea. I want to hook the DeleteFile Win32 API function in explorer.exe to intercept the delete action: if someone deletes a file, a dialog box will pop up to ask for a password. If the password is correct, that person should be able to delete the file; if not, the file will be protected from the unauthorized user.

Firstly, I did the hooking in Win7 and it failed. Then I tried the hooking in WinXP and it worked well, except that when the user chooses Cancel, the file is, in fact, not deleted (that's what I want, because the user cancels his delete operation), but the file is hidden right after the user chooses Cancel from the dialog box. I have to press F5 (refresh the window containing the file) to make it visible again. If I don't do that, the user may think the file is deleted no matter what he chooses from the dialog. It is a little nasty to me. I tested the hooking on a virtual machine installed with Win XP. I hope it should work well on a real machine. But this is not a serious problem to me. I think I've done the hooking successfully in Win XP. My serious problem is with Win 7.

For Win 7, my code can't even create a hook in explorer.exe, because right after LocalHook.Create() is called, explorer.exe is restarted and no exception is raised. Because it is restarted, the hook fails. I tried hooking CreateFile instead (this is from sample code for EasyHook) and the hooking works well (explorer.exe doesn't restart). I don't know why explorer.exe restarts; there is no exception, so it is really difficult for me to know, and even debugging can't help (with my debugging skill). Here is a little of my injected DLL code (the code for the main interface works well, it injects the DLL successfully, because I can see some messages sent from the DLL code, but the DLL code which creates the LocalHook fails):

C#
public void Run(RemoteHooking.IContext icontext, string channel)
{
    try
    {
        mainInterface.ShowStatus("Creating...");
        // It stops here: the main interface receives the reported status 'Creating...' seemingly forever.
        // I understand that is because of the unexpected restart of explorer.exe.
        hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"),
            new DeleteFileHandler(DeleteFileHookInstance),
            this);
        mainInterface.ShowStatus("Completing...");
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
        RemoteHooking.WakeUpProcess();
        mainInterface.ShowStatus("OK");
    }
    catch (Exception ex)
    {
        mainInterface.ShowStatus("CreateHook failed: " + ex.Message);
        System.Diagnostics.Process.GetCurrentProcess().Kill();
    }
    while (true) { System.Threading.Thread.Sleep(500); }
}

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
private static extern int DeleteFile(string filename);

[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
private delegate int DeleteFileHandler(string filename);

private static bool deleted = false;

private int DeleteFileHookInstance(string filename)
{
    if (deleted)
    {
        deleted = false;
        return 1;
    }
    if (MessageBox.Show("Do you really want to delete file " + filename + "?", "Confirm delete file", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes)
    {
        deleted = true;
        return DeleteFile(filename);
    }
    else return 1; // Assume the call is successful
}


Please help me out, your help would be highly appreciated!
Thanks!
Updated 15-Jan-13 1:23am

1 solution

This sort of problem always happens when using hooks. Actually, I don't know the answer. It may be a problem with the CPU architecture or a change in the DeleteFile API in the new version. But I can suggest other ways.

1) You can go for NtSetFileInformation. It is an undocumented API, but you can find the needed info by searching the web. It is one of the lowest APIs in the file deletion process, and it can prevent deletion at an even lower level than DeleteFile.
2) Try to implement ICopyHook:
http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx
http://1code.codeplex.com/workitem/7617
ICopyHook implementation
Using this you can prevent deletion from explorer (ONLY EXPLORER AND WHERE SHELL EXTENSIONS APPLY) without even hooking. Very clean way.

But you may have some difficulties with both ways.

3) The hardest way is to go for drivers. This is not possible in C#.
http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx
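A sketch of the ICopyHook route from option 2, showing the same Yes/No confirmation as the question's hook but vetoing the delete through the Shell instead of patching DeleteFileW. This is an added example, not code from the question or the answer; the class name `DeleteGuardCopyHook` and its CLSID are constructed for illustration, and it assumes a managed assembly loaded into Explorer as a shell extension. The Shell calls copy hook handlers for folder and printer objects only, so this guards folder deletion rather than individual files.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

// ICopyHookW as declared in shlobj.h. The Shell calls CopyCallback before it
// moves, copies, deletes or renames a folder or printer object.
[ComImport, Guid("000214FC-0000-0000-C000-000000000046")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface ICopyHookW
{
    [PreserveSig]
    uint CopyCallback(IntPtr hwnd, uint wFunc, uint wFlags,
        [MarshalAs(UnmanagedType.LPWStr)] string pszSrcFile, uint dwSrcAttribs,
        [MarshalAs(UnmanagedType.LPWStr)] string pszDestFile, uint dwDestAttribs);
}

// Constructed CLSID for this example; generate your own before registering.
// To activate: register the assembly for COM, then add a subkey under
// HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers whose default value
// is this CLSID in braces.
[ComVisible(true), Guid("7C1E5A2B-3D4F-4E6A-9B8C-0123456789AB")]
[ClassInterface(ClassInterfaceType.None)]
public class DeleteGuardCopyHook : ICopyHookW
{
    private const uint FO_DELETE = 0x0003;   // shellapi.h
    private const uint IDYES = 6, IDNO = 7;  // winuser.h

    public uint CopyCallback(IntPtr hwnd, uint wFunc, uint wFlags,
        string pszSrcFile, uint dwSrcAttribs, string pszDestFile, uint dwDestAttribs)
    {
        // Let copy, move and rename proceed untouched.
        if (wFunc != FO_DELETE)
            return IDYES;

        DialogResult answer = MessageBox.Show(
            "Do you really want to delete " + pszSrcFile + "?",
            "Confirm delete",
            MessageBoxButtons.YesNo,
            MessageBoxIcon.Question);

        // IDNO tells the Shell to skip this object, so nothing has to
        // pretend the delete succeeded as the DeleteFileW hook does.
        return answer == DialogResult.Yes ? IDYES : IDNO;
    }
}
```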

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


