DeleteFile hooking with EasyHook succeeds in WinXP but not in Win7?


Problem description




I want to say a little about my idea. I want to hook the DeleteFile Win32 API function in explorer.exe to intercept the deleting action. If someone deletes a file, a dialog box will pop up to ask for a password; if the password is correct, that person should be able to delete the file, and if not, the file will be protected from the unauthorized user.

Firstly, I've done the hooking in Win7 and it failed. Then I tried the hooking in WinXP and it worked well, except that when the user chooses Cancel, the file, in fact, is not deleted (that's what I want because the user cancels his deleting operation), but the file is hidden right after the user chooses Cancel from the dialog box. I have to press F5 (refresh the window containing the file) to make it visible again. If I don't do that, the user may think the file is deleted no matter what he chooses from the dialog. It is a little nasty to me. I tested the hooking on a virtual machine installed with Win XP. I hope it should work well on a real machine. But this is not a serious problem to me. I think I've done the hooking successfully in Win XP. My serious problem is with Win 7.

For Win 7, my code can't even create a hook into explorer.exe, because right after LocalHook.Create() is called, explorer.exe is restarted, and there is no exception raised. Because it is restarted, the hook fails. I tried hooking CreateFile instead (this is from a sample code on EasyHook) and the hooking works well (explorer.exe doesn't restart). I don't know why explorer.exe restarts. There is no exception, so it is really difficult for me to know, and even debugging can't help (with my debugging skill). Here is a little of my injected DLL code (the code for the main interface works well; it injects the DLL successfully, because I can see some messages sent from the DLL code, but the DLL code which creates the LocalHook fails):

public void Run(RemoteHooking.IContext icontext, string channel)
{
    try
    {
        mainInterface.ShowStatus("Creating...");
        // It stops here, the main interface receives the reported status 'Creating...' seemingly forever,
        // I understand that is because of the unexpected restarting of explorer.exe
        hook = LocalHook.Create(LocalHook.GetProcAddress("kernel32.dll", "DeleteFileW"), new DeleteFileHandler(DeleteFileHookInstance), this);
        mainInterface.ShowStatus("Completing...");
        hook.ThreadACL.SetExclusiveACL(new int[] { 0 });
        RemoteHooking.WakeUpProcess();
        mainInterface.ShowStatus("OK");
    }
    catch (Exception ex)
    {
        mainInterface.ShowStatus("CreateHook failed: " + ex.Message);
        System.Diagnostics.Process.GetCurrentProcess().Kill();
    }
    while (true) { System.Threading.Thread.Sleep(500); }
}

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]
private static extern int DeleteFile(string filename);

[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
private delegate int DeleteFileHandler(string filename);
private static bool deleted = false;
private int DeleteFileHookInstance(string filename)
{
    if (deleted)
    {
        deleted = false;
        return 1;
    }
    if (MessageBox.Show("Do you really want to delete file " + filename + "?", "Confirm delete file", MessageBoxButtons.YesNo, MessageBoxIcon.Question) == DialogResult.Yes)
    {
        deleted = true;
        return DeleteFile(filename);
    }
    else return 1; // Assume the call is successful
}








Please help me out, your help would be highly appreciated!
Thanks!
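
An added example, not part of the original post and not EasyHook code: the return-value contract a DeleteFileW replacement has to keep. DeleteFileW returns nonzero only when the file was deleted, so a handler that returns 1 after the user declines reports a deletion that never happened to its caller. `GuardedDelete`, `confirm` and the temp file are hypothetical names for this sketch; it calls the handler body directly instead of installing a hook, and setting the last error from managed code is best effort.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

static class DeleteGuardExample
{
    const uint ERROR_ACCESS_DENIED = 5;

    // The real API: BOOL DeleteFileW(LPCWSTR). Nonzero means the file was deleted.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool DeleteFileW(string lpFileName);

    [DllImport("kernel32.dll")]
    static extern void SetLastError(uint dwErrCode);

    // Hypothetical handler body: 'confirm' stands in for the password dialog.
    static bool GuardedDelete(string path, Func<string, bool> confirm)
    {
        if (confirm(path))
            return DeleteFileW(path);      // pass the real result through unchanged

        SetLastError(ERROR_ACCESS_DENIED); // best effort: give the caller a reason
        return false;                      // report failure, never a fake success
    }

    static void Main()
    {
        string path = Path.GetTempFileName(); // constructed sample file

        // User declines: the file must survive and the call must report failure.
        bool declined = GuardedDelete(path, p => false);
        Console.WriteLine("declined: returned {0}, file exists: {1}",
                          declined, File.Exists(path));

        // User approves: the real DeleteFileW result is returned.
        bool approved = GuardedDelete(path, p => true);
        Console.WriteLine("approved: returned {0}, file exists: {1}",
                          approved, File.Exists(path));
    }
}
```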

Recommended answer

This sort of problem always happens when using hooks. Actually I don't know the answer. It may be a problem with CPU architecture or a change in the DeleteFile API in the new version. But I can suggest other ways.

1) You can go for NtSetFileInformation. It is an undocumented API but you can find the needed info by searching the web. It is one of the lowest APIs in the file deletion process and it can prevent deletion even at a lower level than DeleteFile.
2) Try to implement ICopyHook:
http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx
http://1code.codeplex.com/workitem/7617
ICopyHook implementation
Using this you can prevent deletion from Explorer (ONLY EXPLORER AND WHERE SHELL EXTENSIONS APPLY) without even hooking. Very clean way.

But you may have some difficulties with both ways.

3) The hardest way is to go for drivers. This is not possible in C#.
http://msdn.microsoft.com/en-us/library/windows/hardware/gg462968.aspx

