About hooking SHFileOperation

c++ / delphi package - dll injection and api hooking
Post Reply
leochou0729
Posts: 3
Joined: Tue Nov 02, 2021 2:46 pm

About hooking SHFileOperation

Post by leochou0729 »

Hi,
I need to inject some app and hook the SHFileoperation api. Actually, I need to apply a rule based on each file to decide which one is allowed to be copied. SHFileOperation can copy several file and folders all together, so it’s very hard to handle. I need a lower level API to hook. On Windows 10, SHFileOperation finally calls CopyFile2 on each file, so I just need to hook CopyFile2 instead of SHFileOperation. But on Windows 7, it’s totally a different thing. After using both Procmon and API Monitor, I cannot find which function SHFileOperation calls to implement file copy. I have tested IFileOperation interface, CopyFile, CopyFileEx, etc, but none of them get called. I’m not good at reverse engineering. Can anyone give me some suggedtions? Even unknown private API is OK. Thanks!

Leo
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: About hooking SHFileOperation

Post by iconic »

Older OSes such as XP SHFileOperationW(FO_COPY) would eventually boil down to calling CopyFileExW() - the unicode variant of CopyFileEx()
I've just confirmed it by looking at the ReactOS source code. Anyhow, if you're not hooking the unicode version of that API you can try that first, otherwise IIRC Vista and 7 used a CFileOperation class (COM class)

--Iconic
leochou0729
Posts: 3
Joined: Tue Nov 02, 2021 2:46 pm

Re: About hooking SHFileOperation

Post by leochou0729 »

Hi Iconic,
Thank for your reply.
I have no idea what the CFileOperation class looks like and how to hook its method. I can't find any infomation on the web.
From API monitor, I can see CoCreateInstance is called with this interface id {5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}.
I think it's probably the CFileOperation interface, but I can't find it in header files in the Windows 7 SDK.
I've tried to hook CoCreateInstance in ole32.dll and SHCoCreateInstance in shell32.dll, but both of them are not used to get the CFileOperation interface, which is different from what I see in API monitor.
My code seems correct and it works on Windows 10.

Code: Select all

MadCHook("ole32.dll", "CoCreateInstance", Hook_CoCreateInstance,
                &(PVOID&)g_OriginFunction.m_pfnCoCreateInstance);

const GUID IID_CFILEOPERATION = { 0x5762F2A7, 0x4658, 0x4C7A, 0xA4, 0xAC, 0xBD, 0xAB, 0xFE, 0x15, 0x4E, 0x0D };

HRESULT WINAPI Hook_CoCreateInstance(
    REFCLSID rclsid,
    LPUNKNOWN pUnkOuter,
    DWORD dwClsContext,
    REFIID riid,
    LPVOID FAR* ppv
)
{
    HRESULT hr = g_OriginFunction.m_pfnCoCreateInstance(rclsid, pUnkOuter, dwClsContext, riid, ppv);
    if (SUCCEEDED(hr) &&
        IsEqualIID(riid, IID_CFILEOPERATION) &&
        (nullptr != ppv) &&
        (nullptr != *ppv))
    {
        ctype_IFileOperation *pFO = (ctype_IFileOperation *)(*ppv);
        HookCode(pFO->lpVtbl->Advise, Hook_Advise, &(PVOID&)g_OriginFunction.m_pfnAdvise);
        DbgPrintW(L"IFileOperation::Advise = %x", (PVOID)g_OriginFunction.m_pfnAdvise);
        HookCode(pFO->lpVtbl->MoveItems, Hook_MoveItems, &(PVOID&)g_OriginFunction.m_pfnMoveItems);
        DbgPrintW(L"IFileOperation::MoveItems = %x", (PVOID)g_OriginFunction.m_pfnMoveItems);
        HookCode(pFO->lpVtbl->CopyItems, Hook_CopyItems, &(PVOID&)g_OriginFunction.m_pfnCopyItems);
        DbgPrintW(L"IFileOperation::CopyItems = %x", (PVOID)g_OriginFunction.m_pfnCopyItems);
    }
}
Could you please show me how to do it on Windows 7? Thanks!
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: About hooking SHFileOperation

Post by iconic »

Hello,

Unfortunately I lack the time to help further, I'm currently heavily invested in some fairly large projects and today is yet another typical busy day for me otherwise I'd throw Shell32.dll into IDA and trace it downwards until I hit the definitive copy call. Are you absolutely 100% positive that CopyFileExW() is not being called? Also, this is important, CopyFileExW() exists in 2 different DLLs. kernel32.dll and kernelbase.dll Most kernel32 APIs are simply just forwarded to kernelbase.dll but it's important to make this clear in case the OS is calling CopyFileExW directly from kernelbase and maybe you're only hooking kernel32 which is never actually called.

--Iconic
leochou0729
Posts: 3
Joined: Tue Nov 02, 2021 2:46 pm

Re: About hooking SHFileOperation

Post by leochou0729 »

Hi Iconic,
I've tried to hook related APIs in both kernelbase.dll and kernel32.dll, but none of them get called. I'm very doubt SHFileOperation in win7 uses a publicly known file copy function internally. I've also tried to use IDA pro and windbg to trace the function call, but can't find any clue. The CFileOperation class is undocumented and not return by CoCreateInstance. And its methods are not called on a per file basis.
Anyway, thanks a lot for your suggestion!
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: About hooking SHFileOperation

Post by iconic »

I'm very doubt SHFileOperation in win7 uses a publicly known file copy function internally
You may be correct, I haven't personally checked with Windows 7. But, what begs the questions is.... Why would XP use CopyFileEx() and (according to your initial post) Windows 10 use CopyFile2() which are both documented APIs and exported from kernel32? :D Just something to question is all since Windows 7 falls in the gap of XP and Windows 10.

--Iconic
Post Reply