madshi.net

Rootmanager · Joined: 13 Jun 2008 Posts: 12

I want to prevent from deleing important file from user.
So i hook the DeleteFileA and DeleteFileW API.
It Works good When i trying to delete file in the ms explorer.

But When i tring to delete file with OS Recycle Bin active status.
My code does not work.
I think MS Windows does not use DeleteFileA/W API, When file move to Recyle Bin.
I know if i did not use Recyle Bin on the MS OS, My code will work.

But i want to trap file delete action , although file move to Recyle Bin.

Does anybody know What API should i hook ?

Please, Give me a idea.

Thanks.

TiLT · Joined: 12 Jun 2008 Posts: 2

Is it so hard to check the exports of ntdll?

mikec · Joined: 16 Jul 2006 Posts: 166 Location: UK

What you're trying to do is difficult. I had the same problem ages ago and i worked on it for a month before coming up with a better solution.

I would suggest looking at the native API's instead of the Win32 ones. If i remember rightly, when i traced this, the system used NtDeleteFile but it also called NtQueryInformationFile and NtSetInformationFile in certain circumstances..

HTH

Mike

Rootmanager · Joined: 13 Jun 2008 Posts: 12

Thank you. I'll try. very happy

madshi · Site Admin Joined: 21 Mar 2004 Posts: 5908

NtSetInformationFile sounds like the most promising API to me. It's used for both renaming/moving and deleting file, if I remember correctly.

dcsoft · Posted: Sat Jul 12, 2008 6:14 pm Post subject:

SHFileOperation() is used to recycle a file. I'm not sure there are any more API's that also do, so hooking an Nt() function as suggested may be more reliable.

-- David