Hey Guys,

I am stuck. For some reason, I need to block the Copy feature of the file system on Windows 8. Till Windows 7, SHFileOperation & CopyFile used to do the trick. However, with Windows 8, as I could see by scanning through API Monitor, a new API, CopyFile2, is used to do the job. So I need to detour CopyFile2.

I tried doing this using Detours 2.x & 3.x along with Windows SDK 6.x, 7.x and the Win8 SDK. Following is the code snippet:
C++
HRESULT (WINAPI *Trampoline_CopyFile2)(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters) = CopyFile2;
HRESULT WINAPI Detour_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)
{
    OutputDebugString(L"Inside TrozenCopyFile...");
    return Trampoline_CopyFile2(pwszExistingFileName, pwszNewFileName, pExtendedParameters);
}

//Attaching Detour 
DetourAttach( &(PVOID&)Trampoline_CopyFile2, (PVOID)Detour_CopyFile2);

DetourAttach returns 0 (successful), but I do not receive a call to my Trampoline function. I know my DLL is getting loaded in Explorer because other APIs are getting detoured, and I have checked it in Process Explorer too.

Does the Microsoft Detours library support Win8 APIs? If yes, am I doing anything wrong? If no, shall I report this as a bug?

Help me guys... Full points to anybody who can even hint me...

-----------------------------------------------------------------------------------------
Furthermore, I created a sample application that calls CopyFile2. My DLL is getting loaded and DetourAttach is returning 0. However, I am still unable to get traces from Detour_CopyFile2.

-- Varun
Updated 8-Apr-13 22:40pm
Comments
The_Inventor 9-Apr-13 1:01am    
Please show a snippet of the new API showing the new 'CopyFile2' decoration, declaration, and other related CONSTANT_ID_TYPES; it would help me to help you.
Varun Pandey 9-Apr-13 1:14am    
Hey @The_Inventor, thanks for the reply, but I am not sure which snippet you want. So please do tell me if I am adding a wrong comment. In the snippet above, *Trampoline_CopyFile2 is the address used for storing the original CopyFile2 function. Detour_CopyFile2 is the function that will replace the original CopyFile2 assembly. If you want me to add the MS declaration and decoration of CopyFile2, here is the link - http://msdn.microsoft.com/en-us/library/windows/desktop/hh449404(v=vs.85).aspx
The_Inventor 9-Apr-13 1:42am    
HRESULT WINAPI CopyFile2(
_In_ PCWSTR pwszExistingFileName,
_In_ PCWSTR pwszNewFileName,
_In_opt_ COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters
);

1 solution

You are missing something, as CopyFile2 looks like:

HRESULT WINAPI CopyFile2(
  _In_      PCWSTR pwszExistingFileName,
  _In_      PCWSTR pwszNewFileName,
  _In_opt_  COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters
);

HRESULT (WINAPI *Trampoline_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)) = new CopyFile2();
HRESULT WINAPI Detour_CopyFile2(PCWSTR pwszExistingFileName, PCWSTR pwszNewFileName, COPYFILE2_EXTENDED_PARAMETERS *pExtendedParameters)
{
    OutputDebugString(L"Inside TrozenCopyFile...");
    return Trampoline_CopyFile2(pwszExistingFileName, pwszNewFileName, pExtendedParameters);
}
 
//Attaching Detour 
DetourAttach( &(PVOID&)Trampoline_CopyFile2, (PVOID)Detour_CopyFile2);
 
Comments
Varun Pandey 9-Apr-13 3:30am    
It is just a function pointer that is being stored. Adding (PCWSTR,PCWSTR,COPYFILE2_EXTENDED_PARAMETERS) gives a compiler error saying "Illegal use of this type of expression"
The_Inventor 10-Apr-13 2:48am    
Then maybe the new change will work, as it inits a pointer.
HRESULT (WINAPI* Trampoline_CopyFile2( is not the same as
HRESULT (WINAPI CopyFile2(
Varun Pandey 10-Apr-13 4:56am    
The sample gives a compiler error for the identifier "CopyFile2". Assigning CopyFile2 to its function pointer doesn't look like an issue, since other APIs are getting detoured correctly by similar methods.
The_Inventor 10-Apr-13 22:10pm    
The real problem is that the compiler doesn't understand 'CopyFile2', as it isn't able to ID it. You need to include the header file that contains the code for it. It is like saying:

for(I = 0; I < Total; I++) if you haven't said int I, Total; somewhere before the 'for' statement, then you will get a compiler error. In your case the 'Identifier' is the 'CopyFile2', and it can't find the code for the function.
Varun Pandey 10-Apr-13 23:11pm    
I suspected that, so I tried the Win 8 SDK, which has the API. So now the compiler understands the API, but I am still unable to get a call on the detoured function...

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


