api-hook

CopyItems Function Hook crashes

你离开我真会死。 Submitted on 2020-01-05 08:28:25
Question: I am trying to hook the CopyItems function. It works fine, but when I try to call the real CopyItems function from the callback function it crashes. My code is as below; please help me. PVOID GetInterfaceMethod(PVOID intf, DWORD methodIndex) { return *(PVOID*)(*(DWORD*)intf + methodIndex * 4); } typedef HRESULT (WINAPI *CopyItemsNext)(IUnknown *punkItems,IShellItem *psiDestinationFolder); CopyItemsNext Real_CopyItems = NULL; CopyItemsNext Actual_CopyItems; HRESULT WINAPI

minifilter vs. API Hooking for file system operations monitoring \ filtering

别等时光非礼了梦想. Submitted on 2020-01-01 19:41:09
Question: I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options? Answer 1: API hooking (at least in kernel space) is essentially not supported by Microsoft. On x64 (starting from Vista and up)

How to know selected file in C#

孤街浪徒 Submitted on 2019-12-13 18:07:47
Question: I want to build a piece of software. This software will just get the path of the currently selected file. Suppose I click a file on my desktop. Now I want to get the path of this file. So whenever a new selection is made, just get the path of the newly selected file. Any ideas? Answer 1: The Windows Desktop window is a ListView control in the end (at least it was in Windows XP...), so if you need to know the selected item of a ListView you basically need to get the handle of the desktop and check what has been

minifilter vs. API Hooking for file system operations monitoring \ filtering

流过昼夜 Submitted on 2019-12-04 20:32:27
I need to develop an application that monitors, and potentially filters (rejects the calls), file operations. It appears that developing a minifilter is the "standard" solution. Another potential method is using API hooks. Are these relevant solutions? (I read in some places that an API hook may not be suitable, but no explanation was given.) Are there other options? API hooking (at least in kernel space) is essentially not supported by Microsoft. On x64 (starting from Vista and up) PatchGuard will usually kill the machine if it detects SSDT hooking or any change whatsoever in critical

Registry monitoring, including kernel-mode registry accesses?

删除回忆录丶 Submitted on 2019-11-29 02:20:46
I remember for my final year university project I wrote a C# registry monitor; however, when I compared it with the Microsoft ProcessMonitor application (I can't remember its exact name, but it was from a company bought by MSoft), I wasn't capturing as many registry calls. Was this because I was using a C# wrapper and as such it would only have been catching user-mode registry accesses? I used this wrapper: http://www.codeproject.com/KB/DLL/EasyHook64.aspx To catch the kernel-mode registry accesses, would I have to write in C++? Process Monitor is either using a kernel driver or ETW (see below) to

API Hook on a COM object function?

♀尐吖头ヾ Submitted on 2019-11-28 04:13:03
Question: Greetings StackOverflowians, As discovered here, Windows 7 features a bug in which the DISPID_BEFORENAVIGATE2 event does not fire for Windows Explorer instances. This event allows shell extensions to be notified when a navigation is about to take place, and (most importantly for me) have the opportunity to cancel the navigation. I've been looking for a workaround for quite some time, and I think I found one. But I'd like to get some opinions on how safe it is. I've been playing with API

How does SysInternal's ProcessMonitor work?

前提是你 Submitted on 2019-11-27 19:06:06
Could someone please give me a high-level explanation of how they are able to monitor every single registry access? http://technet.microsoft.com/en-us/sysinternals/bb896645 Enough detail so that I could google around the various sub-topics and try to write my own one? I know they've used some sort of DLL injection/API hooking, but I'm unsure how they reached all the kernel-mode activity. It loads a virtual driver on startup which does the monitoring at a low level. So it doesn't have to inject anything into other processes. On http://www.decuslib.com/decus/vmslt00a/nt/filemon.htm there's a short
