问题
I need to hook copyfile in order to stop the process whenever a malicious file is being copied. I saw a question asked by Cat Man Do
Hook into the Windows File Copy API from C#
and he mentioned that there is a solution for this problem in c++. I am using embarcadero c++ builder(non-MFC). Is this solution applicable for c++ builder and if it is can anybody post the link or give me a hint on how to hook copyfile in c++?
回答1:
You're not being specific about what you mean by "stop the process" - whether there is a specific process you are interested in, or whether you want to block all file copies throughout the entire system. If you want to block all file copies throughout the system, then what you're looking for is a file system filter driver. This is extremely advanced, since you will be writing a kernel-mode driver. Not for the faint of heart. Note also that you may end up being flagged as malware yourself, since malware will try to hook the file system in order to hide themselves.
回答2:
I recommend using Deviare API hook to do it. You can use its COM objects to intercept CopyFile and CopyFileEx APIs and prevent the call returning ACCESS DENIED in the last error.
来源:https://stackoverflow.com/questions/8201352/hook-into-the-windows-file-copy-api-from-c