Why can Detours no longer hook shell32.dll functions in Windows 7+

Question

In Windows XP it was possible to hook explorer with the following shell32 hook:

Real_SHFileOperation = (T_SHFileOperation) DetourFindFunction("shell32.dll", "SHFileOperationW");
nError = DetourAttach(&(PVOID&)Real_SHFileOperation, Detoured_SHFileOperation); 
if(nError != NO_ERROR)
{
    TRACE_ERROR(g_hTrace, "DetourAttach SHFileOperation Failed (%d)", nError);
}

For some reason on Windows 7 this no longer works even though DetourAttach still returns success. All the other hooks that I install (in ntdll.dll for example) still work but the hooks I've created in shell32.dll no longer do.

I attached Windbg to the explorer and ran uf shell32!SHFileOperationW this showed that the function did indeed now jump to my function:

SHELL32!SHFileOperationW:
76239708 e9039658fc      jmp     myhook!Detoured_SHFileOperation (727c2d10)

However, somehow explorer skips right past my detour and into other parts of the SHFileOperation function....

The fact the detour is attached and it still jumps to your function implies the issue is something inside rather than outside your function, does it not? — JAB, Aug 07 '13 at 15:28
If I put a break point in my function it never trips... so no I don't think so. Even if I do something trivial in there such as an OutputDebugString, it never prints. And yet despite this I can see explorer entering the real function in procmon... — Benj, Aug 07 '13 at 15:30

score 1 · Answer 1 · answered Aug 07 '13 at 15:51

1

Hmm,

It appears that what I really should be doing on Windows 7 is hooking the IFileOperation interface:

http://stuani.blogspot.co.uk/2010/01/ifileoperation-hook-under-vistaseven.html

Looks trickier than simple detours hooking but achievable.

answered Aug 07 '13 at 15:51

Benj

31,668
17
78
127

Why can Detours no longer hook shell32.dll functions in Windows 7+

1 Answers1