Hook windows explorer copyFile2 function with MinHook not works

Question

I try to hook CopyFile2 function, for that I wrote this dll:

#include "..\..\..\minhook-1.3.3\include\MinHook.h"

WCHAR msgbuf[1024];

#define DbgPrint(format, ...) wsprintf(msgbuf, format, __VA_ARGS__); \
                              OutputDebugString(msgbuf);

#if defined _M_X64
#pragma comment(lib, "libMinHook.x64.lib")
#elif defined _M_IX86
#pragma comment(lib, "libMinHook.x86.lib")
#endif

typedef HRESULT(WINAPI *COPY_FILE_2)(
    _In_      PCWSTR                          pwszExistingFileName,
    _In_      PCWSTR                          pwszNewFileName,
    _In_opt_  COPYFILE2_EXTENDED_PARAMETERS   *pExtendedParameters
    );

COPY_FILE_2 fpCopyFile2 = NULL;

HRESULT WINAPI DetourCopyFile2(
    _In_      PCWSTR                          pwszExistingFileName,
    _In_      PCWSTR                          pwszNewFileName,
    _In_opt_  COPYFILE2_EXTENDED_PARAMETERS   *pExtendedParameters
)
{
    DbgPrint(L"=> DetourCopyFile2\n");
    DbgPrint(L"DetourCopyFile2.pwszExistingFileName = %ws\n", pwszExistingFileName);
    DbgPrint(L"DetourCopyFile2.pwszNewFileName      = %ws\n", pwszNewFileName);

    return fpCopyFile2(pwszExistingFileName, pwszNewFileName, pExtendedParameters);
}


void InstallHook()
{    
    DbgPrint(L"=> InstallHook\n");

    // Initialize MinHook.
    if (MH_Initialize() != MH_OK)
    {
        DbgPrint(L"failed MH_Initialize\n");
        return;
    }

    if (MH_CreateHook(&CopyFile2, &DetourCopyFile2, (LPVOID*)&fpCopyFile2) != MH_OK)
    {
        DbgPrint(L"failed MH_CreateHook\n");
    }
    else
    {
        if (MH_EnableHook(&CopyFile2) != MH_OK)
        {
            DbgPrint(L"failed MH_EnableHook\n");
        }
    }
}

HINSTANCE hInstance = NULL;

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        DbgPrint(L"DLL_PROCESS_ATTACH");
        hInstance = hinstDLL;
        DisableThreadLibraryCalls(hInstance);
        InstallHook();
        break;
    }
    return TRUE;
}

When I inject this dll to test prograg its work, and DebugView shows the Messages:

int main()
{
    OutputDebugString(L"=> main");
    printf("inject now");
    getchar();

    CopyFile2(L"", L"", NULL);

    system("pause");
    return 0;
}

I run the CSharpConsole64.exe from Deviare2 project, and I saw that Explorer uses CopyFile2 function to copy files.

My question is why when I inject this DLL into the Windows Explorer I get Only the first messages that the hook was successful, but when I copy a file there are no messages from the detour function in the DebugView? And how can I solve the problem?

I am using Visual Studio 2017 Operating System Windows 10 64 bit.

I also tried Hook ReadFile function and I got messages in debugview but not every time I copied a file, something here is not clear to me what is different in Explorer, any help would be greatly appreciated.

Answer 1

I know it's been a long time since this question was asked. I am answering so that it may be helpful for others.

I have the same problem, tested it with Detours. With the same test program you used I see DebugView messages in hooked CopyFile2 function but explorer.exe does not show any messages in hooked function. Also same as you for explorer.exe I saw that hooking was successful from DetourAttach function in DllMain.

After analyzing call stack of CopyFile2 in explorer.exe using x64dbg, I found that CopyFile2 in kernel32.dll is never called. I realized that both kernel32.dll and kernelbase.dll have a CopyFile2 function with the same signature. I saw that actually CopyFile2 function in kernelbase.dll is called instead of the one in kernel32.dll.

I think your hooking is certainly correct but you are hooking CopyFile2 from kernel32.dll. Since explorer.exe uses CopyFile2 from kernelbase.dll instead of kernel32.dll the hooking function is never called. You need to hook CopyFile2 from kernelbase.dll.

I haven't used MinHook before but it should support hooking a function in a specified module. Detours library has DetourFindFunction to get address of a function in specified module. Or you can try using GetProcAddress.