Solved

Intercepting file operations (Madshi?)

Posted on 2003-11-18
Last Modified: 2010-08-05
Short question: How can I prevent the user from deleting a file (system wide)?

More elaborate question: This is for a program that's going to be used in kiosk mode (lan house, etc). There's an interface which limits the programs that the user can open, and he can't use alt+tab or ctrl+alt+del or the Windows key. However, the user can just open any available program (Internet Explorer, the Office suite) that has a file open/save menu and he will have access to the explorer shell (enough access to move stuff around and delete files). What I want to do is to intercept file operations (especially deletion) and deny the action. I tried doing this with hooks (DeleteFileA, DeleteFileW, SHFileOperation), but it didn't work. Works fine for programs, but the explorer shell can still delete the files.

The intended platform is Windows XP, but in the future I'd like to make it work with Win98 also, so setting user permissions doesn't seem like a very good idea.
Question by:TJ_The_Dude
24 Comments
 
LVL 5

Accepted Solution

by:
DeerBear earned 125 total points
ID: 9777148
Hi,

Use a copy hook. You can find an example in the DelphiX/Demos folder, where X stands for the version.

HTH,

Andrew
0
 

Author Comment

by:TJ_The_Dude
ID: 9778071
Copy hooks only work for folders, not files.
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778184
Hi,

It's been a long time since I last used COM that way, but are you sure they're not suited?
I remember having written a copy hook which required a password to copy a certain
file... anyway, if you're really sure...

Cheers,

Andrew
0
 
LVL 6

Assisted Solution

by:GloomyFriar
GloomyFriar earned 125 total points
ID: 9778431
The best way to solve the task is writing a driver.
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778518
Gloomy,

To tell the truth, there's *no* real way to completely solve the issue.
Even with a driver, it would be enough to use a LiveCD edition of Linux and
anyone would be able to do basically anything on the computer, through
terminal and/or GUI.

Even if NTFS partitions can't be written to from Linux as of now (which I
believe won't last long), it is nevertheless possible (if I'm not wrong) to
delete files from them.

Thus the issue has no definite solution.

But since the PC is already heavily patched in order to avoid some tasks,
I believe a driver would really be overkill.

All this, obviously, imho.

HTH,

Andrew
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9778589
;-)
So, TJ_The_Dude, don't even try to do it! ;-)))
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778619
LOL

U nasty! ;-)

Andrew
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9778634
>To say the truth there's *no* real way to completely solve the issue.
By the way, you can write your own FS. ;-) It's possible ;-)
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9778809
LOL

Well, if you wanna know, I'm thinking of writing a new OS <g>.

But that's another matter... <g>.

Andrew
0
 

Expert Comment

by:TJHaeser
ID: 9779477
So... no cigar? I'm off to trying to monitor API calls made by Explorer.exe when deleting a file...

Still waiting...
0
 

Expert Comment

by:TJHaeser
ID: 9779556
I think my problem is that Explorer probably uses kernel mode functions like NtDeleteFile and ZwDeleteFile
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9779572
LOL,

I told you: if you have D6/7, try looking at the Sample components.
I found an API some time ago that allowed this kind of monitoring.

HTH,

Andrew

P.S. Maybe it's the fact I am a bit tired, but I felt your message as
rude... again, I may be misunderstanding, but that's the way I felt it.

You've been given LOTS of information on file deletions, along with
lots of useless (for you) info. :-)

HTH,

Andrew
0
 

Author Comment

by:TJ_The_Dude
ID: 9780579
I didn't mean to be rude in my previous comments, nor could I sense any offensiveness by re-reading my posts. Anyway, I've checked and double checked, and copy hook extensions can only monitor folders.
0
 

Author Comment

by:TJ_The_Dude
ID: 9780650
And the TShellChangeNotifier (or anything using the SHChangeNotify API) will only notify you of changes or deletions AFTER they've taken place - no use for me.
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9781227
>copy hook extensions can only monitor folders.
Then write your own hook ;-)
0
 

Author Comment

by:TJ_The_Dude
ID: 9781259
What do you mean?

BTW, are 500 points not enough?
0
 
LVL 5

Expert Comment

by:DeerBear
ID: 9785160
Hi,

Use API SHChangeNotify :-)

That API notifies you when a file's being deleted, among other things, but I'm unsure if you can
stop the deletion process.

HTH,

Andrew
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9787994
>What do you mean?
I mean that you need
1. A system-wide hook on all file APIs that allow deleting a file.
OR
2. A driver

0
 
LVL 20

Assisted Solution

by:Madshi
Madshi earned 125 total points
ID: 9797720
Yep, either write a driver or do system-wide API hooking. GloomyFriar is right there.

I'm not sure how the XP's explorer deletes files. I would start by hooking DeleteFileA/W and SHFileOperation. But it seems you've already tried that. The next try would be to hook NtCreateFile/NtOpenFile + NtSetFileInformation. This is the more low level way of deleting files. With NtSetFileInformation you can do all sorts of things, including renaming and deleting files.

Btw, are you talking about deleting files or about moving files to the recycle bin? What I've talked about was really deleting files. Moving files to the recycle bin is a different beast again...

P.S: Since you mentioned me in your question title, I guess you're already using madCodeHook, so I don't need to mention it, right?   :-)
0
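The decision a hook callback on ntdll's NtSetInformationFile (the function the thread calls NtSetFileInformation) has to make, as an added example that is not code from the thread or from madCodeHook: recognise the delete-disposition and rename requests and refuse them, passing everything else to the original function. Installing the hook is left to the hooking library; the names IsDeleteOrRename, HookedNtSetInformationFile and NextNtSetInformationFile are assumptions, and the buffers in the main block are constructed samples.

```delphi
program DenyDeleteFilter;
{$APPTYPE CONSOLE}
uses
  Windows;

const
  // FILE_INFORMATION_CLASS values from the Windows DDK headers
  FileBasicInformation       = 4;
  FileRenameInformation      = 10;
  FileDispositionInformation = 13;
  STATUS_ACCESS_DENIED       = LongInt($C0000022);
type
  TNtSetInformationFile = function(FileHandle: THandle; IoStatusBlock,
    FileInformation: Pointer; Length, InfoClass: ULONG): LongInt; stdcall;
var
  // Assumption: the hooking library stores the original ntdll entry point here.
  NextNtSetInformationFile: TNtSetInformationFile;

// True when the request marks the file for deletion or renames/moves it.
function IsDeleteOrRename(Info: Pointer; Length, InfoClass: ULONG): Boolean;
begin
  case InfoClass of
    FileDispositionInformation: // buffer is one BOOLEAN: DeleteFile
      Result := (Info <> nil) and (Length >= 1) and (PByte(Info)^ <> 0);
    FileRenameInformation:
      Result := True;
  else
    Result := False;
  end;
end;

// Hook callback: deny delete/rename, pass every other request through.
function HookedNtSetInformationFile(FileHandle: THandle; IoStatusBlock,
  FileInformation: Pointer; Length, InfoClass: ULONG): LongInt; stdcall;
begin
  if IsDeleteOrRename(FileInformation, Length, InfoClass) then
    Result := STATUS_ACCESS_DENIED
  else
    Result := NextNtSetInformationFile(FileHandle, IoStatusBlock,
      FileInformation, Length, InfoClass);
end;

var
  Flag: Byte;
begin
  Flag := 1; // constructed FILE_DISPOSITION_INFORMATION with DeleteFile = TRUE
  Writeln('DeleteFile=TRUE  denied: ', IsDeleteOrRename(@Flag, 1, FileDispositionInformation));
  Flag := 0; // constructed buffer that clears the delete flag
  Writeln('DeleteFile=FALSE denied: ', IsDeleteOrRename(@Flag, 1, FileDispositionInformation));
  Writeln('basic info       denied: ', IsDeleteOrRename(nil, 0, FileBasicInformation));
end.
```

As written the filter refuses deletion and renaming of every file in the hooked process, temporary files included; limiting it to protected paths means resolving the file handle to a name first, which this sketch does not do.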
 

Author Comment

by:TJ_The_Dude
ID: 9798429
Yup :-)

The thing is, if I block all those deletion functions, every other program I've tried is unable to delete files, EXCEPT Explorer.exe (= the shell).

I did some monitoring and it indeed uses the NtSetFileInformation function. I'll take a look at it. Oh, and if it turns out to be the one I need to hook, I'll give ya the points.
0
 

Expert Comment

by:easysoft_studios
ID: 10426424
Hi

I was wondering how you do this in code? I have the exact same problem, and would like to know if your solution could help me too :)

Best regards
 Jonas
0
 
LVL 3

Assisted Solution

by:Bijith
Bijith earned 125 total points
ID: 10438330
try this


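unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  // Strongest lock that could be obtained on the file
  TFileLockType = (ltNone, ltQuery, ltReadOnly, ltReadWrite);
  TForm1 = class(TForm)
    Button1: TButton;
    OpenDialog1: TOpenDialog;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  FFileLockHandle: THandle;      // handle kept open to hold the lock
  FFileLockType: TFileLockType;

implementation

{$R *.DFM}

// Opens FileName and returns the handle in AHandle. While a handle whose
// share mode omits FILE_SHARE_DELETE stays open, other opens that ask for
// delete access (needed to delete or rename the file) fail.
function LockFile(const FileName: string; var AHandle: THandle): TFileLockType;
begin
  // First try: read/write access, others may only read
  Result := ltReadWrite;
  AHandle := CreateFile(PChar(FileName), GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if AHandle = INVALID_HANDLE_VALUE then
  begin
    // Second try: read access, others may read and write but still not delete
    Result := ltReadOnly;
    AHandle := CreateFile(PChar(FileName), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil,
      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if AHandle = INVALID_HANDLE_VALUE then
    begin
      // Last resort: query-only handle. It shares delete access, so it does
      // not protect the file from deletion.
      Result := ltQuery;
      AHandle := CreateFile(PChar(FileName), 0, FILE_SHARE_READ or FILE_SHARE_WRITE or FILE_SHARE_DELETE, nil,
        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
      if AHandle = INVALID_HANDLE_VALUE then
        Result := ltNone;
    end;
  end;
end;

procedure UnLockFile;
begin
  // Close only a real handle (0 = never locked, INVALID_HANDLE_VALUE = lock failed)
  if (FFileLockHandle <> 0) and (FFileLockHandle <> INVALID_HANDLE_VALUE) then
    CloseHandle(FFileLockHandle);
  FFileLockHandle := 0;
  FFileLockType := ltNone;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  // The handle stays open (and the file stays locked) until UnLockFile is called
  if OpenDialog1.Execute then
    FFileLockType := LockFile(OpenDialog1.FileName, FFileLockHandle);
end;

end.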
0
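What the LockFile approach in the answer above relies on, shown as an added example (not code from the original post): while a handle whose share mode omits FILE_SHARE_DELETE is open, a delete attempt fails with a sharing violation, because the sharing check is made by the kernel when the deleting handle is opened. The file name share_lock_demo.txt and the helper names HoldAgainstDelete and TryDelete are assumptions; the sample file is constructed in the temp directory.

```delphi
program ShareModeLockDemo;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

// Open Name with a share mode that omits FILE_SHARE_DELETE, so no other
// handle can be granted delete access while this one stays open.
function HoldAgainstDelete(const Name: string): THandle;
begin
  Result := CreateFile(PChar(Name), GENERIC_READ, FILE_SHARE_READ, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
end;

// Try to delete Name and return the Win32 error code (ERROR_SUCCESS = deleted).
function TryDelete(const Name: string): DWORD;
begin
  if Windows.DeleteFile(PChar(Name)) then
    Result := ERROR_SUCCESS
  else
    Result := GetLastError;
end;

var
  Dir, Name: string;
  Len: DWORD;
  H: THandle;
  F: TextFile;
begin
  // Constructed sample file in the user's temp directory.
  SetLength(Dir, MAX_PATH);
  Len := GetTempPath(MAX_PATH, PChar(Dir));
  SetLength(Dir, Len);
  Name := Dir + 'share_lock_demo.txt';
  AssignFile(F, Name); Rewrite(F); Writeln(F, 'sample'); CloseFile(F);

  H := HoldAgainstDelete(Name);
  if H = INVALID_HANDLE_VALUE then
  begin
    Writeln('open failed, error ', GetLastError);
    Halt(1);
  end;
  Writeln('ERROR_SHARING_VIOLATION is ', ERROR_SHARING_VIOLATION);
  Writeln('delete while handle is held: error ', TryDelete(Name));
  CloseHandle(H);
  Writeln('delete after CloseHandle:    error ', TryDelete(Name));
end.
```

The protection lasts only while the locking process is running and holds the handle, and it covers only the files that were opened explicitly.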
