Not a terribly good question, sorry.
I have a program that should be notified when a file is opened from Windows Explorer (i.e. ShellExecute(A/W) is called).
Unfortunately, Microsoft removed the COM interface (IShellExecuteHook) that allowed you to intercept these events in Vista, possibly because old code could crash due to the changes. A workaround was created to enable this feature again, but it no longer works.
I did some research, and it seems the only way to catch ShellExecute calls is to intercept the call into shell32.dll. At the moment I am considering injecting my own DLL into the explorer process, then copying the IAT entry for ShellExecute to some allocated location in my DLL, and finally changing the IAT entry for ShellExecute to point to my function, which will notify the program which file was opened and then jump to the original ShellExecute function, whose address we saved earlier.
My biggest problem here is antivirus software. Will it care about what I inject into explorer? Will it care that I change the IAT?
Another issue is whether it is safe; is it possible (or even likely) that explorer's security prohibits injection through CreateRemoteThread? If so, is there a better way to do this injection?
Is there a better way to do this overall?
EDIT: for anyone facing this in the future, explorer.exe does not have an IAT for shell32.dll; it has a header, but the thunk is full of garbage values, so there is (as far as I can tell) no way to get an entry for any imported function.
Tunneling seems to be the only way to hook this.
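Added example, not from the question above or any answer to it: before reasoning about what an IAT modification in a process could or could not reach (or when triaging a claim like the one in the EDIT), a defender usually wants to know through which directory a binary actually imports a given DLL. A module can reach shell32.dll either through the regular import directory (thunks filled with real function addresses at load time) or through the delay-load directory (thunks that initially hold addresses of loader stubs inside the image itself, so they do not point into shell32.dll until first use). The script below is a minimal, dependency-free PE import parser that distinguishes the two; `build_sample_pe()` is a constructed 32-bit image used as input so the script runs offline, and `classify_import` is a helper name chosen here, not a Windows API.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13


def _rva_to_off(data, nt, rva):
    """Translate an RVA to a file offset using the section table."""
    nsec = struct.unpack_from('<H', data, nt + 6)[0]
    opt_size = struct.unpack_from('<H', data, nt + 20)[0]
    sec = nt + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', data, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError('RVA 0x%x is not backed by any section' % rva)


def _cstr(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii')


def _thunk_names(data, nt, rva, ptr_size):
    """Walk a null-terminated thunk array and return imported names (or #ordinals)."""
    fmt = '<Q' if ptr_size == 8 else '<I'
    ordinal_flag = 1 << (ptr_size * 8 - 1)
    off, names = _rva_to_off(data, nt, rva), []
    while True:
        entry = struct.unpack_from(fmt, data, off)[0]
        if entry == 0:
            return names
        if entry & ordinal_flag:
            names.append('#%d' % (entry & 0xffff))
        else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the ASCII name
            names.append(_cstr(data, _rva_to_off(data, nt, entry) + 2))
        off += ptr_size


def parse_imports(data):
    """Return {'import': {dll: [names]}, 'delay': {dll: [names]}} for a PE file image."""
    nt = struct.unpack_from('<I', data, 0x3c)[0]
    if data[:2] != b'MZ' or data[nt:nt + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    magic = struct.unpack_from('<H', data, nt + 24)[0]
    ptr_size = 8 if magic == 0x20b else 4                       # PE32+ vs PE32
    image_base = struct.unpack_from('<Q' if ptr_size == 8 else '<I', data,
                                    nt + 24 + (24 if ptr_size == 8 else 28))[0]
    dirs = nt + 24 + (112 if ptr_size == 8 else 96)            # start of data directories
    result = {'import': {}, 'delay': {}}
    rva = struct.unpack_from('<I', data, dirs + IMAGE_DIRECTORY_ENTRY_IMPORT * 8)[0]
    if rva:
        off = _rva_to_off(data, nt, rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; a zero Name ends the list
            oft, _, _, name_rva, ft = struct.unpack_from('<IIIII', data, off)
            if name_rva == 0:
                break
            dll = _cstr(data, _rva_to_off(data, nt, name_rva)).lower()
            result['import'][dll] = _thunk_names(data, nt, oft or ft, ptr_size)
            off += 20
    rva = struct.unpack_from('<I', data, dirs + IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT * 8)[0]
    if rva:
        off = _rva_to_off(data, nt, rva)
        while True:  # IMAGE_DELAYLOAD_DESCRIPTOR is 32 bytes; a zero DllNameRVA ends the list
            attrs, name_rva, _, _iat, intab = struct.unpack_from('<IIIII', data, off)
            if name_rva == 0:
                break
            fix = (lambda v: v) if attrs & 1 else (lambda v: v - image_base)  # old VA-based form
            dll = _cstr(data, _rva_to_off(data, nt, fix(name_rva))).lower()
            result['delay'][dll] = _thunk_names(data, nt, fix(intab), ptr_size)
            off += 32
    return result


def classify_import(data, dll):
    """'import', 'delay-load' or 'absent' for the given DLL name (case-insensitive)."""
    found = parse_imports(data)
    dll = dll.lower()
    return 'import' if dll in found['import'] else 'delay-load' if dll in found['delay'] else 'absent'


def build_sample_pe():
    """Constructed PE32 image (not a real binary): kernel32 via the import directory,
    shell32 via the delay-load directory, one .rdata section at RVA 0x1000 / offset 0x200."""
    sec_rva, sec_off, body = 0x1000, 0x200, bytearray()

    def put(b):  # append to the section and return the RVA of the appended bytes
        rva = sec_rva + len(body)
        body.extend(b)
        return rva
    k32, sh32 = put(b'kernel32.dll\0'), put(b'shell32.dll\0')
    gpa, sew = put(b'\0\0GetProcAddress\0'), put(b'\0\0ShellExecuteW\0')
    k32_int, k32_iat = put(struct.pack('<II', gpa, 0)), put(struct.pack('<II', gpa, 0))
    sh_int, sh_iat = put(struct.pack('<II', sew, 0)), put(struct.pack('<II', 0, 0))
    imp_dir = put(struct.pack('<IIIII', k32_int, 0, 0, k32, k32_iat) + bytes(20))
    dly_dir = put(struct.pack('<IIIIIIII', 1, sh32, 0, sh_iat, sh_int, 0, 0, 0) + bytes(32))
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10b)                                  # PE32 magic
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)             # ImageBase, alignments
    struct.pack_into('<II', opt, 96 + IMAGE_DIRECTORY_ENTRY_IMPORT * 8, imp_dir, 40)
    struct.pack_into('<II', opt, 96 + IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT * 8, dly_dir, 64)
    file_hdr = struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = b'.rdata'.ljust(8, b'\0') + struct.pack('<IIII', len(body), sec_rva, len(body), sec_off) + bytes(16)
    hdr = bytearray(b'MZ' + bytes(58) + struct.pack('<I', 64)) + b'PE\0\0' + file_hdr + opt + sec_hdr
    return bytes(hdr + bytes(sec_off - len(hdr))) + bytes(body)


if __name__ == '__main__':
    sample = build_sample_pe()
    print(parse_imports(sample))
    print('shell32.dll is reached via:', classify_import(sample, 'shell32.dll'))
```

To inspect a real file, replace `build_sample_pe()` with `open(path, 'rb').read()`; the parser reads only the on-disk directories, so it says where a DLL is imported from, not whether the live process's thunks have been altered.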