Feature Post

Top

How to intercept DELETE or SHIFT+DELETE keys in Windows?

If you want to know Run you program as windows service. Or, Hook into the WM_KEYPRESS, or how to intercept DELETE or SHIFT+DELETE keys in Windows?

There are couple of ways that a file can be deleted:

1. DEL key press
2. Shift+Del key press
3. Delete using mouse
4. Delete command from command prompt (cmd)
5. Drag a file to recycle bin
6. Direct calls to DeleteFile() api

Solution 1: Use windows hooks

Delete and SHIFT+DELETE are keystrokes that you can intercept using SetWindowsHookEx (http://msdn.microsoft.com/en-us/library/ms644990(VS.85).aspx) with WH_KEYBOARD or WH_KEYBOARD_LL hook. Handle that, and enjoy.

As for the DEL command (I'm assuming you mean that command from a Command Prompt), you can watch the folder/file of interest with the FindFirstChangeNotification or FindNextChangeNotification (http://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx) APIs for file removal.

Solution 2: NTFS resource(file) security descriptors
One way to address file deletion restrictions could be by employing NTFS security descriptors.

Security Descriptors(http://msdn.microsoft.com/en-us/library/aa379563%28VS.85%29.aspx)
Security Descriptor Operations(http://msdn.microsoft.com/en-us/library/aa379568%28v=VS.85%29.aspx)

That way, you change it in one place and not have to worry about covering all cases to prevent deleting a file.

Solution 3: Kernel mode hooking
http://www.rohitab.com/discuss/topic/33127-controling-binary-modifications/
We exported the function, modified its first 10 bytes to jump to our code then we just jump back. We just check if FileDispositionInformation is passed then we return before the function gets a chance to execute.

Happy hookering!

No comments