Intercepting CreateProcess()...
Luis Miguel Huapaya
I am trying to figure out how I can detect and suspend (i.e. intercept) the
execution of an executable program so that specific pre-execution processing
(i.e. uncompressing/recovering from backup files required by the executable
program) can take place. Once the pre-execution processing is done, I want to
resume the execution of the executable program. Once the executable program
exits, the post-execution processing will take place as well.
cheers,
Luis
Kellie Fitton
One viable approach is to use the following API's to launch
an executable program, for example:
CreateProcess()
CreateProcessAsUser()
Then you can suspend/resume the thraed of that execuatable program,
by using the following API's:
SuspendThread()
ResumeThread()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/suspendthread.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/resumethread.asp
Hope these information helps,
Kellie.
Eugene Gershnik
> Hi,
>
> One viable approach is to use the following API's to launch
> an executable program, for example:
>
> CreateProcess()
> CreateProcessAsUser()
>
> Then you can suspend/resume the thraed of that execuatable program,
> by using the following API's:
>
> SuspendThread()
Or simply pass CREATE_SUSPENDED to CreateProcess.
But I think OP is looking for something like
PsSetCreateProcessNotifyRoutine.
--
Eugene
http://www.gershnik.com
Luis Miguel Huapaya
problem. I want to support any and all third party applications, so I can't
really mess around with the binaries. I need to be able to be notified when a
process is about to start so that I may suspend it right away and the proceed
to uncompress/recover from backup any and all files associated with the said
application.
Eugene Gershnik
> Not exactly. If I was the one calling CreateProcess() I would not
> have this
> problem. I want to support any and all third party applications, so I
> can't
> really mess around with the binaries. I need to be able to be
> notified when a
> process is about to start so that I may suspend it right away and the
> proceed
> to uncompress/recover from backup any and all files associated with
> the said
> application.
AFAIK there are only two options: PsSetCreateProcessNotifyRoutine or
system-wide API hooking (which is definitely not recommended). If you need
to support 9x too see http://www.codeproject.com/system/chikago.asp
--
Eugene
http://www.gershnik.com
Arkady Frenkel
Arkady
"Eugene Gershnik" <gers...@hotmail.com> wrote in message
news:%23eL%23Ah02...@TK2MSFTNGP10.phx.gbl...
Scherbina Vladimir
--
[Scherbina Vladimir]
"Arkady Frenkel" <ark...@hotmailxdotx.com> wrote in message
news:OscenU62...@TK2MSFTNGP12.phx.gbl...
Eugene Gershnik
> it's commercial.. ;)
Detours don't really solve the problem of *system-wide* API hooking. To do
it right one needs kernel module anyway so if the only goal is to hook
process creation what's the point?
--
Eugene
http://www.gershnik.com
Alexander Grigoriev
"Luis Miguel Huapaya" <LuisMigu...@discussions.microsoft.com> wrote in
message news:8C7CF8CD-5B4B-4681...@microsoft.com...
Scherbina Vladimir
implement it in "system-wide" scope.
--
[Scherbina Vladimir]
"Eugene Gershnik" <gers...@hotmail.com> wrote in message
news:%23Lcaz39...@TK2MSFTNGP10.phx.gbl...
Eugene Gershnik
> Detours illustrates *how* to hook api. Basing on those methods one may
> implement it in "system-wide" scope.
Sure. My point is that in order to inject each and every process you have to
have some kernel code. Since being in kernel already solves OP's problem
there is no point to add API interception to it.
If his problem is limited to a single (or a few) parent processes then of
course API hooking could be a viable solution.
--
Eugene
http://www.gershnik.com
Gary Chanson
Unless he also needs to inject code into the few system processes which
can't be hooked, a global hook will inject his DLL into all processes. If I'm
remembering the original post correctly, this should be sufficient for this
problem.
--
-GJC [MS Windows SDK MVP]
-Software Consultant (Embedded systems and Real Time Controls)
- http://www.mvps.org/ArcaneIncantations/consulting.htm
-gcha...@mvps.org
Eugene Gershnik
> "Eugene Gershnik" <gers...@hotmail.com> wrote in message
> news:OfSeHjX...@tk2msftngp13.phx.gbl...
>> Scherbina Vladimir wrote:
>>> Detours illustrates *how* to hook api. Basing on those methods one
>>> may implement it in "system-wide" scope.
>>
>> Sure. My point is that in order to inject each and every process you
>> have to have some kernel code. Since being in kernel already solves
>> OP's problem there is no point to add API interception to it.
>> If his problem is limited to a single (or a few) parent processes
>> then of course API hooking could be a viable solution.
>
> Unless he also needs to inject code into the few system processes
> which can't be hooked, a global hook will inject his DLL into all
> processes. If I'm remembering the original post correctly, this
> should be sufficient for this problem.
If you mean a global Windows hook then I don't think it will help with
non-GUI processes.
--
Eugene
http://www.gershnik.com
Gary Chanson
That's true.
Also, since he wants to get control very early, a hook probably wouldn't
get control soon enough. A DLL loaded using the AppInit_DLLs value of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows might
be a better choice.
Scherbina Vladimir
news:%23UF8Mhe...@TK2MSFTNGP15.phx.gbl...
This would not work under 9x.
IMHO OP wants actually hooking CreateProcess instead of injecting dll into
newly created process.
--
[Scherbina Vladimir]
Eugene Gershnik
>
> This would not work under 9x.
> IMHO OP wants actually hooking CreateProcess instead of injecting dll
> into newly created process.
I think so too. But then injecting into *parent* process allows to do
exactly that ;-)
--
Eugene
http://www.gershnik.com
Gary Chanson
"Scherbina Vladimir" <vladimir....@gmail.com> wrote in message
news:OMFXx%23e3FH...@TK2MSFTNGP09.phx.gbl...
Neither will an XP driver...
> IMHO OP wants actually hooking CreateProcess instead of injecting dll into
> newly created process.
--
Vitoto
Imports System.Management
Public Class Form1
Inherits System.Windows.Forms.Form
#Region " Windows Form Designer generated code " ....
Dim q As New EventQuery("SELECT * FROM Win32_ProcessStartTrace")
WithEvents w As New ManagementEventWatcher(q)
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
'start subscribing to WMI event
w.Start()
End Sub
Private Sub ProcStartEventArrived(ByVal sender As Object, ByVal e As
EventArrivedEventArgs) Handles w.EventArrived
'Get the Event object and display it
TextBox1.Text += e.NewEvent("ProcessName") & Environment.NewLine
End Sub
Private Sub Form1_Closing(ByVal sender As Object, ByVal e As
System.ComponentModel.CancelEventArgs) Handles MyBase.Closing
'stop subscribing to WMI event
w.Stop()
End Sub
End Class