• Status: Solved

Hook Process Creation

Experts,
I need to hook process creation in Win95/98/NT. I know I could have a thread which checks whether a process has been added, say every 100 ms, but this may take up valuable resource time and it's not too efficient (as a process may be created within that 100 ms of sleep).
I can hook window creation with the WH_SHELL hook, but I need something equivalent for process creation.
Thanks,
Afzal.
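
The polling approach described in the question, as an added example that is not part of the original post: a portable C simulation that diffs successive process snapshots and shows that a process living entirely inside one sleep interval is never reported. The timeline, PIDs and function names are constructed for illustration; on Windows the snapshot would come from a process-enumeration API.

```c
#include <stddef.h>

#define MAX_PROCS 64

/* Constructed lifetime: a snapshot at t sees the process when
   start_ms <= t < exit_ms. */
typedef struct { unsigned pid, start_ms, exit_ms; } proc_life;

/* Constructed timeline: PID 4 is already running, PID 812 is long-lived,
   PID 900 starts at 130 ms and exits at 170 ms. */
const proc_life SAMPLE[] = { {4, 0, 1000}, {812, 50, 1000}, {900, 130, 170} };

/* Stand-in for a process-enumeration call: PIDs alive at time t_ms. */
static size_t snapshot(const proc_life *p, size_t n, unsigned t_ms, unsigned *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].start_ms <= t_ms && t_ms < p[i].exit_ms)
            out[k++] = p[i].pid;
    return k;
}

static int contains(const unsigned *set, size_t n, unsigned pid)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == pid)
            return 1;
    return 0;
}

/* Poll every interval_ms up to end_ms and diff each snapshot against the
   previous one. The snapshot at t=0 is the baseline. Newly seen PIDs are
   written to created[] (room for n entries); returns how many were reported. */
size_t poll_created(const proc_life *p, size_t n, unsigned interval_ms,
                    unsigned end_ms, unsigned *created)
{
    unsigned prev[MAX_PROCS], cur[MAX_PROCS];
    size_t nprev, ncreated = 0;

    if (interval_ms == 0 || n > MAX_PROCS)
        return 0;
    nprev = snapshot(p, n, 0, prev);
    for (unsigned t = interval_ms; t <= end_ms; t += interval_ms) {
        size_t ncur = snapshot(p, n, t, cur);
        for (size_t i = 0; i < ncur; i++)
            if (!contains(prev, nprev, cur[i]))
                created[ncreated++] = cur[i];
        for (size_t i = 0; i < ncur; i++)
            prev[i] = cur[i];
        nprev = ncur;
    }
    return ncreated;
}
```

With a 100 ms interval only PID 812 is reported; with 10 ms PID 900 is caught as well, but a shorter interval only narrows the blind window and raises the polling cost.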
 
Wyn Commented:
Every way of creating a process uses CreateProcess(), directly or indirectly, so you can hook this function.
 
afzalj (Author) Commented:
How?
 
WxW Commented:
You can't hook a specific function (I wish we could...)

But you can still use the shell hook and then GetWindowThreadProcessId(). If the thread returned is new, you can assume it's a new process. However, this requires that the process create a window (that does not always happen).

 
alexo Commented:
First, look here:
  http://www.internals.com/utilities_main.htm

There are some programs on SysInternals that use API hooking.  You can get sample source from:
  http://www.sysinternals.com/regsrc.zip

More sample code is available from:
  http://support.microsoft.com/support/kb/articles/q122/2/74.asp

Some comments and pointers can be found here:
  http://www.deja.com/=dnc/getdoc.xp?AN=475707613
 
Madshi Commented:
Two more links about API interception (both NOT system wide):

http://research.microsoft.com/sn/detours/

http://www.geocities.com/SiliconValley/1741/miscprog/mp_main.html

Regards, Madshi.
 
Wyn Commented:
>> You can't hook a specific function (I wish we could...)

No, we can.
 
alexo Commented:
afzalj?
 
alexo Commented:
Oh well...