Solved

Intercepting application BEFORE it runs VB6.

Posted on 2004-08-24
Last Modified: 2008-03-10
Hey guys,

I have desperately been researching ways to intercept starting applications with visual basic.  So far the only method I can find is to intercept Window_create messages with a hook.  This does not catch all processes attempting to run though.  1.  Is there a way to intercept a .exe process Before they run?  2.  Provide example code that intercepts notepad and prompts the user with a yes no to allow to run; if no is selected it doesn't run, if yes it runs.  I would really prefer that it not be written with a window create intercept due to the fact that this does not catch all attempting to run processes.  I will accept a WORKING example of a window creation message intercept though.  Thanks!
Question by:bluedragon99
26 Comments
 
LVL 22

Expert Comment

by:cookre
ID: 11882613
Given those restrictions, the only way I can think of would be to find the location of CreateProcess() and CreateProcessAs() in the loaded kernel32.dll and replace it with your own code - not a pretty sight.
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11882901
Yeah I have seen programs that do this but not sure how they are intercepting all programs (there is blocking software out there).

How about a window_create intercept?
0
 
LVL 22

Expert Comment

by:cookre
ID: 11883204
A WM_CREATE message is created by virtue of calling the CreateWindow() API.  
Programs that create windows call CreateWindow() themselves.

Hence, hooking WM_CREATE or CreateWindow() would not suffice, since the target program is already running at that time.
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11883321
hehe, I have quite a problem here.  I have seen this asked several times and an example is not usually produced.  Someone must know how to do it or have an example somewhere
0
 
LVL 22

Expert Comment

by:cookre
ID: 11883689
What it comes down to is:

Do you have to catch the program before execution starts, i.e., catch the request to start the program?
Or is it sufficient to catch the program in its early stages of execution?
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11883829
I need to catch it before it could execute any lines of its code short of low level window building.  Check this code out, it's close!

Couldn't I change the "wParam = WM_KEYDOWN" to "wParam = WM_CREATE".  This seems to actually work but has some odd effects!  Is there another lower level message like WM_CREATEPROCESS That I can Catch?



'**************************************
' Windows API/Global Declarations for: Disable Low Level Keys
' (module code; the form code follows after the description below)
'**************************************
Option Explicit

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
          (Destination As Any, Source As Any, ByVal Length As Long)

Public Declare Function GetKeyState Lib "user32" _
          (ByVal nVirtKey As Long) As Integer

Public Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
          (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long

Public Declare Function CallNextHookEx Lib "user32" _
          (ByVal hHook As Long, ByVal nCode As Long, ByVal wParam As Long, lParam As Any) As Long

Public Declare Function UnhookWindowsHookEx Lib "user32" _
          (ByVal hHook As Long) As Long

Public Const HC_ACTION = 0
Public Const WM_KEYDOWN = &H100
Public Const WM_KEYUP = &H101
Public Const WM_SYSKEYDOWN = &H104
Public Const WM_SYSKEYUP = &H105
Public Const VK_TAB = &H9
Public Const VK_CONTROL = &H11
Public Const VK_ESCAPE = &H1B
Public Const WH_KEYBOARD_LL = 13
Public Const LLKHF_ALTDOWN = &H20

' Structure the system passes (via lParam) to a WH_KEYBOARD_LL hook procedure
Public Type KBDLLHOOKSTRUCT
    vkCode As Long
    scanCode As Long
    flags As Long
    time As Long
    dwExtraInfo As Long
End Type

Dim p As KBDLLHOOKSTRUCT

' Hook procedure: return a non-zero value to swallow the keystroke,
' otherwise pass it on down the hook chain with CallNextHookEx.
Public Function LowLevelKeyboardProc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Dim fEatKeystroke As Boolean

    If (nCode = HC_ACTION) Then
        If wParam = WM_KEYDOWN Or wParam = WM_SYSKEYDOWN Or wParam = WM_KEYUP Or wParam = WM_SYSKEYUP Then
            CopyMemory p, ByVal lParam, Len(p)
            ' Swallow ALT-TAB, ALT-ESC and CTRL-ESC
            fEatKeystroke = _
            ((p.vkCode = VK_TAB) And ((p.flags And LLKHF_ALTDOWN) <> 0)) Or _
            ((p.vkCode = VK_ESCAPE) And ((p.flags And LLKHF_ALTDOWN) <> 0)) Or _
            ((p.vkCode = VK_ESCAPE) And ((GetKeyState(VK_CONTROL) And &H8000) <> 0))
        End If
    End If

    If fEatKeystroke Then
        LowLevelKeyboardProc = -1
    Else
        LowLevelKeyboardProc = CallNextHookEx(0, nCode, wParam, ByVal lParam)
    End If
End Function

'**************************************
' Name: Disable Low Level Keys
' Description: There are many situations when it's needed to disable some
' combinations of keys from a VB program. For instance, ALT-TAB, CTRL-ESC,
' ALT-ESC or others like these. Other combinations could be tested at form
' level using the KeyPreview property and KeyPress / KeyDown / KeyUp events.
' All system keystrokes won't fire key events in a form (or other controls)
' because they are handled internally by the system. Since application
' threads never receive messages for these keystrokes, there is no way that
' an application can intercept them and prevent the normal processing. This
' behavior is "by design" and ensures that a user can always switch to
' another application's window even if an application's thread enters an
' infinite loop or hangs.
'
' The question is how we can intercept these keystrokes? The solution could
' be achieved using hooks. A hook is a point in the Microsoft Windows
' message-handling mechanism where an application can install a subroutine
' to monitor the message traffic in the system and process certain types of
' messages before they reach the target window procedure.
'
' For Windows NT SP3 (or higher), Microsoft introduced a new hook:
' WH_KEYBOARD_LL. This hook is called the low-level hook because it is
' notified of keystrokes just after the user enters them and before the
' system gets a chance to process them. This hook has a serious drawback:
' the thread processing the hook filter function could enter an infinite
' loop or hang. If this happens, then the system will no longer process
' keystrokes properly and the user will become incredibly frustrated. To
' alleviate this situation, Microsoft places a time limit on low-level
' hooks. When the system sends a notification to a low-level keyboard
' hook's filter function, the system allows that function a fixed amount of
' time to execute. If the function does not return in the allotted time,
' the system ignores the hook filter function and processes the keystroke
' normally. The amount of time allowed (in milliseconds) is set via the
' LowLevelHooksTimeout value under the following registry subkey:
' HKEY_CURRENT_USER\Control Panel\Desktop.
'
' The program (VB) is disabling some of these combinations (ALT-TAB,
' CTRL-ESC and ALT-ESC) as long as the option is checked.
' By: Ovidiu Crisan
'
' This code is copyrighted and has limited warranties. Please see
' http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=13106&lngWId=1
' for details.
'**************************************

' Form code: chkDisable is a CheckBox control on the form
Dim hhkLowLevelKybd As Long

Private Sub chkDisable_Click()
    If chkDisable = vbChecked Then
        ' dwThreadId = 0 installs the hook system-wide
        hhkLowLevelKybd = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf LowLevelKeyboardProc, App.hInstance, 0)
    Else
        UnhookWindowsHookEx hhkLowLevelKybd
        hhkLowLevelKybd = 0
    End If
End Sub

Private Sub Form_Unload(Cancel As Integer)
    ' Always remove the hook before the process exits
    If hhkLowLevelKybd <> 0 Then UnhookWindowsHookEx hhkLowLevelKybd
End Sub
0
 
LVL 22

Expert Comment

by:cookre
ID: 11884126
If you know that the program does nothing substantive before it calls its first CreateWindow(), then catching it at the WM_CREATE should be sufficient.  Note that the WM_* messages deal with window processing and have nothing to do with processes per se.

What I'd do to see what happens before the WM_CREATE is:

1) If you don't already have it, get InCtrl:
http://www.pcmag.com/article2/0%2C4149%2C9882%2C00.asp
It used to be free, but they only want $6 for it.  You may be able to surf a free copy somewhere.

2) Get Process Explorer:
http://www.snapfiles.com/get/processexplorer.html
The originating site, http://www.sysinternals.com/ , has other great utilities, but they seem to be down right now.

3) Use InCtrl to take an initial snapshot of files and the Registry.

4) Run your trapper and kick off the target program.

5) When your program catches the WM_CREATE, but before passing the message along, run ProcExp to see what handles the target program has open, then kill the target program and run InCtrl again to see what files may have been created, changed, or deleted, and what changes may have been made in the Registry.

If nothing of great import shows up, then you can use the WM_CREATE hook.
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11884202
is there a list of the WM_* messages?
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11884263
Ok WM_Create is def acceptable as far as nothing going on before it.  Can the example above be modified to check for WM_CREATE and msgbox "do you want to run?".  Seems like it would work.
0
 
LVL 22

Expert Comment

by:cookre
ID: 11884552
The sample code above sets a keyboard hook - you need a global WH_CALLWNDPROC hook:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp

Since the hook has to be global, you'll have to create a DLL for the call back.
0
 
LVL 1

Expert Comment

by:sgartner
ID: 11889969
This is totally off the wall, but what if you change the registry value for the EXE file extension to launch your program and pass the name of the EXE that was attempted to you.  Then you could look at the EXE to see if it is one that you need to monitor.  You can launch the exe yourself and get the process ID and hook it directly from there.  You would probably want to set it up as a DDE launch so that if your application was already running it would just pass the EXE launch call over to you.

Disclaimer: I am not certain how unstable your Windows could get if you try this.  Frankly, I don't have a computer at hand that I am willing to try this on to see what would happen.  I read that something similar to this has been used in the past by Windows viruses.

Scott
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11892043
great thinking outside the box, that sounds a bit over my head.  How would you grab the PID or exe name from windows?
0
 
LVL 22

Expert Comment

by:cookre
ID: 11892891
The persistent handler associated with exe's in the registry is a GUID that says there is none.  I suspect if you were to change it, you would see some interesting fireworks before rebuilding the box.

To find a particular process, you have to know either a window title or the exe name.  Have you either?

0
 
LVL 1

Expert Comment

by:sgartner
ID: 11895030
Blue,

Since you would be intercepting the launch of the EXE (only when launched through Explorer, mind) you would turn around and "spawn" the EXE yourself.  When an application launches another it will generally get the process ID back.  Here is the example answer about launching a process and collecting the process ID:

http://www.experts-exchange.com/Programming/Programming_Languages/Cplusplus/Q_20714864.html

Scott
0
 
LVL 1

Expert Comment

by:sgartner
ID: 11895148
Cookre,

I am not suggesting he change the persistent handler.  I am suggesting that he change the Shell command for exefile.  Specifically:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)

It is normally set to: "%1" %*

Which tells the shell (Explorer.exe) that EXE files run themselves and get all parameters passed on the command line.

If it is changed, for example, to: "myprogram.exe" "%1" %*
the myprogram.exe would get loaded any time anybody requests an "open" on a file ending in .EXE and it would be passed the name of the EXE file and any command line parameters directed to it.

If this string is changed it will change how Explorer launches EXE files as well as any application that uses the ShellExecute() API.  It will not affect CreateProcess() calls.  

This may very well cause unresolvable issues on the machine, but that's part of the homework ;-)  I suspect that to make this work well (if this even solves his problem) would require a VxD or at least a service to make sure the "EXE handler" was loaded before any ShellExecute was called.  But since it will be loaded with the first ShellExecute it might just be fine...

Scott
0
 
LVL 1

Expert Comment

by:sgartner
ID: 11895168
One more point.  This change I am suggesting may very well be noticed by a virus scanner as a machine take-over attempt.

Scott
0
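The exefile handler change described in the two posts above is exactly what a virus scanner or a tool like Autoruns looks for, so here is a defender's check for it, added as an example that is not from the thread or any of its participants. It parses the (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command out of .reg export text (the sample below is constructed, and C:\Tools\myprogram.exe is a hypothetical path) and reports any program placed in front of "%1"; on a live machine the text would come from `reg export` or the winreg module.

```python
import re

# Stock Windows value for HKCR\exefile\shell\open\command is:  "%1" %*
STOCK_TOKENS = ["%1", "%*"]

# Constructed sample .reg export with an interposed handler (hypothetical path)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Tools\\myprogram.exe\" \"%1\" %*"
'''

EXEFILE_KEY = re.compile(r"^\[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command\]$", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a quoted token or a bare one


def split_command(cmd):
    """Split a shell command string into tokens, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmd)]


def classify(cmd):
    """Return (status, program): 'stock', 'interposed' (program runs before
    the target) or 'unexpected' (non-default layout, e.g. %1 missing)."""
    tokens = split_command(cmd.strip())
    if tokens == STOCK_TOKENS:
        return ("stock", None)
    if "%1" not in tokens:                       # target exe is never launched
        return ("unexpected", tokens[0] if tokens else None)
    if tokens.index("%1") == 0:                  # e.g. "%1" with no %*
        return ("unexpected", None)
    return ("interposed", tokens[0])


def scan_reg_export(text):
    """Find the exefile open command in .reg export text and classify it."""
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = bool(EXEFILE_KEY.match(line))
        elif in_key and line.startswith("@="):
            raw = line[2:]
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo .reg escaping
            return classify(raw)
    return ("missing", None)


if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG))
```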
 
LVL 1

Author Comment

by:bluedragon99
ID: 11898893
Yeah this sounds like a nasty proposition.  I just wish there were an example code out there of even intercepting a Create_window message, that would be great
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11908775
Any takers?  Someone has to be capable of writing it ;)
0
 
LVL 22

Accepted Solution

by:
cookre earned 500 total points
ID: 11908984
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11927607
anyone want to attempt at providing a working example?
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11963068
?
0
 
LVL 22

Expert Comment

by:cookre
ID: 11963721
There are no takers for writing the entire thing because it requires no small amount of code, and most folks answering questions here do so in their spare time.
0
 
LVL 1

Author Comment

by:bluedragon99
ID: 11963774
I understand.  I have found code that displays system messages, would it be hard to intercept them and process/not process them this way?
0
 
LVL 22

Expert Comment

by:cookre
ID: 11963940
Not too bad, as long as the info you get is sufficient to identify the program you want to control.
0