?
Solved

HOOK process creation

Posted on 2004-11-18
10
Medium Priority
?
758 Views
Last Modified: 2010-04-05
I need to hook process creation in win95/98/NT/XP.... I know I could have a thread which checks if a process is added say every 100ms, but this may take up valuable resource time and it's not too efficient (as a process may be created within that 100ms of sleep).

Thanks
EKIM

I know thet question as been already asked, but since not registered users have no access to previous asked questions...
0
Comment
Question by:EKIM
  • 5
  • 4
10 Comments
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 12616014
well... this was the accepted answer for the same question, I quote Alexo

" First, look here:
  http://www.internals.com/utilities_main.htm

There are some programs on SysInternals that use API hooking.  You can get sample source from:
  http://www.sysinternals.com/regsrc.zip

More sample code is available from:
  http://support.microsoft.com/support/kb/articles/q122/2/74.asp

Some comments and pointers can be found here:
  http://www.deja.com/=dnc/getdoc.xp?AN=475707613"
0
 
LVL 20

Accepted Solution

by:
Madshi earned 1000 total points
ID: 12622709
madCodeHook even contains a demo which does exactly what you're asking for - namely hooking process creation. See here:

documentation: http://help.madshi.net/madCodeHook.htm
demo download: http://madshi.net/MCHDemos.zip
full package download: http://madshi.net/madCollection.exe

madCodeHook is free for non-commercial purpose.
0
 

Author Comment

by:EKIM
ID: 12622716
Madshi : I went to your site on yesterday... and told my Boss to buy your libraries... But it seems to be very complex for me. Would you accept to build a little example for me (If my boss effectively bought your stuff off course) ?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:EKIM
ID: 12622736
Black TigerX :
 - internals.com site : Proc SPy does not works on XP
 - SysInternals : the page cannot be found
 - Support microsoft : article not available
 - Deja.com : ?? the page is about health deseases ...

:-)
0
 
LVL 20

Expert Comment

by:Madshi
ID: 12622768
EKIM, just check out the demo "HookProcessCreation.dpr". It's really not that complicated.

For what purpose do you need to hook process creation btw? Do you just need to be notified about the creation of new processes? In that case there are other ways to solve the problem.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 12622769
P.S: I don't have the time to write a custom demo for you, I'm sorry...
0
 

Author Comment

by:EKIM
ID: 12624763
Madshi : need no more custom demo  :-) I have modifyed the included demo 'HookProcessCreation' libraby...
And it begins to works  :-)))
Thanks a lot

Ekim
0
 
LVL 20

Expert Comment

by:Madshi
ID: 12624798
Let me ask again:

For what purpose do you need to hook process creation btw? Do you just need to be notified about the creation of new processes? In that case there are other ways to solve the problem.
0
 

Author Comment

by:EKIM
ID: 12624919
Madshi : for some reasons we have to use firebird Classic server than super server. Classic server creates a process named 'fb_inet_server.exe'for each client connection. I 'hook' from the Database when a new user tries to connect, and save into a file the userNo.
If I can get the ProcessID of each 'fb_inet_server.exe' as soon as it is created, I can know witch user uses witch process.
I have to write an application that records UserNo / ProcessID.

With this tool, it will be easy for system administrator to 'kill' a user's connection  at its own convenience (ie if user's application chashes, or if he launch a too much long time query, or if the client loses his TCP/IP connection and so on...)

Ekim
0
 
LVL 20

Expert Comment

by:Madshi
ID: 12625010
Ok, understood. But you can have it even easier than using HookProcessCreation.dpr!

Look: madCodeHook internally already hooks process creation. When a new process is created, madCodeHook automatically injects your dll into it. That means you can solve the problem by simply writing the processID and userNo into the file in the initialization section of your hook dll. You don't need to hook a single API yourself. Something like this:

library YourHookDll;

uses Windows, madStrings;

var str : string;
    fh : dword;
begin
  str := IntToHexEx(GetCurrentProcessID) + #12#10;
  fh := CreateFile('c:\log.txt', GENERIC_WRITE, 0, ...);
  SetFilePosition(fh, 0, END_FILE);
  WriteFile(str[1], Length(str), ...);
  CloseHandle(fh);
end.

That's it. You don't even need to add madCodeHook to the uses clause. One thing is important, though: If two processes get created at the same time, you need to synchronize access to the log file. Otherwise one process will be able to open the log file, while the other won't. Use CreateMutex(..., 'EkimsMutex') + WaitForSingleObject + ReleaseMutex to synchronize access to the log file.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question