Solved

Hook CreateProcess

Posted on 2006-06-24
Last Modified: 2008-01-09
Hi
I want to hook every created process and manage them.
Example: before a process is created, it gives me its name and waits for my reply, accept or deny...
Sorry for my bad English :( I hope I described it...
Question by:dgn_
 
LVL 28

Expert Comment

by:2266180
ID: 16976682
Well, I think what you are looking for is madshi's madCodeHook components :)
http://www.madshi.net/madCodeHookDescription.htm
You will also have some examples there, and you can find a lot of examples on the net.


Author Comment

by:dgn_
ID: 16978522
I cannot use madCodeHook :(
Can you give me working examples like I said in the question?
LVL 28

Expert Comment

by:2266180
ID: 16981425
I'll have to ask this so that I don't waste time doing stuff you don't need:
you can't use madCodeHook because you don't know how, or because there are some restrictions? If there are some restrictions, what are they?

Author Comment

by:dgn_
ID: 16982433
I can't use madCodeHook because I don't know how.
LVL 28

Expert Comment

by:2266180
ID: 16983853
OK then. I'll dig up a small demo from somewhere in a few minutes. Until then, if you haven't already done so, install the madshi components.
LVL 28

Expert Comment

by:2266180
ID: 16983979
So, you download the demos from madshi's site (http://madshi.net/MCHDemos.zip).
In system wide\HookProcessTermination you have an example of what you want to do: not CreateProcess, but TerminateProcess. You should be able to easily adapt that to CreateProcess.

Let me know if you can do that; if not, I'll find some time later today to do it.

Author Comment

by:dgn_
ID: 16990379
Many thanks for your interest, but I cannot adapt it :(
LVL 28

Expert Comment

by:2266180
ID: 16997334
OK. I will make the necessary changes for you sometime tomorrow.

By the way, you are aware that CreateProcess is not the only function that can be used to launch an application, right? I remember a discussion on this issue here on EE. I did a small search but couldn't find the discussion, but I found something you might look into until tomorrow, when I get a chance to make the project:

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_10338608.html?query=hook+createprocess&topics=85
LVL 28

Expert Comment

by:2266180
ID: 17138129
Sorry for the outage. I had some issues on my mind and was not able to modify my dev environment for a while.
I just installed the madshi components and will get back to you with a demo in the next 24 hours.

Sorry for this delay.
LVL 28

Expert Comment

by:2266180
ID: 17146542
I did the hook for the CreateProcess API function, but for some reason injecting the hook did not work. So I looked over madshi's site and found a simple example that hooks WinExec:
file://localhost/C:/Program%20Files/madCollection/madBasic/help/data/ProcessApi.htm
As you notice, this is from the local installation folder ;)
Also, it will only work for that process.

I am working to see why the injection fails and will post the projects as soon as I fix the issue (I will go over it tomorrow).

Author Comment

by:dgn_
ID: 17151976
Thanks ciuly. I'll wait, no prob :)
Thanks
LVL 28

Expert Comment

by:2266180
ID: 17200900
A small update. I found the issue. Pretty stupid on my part, but that's what happens when someone doesn't use madCodeHook too often.
The issue was that madCHook.dll must be present before injecting the DLL.

Now that I fixed that, I am getting a lot of crashes in the injected processes. I am guessing that it might be either because of the IPC queue used, or because this injects into all system processes and some system processes don't like CreateProcess being hooked.

I'll do some more testing next week (I am flying home this weekend :) and won't have a PC handy for the next 48-56 hours).

Cheers
LVL 28

Accepted Solution

by: 2266180 earned 125 total points
ID: 17269387
For some reason I still get a few errors when injecting. Maybe it's my system to blame.
Try out this demo just as it is (you should get no message dialogs or whatever, just some logging in hooking.log).
Demo here: http://www.ciuly.com/delphi/CreateProcessHook.zip

The way to use it:
- compile all 4 projects
- copy madCHook.dll from the madshi installation to the manager directory (or place the path to it in the PATH variable)
- copy CreateProcessHook.dll into the manager directory
- run manager.exe
- click on install and wait for it to finish. If you get some error messages from different applications, make them go away and let me know: in this case it's something with the hooking and I'll have to investigate further (maybe call in madshi to take a look :) )
- run test.exe. An empty form will appear (the one of bogus.exe). At this point you can check the logs and see that indeed the hook was called and some messages were logged.

At this stage, if no error appeared from other applications, you can safely work with manager.exe: now check the ask checkbox (you did not close the exe yet ;) ), then close the empty form and run test.exe again. You should be prompted with a dialog asking if you want to run the exe or not, and only after you choose yes should you see the empty form appear :)

I sure do hope there are issues on my machine, as previous projects done just like this worked fine and now they also generate these errors. But in case it's not my system, I'll need to really do everything from ground 0: I must be doing something wrong then :)
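The allow-or-deny gate the demo is built around, written out as an added Delphi example (this is not the thread's CreateProcessHook.zip, which is not on the page): the hook DLL inspects each CreateProcess call and either passes it to the original function or fails it. It assumes madCodeHook is installed and that HookAPI(module, api, callback, @next) is its documented hooking call; the demo's manager/IPC prompt is replaced by a constructed deny list so the decision needs no desktop, which avoids the crashes in system processes described earlier in the thread.

```delphi
library CreateProcessGate;
// Added example, not the thread's CreateProcessHook demo: a CreateProcess gate DLL in the
// style of madCodeHook's HookProcessTermination sample. Assumes madCodeHook is installed
// and that HookAPI(module, api, callback, @next) is its documented hooking call.
uses
  Windows, SysUtils, madCodeHook;
type
  TCreateProcessA = function(app, cmd: PAnsiChar; pa, ta: PSecurityAttributes; inherit: BOOL;
    flags: DWORD; env: Pointer; dir: PAnsiChar; si: PStartupInfoA; pi: PProcessInformation): BOOL; stdcall;
  TCreateProcessW = function(app, cmd: PWideChar; pa, ta: PSecurityAttributes; inherit: BOOL;
    flags: DWORD; env: Pointer; dir: PWideChar; si: PStartupInfoW; pi: PProcessInformation): BOOL; stdcall;
var
  CreateProcessANext: TCreateProcessA;  // HookAPI stores the original entry points here
  CreateProcessWNext: TCreateProcessW;

// Policy check with no UI: a MessageBox from inside a service or any other process without
// an interactive desktop hangs or crashes the host, the failure mode reported in this thread.
// The constructed deny list stands in for the manager/IPC round trip the real demo performs.
function Allowed(const target: string): boolean;
const Denied: array[0..1] of string = ('bogus.exe', 'blocked.exe');  // constructed sample policy
var i: integer;
begin
  Result := True;
  for i := Low(Denied) to High(Denied) do
    if Pos(Denied[i], LowerCase(target)) > 0 then Result := False;
  if not Result then SetLastError(ERROR_ACCESS_DENIED);  // the caller sees an ordinary API failure
end;

function CreateProcessACallback(app, cmd: PAnsiChar; pa, ta: PSecurityAttributes; inherit: BOOL;
  flags: DWORD; env: Pointer; dir: PAnsiChar; si: PStartupInfoA; pi: PProcessInformation): BOOL; stdcall;
begin
  if Allowed(string(app) + ' ' + string(cmd)) then  // either pointer may be nil; nil converts to ''
    Result := CreateProcessANext(app, cmd, pa, ta, inherit, flags, env, dir, si, pi)
  else
    Result := False;
end;

function CreateProcessWCallback(app, cmd: PWideChar; pa, ta: PSecurityAttributes; inherit: BOOL;
  flags: DWORD; env: Pointer; dir: PWideChar; si: PStartupInfoW; pi: PProcessInformation): BOOL; stdcall;
begin
  if Allowed(WideString(app) + ' ' + WideString(cmd)) then
    Result := CreateProcessWNext(app, cmd, pa, ta, inherit, flags, env, dir, si, pi)
  else
    Result := False;
end;
begin
  // Hook both entry points: CreateProcessA need not route through the exported CreateProcessW,
  // so hooking only the W variant misses ANSI callers such as a Delphi 7 program.
  HookAPI('kernel32.dll', 'CreateProcessA', @CreateProcessACallback, @CreateProcessANext);
  HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);
end.
```

Load it the way the demo's manager.exe loads CreateProcessHook.dll; a denied launch reaches the caller as CreateProcess returning False with ERROR_ACCESS_DENIED, which is what hooking.log-style logging would record.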