Killing a process in WLEventStart

Posted on 2006-10-21
Last Modified: 2013-11-20
Hello,

I have the code below that executes a file called uptime.exe at the WLEventStop. I'd like to kill the uptime.exe once the WLEventStart fires. Does anyone know how to do that? If so, could you help me modify my code below?

#include <windows.h>
#include <Winwlx.h>
#include <stdio.h>


// Copyright (c) Microsoft Corporation. All rights reserved.

// Here is the entrance function for the DLL.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            {

             // Disable DLL_THREAD_ATTACH & DLL_THREAD_DETACH
             // notification calls. This is a performance optimization
             // for multithreaded applications that do not need
             // thread-level notifications of attachment or detachment.

            DisableThreadLibraryCalls (hInstance);
            }
            break;
    }

    return TRUE;
}

// Here is the event handler for the Winlogon Start event.
extern "C"
__declspec(dllexport)
VOID WLEventStart (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output and to a log file.
    // You can replace this with more useful functionality.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventStart.\r\n"));
    FILE* p = fopen("c:\\testlog.txt", "w+");
    if (p)   // fopen can fail; writing through a NULL FILE* would crash winlogon.exe
    {
        fprintf(p,"NOTIFY:  Entering WLEventStart.\r\n");
        fclose(p);
    }
}

// Here is the event handler for the Winlogon Stop event.
extern "C"
__declspec(dllexport)VOID WLEventStop (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output and to a log file,
    // then launch uptime.exe.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventStop.\r\n"));
    FILE* p = fopen("c:\\testlog.txt", "w+");
    if (p)   // fopen can fail; writing through a NULL FILE* would crash winlogon.exe
    {
        fprintf(p,"NOTIFY:  Entering WLEventStop.\r\n");
        fclose(p);
    }
    ShellExecute(NULL, "open", "C:\\Windows\\System32\\uptime.exe", NULL, NULL, SW_SHOW);
}
Question by:hpops

Expert Comment

by:mahesh1402
ID: 17782784
Instead of ShellExecute(), use the CreateProcess() API function to launch uptime.exe. You have to pass a PROCESS_INFORMATION variable to CreateProcess as a parameter; through it you get the handle to the process, and with this handle you can kill the process using the TerminateProcess() API function.

The code will look something like the following:

 PROCESS_INFORMATION pi;
 STARTUPINFO si;
 memset(&si, 0, sizeof(STARTUPINFO));
 si.cb = sizeof(STARTUPINFO);
 si.dwFlags = STARTF_USESHOWWINDOW;
 si.wShowWindow = SW_SHOW;

 CreateProcess(0,"C:\\Windows\\System32\\uptime.exe",0,0,0,0,0,0,&si,&pi); // Launch Process using CreateProcess

  ....

// Now whenever you want to terminate application uptime.exe you may call TerminateProcess like following :

TerminateProcess(pi.hProcess,0);   // Terminate Process uptime.exe

Hope this helps
-MAHESH

Expert Comment

by:mahesh1402
ID: 17782802
You may refer to the docs of CreateProcess and TerminateProcess for more help:

CreateProcess :
http://msdn.microsoft.com/library/en-us/dllproc/base/createprocess.asp

TerminateProcess :
http://msdn.microsoft.com/library/en-us/dllproc/base/terminateprocess.asp

-MAHESH

Author Comment

by:hpops
ID: 17783959
Thanks a bunch for the code examples and links.

I'm having a bit of trouble getting this to compile. You'll have to forgive me I'm very new to C++ and am struggling on this one.

I'm getting the following errors when trying to compile:
ee.cpp(37) : error C2065: 'pi' : undeclared identifier
ee.cpp(37) : error C2228: left of '.hProcess' must have class/struct/union type

Here's my modified code.

#include <windows.h>
#include <Winwlx.h>
#include <stdio.h>
#include <winbase.h>

// Copyright (c) Microsoft Corporation. All rights reserved.

// Here is the entrance function for the DLL.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            {

             // Disable DLL_THREAD_ATTACH & DLL_THREAD_DETACH
             // notification calls. This is a performance optimization
             // for multithreaded applications that do not need
             // thread-level notifications of attachment or detachment.

            DisableThreadLibraryCalls (hInstance);
            }
            break;
    }

    return TRUE;
}

// Here is the event handler for the Winlogon Start event.
extern "C"
__declspec(dllexport)
VOID WLEventStart (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    TerminateProcess(pi.hProcess,0);   // Terminate Process uptime.exe
}

// Here is the event handler for the Winlogon Stop event.
extern "C"
__declspec(dllexport)VOID WLEventStop (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    CreateProcess(0,"C:\\Windows\\System32\\uptime.exe",0,0,0,0,0,0,&si,&pi); // Launch Process using CreateProcess
}

Thanks for any help



Expert Comment

by:jkr
ID: 17784198
This won't work for several reasons. One is that 'pi' would have to be declared globally to compile correctly, then the value might become invalid when your notification DLL gets unloaded. You can fix both using

#include <windows.h>
#include <Winwlx.h>
#include <stdio.h>


// Copyright (c) Microsoft Corporation. All rights reserved.

HANDLE g_hProcess = NULL; // global variable to store the process handle
HINSTANCE g_hInst = NULL;

// Here is the entrance function for the DLL.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            {

             // Disable DLL_THREAD_ATTACH & DLL_THREAD_DETACH
             // notification calls. This is a performance optimization
             // for multithreaded applications that do not need
             // thread-level notifications of attachment or detachment.

            DisableThreadLibraryCalls (hInstance);

            g_hInst = hInstance;
            }
            break;
    }

    return TRUE;
}

// Here is the event handler for the Winlogon Start event.
extern "C"
__declspec(dllexport)
VOID WLEventStart (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output and to a log file.
    // You can replace this with more useful functionality.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventStart.\r\n"));
    FILE* p = fopen("c:\\testlog.txt", "w+");
    if (p)   // fopen can fail; writing through a NULL FILE* would crash winlogon.exe
    {
        fprintf(p,"NOTIFY:  Entering WLEventStart.\r\n");
        fclose(p);
    }

    if (g_hProcess)
    {
      TerminateProcess(g_hProcess,0);

      FreeLibrary(g_hInstance); // unlock DLL

     }
}

// Here is the event handler for the Winlogon Stop event.
extern "C"
__declspec(dllexport)VOID WLEventStop (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    if(CreateProcess(0,"C:\\Windows\\System32\\uptime.exe",0,0,0,0,0,0,&si,&pi)) // Launch Process using CreateProcess
    {
        g_hProcess = pi.hProcess;

        LoadLibrary("mydll.dll"); // Lock DLL in memory to prevent unloading
    }


}

Author Comment

by:hpops
ID: 17784902
When compiling I got an "undeclared identifier" error on line: FreeLibrary(g_hInstance); // unlock DLL

I changed it to: FreeLibrary(g_hInst); // unlock DLL

It compiles but does not terminate the uptime.exe process.

Did I change the wrong thing here?




Expert Comment

by:jkr
ID: 17784916
No, that was correct. Did you also change

 LoadLibrary("mydll.dll"); // Lock DLL in memory to prevent unloading

to have the name of *your* DLL?

Author Comment

by:hpops
ID: 17784945
Thanks for the quick reply. Yes, I added the .dll name. Actually the code snippet we're working on is the .dll I'm making. Is doing it like that ok?

I'm putting the name of it in like this:
LoadLibrary("ee.dll"); // Lock DLL in memory to prevent unloading

Not sure what I'm doing wrong here, any ideas?







Expert Comment

by:jkr
ID: 17784962
Hm, try to

    if (g_hProcess)
    {
      if (!TerminateProcess(g_hProcess,0)) OutputDebugString(_T("Failed to terminate process")));

      FreeLibrary(g_hInstance); // unlock DLL

     }

and see if you get an error message.

Author Comment

by:hpops
ID: 17785728
Well, I tried and got two errors. Both were undeclared identifiers. One was for "_T" and the other for g_hInstance.

I found one too many ")" on the line:  if (!TerminateProcess(g_hProcess,0)) OutputDebugString(_T("Failed to terminate process")));
I fixed that but still no luck.

Do 'undeclared identifiers' errors mean I might have the wrong header(s) and/or global variables?

Here's my updated code that's throwing the mentioned errors.

#include <windows.h>
#include <Winwlx.h>
#include <stdio.h>


// Copyright (c) Microsoft Corporation. All rights reserved.

HANDLE g_hProcess = NULL; // global variable to store the process handle
HINSTANCE g_hInst = NULL;

// Here is the entrance function for the DLL.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            {

             // Disable DLL_THREAD_ATTACH & DLL_THREAD_DETACH
             // notification calls. This is a performance optimization
             // for multithreaded applications that do not need
             // thread-level notifications of attachment or detachment.

            DisableThreadLibraryCalls (hInstance);

            g_hInst = hInstance;
            }
            break;
    }

    return TRUE;
}

// Here is the event handler for the Winlogon Start event.
extern "C"
__declspec(dllexport)
VOID WLEventStart (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output and to a log file.
    // You can replace this with more useful functionality.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventStart.\r\n"));
    FILE* p = fopen("c:\\testlog.txt", "w+");
    if (p)   // fopen can fail; writing through a NULL FILE* would crash winlogon.exe
    {
        fprintf(p,"NOTIFY:  Entering WLEventStart.\r\n");
        fclose(p);
    }

     if (g_hProcess)
    {
      if (!TerminateProcess(g_hProcess,0)) OutputDebugString(_T("Failed to terminate process"));

      FreeLibrary(g_hInstance); // unlock DLL

     }

}

// Here is the event handler for the Winlogon Stop event.
extern "C"
__declspec(dllexport)VOID WLEventStop (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    if(CreateProcess(0,"C:\\Windows\\System32\\uptime.exe",0,0,0,0,0,0,&si,&pi)) // Launch Process using CreateProcess
    {
        g_hProcess = pi.hProcess;

        LoadLibrary("ee.dll"); // Lock DLL in memory to prevent unloading
    }


}

Accepted Solution

by:jkr
ID: 17785955
Sorry again, should have been

     if (g_hProcess)
    {
      if (!TerminateProcess(g_hProcess,0)) OutputDebugString(TEXT("Failed to terminate process"));

      FreeLibrary(g_hInst); // unlock DLL

     }

Author Comment

by:hpops
ID: 17786099
Thanks so much for your help jkr.
This is working beautifully!

If anyone is interested this is what the final code ended up looking like.

#include <windows.h>
#include <Winwlx.h>
#include <stdio.h>


// Copyright (c) Microsoft Corporation. All rights reserved.

HANDLE g_hProcess = NULL; // global variable to store the process handle
HINSTANCE g_hInst = NULL;

// Here is the entrance function for the DLL.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
            {

             // Disable DLL_THREAD_ATTACH & DLL_THREAD_DETACH
             // notification calls. This is a performance optimization
             // for multithreaded applications that do not need
             // thread-level notifications of attachment or detachment.

            DisableThreadLibraryCalls (hInstance);

            g_hInst = hInstance;
            }
            break;
    }

    return TRUE;
}

// Here is the event handler for the Winlogon Start event.
extern "C"
__declspec(dllexport)
VOID WLEventStart (PWLX_NOTIFICATION_INFO pInfo)
{

    // Launch uptime.exe and keep its process handle so that WLEventStop
    // can terminate exactly this process later.
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    if(CreateProcess(0,"C:\\Windows\\System32\\uptime.exe",0,0,0,0,0,0,&si,&pi)) // Launch Process using CreateProcess
    {
        g_hProcess = pi.hProcess;
        CloseHandle(pi.hThread);   // the thread handle is not needed; close it so it does not leak

        LoadLibrary("ee.dll"); // Lock DLL in memory to prevent unloading
    }

}

// Here is the event handler for the Winlogon Stop event.
extern "C"
__declspec(dllexport)VOID WLEventStop (PWLX_NOTIFICATION_INFO pInfo)
{

    // Print the name of the handler to debug output and to a log file,
    // then terminate the uptime.exe started in WLEventStart.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventStop.\r\n"));
    FILE* p = fopen("c:\\testlog.txt", "w+");
    if (p)   // fopen can fail; writing through a NULL FILE* would crash winlogon.exe
    {
        fprintf(p,"NOTIFY:  Entering WLEventStop.\r\n");
        fclose(p);
    }

    if (g_hProcess)
    {
        if (!TerminateProcess(g_hProcess,0)) OutputDebugString(TEXT("Failed to terminate process"));

        CloseHandle(g_hProcess);   // release the process handle once it is no longer needed
        g_hProcess = NULL;

        FreeLibrary(g_hInst); // unlock DLL
    }
}