rich3051 asked:
Process creation notification without kernel hook

Hi,

I need a user mode app to receive notifications when a new process is created. It will run on XP and on our kit (win CE) so kernel hooking is out, for the time being at least. It would also be particularly poor to periodically query the process list.

I don't need a hook, just a notification. Is there no way of doing this in Windows?
Cheers in advance
Jase-Coder:

The only way to do this is to create a hook or poll the process list from time to time because as far as I know hooking is the only method for intercepting other application messages.
>>>>  or poll the process list from time to time
You would retrieve the list with EnumProcesses. If only GUI processes need to be detected, you may do an EnumWindows on the top-level windows. Doing that every second will not harm the system's overall performance.

To find out which windows (processes) were added or removed, put the handles into arrays and sort them. Then you can easily get the desired information.

Regards, Alex
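As an added example (not code from the thread), here is the poll-and-compare approach Alex describes: take an EnumProcesses snapshot, sort it, and merge-walk it against the previous snapshot to find PIDs that appeared or vanished. The diff logic is portable C so it can be exercised anywhere; the EnumProcesses snapshot and the one-second polling loop build only on Windows, and the function names and buffer size are my own assumptions.

```c
/* Added example (not from the thread): Alex's poll-and-compare approach.
 * Two sorted PID snapshots are merge-walked to find processes that appeared
 * or vanished between polls. The EnumProcesses part builds only on Windows. */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>              /* EnumProcesses; link with psapi.lib */
#endif
typedef unsigned long procid;   /* same type as DWORD on Windows */
static int cmp_pid(const void *a, const void *b) {
    return (*(const procid *)a > *(const procid *)b) - (*(const procid *)a < *(const procid *)b);
}
void sort_pids(procid *p, size_t n) { qsort(p, n, sizeof *p, cmp_pid); }
/* Merge-walk two sorted snapshots: PIDs only in `now` -> added, only in `prev` -> removed.
 * Returns the added count; *nremoved gets the removed count. Caveat: a PID reused between
 * two polls looks unchanged, and a process that starts and exits within one interval is missed. */
size_t diff_pids(const procid *prev, size_t nprev, const procid *now, size_t nnow,
                 procid *added, procid *removed, size_t *nremoved) {
    size_t i = 0, j = 0, na = 0, nr = 0;
    while (i < nprev || j < nnow) {
        if (j >= nnow || (i < nprev && prev[i] < now[j])) removed[nr++] = prev[i++];
        else if (i >= nprev || now[j] < prev[i])           added[na++] = now[j++];
        else { i++; j++; }                                   /* in both: unchanged */
    }
    *nremoved = nr;
    return na;
}
#ifdef _WIN32
#define MAXP 4096                            /* assumed upper bound on PID count */
size_t snapshot_pids(procid *buf) {          /* one sorted EnumProcesses snapshot */
    DWORD bytes = 0;
    if (!EnumProcesses(buf, MAXP * sizeof(DWORD), &bytes)) return 0;
    sort_pids(buf, bytes / sizeof(DWORD));
    return bytes / sizeof(DWORD);
}
int main(void) {                             /* poll once a second, report deltas */
    static procid a[MAXP], b[MAXP], added[MAXP], removed[MAXP];
    procid *prev = a, *now = b, *t;
    size_t nprev = snapshot_pids(prev), nnow, na, nr, k;
    for (;;) {
        Sleep(1000);
        nnow = snapshot_pids(now);
        na = diff_pids(prev, nprev, now, nnow, added, removed, &nr);
        for (k = 0; k < na; k++) printf("started: PID %lu\n", added[k]);
        for (k = 0; k < nr; k++) printf("exited:  PID %lu\n", removed[k]);
        t = prev; prev = now; now = t; nprev = nnow;
    }
}
#endif
```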
I think you could use the WMI ManagementEventWatcher interface for detecting process starts - but as far as I know this doesn't work on WinCE either?
jkr:
Apart from WMI, a nice and elegant way to do that is to place a small DLL at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" (see also http://support.microsoft.com/kb/197571 - "Working with the AppInit_DLLs registry value", http://msdn2.microsoft.com/en-us/library/ms942860.aspx for CE). DLLs listed there will be loaded into every newly created process and will allow you to perform any notification via the DLL's 'DllMain()', e.g. just like:

#include <windows.h>

// Implemented elsewhere in the DLL: hand the module name to the monitoring
// application. DllMain runs while the loader lock is held, so these routines
// must not call LoadLibrary, create and wait on threads, or block for long.
void NotifyProcessStart(LPCTSTR pszModule);
void NotifyProcessEnd(LPCTSTR pszModule);

BOOL
WINAPI
DllMain ( HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved) {

    TCHAR acModule[MAX_PATH];

    switch (dwReason) {
 
        //
        // The DLL is loading due to process
        // initialization or a call to LoadLibrary.
        //
 
        case DLL_PROCESS_ATTACH:

            // TEXT() keeps the literal in step with TCHAR; Windows CE is Unicode-only.
            OutputDebugString(TEXT("DllMain(): DLL_PROCESS_ATTACH\n"));

            // NULL module handle = the executable hosting this DLL, i.e. the new process.
            GetModuleFileName(NULL,acModule,MAX_PATH);

            NotifyProcessStart(acModule); // provide an implementation

            break;

 
        case DLL_PROCESS_DETACH:
 
            OutputDebugString(TEXT("DllMain(): DLL_PROCESS_DETACH\n"));

            GetModuleFileName(NULL,acModule,MAX_PATH);

            NotifyProcessEnd(acModule); // provide an implementation

            break;
 
        default:
            break;
    }
 
    return TRUE;
}
ASKER CERTIFIED SOLUTION by jkr
>>>>  to place a small DLL at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"

Isn't that actually a *hook* ?

I don't wonder that viruses and worms can easily hijack any privileged account if processes can be hooked without a way to defend ...

Regards, Alex
>>Isn't that actually a *hook* ?

No. That's something completely different. And kernel hooking is even more different.
>>>> No. That's something completely different.
But the dll added at AppInit_DLLs would run within the context of the calling application. Where is the difference to a hook?

>>>> I don't need a hook, just a notification.
That is the requirement of the questioner. The reason for it may be that his program does not necessarily have admin rights on the target system. The AppInit_DLLs value in the registry can only be updated with admin rights, which need to be granted at least at installation time.

Regards, Alex
Sorry, but I am not inclined to get off topic here - which that discussion IMHO would be.
>>>> off topic here - which that discussion IMHO would be.
maybe you should omit the 'H'. There is nothing 'humble/honest' with that comment.

>>>> I don't need a hook, just a notification
Rich, if you need a notification you should use any of the proposed 'notification' solutions, though some of them may need administrator rights as well, at least at installation time. If you want to go without, you may compare the list of processes or top-level windows, though it is the most work to do.

Regards, Alex
"Hooking" is a very specific method of intercepting things. In the end, it implies that instead of some function call being provided by the normal provider, it is provided or intercepted or filtered by your function. So:

* getting a DLL to load is not hooking.
* DLL injection is not hooking either

Hooking is when you

* Call a hook api to install a filter function
* intercept registration of a function API and change the pointers to point to your own function
* trojan thunk a service API entry point in a module
* swap out entries in the kernel service descriptor table (SDT)
* etc.

AFAIK, the only ways to register for or obtain notifications of process initialisation will require admin rights.

I think depending on OS, the best one may be a call to PsSetCreateProcessNotifyRoutine()