3DExtended 3DExtended - 1 year ago 89
C++ Question

For every CreateProcess, call my function first

My idea is, to make a pop up window for every new process that will be created so I can be sure, that there are only processes with my permission.

The question is, how I link my function in before Windows is creating the new process.

I tried some dll injections but it does not work.

Has anyone a solution for this problem or is it even not possible?

Thanks!

Answer Source

The legitimte way of doing this is to create a kernel driver that uses PsSetCreate|ProcessNotifyRoutineEx (supported on Vista SP1 and later) to control process creation (and termination). This routine allows you to register a callback function that is invoked when either a process is being created, or is terminating. In the creation case, your callback may decide to block the process. The callback gets following information about the new process:

1) image file name,

2) command line arguments,

3) PID,

4) PID of its parent,

5) TID:PID of the creating process and thread.

If you do not wish to develop a kernel driver, you can an approximate solution. AFAIK WMI is able to notify you that a new process has just been created. When you get the notification, you may tre to suspend the process and ask the user about it (or do anything you wish).

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download