3DExtended - 1 year ago
C++ Question

For every CreateProcess, call my function first

My idea is, to make a pop up window for every new process that will be created so I can be sure, that there are only processes with my permission.

The question is, how I link my function in before Windows is creating the new process.

I tried some dll injections but it does not work.

Has anyone a solution for this problem or is it even not possible?


Answer

The legitimate way of doing this is to create a kernel driver that uses PsSetCreateProcessNotifyRoutineEx (supported on Vista SP1 and later) to control process creation (and termination). This routine allows you to register a callback function that is invoked when either a process is being created, or is terminating. In the creation case, your callback may decide to block the process. The callback gets the following information about the new process:

1) image file name,
2) command line arguments,
3) PID,
4) PID of its parent,
5) TID:PID of the creating process and thread.

If you do not wish to develop a kernel driver, you can use an approximate solution. AFAIK WMI is able to notify you that a new process has just been created. When you get the notification, you may try to suspend the process and ask the user about it (or do anything you wish).
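The user-mode WMI approximation mentioned in the answer, as an added example that is not part of the original answer: it subscribes to Win32_ProcessStartTrace events and flags any new process whose image name is not on a constructed allowlist. The allowlist contents, the log path and the source identifier are assumptions for the demonstration.

```powershell
# Added example (not the original answer's code). Requires an elevated session,
# because Win32_ProcessStartTrace is backed by kernel process tracing.
# Caveat: the event arrives AFTER the process has started, so this is detection,
# not the pre-execution control a PsSetCreateProcessNotifyRoutineEx callback gives.

# Constructed allowlist for the demonstration; replace with your own baseline.
$allowed = @('explorer.exe', 'svchost.exe', 'conhost.exe', 'powershell.exe')
$logPath = Join-Path $env:TEMP 'process-start-log.csv'   # assumed log location

$action = {
    $e = $Event.SourceEventArgs.NewEvent           # the Win32_ProcessStartTrace instance
    $allowlist = $Event.MessageData                # passed in via -MessageData below
    $name = [string]$e.ProcessName

    $record = [pscustomobject]@{
        Time     = (Get-Date).ToString('s')
        Name     = $name
        Pid      = $e.ProcessID
        ParentId = $e.ParentProcessID
        Session  = $e.SessionID
        Allowed  = ($allowlist -contains $name.ToLower())
    }

    # Keep an append-only record of every start; flag anything off the allowlist.
    $record | Export-Csv -Path $using:logPath -Append -NoTypeInformation
    if (-not $record.Allowed) {
        Write-Host ("Unexpected process: {0} (PID {1}, parent PID {2}, session {3})" -f
            $record.Name, $record.Pid, $record.ParentId, $record.Session)
    }
}

$subscription = Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'ProcStartMonitor' -MessageData $allowed -Action $action

# Leave the session open to keep receiving events. To stop monitoring:
#   Unregister-Event -SourceIdentifier 'ProcStartMonitor'
#   Remove-Job $subscription
```

Because the notification is asynchronous, a short-lived process may have exited before you act on the event; the kernel callback described above is the only point where creation can be denied before the image runs.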

