Monitor process start in the system

Tags: c++, c#, .net, winapi

Is there a way to monitor processes starting in the system before they start?

Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program it asks you if you allow running this program or not before it runs...

Ahmed Mounir asked Nov 16 '08 07:11


3 Answers

There are a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.

There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.

AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.

DarthPingu answered Nov 09 '22 04:11


You should check out the easyhook-continuing-detours project, which is a .NET port of the Microsoft Detours project. It will allow you to hook unmanaged APIs (such as CreateProcess). Check out code examples for a simple FileMon-like program here.

Igal Tabachnik answered Nov 09 '22 06:11


You can find out when processes start by using a real-time ETW consumer - however, to be able to take some action that could possibly cancel the process from starting, you'll have to do something shady / undocumented, like hooking CreateProcess, or using a kernel filter driver to block reads to the EXE.

Ana Betts answered Nov 09 '22 06:11
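As an added example (not code from any of the answers above), here is the real-time ETW consumer approach in C#, which fits the question's .NET/winapi tags. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package and that the program runs elevated, since enabling the kernel Process provider needs administrator rights. The Office-spawns-script-host rule is a constructed illustration of the kind of check a monitor would apply, not a rule from the page.

```csharp
// Added example (not from the answers above): a real-time ETW consumer that
// reports process starts as they happen. Assumes the
// Microsoft.Diagnostics.Tracing.TraceEvent NuGet package and an elevated
// process, because the kernel Process provider requires administrator rights.
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

static class ProcessStartMonitor
{
    // Constructed sample rule: a script or command host launched directly by an
    // Office application is worth a closer look. Adjust to your own environment.
    static readonly HashSet<string> OfficeApps = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE" };
    static readonly HashSet<string> ScriptHosts = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe" };

    // PID -> image name, filled from events already seen, so a child's parent can
    // be named without querying a parent that may have exited by now.
    static readonly Dictionary<int, string> ImageByPid = new Dictionary<int, string>();

    // Verdict for a parent/child image pair; kept apart from the event handler so
    // the rule can be tested without a live ETW session.
    public static string Classify(string parentImage, string childImage)
    {
        if (parentImage != null && OfficeApps.Contains(parentImage) && ScriptHosts.Contains(childImage))
            return "SUSPICIOUS";
        return "ok";
    }

    static void Main()
    {
        // Any session name works on Windows 8 and later; older systems only accept
        // the single well-known kernel logger session name, so use that.
        using (var session = new TraceEventSession(TraceEventSession.KernelSessionName))
        {
            session.StopOnDispose = true;   // tear the kernel session down on exit
            Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Dispose(); };

            // Only the Process keyword is needed: it yields Process/Start and Process/End.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

            session.Source.Kernel.ProcessStart += data =>
            {
                ImageByPid[data.ProcessID] = data.ImageFileName;
                ImageByPid.TryGetValue(data.ParentID, out string parent);
                string verdict = Classify(parent, data.ImageFileName);
                Console.WriteLine($"{data.TimeStamp:HH:mm:ss.fff} START pid={data.ProcessID} ppid={data.ParentID} " +
                                  $"parent={parent ?? "?"} image={data.ImageFileName} [{verdict}]");
                Console.WriteLine($"    cmd: {data.CommandLine}");
            };
            session.Source.Kernel.ProcessStop += data => ImageByPid.Remove(data.ProcessID);

            Console.WriteLine("Monitoring process starts; press Ctrl+C to stop.");
            session.Source.Process();   // blocks, dispatching events on this thread as they arrive
        }
    }
}
```

The handler fires after the kernel has already created the process, which is exactly the limitation the answer describes: an ETW consumer can observe and alert, and could kill or suspend a process it has flagged, but it cannot veto creation. Because `Process()` dispatches callbacks on the calling thread, the `ImageByPid` dictionary needs no locking.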