Re: Process creation interception
From: James Brown (remove_james_dot_brown7_at_virgin_dot_net)
Date: 11/21/04
- Previous message: Alexander Grigoriev: "Re: Exceptions in API"
- In reply to: Nadav: "Process creation interception"
- Next in thread: Don Burn: "Re: Process creation interception"
- Reply: Don Burn: "Re: Process creation interception"
- Reply: Nadav: "Re: Process creation interception"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 21 Nov 2004 16:36:46 -0000
Option B is the best for being notified for process creation...
option A is just plain nasty...setting a "detours" style hook for
every process is not a good design imo.
The best method for preventing process-creation is to hook
either the ZwCreateProcess API in kernel, or the ZwCreateSection
API - this last one is what virus-scanners hook to monitor when an
executable image is being mapped from disk into memory...they check
which file is being used and fail/succeed the API accordingly.
You really need to be doing this type of "system-wide" stuff in the kernel..
--
James
---
www.catch22.net
Free win32 software, sourcecode and tutorials
-----
Please de-spam my email address before replying.

"Nadav" <Nadav@discussions.microsoft.com> wrote in message news:82519416-1B3E-4E7F-8925-7CC2D1C74056@microsoft.com...
> Hi,
>
> I am developing some kind of a watch dog, this watch dog should intercept
> process creation ( programs execution ), and should prevent execution of
> processes that apply certain conditions.
> This could be done in the following ways:
> A. Intercept the CreateProcess*.*/ZwCreateProcess API for each process being
> created, inject code to ALL of the application level processes in the system.
> B. Install a SINGLE kernel level hook through the
> 'PsSetCreateProcessNotifyRoutine' API.
>
> I would rather use Option 'B' as this requires less robust intervention ( the
> callback is being set at a single location and not on a per-process basis ),
> Still, I have an open issue concerning this kind of interception ( kernel ):
> when using application level interception ( as referred to at 'A' ) each
> CreateProcess API is being intercepted, the injected code gets control before
> the call is delegated to the kernel, hence, the application detour can
> prevent the process from being created once certain criteria are met. Is it
> possible to do the same thing from within the
> 'PsSetCreateProcessNotifyRoutine' callback ( at the kernel )?
> How can this functionality be achieved through the kernel?
> What is the best way of achieving this functionality?
>
> --
> Nadav
> http://www.ddevel.com
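Added example, not part of this thread: the callback registered with PsSetCreateProcessNotifyRoutine is notify-only and cannot veto a creation, but its successor PsSetCreateProcessNotifyRoutineEx (Windows Vista SP1 and later) passes a PS_CREATE_NOTIFY_INFO whose CreationStatus the callback may set to a failure code, so the watchdog Nadav describes needs no SSDT hook of ZwCreateProcess or ZwCreateSection. The kernel types below are minimal user-mode stand-ins for the ntddk.h definitions so the callback's veto logic can be compiled and tested here; the denied image suffixes are a constructed sample policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>
#include <wctype.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Minimal user-mode stand-ins for the ntddk.h types (constructed for this example;
   the real PS_CREATE_NOTIFY_INFO has more fields, only those used here are kept). */
typedef struct { uint16_t Length; uint16_t MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef void *PEPROCESS, *HANDLE;
typedef struct {
    HANDLE          ParentProcessId;
    UNICODE_STRING *ImageFileName;   /* NT device path of the image being mapped */
    NTSTATUS        CreationStatus;  /* callback sets a failure code to veto the creation */
} PS_CREATE_NOTIFY_INFO;

/* Watchdog policy (constructed sample): images whose NT path ends with these are denied. */
static const wchar_t *const g_denied_suffixes[] = { L"\\blocked.exe", L"\\temp\\dropper.exe" };

/* Case-insensitive suffix match; Length is in bytes, as in the real UNICODE_STRING. */
static int ends_with_nocase(const UNICODE_STRING *s, const wchar_t *suffix)
{
    size_t n = s->Length / sizeof(wchar_t), m = wcslen(suffix);
    if (m > n) return 0;
    for (size_t i = 0; i < m; i++)
        if (towlower(s->Buffer[n - m + i]) != towlower(suffix[i])) return 0;
    return 1;
}

/* Same shape as PCREATE_PROCESS_NOTIFY_ROUTINE_EX; CreateInfo is NULL on process exit. */
void WatchdogCreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId, PS_CREATE_NOTIFY_INFO *CreateInfo)
{
    (void)Process; (void)ProcessId;
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;  /* exit, or no image name */
    for (size_t i = 0; i < sizeof g_denied_suffixes / sizeof g_denied_suffixes[0]; i++) {
        if (ends_with_nocase(CreateInfo->ImageFileName, g_denied_suffixes[i])) {
            CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;  /* kernel fails the create call */
            return;
        }
    }
}

/* Test harness: run one NT image path through the callback and return the resulting status. */
NTSTATUS simulate_create(const wchar_t *nt_path)
{
    UNICODE_STRING name = { (uint16_t)(wcslen(nt_path) * sizeof(wchar_t)), 0, (wchar_t *)nt_path };
    name.MaximumLength = name.Length;
    PS_CREATE_NOTIFY_INFO info = { (HANDLE)(uintptr_t)4, &name, STATUS_SUCCESS };
    WatchdogCreateProcessNotifyEx(NULL, (HANDLE)(uintptr_t)1234, &info);
    return info.CreationStatus;
}
```

A real driver registering this routine must be linked with /INTEGRITYCHECK and must remove the callback (second argument TRUE) before unloading; the denied process sees the CreationStatus value as the error from CreateProcess.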