Re: any way to hook process creation at kernel level in suspended ?




Hi Don & Sergei,

First, thanks a lot for your comments!
I have a few comments on what you both said.

Why do you think that the DLL solution using the AppInit_DLLs registry key
is somehow "clumsy"?
It might be even more efficient than a kernel-mode driver.
I tested it, and I can even unload the DLL attached by Windows to the process
being created if I return FALSE on the DLL_PROCESS_ATTACH event in DllMain
(the DLL is unloaded and the process continues to run without error; that's
because the DLL is loaded by the system using LoadLibrary).
Hence, if I don't need any dialog confirmation for the process being created,
I can just unload the DLL.
In fact, I will always unload the DLL, since I can determine when the process
has finished once the process handle is signaled (opening a process handle on
a copy of the process ID).
If I need the dialog confirmation for a process, I will use synchronization
between processes (for example an event or a mutex) and make the process
being created suspend right in the DLL_PROCESS_ATTACH event.

But I am still thinking about the kernel callback routines, as they might be
a better solution (though I don't know exactly why).
Sergei, I think you are correct.
Anyway, I think the main point is misunderstood here. It's not a problem of
just knowing when a process is created; it's more than that. It's about
sometimes suspending the process execution as well (and in a non-blocking
way, without blocking the process which invoked CreateProcess).

Thank you!
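The AppInit_DLLs scheme described in the post above, written out as an added example (this is not the poster's code and not code from the thread). The decision logic (which image names get a confirmation dialog) is plain C and compiles anywhere; the DllMain that uses it only builds on Windows. The watched image names and the event name "Global\ProcGuardConfirm" are assumptions for illustration. The example follows the post's own idea: return FALSE from DllMain on DLL_PROCESS_ATTACH so the loader unloads the DLL, or first block the new process's initial thread on a named event that the monitoring process signals. Two caveats a practitioner will want: AppInit_DLLs only reaches processes that load user32.dll, and the wait runs under the loader lock, so the monitor must not try to load anything into the suspended process while it is waiting.

```c
/* Added example (not from the original post). The decision logic is portable
   C; the DllMain at the bottom only compiles on Windows. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Image names for which the monitor wants a confirmation dialog before the
   new process runs (assumed list, for illustration only). */
static const char *const WATCHED_IMAGES[] = { "cmd.exe", "powershell.exe" };
#define WATCHED_COUNT (sizeof WATCHED_IMAGES / sizeof WATCHED_IMAGES[0])

/* Named event the monitoring process signals once the user has confirmed
   (assumed name, not from the post). */
#define CONFIRM_EVENT_NAME "Global\\ProcGuardConfirm"

/* Return the file-name component of a path, accepting both separators. */
const char *image_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/* Case-insensitive string equality (Windows file names are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if the image needs the confirmation dialog, 0 if the DLL should simply
   unload itself and let the process continue untouched. */
int needs_confirmation(const char *image_path)
{
    const char *base = image_basename(image_path);
    for (size_t i = 0; i < WATCHED_COUNT; ++i)
        if (ieq(base, WATCHED_IMAGES[i]))
            return 1;
    return 0;
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    char image[MAX_PATH];
    HANDLE ev;
    (void)hinst; (void)reserved;

    if (reason != DLL_PROCESS_ATTACH)
        return TRUE;

    /* Host image path; on failure or for an unwatched image, return FALSE:
       the system loaded us with LoadLibrary, so the loader unloads the DLL
       and the new process keeps running. */
    if (GetModuleFileNameA(NULL, image, sizeof image) == 0 ||
        !needs_confirmation(image))
        return FALSE;

    /* Hold the new process's initial thread until the monitor signals.
       Caveat: we are under the loader lock here; the monitor must not load
       anything into this process while we wait. */
    ev = OpenEventA(SYNCHRONIZE, FALSE, CONFIRM_EVENT_NAME);
    if (ev == NULL)
        return FALSE;           /* no monitor running: do not block, unload */
    WaitForSingleObject(ev, INFINITE);
    CloseHandle(ev);

    /* Confirmed. Nothing else to do in-process, so unload as the post
       describes; the monitor tracks process exit via its own handle. */
    return FALSE;
}
#endif
```

The monitor side would create the event with CreateEventA under the same name, show the dialog, and call SetEvent when the user confirms; because the wait happens in the child's DllMain, the parent that called CreateProcess is never blocked.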
