Re: Process notification

It's not so stupid as it seems. Have you ever checked how popular AV works?
They hook the SDT.
Agnitum Outpost hooks WriteProcessMemory, Kaspersky hooks TerminateProcess,
etc. (this list can be continued).

Yea, I do remember that this would not work under 64-bit systems, but I have
not seen any requirements in the OP post. Have you?

--
Vladimir

"Don Burn" <burn@xxxxxxxxxxxxxxxx> wrote in message
news:%23fzRUwiBGHA.640@xxxxxxxxxxxxxxxxxxxxxxx
> Using hooking in the kernel is worse than STUPID. First, as was pointed
> out there is a kernel callback for creation and termination of processes
> available in the kernel since NT4.0. Second, hooking will be blocked by
> the kernel on 64-bit systems. On other systems hooking will work, but it
> is highly likely to crash the system, and even if it does not it will
> cause your software to be branded as MALWARE and removed from most
> systems.
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
>
> "Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxx> wrote in message
> news:%23mnnKegBGHA.3840@xxxxxxxxxxxxxxxxxxxxxxx
>> As you see from prev. posts there is no absolute user mode solution on
>> how to be notified when a process is created. Your implementation is easy,
>> but not efficient. It's not even reliable, because some process may be
>> started and then immediately terminated - your "monitoring loop" may not
>> detect it.
>>
>> Hooking CreateProcessA(W) in kernel mode (SDT hooking) will allow you to
>> avoid things described above.
>>
>> --
>> Vladimir
>
>
