Re: Process notification

Get a clue, the AV folks are dumping this approach as fast as they can run.
You are recommending a dangerous technique where it is not needed, since
PsSetCreateProcessNotifyRoutine will capture things before the process runs.
Encouraging the use of lousy hacks just makes Windows less reliable for all
of us.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply



"Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxx> wrote in message
news:ePfWRejBGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
> It's not so stupid as it seems. Have you ever checked how popular AV works?
> They hook SDT.
> Agnitium Outpost hooks WriteProcessMemory, Kaspersky hooks
> TerminateProcess, etc. (this list can be continued).
>
> Yea, I do remember that this would not work under 64-bit systems, but I
> have not seen any requirements in the OP post. Have you ?
>
> --
> Vladimir
>
> "Don Burn" <burn@xxxxxxxxxxxxxxxx> wrote in message
> news:%23fzRUwiBGHA.640@xxxxxxxxxxxxxxxxxxxxxxx
>> Using hooking in the kernel is worse than STUPID. First, as was pointed
>> out there is a kernel callback for creation and termination of processes
>> available in the kernel since NT4.0. Second, hooking will be blocked by
>> the kernel on 64-bit systems. On other systems hooking will work, but it
>> is highly likely to crash the system, and even if it does not it will
>> cause your software to be branded as MALWARE and removed from most
>> systems.
>>
>>
>> --
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Remove StopSpam from the email to reply
>>
>>
>>
>> "Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxx> wrote in message
>> news:%23mnnKegBGHA.3840@xxxxxxxxxxxxxxxxxxxxxxx
>>> As you see from prev. posts there is no absolute user mode solution on
>>> how to be notified when process is created. Your implementation is
>>> easy, but not efficient. It's not even reliable, because some process may
>>> be started and then immediately terminated - your "monitoring loop" may
>>> not detect it.
>>>
>>> Hooking CreateProcessA(W) in kernel mode (SDT hooking) will allow you to
>>> avoid things described above.
>>>
>>> --
>>> Vladimir
>>
>>
>
>
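The supported callback Don Burn points to, as an added example that is not code from the thread: a driver registers with PsSetCreateProcessNotifyRoutine and keeps a small table of created and exited processes, which is what a polling loop misses. BUILD_KERNEL is an assumed macro; the host-side stand-in types and the fixed-size table are my assumptions so the bookkeeping can be built and exercised outside the WDK.

```c
/* Added example, not from the thread: PsSetCreateProcessNotifyRoutine as named in the
 * reply. BUILD_KERNEL is an assumed macro; without it, host stand-ins replace WDK types. */
#ifdef BUILD_KERNEL
#include <ntddk.h>
#else
typedef void *HANDLE; typedef unsigned char BOOLEAN;   /* host stand-ins, not WDK's */
enum { FALSE = 0, TRUE = 1 };
#endif
#define MAX_TRACKED 64
struct tracked { HANDLE pid; HANDLE parent; BOOLEAN exited; };
static struct tracked g_table[MAX_TRACKED]; static unsigned g_count;
/* Signature required by PsSetCreateProcessNotifyRoutine. Called synchronously before the
 * new image runs (Create == TRUE) and at exit (Create == FALSE): nothing short-lived is missed. */
void CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    unsigned i;
    if (Create) {
        if (g_count < MAX_TRACKED) {          /* table full: entry is dropped */
            g_table[g_count].pid = ProcessId;
            g_table[g_count].parent = ParentId;
            g_table[g_count].exited = FALSE;
            g_count++;
        }
        return;
    }
    for (i = 0; i < g_count; i++)             /* exit notification: mark the entry */
        if (g_table[i].pid == ProcessId) { g_table[i].exited = TRUE; return; }
}
/* Returns 1 if pid was seen at creation and reports its parent and exit state. */
int lookup_process(HANDLE pid, HANDLE *parent, BOOLEAN *exited)
{
    unsigned i;
    for (i = 0; i < g_count; i++)
        if (g_table[i].pid == pid) { *parent = g_table[i].parent; *exited = g_table[i].exited; return 1; }
    return 0;
}
#ifdef BUILD_KERNEL
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutine(CreateProcessNotify, TRUE);   /* Remove = TRUE */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE);
}
#endif
```

In a real driver the table needs a lock, since the callback can run concurrently on several processors, and the fixed size is only for the demonstration.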