Process Creation Notification

  • Process Creation Notification

    Is there any way to receive some kind of notification call from the OS when a process is created? I know that I can call EnumProcesses in PSAPI, but I'd rather not use a polling technique if I can get a notification via a callback function. Any suggestions?

    Thanks,

    Jason Bock

    ------------------

  • #2
    Start an app using CreateProcess and do not close a handle. You will receive all.

    ------------------
    E-MAIL: [email protected]



    • #3
      Semen,

      I don't see how CreateProcess notifies you when a process is started up. I'm not looking for a way to start up a process myself. I'm looking for a way to:

      1) Start up my process (call it p1).
      2) Have p1 call some Win32 function and pass it a function pointer.
      3) Whenever a process is started up (like Word or Notepad) that p1 did not start up, the callback function would be fired (I'm assuming it would pass a PID or process handle, maybe?).

      CreateProcess doesn't do this, according to the SDK; it only starts up the app you specify in lpApplicationName. Or maybe it does, and I don't see it. Could you post some code showing how you would do this?

      Thanks,

      Jason

      ------------------



      • #4
        Jason --
        Probably a global hook will satisfy you.
        Look in "Source code": I posted some variants. http://www.powerbasic.com/support/pb...ad.php?t=22658
        For example, CBT (the last one).

        ------------------
        e-mail: [email protected]



        • #5
          Jason,
          Try http://www.domaindlx.com/e_morcillo/...cod/shlext.asp

          It's VB only, sorry, but there is a demo there called ShellExecuteHook, which uses an ActiveX DLL as the hook. With your DLL properly installed in the correct way, correct registry keys in place etc., you're ready. When you start a program, the operating system will ask your DLL if it can continue processing the file... you respond with 1 - yes, continue with the file (allow it to execute), or 0 - block the execution of the file.
          Sorry that it's only in VB, but it seems to do what you're after.
          I've used the ShellExecuteHook myself, but I would LOVE to see it converted to PB! As it uses a Type Library, I'm not sure if it's possible or not.

          Best of luck,
          Wayne



          ------------------
          -



          • #6
            Wayne,

            Thanks for the link. I haven't tried it yet, but I'll play around with it later. From a quick glance at the code it'll hook ShellExecute calls, which is what MS says you should use to start processes, but I'm guessing that too many processes are started using CreateProcess. But it's a start.

            If it works in VB, that's fine.

            Thanks,

            Jason

            ------------------



            • #7
              It works in VB, and works quite well, although VB really isn't too good for this because the DLL requires all the VB bloat on top - and it's only a tiny DLL that does the hook, so it's big-time resource overkill, remembering that this load is for every single execution on your system, so it can in some cases slow file execution down...
              A PB implementation wouldn't have any of those problems. The only issue is the Type Library...
              Best of luck!



              ------------------
              -



              • #8
                iShellExecute is too specific a "hook".
                It's not even a hook in the classic understanding (mostly a "callback" for ShellExecute).

                Well, I modified the CBT hook (tested under 2000 only, but I hope it works everywhere).
                When an app is activated for the first time, it sends a message (see the textbox).

                Dll

                Code:
                   ' Hook.Dll: a global WH_CBT hook. Windows maps this DLL into every GUI
                   ' process with a message queue, so the first HCBT_ACTIVATE seen by each
                   ' copy of the DLL identifies one process that has just come alive.
                   #Compile Dll "Hook.Dll"
                   #Register None
                   #Dim All
                   #Include "Win32Api.Inc"

                   $WndNm = "Any unique name"      ' caption of the monitor window that receives notifications
                   %NotifyId = %WM_USER + 401      ' private message; wParam carries the process id

                   ' Per-process copies: hHook is only non-zero in the process that installed the hook.
                   ' CallNextHookEx ignores the hhk argument on the NT family, so that is harmless there.
                   Global hHook As Long, hInstDLL As Long

                   Function LibMain(ByVal hInstance As Long, ByVal fwdReason As Long, _
                      ByVal lpvReserved As Long) Export As Long
                      Select Case fwdReason
                         Case %DLL_PROCESS_ATTACH: hInstDLL = hInstance: LibMain = 1
                         Case %DLL_PROCESS_DETACH: LibMain = 1
                      End Select
                   End Function

                   Function HookProc(ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) Export As Long
                      ' Statics are per process too, so "first time" means first activation in this process.
                      Static hDlg As Long, NotFirstTime As Long

                      ' Always pass the event down the hook chain.
                      Function = CallNextHookEx(ByVal hHook, ByVal nCode, ByVal wParam, ByVal lParam)

                      ' On the first window activation in this process, report its PID once.
                      If (nCode = %HCBT_ACTIVATE) And IsFalse(NotFirstTime) Then
                         NotFirstTime = %True
                         ' "" to a ByRef Asciiz parameter passes a NULL class name in PowerBASIC.
                         hDlg = FindWindow("", $WndNm)
                         ' Skip the monitor window itself (wParam is the window being activated).
                         If IsTrue(hDlg) And hDlg <> wParam Then _
                            PostMessage hDlg, %NotifyId, GetCurrentProcessId, 0
                      End If
                   End Function

                   ' Install the global hook (hWnd is accepted for symmetry but not needed here).
                   Function SetHookWindow Alias "SetHookWindow" (hWnd As Long) Export As Long
                      hHook = SetWindowsHookEx(%WH_CBT, CodePtr(HookProc), ByVal hInstDLL, ByVal 0)
                      Function = hHook
                   End Function

                   Function UnHookWindow Alias "UnHookWindow" Export As Long
                      Function = UnhookWindowsHookEx(hHook)
                   End Function

                Exe

                Code:
                   #Compile Exe
                   #Dim All
                   #Register None
                   #Include "Win32Api.Inc"

                   $WndNm = "Any unique name"      ' must match the DLL; the hook finds this window by caption
                   %NotifyId = %WM_USER + 401

                   Declare Function SetHookWindow Lib "Hook.Dll" Alias "SetHookWindow" (hWnd As Long) As Long
                   Declare Function UnHookWindow Lib "Hook.Dll" Alias "UnHookWindow" As Long

                   CallBack Function DlgProc
                      Select Case CbMsg
                         Case %WM_INITDIALOG: SetHookWindow CbHndl   ' install the global hook
                         Case %WM_DESTROY   : UnHookWindow           ' remove it when the dialog closes
                         ' Posted by the hook DLL from inside the newly activated process.
                         Case %NotifyId     : Control Set Text CbHndl, 101, "ProcessId = &H" + Hex$(CbWparam)
                      End Select
                   End Function

                   Function PbMain()
                      Local hDlg As Long
                      Dialog New 0, $WndNm, 0, 0, 200, 14, %WS_CAPTION Or %WS_SYSMENU, %WS_EX_TOPMOST To hDlg
                      Control Add TextBox, hDlg, 101, "", 0, 0, 200, 14
                      Dialog Show Modal hDlg Call DlgProc
                   End Function

                ------------------
                E-MAIL: [email protected]



                • #9
                  Many thanks for that Semen, I'd never seen an implementation like that (works perfectly on my NT4 box) - can it be modified so that the file execution can be blocked?


                  ------------------


                  [This message has been edited by Wayne Diamond (edited October 27, 2000).]
                  -



                  • #10
                    Wayne --
                    Yes, it's more than simple.
                    For example, in the previous variant of the DLL, replace the %DLL_PROCESS_ATTACH processing with:
                    Code:
                             Case %DLL_PROCESS_ATTACH
                                Local TmpAsciiz As Asciiz * %MAX_PATH
                                hInstDLL = hInstance
                                ' Full path of the executable this copy of the DLL was just mapped into
                                GetModuleFileName GetModuleHandle(ByVal %Null), TmpAsciiz, SizeOf(TmpAsciiz)
                                ' Showing UI from LibMain runs under the loader lock; acceptable for a demo only.
                                ' Answering No lets the process continue; Yes ends the loading thread,
                                ' which for a freshly started process is its primary thread.
                                If MessageBox(0, TmpAsciiz, "To Kill ?", %MB_YESNO) = %IDNO Then LibMain = 1 Else _
                                   FreeLibraryAndExitThread hInstDLL, 0&
                    Be careful and don't kill explorer.exe.

                    [This message has been edited by Semen Matusovski (edited October 27, 2000).]



                    • #11
                      Outstanding, a thousand thank-yous Semen!



                      [This message has been edited by Wayne Diamond (edited October 27, 2000).]
                      -



                      • #12
                        Wayne --
                        There are different global hooks, but all work like this:
                        when a (new or old) process is activated, Windows inserts a DLL with the global hook.

                        I used this feature to detect any process.
                        If you want to detect new processes only, first of all it's necessary to retrieve a list of the currently running ones.
                        It's not very difficult, but a lot of code - see http://www.powerbasic.com/support/pb...ead.php?t=2521



                        ------------------
                        e-mail: [email protected]



                        • #13
                          One curiosity I noticed with your demo compared to ShellExecuteHook is that when you go Start | Run | c:\test.vbs, instead of saying "c:\test.vbs is doing its stuff", it says "c:\winnt\system32\msscript.exe is doing its stuff".
                          Also, if you start the programs from the Command Prompt, they don't seem to get recognised either.
                          The ShellExecuteHook demo is different in that it will say "c:\test.vbs has been started, allow it to run?"
                          However, both fail when it comes to detecting programs started in the Command Prompt.
                          Any ideas? ShellExecuteHook is the closest non-driver solution I'm aware of, but you're right in that it is more of a callback from explorer.exe than anything else.



                          ------------------
                          -



                          • #14
                            ShellExecute(Ex), which is used by Explorer:

                            1) First, searches for the executable module.
                            2) Then starts it, using CreateProcess.

                            iShellExecuteHook receives information about step 1, not about step 2.
                            For some purposes it's good, for some not, because it doesn't really control the creation of processes.
                            iShellHook is not able to detect when one program starts another by Shell "...".

                            Unlike iShellExecuteHook, global hooks are directly linked with processes.
                            But if we speak about console apps...
                            Yes, it's well known - global hooks don't work for them.

                            The only solution I know of to detect console apps is to enumerate processes (for example, by timer).

                            ------------------
                            E-MAIL: [email protected]

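The enumerate-on-a-timer approach from #12 and #14, written out as an added example that is not from this thread or any of its posters. It is PowerShell rather than PowerBASIC and assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the CIM cmdlets available. It first takes a baseline of the running processes (as #12 says you must) and then reports only what appears afterwards; because it enumerates Win32_Process rather than relying on window activation, console programs are seen as well. The function names Get-ProcessSnapshot and Watch-NewProcesses are my own.

```powershell
# Added example (PowerShell, not PowerBASIC): detect new processes by polling,
# the enumerate-by-timer technique from posts #12 and #14. Sees console apps too.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-ProcessSnapshot {
    # Key each process on PID plus creation time, so a PID that is reused
    # after another process exits is still reported as new.
    $snap = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $key = '{0}:{1:o}' -f $p.ProcessId, $p.CreationDate
        $snap[$key] = $p
    }
    return $snap
}

function Watch-NewProcesses {
    param(
        [int]$IntervalMs = 500,   # poll period; shorter catches more short-lived processes
        [int]$Iterations = 120    # number of polls before returning (120 x 500 ms = one minute)
    )
    # Post #12: first record what is already running, so only later starts are reported.
    $baseline = Get-ProcessSnapshot
    for ($i = 0; $i -lt $Iterations; $i++) {
        Start-Sleep -Milliseconds $IntervalMs
        $current = Get-ProcessSnapshot
        foreach ($key in $current.Keys) {
            if (-not $baseline.ContainsKey($key)) {
                $p = $current[$key]
                '{0:o} NEW pid={1} ppid={2} name={3} cmd={4}' -f (Get-Date), $p.ProcessId, $p.ParentProcessId, $p.Name, $p.CommandLine
            }
        }
        $baseline = $current
    }
}

Watch-NewProcesses
```

The weakness Semen's answer implies is visible here: anything that starts and exits between two polls is never seen, and shortening the interval costs CPU for every enumeration. The PID-plus-CreationDate key is what keeps a recycled PID from being mistaken for the process that previously held it.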


                            • #15
                              Semen, is the only real solution then to use a file monitoring driver? Such as www.sysinternals.com FileMon
                              (nobody here seems to have done the PB <-> driver thang before though?), which would require one driver for 95/98 and one for NT/2K, I suppose...




                              ------------------
                              -

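An added note and example, not from this thread: a driver is not the only way to get the notification Jason asked for in the first post. Windows can deliver process-start events to a callback through a WMI event subscription, and the Win32_ProcessStartTrace event class is fed by kernel event tracing, so console programs are reported as well as GUI ones. The script below is mine, not any poster's; it assumes an elevated PowerShell session (Windows PowerShell 5.1 or PowerShell 7) on Windows, and the source identifier 'ProcStart' and the log path are arbitrary choices for the demo.

```powershell
# Added example (PowerShell), not from this thread: OS-delivered process-start
# notifications through a WMI event subscription, no polling and no hook DLL.
# Win32_ProcessStartTrace requires an elevated session.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$LogPath = Join-Path $env:TEMP 'proc-start.log'   # arbitrary location for this demo

# Runs in the event runspace each time the OS reports a new process.
$onStart = {
    $e = $Event.SourceEventArgs.NewEvent            # a Win32_ProcessStartTrace instance
    $line = '{0:o} NEW pid={1} ppid={2} name={3} session={4} sid={5}' -f `
        (Get-Date), $e.ProcessID, $e.ParentProcessID, $e.ProcessName, $e.SessionID, $e.Sid
    Add-Content -Path $Event.MessageData -Value $line
}

# Subscribe; from here on the callback fires on its own.
$job = Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
        -SourceIdentifier 'ProcStart' -Action $onStart -MessageData $LogPath

try {
    Write-Host "Logging process starts to $LogPath; press Ctrl+C to stop."
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Always tear the subscription down, otherwise it outlives the script in this session.
    Unregister-Event -SourceIdentifier 'ProcStart' -ErrorAction SilentlyContinue
    Remove-Job -Job $job -Force -ErrorAction SilentlyContinue
}
```

For monitoring rather than a demo, the same data is better taken from the Security log (event 4688, once "Audit Process Creation" is enabled) or from Sysmon event ID 1, which record every start including ones that exit within milliseconds and do not depend on a script staying alive.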
