Reputation: 1370
Hookin CreateProcessEx
i would like to systemwide hook CreateProcessEx
it is redirects all windows calls into my wrapper function
where I will log names to textfile then call oruginal CreateProcessEx
Can it be easy and safely done ?
I would like hook all systemwide calls to it but not etternaly for some period of time only.. How to do it?
If I will find the adress of this api call in ram then overvrite it with call to my procedure, how then I will call the oryginal function if there it is somewhat corrupted?
Upvotes: 0
Views: 1257
Answers (2)
Reputation: 596216
CreateProcessEx() is a user-mode function. You have to patch it on a per-process basis. That means creating a DLL that is injected into every running process, such as by using SetWindowsHookEx() or the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs Registry key, and then have that DLL patch the PE Imports table of every process it is loaded into.
Upvotes: 1
Reputation: 10613
Hooking CreateProcess is the wrong approach for a few reasons. There is an approved mechanism for doing this sort of thing but you need a driver to be loaded. Your driver can then simply leverage the PsSetCreateProcessNotifyRoutine function.
With that said, would your needs not be served by using the auditing functionality built into Windows? Turning on process creation auditing will cause the system to write an event log entry whenever a process is created, detailing plenty of information about the process being started, including the image path.
Upvotes: 4
Related Questions
- CreateProcess always fails
- winApi create process using c++
- How to install a hook on a process created with CreateProcess?
- using the CreateProcess function
- CreateProcess hook to add CommandLine
- Execute command using Win32
- Hooking in win32
- calling CreateProcess via system plugin
- CreateProcess to execute Windows command
- CreateProcess Won't Start