Reputation: 23525
Detect CreateProcess or who created the process
How can I detect the name of the application that created my application's process?
For example, if someone wanted, they could call CreateProcess and pass it the suspended flag and inject into my application.
Is there a way to block CreateProcess or to figure out what process created an instance of my application?
I've hooked loadlibrary, createthread and all the other easy stuff but CreateProcess seems like it can bypass that.
I'm doing it for fun and learning, not for real world use. I just haven't seen anything that detects CreateProcess..
Any ideas at all?
Upvotes: 0
Views: 406
Answers (1)
Reputation: 613582
You can find the parent process ID using the tool help library:
- Call
CreateToolhelp32Snapshot. - Call
Process32FirstandProcess32Nextto enumerate the processes. - At some point you will encounter a
PROCESSENTRY32struct for whichth32ProcessIDis the process ID of your process. - Read out the
th32ParentProcessIDmember to find the process ID of your parent. - Now that you know the parent process, you can enumerate again to gain information about it.
Be prepared for the parent process to have been terminated before you reach this point.
Upvotes: 1
Related Questions
- Get process handle of created processes Windows
- How to give a program's Handle to a process it created?
- How to detect win32 process creation/termination in c++
- How to tell if a process started with CreateProcess is still running?
- CreateProcess as Administrator and get its ProcessInformation Like ProcessID
- Detect any program that uses OpenProcess?
- Get the PID of the process started by CreateProcess()
- Monitor process start in the system
- How do I know when CreateProcess actually started a process?
- Win32 determine process ID