I can inject a hook into running processes to catch when they create, destroy, max/min. But I haven't come up with a way to catch the creation of a new process so that I can inject my hook into that one. Does anyone know the best way to accomplish this?
SetWindowsHookEx is your easiest solution.
If you don't mind upsetting the anti-virus software, you can also inject a DLL into each process that will then hook CreateProcess (to inject the DLL into further processes) and CreateWindowEx (for your purposes).
EDIT: I just read your question completely. Yes, you'll want to just hook CreateProcessW and inject your hook into future processes.
EDIT #2: I was actually working on something like this yesterday, so here is some code that does what you want.
    #include <windows.h>

    // call GetModuleFileName to get the full path of the module before installing the hook
    static LPWSTR lpszDllName;

    // trampoline to the original CreateProcessW; Detours (DetourAttach) redirects it to the hook below
    static BOOL (WINAPI *_CreateProcessW)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION) = CreateProcessW;

    HMODULE LoadModuleEx(__in HANDLE hProcess, __in_z LPCTSTR lpcszDll)
    {
        DWORD cdwSize;
        LPVOID lpvAllocation;
        HANDLE hThread;
        HMODULE hRet = NULL;
        cdwSize = lstrlen(lpcszDll) + 1;
        cdwSize *= sizeof(TCHAR);
        // the buffer only holds the DLL path, so it does not need to be executable
        lpvAllocation = VirtualAllocEx(hProcess, NULL, cdwSize, MEM_COMMIT, PAGE_READWRITE);
        if (lpvAllocation != NULL)
        {
            if (WriteProcessMemory(hProcess, lpvAllocation, lpcszDll, cdwSize, NULL))
            {
                hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, lpvAllocation, 0, NULL);
                if (hThread != NULL)
                {
                    // wait for LoadLibrary to finish; its return value is the thread's exit code
                    // (a full HMODULE only on 32-bit, since the exit code is a DWORD)
                    WaitForSingleObject(hThread, INFINITE);
                    GetExitCodeThread(hThread, (LPDWORD)&hRet);
                    CloseHandle(hThread);
                }
            }
            VirtualFreeEx(hProcess, lpvAllocation, 0, MEM_RELEASE);
        }
        return hRet;
    }

    // hook future process creation - install this hook on top of CreateProcessW
    // I'd suggest using Microsoft Detours
    BOOL WINAPI CreateProcessWHook(__in_opt LPCWSTR lpApplicationName, __inout_opt LPWSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation)
    {
        // create the process suspended so the DLL is loaded before its first instruction runs
        BOOL bWasSuspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;
        dwCreationFlags |= CREATE_SUSPENDED;
        // call original CreateProcessW
        BOOL bRet = _CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
        if (bRet)
        {
            // inject DLL
            LoadModuleEx(lpProcessInformation->hProcess, lpszDllName);
            // resume thread (unless the caller asked for a suspended process itself)
            if (!bWasSuspended)
                ResumeThread(lpProcessInformation->hThread);
        }
        return bRet;
    }
As other people have mentioned, using SetWindowsHookEx to create a shell hook is probably the optimal solution.
If you're really serious about catching the creation of new processes and injecting your own code, you'll have to load a kernel driver and use PsSetLoadImageNotifyRoutine, but this is almost certainly the wrong approach.
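A user-mode middle ground between a Win32 hook and a driver, added here as an example and not taken from any answer on this page: Windows publishes a process-start event through WMI (Win32_ProcessStartTrace) that a PowerShell session can subscribe to without hooking or injecting anything. It assumes an elevated prompt (the class needs administrator rights) and writes to a constructed log path.

```powershell
# Added example: observe every process start system-wide from user mode via the
# WMI event class Win32_ProcessStartTrace, which is fed by the kernel's own tracing.
# Assumption: run from an elevated PowerShell session; $LogPath is a placeholder.
$LogPath = "$env:TEMP\process-starts.log"

# Subscribe; the -Action block runs in a background event job for each new process.
$subscription = Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'ProcStartWatch' -MessageData $LogPath -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # Constructed log line: timestamp, new PID, parent PID, image name.
        $line = '{0:o} pid={1} ppid={2} name={3}' -f (Get-Date), $e.ProcessID, $e.ParentProcessID, $e.ProcessName
        Add-Content -Path $Event.MessageData -Value $line
    }

Write-Host "Watching process creation; press Ctrl+C to stop. Log: $LogPath"
try {
    # Keep the session alive so the subscription keeps delivering events.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Tear down the subscription and its event job on exit.
    Unregister-Event -SourceIdentifier 'ProcStartWatch'
    Remove-Job -Id $subscription.Id -Force
}
```

Unlike a CreateProcessW hook, this sees processes started by any parent, including those not descended from the hooked process, but it only observes; it cannot pause the new process before it runs.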
You'll want to use a system hook using SetWindowsHookEx. That will then allow you to provide a callback when applications (for example) create a window.
