How can I hook processes?

Hi everybody!

I want to develop a VXD and SYS driver for hooking process start/stop.
In NT/2000 I replace the NtCreateProcess() and NtTerminateProcess() native
API, but in W9x I don't know how to do this. I think that I can replace
INT 21h AH=4B.

Can you help me?

Thanks in advance.
-Abel.

As far as I remember, W9x has a method to register notification handlers
for thread creation / destruction. I don't remember if they have the same thing
for a process (I think they do). But even with threads you can
implement logic that allows you to track process creation/destruction
(a process starts when its first thread starts and ends when its last thread
terminates).

Vladimir

-----Original Message-----
From: Abel Muñoz Alcaraz [mailto:xxxxx@trymedia.com]
Sent: Monday, October 02, 2000 9:28 AM
To: NT Developers Interest List
Subject: [ntdev] How can I hook processes?


You are currently subscribed to ntdev as: xxxxx@Starbase.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)

And what to do if someone creates a process using PsCreateSystemProcess?

You should consider the following facts:

CREATING


Physical process creation is done in PspCreateProcess
which is called by two other routines only,
NtCreateProcess and PsCreateSystemProcess.

Physical thread creation is done in PspCreateThread
which is called by two other routines only,
NtCreateThread and PsCreateSystemThread.

Both PspCreateProcess and PspCreateThread call the
registered callbacks (by PsSetCreateProcessNotifyRoutine and
PsSetCreateThreadNotifyRoutine) with the third argument = TRUE.

TERMINATING


NtTerminateProcess forces all of the process' threads to terminate.
It does not work for system processes, which are terminated
after all their threads terminate.

NtTerminateThread calls PspExitThread (either immediately
if the thread to terminate is current thread or through an APC
if it isn’t).
PsTerminateSystemThread calls PspExitThread immediately
because this routine can terminate itself only.

PspExitThread calls registered thread callbacks with the third
argument = FALSE and if this is the last process’ thread
it calls PspExitProcess.

PspExitProcess calls the registered process callbacks with the
third argument = FALSE.



So you should register a process creation/termination callback
and do your task inside it. This callback can reside in a pageable
code section, and the only disadvantage is that you are passed
only the process ID, not the process pointer (of type PEPROCESS).
If you want to get this value, call PsReferenceProcessById
(only on process creation; on termination, when the callback
is called, the process ID is no longer valid, so you must search
your own data by ID).

Hope this helps you do your task more correctly on NT.

Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Abel Muñoz Alcaraz
Sent: Monday, October 02, 2000 6:28 PM
To: NT Developers Interest List
Subject: [ntdev] How can I hook processes?



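Paul's advice, written out as an added example (this is not code from the thread or from any of its posters): a PID-keyed table that the creation callback fills in and the termination callback consults, instead of trying to resolve the PID once the process is gone. It is plain user-mode C with stand-in types so it compiles and runs outside a driver; PID_T, the fixed-size table, the accessor names and the PIDs in main are assumptions, and PsLookupProcessByProcessId is the documented routine that resolves a process ID to a referenced PEPROCESS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's HANDLE ProcessId / ParentId (assumption:
 * user-mode build, no ntddk.h). */
typedef uintptr_t PID_T;

#define MAX_TRACKED 64   /* assumed fixed-size table; a driver would use a list */

struct tracked_process {
    bool          in_use;
    PID_T         pid;
    PID_T         parent_pid;
    unsigned long create_seq;  /* anything needed at exit is captured at create */
};

static struct tracked_process g_table[MAX_TRACKED];
static unsigned long g_create_seq;
static unsigned long g_orphan_exits;  /* exits for PIDs we never saw created */

static struct tracked_process *find_by_pid(PID_T pid)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (g_table[i].in_use && g_table[i].pid == pid)
            return &g_table[i];
    return NULL;
}

static struct tracked_process *alloc_slot(void)
{
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (!g_table[i].in_use)
            return &g_table[i];
    return NULL;
}

/* Same shape as PCREATE_PROCESS_NOTIFY_ROUTINE:
 *   VOID Routine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
 * In a driver this is the function passed to PsSetCreateProcessNotifyRoutine;
 * Create is TRUE on process creation and FALSE on process exit.  The table
 * would then need a lock, because create and exit events arrive on
 * different threads (the creator's on create, the dying process's last
 * thread on exit). */
void process_notify(PID_T parent_pid, PID_T pid, bool create)
{
    struct tracked_process *t = find_by_pid(pid);

    if (create) {
        if (t == NULL)
            t = alloc_slot();       /* t != NULL here means PID reuse: overwrite */
        if (t == NULL)
            return;                 /* table full: drop the event, never fault */
        t->in_use     = true;
        t->pid        = pid;
        t->parent_pid = parent_pid;
        t->create_seq = ++g_create_seq;
        /* Creation is the only moment the PID resolves to a live process:
         * a driver would call PsLookupProcessByProcessId here for the
         * PEPROCESS and ObDereferenceObject it when done. */
        return;
    }

    /* Exit: do not try to resolve the PID, it is already invalid.
     * Answer from our own record or admit we have none. */
    if (t == NULL) {
        g_orphan_exits++;           /* e.g. process predates driver load */
        return;
    }
    printf("process %lu (parent %lu, create #%lu) exited\n",
           (unsigned long)t->pid, (unsigned long)t->parent_pid, t->create_seq);
    memset(t, 0, sizeof *t);
}

/* Accessors for inspecting the table's state. */
size_t tracked_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_TRACKED; i++)
        n += g_table[i].in_use;
    return n;
}

bool is_tracked(PID_T pid) { return find_by_pid(pid) != NULL; }
unsigned long orphan_exits(void) { return g_orphan_exits; }

int main(void)
{
    /* Constructed event sequence; all PIDs are made up. */
    process_notify(4, 100, true);
    process_notify(100, 200, true);    /* child of 100 */
    process_notify(100, 200, false);   /* child exits: found in table */
    process_notify(0, 999, false);     /* exit for a PID never seen created */
    process_notify(4, 100, false);
    printf("tracked=%zu orphan_exits=%lu\n", tracked_count(), orphan_exits());
    return 0;
}
```

In a real driver, process_notify is registered from DriverEntry with PsSetCreateProcessNotifyRoutine(process_notify, FALSE) and removed at unload with the Remove = TRUE form; the orphan-exit counter is the honest answer to "what about processes created before my driver loaded", which no amount of PID lookup at exit time can recover.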