[request] process termination notification

c++ / delphi package - dll injection and api hooking

[request] process termination notification

Postby jgh0721 » Tue Nov 10, 2015 5:32 am

I use madCodeHook to know process creation / termination notification.

But I don't know how to receive process termination notification.
jgh0721
Posts: 10
Joined: Tue Apr 22, 2014 8:06 am

Re: [request] process termination notification

Postby madshi » Tue Nov 10, 2015 5:11 pm

Have you looked at the HookProcessTermination demo?

http://madshi.net/HookProcessTermination.zip
madshi
Site Admin
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: [request] process termination notification

Postby jgh0721 » Wed Nov 11, 2015 7:18 am

Yes, I already know this demo.

But this demo hooks ExitProcess, TerminateProcess, NtTerminateProcess, etc. But I can't receive process termination notification when the process crashes.

I want to know all process termination notifications, even if the process crashed.
jgh0721
Posts: 10
Joined: Tue Apr 22, 2014 8:06 am

Re: [request] process termination notification

Postby madshi » Wed Nov 11, 2015 7:37 am

In that case use process creation notification to build a list of running processes. Then you can use a separate thread to use WaitForMultipleObjects with the process handles of all the running processes. WaitForMultipleObjects will let you know as soon as one of the processes closes down, for whatever reason.
madshi
Site Admin
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
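The approach madshi describes above, as an added example that is not code from the thread or from the madCodeHook package: the process-creation notification registers each new PID by opening a SYNCHRONIZE handle, and a waiter thread blocks in WaitForMultipleObjects on those handles, so it wakes for every kind of exit, a crash included. All type and function names (TrackedProcess, PlanWaitGroups, InterpretWaitResult, ProcessTracker, OnProcessTerminated, WaiterThread) are my own. The practitioner's caveat it handles is the MAXIMUM_WAIT_OBJECTS limit of 64 handles per call: slot 0 is reserved for a "list changed" event so the waiter can rebuild its array when a process is added, which leaves 63 processes per waiter thread; the planning and result-mapping helpers are portable, the Win32 part is compiled only on Windows.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#else
// Win32 wait constants, reproduced so the planning logic also compiles off Windows.
constexpr unsigned long WAIT_OBJECT_0 = 0x00000000UL;
constexpr std::size_t MAXIMUM_WAIT_OBJECTS = 64;
#endif

struct TrackedProcess {
    unsigned long pid;
    void* handle;   // a SYNCHRONIZE HANDLE on Windows; unused by the planning logic
};
// Slot 0 of every wait array is an auto-reset "list changed" event, so one
// WaitForMultipleObjects call covers at most MAXIMUM_WAIT_OBJECTS - 1 processes.
constexpr std::size_t kProcessesPerWaiter = MAXIMUM_WAIT_OBJECTS - 1;

// Split the tracked processes into groups that fit one wait call each;
// every group beyond the first needs its own waiter thread.
std::vector<std::vector<TrackedProcess>> PlanWaitGroups(const std::vector<TrackedProcess>& all) {
    std::vector<std::vector<TrackedProcess>> groups;
    for (std::size_t i = 0; i < all.size(); i += kProcessesPerWaiter) {
        std::size_t end = std::min(all.size(), i + kProcessesPerWaiter);
        groups.emplace_back(all.begin() + i, all.begin() + end);
    }
    return groups;
}

enum class WaitOutcome { ListChanged, ProcessExited, Error };
struct WaitEvent { WaitOutcome outcome; std::size_t index; };  // index into the group

// Map a WaitForMultipleObjects return value back onto the wait array layout.
// Process handles never report WAIT_ABANDONED (that is for mutexes), so anything
// outside the signalled-object range (including WAIT_FAILED) is an error.
WaitEvent InterpretWaitResult(unsigned long result, std::size_t groupSize) {
    const unsigned long slots = static_cast<unsigned long>(groupSize + 1);  // + wake-up event
    if (result < WAIT_OBJECT_0 + slots) {
        const unsigned long slot = result - WAIT_OBJECT_0;
        if (slot == 0) return {WaitOutcome::ListChanged, 0};
        return {WaitOutcome::ProcessExited, static_cast<std::size_t>(slot - 1)};
    }
    return {WaitOutcome::Error, 0};
}

// Hypothetical sink: replace with whatever your hook DLL reports to.
void OnProcessTerminated(unsigned long pid, unsigned long exitCode) {
    std::printf("pid %lu terminated, exit code 0x%08lX\n", pid, exitCode);
}

#ifdef _WIN32
struct ProcessTracker {
    CRITICAL_SECTION lock;
    std::vector<TrackedProcess> procs;
    HANDLE listChanged;  // auto-reset event, always slot 0 of the wait array
};
void InitTracker(ProcessTracker& t) {
    InitializeCriticalSection(&t.lock);
    t.listChanged = CreateEventW(nullptr, FALSE, FALSE, nullptr);
}
// Call from the process-creation notification. SYNCHRONIZE is all a wait needs,
// and it is granted for many processes that refuse PROCESS_ALL_ACCESS.
bool TrackProcess(ProcessTracker& t, DWORD pid) {
    HANDLE h = OpenProcess(SYNCHRONIZE, FALSE, pid);
    if (h == nullptr) return false;
    EnterCriticalSection(&t.lock);
    t.procs.push_back({pid, h});
    LeaveCriticalSection(&t.lock);
    SetEvent(t.listChanged);  // wake the waiter so it rebuilds its array
    return true;
}
// Waiter for the first group; start one thread per group for more than 63 processes.
DWORD WINAPI WaiterThread(LPVOID param) {
    ProcessTracker& t = *static_cast<ProcessTracker*>(param);
    for (;;) {
        EnterCriticalSection(&t.lock);
        std::vector<TrackedProcess> snapshot = t.procs;
        LeaveCriticalSection(&t.lock);
        std::vector<std::vector<TrackedProcess>> groups = PlanWaitGroups(snapshot);
        std::vector<TrackedProcess> group = groups.empty() ? std::vector<TrackedProcess>() : groups.front();
        std::vector<HANDLE> handles(1, t.listChanged);
        for (const TrackedProcess& p : group) handles.push_back(static_cast<HANDLE>(p.handle));
        DWORD r = WaitForMultipleObjects(static_cast<DWORD>(handles.size()), handles.data(), FALSE, INFINITE);
        WaitEvent ev = InterpretWaitResult(r, group.size());
        if (ev.outcome == WaitOutcome::Error) return 1;
        if (ev.outcome != WaitOutcome::ProcessExited) continue;  // list changed: rebuild the array
        TrackedProcess gone = group[ev.index];
        DWORD exitCode = 0;
        GetExitCodeProcess(static_cast<HANDLE>(gone.handle), &exitCode);
        // A crash arrives here too, usually with an NTSTATUS exit code such as 0xC0000005.
        OnProcessTerminated(gone.pid, exitCode);
        CloseHandle(static_cast<HANDLE>(gone.handle));
        EnterCriticalSection(&t.lock);
        t.procs.erase(std::remove_if(t.procs.begin(), t.procs.end(),
            [&](const TrackedProcess& p) { return p.handle == gone.handle; }), t.procs.end());
        LeaveCriticalSection(&t.lock);
    }
}
#endif
```

Matching on the handle rather than the PID when removing the entry avoids confusing a freshly created process that reused the PID with the one that just exited; the exit code from GetExitCodeProcess is what tells a clean ExitProcess apart from a crash.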

Re: [request] process termination notification

Postby iconic » Wed Nov 11, 2015 10:35 pm

WMI is the easiest and cleanest route to receive process creation and termination events from usermode. You just set up an event sink and don't have to build and/or maintain internal process lists, which can be problematic with protected processes on Vista+ etc. A small example using WMI can be seen here http://weblogs.asp.net/whaggard/438006

--Iconic
iconic
Posts: 838
Joined: Wed Jun 08, 2005 5:08 am

Re: [request] process termination notification

Postby jgh0721 » Thu Nov 12, 2015 12:14 am

I know the WMI method. But this method is not reliable, and has very high CPU usage even if WMI kernel trace was used. ;-( Besides, Windows XP Home Edition does not support the WMI kernel trace method.
jgh0721
Posts: 10
Joined: Tue Apr 22, 2014 8:06 am

Re: [request] process termination notification

Postby iconic » Thu Nov 12, 2015 12:57 am

Hi,

It's true that these event classes exist only on NT 6.0 (Vista) and above. If you need to support Windows XP, which is nearly 14 years old, and have it work on all OSs then use Madshi's idea of course.

P.S.: I was referring to __InstanceDeletionEvent, which only monitors process terminations with WMI; any other tracing is not needed. Since you care about CPU usage and performance, the best solution is to register a Process Notification Routine within a driver, and if the bCreate argument inside your callback is FALSE then this is a process termination. Of course, if you can't sign a kernel mode driver then you'll not be able to load your driver on x64 (out of the box). PsSetCreateProcessNotifyRoutine can be seen here https://msdn.microsoft.com/en-us/librar ... 85%29.aspx

--Iconic
iconic
Posts: 838
Joined: Wed Jun 08, 2005 5:08 am
