[request] process termination notification

c++ / delphi package - dll injection and api hooking
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

[request] process termination notification

Post by jgh0721 »

I use madCodeHook to get process creation / termination notifications.

But I don't know how to receive the process termination notification.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: [request] process termination notification

Post by madshi »

Have you looked at the HookProcessTermination demo?

http://madshi.net/HookProcessTermination.zip
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [request] process termination notification

Post by jgh0721 »

Yes, I already know this demo.

But this demo hooks ExitProcess, TerminateProcess, NtTerminateProcess, etc. I can't receive a process termination notification when the process crashes.

I want to receive every process termination notification, even if the process crashed.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: [request] process termination notification

Post by madshi »

In that case use process creation notification to build a list of running processes. Then you can use a separate thread to use WaitForMultipleObjects with the process handles of all the running processes. WaitForMultipleObjects will let you know as soon as one of the processes closes down, for whatever reason.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [request] process termination notification

Post by iconic »

WMI is the easiest and cleanest route to receive process creation and termination events from usermode. You just setup an event sink and don't have to build and/or maintain internal process lists, which can be problematic with protected processes on Vista+ etc. Small example using WMI can be seen here http://weblogs.asp.net/whaggard/438006

--Iconic
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [request] process termination notification

Post by jgh0721 »

I know the WMI method, but this method is not reliable and causes very high CPU usage even if the WMI kernel trace is used. ;-( Besides, Windows XP Home Edition does not support the WMI kernel trace method.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [request] process termination notification

Post by iconic »

Hi,

It's true that these event classes exist only on NT 6.0 (Vista) and above. If you need to support Windows XP, which is nearly 14 years old, and have it work on all OSs then use Madshi's idea of course.

P.S.: I was referring to __InstanceDeletionEvent, which only monitors process terminations with WMI; any other tracing is not needed. Since you care about CPU usage and performance, the best solution is to register a Process Notification Routine within a driver, and if the bCreate argument inside your callback is FALSE then this is a process termination. Of course, if you can't sign a kernel mode driver then you'll not be able to load your driver on x64 (out of the box). PsSetCreateProcessNotifyRoutine can be seen here https://msdn.microsoft.com/en-us/librar ... 85%29.aspx

--Iconic