[request] process termination notification

Posted: Tue Nov 10, 2015 5:32 am
by jgh0721
I use madCodeHook to get process creation / termination notifications.

But I don't know how to receive process termination notification.

Re: [request] process termination notification

Posted: Tue Nov 10, 2015 5:11 pm
by madshi
Have you looked at the HookProcessTermination demo?

http://madshi.net/HookProcessTermination.zip

Re: [request] process termination notification

Posted: Wed Nov 11, 2015 7:18 am
by jgh0721
Yes, I already know this demo.

But this demo hooks ExitProcess, TerminateProcess, NtTerminateProcess, etc. But I can't receive process termination notification when a process crashes.

I want to receive all process termination notifications, even if the process crashed.

Re: [request] process termination notification

Posted: Wed Nov 11, 2015 7:37 am
by madshi
In that case use process creation notification to build a list of running processes. Then you can use a separate thread to use WaitForMultipleObjects with the process handles of all the running processes. WaitForMultipleObjects will let you know as soon as one of the processes closes down, for whatever reason.
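The wait-on-process-handles approach described above, as an added example that is not code from the thread or from madCodeHook: PowerShell via .NET, whose Process.Exited event is implemented as a wait on the process handle (SYNCHRONIZE access), so crashes and external kills are reported the same way as a clean exit. The watched process names are an assumption.

```powershell
# Added example, not code from the thread or from madCodeHook. It watches
# already-running processes and reports every exit, including crashes, by
# letting .NET wait on each process handle instead of hooking ExitProcess.
# Assumption: the set of process names to watch.
$WatchNames = @('notepad', 'calc')

function global:Describe-ExitCode {
    param([int]$Code)
    # Reinterpret the signed Int32 as the unsigned DWORD the kernel stored.
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Code), 0)
    # Severity bits 11 (NTSTATUS 0xC0000000-0xFFFFFFFF) mean the process was
    # killed by an unhandled exception, e.g. 0xC0000005 = access violation,
    # rather than returning its own exit code.
    if (($u -shr 30) -eq 3) {
        return ('abnormal termination, NTSTATUS 0x{0:X8}' -f $u)
    }
    return ('exit code {0}' -f $u)
}

$subscriptions = foreach ($p in Get-Process -Name $WatchNames -ErrorAction SilentlyContinue) {
    # EnableRaisingEvents makes the runtime register a wait on the handle;
    # if the process already died, the event fires immediately.
    $p.EnableRaisingEvents = $true
    # Name is passed as MessageData because it cannot be read after exit.
    Register-ObjectEvent -InputObject $p -EventName Exited `
        -SourceIdentifier "exit-$($p.Id)" -MessageData $p.ProcessName -Action {
            $proc = $Event.Sender
            $when = Get-Date -Format o
            $what = Describe-ExitCode $proc.ExitCode
            Write-Host ('{0} PID {1} ({2}): {3}' -f $when, $proc.Id, $Event.MessageData, $what)
        }
}
if (-not $subscriptions) { Write-Warning 'No matching processes found.'; return }

# Pump events until Ctrl+C; the -Action blocks run while the session is idle.
try {
    while ($true) { Wait-Event -Timeout 5 | Remove-Event }
} finally {
    $subscriptions | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
}
```

Run it, then close one watched process normally and end another from Task Manager or let it crash; the second kind shows up with an NTSTATUS-shaped code, which is what the hooking demo cannot report.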

Re: [request] process termination notification

Posted: Wed Nov 11, 2015 10:35 pm
by iconic
WMI is the easiest and cleanest route to receive process creation and termination events from usermode. You just set up an event sink and don't have to build and/or maintain internal process lists, which can be problematic with protected processes on Vista+ etc. A small example using WMI can be seen here: http://weblogs.asp.net/whaggard/438006

--Iconic

Re: [request] process termination notification

Posted: Thu Nov 12, 2015 12:14 am
by jgh0721
I know the WMI method. But this method is not reliable, and has very high CPU usage even if WMI kernel trace was used. ;-( Besides, Windows XP Home Edition does not support the WMI kernel trace method.

Re: [request] process termination notification

Posted: Thu Nov 12, 2015 12:57 am
by iconic
Hi,

It's true that these event classes exist only on NT 6.0 (Vista) and above. If you need to support Windows XP, which is nearly 14 years old, and have it work on all OSs, then use Madshi's idea of course.

P.S.: I was referring to __InstanceDeletionEvent, which only monitors process terminations with WMI; any other tracing is not needed. Since you care about CPU usage and performance, the best solution is to register a Process Notification Routine within a driver, and if the bCreate argument inside your callback is FALSE then this is a process termination. Of course, if you can't sign a kernel mode driver then you'll not be able to load your driver on x64 (out of the box). PsSetCreateProcessNotifyRoutine can be seen here: https://msdn.microsoft.com/en-us/librar ... 85%29.aspx

--Iconic