Hook Process Creation

neji · Post by **neji** » Wed Mar 30, 2005 8:25 am

hello,

I just wanted to be notified, when a process is to be created. I tried the following :

{main}

procedure NotifyProc(name       : pchar;
                     messageBuf : pointer; messageLen : dword;
                     answerBuf  : pointer; answerLen  : dword); stdcall;
begin
  showmessage(pchar(messageBuf^));
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  CreateIpcQueueEx('EsLogin',NotifyProc);
  if InjectLibrary(ALL_SESSIONS,'EsLoginHook.dll') then showmessage('injected');
end;

procedure TForm1.FormDestroy(Sender: TObject);
begin
  UninjectLibrary(ALL_SESSIONS,'EsLoginHook.dll');
end;

{Hook dll}

Code: Select all

var
  CreateProcessANext  : function (appName, cmdLine: pchar;
                                  processAttr, threadAttr: PSecurityAttributes;
                                  inheritHandles: bool; creationFlags: dword;
                                  environment: pointer; currentDir: pchar;
                                  const startupInfo: TStartupInfo;
                                  var processInfo: TProcessInformation) : bool; stdcall;
  CreateProcessWNext  : function (appName, cmdLine: pwidechar;
                                  processAttr, threadAttr: PSecurityAttributes;
                                  inheritHandles: bool; creationFlags: dword;
                                  environment: pointer; currentDir: pwidechar;
                                  const startupInfo: TStartupInfo;
                                  var processInfo: TProcessInformation) : bool; stdcall;
  WinExecNext         : function (cmdLine: pchar; show: dword) : dword; stdcall;

function CreateProcessACallback(appName, cmdLine: pchar;
                                processAttr, threadAttr: PSecurityAttributes;
                                inheritHandles: bool; creationFlags: dword;
                                environment: pointer; currentDir: pchar;
                                const startupInfo: TStartupInfo;
                                var processInfo: TProcessInformation) : bool; stdcall;
begin
  SendIpcMessage('EsLogin', cmdLine, Length(cmdLine));
  result := CreateProcessANext(appName, cmdLine, processAttr, threadAttr,
                               inheritHandles, creationFlags,
                               environment, currentDir,
                               startupInfo, processInfo);
  RenewHook(@CreateProcessANext);
end;

function CreateProcessWCallback(appName, cmdLine: pwidechar;
                                processAttr, threadAttr: PSecurityAttributes;
                                inheritHandles: bool; creationFlags: dword;
                                environment: pointer; currentDir: pwidechar;
                                const startupInfo: TStartupInfo;
                                var processInfo: TProcessInformation) : bool; stdcall;
begin
    SendIpcMessage('EsLogin', cmdLine, Length(cmdLine));
    result := CreateProcessWNext(appName, cmdLine, processAttr, threadAttr,
                                 inheritHandles, creationFlags,
                                 environment, currentDir,
                                 startupInfo, processInfo);
    RenewHook(@CreateProcessWNext);

end;

function WinExecCallback(cmdLine: pchar; show: dword) : dword; stdcall;
begin
  SendIpcMessage('EsLogin', cmdLine, Length(cmdLine));
  result := WinExecNext(cmdLine, show);
  RenewHook(@WinExecNext);
end;

// ***************************************************************

begin
  HookAPI('kernel32.dll', 'CreateProcessA', @CreateProcessACallback, @CreateProcessANext);
  HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);
  HookAPI('kernel32.dll', 'WinExec',        @WinExecCallback,        @WinExecNext       );
end.

When i start a process the ShowMessage fires but i don't see the commandline. Just a few cryptic glyphs.
What do i do wrong?

Post by **madshi** » Wed Mar 30, 2005 12:50 pm

When hooking CreateProcessEx the data consists of wide chars. You're showing ansi chars instead. Also I'm not sure whether using "Length" on pchar and PWideChar is a good idea. You should use StrLen for pchar. There's no such function for PWideChar, so you should better count the chars yourself. Finally you should transport the terminating #0 with the string data. Otherwise the application doesn't know where the string ends.

Btw, you can have it much easier. Your hook dll is already loaded into every newly created process by madCodeHook. Why don't you simply transport the name of the current process to your app in the initialization of your dll? You don't even need to hook a single API.

Code: Select all

library EsLoginHook;

uses Windows, madCodeHook;

var arrCh : array [0..MAX_PATH] of char;
begin
  GetModuleFileName(0, arrCh, MAX_PATH);
  SendIpcMessage('EsLogin', @arrCh, StrLen(arrCh) + 1);
end.

However, if you just want to be notified about new processes there are other possibilities. If that is your only need, then using madCodeHook is possible, but a bit brute force, if you ask me.

neji · Post by **neji** » Wed Mar 30, 2005 1:08 pm

which other possibilities are this?

Post by **madshi** » Wed Mar 30, 2005 1:27 pm

One possibility is this:

http://www.codeproject.com/threads/proc ... ect=870932

Another one is WMI. Not used it myself, but I've heard that you can ask WMI to notify you about new processes.

neji · Post by **neji** » Wed Mar 30, 2005 2:07 pm

ok thanx for that. One Question left

How do i have to cast the messagebuf pointer....or better : how can i show the cmdline in a messagebox? Im always getting AV's

Post by **madshi** » Wed Mar 30, 2005 2:36 pm

How does the crashing code look like?

neji · Post by **neji** » Wed Mar 30, 2005 3:23 pm

Code: Select all

procedure NotifyProc(name       : pchar;
                     messageBuf : pointer; messageLen : dword;
                     answerBuf  : pointer; answerLen  : dword); stdcall;
begin
  showmessage(pchar(messageBuf^));
end;

i also tried string(messageBuf^) but it gets the same error

btw : I am not injecting this dll in systemprocesses only in CURRENT_USER

Post by **madshi** » Wed Mar 30, 2005 6:02 pm

Did you change what I told you? Namely adding the #0 char and using StrLen instead of Length etc? Did you correctly change the CreateProcessW hook code?

neji · Post by **neji** » Wed Mar 30, 2005 6:20 pm

ah im a stupid fool

i've done the "short" version you posted above

Now it works as it should.

Thank you