Why?
Runner wrote: I will look at the possibility that Madshi mentioned but I must say I see little chance of succeeding here.
Problem with NTCreateProcess again
I see problems because my hook monitors which processes may start and which may not. uall's method is ok (thanks uall) but I must prevent the process from running, so I can't get the process ID because the process isn't created yet, if I understand it right.
SectionHandle might solve it, but it is again an optional parameter, at least as I read it from the prototype. So it can be empty. I need a method that works all the time. Or am I wrong here and SectionHandle is the right answer?
Now this is getting really interesting. I tried getting the ProcessHandle after I call NtCreateProcessExNextHook and the handle is as expected there. Then I tried to set the result to access denied status with Result := 3221225506 and it works. The process is created, but no threads are created yet. When I set the NTSTATUS as said the process is terminated. In my case that is perfectly ok if there are no leaks left behind. I don't mind the process existing for a brief period of time. But interesting is that the function from madshi ProcessHandleToId returns zero, but the process is there when I enumerate all processes in my callback. Any idea why? The code is below (just experimental).
How to get the image name from SectionHandle I haven't got the slightest idea. How do you do that?
Code:
function NtCreateProcessExCallbackProc(ProcessHandle: Cardinal;
  DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES;
  InheritFromProcessHandle: DWORD;
  InheritHandles: DWORD;
  SectionHandle: DWORD;
  DebugPort: DWORD;
  ExceptionPort: DWORD;
  dwSaferFlags: DWORD): NTSTATUS; stdcall;
var
  ProcessList: TProcessList;
  i: Integer;
begin
  // Call the real NtCreateProcessEx first, so the process object exists
  // (with no threads yet) by the time we inspect it.
  Result := NtCreateProcessExNextHook(ProcessHandle, DesiredAccess, ObjectAttributes,
    InheritFromProcessHandle, InheritHandles, SectionHandle, DebugPort,
    ExceptionPort, dwSaferFlags);
  ProcessList := GetProcessList;
  MessageBox(0, PChar(IntToStr(ProcessHandle)), 'Hooked', MB_OK);
  // Look the new process up in the snapshot by the ID derived from its handle.
  // ProcessHandle is declared by value here, not 'var'; a later post in this
  // thread identifies the missing 'var' as the reason ProcessHandleToId
  // returned 0 in this experiment.
  for i := 0 to Length(ProcessList) - 1 do
    if ProcessList[i].pid = ProcessHandleToId(ProcessHandle) then
      MessageBox(0, PChar(ProcessList[i].name), 'Hooked', MB_OK);
  // Report STATUS_ACCESS_DENIED ($C0000022 = 3221225506) to the caller.
  Result := 3221225506;
end;
Because I cannot make it work. It reports an error trying to load the driver that comes with the exe. Maybe it is an issue with Service Pack 2. Is there some other Process Monitor out there?
And even if I get the connection, I still don't know how I will get the image name from SectionHandle. Which APIs do I have to use?
Oh BTW, I get the Process Handle. The variable ProcessHandle is not zero, but your function returns zero ID for the given ProcessHandle.
Ok, stupid me. It was the var that was missing of course. Now it works without problem. Ok, this seems to be a good enough solution for me. But I am still listening on how I can get the image name from SectionHandle (sorry but PMON is not working on my machine).
And do you think my solution can cause any leaks? I think not, but I want to be sure.
Yes, Handles and Process Explorer (which is the visual Handles) work fine. But I can't find SectionHandle in there or any relation to the image file path.
I must say I cannot see how to obtain the file path from SectionHandle. I am no expert on kernel mode programming. Maybe you have some useful information. I only read that the section handle points to the image section. But I can't see how to get the path out of it.
The other way is this. It works and there should be no leaks because I call TerminateProcess before returning the access denied status.
Code:
function NtCreateProcessExCallbackProc(var ProcessHandle: Cardinal;
  DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES;
  InheritFromProcessHandle: DWORD;
  InheritHandles: DWORD;
  SectionHandle: DWORD;
  DebugPort: DWORD;
  ExceptionPort: DWORD;
  dwSaferFlags: DWORD): NTSTATUS; stdcall;
var
  PFile: string;
  Len: DWORD;
begin
  // Let the real NtCreateProcessEx run; on success ProcessHandle (now a
  // 'var' parameter) holds the handle of the new, still thread-less process.
  Result := NtCreateProcessExNextHook(ProcessHandle, DesiredAccess, ObjectAttributes,
    InheritFromProcessHandle, InheritHandles, SectionHandle, DebugPort,
    ExceptionPort, dwSaferFlags);
  MessageBox(0, PChar(IntToStr(SectionHandle)), 'Hooked', MB_OK);
  MessageBox(0, PChar(IntToStr(ProcessHandleToId(ProcessHandle))), 'Hooked', MB_OK);
  // GetModuleFileNameEx needs a writable buffer: PChar of an empty string
  // points at a read-only terminator, so it had nowhere to write. Even with a
  // buffer it can still return 0 here, because the new process has no thread
  // yet and the loader's module list in its PEB is not initialised.
  SetLength(PFile, MAX_PATH);
  Len := GetModuleFileNameEx(ProcessHandle, 0, PChar(PFile), MAX_PATH);
  SetLength(PFile, Len);
  MessageBox(0, PChar(PFile), 'Hooked', MB_OK);
  // Deny: kill the process that was already created, close our handle to it
  // so the caller is not left with a dangling handle, and report
  // STATUS_ACCESS_DENIED ($C0000022 = 3221225506).
  TerminateProcess(ProcessHandle, 0);
  CloseHandle(ProcessHandle);
  ProcessHandle := 0;
  Result := 3221225506;
end;
But strangely I cannot get the whole path because GetModuleFileNameEx returns only an empty string. Don't know why.
PMON is not working either on my computer at work or at home. Both have Service Pack 2 installed. Maybe that is the problem. The error reported is the same which I posted a few posts back.
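The thread keeps coming back to the same question: how to learn which image a process created by NtCreateProcessEx belongs to, at a point where it has no threads and GetModuleFileNameEx sees nothing. The unit below is an added example written for this page; it is not madshi's madCodeHook code and not the thread author's. It shows two routes that do not depend on the new process's loader list: GetMappedFileName over a read-only view of the image section (assumes the section handle carries map-read access, which sections created for CreateProcess normally do), and GetProcessImageFileName on the new process handle (psapi.dll on Windows XP and later, bound dynamically because older Delphi PsAPI units do not declare it; assumed to work before the first thread exists, since the process object records its image file at creation). Both return a device-form path such as \Device\HarddiskVolume1\..., so a QueryDosDevice-based conversion to a drive-letter path and a simple allow-list check (AllowedDir is an assumed policy value) are included.

```delphi
unit NewProcessImagePath;

{ Added example: resolve the image path of a freshly created, thread-less
  process from its section handle or its process handle, then apply an
  allow-list policy. Not madshi's code and not the thread author's. }

interface

uses
  Windows, SysUtils, PsAPI;

function ImagePathFromSection(SectionHandle: THandle): string;
function ImagePathFromProcess(ProcessHandle: THandle): string;
function DevicePathToDosPath(const DevicePath: string): string;
function IsImageAllowed(const ImagePath, AllowedDir: string): Boolean;

implementation

type
  // Signature of psapi!GetProcessImageFileNameA (XP and later).
  TGetProcessImageFileNameA = function(hProcess: THandle;
    lpImageFileName: PAnsiChar; nSize: DWORD): DWORD; stdcall;

function ImagePathFromSection(SectionHandle: THandle): string;
var
  View: Pointer;
  Buf: array[0..MAX_PATH] of AnsiChar;
  Len: DWORD;
begin
  Result := '';
  // Assumption: the handle has SECTION_MAP_READ; map a view into our own
  // process (the hook runs inside the process that called CreateProcess).
  View := MapViewOfFile(SectionHandle, FILE_MAP_READ, 0, 0, 0);
  if View = nil then
    Exit;
  try
    // GetMappedFileName reports the file backing a mapped view; for an image
    // section that is the executable itself, in \Device\... form.
    Len := GetMappedFileNameA(GetCurrentProcess, View, Buf, SizeOf(Buf) - 1);
    if Len > 0 then
    begin
      Buf[Len] := #0;
      Result := string(PAnsiChar(@Buf[0]));
    end;
  finally
    UnmapViewOfFile(View);
  end;
end;

function ImagePathFromProcess(ProcessHandle: THandle): string;
var
  PsApiLib: HMODULE;
  GetImageFileName: TGetProcessImageFileNameA;
  Buf: array[0..MAX_PATH] of AnsiChar;
  Len: DWORD;
begin
  Result := '';
  PsApiLib := LoadLibrary('psapi.dll');
  if PsApiLib = 0 then
    Exit;
  try
    @GetImageFileName := GetProcAddress(PsApiLib, 'GetProcessImageFileNameA');
    if not Assigned(GetImageFileName) then
      Exit;
    // Reads the image name recorded on the process object, so it works even
    // though the loader list GetModuleFileNameEx walks is still empty.
    Len := GetImageFileName(ProcessHandle, Buf, SizeOf(Buf) - 1);
    if Len > 0 then
    begin
      Buf[Len] := #0;
      Result := string(PAnsiChar(@Buf[0]));
    end;
  finally
    FreeLibrary(PsApiLib);
  end;
end;

function DevicePathToDosPath(const DevicePath: string): string;
var
  Letter: Char;
  Drive: string;
  Target: array[0..MAX_PATH] of Char;
  TargetLen: Integer;
begin
  Result := DevicePath;
  for Letter := 'A' to 'Z' do
  begin
    Drive := Letter + ':';
    // QueryDosDevice maps a drive letter to its NT device name,
    // e.g. C: -> \Device\HarddiskVolume1 (first string of the result).
    if QueryDosDevice(PChar(Drive), Target, SizeOf(Target) div SizeOf(Char)) = 0 then
      Continue;
    TargetLen := StrLen(Target);
    if (TargetLen > 0) and (TargetLen < Length(DevicePath)) and
       (DevicePath[TargetLen + 1] = '\') and
       (StrLIComp(PChar(DevicePath), Target, TargetLen) = 0) then
    begin
      Result := Drive + Copy(DevicePath, TargetLen + 1, MaxInt);
      Exit;
    end;
  end;
end;

// Assumed policy: allow only images located under AllowedDir
// (a DOS path with trailing backslash, e.g. 'C:\Program Files\Trusted\').
function IsImageAllowed(const ImagePath, AllowedDir: string): Boolean;
begin
  Result := (ImagePath <> '') and (AllowedDir <> '') and
    (StrLIComp(PChar(ImagePath), PChar(AllowedDir), Length(AllowedDir)) = 0);
end;

end.
```

In the callback, after NtCreateProcessExNextHook returns success, call ImagePathFromProcess(ProcessHandle), fall back to ImagePathFromSection(SectionHandle) if that yields nothing, convert with DevicePathToDosPath and check IsImageAllowed; on a denied image do what the second block above already does (TerminateProcess, CloseHandle, set ProcessHandle to 0, return STATUS_ACCESS_DENIED). Resolving the path through the process or section object rather than the loader list is what makes the decision possible before any thread runs.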