Problem with demo "HookProcessTermination" / Vista

c++ / delphi package - dll injection and api hooking
softtouch
Posts: 111
Joined: Sat Jun 20, 2009 10:08 am


Post by softtouch »

When I run the demo (with admin rights) and AFTER that run any process, I immediately get the message asking me whether it is allowed to terminate the process. Even before the program runs.
When I click YES, nothing happens, just an endless hourglass.

When I do not try to run a new process and just try to terminate an already running process, all works fine.

EDIT: This issue appears only when the process I want to run opens with admin rights / is elevated.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

The problem is caused by the call to "GetModuleFileName" in the hook dll. For whatever reason this causes problems. I've replaced that by "ProcessIdToFileName" now and that fixes the problem.
softtouch
Posts: 111
Joined: Sat Jun 20, 2009 10:08 am

Post by softtouch »

madshi wrote:The problem is caused by the call to "GetModuleFileName" in the hook dll. For whatever reason this causes problems. I've replaced that by "ProcessIdToFileName" now and that fixes the problem.
I just removed all the GetModuleFileName etc., so the callback in the demo is JUST a message box, nothing else.
And when starting any program which runs with elevated rights, or using "Run as administrator" in the context menu, before even the UAC prompt pops up, the callback is triggered and it asks me if I want to terminate the process... there is definitely something wrong.
Last edited by softtouch on Fri Jul 24, 2009 8:09 am, edited 1 time in total.
softtouch
Posts: 111
Joined: Sat Jun 20, 2009 10:08 am

Post by softtouch »

Try this DLL code and inject it. When running ANY program after that which needs elevation, the terminate callback is called before even the UAC popup...


library HookProcessCreation;

{$IMAGEBASE $57800000}

uses
  Windows, madCodeHook, madStrings;

var
  // pointer to the original NtTerminateProcess, filled in by HookAPI
  NtTerminateProcessNext : function (processHandle, exitCode: dword) : dword; stdcall;

// runs in every injected process whenever it calls ntdll!NtTerminateProcess:
// shows the target handle and this process's own pseudo handle, then calls the original
function NtTerminateProcessCallback(processHandle, exitCode: dword) : dword; stdcall;
var
  s : string;
begin
  s := madStrings.IntToStrEx(processHandle);
  s := s + '-' + madStrings.IntToStrEx(GetCurrentProcess);
  MessageBox(0, PChar(s), '', MB_OK);

  result := NtTerminateProcessNext(processHandle, exitCode);
end;

begin
  HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext);
end.

mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

Post by mikec »

I haven’t really followed this thread fully - I'm just skimming.

How do you know for certain - that the message box is being displayed from the program that you have tried to launch?

For example, say you try to launch Notepad.exe. It may be the case that Vista runs a whole host of other stuff before it actually executes notepad.exe, e.g. rundll32.exe is often run for some strange reason. The message box may be being displayed as a result of some other process trying to legitimately terminate.

Secondly, although this is probably nothing to do with it, it's not a good idea to try UI stuff from within a hook unless you know it's a UI application. I guess if you're injecting system-wide, you won't know this, and it's liable to cause problems.

Finally, I've hooked NtTerminateProcess on XP, Vista and Windows 7 and haven’t had any issues. My prototype also looks slightly different from yours.

Mike C
softtouch
Posts: 111
Joined: Sat Jun 20, 2009 10:08 am

Post by softtouch »

mikec wrote:I haven’t really followed this thread fully - I'm just skimming.

How do you know for certain - that the message box is being displayed from the program that you have tried to launch?

For example, say you try to launch Notepad.exe. It may be the case that Vista runs a whole host of other stuff before it actually executes notepad.exe, e.g. rundll32.exe is often run for some strange reason. The message box may be being displayed as a result of some other process trying to legitimately terminate.

Secondly, although this is probably nothing to do with it, it's not a good idea to try UI stuff from within a hook unless you know it's a UI application. I guess if you're injecting system-wide, you won't know this, and it's liable to cause problems.

Finally, I've hooked NtTerminateProcess on XP, Vista and Windows 7 and haven’t had any issues. My prototype also looks slightly different from yours.

Mike C
I know because there is no problem with any program which does not need elevation.

I use the TerminateProcess demo, for example, untouched, original.
I run a program normally, nothing happens, I then try to terminate it, and I get the popup asking me to terminate it. Which is perfectly fine.
Now I run the same program, this time elevated. The popup appears and asks me if I want to terminate the process before even the UAC asks me to run the program...???
Because of this, I thought something with the demo program is not OK, so I wrote just the minimum code (the DLL I posted here), and it does exactly the same. The message box pops up when I want to RUN a program which needs elevation, and this happens BEFORE the UAC asks me to run it...

The goal for me is to prevent my own process from being terminated by other processes via TerminateProcess or via injecting into my exe.

Just try it: run the TerminateProcess demo, and run a program after that elevated.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Elevation is weird, it starts the process un-elevated first and then terminates it again and restarts it elevated. So it's correct that you get a callback when you start an elevated process.
softtouch
Posts: 111
Joined: Sat Jun 20, 2009 10:08 am

Post by softtouch »

madshi wrote:Elevation is weird, it starts the process un-elevated first and then terminates it again and restarts it elevated. So it's correct that you get a callback when you start an elevated process.
That's what I thought is the cause, but was not sure...
And there is no way around this? I guess not...
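The thread ends with softtouch's goal (stop other processes from killing his exe) and madshi's explanation that the elevation path starts an un-elevated process and terminates it again before the UAC prompt. The hook DLL below is an added example, not madCodeHook's demo code and not something posted in the thread. It shows one way to hook NtTerminateProcess so that a process terminating itself (which is what that un-elevated stub does, and what ExitProcess does in every process) is always passed through, and only another process's attempt to terminate one named executable is refused. It assumes madCodeHook's ProcessIdToFileName, the helper madshi mentions above, has the signature (pid: dword; var fileName: string): bool (check the declaration in your madCodeHook.pas); the protected image name myprotectedapp.exe and the helper names are made up for the example.

```delphi
library HookProcessTerminationFiltered;

// Added example (not madCodeHook's demo and not code posted in this thread).
// Hooks ntdll!NtTerminateProcess in every injected process. Any process may
// still terminate itself, which includes the un-elevated stub that Vista
// starts and kills again before the UAC prompt; only another process trying
// to terminate the protected executable is refused.

{$IMAGEBASE $57800000}

uses
  Windows, madCodeHook;

const
  STATUS_ACCESS_DENIED              = $C0000022;  // NTSTATUS, from ntstatus.h
  PROCESS_QUERY_LIMITED_INFORMATION = $1000;      // access right, Vista and later
  PROTECTED_EXE                     = 'myprotectedapp.exe';  // assumption: image to protect

var
  NtTerminateProcessNext : function (processHandle: THandle; exitStatus: dword) : dword; stdcall;

// kernel32!GetProcessId (XP SP1 and later), imported under its own name so the
// example does not depend on which Delphi version's Windows.pas declares it
function GetProcessIdOf(process: THandle): dword; stdcall; external kernel32 name 'GetProcessId';

// last path component of 'C:\dir\app.exe'
function FileNameOnly(const path: string): string;
var i: integer;
begin
  Result := path;
  for i := Length(path) downto 1 do
    if path[i] = '\' then
    begin
      Result := Copy(path, i + 1, Length(path) - i);
      Break;
    end;
end;

// resolve the handle passed to NtTerminateProcess to a process id; a handle opened with
// only PROCESS_TERMINATE has no query right, so retry through a duplicate that asks for one
function HandleToPid(processHandle: THandle): dword;
var dup: THandle;
begin
  Result := GetProcessIdOf(processHandle);
  if (Result = 0) and
     DuplicateHandle(GetCurrentProcess, processHandle, GetCurrentProcess, @dup,
                     PROCESS_QUERY_LIMITED_INFORMATION, False, 0) then
  begin
    Result := GetProcessIdOf(dup);
    CloseHandle(dup);
  end;
end;

function IsProtectedProcess(pid: dword): boolean;
var fileName: string;
begin
  // assumption: madCodeHook's ProcessIdToFileName(pid; var fileName: string): bool,
  // the helper madshi mentions above; check the declaration in your madCodeHook.pas
  Result := ProcessIdToFileName(pid, fileName) and
            (lstrcmpi(PChar(FileNameOnly(fileName)), PROTECTED_EXE) = 0);
end;

function NtTerminateProcessCallback(processHandle: THandle; exitStatus: dword): dword; stdcall;
var targetPid: dword;
begin
  // handle 0 (ExitProcess ending the caller's other threads) and the pseudo handle
  // returned by GetCurrentProcess always mean "terminate myself": pass through
  if (processHandle = 0) or (processHandle = GetCurrentProcess) then
  begin
    Result := NtTerminateProcessNext(processHandle, exitStatus);
    Exit;
  end;

  targetPid := HandleToPid(processHandle);
  // unresolvable handle (fail open), a real handle to ourselves, or some unrelated process
  if (targetPid = 0) or (targetPid = GetCurrentProcessId) or (not IsProtectedProcess(targetPid)) then
    Result := NtTerminateProcessNext(processHandle, exitStatus)
  else
  begin
    // another process is trying to kill the protected one: refuse. No MessageBox here,
    // the hook runs inside arbitrary processes, many of which have no UI
    OutputDebugString('NtTerminateProcess against protected process refused');
    Result := STATUS_ACCESS_DENIED;
  end;
end;

begin
  HookAPI('ntdll.dll', 'NtTerminateProcess', @NtTerminateProcessCallback, @NtTerminateProcessNext);
end.
```

A caller that goes through TerminateProcess sees the refused call as a failure with ERROR_ACCESS_DENIED. Resolving the handle to a PID is the step that can fail, hence the DuplicateHandle retry; when even that fails the example lets the call through rather than blocking an unknown target, which is the safer choice for code that runs in every process on the machine. None of this is a security boundary: a user-mode hook can be removed, bypassed with a direct syscall, or simply be absent from a process that was never injected, and a process can still be ended through other paths such as terminating its threads or a system shutdown.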