Hook process creation on Vista
Silver Black
Joined: 17 Feb 2006
Posts: 29
Location: Italy
Posted: Tue Jun 24, 2008 2:52 pm    Post subject: Re: miscommunication

torstenv wrote:
Yes, please, I'd love to.

Here it is.
Screenshots here (Italian blog).

mikec wrote:
AFAIK CreateProcess/CreateProcessEx is not enough. There are other CreateProcessXXX (CreateProcessAsUser I think) APIs which do not descend down to CreateProcess/Ex, therefore they will be missed by your hook. Also, does your hook capture processes launched from the command prompt?

YESSS!!!

Quote:
If you have a white / black list, why do you need confirmation from the user? Surely what they can and cannot launch is determined by your listing.

Even a firewall (e.g. ZoneAlarm) has white/black lists, but the first time a program accesses the Internet it asks the user for confirmation. My software does the same: if the process is on the lists, OK, but if not it asks the user.

Quote:
You still have not explained how your injection is controlled - is it from a desktop application or a service. If it's from a desktop app, just thread the app and get it to create the confirmation GUI when it receives notification from the IPC channel.

It's a normal desktop application, for now (in future the server part will become a service). So I need to thread it... and then I need the IPC tutorial!
madshi
Site Admin
Joined: 21 Mar 2004
Posts: 5908
Posted: Thu Jul 03, 2008 8:09 pm

Hey guys,

I'm quite late to the party, but let me add my 2 cents:

Generally Vista64/PatchGuard blocks hooking in kernel land. But that's never what madCodeHook did. So Vista64/PatchGuard does not impose any restrictions on madCodeHook whatsoever. I have madCodeHook 3.0 (currently in closed beta) running perfectly fine on Vista64 including the full functionality you're used to.

Building a process creation notification/hook system based on hooking CreateProcess (and related APIs) in user land is a possible solution. Actually the very first versions of madCodeHook 2.x used this very logic. However, this logic may sometimes run into problems. E.g. what happens if there's another hooking library which has also hooked CreateProcess (etc)? What happens if that other hooking library removes your hooks? It's very common for firewalls and other security software to hook process creation APIs, so there's a lot of potential for conflicts between different hooking libraries. In my experience building a process creation notification/hooking logic on hooking process creation APIs in user land does work, but it tends to fail sometimes on some PCs with some specific 3rd party software installed. In my experience it's just not as reliable as a kernel based solution.
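Added example, not madCodeHook code and not from any post in this thread: a small C check of the kind madshi's conflict scenario calls for. Before writing its own detour, a user-land hooking library can classify the first bytes of the export and compare them with the on-disk copy, so an existing hook from a firewall or other product is logged and handled rather than silently overwritten (function and enum names are constructed; the byte samples used to exercise it are constructed too).

```c
#include <stddef.h>
#include <stdint.h>

/* Classification of the first bytes of an exported function. Anything but
 * PROLOGUE_CLEAN means another product has already detoured the export and a
 * second inline hook would clobber it. CLEAN only means "no recognised detour
 * pattern"; prologue_patched() below is the stronger test. Constructed names. */
enum prologue_kind {
    PROLOGUE_CLEAN = 0,
    PROLOGUE_JMP_REL32,    /* E9 rel32            */
    PROLOGUE_JMP_INDIRECT, /* FF 25 disp32        */
    PROLOGUE_PUSH_RET,     /* 68 imm32 ; C3       */
    PROLOGUE_MOV_RAX_JMP   /* 48 B8 imm64 ; FF E0 */
};

enum prologue_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9)
        return PROLOGUE_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25)
        return PROLOGUE_JMP_INDIRECT;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3)
        return PROLOGUE_PUSH_RET;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return PROLOGUE_MOV_RAX_JMP;
    return PROLOGUE_CLEAN;
}

/* Target of a rel32 jmp located at func_addr: next instruction + sign-extended
 * displacement. Decoded byte by byte so host endianness does not matter. */
uint64_t rel32_target(uint64_t func_addr, const uint8_t *p)
{
    uint32_t raw = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return func_addr + 5 + (uint64_t)(int64_t)(int32_t)raw;
}

/* Most robust check: compare the live prologue with the same bytes read from
 * the DLL on disk. Returns 1 if they differ (patched), 0 if identical. */
int prologue_patched(const uint8_t *in_memory, const uint8_t *on_disk, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (in_memory[i] != on_disk[i])
            return 1;
    return 0;
}
```

On a real system the on-disk bytes come from mapping the DLL file and the in-memory bytes from the loaded module; the caller decides whether to log, chain, or refuse when the two differ.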
dcsoft
Joined: 11 Dec 2004
Posts: 353
Location: San Francisco Bay Area, CA USA
Posted: Sat Jul 12, 2008 6:09 pm

Does Vista64 block hooking the NTDLL e.g. NtCreateProcess()? If allowed, I would think this would be the most reliable, since all? process creation calls go through this one?

Thanks,
David
madshi
Site Admin
Joined: 21 Mar 2004
Posts: 5908
Posted: Tue Jul 15, 2008 4:02 pm

dcsoft wrote:
Does Vista64 block hooking the NTDLL e.g. NtCreateProcess()?

It blocks every hooking attempt in kernel land and no hooking attempt in user land.

dcsoft wrote:
If allowed, I would think this would be the most reliable, since all? process creation calls go through this one?

There is also NtCreateProcessEx. But yes, hooking NtCreateProcess and NtCreateProcessEx is not a bad idea if you want to hook process creation. However, IIRC NtCreateProcess(Ex) do not really have any information about the executable file. They just create an empty process which is filled with information later, so to speak. So in your NtCreateProcess hook callback function you'll have a hard time figuring out what exe file that NtCreateProcess call is all about...
All times are GMT
Page 2 of 2