I am trying to create an application where it checks all running process against a white-list and any processes which is not in the list would get terminated.
my thought was first try to use tasklikst command and get the list in lets say each second and check it against the list.
Then i thought it would be a better idea to check even sooner, when a process is created and is not yet executed, there we check it against our list and then if not in the list terminate it.
So how can i go about it?
Which way do you suggest to tackle this issue?
I am also skeptical by which language to do it, C++ or C#?
Will it make any difference in this case at all?
Asked
Active
Viewed 247 times
1
Hossein
- 24,202
- 35
- 119
- 224
-
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684865(v=vs.85).aspx – Abhineet Nov 25 '13 at 12:23
-
You need WMI for this IIRC – David Heffernan Nov 25 '13 at 12:31
-
2There are already group policies for this. Use them. No need to reinvent the wheel. – Raymond Chen Nov 25 '13 at 14:52
3 Answers
3
The simplest way in C# would be to just use Process.GetProcesses periodically, and then kill any you want dead using Process.Kill. However, do note that the process could be in the middle of doing some work when you kill it - it will only help you against games (etc.), not against malicious software. Also, don't forget that the user could just rename the exe file to something like "notepad.exe". If that is an issue, you can check the full path to the executable instead of just the file name.
If you want a smarter way, without polling, you can create a hook on the start process call - see Monitor process start in the system. This way, you can actually prevent the process from running in the first place.
1
You can implement this in C++ or C#, this doesn't really matter. Choose the one you are most comfortable with. Here is an algorithm:
- Set up a timer or scheduled task or anything like that that will execute the code once in a while
- Enumerate processes
- For each found process check the name against the white-listed dictionary
- Attempt to kill a process
In C# you can use Process class to enumerate and kill.
Now things to understand:
- Your application may not have sufficient privileges to enumerate or kill other applications
- Your code will likely to demand Admin privileges
- Things may get complicated if running in an Active Directory set up with group policies
- Virus or other undesired applications can "inject" their code into something well-known or innocent apps (that is into one of your white-listed applications)
- You will fail to kill most of the system tasks, so just don't attempt that
- Check support for globalization, process names can get changed
- Relying solely on names is a poor practice. If you want to check authenticity, you should rely on some crypto signatures, and of course that is a pain to maintain, as the apps get updated.
Given the last paragraph, the solution you attempt to implement is pretty basic. Nothing will stop a user just to kill your application. Or rename a virus application to something standard. It looks pretty much like "security through obscurity", which has some benefits, but is really weak in terms of defense strength.
oleksii
- 35,458
- 16
- 93
- 163
1
One technique is to create a global hook DLL using SetWindowsHookEx, which will be injected into every process. This way you'll get notification for any new processes, and you can take action however you want.
Of course you need to make this DLL as lightweight as possible considering it will be loaded into every process, ever. But I still think this would be slimmer than polling constantly, or IAT patching.
tenfour
- 36,141
- 15
- 83
- 142
-
can i hook createprocess function using SetWindowsHookEx?if yes how and if no how can i hook createprocess? – Hossein Dec 31 '13 at 19:22