-3

My idea is to make a pop-up window for every new process that will be created, so I can be sure that there are only processes with my permission.

The question is how I link my function in before Windows creates the new process.

I tried some DLL injections, but it does not work.

Does anyone have a solution for this problem, or is it not even possible?

Thanks!

3DExtended
  • http://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra try this – Tony J Sep 01 '16 at 23:21
  • Possible duplicate of [How can I hook Windows functions in C/C++](http://stackoverflow.com/questions/873658) – Ken White Sep 02 '16 at 00:17

1 Answer

3

The legitimate way of doing this is to create a kernel driver that uses PsSetCreateProcessNotifyRoutineEx (supported on Vista SP1 and later) to control process creation (and termination). This routine allows you to register a callback function that is invoked when either a process is being created or is terminating. In the creation case, your callback may decide to block the process. The callback gets the following information about the new process:

1) image file name,
2) command line arguments,
3) PID,
4) PID of its parent,
5) TID:PID of the creating process and thread.

If you do not wish to develop a kernel driver, you can use an approximate solution. AFAIK WMI is able to notify you that a new process has just been created. When you get the notification, you may try to suspend the process and ask the user about it (or do anything you wish).

Martin Drab
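The user-mode approximation described in the answer (WMI notification, suspend, ask the user), as an added example that is not part of the original answer. It assumes Windows PowerShell 5.1 in an elevated console (Win32_ProcessStartTrace needs administrator rights), and it calls NtSuspendProcess/NtResumeProcess, undocumented ntdll exports, because PowerShell has no built-in way to suspend a process.

```powershell
# Added example (not from the original answer): WMI-based process gate.
# Assumes an elevated Windows PowerShell 5.1 session.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Demo -Name Ntdll -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr h);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr h);
'@

$onStart = {
    $ev = $Event.SourceEventArgs.NewEvent        # Win32_ProcessStartTrace instance
    $id = [int]$ev.ProcessID
    # The notification is asynchronous: the process has already started and may
    # even have exited. This is why the approach is only approximate.
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { Write-Host "PID $id ($($ev.ProcessName)) ended before it could be checked"; return }
    try { [void][Demo.Ntdll]::NtSuspendProcess($p.Handle) }      # needs a handle with suspend rights
    catch { Write-Host "cannot suspend PID $id ($($ev.ProcessName)): $_"; return }

    # Same facts the kernel callback would get: name, PID, parent PID, command line.
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $id").CommandLine
    $text = "Name: $($ev.ProcessName)`nPID: $id   Parent PID: $($ev.ParentProcessID)" +
            "`nCommand line: $cmd`n`nAllow this process?"
    $choice = [System.Windows.Forms.MessageBox]::Show($text, "New process", 'YesNo', 'Warning')
    if ($choice -eq 'Yes') { [void][Demo.Ntdll]::NtResumeProcess($p.Handle) }
    else                   { Stop-Process -Id $id -Force }
}

$sub = Register-WmiEvent -Query "SELECT * FROM Win32_ProcessStartTrace" `
                         -SourceIdentifier ProcessGate -Action $onStart
Write-Host "Watching process creation; press Ctrl+C to stop."
try     { while ($true) { Wait-Event -Timeout 5 | Out-Null } }   # keep the session alive so the action runs
finally { Unregister-Event -SourceIdentifier ProcessGate; $sub | Remove-Job -Force }
```

Because the decision is made after the process exists and from user mode, this is monitoring with a best-effort veto, not an enforcement boundary; protected or fast-exiting processes slip through, which is exactly the gap the kernel callback closes.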