
Is there a way (in C++ on Windows XP) to detect if one process spawns any other processes?

For example,

write.exe in system32 spawns wordpad.exe and then disappears; is there a function that tells me if the process is about to do this?

For those interested, I solved the problem using this section of MSDN:
http://msdn.microsoft.com/en-us/library/aa390425(v=VS.85).aspx

pnuts
Tom
  • The answer will be Windows-specific and somewhat irrelevant to C++ in particular since C++ itself knows nothing of such concepts. But I'm curious about the answer. – John Dibling Oct 14 '10 at 15:39
  • @John Dibling: Do you mean OS-specific? I'm fairly sure you can determine 'parent process' under Linux. – sje397 Oct 14 '10 at 15:41
  • I know that you can detect parents of a process, but that's not my question. I would like to know if it's possible to detect when a process spawns another one. – Tom Oct 14 '10 at 15:45
  • Even Windows specific is a bit broad because it will require drivers so it will vary between Windows 'flavors'. For a rather old example of how it can be done on XP (and should work on older NTs) see here: http://www.codeproject.com/KB/system/soviet_protector.aspx – Eugen Constantin Dinca Oct 14 '10 at 15:55
  • AFAIK no direct API for that, but you can always watch the processes (polling). Checking for process parent is a bit undocumented and it's also unreliable. Why do you want to do this? – Cheers and hth. - Alf Oct 14 '10 at 15:55
  • @alf: updated with an example. @eugen: thanks, I will have a read of that when I get back from work. – Tom Oct 14 '10 at 16:03
  • @sje397: Tom tagged the question "windows" so I drilled down. – John Dibling Oct 14 '10 at 16:12

3 Answers

You can enumerate over the process tree, which identifies running processes and their parents. This is the inverse of what you want (you want to identify child processes, not parent processes). But of course by keeping track of parent process IDs while enumerating, you can identify which sub-processes a given process has spawned.

To do this, call CreateToolhelp32Snapshot and then use Process32First and Process32Next to enumerate the processes. The enumeration will fill in a PROCESSENTRY32 struct that contains a th32ParentProcessID member.

This is a polling method; there may be another way of actually hooking the CreateProcess function, but I don’t have any information about that.

Nate
  • Hi, yes, I have that functionality already in the program, but your method would mean iterating over the process tree even when there might not have been child processes spawned. I would rather it was an event-based solution, i.e. something is emitted when one process calls CreateProcess (or similar functions). – Tom Oct 14 '10 at 16:00
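The enumeration the answer describes, turned into a polling detector, as an added example that is not code from the question, from Nate's answer or from MSDN. The tree and diff logic is portable and works on constructed snapshots; `TakeSnapshot()` is the Windows-only part and uses the calls named above (`CreateToolhelp32Snapshot`, `Process32FirstW`, `Process32NextW`, `th32ParentProcessID`). Names such as `ProcInfo`, `Descendants` and `NewChildren` are this example's own. Build on Windows with any C++11 compiler; no extra libraries are needed.

```cpp
// Added example: polling child-process detection with the Toolhelp snapshot API.
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// The three PROCESSENTRY32 fields the detector needs.
struct ProcInfo {
    std::uint32_t pid;
    std::uint32_t ppid;
    std::wstring  name;
};
typedef std::vector<ProcInfo> Snapshot;

ProcInfo MakeProc(std::uint32_t pid, std::uint32_t ppid, const wchar_t* name) {
    ProcInfo p; p.pid = pid; p.ppid = ppid; p.name = name; return p;
}

// Toolhelp reports no creation time, so (pid, ppid, image) is the best identity
// available; a reused PID under the same parent with the same image is invisible.
std::wstring Key(const ProcInfo& p) {
    return std::to_wstring(p.pid) + L"/" + std::to_wstring(p.ppid) + L"/" + p.name;
}

// Every process in `snap` descended from `root`: direct children plus their
// children, found by walking th32ParentProcessID links. `seen` stops the walk if
// PID reuse has produced a cycle in the parent links.
std::vector<ProcInfo> Descendants(const Snapshot& snap, std::uint32_t root) {
    typedef std::multimap<std::uint32_t, const ProcInfo*> ByParent;
    ByParent byParent;
    for (size_t i = 0; i < snap.size(); ++i)
        byParent.insert(std::make_pair(snap[i].ppid, &snap[i]));
    std::vector<ProcInfo> out;
    std::vector<std::uint32_t> work(1, root);
    std::set<std::uint32_t> seen;
    while (!work.empty()) {
        std::uint32_t parent = work.back();
        work.pop_back();
        if (!seen.insert(parent).second) continue;
        std::pair<ByParent::iterator, ByParent::iterator> range = byParent.equal_range(parent);
        for (ByParent::iterator it = range.first; it != range.second; ++it) {
            if (it->second->pid == root) continue;  // parent link looping back to the root
            out.push_back(*it->second);
            work.push_back(it->second->pid);
        }
    }
    return out;
}

// Descendants of `root` in `after` that were absent from `before`: what `root`
// (or something under it) spawned between two polls. A child that starts and
// exits between polls is missed, which is the inherent weakness of polling.
std::vector<ProcInfo> NewChildren(const Snapshot& before, const Snapshot& after, std::uint32_t root) {
    std::set<std::wstring> known;
    for (size_t i = 0; i < before.size(); ++i) known.insert(Key(before[i]));
    std::vector<ProcInfo> spawned;
    std::vector<ProcInfo> now = Descendants(after, root);
    for (size_t i = 0; i < now.size(); ++i)
        if (!known.count(Key(now[i]))) spawned.push_back(now[i]);
    return spawned;
}

// Constructed sample data (not real snapshots): before and after write.exe
// (pid 2000) has launched wordpad.exe, which in turn started a child of its own.
Snapshot Sample(bool afterSpawn) {
    Snapshot s;
    s.push_back(MakeProc(4, 0, L"System"));
    s.push_back(MakeProc(1000, 4, L"explorer.exe"));
    s.push_back(MakeProc(2000, 1000, L"write.exe"));
    if (afterSpawn) {
        s.push_back(MakeProc(2100, 2000, L"wordpad.exe"));
        s.push_back(MakeProc(2200, 2100, L"child.exe"));
    }
    return s;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <cstdio>
#include <cstdlib>

// Read the live process list: CreateToolhelp32Snapshot, then Process32FirstW /
// Process32NextW fill a PROCESSENTRY32W whose th32ParentProcessID we keep.
bool TakeSnapshot(Snapshot& out) {
    HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (h == INVALID_HANDLE_VALUE) return false;
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);  // required, the first call fails without it
    out.clear();
    for (BOOL ok = Process32FirstW(h, &pe); ok; ok = Process32NextW(h, &pe))
        out.push_back(MakeProc(pe.th32ProcessID, pe.th32ParentProcessID, pe.szExeFile));
    CloseHandle(h);
    return true;
}

// Usage: childwatch.exe <pid>  -- reports new descendants of <pid> until it exits.
int main(int argc, char** argv) {
    if (argc < 2) { std::fprintf(stderr, "usage: childwatch <pid>\n"); return 2; }
    std::uint32_t root = static_cast<std::uint32_t>(std::strtoul(argv[1], NULL, 10));
    Snapshot before, after;
    if (!TakeSnapshot(before)) return 1;
    for (;;) {
        Sleep(250);  // poll interval: shorter catches more short-lived children, costs more CPU
        if (!TakeSnapshot(after)) return 1;
        std::vector<ProcInfo> spawned = NewChildren(before, after, root);
        for (size_t i = 0; i < spawned.size(); ++i)
            std::wprintf(L"pid %u spawned %s (pid %u)\n", spawned[i].ppid, spawned[i].name.c_str(), spawned[i].pid);
        bool alive = false;
        for (size_t i = 0; i < after.size(); ++i) alive = alive || after[i].pid == root;
        if (!alive) return 0;
        before.swap(after);
    }
}
#endif
```

Diffing consecutive snapshots keyed on (pid, ppid, image) is what makes this usable as a detector rather than a one-off listing, and walking the parent links means a grandchild (wordpad.exe launching something itself) is still attributed to the watched process. The cost is exactly what the comment above objects to: every poll enumerates the whole table, and anything that lives for less than one interval is never seen.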

Nothing in the Win32 API for this. However, it is supported through WMI with the Win32_ProcessStartTrace query. You'll find some C# code that demonstrates the query in my answer in this thread. Writing WMI code in C++ is fairly painful; you'll find a link to boilerplate code you have to write in the MSDN Library article.

Do beware that this isn't particularly fast. It isn't clear to me how much help the WMI provider gets from the kernel to generate the notification but given the speed it quacks like polling. In other words, the process is likely to be well on its way by the time you get the notification. This is otherwise par for the course on a multitasking operating system.

Hans Passant
  • thanks, found this section of msdn that answered my question :) http://msdn.microsoft.com/en-us/library/aa390425(v=VS.85).aspx – Tom Oct 15 '10 at 08:56
  • @Tom, I tried the sample, it does do the event notification but it's through a COM interface. Do you have example how you got it to work? – Robin Jul 07 '17 at 08:55
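A C++ subscriber for the Win32_ProcessStartTrace event the answer names, as an added example: it is not code from the answer, from the OP, or from the MSDN article linked above, although the COM sequence (locator, `ConnectServer`, `CoSetProxyBlanket`, an `IWbemObjectSink`, `ExecNotificationQueryAsync`) is the standard one that article documents. The query builder and its quoting are portable; the rest is Windows-only. Assumptions: WQL escapes a quote or backslash inside a string literal with a backslash, and the process name filter is a design choice of this example, not something the answer requires. Names like `StartTraceSink` and `BuildStartTraceQuery` are this example's own. Build with MSVC (the pragma pulls in wbemuuid.lib); MinGW needs `-lwbemuuid -lole32 -loleaut32`.

```cpp
// Added example: event-driven process-start notification via WMI from C++.
#include <cstring>
#include <string>

// WQL string literals escape ' and \ with a backslash (assumed from the WQL docs).
// Quoting the value keeps a name taken from configuration from altering the WHERE clause.
std::wstring WqlQuote(const std::wstring& s) {
    std::wstring out = L"'";
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == L'\\' || s[i] == L'\'') out += L'\\';
        out += s[i];
    }
    return out + L"'";
}

// Empty name: every process start. Otherwise only starts of that image, so the
// (slow) WMI path is not delivering events the sink would discard anyway.
std::wstring BuildStartTraceQuery(const std::wstring& processName) {
    std::wstring q = L"SELECT * FROM Win32_ProcessStartTrace";
    if (!processName.empty()) q += L" WHERE ProcessName = " + WqlQuote(processName);
    return q;
}

#ifdef _WIN32
#define _WIN32_DCOM
#include <windows.h>
#include <wbemidl.h>
#include <comdef.h>
#include <cstdio>
#pragma comment(lib, "wbemuuid.lib")

// WMI calls Indicate() on one of its own threads; keep the handler short.
class StartTraceSink : public IWbemObjectSink {
    LONG refs_;
public:
    StartTraceSink() : refs_(0) {}
    ULONG STDMETHODCALLTYPE AddRef() { return InterlockedIncrement(&refs_); }
    ULONG STDMETHODCALLTYPE Release() {
        LONG n = InterlockedDecrement(&refs_);
        if (n == 0) delete this;
        return n;
    }
    HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid, void** ppv) {
        if (riid != IID_IUnknown && riid != IID_IWbemObjectSink) { *ppv = NULL; return E_NOINTERFACE; }
        *ppv = static_cast<IWbemObjectSink*>(this);
        AddRef();
        return S_OK;
    }
    // One IWbemClassObject per event; ProcessID and ParentProcessID are uint32
    // properties and arrive as VT_I4 variants.
    HRESULT STDMETHODCALLTYPE Indicate(LONG count, IWbemClassObject** objs) {
        for (LONG i = 0; i < count; ++i) {
            VARIANT name, pid, ppid;
            VariantInit(&name); VariantInit(&pid); VariantInit(&ppid);
            if (SUCCEEDED(objs[i]->Get(L"ProcessName", 0, &name, NULL, NULL)) &&
                SUCCEEDED(objs[i]->Get(L"ProcessID", 0, &pid, NULL, NULL)) &&
                SUCCEEDED(objs[i]->Get(L"ParentProcessID", 0, &ppid, NULL, NULL)))
                wprintf(L"started %s pid=%ld parent=%ld\n", name.bstrVal, pid.lVal, ppid.lVal);
            VariantClear(&name); VariantClear(&pid); VariantClear(&ppid);
        }
        return WBEM_S_NO_ERROR;
    }
    HRESULT STDMETHODCALLTYPE SetStatus(LONG, HRESULT, BSTR, IWbemClassObject*) { return WBEM_S_NO_ERROR; }
};

// Usage: starttrace.exe [image name]   e.g.  starttrace.exe wordpad.exe
int main(int argc, char** argv) {
    std::wstring filter = argc > 1 ? std::wstring(argv[1], argv[1] + std::strlen(argv[1])) : std::wstring();
    if (FAILED(CoInitializeEx(0, COINIT_MULTITHREADED))) return 1;
    CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT,
                         RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
    IWbemLocator* loc = NULL;
    IWbemServices* svc = NULL;
    if (FAILED(CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&loc)) ||
        FAILED(loc->ConnectServer(_bstr_t(L"ROOT\\CIMV2"), NULL, NULL, 0, 0, 0, 0, &svc))) {
        CoUninitialize();
        return 1;
    }
    CoSetProxyBlanket(svc, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL,
                      RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
    // The sink is handed to WMI through an unsecured apartment so the callback
    // into this process is not rejected by DCOM access checks.
    StartTraceSink* sink = new StartTraceSink();
    sink->AddRef();
    IUnsecuredApartment* apt = NULL;
    IUnknown* stubUnk = NULL;
    IWbemObjectSink* stub = NULL;
    if (FAILED(CoCreateInstance(CLSID_UnsecuredApartment, NULL, CLSCTX_LOCAL_SERVER, IID_IUnsecuredApartment, (void**)&apt)) ||
        FAILED(apt->CreateObjectStub(sink, &stubUnk)) ||
        FAILED(stubUnk->QueryInterface(IID_IWbemObjectSink, (void**)&stub))) {
        CoUninitialize();
        return 1;
    }
    std::wstring query = BuildStartTraceQuery(filter);
    HRESULT hr = svc->ExecNotificationQueryAsync(_bstr_t(L"WQL"), _bstr_t(query.c_str()),
                                                  WBEM_FLAG_SEND_STATUS, NULL, stub);
    if (SUCCEEDED(hr)) { Sleep(60 * 1000); svc->CancelAsyncCall(stub); }  // listen for one minute
    stub->Release(); stubUnk->Release(); apt->Release(); sink->Release();
    svc->Release(); loc->Release();
    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}
#endif
```

Each event carries ProcessID and ParentProcessID, so matching a child to write.exe is a comparison in the sink rather than a walk of the process table. As the answer warns, the callback arrives after the child is already running: this is a source of detection telemetry, not a gate that can stop the launch.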

I think you would need to make a global hook DLL that attaches itself to every running process. The DLL then finds the place where a function call to CreateProcess is mapped to the actual CreateProcess from kernel32, and changes the table entry to redirect the call to its own code to "detect" the call to CreateProcess. All this assuming that some user firewall will not prevent your global hook from executing.

Dialecticus