-3

I've been looking for a way to do some stuff before an application starts, i.e. stop the started application and execute it only after "the stuff" is completed.

Like an antivirus application: when you open an application which may be dangerous or has no certification, it executes a scan and only after that scan allows the application to start.

I already tried watchers and WMI (C#) but had no success, since the calling event happens before the application starts and there is no way to cancel the opening.

Is there a name for that technique, or does someone know of example code in C++, C# or even any other language?

For those who are downvoting the question, at least have the F** balls to explain why you are downvoting... It's a legitimate question! Maybe I explained it badly, but it is still a legitimate question. Oh, I forgot, in the many years of your career you already had to know everything... What would happen if you lost your internet connection for three days? Would you still be productive? Maybe you guys had the API and documentation injected by Tank from The Matrix... That's how Neo learned to fight.

Thanks

Trxplz0
  • Do you mean that every time the user opens any application you perform your action first? – EJoshuaS - Stand with Ukraine Dec 19 '16 at 20:48
  • 3
    The easiest way would be to create a wrapper application that actually gets executed. It can do the pre-launch stuff, launch the nested application and handle "stuff" after the nested application exits. – itsme86 Dec 19 '16 at 20:49
  • Yes, that is exactly what I'm looking for. – Trxplz0 Dec 19 '16 at 20:49
  • @itsme86 the started application can be anyone... wrapping doesn't solve my problem since the started application is not mine. – Trxplz0 Dec 19 '16 at 20:55
  • Perhaps IShellExecuteHook can help ... but I currently don't know much about its usage. – EmDroid Dec 19 '16 at 20:56
  • @axalis I will look into it, thanks for the help. – Trxplz0 Dec 19 '16 at 21:01
  • @EJoshuaS, yes! – Trxplz0 Dec 19 '16 at 21:02
  • So you want to get a notification that the user opened an application and then prevent that application from opening? [I hope you get a nice bonus for that feature.](https://blogs.msdn.microsoft.com/oldnewthing/20061101-03/?p=29153) – lcs Dec 19 '16 at 21:07

1 Answer

3

One option (which might be used by antiviruses, but not sure) is described here: https://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre

Basically, hooking the functions NtCreateFile(), NtOpenFile() or NtCreateSection() (the last one being mentioned as the preferred one).

However, the hook must be done from inside a kernel mode driver, which might be a "slight inconvenience" (especially under 64-bit Windows, where the drivers must be signed AFAIK).

Some options are also mentioned here: How does a Windows antivirus hook into the file access process?

EmDroid