AW: RE: application start detection

If you want to prevent the start of an app you’re in for some
coding. While hooking ZwCreateProcess is fairly straightforward
(see sysinternals regmon for system call hooking),
the problem remains that from this hook you have to find out
the name of the app that is being started. So I guess you’ll
have to notify a user mode app that searches the process list
for the handle and tells your driver whether to reject the
process creation or not.

Holger Thiele
D.A.V.I.D. GmbH
mailto:xxxxx@david-gmbh.de

-----Original Message-----
From: Ördögh László [mailto:xxxxx@digital.co.hu]
Sent: Friday, 30 November 2001 16:13
To: NT Developers Interest List
Subject: [ntdev] RE: application start detection

Thanks for your answer, Robert!

This is a very straightforward approach.
Is it possible to get some form of notification before
the OS launches the process? What if I want to prevent
the start of an application? If I use the process-list monitoring
method and decide not to let the process run, I have to
kill it. I think it could be dangerous to kill a starting
database application, for example.


Ördögh László
mailto:xxxxx@digital.co.hu

> -----Original Message-----
> From: Fernando, Robert [mailto:xxxxx@anitetelecoms.com]
> Sent: Friday, November 30, 2001 3:43 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: application start detection
>
>
> Hi Ördögh
> Have a process which monitors the process list, and detects
> when your app appears on it.
>
> Download the kill-process code which I have on my website,
> for an example of how to walk the process list on Win 95 / NT
>
> http://www.rowanclose.com/utils/killps.html
>
>Have fun and an enjoyable weekend
>
>Take care
>
>
>Robert Fernando
>Anite Telecoms Ltd
>
>
>-----Original Message-----
>From: Ördögh László [mailto:xxxxx@digital.co.hu]
>Sent: 30 November 2001 13:18
>To: NT Developers Interest List
>Subject: [ntdev] application start detection
>
>
>How can I detect the start of an application from
>another app? (Like some software metering program does.)
>
>-----------------------------------------------------------------
>Ördögh László
>mailto:xxxxx@digital.co.hu
>------------------------------------------------------------------
>
>
>—
>You are currently subscribed to ntdev as:
>xxxxx@anitetelecoms.com To unsubscribe send a blank email to
>leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com



Hooking APIs is not a good way for production programming.
It is not documented as such by Microsoft and not guaranteed
to work. While APIs do exist to let third parties do things,
nobody ever guaranteed that OS components are obligated to go
through the same APIs to do the same things.

You guys can’t find a documented way to prevent a program
from starting; maybe there is none because there is no need.
Who can explain why anybody would ever want to stop a program
at start?

— Holger Thiele wrote:
> If you want to prevent the start of an app you’re in for some
> coding. While hooking ZwCreateProcess is fairly straightforward
> (see sysinternals regmon for system call hooking),
> the problem remains that from this hook you have to find out
> the name of the app that is being started. So i guess you’ll
> have to notify a user mode app that searches the process list
> for the handle and tells your driver whether to reject the
> process creation or not.


There is a declarative way to prevent applications from starting under NT.

Whenever a user-mode process is started, NT checks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options for a subkey whose name equals the unqualified filename of
the image being launched. If such a key exists, NT acts on any parameters
that may be defined beneath it as values. In this case, the Debugger value
can be used to specify an alternate executable to run in place of the one
being launched. What I’ve done when I need to stop an application from
running is write a tiny little C console app called DIE.EXE that looks like
this:

/* DIE.EXE: do nothing and exit 0. IFEO runs it in place of the blocked image,
   passing the blocked program’s command line as its arguments. */
int main(int iArgs, char **ppszArgs) {
    (void)iArgs; (void)ppszArgs;  /* unused */
    return 0;
}

Then just define a registry key for the application you want to stop. For
example, if you never want NOTEPAD.EXE to run ever again, you would define
the following registry value (assuming DIE.EXE is in the system path
variable):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\NOTEPAD.EXE\Debugger (REG_SZ) = DIE.EXE

-----Original Message-----
From: Ntdev Reader [SMTP:xxxxx@yahoo.com]
Sent: Monday, December 03, 2001 3:19 PM
To: NT Developers Interest List
Subject: [ntdev] Re: AW: RE: application start detection

Hooking APIs is not a good way for production programming.
It is not documented as such by Microsoft and not guaranteed
to work. While APIs do exist to let third parties do things,
nobody ever guaranteed that OS components are obligated to go
through the same APIs to do the same things.

You guys can’t find a documented way to prevent a program
from starting; maybe there is none because there is no need.
Who can explain why anybody would ever want to stop a program
at start?



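
The Image File Execution Options technique from the post above, as an added example that is not part of the original thread (the editor’s script, not the poster’s): it installs the Debugger redirect for one image, can remove it again, and then audits every IFEO subkey for Debugger values. It assumes an elevated PowerShell session and a hypothetical do-nothing stub at C:\Tools\die.exe built from the DIE.EXE source above; notepad.exe and the paths are placeholders.

```powershell
# Added example, not code from the thread: install an IFEO Debugger redirect for
# one image, remove it, and audit all IFEO subkeys for Debugger values.
# Assumptions: elevated session; C:\Tools\die.exe is a hypothetical stub built
# from the DIE.EXE source above; 'notepad.exe' is just the example image.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Block-ImageLaunch {
    param(
        [Parameter(Mandatory)] [string] $ImageName,   # unqualified, e.g. notepad.exe
        [Parameter(Mandatory)] [string] $StubPath     # full path, so PATH cannot be abused
    )
    # IFEO matches on the bare file name only; a path here would never match.
    if ($ImageName -match '[\\/]') {
        throw "ImageName must be an unqualified file name: $ImageName"
    }
    if (-not (Test-Path -LiteralPath $StubPath -PathType Leaf)) {
        throw "Stub not found: $StubPath"
    }
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Quote the stub path: process creation runs "<Debugger> <original command line>",
    # so the blocked program's command line arrives as the stub's arguments.
    New-ItemProperty -LiteralPath $key -Name 'Debugger' -PropertyType String `
        -Value ('"{0}"' -f $StubPath) -Force | Out-Null
}

function Unblock-ImageLaunch {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path -LiteralPath $key) {
        Remove-ItemProperty -LiteralPath $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

function Get-IfeoDebuggerEntries {
    # Detection side: the same value is a classic hijack/persistence hook
    # (MITRE ATT&CK T1546.012), so list every redirect and whether its target exists.
    Get-ChildItem -LiteralPath $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # The debugger binary is the first token of the value and may be quoted.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $dbg
                TargetExists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            }
        }
    }
}

Block-ImageLaunch -ImageName 'notepad.exe' -StubPath 'C:\Tools\die.exe'
Get-IfeoDebuggerEntries | Format-Table -AutoSize
# Unblock-ImageLaunch -ImageName 'notepad.exe'   # to undo
```

Three caveats the post leaves out. The lookup is by bare file name, so a renamed copy of NOTEPAD.EXE runs unhindered, and writing the key needs administrator rights to HKLM. The stub receives the blocked program’s command line as its own arguments, so a DIE.EXE that logs its arguments records what was blocked. And the same value is the classic IFEO hijack (MITRE ATT&CK T1546.012): a Debugger entry you did not create, especially on an image that runs as SYSTEM before logon such as sethc.exe or utilman.exe, is a persistence finding, which is what Get-IfeoDebuggerEntries is for. Since Windows XP the supported way to block an image is Software Restriction Policies, later AppLocker.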

> You guys can’t find a documented way to prevent a program
> from starting; maybe there is none because there is no need.
> Who can explain why anybody would ever want to stop a program
> at start?

Hmm. Maybe I want to prevent users from running more concurrent instances
of a (third-party) program than the number of purchased licenses…
Or I’m just curious…


Ördögh László
mailto:xxxxx@digital.co.hu



> You guys can’t find a documented way to prevent a program
> from starting; maybe there is none because there is no need.
> Who can explain why anybody would ever want to stop a program
> at start?

Yes, there is. Suppose you want to develop some utility to prevent users
from running unauthorized/corrupt/infected software. Then, prior to
executing, all executable files would be checked against a database
containing the CRCs or MD5 hashes of all “authorized” executables on a
particular system. If the check fails, the utility will not start.

Marcos


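
An added example (the editor’s, not Marcos’s code) of the hash allowlist described in the post above, in PowerShell. It uses SHA-256 rather than CRC32 or MD5: any file can be patched to a chosen CRC32 value, and MD5 collisions have been practical for years, so neither distinguishes an authorized binary from a crafted one. The allowlist path, the directory and the file names are placeholders.

```powershell
# Added example, not code from the thread: build a SHA-256 allowlist of the
# binaries under given directories and check an arbitrary file against it.
# Assumptions: the allowlist path and the directories/files are placeholders.

$AllowlistPath = 'C:\ProgramData\exec-allowlist.json'

function New-ExecutableAllowlist {
    param(
        [Parameter(Mandatory)] [string[]] $Directory,     # trees holding authorized binaries
        [string] $OutFile = $AllowlistPath
    )
    $entries = foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -Recurse -File |
            Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    # Always write a JSON array, even for a single entry, so the reader is uniform.
    ConvertTo-Json -InputObject @($entries) | Set-Content -LiteralPath $OutFile -Encoding UTF8
    @($entries).Count
}

function Test-ExecutableAllowed {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $AllowlistFile = $AllowlistPath
    )
    # Key by hash, not by path: a renamed copy of an approved binary is still
    # approved, and a binary swapped in at an approved path is not.
    $byHash = @{}
    foreach ($e in (Get-Content -LiteralPath $AllowlistFile -Raw | ConvertFrom-Json)) {
        $byHash[$e.Sha256] = $e.Path
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $Path
        Sha256  = $hash
        Allowed = $byHash.ContainsKey($hash)
        KnownAs = $byHash[$hash]
    }
}

New-ExecutableAllowlist -Directory 'C:\Program Files\Vendor' | Out-Null
Test-ExecutableAllowed -Path 'C:\Program Files\Vendor\app.exe'
Test-ExecutableAllowed -Path "$env:TEMP\unknown.exe"
```

Where the check runs matters as much as the hash: a user-mode checker that hashes a file and only then lets it start can be raced (the file swapped between the hash and the image mapping), so the gate belongs at process creation, for example inside an IFEO Debugger stub like the one in the earlier post or in a kernel process-creation callback. Windows later built this in as Software Restriction Policies, AppLocker and Windows Defender Application Control, which also cover DLLs and scripts.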

“Ntdev Reader” wrote in message news:xxxxx@ntdev…
>
> You guys can’t find a documented way to prevent a program
> from starting; maybe there is none because there is no need.
> Who can explain why anybody would ever want to stop a program
> at start?
>

I can think of several reasons for wanting to prevent a program from
starting. License management applications are a major one (i.e. only n
instances of a given program can be active at one time). Secure
environments provide another (i.e. only certain programs can be run by
certain users, either ever or at certain times or under certain conditions).
Those are off the top of my head.

Having said all that, I agree that hooking APIs isn’t typically a very good
idea. But, there ARE those times, or at least there may be, when the risks
justify the benefits within a particular, specific, environment.

Peter
OSR



Create a tiny DLL with shared data section and maintain a refcount there.

Max

----- Original Message -----
From: “Ördögh László”
To: “NT Developers Interest List”
Sent: Tuesday, December 04, 2001 7:58 PM
Subject: [ntdev] Re: AW: RE: application start detection


> > You guys can’t find a documented way to prevent a program
> > from starting; maybe there is none because there is no need.
> > Who can explain why anybody would ever want to stop a program
> > at start?
> Hmm. Maybe I want to prevent users from running more concurrent instances
> of a (third-party) program than the number of purchased licenses…
> Or I’m just curious…

-----------------------------------------------------------------
Ördögh László
mailto:xxxxx@digital.co.hu
------------------------------------------------------------------



IIRC there was a way using the registry to inject your DLL into ALL processes in the OS.
At least all Win32 processes.
Use the DllMain of this DLL to check the EXE’s MD5 sum.

Max

----- Original Message -----
From: “Marcos Balreira de Souza”
To: “NT Developers Interest List”
Sent: Tuesday, December 04, 2001 9:12 PM
Subject: [ntdev] Re: AW: RE: application start detection

>
> >You guys can’t find a documented way to prevent a program
> >from starting; maybe there is none because there is no need.
> >Who can explain why anybody would ever want to stop a program
> >at start?
>
> Yes, there is. Suppose you want to develop some utility to prevent users
> from running unauthorized/corrupt/infected software. Then, prior to
> executing, all executable files would be checked against a database
> containing the CRCs or MD5 hashes of all “authorized” executables on a
> particular system. If the check fails, the utility will not start.
>
> Marcos



I guess I’m missing the part where kernel process/thread notification is
insufficient to achieve the desired results. Unless what the poster is
really saying is: ‘will somebody please send me the prototypes of
ZwTerminateProcess or NtTerminateProcess’, both of which can be found in
about 3 seconds with Google.

Oh, and license management is typically provided by the application
vendor in the form of a DLL of some sort, not by some third-party
feature that can’t have hooks in the app itself.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
Sent: Tuesday, December 04, 2001 6:29 PM
To: NT Developers Interest List
Subject: [ntdev] Re: AW: RE: application start detection

“Ntdev Reader” wrote in message news:xxxxx@ntdev…
> >
> > You guys can’t find a documented way to prevent a program
> > from starting; maybe there is none because there is no need.
> > Who can explain why anybody would ever want to stop a program
> > at start?
> >
>
> I can think of several reasons for wanting to prevent a
> program from starting. License management applications are a
> major one (i.e. only n instances of a given program can be
> active at one time). Secure environments provide another
> (i.e. only certain programs can be run by certain users,
> either ever or at certain times or under certain conditions).
> Those are off the top of my head.
>
> Having said all that, I agree that hooking APIs isn’t
> typically a very good idea. But, there ARE those times, or
> at least there may be, when the risks justify the benefits
> within a particular, specific, environment.
>
> Peter
> OSR



Yes, there is a way to do this, and Jeffrey Richter wrote a paper on just
how to do it. The problem is that now the DLL that you wrote gets loaded
into the memory space of *every* user-mode process running on the system. I
believe its original purpose was to allow you to hook any API call with your
own code. This could be a powerful tool if you needed to monitor the API
usage of a program, but for a general-purpose way of controlling how many
instances of a program are running I think it’s a bit too much.

Jim

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Tuesday, December 04, 2001 3:27 PM
To: NT Developers Interest List
Subject: [ntdev] Re: AW: RE: application start detection

IIRC there was a way using the registry to inject your DLL into ALL processes in
the OS.
At least all Win32 processes.
Use the DllMain of this DLL to check the EXE’s MD5 sum.

Max


NT has security mechanisms built into it. So, the vast majority of the
app launch restrictions can be implemented by the system administrator.
I don’t know without research whether its access controls can provide for
time frames. Even if not, it is probably possible to write a service
that would change access control flags on files/directories/registry
according to “certain conditions”. Restriction on the number of app
instances looks like a duty of the app manufacturer. Of course, it is
always possible to come up with a reason why a feature is needed, but,
as usual, it is not possible to serve every imaginable need when
creating system interfaces. So, I must restate my assertion and say
“there is probably no compelling need” for this feature :)

— Peter Viscarola wrote:
> “Ntdev Reader” wrote in message news:xxxxx@ntdev…
> >
> > You guys can’t find a documented way to prevent a program
> > from starting; maybe there is none because there is no need.
> > Who can explain why anybody would ever want to stop a program
> > at start?
> >
>
> I can think of several reasons for wanting to prevent a program from
> starting. License management applications are a major one (i.e. only n
> instances of a given program can be active at one time). Secure
> environments provide another (i.e. only certain programs can be run by
> certain users, either ever or at certain times or under certain conditions).
> Those are off the top of my head.
>
> Having said all that, I agree that hooking APIs isn’t typically a very good
> idea. But, there ARE those times, or at least there may be, when the risks
> justify the benefits within a particular, specific, environment.
>
> Peter
> OSR
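
The access-control approach in the post above, as an added example that is the editor’s code, not the poster’s: deny ExecuteFile on one binary to one group, with a switch so a service or scheduled task can lift the deny for a time window, as the post suggests. It assumes an elevated session; the file path and the group name are placeholders.

```powershell
# Added example, not code from the thread: restrict who may run one binary with
# a Deny ACE for ExecuteFile, with a switch so a service or scheduled task can
# lift it for a time window. Assumptions: elevated session; the path and the
# group name are placeholders.

function Set-ExecuteDeny {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'BUILTIN\Users' or 'CORP\Contractors'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    if ($Enabled) {
        # Deny ACEs are evaluated before Allow ACEs in a canonical DACL, so this
        # wins even if the same principal is granted Execute elsewhere.
        $acl.AddAccessRule($rule)
    } else {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ExecuteDenied {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $hits = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $execute) -eq $execute)
    }
    [bool]$hits
}

$app = 'C:\Program Files\Vendor\app.exe'
Set-ExecuteDeny -Path $app -Identity 'BUILTIN\Users' -Enabled $true
Test-ExecuteDenied -Path $app -Identity 'BUILTIN\Users'
# Set-ExecuteDeny -Path $app -Identity 'BUILTIN\Users' -Enabled $false   # lift it again
```

Two limits of a file-level Deny ACE: it gates the path, not the code, so a user who still has Read access can copy the binary elsewhere and run the copy unless the destination also denies execute; and an administrator can take ownership and strip the ACE. Pair it with hashing of what actually gets launched, or use the policy mechanisms Windows later added (Software Restriction Policies, AppLocker). To enforce a time window, register two scheduled tasks that call Set-ExecuteDeny with -Enabled $true and -Enabled $false at the boundaries.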