How to Monitor Process Creation

Hello, I've made a Plugin.exe for ProcessA.exe. What I want to do next is to
start Plugin.exe when ProcessA.exe is running. How can I monitor the
creation and start my process?

Scanning the processes at regular intervals to check whether ProcessA.exe is
running could work, but do I have a better option?

Thanks!


Danny

Kernel Mode:

  • hooking several kernel functions and parts (not recommended!)

recommended:

PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine

(do not forget to remove them, see docs!)

User Mode:

  • Interval based checking
  • hooking the system and parts of it with several methods (not recommended!)
  • using WMI to monitor process creation (best option IMHO), recommended!

A guide for WMI usage:

http://msdn.microsoft.com/en-us/library/aa390425(vs.85).aspx

.NET example that shows the basic concept:

http://weblogs.asp.net/whaggard/archive/2006/02/11/438006.aspx

Whatever you do, don't hook anything or use native assembly, since this will make your code non-portable and can break the security/safety of your application!

best

K.

Thanks for your help! K.

2011/3/24

> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer


Danny

You are welcome Danny,…

Dear K.

If I use PsSetLoadImageNotifyRoutine in Kernel mode to monitor ProcessA.exe,
how can I create a user mode process Plugin.exe in kernel mode safely when I
receive the event?

2011/3/24 Dang XiaoHui



Danny

> Dear K. If I use PsSetLoadImageNotifyRoutine in Kernel mode
> to monitor ProcessA.exe, how can I create a user mode process
> Plugin.exe in kernel mode safely when I receive the event?

This is not 100% straightforward and there are many ways to do this. Some have been explained pretty well here:

http://stackoverflow.com/questions/1135700/create-a-process-from-a-driver

http://www.codeproject.com/KB/system/KernelExec.aspx

I personally would use some IPC with a user mode watcher process, which in fact leads to implementing the complete solution in user mode using either the process polling or the WMI approach, and the user mode process can (if really needed!) communicate with the driver via some IPC of your choice! If there is really no need for a driver, simply don't use it! What's the idea behind all this, enlighten us,…

best

Kerem

> If there is really no need for a driver, simply don't use it!

Yes, totally agree with that. And the communication between the driver and the user
mode application could be complicated when taking USB plug-in/out into
consideration, because my driver would be unloaded during USB plug-out.

So, as you said before, user mode WMI should be the best choice.

I've tried the example Microsoft supplied in MSDN
http://msdn.microsoft.com/en-us/library/aa390425(vs.85).aspx
It could capture the Process Creation Event in the EventSink::Indicate function.

The only problem left for me is: how to find the process id or process name
via IWbemClassObject ** apObjArray. I'm new to COM.

2011/3/24


Danny

The only reason for using a driver is that I can easily get the ProcessId and
ProcessName, to decide whether it's the process I want to monitor.

Thanks again for your help, Kerem.:wink:

On 2011/3/24 at 12:55 PM, Dang XiaoHui wrote:



Danny

For COM questions refer to this community:

http://social.msdn.microsoft.com/Forums/en/vcgeneral/threads

> The only reason for using a driver is that I can easily get the ProcessId and ProcessName,

Well, that's no real reason to do this. Using WMI or even polling the data is best; you will get a lot more information than only the PID and process name. Leave the kernel code to kernel tasks only. Your solution belongs in user mode, not in the kernel.

Read this:

http://msdn.microsoft.com/en-us/library/aa390425(vs.85).aspx

and this:

http://cboard.cprogramming.com/windows-programming/100412-how-monitor-process-creation.html

As said, go to another, topic-specific forum if you have COM issues,…

K.
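The user-mode WMI approach K. recommends in his first reply, applied to Danny's scenario, as an added PowerShell example that is not code from this thread or from the MSDN sample: it subscribes to process-start events, starts the plugin when ProcessA.exe appears, and shows where the process id and name live on the event object. That is the same information Danny was looking for in the C++ sink: with the MSDN query (`__InstanceCreationEvent` on `Win32_Process`) the started process is the `TargetInstance` embedded object and its `ProcessId`/`Name` properties; with the `Win32_ProcessStartTrace` class they are `ProcessID`/`ProcessName` on the event itself, read in C++ through `IWbemClassObject::Get`. The names `ProcessA.exe`, `C:\Tools\Plugin.exe` and `C:\Program Files\VendorA` are placeholders, and the image-path check before launching is an added safeguard, since a process name alone is not an identity.

```powershell
# Added example, not code from the thread or from the MSDN sample.
# Placeholders: the watched process name, the plugin to start, and the
# directory the watched process is expected to run from.
$TargetName  = 'ProcessA.exe'
$PluginPath  = 'C:\Tools\Plugin.exe'
$ExpectedDir = 'C:\Program Files\VendorA'

# One handler for both event shapes WMI can deliver:
#  - Win32_ProcessStartTrace: extrinsic, one event per start, no polling,
#    needs an elevated session; carries ProcessID / ProcessName / ParentProcessID
#  - __InstanceCreationEvent on Win32_Process: intrinsic, polled every
#    "WITHIN n" seconds, works unelevated; the new process is TargetInstance
# In a C++ EventSink::Indicate these are the same properties fetched with
# IWbemClassObject::Get on each object in apObjArray.
$action = {
    $ev = $Event.SourceEventArgs.NewEvent
    if ($ev.CimClass.CimClassName -eq '__InstanceCreationEvent') {
        $name   = $ev.TargetInstance.Name
        $id     = $ev.TargetInstance.ProcessId
        $parent = $ev.TargetInstance.ParentProcessId
    } else {
        $name   = $ev.ProcessName
        $id     = $ev.ProcessID
        $parent = $ev.ParentProcessID
    }
    if ($name -ine $TargetName) { return }

    # A name is not an identity: anything can call itself ProcessA.exe.
    # Confirm the image path before acting on the event. The process may
    # already have exited or be inaccessible, in which case Path is empty.
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $proc -or -not $proc.Path) { return }
    if ((Split-Path -Parent $proc.Path) -ine $ExpectedDir) {
        Write-Warning "PID $id is named $name but runs from '$($proc.Path)'; ignoring"
        return
    }
    if (-not (Test-Path -LiteralPath $PluginPath)) {
        Write-Warning "Plugin not found at '$PluginPath'"
        return
    }
    Write-Host "$name started (PID $id, parent PID $parent); launching plugin"
    Start-Process -FilePath $PluginPath
}.GetNewClosure()   # bind $TargetName/$PluginPath/$ExpectedDir into the handler

function Start-ProcessWatch {
    # -Intrinsic selects the polled query (no elevation needed, up to 2 s delay)
    # instead of the ETW-backed Win32_ProcessStartTrace class.
    param([switch]$Intrinsic)
    if ($Intrinsic) {
        $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                 "WHERE TargetInstance ISA 'Win32_Process'"
        Register-CimIndicationEvent -Query $query `
            -SourceIdentifier 'ProcessA.Watch' -Action $action
    } else {
        Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
            -SourceIdentifier 'ProcessA.Watch' -Action $action
    }
}

function Stop-ProcessWatch {
    # User-mode counterpart of "do not forget to remove them": drop the
    # subscription when the watcher exits, or the callback outlives the script.
    Unregister-Event -SourceIdentifier 'ProcessA.Watch' -ErrorAction SilentlyContinue
}

Start-ProcessWatch | Out-Null
Write-Host "Watching for $TargetName; press Ctrl+C to stop"
try   { while ($true) { Wait-Event -Timeout 5 | Out-Null } }   # keep the session alive so the action can run
finally { Stop-ProcessWatch }
```

Run it elevated for the default `Win32_ProcessStartTrace` subscription, or call `Start-ProcessWatch -Intrinsic` from an unelevated session and accept the polling latency of the `WITHIN 2` clause. Both forms hand the same three facts to the handler (name, PID, parent PID), which is why the thread's advice to stay in user mode costs nothing here: the driver-side callbacks give no more than that for this purpose.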

Great!

Thank you so much! :slight_smile:

2011/3/24



Danny