How about creating a filter kernel32.dll and then forwarding to the real kernel32.dll? When CreateProcess is trapped, do the custom processing. But I don't know if there are any undocumented kernel32 exports which operating system DLLs use among themselves. To me this method would involve booting up in DOS mode to get the kernel32.dll replaced, as all Win32 processes use it and you won't be able to overwrite it on a live system.

Alternatively, I can think of polling for processes and then spawning the custom executable.

BTW, this isn't the group for this type of question; there are more generic Win32 newsgroups for these topics.
Well, what the OP missed out was telling us what he wants to achieve. That would have been more useful than telling us what he had tried. I pass the question to those who can read minds.
Vipin
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Monday, October 11, 2004 4:16 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Intercepting Process Creation
This is not supported by the OS design, and for a purpose. The thing is that making any security decisions based on the EXE name is a bad idea, and only the illusion of security. Malware EXEs can be named any way.

So, hooking and hackery is your only chance.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: "narendra.bhongale"
To: "Windows System Software Devs Interest List"
Sent: Monday, October 11, 2004 9:31 AM
Subject: [ntdev] Intercepting Process Creation
> Hi All,
>
> When any process gets created, the call goes to NtCreateProcess. I want
> that when a user wants to create a process, e.g. c:\abc.exe, some
> other process, d:\abc.exe, is created for this call instead, using a
> different user token for this call (something like the user-mode
> function CreateProcessAsUser does).
>
> I am not getting the correct way to do this. Besides hooking, are there
> any other ways to do it? Hooking has some problems on XP.
>
> Please tell me how to do this.
>
> Regards,
> Naren.
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com