Hi to all driver experts.
I have one problem. I need to modify some EXE file in order to prevent its
normal standalone running. And then I need to write some kind of loader
application that will run this EXE file in the normal way. So this loader
application should be notified of the EXE file loading in order to
reconstruct this EXE for its further normal execution. How can I accomplish
this task??? I know there are some functions in the NT kernel
(PsSetXXXNotifyRoutine) which set callback functions for image
loading/process/thread creation notification. Are there any analogues in
User Mode?
Many thanks beforehand.
Konstantin Manurin
Programmer
Nival Interactive
mailto:xxxxx@nival.com
10a bld. 5, 1st Volokolamsky proezd
Moscow 123060 Russia
Tel: +7 (095) 363-9630
Fax: +7 (095) 363-9631
http://www.nival.com
http://www.etherlords.com
http://www.evil-islands.com
Konstantin,
None in user mode. Just write a simple driver which registers
PsSetXXXNotifyRoutine(s), collect the information and use the
IoCreateNotificationEvent mechanism to notify the user mode application
about the new process, and share the information using IOCTLs.
Hope this helps…
Subodh Radheshyam Gupta
----- Original Message -----
From: “Konstantin Manurin”
To: “NT Developers Interest List”
Sent: Thursday, May 15, 2003 4:15 PM
Subject: [ntdev] Process creation notification in user mode
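An added example, not code from this thread or from any driver mentioned in it: a user-mode C model of the queue that would sit between the process notify callback and the IOCTL handler in the design described in the reply above. The names `proc_event`, `event_queue`, `queue_push`, `queue_drain` and the capacity are assumptions; comments mark where a real driver would take a lock and call `KeSetEvent` / `KeClearEvent` on the notification event.

```c
#include <stddef.h>
#include <stdint.h>

/* One record per callback; fields mirror the notify routine's arguments
   (ParentId, ProcessId, Create). */
typedef struct {
    uintptr_t parent_id;
    uintptr_t process_id;
    int       create;              /* nonzero = created, 0 = exited */
} proc_event;

#define QUEUE_CAP 4                /* constructed value, small for the demo */

typedef struct {
    proc_event slots[QUEUE_CAP];
    size_t     head;               /* index of the oldest record */
    size_t     count;              /* records currently queued */
    uint32_t   dropped;            /* records overwritten before being read */
    int        signaled;           /* models the notification event state */
} event_queue;

/* Producer: the work done in the notify callback. It must not wait for the
   reader, so on overflow the oldest record is overwritten and counted.
   In a driver this runs under a lock and ends with KeSetEvent. */
void queue_push(event_queue *q, uintptr_t parent, uintptr_t pid, int create)
{
    size_t tail = (q->head + q->count) % QUEUE_CAP;
    if (q->count == QUEUE_CAP) {
        q->head = (q->head + 1) % QUEUE_CAP;   /* drop the oldest */
        q->dropped++;
    } else {
        q->count++;
    }
    q->slots[tail] = (proc_event){ parent, pid, create };
    q->signaled = 1;
}

/* Consumer: the work done in the IOCTL handler. The caller-supplied length
   is untrusted, so only whole records that fit are copied out. */
size_t queue_drain(event_queue *q, proc_event *out, size_t out_bytes, uint32_t *dropped)
{
    size_t max = out_bytes / sizeof(proc_event), n = 0;
    while (n < max && q->count > 0) {
        out[n++] = q->slots[q->head];
        q->head = (q->head + 1) % QUEUE_CAP;
        q->count--;
    }
    *dropped = q->dropped;                     /* report loss once, then reset */
    q->dropped = 0;
    if (q->count == 0) q->signaled = 0;        /* KeClearEvent in a driver */
    return n;
}
```

Reporting the drop count with each drain lets the user-mode side know its view of process activity has gaps instead of silently missing events.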
Hi,
The PsSetXXXNotifyRoutines are called after the process has been created or
loaded into memory. The code segment of a process is read-only. Thus, if you
need to modify the exe you cannot do that now, at least in user-space.
So, you have to patch the EXE before it is loaded into memory and not
afterwards.
Regards,
Samarth