Usermode equivalent of PsSetCreateProcessNotifyRoutine

Hi All,

Is there some API that does the job of PsSetCreateProcessNotifyRoutine() so
that any application/DLL could register for process creation notification
from the OS?

Any information is helpful.

Thanks,
Kedar.

Hi, there is no such thing in user mode; however, you can:

  • create a service or user mode app which gets notified by your kernel
    component
  • monitor window creation and destruction, which may allow you to find out
    that a certain process has started
  • hook the user mode create process functions for all processes in the
    system by injecting DLLs and patching entry tables

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com


Hi,

How do I "hook the user mode create process functions for all processes in
the system by injecting DLLs and patching entry tables"? Any pointers for
this?

Any information is helpful.

Thanks,
Kedar.



You can check the http://research.microsoft.com/sn/detours/ library for API
hooking.

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kedar
Sent: Tuesday, March 08, 2005 10:32 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Usermode equalent of PsSetCreateProcessNotifyRoutine

Hi,

How do I "hook the user mode create process functions for all processes in
the system by injecting DLLs and patching entry tables"? Any pointers for
this?

Any information is helpful.

Thanks,
Kedar.



