Intercept Exe Execution...
Hi everyone, I would like to know how to intercept when X exe has been executed... so I can do something before the exe opens up. Example...
Let's say I want to do a msgbox when notepad has been executed: because we intercepted the message before it was executed, we can simply do a msgbox, then let the program run...
I was thinking this might be possible with hooking... but here's the problem: the app I want to intercept the execution of is not always the same... so I would like to know how to intercept that message for any exe...
In conclusion, what I'm trying to accomplish is a way to see when an exe has been executed or opened, so I can do something BEFORE the exe opens and then open the exe after I've done what I want... :)
Thanks a lot!
P.S. I know this is hard, but well, someone here might know how :p
EDIT: would never be solved...
Re: Intercept Exe Execution...
EJ12N,
Why do you want to do something like that?
Re: Intercept Exe Execution...
Quote:
Originally Posted by packetVB
EJ12N,
Why do you want to do something like that?
A security program I'm working on :)
So if X program is called and the admin doesn't want it to be called, or he wants it but needs a password to use it, then do my prompt, and you know the rest...
Re: Intercept Exe Execution...
EJ12N,
To intercept all program execution, you will have to create a driver. You can use a callback with PsCreateProcessNotifyRoutine or hook the native API. The first way only works on NT and above and the second should work on all WinOS's.
I have done both ways.
Hooking the native API is a lot more difficult; I never could get it to work in XP.
I have a freeware beta app that uses PsCreateProcessNotifyRoutine on my web page. Sorry, no source, as it could be used for malicious purposes and I don't want to help anyone doing that.
packetvb
Re: Intercept Exe Execution...
Well, if this is legit, you could write a simple program to shell out the exe, but only if the user enters the correct password. You can replace the shortcut to the exe and point it to your simple shell program starter.
HTH
Re: Intercept Exe Execution...
I've heard of this kind of behavior when following virus removal instructions. Here is a link that touches on it.
http://home.tvd.be/ws36178/security/...8/startup.html
Quote:
The 2nd #3. Using the Registry Shell Spawning capability of Windows, a specified program can be launched each time a file with a certain extension is started, setting it in the (Default) entry of the registry key HKEY_CLASSES_ROOT\EXTENSIONfile\shell\open\command, for example if we want to launch filename.exe every time another exe file is opened we should change the (Default) entry in HKEY_CLASSES_ROOT\exefile\shell\open\command from the standard "%1" %* to filename.exe "%1" %*.
If we want to apply this technique to files that aren't executables, such as HLP or MID, we should make filename.exe to invoke the actual file reader for that format (like C:\WINDOWS\winhlp32.exe %1 or "C:\Windows\mplayer2.exe" /Play "%L") in order to remain invisible to the user.
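A defender's check for the handler change described in the quote above, as an added example that is not part of the original thread: it parses a `.reg` export and reports any watched file class whose `shell\open\command` default differs from the standard `"%1" %*`. The sample export, the function name and the classes other than `exefile` are assumptions of this example.

```python
import re

EXPECTED = '"%1" %*'  # standard exefile handler, as quoted above
# Classes besides exefile are an assumption of this example; on stock
# Windows they carry the same default handler.
WATCHED = {"exefile", "comfile", "batfile", "cmdfile"}

# HKCR is a merged view of HKLM and HKCU Software\Classes, so accept all three.
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Classes)"
    r"\\([^\\\]]+)\\shell\\open\\command\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # REG_SZ default value only


def audit_reg_export(text):
    """Return [(file_class, handler)] for watched classes with a non-standard handler."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            cls = m.group(1).lower() if m else None
            current = cls if cls in WATCHED else None
            continue
        m = DEFAULT_RE.match(line)
        if current and m:
            handler = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
            if handler.strip() != EXPECTED:
                findings.append((current, handler))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="filename.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
"""

if __name__ == "__main__":
    for cls, handler in audit_reg_export(SAMPLE):
        print(f"non-standard {cls} handler: {handler}")
```

Defaults stored as `hex(2):` (REG_EXPAND_SZ) are not decoded by this parser and would need separate handling.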
Re: Intercept Exe Execution...
Phenix,
Would that work if a program was started by another program or by script?
packetvb
Re: Intercept Exe Execution...
About the registry stuff: that wouldn't be secure enough to some users :/
To packetVB: look, I'm not trying to do a daymn virus or any malware. If I ever decided to do that, trust me, it won't be in VB. It is a simple secure password protector for exe files, but I guess I'll just drop the project since I seem to find no help or info on the net about it... Thanks to all those that tried. Now [Removed by manavo11] this project
:wave:
Re: Intercept Exe Execution...
Quote:
packetvb said
Phenix,
Would that work if a program was started by another program or by script?
packetvb
Good question. You'd have to test by making the registry change and tasting your flavor of "shell exec".
http://msdn.microsoft.com/library/de...execmethod.asp
http://vbforums.com/showthread.php?t...ght=shell+exec
http://vbforums.com/showthread.php?t...ght=shell+exec
Re: Intercept Exe Execution...
One other way you could do this, I think, is to modify each executable you want to password protect as is done with programs like Password Protector.
You might be able to do this by adding a stub to the beginning of the program.
This involves learning how to manipulate the PE file format. See the thread Hook on API Call.
It's pretty complex and involves some considerable C++ programming.
For 20 bucks I'd just buy the program.
...
Re: Intercept Exe Execution...
The way I would go about doing this would be:
A) Using the code from http://vbforums.com/showthread.php?t=324770 I monitor the system for new windows.
B) When a new window opens from an exe I'd store the exe name and then terminate the application.
C) Prompt the user for the password and if correctly supplied I'd shell the exe again while ignoring that instance.
Might require some timing to work out but shouldn't be that hard. Alternately, I'd make a list of approved applications and simply terminate everything else unless I had previously been supplied with the admin password.
Re: Intercept Exe Execution...
Quote:
Originally Posted by anotherVBnewbie
The way I would go about doing this would be:
A) Using the code from http://vbforums.com/showthread.php?t=324770 I monitor the system for new windows.
B) When a new window opens from an exe I'd store the exe name and then terminate the application.
C) Prompt the user for the password and if correctly supplied I'd shell the exe again while ignoring that instance.
Might require some timing to work out but shouldn't be that hard. Alternately, I'd make a list of approved applications and simply terminate everything else unless I had previously been supplied with the admin password.
I thought of that too, but it is kind of weak...
Re: Intercept Exe Execution...
The only other thing that comes to mind would be to monitor the Task Manager and build a list of everything running. Anytime you see something you haven't seen before, kill it and then prompt the user for the password. Depending upon the operating system the app is going to be on, or if it will be distributed across multiple operating systems (say 98, XP and 2k), that could take a lot of coding to accomplish as, at least, 98 and XP have different methods of reporting running processes...
Re: Intercept Exe Execution...
I've created something you might find useful. It is a replacement for the Windows shell (Explorer), so if you log in, you won't get the Windows desktop, but the desktop I created (no start menu, no taskbar, just my form), and the only programs that can be started are the ones I put on my form. You can find it here: http://www.planet-source-code.com/vb...58789&lngWId=1
1 Attachment(s)
Re: Intercept Exe Execution...
Sorry, link won't work since you have to be a member. I added it this time