-
Sep 2nd, 2005, 02:10 AM
#1
Thread Starter
Member
Hook process
Hi all,
a friend of mine needs to hook a process before it starts in order to stop it..
Does anybody know how?
-
Sep 2nd, 2005, 02:28 AM
#2
Hyperactive Member
Re: Hook process
Maybe these APIs and functions will work..
VB Code:
    Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
    Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
    Public Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
    Public Const RSP_SIMPLE_SERVICE = 1
    Public Const RSP_UNREGISTER_SERVICE = 0
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF
    Private Declare Function OpenProcess Lib "kernel32" _
        (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
        ByVal dwProcessId As Long) As Long
    Private Declare Function GetExitCodeProcess Lib "kernel32" _
        (ByVal hProcess As Long, lpExitCode As Long) As Long
    Private Declare Function TerminateProcess Lib "kernel32" _
        (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
    'Declarations the routines below rely on (they were missing from the post)
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    Private Declare Function EnumProcesses Lib "psapi.dll" (lpidProcess As Long, ByVal cb As Long, cbNeeded As Long) As Long
    Private Declare Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As Long, lphModule As Long, ByVal cb As Long, lpcbNeeded As Long) As Long
    Private Declare Function GetModuleFileNameExA Lib "psapi.dll" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
    Private Type OSVERSIONINFO
        dwOSVersionInfoSize As Long
        dwMajorVersion As Long
        dwMinorVersion As Long
        dwBuildNumber As Long
        dwPlatformId As Long
        szCSDVersion As String * 128
    End Type
    Private Declare Function GetVersionExA Lib "kernel32" (lpVersionInformation As OSVERSIONINFO) As Long
    Private Type PROCESSENTRY32
        dwSize As Long
        cntUsage As Long
        th32ProcessID As Long
        th32DefaultHeapID As Long
        th32ModuleID As Long
        cntThreads As Long
        th32ParentProcessID As Long
        pcPriClassBase As Long
        dwFlags As Long
        szExeFile As String * 260
    End Type
    Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Private Const PROCESS_TERMINATE = &H1
    Public Const VER_PLATFORM_WIN32_WINDOWS = 1
    Private Const PROCESS_QUERY_INFORMATION = 1024
    Private Const PROCESS_VM_READ = 16
    Private Const TH32CS_SNAPPROCESS = &H2

    'Returns the platform id (VER_PLATFORM_WIN32_WINDOWS for 9x, 2 for NT)
    Private Function CheckVersion() As Long
        Dim tOS As OSVERSIONINFO
        tOS.dwOSVersionInfoSize = Len(tOS)
        GetVersionExA tOS
        CheckVersion = tOS.dwPlatformId
    End Function

    Public Function GetEXEProcessID(ByVal sEXE As String) As Long
        Dim aPID() As Long
        Dim lProcesses As Long
        Dim lProcess As Long
        Dim lModule As Long
        Dim lNeeded As Long
        Dim sName As String
        Dim iIndex As Integer
        Dim bCopied As Long
        Dim lSnapShot As Long
        Dim tPE As PROCESSENTRY32
        Dim bDone As Boolean
        Dim lRet As Long
        If CheckVersion() = VER_PLATFORM_WIN32_WINDOWS Then
            'Windows 9x
            'Create a snapshot of the currently running processes
            lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
            If lSnapShot < 0 Then Exit Function
            tPE.dwSize = Len(tPE)
            'Buffer the first process's info..
            bCopied = Process32First(lSnapShot, tPE)
            Do While bCopied
                'While there are processes, compare each name with the one we want
                sName = Left$(tPE.szExeFile, InStr(tPE.szExeFile, Chr(0)) - 1)
                sName = Mid(sName, InStrRev(sName, "\") + 1)
                If StrComp(sEXE, sName, vbTextCompare) = 0 Then
                    'Read the PID from the entry we just compared (the original code
                    'fetched the next entry first and so returned the wrong PID)
                    GetEXEProcessID = tPE.th32ProcessID
                    Exit Do
                End If
                bCopied = Process32Next(lSnapShot, tPE)
            Loop
            'Don't leak the snapshot handle
            lRet = CloseHandle(lSnapShot)
        Else
            'Windows NT
            'The EnumProcesses function doesn't indicate how many processes there are,
            'so you need to pass a large array and trim off the empty elements,
            'as cbNeeded will return the number of bytes copied.
            ReDim aPID(255)
            Call EnumProcesses(aPID(0), 1024, lProcesses)
            lProcesses = lProcesses / 4
            ReDim Preserve aPID(lProcesses)
            For iIndex = 0 To lProcesses - 1
                'Get the process handle by opening the process
                lProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, aPID(iIndex))
                If lProcess Then
                    'Just get the first module; all we need is its handle to get
                    'the filename..
                    If EnumProcessModules(lProcess, lModule, 4, lNeeded) Then
                        sName = Space(260)
                        Call GetModuleFileNameExA(lProcess, lModule, sName, Len(sName))
                        If InStr(sName, "\") > 0 Then
                            sName = Mid(sName, InStrRev(sName, "\") + 1)
                        End If
                        If InStr(sName, Chr(0)) Then
                            sName = Left(sName, InStr(sName, Chr(0)) - 1)
                        End If
                        If StrComp(sEXE, sName, vbTextCompare) = 0 Then
                            GetEXEProcessID = aPID(iIndex)
                            bDone = True
                        End If
                    End If
                    'Close the process handle
                    lRet = CloseHandle(lProcess)
                    If bDone Then Exit For
                End If
            Next
        End If
    End Function

    Public Function TerminateEXE(ByVal sEXE As String) As Boolean
        Dim lPID As Long
        Dim lProcess As Long
        lPID = GetEXEProcessID(sEXE)
        If lPID = 0 Then Exit Function
        lProcess = OpenProcess(PROCESS_TERMINATE, 0, lPID)
        'OpenProcess fails (returns 0) for protected processes or without the right privileges
        If lProcess = 0 Then Exit Function
        TerminateEXE = (TerminateProcess(lProcess, 0&) <> 0)
        Call CloseHandle(lProcess)
    End Function

    Public Function EndShelledProcess(ShellReturnValue As Long) _
        As Boolean
        'PURPOSE: End a process started with VB's Shell statement
        'INPUT: Task ID returned by Shell
        'RETURNS: True if successful, False otherwise
        On Error Resume Next
        Dim hInst As Long
        Dim hProcess As Long
        Dim lExitCode As Long
        Dim lRet As Long
        hInst = ShellReturnValue
        If hInst = 0 Then Exit Function
        'Get handle to process
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, hInst)
        If hProcess <> 0 Then
            'Get exit code (STILL_ACTIVE, 259, means it is still running)
            GetExitCodeProcess hProcess, lExitCode
            If lExitCode <> 0 Then
                'bye-bye
                lRet = TerminateProcess(hProcess, lExitCode)
                EndShelledProcess = lRet > 0
            End If
            Call CloseHandle(hProcess)
        End If
    End Function
-
Sep 2nd, 2005, 02:36 AM
#3
Thread Starter
Member
Re: Hook process
Thanks, but is it possible without looping? I mean to stop the process as soon as it starts.. (hook it immediately!)
-
Sep 2nd, 2005, 02:50 AM
#4
Re: Hook process
You'd need to loop to keep checking the processes.
It's possible without looping with a WH_SHELL hook, but you can't do that in VB (we tried a while back).
-
Sep 2nd, 2005, 02:54 AM
#5
Thread Starter
Member
-
Dec 5th, 2005, 05:51 AM
#6
Junior Member
Re: Hook process
 Originally Posted by penagate
You'd need to loop to keep checking the processes.
It's possible without looping with a WH_SHELL hook, but you can't do that in VB (we tried a while back).
vbAccelerator does have a Windows hook library that could hook WM_SHELL:
http://www.vbaccelerator.com/home/VB...ry/article.asp
but I do not know what message I need to use
-
Dec 5th, 2005, 07:51 AM
#7
Re: Hook process
I'm familiar with the vbAccelerator hook library, but it is not possible to install a WH_SHELL hook using VB6.
Alternatively, you can use the RegisterShellWindow() function to receive shell notifications through your WndProc, which you can reach through normal subclassing. There is an example of that in the "more or less useful" link in my signature.
-
Dec 5th, 2005, 08:09 AM
#8
Junior Member
Re: Hook process
OK, it did work, but does the WindowCreated event mean "the process is created"? If so, that is not satisfactory, since I wish to do something BEFORE any process starts to execute.
I learned about MS AntiSpyware: its secret is in shellextension.dll, and I found some APIs:
CreateToolHelp32Snapshot: well, I don't think it is the key, since it has to loop over all processes, and not BEFORE the process executes; far from satisfactory.
-
Dec 5th, 2005, 09:24 AM
#9
Junior Member
Re: Hook process
Well, some guys once said that it IS possible to "hook the API" by modifying the IAT (Import Address Table); some gurus have done that:
http://www.Planet-Source-Code.com/vb...31105&lngWId=1
but when I tried similar code, nothing happened.
' in a form
VB Code:
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
    Private m_pOrigCreateProcessA As Long

    Private Sub Form_Load()
        'HookImportedFunctionByName comes from the linked sample (not shown here).
        'It patches the CreateProcessA slot in MSVBVM60.DLL's import table, so only
        'calls the VB runtime itself makes in THIS process (e.g. Shell) pass through
        'the hook; programs started elsewhere on the machine never reach it.
        HookImportedFunctionByName _
            GetModuleHandle("MSVBVM60.DLL"), _
            "KERNEL32.DLL", _
            "CreateProcessA", _
            AddressOf MyCreateProcess, _
            m_pOrigCreateProcessA
    End Sub
'in a module
VB Code:
    'The lp* pointer parameters of CreateProcessA refer to these structures
    Private Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
    End Type
    Private Type STARTUPINFO
        cb As Long
        lpReserved As Long
        lpDesktop As Long
        lpTitle As Long
        dwX As Long
        dwY As Long
        dwXSize As Long
        dwYSize As Long
        dwXCountChars As Long
        dwYCountChars As Long
        dwFillAttribute As Long
        dwFlags As Long
        wShowWindow As Integer
        cbReserved2 As Integer
        lpReserved2 As Long      'a pointer, not a single byte
        hStdInput As Long
        hStdOutput As Long
        hStdError As Long
    End Type
    Private Type PROCESS_INFORMATION
        hProcess As Long
        hThread As Long
        dwProcessId As Long
        dwThreadId As Long
    End Type
    Private Declare Function lstrlenA Lib "kernel32" (ByVal lpString As Long) As Long
    Private Declare Function lstrcpyA Lib "kernel32" (ByVal lpDest As String, ByVal lpSrc As Long) As Long
    'The hook is entered by native code with CreateProcessA's stdcall frame, so every
    'parameter must be a raw 32-bit value (pointer or DWORD). String, UDT or Variant
    'parameters here are misinterpreted by VB and crash. The forwarding declaration
    'below takes the same raw values and passes them through untouched.
    Private Declare Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As Long, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, ByVal lpStartupInfo As Long, ByVal lpProcessInformation As Long) As Long

    'Copy a NUL-terminated ANSI string out of a raw pointer (NULL gives "")
    Private Function PtrToAnsi(ByVal lpsz As Long) As String
        Dim sBuf As String
        If lpsz = 0 Then Exit Function
        sBuf = Space$(lstrlenA(lpsz) + 1)
        lstrcpyA sBuf, lpsz
        PtrToAnsi = Left$(sBuf, InStr(sBuf, Chr$(0)) - 1)
    End Function

    Public Function MyCreateProcess(ByVal lpApplicationName As Long, ByVal lpCommandLine As Long, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, ByVal lpStartupInfo As Long, ByVal lpProcessInformation As Long) As Long
        'lpApplicationName may be NULL; the image name is then at the start of lpCommandLine
        MsgBox PtrToAnsi(lpApplicationName) & vbCrLf & PtrToAnsi(lpCommandLine)
        'Forward to the real CreateProcessA. A VB Declare is bound by the runtime via
        'GetProcAddress, not through the patched import slot, so this does not recurse.
        MyCreateProcess = CreateProcess(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation)
    End Function
-
Dec 6th, 2005, 12:34 AM
#10
Junior Member
Re: Hook process
I found some excellent sample code:
http://www.vbforums.com/showthread.p...&highlight=IAT
but when I added hooks for CreateProcess/OpenProcess/CreateThread etc., there was still no effect.
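The IAT hooking discussed in the last two posts works by overwriting one 4-byte slot in a module's Import Address Table; the added Python below (not from this thread or the linked samples) walks the import directory of a constructed minimal PE32 image and returns, per DLL, each imported function and the RVA of its IAT slot, which is what a hook patches and what an integrity check compares against the real export address. It assumes the image is laid out as mapped in memory (RVA equals offset), which is how a process inspects its own loaded modules.

```python
import struct

def build_sample_image():
    """Constructed minimal PE32 image (not a real binary), laid out as if mapped
    in memory (RVA == offset), importing two KERNEL32 functions by name."""
    base = 0x200                                       # import data starts here
    dll, names = b"KERNEL32.DLL\0", [b"\0\0CreateProcessA\0", b"\0\0OpenProcess\0"]  # hint(2)+name
    int_rva, iat_rva, dll_rva = base + 40, base + 52, base + 64
    n1 = dll_rva + len(dll); n2 = n1 + len(names[0])
    thunks = struct.pack("<3I", n1, n2, 0)             # INT and IAT start out identical
    desc = struct.pack("<5I", int_rva, 0, 0, dll_rva, iat_rva) + bytes(20)  # + terminator
    body = desc + thunks + thunks + dll + b"".join(names)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(8)
    hdr += struct.pack("<II", base, len(body)) + bytes(112)       # DataDirectory[1] = imports
    return hdr + bytes(base - len(hdr)) + body

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(img):
    """Walk the import directory of a mapped PE32 image.
    Returns {dll: [(function, iat_slot_rva)]}; the slot is the cell an IAT hook
    overwrites, so comparing its content with the real export address detects one."""
    if img[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", img, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    imp_rva = struct.unpack_from("<I", img, pe + 24 + 104)[0]   # DataDirectory[1].VirtualAddress
    result = {}
    if imp_rva == 0:
        return result                               # nothing imported
    off = imp_rva
    while True:
        orig_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<5I", img, off)
        if name_rva == 0 and first_thunk == 0:
            break                                   # all-zero descriptor ends the table
        lookup = orig_thunk or first_thunk          # INT if present, else the IAT itself
        funcs = []
        for i in range(4096):                       # hard stop against an unterminated table
            entry = struct.unpack_from("<I", img, lookup + 4 * i)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                  # import by ordinal
                funcs.append(("ordinal#%d" % (entry & 0xFFFF), first_thunk + 4 * i))
            else:                                   # import by name: skip the 2-byte hint
                funcs.append((cstr(img, entry + 2), first_thunk + 4 * i))
        result[cstr(img, name_rva)] = funcs
        off += 20
    return result
```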