
Thread: Hook process

  1. #1

    Thread Starter
    Member

    Hook process

    Hi all,

    A friend of mine needs to hook a process before it starts, in order to stop it.

    Does anybody know how?

  2. #2
    Hyperactive Member

    Re: Hook process

    Maybe these APIs and functions will work.

    VB Code:
    ' Identity of the calling process.
    Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
    Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
    ' Windows 9x only: registers (RSP_SIMPLE_SERVICE) or unregisters
    ' (RSP_UNREGISTER_SERVICE) the given process as a "service". None of the
    ' routines in this listing call it, and it does not exist on NT-based Windows.
    Public Declare Function RegisterServiceProcess Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwType As Long) As Long
    Public Const RSP_SIMPLE_SERVICE = 1
    Public Const RSP_UNREGISTER_SERVICE = 0
    ' Access mask granting every process right.
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF

    ' Handle-based process control: open by ID, read exit status, kill.
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long
    Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
    17.  
    ' ToolHelp process record filled in by Process32First / Process32Next.
    ' Member order and sizes follow the Win32 layout; do not reorder them.
    Private Type PROCESSENTRY32
      dwSize As Long              ' caller stores Len(PROCESSENTRY32) here before the first call
      cntUsage As Long
      th32ProcessID As Long       ' process ID of this entry
      th32DefaultHeapID As Long
      th32ModuleID As Long
      cntThreads As Long
      th32ParentProcessID As Long ' process ID of the creator
      pcPriClassBase As Long
      dwFlags As Long
      szExeFile As String * 260   ' NUL-terminated executable name in a fixed 260-char buffer
    End Type
    30.  
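    ' ToolHelp snapshot walking (Windows 9x path of GetEXEProcessID).
    Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long

    ' Declarations used by the routines below that the original listing omitted;
    ' without them the module does not compile.
    Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    ' PSAPI ships only with NT-based Windows, which is why GetEXEProcessID
    ' branches on the platform before using these.
    Private Declare Function EnumProcesses Lib "psapi.dll" (lpidProcess As Long, ByVal cb As Long, cbNeeded As Long) As Long
    Private Declare Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As Long, lphModule As Long, ByVal cb As Long, lpcbNeeded As Long) As Long
    Private Declare Function GetModuleFileNameExA Lib "psapi.dll" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long

    ' Access rights and snapshot flags.
    Private Const PROCESS_TERMINATE = &H1
    Public Const VER_PLATFORM_WIN32_WINDOWS = 1
    Private Const PROCESS_QUERY_INFORMATION = 1024
    Private Const PROCESS_VM_READ = 16
    Private Const TH32CS_SNAPPROCESS = &H2

    ' Platform detection for CheckVersion(), which the original listing calls
    ' but never defines.
    Private Type OSVERSIONINFO
      dwOSVersionInfoSize As Long
      dwMajorVersion As Long
      dwMinorVersion As Long
      dwBuildNumber As Long
      dwPlatformId As Long
      szCSDVersion As String * 128
    End Type
    Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (lpVersionInformation As OSVERSIONINFO) As Long

    ' Returns the dwPlatformId of the running Windows (VER_PLATFORM_WIN32_WINDOWS
    ' on 9x), or 0 if GetVersionEx fails.
    Private Function CheckVersion() As Long
      Dim tOSV As OSVERSIONINFO
      tOSV.dwOSVersionInfoSize = Len(tOSV)
      If GetVersionEx(tOSV) <> 0 Then CheckVersion = tOSV.dwPlatformId
    End Function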
    39.  
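    ' Returns the process ID of the first running process whose executable file
    ' name (directory stripped) equals sEXE, compared case-insensitively.
    ' Returns 0 when nothing matches or the enumeration fails.
    ' Windows 9x walks a ToolHelp snapshot; Windows NT uses PSAPI.
    '
    ' Fixes vs. the original: on 9x the match was tested AFTER Process32Next had
    ' overwritten tPE, so the ID of the *next* process was returned; the snapshot
    ' handle was never closed; a name without a NUL terminator raised error 5.
    Public Function GetEXEProcessID(ByVal sEXE As String) As Long
      Dim aPID() As Long
      Dim lProcesses As Long
      Dim lProcess As Long
      Dim lModule As Long
      Dim lNeeded As Long
      Dim sName As String
      Dim lIndex As Long
      Dim bCopied As Long
      Dim lSnapShot As Long
      Dim tPE As PROCESSENTRY32
      Dim bDone As Boolean

      If CheckVersion() = VER_PLATFORM_WIN32_WINDOWS Then
        'Windows 9x: snapshot of the currently running processes.
        lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        'INVALID_HANDLE_VALUE (-1) signals failure.
        If lSnapShot = -1 Then Exit Function
        tPE.dwSize = Len(tPE)
        bCopied = Process32First(lSnapShot, tPE)
        Do While bCopied
          sName = BaseName(tPE.szExeFile)
          'Compare before advancing, so tPE still describes the matched process.
          If StrComp(sEXE, sName, vbTextCompare) = 0 Then
            GetEXEProcessID = tPE.th32ProcessID
            Exit Do
          End If
          bCopied = Process32Next(lSnapShot, tPE)
        Loop
        'The snapshot is a kernel handle and must be released.
        Call CloseHandle(lSnapShot)

      Else
        'Windows NT: EnumProcesses does not report how many processes exist,
        'only how many bytes it copied (cbNeeded), so pass a large buffer and
        'derive the count from the byte count.
        ReDim aPID(1023)
        If EnumProcesses(aPID(0), 4096, lProcesses) = 0 Then Exit Function
        lProcesses = lProcesses \ 4

        For lIndex = 0 To lProcesses - 1
          'Open with only the rights needed to read the module file name.
          lProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, aPID(lIndex))
          If lProcess Then
            'The first module handle is enough to get the executable's file name.
            If EnumProcessModules(lProcess, lModule, 4, lNeeded) Then
              sName = Space$(260)
              Call GetModuleFileNameExA(lProcess, lModule, sName, Len(sName))
              sName = BaseName(sName)
              If StrComp(sEXE, sName, vbTextCompare) = 0 Then
                GetEXEProcessID = aPID(lIndex)
                bDone = True
              End If
            End If
            'Close the handle before leaving the loop so nothing leaks.
            Call CloseHandle(lProcess)
            If bDone Then Exit For
          End If
        Next
      End If
    End Function

    ' Strips NUL padding from a fixed-size API buffer and drops any directory
    ' part, returning just the file name. Safe when no NUL or "\" is present.
    Private Function BaseName(ByVal sPath As String) As String
      Dim lNul As Long
      lNul = InStr(sPath, vbNullChar)
      If lNul > 0 Then sPath = Left$(sPath, lNul - 1)
      'InStrRev returns 0 when there is no backslash, so Mid$ starts at 1.
      BaseName = Mid$(sPath, InStrRev(sPath, "\") + 1)
    End Function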
    112.  
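    ' Terminates the first running process named sEXE.
    ' Returns True only when the process was found, could be opened with
    ' PROCESS_TERMINATE and TerminateProcess reported success. The original
    ' returned True even when OpenProcess failed (e.g. access denied on a
    ' process of another user) and nothing was actually terminated.
    Public Function TerminateEXE(ByVal sEXE As String) As Boolean
      Dim lPID As Long
      Dim lProcess As Long

      lPID = GetEXEProcessID(sEXE)
      If lPID = 0 Then Exit Function
      'Request only the right this routine uses.
      lProcess = OpenProcess(PROCESS_TERMINATE, 0, lPID)
      If lProcess = 0 Then Exit Function
      TerminateEXE = (TerminateProcess(lProcess, 0&) <> 0)
      Call CloseHandle(lProcess)
    End Function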
    125.  
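    Public Function EndShelledProcess(ShellReturnValue As Long) _
       As Boolean

    'PURPOSE: End a process started with VB's Shell Statement
    'INPUT: Task ID returned by Shell (the process ID)
    'RETURNS: True if successful, false otherwise
    '
    'Fixes vs. the original: the exit code is compared with STILL_ACTIVE rather
    'than "<> 0" (a process that had already exited with a non-zero code was
    'being "terminated" again, and the result of GetExitCodeProcess was never
    'checked); the process handle is now always closed; only the two rights
    'actually used are requested instead of PROCESS_ALL_ACCESS; and the blanket
    'On Error Resume Next no longer hides failures.

      Const STILL_ACTIVE As Long = &H103

      Dim hProcess As Long
      Dim lExitCode As Long
      Dim lRet As Long

      If ShellReturnValue = 0 Then Exit Function

      'Get handle to process: query rights to read the exit code, terminate to end it.
      hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_TERMINATE, 0&, ShellReturnValue)
      If hProcess = 0 Then Exit Function

      'GetExitCodeProcess reports STILL_ACTIVE while the process is still running.
      If GetExitCodeProcess(hProcess, lExitCode) <> 0 Then
        If lExitCode = STILL_ACTIVE Then
          'bye-bye
          lRet = TerminateProcess(hProcess, 0&)
          EndShelledProcess = (lRet <> 0)
        End If
      End If

      'Always release the handle, whatever happened above.
      Call CloseHandle(hProcess)

    End Function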

  3. #3

    Thread Starter
    Member

    Re: Hook process

    Tx, but is it possible without looping? I mean to stop the process as soon as it starts (hook it immediately!).

  4. #4
    I'm about to be a PowerPoster!

    Re: Hook process

    You'd need to loop to keep checking the processes.

    It's possible without looping with a WH_SHELL hook, but you can't do that in VB (we tried a while back).

  5. #5

    Thread Starter
    Member

    Re: Hook process

    Tx

    Cheers

  6. #6
    Junior Member

    Question Re: Hook process

    Quote Originally Posted by penagate
    You'd need to loop to keep checking the processes.

    It's possible without looping with a WH_SHELL hook, but you can't do that in VB (we tried a while back).
    vbAccelerator does have a Windows hook library that could hook WH_SHELL:

    http://www.vbaccelerator.com/home/VB...ry/article.asp

    but I do not know what message I need to use

  7. #7
    I'm about to be a PowerPoster!

    Re: Hook process

    I'm familiar with the vbAccelerator hook library, but it is not possible to install a WH_SHELL hook using VB6.

    Alternatively, you can use the RegisterShellWindow() function to receive shell notifications through your WndProc, which you can reach through normal subclassing. There is an example of that in the "more or less useful" link in my signature.

  8. #8
    Junior Member

    Question Re: Hook process

    OK, it did work, but does the WindowCreated event mean "the process is created"? If so, that is not satisfactory, since I wish to do something BEFORE any process starts to execute.

    I looked into MS AntiSpyware; its secret is in shellextension.dll, where I found some APIs:

    CreateToolHelp32Snapshot: well, I don't think it is the key, since it has to loop over all processes and does not act BEFORE a process executes — far from satisfactory.

  9. #9
    Junior Member

    Exclamation Re: Hook process

    Well, some people have said that it IS possible to "hook an API" by modifying the IAT (Import Address Table); some gurus have done that:

    http://www.Planet-Source-Code.com/vb...31105&lngWId=1

    but when I wrote similar code, nothing happened.


    // in a form
    VB Code:
    ' Passed as the last argument of HookImportedFunctionByName in Form_Load;
    ' presumably receives the original CreateProcessA entry point - the hook
    ' installer is not on this page, so confirm against its source.
    Private m_pOrigCreateProcessA As Long
    2.  
    ' Redirects CreateProcessA as imported by the VB runtime (MSVBVM60.DLL) loaded
    ' in this process to MyCreateProcess, keeping the original entry point in
    ' m_pOrigCreateProcessA. HookImportedFunctionByName is not shown on this page;
    ' assuming it patches the named module's import address table, only calls made
    ' through that table inside this process are affected - launches performed by
    ' other processes are never seen.
    Private Sub Form_Load()
        Dim hRuntime As Long
        hRuntime = GetModuleHandle("MSVBVM60.DLL")
        HookImportedFunctionByName hRuntime, "KERNEL32.DLL", "CreateProcessA", _
                                   AddressOf MyCreateProcess, m_pOrigCreateProcessA
    End Sub


    //in a module
    VB Code:
    ' Win32 SECURITY_ATTRIBUTES: structure size, security descriptor pointer
    ' (0 for the default), and whether the resulting handle is inheritable.
    Private Type SECURITY_ATTRIBUTES
        nLength As Long
        lpSecurityDescriptor As Long
        bInheritHandle As Long
    End Type
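    ' Win32 STARTUPINFO (ANSI). lpReserved2 is a pointer (LPBYTE) and so must be
    ' a 4-byte Long; the original declared it As Byte, which mislabels the field
    ' (the structure's total size only stayed correct because of alignment
    ' padding before hStdInput).
    Private Type STARTUPINFO
        cb As Long
        lpReserved As Long
        lpDesktop As Long
        lpTitle As Long
        dwX As Long
        dwY As Long
        dwXSize As Long
        dwYSize As Long
        dwXCountChars As Long
        dwYCountChars As Long
        dwFillAttribute As Long
        dwFlags As Long
        wShowWindow As Integer
        cbReserved2 As Integer
        lpReserved2 As Long
        hStdInput As Long
        hStdOutput As Long
        hStdError As Long
    End Type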
    ' Win32 PROCESS_INFORMATION, filled in by CreateProcess with the handles and
    ' IDs of the new process and its primary thread.
    Private Type PROCESS_INFORMATION
        hProcess As Long
        hThread As Long
        dwProcessId As Long
        dwThreadId As Long
    End Type
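    ' Raw-pointer declaration of CreateProcessA. The callback below receives the
    ' caller's arguments exactly as pushed on the stack (ten 32-bit values), so
    ' everything is declared and forwarded As Long. The original used ByVal String,
    ' ByRef UDT and ByRef Variant parameters: in an AddressOf callback there is no
    ' marshalling, so the runtime would treat an ANSI char pointer as a BSTR and a
    ' raw pointer as a VARIANT, corrupting the values before they were forwarded.
    Private Declare Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As Long, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, ByVal lpStartupInfo As Long, ByVal lpProcessInformation As Long) As Long
    ' Used only to turn an ANSI char pointer into a VB String for display.
    Private Declare Function lstrlenA Lib "kernel32" (ByVal lpString As Long) As Long
    Private Declare Function lstrcpyA Lib "kernel32" (ByVal lpString1 As String, ByVal lpString2 As Long) As Long

    ' Copies the NUL-terminated ANSI string at lpsz into a VB String.
    ' Returns "" for a NULL pointer (CreateProcess allows a NULL lpApplicationName).
    Private Function AnsiPtrToString(ByVal lpsz As Long) As String
        Dim lLen As Long
        Dim sBuf As String
        If lpsz = 0 Then Exit Function
        lLen = lstrlenA(lpsz)
        If lLen = 0 Then Exit Function
        sBuf = Space$(lLen)
        'VB copies the ANSI buffer back into sBuf after the call returns.
        Call lstrcpyA(sBuf, lpsz)
        AnsiPtrToString = sBuf
    End Function

    ' Replacement for CreateProcessA installed via AddressOf (must live in a
    ' standard module). Shows the requested application name, then forwards the
    ' untouched arguments to the real CreateProcessA and returns its result, so
    ' the caller observes no change in behaviour. Only calls routed through the
    ' patched import table in this process reach this function.
    Public Function MyCreateProcess(ByVal lpApplicationName As Long, ByVal lpCommandLine As Long, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, ByVal lpStartupInfo As Long, ByVal lpProcessInformation As Long) As Long
        MsgBox AnsiPtrToString(lpApplicationName)
        MyCreateProcess = CreateProcess(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDriectory, lpStartupInfo, lpProcessInformation)
    End Function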

  10. #10
    Junior Member

    Re: Hook process

    I found an excellent sample code:

    http://www.vbforums.com/showthread.p...&highlight=IAT

    but when I added hooks for CreateProcess/OpenProcess/CreateThread etc., there was still no effect.
