Valhalla Legends Archive

Programming => General Programming => Topic started by: iNsAnE-MS on May 22, 2005, 08:44 AM

Title: hooking system stuff
Post by: iNsAnE-MS on May 22, 2005, 08:44 AM
Is there any way to hook into like... Windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)
Title: Re: hooking system stuff
Post by: iNsAnE-MS on May 22, 2005, 09:27 AM
I managed to whack the spyware spawner at the source by killing the power to my computer and then starting the computer in safe mode, replacing the offending exe with a harmless nothing exe with read-only and system attribs, and deleting registry entries. Still need to know how to hook stuff like that though...
Title: Re: hooking system stuff
Post by: Warrior on May 22, 2005, 09:51 AM
You're a die-hard spyware killer. :]
Title: Re: hooking system stuff
Post by: iNsAnE-MS on May 22, 2005, 11:07 AM
Rawr.
Title: Re: hooking system stuff
Post by: OnlyMeat on May 22, 2005, 09:45 PM
Quote from: iNsAnE[m-s] on May 22, 2005, 08:44 AM
Is there any way to hook into like... Windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)

Don't install spyware?
Title: Re: hooking system stuff
Post by: iNsAnE-MS on May 23, 2005, 04:32 AM
No choice, didn't have XP all updated and it hijacked me. First time I've had spyware in two years.
Title: Re: hooking system stuff
Post by: MyndFyre on May 23, 2005, 05:25 PM
You need the Windows DDK to hook the CreateProcess() routine. You'll need to create a kernel-mode driver that uses the PsSetCreateProcessNotifyRoutine (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k108_6ae7797a-ecbe-4665-85d5-e199f13613cd.xml.asp) system function.

Note that products like Norton Internet Security and Microsoft Anti-Spyware already do things like this.
Title: Re: hooking system stuff
Post by: iNsAnE-MS on May 24, 2005, 04:00 AM
Although they do this already, they don't notify of what program performs certain actions like modifying the registry, and do not notify me of what spawns 'approved' programs.
Title: Re: hooking system stuff
Post by: Adron on June 01, 2005, 01:05 PM
Quote from: iNsAnE[m-s] on May 24, 2005, 04:00 AM
Although they do this already, they don't notify of what program performs certain actions like modifying the registry, and do not notify me of what spawns 'approved' programs.

To find out what program spawns a program I think you can just turn on process tracking in the security auditing settings for 2k+. To find out who modifies the registry you need to write a kernel mode driver that hooks the registry functions. Or use Regmon...

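The audit-log route Adron mentions gives the same parent/child information the original question asks for (and that MyndFyre's kernel-mode driver would deliver via PsSetCreateProcessNotifyRoutine) without writing a driver: with "Audit process tracking" enabled, the Security log records a "new process has been created" event for every launch (ID 592 on Windows 2000/XP, 4688 on Vista and later) carrying the new image path and the creator process ID. The script below is an added example, not code from this thread or from any of the tools named in it. It assumes the events have already been parsed into dictionaries; the `SAMPLE_EVENTS` records, every PID and every path in them are constructed stand-ins, and the `trusted_dirs` heuristic is an illustrative choice, not a Windows rule.

```python
"""Reconstruct which process spawned which from Windows process-tracking
audit events (constructed example; the event records below are invented)."""
from collections import defaultdict

# Constructed stand-ins for parsed audit events. The field names mirror what
# the "new process created" audit event carries (new process ID, image file
# name, creator process ID); the values are made up for this example. The
# creator of explorer.exe (PID 4) predates auditing, so it has no record.
SAMPLE_EVENTS = [
    {"new_pid": 600,  "image": r"C:\WINDOWS\explorer.exe",                         "creator_pid": 4},
    {"new_pid": 1200, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",  "creator_pid": 600},
    {"new_pid": 1320, "image": r"C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe",      "creator_pid": 1200},
    {"new_pid": 1400, "image": r"C:\WINDOWS\system32\cmd.exe",                     "creator_pid": 1320},
    {"new_pid": 1450, "image": r"C:\WINDOWS\system32\regedit.exe",                 "creator_pid": 1400},
    {"new_pid": 1500, "image": r"C:\WINDOWS\system32\notepad.exe",                 "creator_pid": 600},
]


def build_tree(events):
    """Return (children, image_of): children maps a creator PID to the PIDs it
    spawned; image_of maps each recorded PID to its image path."""
    children = defaultdict(list)
    image_of = {}
    for ev in events:
        image_of[ev["new_pid"]] = ev["image"]
        children[ev["creator_pid"]].append(ev["new_pid"])
    return children, image_of


def ancestry(events, pid):
    """Walk the creator links upward and return the chain of image paths from
    the given PID to the oldest recorded ancestor ("what spawned this?")."""
    creator_of = {ev["new_pid"]: ev["creator_pid"] for ev in events}
    _, image_of = build_tree(events)
    chain, seen = [], set()
    while pid in image_of and pid not in seen:
        seen.add(pid)                 # PID reuse could otherwise form a cycle
        chain.append(image_of[pid])
        pid = creator_of[pid]
    return chain


def spawned_by(events, image_substring):
    """List the images launched directly by any process whose own image path
    contains image_substring (case-insensitive)."""
    children, image_of = build_tree(events)
    needle = image_substring.lower()
    found = []
    for parent_pid, kids in children.items():
        if needle in image_of.get(parent_pid, "").lower():
            found.extend(image_of[k] for k in kids)
    return found


def flag_unusual_parents(events, trusted_dirs=(r"c:\windows", r"c:\program files")):
    """Report 'approved'-looking programs (under trusted_dirs, an illustrative
    heuristic) whose creator lives outside those directories, e.g. a temp-folder
    executable launching cmd.exe. Returns (child_image, parent_image) pairs."""
    creator_of = {ev["new_pid"]: ev["creator_pid"] for ev in events}
    _, image_of = build_tree(events)

    def trusted(path):
        return any(path.lower().startswith(d) for d in trusted_dirs)

    flagged = []
    for pid, image in image_of.items():
        parent = image_of.get(creator_of[pid])
        if parent is not None and trusted(image) and not trusted(parent):
            flagged.append((image, parent))
    return flagged


if __name__ == "__main__":
    # Trace regedit.exe back to its oldest recorded ancestor, then list the
    # trusted programs that were launched from an untrusted location.
    for step in ancestry(SAMPLE_EVENTS, 1450):
        print(step)
    print(flag_unusual_parents(SAMPLE_EVENTS))
```

Run stand-alone it prints the chain regedit.exe, cmd.exe, updater.exe, iexplore.exe, explorer.exe and then flags cmd.exe as having been started by the temp-folder updater.exe, which is exactly the "who spawned my approved program" answer the thread is after. On a real machine the records would come from the Security event log once process tracking is audited; the matching on creator PID is only reliable while the parent is still running or was itself logged, which is why the walk stops at the first PID with no record.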
Title: Re: hooking system stuff
Post by: Stealth on June 02, 2005, 12:33 AM
Quote from: iNsAnE[m-s] on May 22, 2005, 08:44 AM
Is there any way to hook into like... Windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)

One of my favorite anti-spyware tools will help you here: Sysinternals' Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml) lets you see and terminate entire process trees as well as process handle information and plenty of other good stuff.