Valhalla Legends Archive

Programming => Advanced Programming => Topic started by: Banana fanna fo fanna on October 09, 2004, 11:12 AM

Title: Global Windows Hooks - specifically, CreateProcess
Post by: Banana fanna fo fanna on October 09, 2004, 11:12 AM
(Windows 2000/XP)

Is there a way that I can _globally_ (that is, for all processes) hook the CreateProcess call? If so, could you explain it to me/direct me on my quest?
Title: Re: Global Windows Hooks - specifically, CreateProcess
Post by: drivehappy on October 09, 2004, 01:31 PM
This may be of some help (under System-wide Windows Hooks):
http://www.codeproject.com/system/hooksys.asp
Title: Re: Global Windows Hooks - specifically, CreateProcess
Post by: Skywing on October 09, 2004, 05:47 PM
That will only work for Win32 processes.

If you want to make sure user mode code can't evade your hooks, or if you want to hook non-Win32 subsystem processes, you should use a kernel driver and PsSetCreateProcessNotifyRoutine().
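The kernel-side approach Skywing describes, written out as an added example (this is not code from the thread or from any poster). The callback registered with PsSetCreateProcessNotifyRoutine() runs inside the kernel for every process, regardless of subsystem, and receives the parent PID, the new PID and a Create flag (the same routine is called again with Create == FALSE when the process is torn down). The example stores each notification in a small ring buffer so a driver can later hand it to a user-mode consumer; `CREATEPROC_KERNEL_BUILD` is a hypothetical build macro assumed here so that the portable part (the callback body and the log queries) also compiles and runs as an ordinary host program with stand-in typedefs. The caveat a practitioner wants: on the Windows versions discussed this routine can only observe a process creation, not refuse it, and the callback must be removed in DriverUnload before the driver image disappears.

```c
/* Added example: a PsSetCreateProcessNotifyRoutine() callback plus a ring-buffer log.
 * CREATEPROC_KERNEL_BUILD is an assumed, hypothetical macro: define it when building
 * as a WDK driver; leave it undefined to compile the portable logic on any host. */
#ifdef CREATEPROC_KERNEL_BUILD
#include <ntddk.h>
#else
#include <stdint.h>
#include <stdio.h>
/* Stand-ins mirroring the WDK types so the logic compiles outside the kernel (assumption). */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
typedef unsigned int ULONG;
typedef int LONG;
typedef uintptr_t ULONG_PTR;
#define VOID void
#define TRUE 1
#define FALSE 0
#endif

#define PROC_LOG_CAPACITY 256

typedef struct _PROC_EVENT {
    ULONG   ParentPid;
    ULONG   Pid;
    BOOLEAN Create;     /* TRUE on creation, FALSE when the process is deleted */
} PROC_EVENT;

static PROC_EVENT    g_Log[PROC_LOG_CAPACITY];
static volatile LONG g_Next = 0;   /* total notifications seen; slot = index % capacity */

/* Claim a log slot atomically: the callback runs in the context of whichever thread
 * creates a process, so several instances can execute concurrently. */
static LONG ClaimSlot(void)
{
#ifdef CREATEPROC_KERNEL_BUILD
    return InterlockedIncrement(&g_Next) - 1;
#else
    return __sync_fetch_and_add(&g_Next, 1);
#endif
}

/* The notify routine itself. Signature must match PCREATE_PROCESS_NOTIFY_ROUTINE. */
VOID ProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    LONG slot = ClaimSlot();
    PROC_EVENT *e = &g_Log[(ULONG)slot % PROC_LOG_CAPACITY];
    e->ParentPid = (ULONG)(ULONG_PTR)ParentId;
    e->Pid       = (ULONG)(ULONG_PTR)ProcessId;
    e->Create    = Create;
#ifdef CREATEPROC_KERNEL_BUILD
    DbgPrint("proc %s: pid=%lu parent=%lu\n", Create ? "create" : "exit", e->Pid, e->ParentPid);
#endif
}

/* Number of notifications recorded so far (including ones already overwritten). */
ULONG ProcLogCount(void) { return (ULONG)g_Next; }

/* Event i in arrival order, or NULL if it has not happened yet or was overwritten.
 * (A slot claimed but not yet filled by a concurrent callback is a known, tolerated race.) */
const PROC_EVENT *ProcLogAt(ULONG i)
{
    ULONG total = (ULONG)g_Next;
    if (i >= total || total - i > PROC_LOG_CAPACITY)
        return NULL;
    return &g_Log[i % PROC_LOG_CAPACITY];
}

/* How many creations with the given parent are still in the buffer. */
ULONG ProcLogChildrenOf(ULONG parentPid)
{
    ULONG total = (ULONG)g_Next, n = 0, i;
    ULONG start = total > PROC_LOG_CAPACITY ? total - PROC_LOG_CAPACITY : 0;
    for (i = start; i < total; i++) {
        const PROC_EVENT *e = &g_Log[i % PROC_LOG_CAPACITY];
        if (e->Create && e->ParentPid == parentPid)
            n++;
    }
    return n;
}

/* Test/reset hook for the host build only; not safe while callbacks are live. */
VOID ProcLogReset(void) { g_Next = 0; }

#ifdef CREATEPROC_KERNEL_BUILD
static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    /* Remove == TRUE: unregister before the image is unmapped, or the next
     * process creation calls into freed memory and bugchecks the machine. */
    PsSetCreateProcessNotifyRoutine(ProcessNotify, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Fails with STATUS_INVALID_PARAMETER once the system-wide table of notify routines is full. */
    return PsSetCreateProcessNotifyRoutine(ProcessNotify, FALSE);
}
#else
/* Host build: feed the callback constructed notifications (made-up PIDs) and query the log. */
int main(void)
{
    ProcessNotify((HANDLE)(ULONG_PTR)4,    (HANDLE)(ULONG_PTR)1000, TRUE);
    ProcessNotify((HANDLE)(ULONG_PTR)1000, (HANDLE)(ULONG_PTR)1001, TRUE);
    ProcessNotify((HANDLE)(ULONG_PTR)1000, (HANDLE)(ULONG_PTR)1001, FALSE);
    printf("events=%u children_of_1000=%u\n", ProcLogCount(), ProcLogChildrenOf(1000));
    return 0;
}
#endif
```

Because the legacy routine only reports creations after the fact, anything that must block a process has to be done elsewhere; the later PsSetCreateProcessNotifyRoutineEx() (Vista SP1 and up, not the 2000/XP targets of this thread) adds a CreationStatus field the callback can set to fail the creation. The user-mode DLL approaches in the other replies can be unhooked by the process being watched; this one cannot be reached from user mode at all.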
Title: Re: Global Windows Hooks - specifically, CreateProcess
Post by: DecA on November 26, 2004, 04:48 AM
I can explain this better to you, St0rm, on AIM.
Title: Re: Global Windows Hooks - specifically, CreateProcess
Post by: Adron on November 26, 2004, 08:47 AM
Quote from: DecA on November 26, 2004, 04:48 AM
I can explain this better to you, St0rm, on AIM.

That'd be a shame. Then everyone else wouldn't get the chance to learn.
Title: Re: Global Windows Hooks - specifically, CreateProcess
Post by: sixb0nes on December 10, 2004, 04:23 AM
Check out Phrack's great article on userland rootkits. It explains pretty much what you're asking for.
http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt