Global Windows Hooks - specifically, CreateProcess

Banana fanna fo fanna · October 09, 2004, 11:12 AM

(Windows 2000/XP)

Is there a way that I can _globally_ (that is, for all processes) hook the CreateProcess call? If so, could you explain it to me/direct me on my quest?

drivehappy · October 09, 2004, 01:31 PM

This may be of some help (under System-wide Windows Hooks):
http://www.codeproject.com/system/hooksys.asp

Skywing · October 09, 2004, 05:47 PM

That will only work for Win32 processes.

If you want to make sure user mode code can't evade your hooks, or if you want to hook non-Win32 subsystem processes, you should use a kernel driver and PsSetCreateProcessNotifyRoutine().

DecA · November 26, 2004, 04:48 AM

I can explain this better to you St0rm on AIM

Adron · November 26, 2004, 08:47 AM

Quote from: DecA on November 26, 2004, 04:48 AM
I can explain this better to you St0rm on AIM

That'd be a shame. Then everyone else wouldn't get the chance to learn.

sixb0nes · December 10, 2004, 04:23 AM

Check out Phrack's great article on userland rootkits. It explains pretty much what you're asking for.
http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt

Valhalla Legends Archive

Global Windows Hooks - specifically, CreateProcess

Banana fanna fo fanna

drivehappy

Skywing

DecA

Adron

sixb0nes