Valhalla Legends Forums Archive | General Programming | hooking system stuff

iNsAnE-MS
Is there any way to hook into like... windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)
May 22, 2005, 1:44 PM
iNsAnE-MS
I managed to whack the spyware spawner at the source by killing the power to my computer and then starting computer in safe mode, replacing the offending exe with a harmless nothing exe with read-only and system attribs, and deleting registry entries. Still need to know how to hook stuff like that though...
May 22, 2005, 2:27 PM
Quarantine
You're a die hard Spyware killer. :]
May 22, 2005, 2:51 PM
iNsAnE-MS
Rawr.
May 22, 2005, 4:07 PM
OnlyMeat
[quote author=iNsAnE[m-s] link=topic=11665.msg113342#msg113342 date=1116769446]
Is there any way to hook into like... windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)
[/quote]

Don't install spyware?
May 23, 2005, 2:45 AM
iNsAnE-MS
No choice, didn't have XP all updated and it hijacked me. First time I've had spyware in two years.
May 23, 2005, 9:32 AM
Myndfyr
You need the Windows DDK to hook the CreateProcess() routine.  You'll need to create a kernel-mode driver that uses the PsSetCreateProcessNotifyRoutine system function.

Note that products like Norton Internet Security and Microsoft Anti-Spyware already do things like this.
May 23, 2005, 10:25 PM
iNsAnE-MS
Although they do this already, they don't notify of what program performs certain actions like modifying the registry, and do not notify me of what spawns 'approved' programs.
May 24, 2005, 9:00 AM
Adron
[quote author=iNsAnE[m-s] link=topic=11665.msg113590#msg113590 date=1116925217]
Although they do this already, they don't notify of what program performs certain actions like modifying the registry, and do not notify me of what spawns 'approved' programs.
[/quote]

To find out what program spawns a program I think you can just turn on process tracking in the security auditing settings for 2k+. To find out who modifies the registry you need to write a kernel mode driver that hooks the registry functions. Or use regmon....

June 1, 2005, 6:05 PM
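The "process tracking" audit route Adron describes, written out as an added example (not code from the thread or any poster). It assumes a Vista-or-later box, where the category is switched on with auditpol.exe and each creation lands in the Security log as event 4688 carrying the creator's PID; on the 2000/XP systems of the original post the same setting is "Audit process tracking" under Local Security Policy and the event ID is 592, whose field layout this script does not parse. The image name `badthing.exe` is a placeholder.

```powershell
# Added example, not from the thread: enable process-creation auditing and read
# the resulting Security events back as parent/child pairs.
# Assumes Windows Vista or later (auditpol.exe, event ID 4688). On 2000/XP the
# equivalent is "Audit process tracking" in Local Security Policy and event 592.

# 1. Turn on success auditing for process creation (run from an elevated prompt).
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# 2. Parse 4688 events into objects. PIDs are logged as hex strings ("0x1a4"),
#    which [int] understands. ParentProcessName only exists on recent Windows
#    builds, so it is left empty when absent and filled in by Resolve-ParentName.
function Get-ProcessCreationEvent {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ParentPid = [int]$d['ProcessId']      # "Creator Process ID"
                Parent    = $d['ParentProcessName']   # empty on older systems
                ChildPid  = [int]$d['NewProcessId']
                Child     = $d['NewProcessName']
                User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            }
        }
}

# 3. A creator PID alone is ambiguous: PIDs are reused once a process exits.
#    Resolve it against the most recent earlier 4688 event that created that PID,
#    which is the process that actually held the number at the time.
function Resolve-ParentName {
    param([Parameter(ValueFromPipeline)][object]$Event)
    begin { $lastSeen = @{} }   # PID -> image path most recently created with it
    process {
        if (-not $Event.Parent -and $lastSeen.ContainsKey($Event.ParentPid)) {
            $Event.Parent = $lastSeen[$Event.ParentPid]
        }
        $lastSeen[$Event.ChildPid] = $Event.Child
        $Event
    }
}

# 4. Who keeps launching the suspect binary? (badthing.exe is a placeholder.)
Get-ProcessCreationEvent | Sort-Object Time | Resolve-ParentName |
    Where-Object { $_.Child -like '*\badthing.exe' } |
    Format-Table Time, ParentPid, Parent, ChildPid, Child, User -AutoSize
```

Resolve-ParentName must see events in chronological order (hence the Sort-Object) so that the PID-to-image map reflects the state at the time each child was created; feeding it the newest-first order Get-WinEvent returns would attribute children to later reuses of the same PID.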
Stealth
[quote author=iNsAnE[m-s] link=topic=11665.msg113342#msg113342 date=1116769446]
Is there any way to hook into like... windows? I need to see what process spawns another process. (Trying to write a tool I can use to kill this goofy spyware.)
[/quote]

One of my favorite anti-spyware tools will help you here: Sysinternals' Process Explorer lets you see and terminate entire process trees as well as process handle information and plenty of other good stuff.
June 2, 2005, 5:33 AM
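The two Process Explorer features Stealth mentions (the parent/child tree and "kill process tree") reproduced from plain WMI data, as an added example that is not part of the thread or of Sysinternals' code. It assumes PowerShell 3 or later for Get-CimInstance; on an XP-era system substitute Get-WmiObject Win32_Process, which returns the same properties.

```powershell
# Added example, not from the thread: a Process Explorer-style process tree and a
# kill-tree function built on Win32_Process. Assumes PowerShell 3+ (Get-CimInstance).

function Get-ProcessSnapshot {
    Get-CimInstance Win32_Process |
        Select-Object @{ n = 'Pid';       e = { [int]$_.ProcessId } },
                      @{ n = 'ParentPid'; e = { [int]$_.ParentProcessId } },
                      Name, ExecutablePath, CreationDate
}

# ParentProcessId is just a number that Windows never updates, and PIDs are
# reused, so only trust it when the supposed parent was created before the child;
# otherwise the real parent has already exited and a newer process has its PID.
function Get-ChildProcess {
    param([object[]]$Snapshot, [int]$ParentPid)
    $parent = $Snapshot | Where-Object { $_.Pid -eq $ParentPid }
    $Snapshot | Where-Object {
        $_.ParentPid -eq $ParentPid -and $_.Pid -ne $ParentPid -and
        $parent -and $parent.CreationDate -le $_.CreationDate
    }
}

function Write-ProcessBranch {
    param([object[]]$Snapshot, [object]$Proc, [int]$Depth)
    '{0}{1} [{2}] {3}' -f ('  ' * $Depth), $Proc.Name, $Proc.Pid, $Proc.ExecutablePath
    foreach ($c in Get-ChildProcess $Snapshot $Proc.Pid) {
        Write-ProcessBranch $Snapshot $c ($Depth + 1)
    }
}

function Show-ProcessTree {
    param([object[]]$Snapshot = (Get-ProcessSnapshot))
    $byPid = @{}
    foreach ($p in $Snapshot) { $byPid[$p.Pid] = $p }
    # Roots: the parent is gone, the parent PID was reused by a younger process,
    # or the process lists itself as its own parent (PID 0).
    $roots = $Snapshot | Where-Object {
        $_.Pid -eq $_.ParentPid -or -not $byPid.ContainsKey($_.ParentPid) -or
        $byPid[$_.ParentPid].CreationDate -gt $_.CreationDate
    }
    foreach ($r in $roots) { Write-ProcessBranch $Snapshot $r 0 }
}

# Kill a process and everything under it. The parent goes first so a watchdog
# parent cannot respawn the children while they are being stopped.
function Stop-ProcessTree {
    param([Parameter(Mandatory)][int]$Id, [switch]$WhatIf)
    $snap    = Get-ProcessSnapshot
    $targets = New-Object System.Collections.Generic.List[int]
    $pending = New-Object System.Collections.Generic.Queue[int]
    $pending.Enqueue($Id)
    while ($pending.Count -gt 0) {
        $cur = $pending.Dequeue()
        $targets.Add($cur)
        foreach ($c in Get-ChildProcess $snap $cur) { $pending.Enqueue($c.Pid) }
    }
    foreach ($t in $targets) {
        if ($WhatIf) { "Would stop PID $t" }
        else { Stop-Process -Id $t -Force -ErrorAction SilentlyContinue }
    }
    return $targets
}

# Usage:
#   Show-ProcessTree
#   Stop-ProcessTree -Id 1234 -WhatIf     # 1234 is a placeholder PID
```

The snapshot is taken once, so a parent that spawns new children between the snapshot and the kill loop will leave survivors; run Show-ProcessTree again afterwards and repeat if anything from the same image is still present. The CreationDate check matters for exactly the spyware case in the thread: a launcher that starts its payload and exits leaves the payload pointing at a dead PID, and without the check the tree would hang it under whatever unrelated process later inherited that number.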