Ok, first to let others know what im doing, which I believe is legal (if im wrong please let me know). I am creating software to restrict certain applications from running and restict certain applications from accessing the registery. But im having a problem with the application running part.

I am using setwindowshookex to load my dll in every running process (probably should use a sys at level 0, but not that advanced yet) and then patching the IAT for CreateProcessW and redirecting to my own function to check the application thats trying to be started so i can stop it from starting.

Now, I can see my dll gets loaded into the top level explorer.exe process which I assume lets me catch all applications starting up by mouse clicks on desktop. The problem is that some applications I can catch and some I cant. i.e. when I click the link to RadAsm It works but when I click the link to ad-aware it doesnt.

Im not understand this at all. Can anyone give me any insight?

Posted on 2003-05-12 07:46:08 by packetvb

tell me something, any response will do. I even settle for the following too

a. It wont work, you have to make a driver.
b. your an idiot.
c. your wrong and what your trying to do is illegal and the police are coming to your house as I type.
d. we are ignoring you because your an anuse.
e. I cant understand a word you said.

Posted on 2003-05-12 15:53:39 by packetvb
Perhaps you should hook at NT native level? It seems like you're on NT (the *W suffix), and NT native is probably the lowest you can go without ring0. I dunno if there's any win32 process creation APIs that don't end up in CreateProcess, but it might be worth a try.

In the processes where createprocess hook fails, is your DLL being injected at all?
Posted on 2003-05-12 16:13:05 by f0dder
Sorry man, my tongue is tied :D
I used to work at such things and i have signed NDA ...

This can be done but is complex and has many issues, not that simple as you think it is...

For one example : Application might us GetProcAddress before you hook and then call it directly

but there are many other issues also and i can not tell you how to solve them :(
Posted on 2003-05-13 02:12:15 by BogdanOntanu
GetProcAddress isn't a problem - manual importing and kernel scanning are.
If you want to handle "everything ring3", you'd have to build a complete sandboxing system, with proxies around system DLLs. Quite a bit of work.
Posted on 2003-05-13 02:24:38 by f0dder
Posted on 2003-05-13 03:28:17 by abc123
Non-Disclosure Agreement. Evil stuff.
"Yeah, you can view our stuff. But first you have to sign this paper that allows us to sue you straight to hell if you tell anybody about it."
Posted on 2003-05-13 03:33:46 by f0dder
Thanks for the input,

Basically I was trying to inject a dll into the top level explorer process to catch all processes started from desktop or an explorer window. It works on most applications, After doing some research on a couple ones that dont work and I think it has something to do with the programs entry point, hence its being loaded and run by some other means than createprocess. But not sure as I lack the detailed knowlege of win32 arch.

Eventually I wanted to catch all processes started on the machine, didnt even think of the GetProcAddress way.

Ok so what is the best way to redirect all process creations to my own function so I can restrict certain apps from starting. I know its possible to restrict certain programs from running using the registery but this wouldnt achieve my goals. Am I going to have to jump down at ring 0 (scarry, hheeh he).
Any direction would be great.

Posted on 2003-05-13 06:43:17 by packetvb
It was a trojan virus of some kind. It removed the file, but did not fix the registry.

Anyway, It stay active in memory by modifying:

@="\"%1\" %*"

So I got an error, everytime I wanted to start a program ( after the file was removed ).

By inserting your program here, the shell will execute your program with the other program as a commandline.

I had to create a frame program to ProcessCreate the commandline to get my OS back to normal. Rename it to the original filename the virus was using.

Exported a good Key and imported it back to the crippled system to fix it back.

What's nice it's works across platforms. It fits the User intervension model to are trying to fit into.

Regards, P1

BTW, Your stated goal mis-matches your desired results. i.e. "every process" is over kill for User intervension. Why would you need a supervisor program supervising the OS? It makes more sense ( to me ) to monitor apps running, than to get that intimate with the OS. Then Kill the ones that don't meet the approved list for a machine/login.
Posted on 2003-05-14 12:36:38 by Pone

Well, I dont even want the program to get started. Going through the processes and terminating the ones that I want, wont work, because the program could have already done what im trying to stop before im able to terminate it.



Anyway looks like im going to be studing driver dev. From what Im told its the only way to make sure to catch every starting process. :(

Thanks all

Posted on 2003-05-16 03:33:49 by packetvb
I know the NT kernel keeps a PspCreateProcessNotifyRoutine variable for it, which is a pointer to routines to be called when a(ny!) process is created but I have no clue how/wether it's possible to set it yourself.
Posted on 2003-05-16 05:47:36 by Hiroshimator


Well, I dont even want the program to get started. Going through the processes and terminating the ones that I want, wont work, because the program could have already done what im trying to stop before im able to terminate it.

seems like you missed the point of pones post..., modifying the registry in that way redirects *ALL* attempts to run a .exe file as a paramater to your file


dbl click on "explorer.exe"

and your file gets that passed to it (probably with the full pathname) ...

anyway, its not fool proof, but it is by far the easiest.
Posted on 2003-05-16 06:43:47 by abc123
Hiro, I remember seeing some code on NT process notify stuff, might be what you're referring to. It seemed quite okay, but it was a notify - you couldn't use it to stop a process before it's launched. Might be the best "easy way" to handle this, but still not foolproof.

Unfortunately I cannot remember the title nor where I found it - perhaps www.codeproject.com . And perhaps it's mentioned here on the board somewhere.
Posted on 2003-05-16 06:52:16 by f0dder
Thanks, abc123 for the support.

packetvb, I'm sorry, I confused you with the BTW comment. It distracted you from the main point.

I learned there are many ways to get somethings to works. It's the 'KISS' ones that work the best. I was pointing out, how wonderfully simple approach to controling program execution, that this virus used.

As an Administrator, you still have the policy option available to you to control approved programs. You are the Administrator, aren't you?

I will admit, I'm still confused about the Scope of your intent vs the Issue of controling user's choices. Going outside of M$ established methods is definately got it's good points, as well as bad, but you need a reason to do so. What are your reasons?

Regards, P1

PS: I'll be plain, the only reason, I knew about this method of control, is a virus educated me on it. Unless you give some assurance, I am beginning to believe that we have virus coder. Please note: I did not call you one, just that, I have doubts. Because I am a Network Administrator on a medium size network. I do have legitimate control over this network through policies. Including limiting what programs that get ran. I have turn-off floppy disk support on the workstations, to control software access as well. Guess what prompted that policy change?
Posted on 2003-05-16 12:55:25 by Pone
true, you can set policies!
that's a lot easier than any driver or kernel programming you'll ever do for virtually the same result.

So easy to forget all the options you get. Goes to show that it's a long time since I used my PC ina different environment but me alone :tongue:
Posted on 2003-05-16 13:26:40 by Hiroshimator

As I stated im the start of this thread, I am trying to restrict certain applications from running. In the end I want to catch all processes started, regardless of how. In addition, the reason I cant use polocies for this is because the restrictions are based on something other than simply the name of the application. I wont say exately what Im doing as I dont want to give away any ideas.

Therefore, there is no way for me to 100% assure you that Im not a virus writer. But maybe some assurance, as you asked:
Im a Net Admin of a small network myself (Not by trade, only because there is no one else to fill the position) viruses make my job harder and being infected numerous times at home in the past, I despise the f*cks that write them. Also being in my 30's and working full time and trying to finish my bach for a career change, I have no desire to waste my time making such things.

Hope that squashes some of your concerns.

Anyways, thanks for the info on the reg entry. I didnt get what you were saying in your post the first time I read it. Sorry that I missed the point on that one.


Yes I did miss it. Thanks for clearing it up. :)

Ill look it to that, thanks.

Thanks again for all the responses.


Posted on 2003-05-17 07:14:00 by packetvb
Policies handles "stupid clueless users who'll doubleclick any email attachment" - they aren't much good for setting up a sandboxing system though :)
Posted on 2003-05-17 10:25:37 by f0dder
Registry hook = ShellExecute Hook = nonsense.

In no way this will catch applications started by CreateProcess.
Posted on 2003-05-17 11:17:56 by Axial
yes i had faced this problem of no exes running
even regedit.exe wasnt running
because this registry key was modified by a screeensaver in my comp

@="\"%1\" %*"
it has appended some blah blah loader before %1
and i had to rename regedit.exe to regedit.com and run it
and then edit this entry
only then i was able to run any exes
Posted on 2003-05-17 13:23:17 by bluffer
I had a virus overwrite it once. I deleted virus and could not run any applications. Had to edit win.ini to make regedit.exe my "shell" and then fixed it.
Posted on 2003-05-17 13:52:25 by comrade