Hossa

To know if a new program is running I currently use "tasklist" and count the entries; when there is a new entry or another one is gone I pop up a warning message.

Now I would ask if a hook on ShellExecute is a better solution?
When I hook ShellExecute, what about WinExec?

Then most of you don't like hooks, so can I do something else to know if a new file is executed?

Next:
To stop this file from running I have to close it first and then ask the user if he would like to run it; when he wishes it I restart the program... right?

Is there no way to "freeze" a program first?
Let's say on your system start a new program, a boot sector killer.
If the program runs one time, you've lost.
So how can I block the execution first?

I think of a hook or a replacement of the API call, but as I say I'm unsure what to do and what is possible.

This is no question for ready-made source!
Only 2 questions to the prof. :-)

Thanks
Posted on 2002-01-03 03:02:25 by Max
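The tasklist-counting approach from the post above, reworked as an added example (not code from the thread): instead of counting entries, snapshot PID and image name and diff two snapshots, which catches the case where one process exits and another starts between two polls and the count never changes. The `tasklist /fo csv /nh` invocation is real, the two sample snapshots are constructed for the example.

```python
import csv
import io
import subprocess
from typing import Dict, Tuple

# Constructed sample output of `tasklist /fo csv /nh` (no header row).
# Columns: image name, PID, session name, session number, memory usage.
SNAPSHOT_BEFORE = (
    '"explorer.exe","1204","Console","0","12,345 K"\n'
    '"notepad.exe","1388","Console","0","3,210 K"\n'
)
# Same entry count, but notepad.exe is gone and an unknown image appeared.
SNAPSHOT_AFTER = (
    '"explorer.exe","1204","Console","0","12,345 K"\n'
    '"unknown.exe","2044","Console","0","1,024 K"\n'
)


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist CSV output, skipping non-process rows."""
    procs: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue  # blank line or an "INFO: ..." message, not a process
        procs[int(row[1])] = row[0]
    return procs


def diff_snapshots(before: Dict[int, str], after: Dict[int, str]) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Return (started, exited) keyed by PID. Comparing the image name too
    catches a reused PID that now belongs to a different program."""
    started = {pid: n for pid, n in after.items() if before.get(pid) != n}
    exited = {pid: n for pid, n in before.items() if after.get(pid) != n}
    return started, exited


def live_snapshot() -> Dict[int, str]:
    """Real snapshot on Windows; the sample data above stands in for it elsewhere."""
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


if __name__ == "__main__":
    before, after = parse_tasklist_csv(SNAPSHOT_BEFORE), parse_tasklist_csv(SNAPSHOT_AFTER)
    started, exited = diff_snapshots(before, after)
    # Counting alone reports no change: both snapshots hold 2 entries.
    print(len(before), len(after), started, exited)
    # Anything that starts and exits between two polls is never seen at all,
    # which is why the replies suggest hooking before execution instead.
```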
Do you mean you want to disable the possibility of multiple instances of your program, or of other ones?

The first I can answer; the second I don't know. :(
I heard that you can "patch" APIs but I never used that.

PS: WinExec is obsolete right now; it stays there for backward compatibility purposes.
All the external programs have to be launched using CreateProcess.
The WinExec API surely wraps to the CreateProcess code, though...
Posted on 2002-01-03 03:11:36 by JCP
Max,

To hook executions of progs you can create a "ShellExecuteHook". You will get control before any prog is executed. To implement such a hook you will have to write a DLL implementing IShellExecuteHook and an entry for your COM object in HKLM\Software\Microsoft\CurrentVersion\Explorer\ShellExecuteHooks.

Some stupid viruses use this hook too. :)

japheth
Posted on 2002-01-03 03:27:51 by japheth
CreateMutex, for example.

On start of the app:

invoke CreateMutex,0,0,offset MutexName   ; MutexName: zero-terminated name string in .data
invoke GetLastError
cmp eax,ERROR_ALREADY_EXISTS              ; mutex exists -> another instance is running
je @exit
........ here is the normal code if there are no instances running


@exit: invoke ExitProcess,0
Posted on 2002-01-03 04:03:03 by The Svin
I'm not sure, but in my opinion you can add a shell extension
to the HKEY_CLASSES_ROOT\.exe reg key... as I said I'm really
not sure about this, but try to add the "shell\open\command" -
"yourprog.exe" "%1" and see what happens...
Posted on 2002-01-03 04:34:29 by mob
The mutex way is good to prevent more than one instance of your
own application.

However, to block other applications, I think the solution is to hook
CreateProcess. Unless an app uses the NT native API or a VxD/KMD,
all program execution should end at CreateProcess (*W on NT).
You can intercept before the call, and thus effectively block the
execution. I don't know if there are other ways to spawn processes,
but I think most should end at CreateProcess.

Check out EliCZ's APIHooks; it'll probably turn out useful.
Posted on 2002-01-03 04:42:20 by f0dder
Here's an IShellExecuteHook DLL. It must be registered with regsvr32. It just displays a message on the debug terminal. It is a VC project with many source files, but the only interesting part is in ExecHook.ASM, function "Execute".
Posted on 2002-01-03 05:15:58 by japheth
Thank you all for the bunch of ideas and tips!!!
Now I know what I'll do this weekend :-)
read read read.....

--------
PS: WinExec is obsolete right now; it stays there for backward compatibility purposes.
All the external programs have to be launched using CreateProcess.
The WinExec API surely wraps to the CreateProcess code, though...
--------
Thanks, so I look at CreateProcess only :-)


-----
HKLM\Software\Microsoft\CurrentVersion\Explorer\ShellExecuteHooks
------
Boah!!!
I've been browsing the registry up and down for years, reading everything carefully and looking at everything I find suspect,
but I never saw this key before :(
Very interesting, because it seems I can get info there on running hooks on my system.
THANKS!

--------
CreateMutex,0,0,offset MutexName
invoke GetLastError
cmp eax,ERROR_ALREADY_EXISTS
je @exit
-------
Hm, this works only if I know the app first, but if someone packs/crypts the file, or if it's just the first time I meet this file..... it won't work.
But thanks ;-)



---
However, to block other applications, I think the solution is to hook
CreateProcess. Unless an app uses the NT native API or a VxD/KMD,
all program execution should end at CreateProcess (*W on NT).
You can intercept before the call, and thus effectively block the
execution. I don't know if there are other ways to spawn processes,
but I think most should end at CreateProcess.

Check out EliCZ's APIHooks; it'll probably turn out useful.
-------
This "blocks" the execution first?
That's great, so I need to make a hook.... If an exe is executed the hook sees this and blocks the full execution, I get the pop-up, and if I'd like to run this app I restart it.
Hm, sounds quite simple, but I'm sure..... this will take much time :-)
But I'd need more time if I didn't get those helpful answers, thanks!


--------
I'm not sure, but in my opinion you can add a shell extension
to the HKEY_CLASSES_ROOT\.exe reg key... as I said I'm really
not sure about this, but try to add the "shell\open\command" -
"yourprog.exe" "%1" and see what happens...
-----------
This idea sounded to me at first like the best and easiest way.... but what if another program changes the reg key, like sub7 uses this for autostart?
Then my app can't check the file first.

So I think I'll try to code the hook.
But why are so many here saying that hooks are bad?
Do they mean that with a hook I can do bad things, or that my system may crash, or what?

I've been coding a security tool for half a year and I don't want to make it too hard to use for the user, nor do I like to see different systems crashing....

Have a nice weekend and thanks for the help :-)
Posted on 2002-01-05 03:28:01 by Max
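An added example in Python (not code from the thread) that audits, from the defender's side, the two registry locations discussed above: the ShellExecuteHooks list Max wants to inspect for registered hook DLLs, and the `.exe` open command that mob suggests and that Max worries another program could hijack. It assumes the documented hook key path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks` (the post's path omits the `Windows` component) and the stock command value `"%1" %*`; `winreg` exists only on Windows, so the pure check `is_default_exefile_command` is kept separate from the registry lookups.

```python
from typing import List, Tuple

# Documented location of IShellExecuteHook registrations (assumed here).
HOOKS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Stock default value of HKCR\exefile\shell\open\command: run the file with its args.
DEFAULT_EXE_COMMAND = '"%1" %*'


def is_default_exefile_command(command: str) -> bool:
    """True if the .exe open command is the stock one. Anything else means some
    program (a monitor like Max's, or a backdoor's autostart) wrapped every launch."""
    return command.strip() == DEFAULT_EXE_COMMAND


def list_shell_execute_hooks() -> List[Tuple[str, str]]:
    """Return (CLSID, DLL path) for every registered shell execute hook.
    Hooks are stored as value names (the CLSID) under HOOKS_KEY; the DLL comes
    from HKCR\\CLSID\\{clsid}\\InprocServer32. Windows only."""
    import winreg
    hooks: List[Tuple[str, str]] = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HOOKS_KEY) as key:
            value_count = winreg.QueryInfoKey(key)[1]
            for i in range(value_count):
                clsid, _data, _type = winreg.EnumValue(key, i)
                try:
                    dll = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                            rf"CLSID\{clsid}\InprocServer32")
                except OSError:
                    dll = "<no InprocServer32 registered>"
                hooks.append((clsid, dll))
    except FileNotFoundError:
        pass  # key absent: nothing registered
    return hooks


def current_exefile_command() -> str:
    """Resolve .exe -> ProgID (normally 'exefile') -> shell\\open\\command. Windows only."""
    import winreg
    progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ".exe") or "exefile"
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, rf"{progid}\shell\open\command")


if __name__ == "__main__":
    for clsid, dll in list_shell_execute_hooks():
        print(f"ShellExecuteHook {clsid} -> {dll}")
    cmd = current_exefile_command()
    state = "default" if is_default_exefile_command(cmd) else "MODIFIED, inspect"
    print(f".exe open command: {cmd!r} [{state}]")
```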