I am having trouble creating a process. When I execute an exe, the exe itself should run as a process (the goal is to monitor the registry activity). But when the exe is executed, many instances of the same process are created.

.data?

startupinfo STARTUPINFO <>
processinfo PROCESS_INFORMATION <>

modhWnd dd ?

fileName db 200 DUP(?)

.code
start:

invoke GetModuleHandle, 0
mov modhWnd, eax

invoke GetModuleFileName, modhWnd, ADDR fileName, SIZEOF fileName

mov startupinfo.lpReserved, NULL

invoke CreateProcess, ADDR fileName, NULL, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE, NULL, NULL, ADDR startupinfo, ADDR processinfo

::::::::::::::
::::::::::::::

invoke ExitProcess, NULL

end start


Any help in this regard is very much appreciated.

Thanks,

C K
Posted on 2009-06-02 06:17:42 by karthikeyanck
well, if run normally, does the program make multiple instances too?

some protections do do this, armadillo in particular...
Posted on 2009-06-02 07:13:00 by evlncrn8
According to your code, you get the filename of the executable itself and then start it using createprocess, which gets the filename of the executable itself and then starts it using createprocess, which gets the filename of the executable itself and then starts it using createprocess, which gets the filename of the executable itself and then starts it using createprocess, which gets the filename of the executable itself and then starts it using createprocess, which gets the filena...........
Posted on 2009-06-02 07:13:17 by JimmyClif
Thanks JimmyClif & evlncrn8, I agree with JimmyClif, please can you advise if there are other ways to achieve this, probably I just wanted the process to have one single instance of it running on the machine.

I had other executables run from this particular file and they all worked fine (obviously they should)... But I believe this is not the way to do this.   :shock:

Thanks,

C K
Posted on 2009-06-02 08:06:23 by karthikeyanck
I think you also need to initialise the startup info a bit more than you have already...
The usual method is to do a GetStartupInfo from your process, and have the child process 'use' that setup...
Posted on 2009-06-02 08:42:49 by evlncrn8
The following snippet returns the handle of your executable itself:


invoke GetModuleHandle, 0
mov modhWnd, eax


This snippet returns the name and path of the application using the handle you received in the snippet above (which will be your executable's name!!!).


invoke GetModuleFileName, modhWnd, ADDR fileName, SIZEOF fileName


Then you proceed on starting your executable using CreateProcess using this snippet:


mov startupinfo.lpReserved, NULL
invoke CreateProcess, ADDR fileName, NULL, NULL, NULL, FALSE,
CREATE_DEFAULT_ERROR_MODE, NULL, NULL, ADDR startupinfo, ADDR processinfo


So, if you would like to start another process you would have to use another filename in the CreateProcess api. A great way of getting another process' name and path is to use an OPENFILENAME Dialog.
Posted on 2009-06-02 17:05:23 by JimmyClif
Thanks for the reply - JimmyClif

But the goal here is to have the same file which I am executing run as a process. Can this be achieved, or is my understanding wrong?

Any help is much appreciated.

Thanks,

C K
Posted on 2009-06-10 07:55:45 by karthikeyanck
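
An added example, not part of any post in this thread: a launched exe is already a process, so a single-instance guard needs no CreateProcess call at all, only a named mutex checked at startup. The MASM32 include paths, the mutex name, and the Sleep call standing in for the monitoring work are assumptions.

```asm
; Added example: single-instance guard using a named mutex (MASM32).
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
; Hypothetical name. "Local\" scopes the object to the current session.
mutexName db "Local\RegMonitorSingleInstance", 0

.data?
hMutex dd ?

.code
start:
    ; The loader has already turned this exe into a process.
    ; Re-launching it from here is what caused the endless chain of copies.
    invoke CreateMutex, NULL, FALSE, ADDR mutexName
    mov hMutex, eax
    test eax, eax
    jz guard_failed                 ; NULL: the mutex could not be created or opened

    ; GetLastError must be read before any other API call overwrites it.
    invoke GetLastError
    cmp eax, ERROR_ALREADY_EXISTS
    je already_running

    ; ---- first instance: the monitoring work goes here ----
    invoke Sleep, 10000             ; stand-in for the real work (assumption)

    invoke CloseHandle, hMutex      ; releases the name when the last handle closes
    invoke ExitProcess, 0

already_running:
    ; Another instance owns the name: drop our handle and leave quietly.
    invoke CloseHandle, hMutex
    invoke ExitProcess, 1

guard_failed:
    ; For example, an object with this name exists but denies access.
    ; Treat it as "cannot verify single instance" and do not start the work.
    invoke ExitProcess, 2

end start
```

Any process in the same session can create an object with this name first, so the guard prevents accidental duplicates but is not a security boundary.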