notsure

Prevent process from starting?


notsure

Hello,

I'm trying to prevent processes from starting (think of a firewall-like tool). I'd like to intercept the messages from the shell/kernel(?) which cause (for example) notepad.exe to start. I read some things about ShellHook.Dll; can anyone inform me where to start? I'm not sure if this is possible with AutoIt.

Thanks in advance,

notsure

CrewXp

I'm not sure about 'preventing' an application from starting; an expert would have to give a reply here.

But you can of course ProcessClose() an existing process if it finds the name running.

And... you're using the terms 'Shell/Kernel messages'. Can you elaborate on that? What kind of messages are you wanting to intercept?

monoceres

> Hello,
>
> I'm trying to prevent processes from starting (think of a firewall-like tool). I'd like to intercept the messages from the shell/kernel(?) which cause (for example) notepad.exe to start. I read some things about ShellHook.Dll; can anyone inform me where to start? I'm not sure if this is possible with AutoIt.
>
> Thanks in advance,
>
> notsure

To make that hook reliable (and thus safe to use as an OS firewall) you will have to make the hook in kernel mode.

However, this is not possible in AutoIt; it will require that you write a kernel driver that talks to the kernel directly. Here's an article on the subject:

http://www.codeproject.com/KB/system/sovie...ct_hooking.aspx

You can, however, make something that hooks all active processes on a per-process basis (this will not be safe because there are processes that have higher privileges than your process, and that means you cannot hook them, which gives them the ability to start more un-hookable processes). To do this you can use wraithdu's work here and then hook NtCreateProcess and ZwCreateProcess.

None of this is easy though, so if you don't know what you're doing you will almost definitely fail.


Broken link? PM me and I'll send you the file!
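As an added example (not code posted in this thread), here is the user-mode fallback CrewXp describes, written in AutoIt: subscribe to WMI process-creation events, log every start, and ProcessClose() the ones on a deny list. The deny list and log path are constructed sample values; the WMI query polls once per second, so the target has already been created and may already be running by the time the script reacts, which is exactly the gap monoceres points out, not the kernel-mode block.

```autoit
; Added example, not from this thread: user-mode "detect and close" watcher built on WMI.
; This reacts after the process exists (a race), it is not a kernel-mode prevention hook.

; Constructed sample policy: process names (compared case-insensitively) that may not run.
Global $g_aDenied[2] = ["notepad.exe", "calc.exe"]
; Constructed log path; adjust to suit.
Global Const $g_sLog = @ScriptDir & "\process-watch.log"

Func _IsDenied($sName)
    For $sDenied In $g_aDenied
        If StringLower($sName) = StringLower($sDenied) Then Return True
    Next
    Return False
EndFunc

Func _Log($sMsg)
    Local $sStamp = @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC
    FileWriteLine($g_sLog, $sStamp & " " & $sMsg)
EndFunc

; Connect to WMI and subscribe to process-creation events.
; WITHIN 1 makes WMI poll once per second, so a process can run for up to a second unseen.
Local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($oWMI) Then Exit 1
Local $oEvents = $oWMI.ExecNotificationQuery( _
        "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'")

While 1
    Local $oEvent = $oEvents.NextEvent()   ; blocks until the next creation event arrives
    Local $oProc = $oEvent.TargetInstance
    Local $sName = $oProc.Name
    Local $iPid = $oProc.ProcessId
    If _IsDenied($sName) Then
        ; ProcessClose() only works when this script has the right to terminate the target;
        ; a higher-privilege process simply survives, which is why this is not a real firewall.
        If ProcessClose($iPid) Then
            _Log("closed " & $sName & " pid " & $iPid)
        Else
            _Log("FAILED to close " & $sName & " pid " & $iPid & " (error " & @error & ")")
        EndIf
    Else
        _Log("allowed " & $sName & " pid " & $iPid)
    EndIf
WEnd
```

Run it as the user whose processes you want to watch; the log shows which closes failed, which is a quick way to see how many processes the user-mode approach cannot touch.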

