notsure, posted June 17, 2009

Hello,

I'm trying to prevent processes from starting (think of a firewall-like tool). I'd like to intercept the messages from the shell/kernel(?) which cause (for example) notepad.exe to start. I read some things about ShellHook.Dll; can anyone inform me where to start? I'm not sure if this is possible with AutoIt.

Thanks in advance,
notsure
CrewXp, posted June 17, 2009

I'm not sure about 'preventing' an application from starting; an expert would have to give a reply here. But you can of course ProcessClose() an existing process if it finds the name running.

And... you're using the terms 'shell/kernel messages'. Can you elaborate on that? What kind of messages are you wanting to intercept?
monoceres, posted June 17, 2009

> Hello, I'm trying to prevent processes from starting (think of a firewall-like tool). I'd like to intercept the messages from the shell/kernel(?) which cause (for example) notepad.exe to start. I read some things about ShellHook.Dll; can anyone inform me where to start? I'm not sure if this is possible with AutoIt. Thanks in advance, notsure

To make that hook reliable (and thus safe to use as an OS firewall) you will have to make the hook in kernel mode. However, this is not possible in AutoIt; it will require that you write a kernel driver that talks to the kernel directly. Here's an article on the subject: http://www.codeproject.com/KB/system/sovie...ct_hooking.aspx

You can however make something that hooks all active processes on a per-process basis (this will not be safe, because there are processes that have higher privileges than your process, and that means you cannot hook them, which gives them the ability to start more un-hookable processes). To do this you can use wraithdu's work here and then hook ntCreateProcess and zwCreateProcess.

None of this is easy though, so if you don't know what you're doing you will almost definitely fail.
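The user-mode fallback CrewXp mentions (poll the process list and ProcessClose() anything on a blocklist), written out as an added AutoIt example that is not from any of the posters. It illustrates monoceres's caveat in code: this is detection after the fact, not prevention, and it cannot stop processes running with higher privileges than the script. The blocklist and poll interval are constructed sample values.

```autoit
; Added example, not from the thread. Best-effort user-mode fallback:
; the target has already started by the time it is seen here, so there is
; always a race window, and ProcessClose() fails against elevated or
; protected processes (the limitation monoceres describes).
Global Const $g_aBlocklist[2] = ["notepad.exe", "calc.exe"] ; constructed sample list
Global Const $g_iPollMs = 250                                ; constructed poll interval

; AutoIt's "=" compares strings case-insensitively, which is what we want
; for image names.
Func _IsBlocked($sImage)
    For $sName In $g_aBlocklist
        If $sImage = $sName Then Return True
    Next
    Return False
EndFunc

; One pass over the process table. Returns the number of processes closed.
Func _SweepOnce()
    Local $aProcs = ProcessList() ; [0][0] = count; [i][0] = name, [i][1] = PID
    Local $iClosed = 0
    For $i = 1 To $aProcs[0][0]
        If Not _IsBlocked($aProcs[$i][0]) Then ContinueLoop
        If ProcessClose($aProcs[$i][1]) Then
            $iClosed += 1
            ConsoleWrite(@HOUR & ":" & @MIN & ":" & @SEC & " closed " & _
                    $aProcs[$i][0] & " PID " & $aProcs[$i][1] & @CRLF)
        Else
            ; Typical cause: the process is elevated, protected, or owned by
            ; another session, so a user-mode script has no access to it.
            ConsoleWrite("could not close " & $aProcs[$i][0] & " PID " & _
                    $aProcs[$i][1] & " (@error=" & @error & ")" & @CRLF)
        EndIf
    Next
    Return $iClosed
EndFunc

While True
    _SweepOnce()
    Sleep($g_iPollMs)
WEnd
```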