Windows API (kernel)
-
Need your help guys. I've been trying to make a program like ProcessGuard and Sanctuary. This kind of product prevents execution of any program that does not appear on the list of software that is allowed to run on a particular machine. I have done some research on it and I found out that you have to go to kernel mode and hook its API on process creation (CreateProcess). But I failed to make use of kernel32.dll or ntdll.dll. Is there someone here who could give me some tips on where to start, provide the basics of Windows API process hooking in C#, or even better provide working C# source code? Thanks in advance... bryandel3@yahoo.com http://www.bryandel.net/ -- modified at 5:48 Thursday 5th January, 2006
-
look at the article "Hooking the native API and controlling process creation on a system-wide basis". MCAD -- modified at 12:59 Wednesday 4th January, 2006
-
Hello Bryan, first include System.Runtime.InteropServices in your class: using System.Runtime.InteropServices; Then it is simple: [DllImport("user32.dll")] public static extern bool DestroyWindow(IntPtr hWnd); Now use this site http://custom.programming-in.net/ to find out the DLL of your function and then import it!! If I didn't get your question and I'm completely off, oops, sorry, give some more details. Happy new year to all!! GanDad
-
C# is not appropriate for this. It is designed for making user mode applications only. I have taken a vow of poverty. If you want to really piss me off, send me money.
-
Thank you very much for the link. I really appreciate it. Details: "ProcessGuard stops applications from executing without the user's consent, stops malicious worms and trojans from being executed silently in the background." Based on this C++ article: "Hooking NtCreateSection() is a much more reasonable thing to do - if we intercept a call to NtCreateSection() with the request of mapping the executable file as an image (SEC_IMAGE attribute), combined with the request of page protection that allows execution, we can be sure that the process is about to be launched. At this point we are able to take a decision, and, in case we don't want the process to be created, make NtCreateSection() return STATUS_ACCESS_DENIED. Therefore, in order to gain full control over process creation on the target machine, all we have to do is to hook NtCreateSection() on a system-wide basis." NtCreateSection() is from ntdll.dll. I'm trying to import it but I don't know how to use it. I hope you can help me more. Again, thanks for the link :)
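The NtCreateSection filter quoted in the post above, reduced to a runnable decision function. This is an added example written for this thread, not code from the article, from ProcessGuard, or from anyone posting here. It builds as plain C without the Windows DDK because the NT constants are written out (they are the documented values) and the image path is passed in directly; in a real hook the path would be recovered from the FileHandle argument, and the SSDT patch that installs the hook is not shown. The allowlist entries and the paths in main() are constructed for the demo.

```c
/* Added example: the decision a system-wide NtCreateSection hook makes,
 * written as a pure function so it builds and runs without the Windows DDK.
 * Constants below are the documented Win32/NT values (winnt.h, ntstatus.h).
 * Assumed, not shown: the SSDT hook that calls decide_create_section() and
 * the code that turns the FileHandle argument into an NT path. */
#include <stdint.h>
#include <stddef.h>
#include <ctype.h>
#include <stdio.h>

typedef uint32_t NTSTATUS_T;
typedef uint32_t ULONG_T;

#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_DENIED    0xC0000022u

#define SEC_COMMIT              0x08000000u   /* ordinary data/anonymous section */
#define SEC_IMAGE               0x01000000u   /* file mapped as a PE image */
#define PAGE_READONLY           0x02u
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Constructed allowlist of NT image paths permitted to run. A driver
 * would load this from the registry or a config file at start-up. */
static const char *const g_allowlist[] = {
    "\\??\\C:\\Windows\\System32\\notepad.exe",
    "\\??\\C:\\Program Files\\MyApp\\myapp.exe",
};

/* NTFS paths are case-insensitive, so the allowlist lookup must be too. */
static int path_equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int image_is_allowed(const char *nt_path)
{
    size_t i;
    for (i = 0; i < sizeof g_allowlist / sizeof g_allowlist[0]; i++)
        if (path_equal_nocase(nt_path, g_allowlist[i]))
            return 1;
    return 0;
}

/* The article's predicate: the caller asked for an image mapping (SEC_IMAGE)
 * with a protection that allows execution. A data file mapped PAGE_READONLY,
 * or any SEC_COMMIT section, is not an executable launch and passes through. */
int is_executable_image_mapping(ULONG_T page_protection, ULONG_T allocation_attributes)
{
    return (allocation_attributes & SEC_IMAGE) != 0 &&
           (page_protection & PAGE_EXECUTE_ANY) != 0;
}

/* Hook body. STATUS_SUCCESS here means "let the original NtCreateSection run";
 * STATUS_ACCESS_DENIED is returned to the caller instead of mapping the image,
 * so the process (or DLL) cannot start. nt_path is the hypothetical path
 * recovered from the FileHandle argument. */
NTSTATUS_T decide_create_section(ULONG_T page_protection,
                                 ULONG_T allocation_attributes,
                                 const char *nt_path)
{
    if (!is_executable_image_mapping(page_protection, allocation_attributes))
        return STATUS_SUCCESS;          /* not a launch: call through */
    if (image_is_allowed(nt_path))
        return STATUS_SUCCESS;          /* allowlisted image: call through */
    return STATUS_ACCESS_DENIED;        /* unknown image: refuse to map it */
}

int main(void)
{
    /* Constructed calls standing in for what the hook would observe. */
    printf("worm.exe      -> 0x%08x\n", (unsigned)decide_create_section(
        PAGE_EXECUTE, SEC_IMAGE, "\\??\\C:\\Temp\\worm.exe"));
    printf("NOTEPAD.EXE   -> 0x%08x\n", (unsigned)decide_create_section(
        PAGE_EXECUTE_READ, SEC_IMAGE, "\\??\\C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"));
    printf("data mapping  -> 0x%08x\n", (unsigned)decide_create_section(
        PAGE_READONLY, SEC_COMMIT, "\\??\\C:\\Temp\\worm.exe"));
    return 0;
}
```

Two checks a practitioner would want before relying on this: DLLs are loaded through NtCreateSection with SEC_IMAGE and an execute protection as well, so an allowlist that only names .exe files will refuse every DLL load on the machine; and a path match lets a renamed or copied binary through, which is why products in this class also verify a hash or signature of the image rather than its name alone.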
-
Bryan, sorry, my knowledge of the Windows API is limited, but I just found a site with the proper form of the function parameters, so here it is: http://undocumented.ntinternals.net/ Under UserMode --> NTDLL --> NTObjects --> Section. Good luck dude GanDad
-
But is it possible? About the money, I'm sorry but I can't send any. I'm still a student, and I might make this program my thesis. But still, thanks for the offer.
I don't think it is possible, but I could be wrong. If you use C#, then you have a dependency on the .NET runtime. I don't believe that it is currently possible to use this in kernel mode. I suggest you have a look around the Sysinternals web site. I have taken a vow of poverty. If you want to really piss me off, send me money.
-
Thanks for this other great site. This helps a lot. As a token of my appreciation I'll add you to my Acknowledgement Page. This is the only way I can express my gratitude; I hope you appreciate it.
Dear Bryan, I feel honoured by your post, but what goes around comes around; that is the beauty of the software community, let's all share our knowledge. Thanks again for your post. Happy coding mate ;) GanDad