How to capture End Process of task manager

    Nishad S wrote (#1):

    Hi all, How can my application or process know that the user is going to End Process ( or End Process Tree ) it, with task manager? I am using Windows XP. Thank you. - NS -

      Gavin Taylor wrote (#2, in reply to Nishad S):

      Put simply, you can't... Task Manager calls TerminateProcess which stops the process dead and doesn't allow it to execute any more code. End Process is designed to be a last resort for processes which have stopped responding. Gavin Taylor w: http://www.gavspace.com

        Nishad S wrote (#3, in reply to Gavin Taylor):

        Yes, I understood... Thank you... :) - NS -

          Wessam Fathi wrote (#4, in reply to Nishad S):

          Perhaps you can hook the TerminateProcess function in the kernel dll, then whenever it is called, check to see if the process to end is your process then return immediately and don't call the hooked function. Hooking can be a tricky thing to accomplish actually, I've had some experience with it using Microsoft's Detours library, it took some time but proved to be useful at last, maybe you can try and see what turns out for yourself :) -- Wessam Fathi

            Nishad S wrote (#5, in reply to Wessam Fathi):

            That may be a cruel thing... :) Actually I was seeking for a simple method if any... Anyway thank you very much for your support... :) - NS -

              Stephen Hewitt wrote (#6, in reply to Gavin Taylor):

              Almost but not quite true. If you select the "End Task" button from the "Applications" tab then task manager attempts to close the application gracefully by sending the window a WM_CLOSE message and only resorts to terminating it if it doesn't die within a timeout. If the "End Process" button is selected from the "Process" tab the process is terminated on the spot (as you describe). Actually things are actually slightly more complicated than described above but this gives the general idea. Steve

                Stephen Hewitt wrote (#7, in reply to Wessam Fathi):

                Patching TerminateProcess in one process will not affect other processes. Steve

                  Wessam Fathi wrote (#8, in reply to Stephen Hewitt):

                  Did you check out the Detours library? Detours intercepts Win32 functions by re-writing target function images. I used it when developing a simple firewall, to re-route all calls to winsock functions (connect, listen, send, recv). It is a system wide hook where all calls to the patched functions from all processes are redirected to my detour function. -- Wessam Fathi

                    Stephen Hewitt wrote (#9, in reply to Wessam Fathi):

                    I've used Detours extensively. Yes it re-writes the target image but that doesn't mean its effects are global. The changes would only be global if the page that contains the patched code was in a shared section; code is never in a shared section. A simple example can prove this. This program detours MessageBoxA but only for its first instance. Run two instances and note that in the second (which doesn't apply a detour of its own) the detour from the first has no effect. The fact that Detours works this way is a consequence of the way the paging system and virtual memory work. To make it work the way you describe you would have to apply the patch to every process (which perhaps you did in your firewall).

                    ----
                    // NotGlobal.cpp : Defines the entry point for the application.
                    //
                    #include "stdafx.h"
                    #include <detours.h> // declares DETOUR_TRAMPOLINE and DetourFunctionWithTrampoline

                    // Counter placed in a section that is shared by every instance of this image.
                    #pragma data_seg(".SHARED")
                    LONG s_InstancesMinusOne = -1;
                    #pragma data_seg()
                    #pragma comment(linker, "/SECTION:.SHARED,rws")

                    DETOUR_TRAMPOLINE(int WINAPI Tram_MessageBoxA( HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType), MessageBoxA)

                    // Detour: replaces the message text, then calls the original via the trampoline.
                    int WINAPI My_MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
                    {
                        return Tram_MessageBoxA(hWnd, "Patched", lpCaption, uType);
                    }

                    int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
                    {
                        if ( InterlockedIncrement(&s_InstancesMinusOne)==0 )
                        {
                            // First instance.
                            DetourFunctionWithTrampoline((PBYTE)&Tram_MessageBoxA, (PBYTE)&My_MessageBoxA);
                        }
                        MessageBox(NULL, "Original", "Hello", MB_OK);
                        InterlockedDecrement(&s_InstancesMinusOne);
                        return 0;
                    }

                    Steve

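The point argued in post #9, that a write to a copy-on-write page stays in the process that made it while a page in a shared section is seen by every process mapping it, shown with real page mappings. This is an added example, not code from the thread: it uses POSIX `mmap` and `fork` as a stand-in for the Windows loader (`MAP_PRIVATE` playing the image's code pages, `MAP_SHARED` playing the `.SHARED` section), and `observe_patch`, `struct observation` and the scratch file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* What the second (never patched) process sees after the first one patched. */
struct observation {
    int private_patched; /* page mapped copy-on-write, like code of a loaded image */
    int shared_patched;  /* page mapped shared, like the .SHARED data section */
};

/* Hypothetical helper: returns 0 and fills *out, or -1 on any OS error. */
int observe_patch(struct observation *out)
{
    char path[] = "/tmp/notglobalXXXXXX";   /* constructed scratch file */
    long pagesz = sysconf(_SC_PAGESIZE);
    int fd = pagesz > 0 ? mkstemp(path) : -1;
    if (fd < 0) return -1;
    unlink(path);
    /* Two zero-filled pages: page 0 plays the code page, page 1 the shared data. */
    if (ftruncate(fd, 2 * pagesz) != 0) { close(fd); return -1; }

    char *priv = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    char *shrd = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, fd, pagesz);
    close(fd);
    if (priv == MAP_FAILED || shrd == MAP_FAILED) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {              /* child: the instance that applies the patch */
        priv[0] = 'P';           /* copy-on-write hands the child its own page */
        shrd[0] = 'P';           /* written to the page both processes map */
        _exit(priv[0] == 'P' ? 0 : 1);  /* the patcher does see its own patch */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    out->private_patched = (priv[0] == 'P');  /* parent: the unpatched instance */
    out->shared_patched = (shrd[0] == 'P');
    munmap(priv, pagesz);
    munmap(shrd, pagesz);
    return 0;
}

int main(void)
{
    struct observation o;
    if (observe_patch(&o) != 0) return 1;
    printf("code page patched in other process: %d, shared page: %d\n",
           o.private_patched, o.shared_patched);
    return 0;
}
```

The two pages sit at different file offsets on purpose, so the shared write cannot show through an untouched private mapping of the same page.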
                      Wessam Fathi wrote (#10, in reply to Stephen Hewitt):

                      Well I've used Detours extensively myself, when developing my graduation project back at college - it was an antivirus and a firewall package. I used detours in the antivirus part, to intercept all calls to CreateProcess function, when the user tries to run any program it was blocked until user Allows / Denies. It did work, I can send you videos for the application running if you want :) Here is the code I used, that's only a bit demonstrating the technique not the whole code, so it definitely won't compile:

                      1. Detours management code encapsulated in a dll:
                      -------------------------------------------------
                      BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
                      {
                          switch (ul_reason_for_call)
                          {
                          case DLL_PROCESS_ATTACH:
                              hInst = (HINSTANCE)hModule;
                              //intercept the API functions of the host program
                              Intercept();
                              hook = NULL;
                              //request a unique message number from the system for inter-process messaging
                              WM_HOOKMESSAGE = RegisterWindowMessage("{398E8909-327E-4ce8-B523-012AA80808A0}");
                              return TRUE;
                          case DLL_PROCESS_DETACH:
                              //if we had a successful interception, de-intercept the detour function
                              if(CreateProcessW_T && CreateProcessA_T)
                                  DeIntercept();
                              //if we had a successful windows hook, uninstall that hook
                              if(hWndServer != NULL)
                                  ClearHook(hWndServer);
                              return TRUE;
                          }
                          return TRUE;
                      }

                      //hook install function
                      CREATEHOOK_API bool SetHook(HWND hWnd)
                      {
                          if(hWndServer != NULL)
                              return FALSE; // already hooked!
                          hook = SetWindowsHookEx(WH_GETMESSAGE, (HOOKPROC)MyProc, hInst, 0);
                          if(hook != NULL)
                          { /* success */
                              hWndServer = hWnd;
                              return TRUE;
                          } /* success */
                          return FALSE; // failed to set hook
                      }

                      //hook un-install functions
                      CREATEHOOK_API bool ClearHook(HWND hWnd)
                      {
                          if(hWnd != hWndServer || hWnd == NULL)
                              return FALSE;
                          BOOL unhooked = UnhookWindowsHookEx(hook);
                          if(unhooked)
                              hWndServer = NULL;
                          return unhooked;
                      }

                      //this is a dummy hook proc, since the main use of the hook is to
                      //load our library to all processes in the system
                      static LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
                      {
                          return CallNextHookEx(hook, nCode, wParam, lParam);
                      }

                      //API interception installation function
                      CREATEHOOK_API int Intercept()
                      {
                          //intercept the CreateProcessW function
                          CreateProcessW_T =(BOOL(WINAPI *)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION))De

                        Stephen Hewitt wrote (#11, in reply to Wessam Fathi):

                        This will work to a point - but the fact that it works is consistent with my previous post. The reason is that you're detouring the function in every process by using the global hook mechanism via SetWindowsHookEx. SetWindowsHookEx, when used to set a global hook, loads the hook DLL into every UI process and the DLL's entry point code sets up the detour. There is an obvious limitation to this technique inherited from the global hook mechanism; it will only work for processes that have a message pump. It will probably not work for console applications, for example. Also noteworthy is the licensing agreement of the Detours library - you can't use it in commercial applications without explicit permission. Steve

                          Wessam Fathi wrote (#12, in reply to Stephen Hewitt):

                          Thanks for your reply, actually I didn't know that it won't work except for applications with a message pump, and that it probably won't for console applications. That's a valuable piece of information I didn't actually know :) Regarding the library licensing, I only used it for the college project - not a commercial application - so I didn't need to buy it. -- Wessam Fathi
