I'm attempting to write some software to vet processes, and stop unwanted processes from starting. In order to do this, I plan to hook various system calls (using Win32 C++) so I can check the application at various startup stages. The particular calls I'm interested in are:

* When the system receives a filename to load into memory (for an executable)
* When the system loads the process into memory (so I can do a checksum on it)

And then I plan to check it after it's started, which is probably a simpler task.

Is there a list of relevant calls I can check, or can someone tell me which calls correspond to these tasks?
Posted 6-Aug-12 21:12pm

Solution 1

Whenever the PC is turned on, the BIOS takes control and performs a lot of operations. It checks the hardware, ports, etc., and finally loads the MBR program into memory (RAM).
Now the MBR takes control of the booting process. The functions of the MBR, when only one OS is installed in the system, are as given below:

* The boot process starts by executing code in the first sector of the disk, the MBR.
* The MBR looks over the partition table to find the active partition.
* Control is passed to that partition's boot record (PBR) to continue booting.
* The PBR locates the system-specific boot files (such as ntoskrnl on WinXP).
* Then these boot files continue the process of loading and initializing the rest of the OS.

But whenever there are multiple OSes, be it multiple Windows or Windows with Linux, the boot process will be slightly different.

I think that you definitely need to read the following article:
How to develop your own Boot Loader

It just highlights some interesting points for you.
This article is for those who have always been interested in the way different things work. It is for those developers who usually create their applications in high-level languages such as C/C++, but are faced with the necessity to develop something at low level. This article is about low-level programming, using system loading as the example.
pasztorpisti 7-Aug-12 18:11pm
Does this answer the question?
dawmail333 7-Aug-12 18:56pm
Detailed and informative, but the question was about hooking executables that are starting _inside Windows_. Thanks for the extensive answer, though!
Volynsky Alex 8-Aug-12 4:16am
I agree, my answer does not answer the question fully.
But my answer is very close to what the questioner is interested in...
pasztorpisti 8-Aug-12 4:31am
Don't misunderstand, my comment wasn't meant to be offensive! I just read the article, then the answer, and they looked like two totally different topics to me. :-)
Volynsky Alex 8-Aug-12 16:54pm
I don't take offense :)
pasztorpisti 8-Aug-12 18:06pm
Just wondering, can you somehow hook the operating system more easily/better than from a driver, by executing your code before the operating system in the boot sequence? My old friend SoftIce came to my mind, but if I remember right that worked with drivers; I'm not sure.
Volynsky Alex 8-Aug-12 18:42pm

Solution 2

I never did such a hack but I guess you are searching for something like this:
Hooking the native API and controlling process creation on a system-wide basis
Read the user comments too below the article! Those might also contain some useful info for you. Usually antivirus software does what you wanna do. Some of them check the file when you open it and either the open or read operation fails if the file is infected!
Volynsky Alex 8-Aug-12 17:00pm
Good answer! +5!
pasztorpisti 8-Aug-12 18:07pm
Thank you! :-)
Volynsky Alex 8-Aug-12 18:28pm
Not at all!
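The asker's second stage is "do a checksum on it" once the image is in memory. As an added example (my own code, not from the linked article or from the asker's project), here is the one checksum Windows itself defines for executables: the PE optional-header CheckSum, computed by the ones'-complement word-sum algorithm behind imagehlp's CheckSumMappedFile. The routine locates the field from the DOS and PE headers, recomputes the value with the field itself treated as zero, and reports whether the stored value matches, is absent, or the buffer is not a PE image at all. The 512-byte sample image is constructed here for the demonstration and is only a header skeleton, not an executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header offsets from the PE/COFF specification; the CheckSum field sits at
 * the same position in the optional header for PE32 and PE32+. */
#define DOS_E_LFANEW_OFFSET     0x3C
#define COFF_HEADER_SIZE        20
#define OPT_HDR_CHECKSUM_OFFSET 64

typedef enum {
    PE_CHECKSUM_INVALID = 0,  /* stored value does not match the image   */
    PE_CHECKSUM_OK,           /* stored value matches                    */
    PE_CHECKSUM_ABSENT,       /* field is zero: the linker never set it  */
    PE_NOT_PE                 /* buffer is not a plausible PE image      */
} pe_checksum_result;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the CheckSum field, or 0 when the buffer is not a PE image
 * (0 can never be the real offset because the "MZ" stub occupies it). */
size_t pe_checksum_field_offset(const uint8_t *img, size_t len)
{
    if (len < DOS_E_LFANEW_OFFSET + 4 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(img + DOS_E_LFANEW_OFFSET);
    size_t need = 4 + COFF_HEADER_SIZE + OPT_HDR_CHECKSUM_OFFSET + 4;
    if (e_lfanew > len || len - e_lfanew < need)      /* headers must fit */
        return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    return (size_t)e_lfanew + 4 + COFF_HEADER_SIZE + OPT_HDR_CHECKSUM_OFFSET;
}

/* The CheckSum field's own bytes count as zero, so the stored value cannot
 * influence its own computation. */
static uint8_t byte_for_sum(const uint8_t *img, size_t i, size_t cs_off)
{
    return (i >= cs_off && i < cs_off + 4) ? 0 : img[i];
}

/* PE image checksum: ones'-complement sum of every little-endian 16-bit word
 * with the carry folded back into the low 16 bits, plus the file length.
 * Returns 0 for non-PE input. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len)
{
    size_t cs_off = pe_checksum_field_offset(img, len);
    if (cs_off == 0)
        return 0;
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        uint32_t word = byte_for_sum(img, i, cs_off);
        if (i + 1 < len)                      /* an odd trailing byte is its own word */
            word |= (uint32_t)byte_for_sum(img, i + 1, cs_off) << 8;
        sum += word;
        sum = (sum & 0xFFFFu) + (sum >> 16);  /* end-around carry */
    }
    sum = (sum & 0xFFFFu) + (sum >> 16);
    return sum + (uint32_t)len;
}

pe_checksum_result pe_verify_checksum(const uint8_t *img, size_t len)
{
    size_t cs_off = pe_checksum_field_offset(img, len);
    if (cs_off == 0)
        return PE_NOT_PE;
    uint32_t stored = rd32(img + cs_off);
    if (stored == 0)
        return PE_CHECKSUM_ABSENT;
    return pe_compute_checksum(img, len) == stored ? PE_CHECKSUM_OK : PE_CHECKSUM_INVALID;
}

/* Write a correct CheckSum into the header (what the linker does for drivers). */
int pe_stamp_checksum(uint8_t *img, size_t len)
{
    size_t cs_off = pe_checksum_field_offset(img, len);
    if (cs_off == 0)
        return 0;
    wr32(img + cs_off, pe_compute_checksum(img, len));
    return 1;
}

/* Constructed sample: a 512-byte PE32+ header skeleton (e_lfanew = 0x40,
 * Machine = AMD64, Magic = PE32+) with filler standing in for section data. */
#define SAMPLE_LEN 512
size_t build_sample_image(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + DOS_E_LFANEW_OFFSET, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x64; buf[0x45] = 0x86;           /* Machine = 0x8664             */
    buf[0x58] = 0x0B; buf[0x59] = 0x02;           /* optional header Magic 0x20B  */
    for (size_t i = 0x40 + 4 + 20 + 240; i < SAMPLE_LEN; i++)
        buf[i] = (uint8_t)(i * 7);                /* filler after the 240-byte optional header */
    return SAMPLE_LEN;
}

/* Round trip: unstamped -> ABSENT, stamped -> OK, one flipped body byte -> INVALID. */
int sample_roundtrip_ok(void)
{
    uint8_t img[SAMPLE_LEN];
    size_t n = build_sample_image(img);
    if (pe_verify_checksum(img, n) != PE_CHECKSUM_ABSENT) return 0;
    if (!pe_stamp_checksum(img, n)) return 0;
    if (pe_verify_checksum(img, n) != PE_CHECKSUM_OK) return 0;
    img[400] ^= 0x01;                             /* simulate corruption of section data */
    return pe_verify_checksum(img, n) == PE_CHECKSUM_INVALID;
}

int main(void)
{
    int ok = sample_roundtrip_ok();
    printf("PE checksum round trip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Two caveats for anyone building the vetting tool the question describes. First, this header checksum only detects accidental corruption: anyone who modifies the file can recompute it in the same way, so a vetting decision should rest on a cryptographic hash compared against an allowlist, or on the image's Authenticode signature, with the header checksum at most a cheap sanity check. Second, the linked article's approach of patching the native API table dates from 32-bit Windows; on 64-bit Windows kernel patch protection blocks it, and the supported way to be told about, and to refuse, a process start from a driver is the PsSetCreateProcessNotifyRoutineEx callback.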

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 7 Aug 2012