I'm attempting to write some software to vet processes, and stop unwanted processes from starting. In order to do this, I plan to hook various system calls (using Win32 C++) so I can check the application at various startup stages. The particular calls I'm interested in are:
 
* When the system receives a filename to load into memory (for an executable)
* When the system loads the process into memory (so I can do a checksum on it)
 
And then I plan to check it after it's started, which is probably a simpler task.
 
Is there a list of relevant calls I can check, or can someone tell me which calls correspond to these tasks?
Posted 6-Aug-12 20:12pm
dawmail333

Solution 1

Whenever the PC is turned on, the BIOS takes control and performs a lot of operations. It checks the hardware, ports etc. and finally loads the MBR program into memory (RAM).
Now the MBR takes control of the booting process. The functions of the MBR, when only one OS is installed in the system, are as given below:
The boot process starts by executing code in the first sector of the disk, the MBR.
The MBR looks over the partition table to find the active partition.
Control is passed to that partition's boot record (PBR) to continue booting.
The PBR locates the system-specific boot files (such as WinXP ntoskrnl).
Then these boot files continue the process of loading and initializing the rest of the OS. But whenever there are multiple OSes, be it multiple Windows or Windows with Linux, the boot process will be slightly different.
 
I think that you definitely need to read the following article:
How to develop your own Boot Loader
 
It just highlights some interesting points for you.
This article is for those who have always been interested in the way different things work. It is for those developers who usually create their applications in high-level languages such as C/C++ but are faced with the necessity to develop something at a low level. This article is about low-level programming, using system loading as the example.
Comments
pasztorpisti at 7-Aug-12 18:11pm
Does this answer the question?
dawmail333 at 7-Aug-12 18:56pm
Detailed and informative, but the question was about hooking executables that are starting _inside Windows_. Thanks for the extensive answer, though!
Volynsky Alex at 8-Aug-12 4:16am
I agree, my answer does not answer the question fully.
But my answer is very close to what the questioner is interested in...
pasztorpisti at 8-Aug-12 4:31am
Don't misunderstand, my comment wasn't meant to be offensive! I just read the article, then the answer, and they looked like two totally different topics to me. :-)
Volynsky Alex at 8-Aug-12 16:54pm
I don't take offense :)
pasztorpisti at 8-Aug-12 18:06pm
Just wondering, can you somehow hook the operating system more easily/better than from a driver by executing your code before the operating system in the boot sequence? My old friend SoftIce came to my mind, but if I remember right that worked with drivers, although I'm not sure.
Volynsky Alex at 8-Aug-12 18:42pm
:)

Solution 2

I never did such a hack, but I guess you are searching for something like this:
Hooking the native API and controlling process creation on a system-wide basis
Read the user comments below the article too! Those might also contain some useful info for you. Usually antivirus software does what you want to do. Some of them check the file when you open it, and either the open or the read operation fails if the file is infected!
Comments
Volynsky Alex at 8-Aug-12 17:00pm
Good answer! +5!
pasztorpisti at 8-Aug-12 18:07pm
Thank you! :-)
Volynsky Alex at 8-Aug-12 18:28pm
Not at all!
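Editor's note on the two hook points the question asks about, with an added example that is not part of the original thread. Patching the native API table (the approach the linked article describes) is unsupported and breaks under PatchGuard on 64-bit Windows; the supported equivalent for "the system receives a filename to load" is a kernel driver registering PsSetCreateProcessNotifyRoutineEx, whose PS_CREATE_NOTIFY_INFO hands you the image path (ImageFileName, FileObject, CommandLine) and lets you veto the launch by setting CreationStatus to a failure code such as STATUS_ACCESS_DENIED. For "when the system loads the process into memory", PsSetLoadImageNotifyRoutine fires for every image mapping (main module and DLLs), and a file-system minifilter's pre-create callback sees the open before any bytes are read. Whichever callback you hook, the work it then has to do is parse the image bytes and decide. The C below is that checking step, written here to compile anywhere without the WDK: a bounds-checked locator for the PE CheckSum field and the algorithm ImageHlp's CheckSumMappedFile uses, run over a constructed, non-loadable sample header. Two caveats a vetting product needs: the PE CheckSum is an integrity check, not a security one (anyone modifying the file recomputes it), so an allowlist should compare a cryptographic hash or verify the Authenticode signature instead; and hash the bytes from the same file object the loader maps, or an attacker can swap the file between your check and the load.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the PE/COFF specification. The CheckSum field sits at the same
   offset (0x40) inside both the PE32 and PE32+ optional headers. */
#define DOS_MAGIC        0x5A4Du     /* "MZ" */
#define PE_SIGNATURE     0x00004550u /* "PE\0\0" */
#define E_LFANEW_OFF     0x3Cu       /* IMAGE_DOS_HEADER.e_lfanew */
#define FILE_HDR_SIZE    20u         /* sizeof(IMAGE_FILE_HEADER) */
#define OPT_SIZE_OFF     16u         /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
#define OPT_CHECKSUM_OFF 0x40u       /* IMAGE_OPTIONAL_HEADER.CheckSum */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* File offset of OptionalHeader.CheckSum, or 0 if the buffer is not a well-formed PE
   header (0 can never be the answer: offset 0 holds the DOS header). Every access is
   bounds-checked, because this parser runs on untrusted bytes. */
size_t pe_checksum_field_offset(const uint8_t *img, size_t len)
{
    if (len < E_LFANEW_OFF + 4 || rd16(img) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(img + E_LFANEW_OFF);
    if (e_lfanew & 1) return 0;                     /* keep the 16-bit walk below aligned */
    if (e_lfanew > len || len - e_lfanew < 4 + FILE_HDR_SIZE + OPT_CHECKSUM_OFF + 4) return 0;
    if (rd32(img + e_lfanew) != PE_SIGNATURE) return 0;
    if (rd16(img + e_lfanew + 4 + OPT_SIZE_OFF) < OPT_CHECKSUM_OFF + 4) return 0;
    return (size_t)e_lfanew + 4 + FILE_HDR_SIZE + OPT_CHECKSUM_OFF;
}

/* The PE CheckSum as ImageHlp's CheckSumMappedFile computes it: a 16-bit ones'-complement
   sum over the whole file, the 4-byte CheckSum field itself excluded, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t skip_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i >= skip_off && i < skip_off + 4) continue;
        uint32_t w = img[i];
        if (i + 1 < len) w |= (uint32_t)img[i + 1] << 8;  /* odd trailing byte is zero-extended */
        sum += w;
        sum = (sum & 0xFFFFu) + (sum >> 16);             /* end-around carry */
    }
    sum = (sum & 0xFFFFu) + (sum >> 16);
    return (sum & 0xFFFFu) + (uint32_t)len;
}

/* 1 = stored CheckSum matches, 0 = mismatch, -1 = not a parseable PE or the field is 0.
   Linkers leave it 0 unless asked (MSVC /RELEASE), and the loader only enforces it for
   drivers and boot-time/critical DLLs, so 0 means "no claim made", never a pass. */
int pe_verify_checksum(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_field_offset(img, len);
    if (off == 0) return -1;
    uint32_t stored = rd32(img + off);
    if (stored == 0) return -1;
    return pe_compute_checksum(img, len, off) == stored ? 1 : 0;
}

/* Constructed sample (assumption, not a real binary): a PE32 header with a correct CheckSum
   and filler bytes standing in for code. It has no sections and is not loadable. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t len = 0x200;
    if (cap < len) return 0;
    memset(buf, 0, len);
    for (size_t i = 0x140; i < len; i++) buf[i] = (uint8_t)(i * 37u);
    wr16(buf, DOS_MAGIC);
    wr32(buf + E_LFANEW_OFF, 0x40);
    wr32(buf + 0x40, PE_SIGNATURE);
    wr16(buf + 0x40 + 4, 0x014C);                    /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 0x40 + 4 + OPT_SIZE_OFF, 0xE0);       /* SizeOfOptionalHeader for PE32 */
    wr16(buf + 0x40 + 4 + FILE_HDR_SIZE, 0x10B);     /* optional header Magic = PE32 */
    size_t off = pe_checksum_field_offset(buf, len);
    wr32(buf + off, pe_compute_checksum(buf, len, off));
    return len;
}

int main(void)
{
    uint8_t img[0x200];
    size_t len = build_sample_image(img, sizeof img);
    printf("pristine image: %d\n", pe_verify_checksum(img, len));   /* 1 */
    img[0x1F0] ^= 0x80;                                             /* one-bit change in "code" */
    printf("tampered image: %d\n", pe_verify_checksum(img, len));   /* 0 */
    return 0;
}
```

In a real driver the bytes would come from the FileObject handed to the callback (read with ZwReadFile or mapped through the section), and the return code of pe_verify_checksum would feed the allow/deny decision; the -1 case deserves its own policy, since most user-mode executables ship with a zero CheckSum.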

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
Last Updated 7 Aug 2012
Copyright © CodeProject, 1999-2014