Click here to Skip to main content
15,897,518 members
Search within:


Articles / Programming Languages / C++
 

Detecting Windows NT/2K process execution

Rate me:
Please Sign up or sign in to vote.
4.94/5 (69 votes)
25 Mar 2002CPOL7 min read 1.1M   11.4K   234  
An article on how to get notification from the OS when a process starts
 
//---------------------------------------------------------------------------
//
// CallbackHandler.h
//
// SUBSYSTEM:   
//              Monitoring process creation and termination  
//				
// MODULE:      
//              An abstract interface for receiving notification when a 
//              process has been created or terminated  
//
// DESCRIPTION: 
//             
// AUTHOR:		Ivo Ivanov
//
//---------------------------------------------------------------------------
#if !defined(_CALLBACKHANDLER_H_)
#define _CALLBACKHANDLER_H_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000


//---------------------------------------------------------------------------
//
//                   typedefs for PSAPI.DLL functions 
//
//---------------------------------------------------------------------------
typedef BOOL (WINAPI * PFNENUMPROCESSMODULES)(
    HANDLE   hProcess,
    HMODULE *lphModule,
    DWORD    cb,
    LPDWORD  lpcbNeeded
	);

typedef DWORD (WINAPI * PFNGETMODULEFILENAMEEX)(
    HANDLE  hProcess,
    HMODULE hModule,
    LPTSTR  lpFilename,
    DWORD   nSize
	);

//---------------------------------------------------------------------------
//
// class CCallbackHandler
//
//---------------------------------------------------------------------------
class CCallbackHandler  
{
public:
	CCallbackHandler();
	virtual ~CCallbackHandler();
	//
	// Define an abstract interface for receiving notifications
	//
	virtual void OnProcessEvent(
		PQUEUED_ITEM pQueuedItem, 
		PVOID        pvParam
		) = 0;
protected:
	//
	// Return the name of the process by its ID using PSAPI
	//
	BOOL GetProcessName(
		DWORD  dwProcessId,
		LPTSTR lpFileName, 
		DWORD  dwLen
		);
private:
	HMODULE                 m_hModPsapi;
	PFNENUMPROCESSMODULES   m_pfnEnumProcessModules;	
	PFNGETMODULEFILENAMEEX  m_pfnGetModuleFileNameEx;
};

#endif // !defined(_CALLBACKHANDLER_H_)
//----------------------------End of the file -------------------------------

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Ivo Ivanov
United States United States
I specialize in OS Internals and Reverse Engineering.
Before joining my current employer I used to run a security blog for malware analysis: http://vinsula.com/security-blog

Comments and Discussions

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 25 Mar 2002

Article Copyright 2002 by Ivo Ivanov
Everything else Copyright © CodeProject, 1999-2024

Web02 2.8:2024-04-02:1