I am developing an application to monitor new running processes before the main thread starts running. The problem is that the code below is executed when all threads in the process are loaded and the process is doing its job. I want to do something like the "sCreateProcessNotifyRoutineEx" function from C++ in C#. Please help with this.

What I have tried:

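    using System;
    using System.Diagnostics;
    using System.Management;                 // requires a reference to System.Management
    using System.Runtime.InteropServices;

    // P/Invoke declarations (not called in the code shown below).
    // OpenProcess returns a HANDLE, so it is declared as IntPtr rather than int
    // to avoid truncating the handle in a 64-bit process.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, UIntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, IntPtr lpNumberOfBytesRead);

    // WMI watcher that raises an event for each Win32_ProcessStartTrace instance
    ManagementEventWatcher processStartEvent = new ManagementEventWatcher("SELECT * FROM Win32_ProcessStartTrace");

    public Service1()
    {
        InitializeComponent();
        processStartEvent.EventArrived += new EventArrivedEventHandler(processStartEvent_EventArrived);
        processStartEvent.Start();
    }

    public async void processStartEvent_EventArrived(object sender, EventArrivedEventArgs e)
    {
        try
        {
            // Fields delivered with the WMI event itself
            string processName = e.NewEvent.Properties["ProcessName"].Value.ToString();
            string processID = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value).ToString();
            int pid = Convert.ToInt32(e.NewEvent.Properties["ProcessID"].Value);

            // Look up the live process by PID; this throws if it is no longer running
            Process p = Process.GetProcessById(pid);
            string wholeFileName = p.MainModule.FileName;

            // AnalyzeStartup is not shown in the post
            await AnalyzeStartup(wholeFileName, p);
        }
        catch { }   // every exception is swallowed here, including lookup failures
    }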
Comments
[no name] 12-Nov-21 16:41pm    
I think that's the point of "managed code". You want to kludge it until it's "unmanaged"; so might as well do it in unmanaged code in the first place.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


