I would like to get notification of when any/all programs are being actively used.
To do this via windows hooks I'd use an unmanaged C++ dll that talks to C#. There is an article that explains this process here.
I was wondering though if there is any alternative to using system hooks though.
I haven't looked at all of the details of this library, but it might help you out.
Managed Windows API
C++ is not required to set a global windows hook, you just need to call the necessary winapis.
A global hook would be more efficient and more reliable than polling, assuming you are only interested in applications that have a window associated with the process. For example, a CMD prompt may not generate GWH events.
Ultimately the most reliable and efficient mechanism would be a system-wide injection, a good start would be the Detours library from Microsoft Research. Jefffrey Richter's classic "Advanced Windows Programming" book covered this in detail, offering 3 mechanisms for injection (including how to set up a system wide hook). Again, this doesn't require C++, and wouldn't necessarily tell you when an application was in use. Ultimately global window hooking is going to make the most sense.
List running processes:
http://codefreezer.com/codedetail.php?article=13
Determine which process is topmost:
http://www.pinvoke.net/default.aspx/user32/getwindowthreadprocessid.html
Related
I'm looking into writing a tool that mounts certain external disks as read-only when they are plugged-in to the machine. On MacOS, this was quite trivial with the Disk Arbitration framework. It sends out notifications from the OS when a new drive is attached to a machine and allows you to veto, accept, or change mounting options (such as forcing the mount as read-only, etc.) Is there any equivalent to this in Windows?
Thanks in advance.
There's no direct equivalent. For security reasons, Windows doesn't give user-mode code quite that much control (e.g., consider a virus deciding to stop you from mounting any disk it's suspicious might contain an anti-virus program).
The WM_DEVICECHANGE message notifies user-mode applications of things as they happen, but it's pretty limited -- in particular, while you can veto removal of a device, you're not allowed much (any?) control over addition of a device.
You can also use RegisterDeviceNotification for more complete information, but I don't believe it gives you the control you're looking for either.
At least as far as I know, .NET doesn't support RegisterDeviceNotification directly, so if you want to use it from C#, you'd probably have to do it via P/Invoke.
For more control over devices being mounted and unmounted, you'd have to write some kernel-mode code, but at least from the sound of things that may be a bit beyond what you're interested in considering, at least for the moment.
I need to monitor handle usage on a Windows CE box.
Essentially I want to be able to see handle usage over time to tell if my applications / services are leaking handles (which I believe they are).
Any example code would be great.
While it is not exactly what you are looking for, I can recommend a little tool that we are using called CodeSnitch (http://www.entrek.com/codesnitch.html). It will instrument your code and keep track allocation and de-allocation of resources, including handles. I have used it to clean up several of our applications with great success. You can download a 2 week trial version to try it out.
How can I snuggle into another process? Like, share another process's name? So if my application is griddemo.exe, and I want to snug into, let's say, explorer.exe, is that possible? Just read something about CreateRemoteThread() from kernel32. Is that in the right direction? Would there be security/UAC issues?
First of all sorry, but my answer will be longer as another answers.
I use DLL injection since years in different version of operation system (from windows NT 4.0 till Windows 7) and I had no time any problem with any virus scanner (inclusive both Norton and McAfee in different versions). So I disagree with Stephen Cleary (see his answer) in this aspect.
Usage of CreateRemoteThread() is really only one of the ways. AppInit_DLLs is another way. Both has its advantage and disadvantage. The main advantage of AppInit_DLLs is a simplicity to inject DLL in any process. The main disadvantages of AppInit_DLLs approach are following:
All GUI application will load the DLL. If you want to load it only in one process like explorer.exe you can't do this. So the working space of all GUI processes will be increased by your DLL. An error in your DLL (especially inside of DllMain or in any dependency DLL of your DLL) can crash many processes which you don't currently know.
You can not inject your DLL with respect of AppInit_DLLs approach in a console application or in any EXE which have no dependency to User32.dll.
You should be very careful inside of your DllMain, because it will be called before User32.dll will be full initialized. So a safe DLL which you can use inside of DllMain of your DLL is Kernel32.dll.
With respect of CreateRemoteThread() one can start an additional thread in a process. The main problem of CreateRemoteThread() is that its lpStartAddress parameter must be an address from the remote process. So one have to use functions OpenProcess, VirtualAllocEx and WriteProcessMemory to write some information into the memory of the destination process. To be able to open a process one have to have debug privilege enabled. If you want to do only 2 + 2 inside of the destination process you can copy the corresponding binary code directly into destination process. All real interesting work can be done with usage of some Windows API. So mostly one don't copy a code. Instead of that one call LoadLibrary("MyPath\\MyDll.dll") inside of destination process. Because the prototype of LoadLibrary is the same as prototype of ThreadProc of CreateThread you can call LoadLibrary as a ThreadProc of CreateRemoteThread(). This way has the name DLL Injection.
I recommend you to use this DLL Injection only if it really required. If your destination application has some other way like plug-ins to load you DLL inside the process your should use this way instead of DLL Injection.
Some general problems you will have to solve after you have a working example of DLL Injection. This problems you can don't see at the first time, but after a long usage of your application you will see its importance:
You should find the moment when the destination process are already running before you can use CreateRemoteThread().
The destination application must be already initialized before you call CreateRemoteThread(). So you should not use CreateRemoteThread() too early. In case of explorer.exe you can use a start of your small trigger program from Run registry key. At the moment is explorer.exe fully prepared for DLL injection.
You should take in consideration 64-bit version of Windows.
Don't forget about DLL relocation inside of destination process. Be careful, that you DLL can be loaded in the destination process at the other address as in your process. Mostly it is a good idea to choose a good base address (linker option) for you DLL which you will inject. The Kernel32.dll can be sometime (very seldom) loaded at the other address as in your source process. You can create a DLL Injection code which are free of this problem.
Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the target process is in a different session than the calling process. The problem you can see on XP (which is not connected to domain) or especially on Vista or Windows 7 if you try make DLL injection from a windows service. To fix the problem you should make DLL Injection either from the process running on the same terminal session as destination process or you have to switch current session before using of CreateRemoteThread. Your process must have SE_TCB_NAME privilege enabled and use SetTokenInformation with TokenSessionId parameter. To get session id of the destination process you can use different methods. Functions with the prefix WTS (like WTSGetActiveConsoleSessionId) can be very useful.
So everything is not very easy, but it is really interesting subject where you can study a lot of things about operating system. You should only spend a little time to analyse your problem and different ways to solve it before you choose one way which corresponds your project requirements and start programming.
DLL injection is the traditional method of doing this. It's quite tricky, especially since virus scanners look askance at the practice. So even if you get it working, Norton/McAfee would be likely to block you - or block you in the future.
One easy way of DLL injection is the AppInit_DLLs registry value. Note that Microsoft has reserved the right to simply remove this functionality (and likely will do so in the future).
The Microsoft-approved way to achieve DLL injection is licensing Microsoft Detours.
Note that your DLL must be built against the CLR version 4.0 or higher to perform DLL injection safely, because this is the first version to support in-proc side-by-side.
If you mean injecting your code into another process, then dll injection is one technique:
http://en.wikipedia.org/wiki/DLL_injection
Haven't done this for years, so not sure how happy modern MS Windows operating systems (i.e. post XP) are going to be with this.
I've not tried this lately, but another way to do this would be to create a Hook DLL:
Create a DLL that contains a Hook Procedure like MessageProc.
Install this DLL into Windows\System32.
Use FindWindows(Ex) to locate your victim process' window.
Use GetWindowThreadProcessId() to find the owning thread of that window. This is necessary to avoid injecting your DLL into every single process on the system.
Use SetWindowsHookEx to hook that thread.
PostMessage a WM_USER message to the window - activating your Hook DLL if it isn't already active.
This would likely invoke the new Windows Vista/7 UIPI/UAC if you're not a sufficiently privileged user but this depends on many factors - your mileage may vary.
I need to mute and unmute sounds from other processes in Windows XP. I am looking for the best strategy. It is possible to write a Kernel Mode mixer that will filter the inputs to the output device? My other approach would be set Hooks for the various API's to intercept their Win32 calls. I would strongly prefer the less invasive approach.
Some considerations:
Covering applications that use the WinMM and DirectSound System Componenets would probably be sufficient (i.e. I don't need to worry about other audio interfaces).
This will eventually need to be used from a C# app. I am reasonably skilled with interop, but don't have internal knowledge of Win32 to make this happen.
It would be possible to list all the applications that would need to be muted and approach each application separately, although the list is expected to grow.
P.S. In case anyone is concerned, these operations will be performed with the users consent (no shady business).
The problem with kernel mode drivers is that they are generally not process-aware. This is part of a clean layered architecture. Dealing with processes is the responsibility of the OS itself. The audio driver should handle audio. Now, the mixer should definitely handle multiple audiostreams, and may give them unequal weight, but it should not particularly care where the came from. Also, the built-in mixer is not designed to be replacable, so you'd have to intercept the audiostreams before they're mixed.
For that reason, on XP it makes much more sense to use Microsoft Detours to intercept the calls at API level. You have the calling process info there. Detours basically injects assembly into the user-mode parts of the OS, so I would advice using C++ rather than C# with Detours.
As I understand it, on Vista the audiostack is rewritten such that it is possible to associate audiostreams with applications, but this is a system-wide feature.
I know how antivirus detects viruses. I read few aticles:
How do antivirus programs detect viruses?
http://www.antivirusworld.com/articles/antivirus.php
http://www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm
http://hooked-on-mnemonics.blogspot.com/2011/01/intro-to-creating-anti-virus-signatures.html
During this one month vacation I'm having. I want to learn & code a simple virus detection program:
So, there are 2-3 ways (from above articles):
Virus Dictionary : Searching for virus signatures
Detecting malicious behavior
I want to take the 2nd approach. I want to start off with simple things.
As a side note, recently I encountered a software named "ThreatFire" for this purpose. It does a pretty good job.
1st thing I don't understand is how can this program inter vent an execution of another between and prompt user about its action. Isnt it something like violation?
How does it scan's memory of other programs? A program is confined to only its virtual space right?
Is C# .NET correct for doing this kind of stuff?
Please post your ideas on how to go about it? Also mention some simple things that I could do.
This happens because the software in question likely has a special driver installed to allow it low level kernel access which allows it to intercept and deny various potentially malicious behavior.
By having the rights that many drivers do, this grants it the ability to scan another processes memory space.
No. C# needs a good chunk of the operating system already loaded. Drivers need to load first.
Learn about driver and kernel level programming. . . I've not done so, so I can't be of more help here.
I think system calls are the way to go, and a lot more doable than actually trying to scan multiple processes' memory spaces. While I'm not a low-level Windows guy, it seems like this can be accomplished using Windows API hooks- tie-ins to the low-level API that can modify system-wide response to a system call. These hooks can be installed as something like a kernel module, and intercept and potentially modify system calls. I found an article on CodeProject that offers more information.
In a machine learning course I took, a group decided to try something similar to what you're describing for a semester project. They used a list of recent system calls made by a program to determine whether or not the executing program was malicious, and the results were promising (think 95% recognition on new samples). In their project, they trained using SVMs on windowed call lists, and used that to determine a good window size. After that, you can collect system call lists from different malicious programs, and either train on the entire list, or find what you consider "malicious activity" and flag it. The cool thing about this approach (aside from the fact that it's based on ML) is that the window size is small, and that many trained eager classifiers (SVM, neural nets) execute quickly.
Anyway, it seems like it could be done without the ML if it's not your style. Let me know if you'd like more info about the group- I might be able to dig it up. Good luck!
Windows provides APIs to do that (generally the involve running at least some of your code in kernel). If you have sufficient privileges, you can also inject a .dll into other process. See http://en.wikipedia.org/wiki/DLL_injection.
When you have the powers described above, you can do that. You are either in kernel space and have access to everything, or inside the target process.
At least for the low-level in-kernel stuff you'd need something more low-level than C#, like C or C++. I'm not sure, but you might be able to do some of the rest things in a C# app.
The DLL injection sounds like the simplest starting point. You're still in user space, and don't have to learn how to live in the kernel world (it's completely different world, really).
Some loose ideas on topic in general:
you can interpose system calls issued by the traced process. It is generally assumed that a process cannot do anything "dangerous" without issuing a system call.
you can intercept its network traffic and see where it connects to, what does it send, what does it receive, which files does it touch, which system calls fail
you can scan its memory and simulate its execution in a sandbox (really hard)
with the system call interposition, you can simulate some responses to the system calls, but really just sandbox the process
you can scan the process memory and extract some general characteristics from it (connects to the network, modifies registry, hooks into Windows, enumerates processes, and so on) and see if it looks malicious
just put the entire thing in a sandbox and see what happens (a nice sandbox has been made for Google Chrome, and it's open source!)