c++ - For every CreateProcess, call my function first


My idea is to show a pop-up window for every new process that is created, so that I can make sure the processes have permission.

The question is, how do I hook my function in before Windows creates a new process?

I tried DLL injection, but it did not work.

Is there a solution to this problem, or is it not possible?

Thanks!

The legitimate way of doing this is to create a kernel driver that uses `PsSetCreateProcessNotifyRoutineEx` (supported on Vista SP1 and later) to control process creation (and termination). This routine allows you to register a callback function that is invoked when a process is either being created or terminating. In the creation case, the callback may decide to block the process. The callback gets the following information about the new process:

1) image file name,

2) command line arguments,

3) PID,

4) PID of the parent,

5) TID:PID of the creating process and thread.

If you do not wish to develop a kernel driver, you can approximate the solution. AFAIK, WMI is able to notify you that a new process has been created. When you get the notification, you may try to suspend the process and ask the user (or do whatever you wish).
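
The WMI fallback described in the answer above, as an added example that is not part of the original answer: it subscribes to `Win32_ProcessStartTrace`, suspends each new process, and asks whether to let it continue. The notification arrives after the process has already started, so this reacts to creation rather than gating it the way the kernel callback does. The subscription name `ProcStartWatch` and the `Native.Nt` wrapper type are names chosen for this example.

```powershell
# Added example: approximate process-creation control from user mode via WMI.
# Run from an elevated session; Win32_ProcessStartTrace requires administrator rights.

# NtSuspendProcess / NtResumeProcess are undocumented ntdll exports.
Add-Type -Namespace Native -Name Nt -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr processHandle);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr processHandle);
'@

$sourceId = 'ProcStartWatch'   # hypothetical subscription name
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier $sourceId

try {
    while ($true) {
        # Events queue up while a prompt is open; handle them one at a time.
        $evt = Wait-Event -SourceIdentifier $sourceId
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $new    = $evt.SourceEventArgs.NewEvent
        $procId = [int]$new.ProcessID

        try {
            # The process may already have exited, or be protected from us.
            $proc   = [System.Diagnostics.Process]::GetProcessById($procId)
            $handle = $proc.Handle
        } catch {
            Write-Warning "PID $procId ($($new.ProcessName)) exited or is inaccessible"
            continue
        }

        # Freeze the process, then collect the details to show the user.
        [void][Native.Nt]::NtSuspendProcess($handle)
        $info = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"

        Write-Host "New process : $($new.ProcessName) (PID $procId)"
        Write-Host "Parent PID  : $($new.ParentProcessID)"
        Write-Host "Image path  : $($info.ExecutablePath)"
        Write-Host "Command line: $($info.CommandLine)"

        if ((Read-Host 'Allow this process? [y/N]') -match '^[yY]') {
            [void][Native.Nt]::NtResumeProcess($handle)
        } else {
            $proc.Kill()   # terminating a suspended process works
        }
    }
} finally {
    Unregister-Event -SourceIdentifier $sourceId
}
```

Because every new process is suspended until answered, including ones started by services, try this in a test VM before using it on a machine you depend on.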

