
Watching for a process to start

Name: Anonymous 2008-07-09 12:25

Sup /prog/,

Trying to find an elegant way to watch for when a specific process/application starts in C++. Could of course do something like EnumProcesses() from the PSAPI and go through the list to see if the one I'm looking for is in it... and put that on a timer to poll for it every so often.

But that seems rather messy and polling is evil. Not to mention the process will show up there before it's fully loaded into memory if I'm not mistaken... And I need it to be completely loaded and running.

Anyone know of a better/cleaner way to do it?

Name: Anonymous 2008-07-09 12:36

Install a global message hook.

Name: Anonymous 2008-07-09 12:43

>>2
I considered that, but doesn't global hooking come with a lot of "bulk"? Trying to be as non-intrusive to the system it'll be running on as possible... that's why I want to avoid polling to begin with.

Name: Anonymous 2008-07-09 12:50

Use DTrace.

Name: Anonymous 2008-07-09 12:56

>>4
Needs to work on Windows, unfortunately.

Name: Anonymous 2008-07-09 12:59

Name: Anonymous 2008-07-09 13:05

>>6
Thanks, but no thanks. I did mention I'm trying to make it elegant, didn't I?

Name: Anonymous 2008-07-09 13:08

>>7
Then Sepples is not the language you're looking for.

Name: Anonymous 2008-07-09 13:11

Patch the binary of the process you want to watch such that it launches your malware instead, then exits. Your malware then re-launches the modified binary (passing a --nofork or whatever) such that it runs normally.

Then do whatever.

Name: Anonymous 2008-07-09 13:14

>>1
This is operating system dependent, you can't do it with C++.

Name: Anonymous 2008-07-09 13:26

>>10
It may be assumed that everyone on /prog/ uses a Unix-like operating system.

Name: Anonymous 2008-07-09 13:33

>>9
When I say elegant I'm talking about how it works underneath, not what the code looks like superficially.

>>10
Since the application I'll be watching for only runs on Windows, that's hardly an issue in this case.

Name: Anonymous 2008-07-09 13:38

>>9
Whoops, last >>9 was actually supposed to be >>8

Anyway, that's not an option because the target process is started by a launcher which in turn replaces it if it's been tampered with.

Oh, and it's not malware... not that it matters.

Name: Anonymous 2008-07-09 13:38

Name: Anonymous 2008-07-09 13:52

>>14
Could do that... but then there's the problem of overhead caused by loading (and subsequently unloading) the DLL for every process that starts and not just the one I'm looking for. Not to mention requiring a system restart to take effect. Would be better off using a global hook as >>2 suggested then.

Name: Anonymous 2008-07-09 14:33

>>15
I wonder -- when you realize that there is no clean elegant way to butcher such a thing, will you settle for one of the solutions we've already posted, or just give up?

Name: Anonymous 2008-07-09 15:30

You must either register a callback or use a polling approach. Both have been discussed, are you holding out for some magical third option?

Ooh, I know, you can use quantum polling! Choose any extent of time as an acceptable response delay. Now pick a random point of time in the future and sleep until then. Wake up and check if the process is running. If it is not, destroy the universe.
If the process is running, ask for its running time. If the process has been running for longer than your acceptable response delay, destroy the universe.
This guarantees that you in the remaining universes will have observed the thread sleep until the process starts, and then wake up and poll once[1][2].
___________
1. This assumes that the process you're monitoring will only be run once. Refining the algorithm to notice if the detected event is not the first execution of the program and modify its behavior accordingly is left as an exercise to the reader.
2. You will also observe your program oversleeping and ignoring the process in a large amount of universes. Don't worry, this will eventually rectify itself. The algorithm guarantees correct behavior in the end.

Name: Anonymous 2008-07-09 15:42

>>17
That's not funny, my brother died that way.

Name: Anonymous 2008-07-09 15:51

>>17
> Now pick a random point of time in the future
You make it sound easy.

Name: Anonymous 2008-07-09 17:23

>>17
Excellent, just what I was looking for. I'll get right on that.

No seriously, a callback would be dandy. But where do you see one discussed here? The global hook?

Well, sure, that's a callback. But a pretty massive/messy one. I mean... what kind of hook would you create? WH_CBT, right? And watch for HCBT_CREATEWND, right?

Sounds good on paper, but you have to realize how much overhead that creates. The DLL with the hook will now have to be loaded by each and every process that gets run on the system. Furthermore, the callback procedure gets called not only for HCBT_CREATEWND, but for every message that's covered by WH_CBT. So every time a window is created, destroyed, moved, resized, maximized, restored, et cetera your hook function is invoked. Sure, it returns without doing much. But it still gets called. For all of those events and more. For every process on the system.

That's a hell of a mess over just wanting to be notified when a process gets launched. Almost makes polling look more attractive.

Was hoping there'd be something specific to processes being launched.
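A notification tied to process creation rather than to window events, as an added example that is not part of the thread: it uses WMI's Win32_ProcessStartTrace from PowerShell instead of a WH_CBT hook or an EnumProcesses timer, so nothing is injected into other processes and the watcher sleeps until the one matching event arrives. It assumes an elevated session (the trace class needs admin) and uses 'notepad.exe' as a placeholder for the process being watched.

```powershell
# Added example, not code from the thread. Event-driven process-start watch on
# Windows via the WMI class Win32_ProcessStartTrace: one event per process
# creation, filtered by WMI, no DLL loaded into every process on the system.
# Assumptions: run from an elevated PowerShell; $target is a placeholder name.
$target = 'notepad.exe'

# The WHERE clause is evaluated inside WMI, so events for other processes never
# reach this script at all (unlike a WH_CBT hook, which sees every window event).
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$target'"
Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $query `
    -SourceIdentifier 'WatchTarget' | Out-Null

try {
    # Block until WMI delivers a matching event; no polling loop, no timer.
    $evt = Wait-Event -SourceIdentifier 'WatchTarget'
    $e   = $evt.SourceEventArgs.NewEvent

    # The event fires as soon as the kernel has created the process, i.e. before
    # it has finished loading. For a GUI process, WaitForInputIdle blocks until
    # its first message loop goes idle, the closest generic signal for "fully
    # loaded and running". It throws for processes without a message loop, so
    # the call is guarded and $ready stays $false in that case.
    $ready = $false
    $proc  = Get-Process -Id ([int]$e.ProcessID) -ErrorAction SilentlyContinue
    if ($proc) {
        try { $ready = $proc.WaitForInputIdle(10000) } catch { }
    }

    Write-Host ("{0} started: PID {1}, parent PID {2}, ready={3}" -f `
        $e.ProcessName, $e.ProcessID, $e.ParentProcessID, $ready)

    Remove-Event -EventIdentifier $evt.EventIdentifier
}
finally {
    # Always drop the subscription so WMI stops delivering events to this session.
    Unregister-Event -SourceIdentifier 'WatchTarget'
}
```

Win32_ProcessStartTrace also reports the parent PID and the creating user's SID, which is what makes the same subscription useful for detection work (unexpected parent, unexpected account) rather than only for launch detection.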

Name: Anonymous 2008-07-09 23:16

>>20
WHBTC

Name: Anonymous 2008-07-10 3:25

Name: Anonymous 2008-07-10 4:07

Study some malware, I know the Storm botnet one does this to hide itself from processes.

It hooks LdrpInitOnLoadEntry() or something like that.

Name: Anonymous 2009-08-16 22:34

Lain.

Name: Anonymous 2009-08-16 23:01

Lain.

Name: Sgt.Kabukiman 2012-05-24 10:32

All work and no play makes Jack a dull boy

Name: bampu pantsu 2012-05-29 4:06

bampu pantsu
