Recursively hook child processes by hooking function CreateProcess

Jan 23, 2009 at 11:56 AM
Edited Jan 23, 2009 at 11:58 AM

I found EasyHook by searching some other documents. It's really nice and helpful. Thanks a lot for your great project!

In some cases I may need to recursively hook APIs from the child processes. So my approach is to hook the function CreateProcess and inject EasyHook into the new process. I found that the function RhCreateAndInject may be able to achieve it, but it may not be able to pass all the information to the new process. Microsoft Detours has the function DetoursCreateProcess (something like that), which accepts all the parameters of CreateProcess and has its own callback. If I want to recursively hook child processes, how do I accomplish this with EasyHook?

(I'm using the unmanaged APIs.)

Jan 23, 2009 at 4:11 PM
I have no clue what you are going to do ;-)...

Could you explain your thoughts with an example or with more details (pseudo code or whatever)?
Jan 24, 2009 at 3:30 AM
Edited Jan 24, 2009 at 3:59 AM

For example, I have an application called "ShortcutHost", which manages the shortcuts of other applications. I may invoke some other applications by clicking buttons on the GUI of ShortcutHost. I injected EasyHook into ShortcutHost and monitor the file open/close operations. Furthermore, I want to monitor all the file open/close operations of child processes. If I open Notepad from ShortcutHost and Notepad saves a file, I still want to monitor the file open/close from Notepad without the user explicitly injecting EasyHook.
My approach is to hook the function "CreateProcess" in ShortcutHost and inject EasyHook when a new application is launched from ShortcutHost. RhCreateAndInject doesn't have all the parameters of CreateProcess. So I have to either discard some parameters of CreateProcess, or use CreateProcess to create a suspended process and then inject easyhook.dll. In Microsoft Detours, the API is:

BOOL DetourCreateProcessWithDll(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPCSTR lpDetouredDllPath,
LPCSTR lpDllName,

And some information from the help file:

DetourCreateProcessWithDll creates a new process with the specified DLL inserted into it.

The process is created in a suspended state with the CREATE_SUSPENDED flag to CreateProcess. Detours then modifies the image of the application binary in the new process to include the specified DLL as its first import. Execution in the process is then resumed. When execution resumes, the Windows process loader will first load the target DLL and then any other DLLs in the application's import table, before calling the application entry point.

DetourCreateProcessWithDll modifies the in-memory import table of the target PE binary program in the new process it creates. The updated import table will contain a reference to function ordinal #1 exported from the target DLL.

Jan 24, 2009 at 4:00 AM
Finally, I think CreateProcess with the suspend flag, then injecting the DLL, should work for me. I'll try this library soon and let you know the result.
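The approach this post settles on (force CREATE_SUSPENDED, create the child with all of the caller's parameters, inject, then let the child run), as an added example that is not part of this thread or of EasyHook. The hook body is written against a small call interface so it compiles on any host: on Windows the three callbacks would be bound to the EasyHook bypass of the original CreateProcessW, to RhInjectLibrary (whose InWakeUpTID parameter exists for the suspended-child case) and to ResumeThread; the recorder below is a constructed stand-in for those calls, and the names procapi_t, child_t, create_and_inject and run_scenario are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

#define CREATE_SUSPENDED 0x00000004u  /* real Win32 value, redefined for portability */
typedef struct { uint32_t pid, tid; } child_t;  /* dwProcessId / dwThreadId */

/* Calls the wrapper goes through. On Windows: create = EasyHook's bypass of the
 * original CreateProcessW (all parameters pass through; only dwCreationFlags is
 * modelled), inject = RhInjectLibrary with the child's TID as InWakeUpTID
 * (child resumes once the DLL is in), resume = ResumeThread. */
typedef struct {
    bool (*create)(void *ctx, uint32_t flags, child_t *out);
    bool (*inject)(void *ctx, uint32_t pid, uint32_t wake_tid);
    void (*resume)(void *ctx, uint32_t tid);
    void *ctx;
} procapi_t;

/* Body of the CreateProcess hook. Returns what the caller expects from
 * CreateProcess; *injected reports whether the child is actually hooked. */
bool create_and_inject(const procapi_t *api, uint32_t caller_flags,
                       child_t *out, bool *injected)
{
    *injected = false;
    /* 1. Force CREATE_SUSPENDED so no child code runs before the DLL is loaded
     *    (a caller-requested CREATE_SUSPENDED is not preserved: the injector must
     *    wake the initial thread; Detours' import-table method has no such limit). */
    if (!api->create(api->ctx, caller_flags | CREATE_SUSPENDED, out))
        return false;                     /* CreateProcess failed: pass it on */
    /* 2. Inject; the injector wakes the initial thread only after the DLL is in. */
    if (api->inject(api->ctx, out->pid, out->tid)) {
        *injected = true;
        return true;
    }
    /* 3. Injection failed: resume the child unhooked rather than leaving it parked
     *    forever, and let the monitor see the gap through *injected. */
    api->resume(api->ctx, out->tid);
    return true;
}

/* Constructed recorder standing in for the Win32 calls; records the call order
 * as 1-based step numbers (0 = never called) so the sequence can be checked. */
typedef struct { bool create_ok, inject_ok, ret, injected; uint32_t flags_seen;
                 int step, create_at, inject_at, resume_at; } rec_t;
static bool rec_create(void *c, uint32_t f, child_t *o) { rec_t *r = c; r->flags_seen = f;
    r->create_at = ++r->step; o->pid = 4242; o->tid = 4243; return r->create_ok; }
static bool rec_inject(void *c, uint32_t pid, uint32_t tid) { rec_t *r = c;
    r->inject_at = ++r->step; return r->inject_ok && pid == 4242 && tid == 4243; }
static void rec_resume(void *c, uint32_t tid) { rec_t *r = c; (void)tid; r->resume_at = ++r->step; }

rec_t run_scenario(uint32_t caller_flags, bool create_ok, bool inject_ok)
{   /* runs the hook body once against the recorder and returns what it saw */
    rec_t r = { .create_ok = create_ok, .inject_ok = inject_ok };
    procapi_t api = { rec_create, rec_inject, rec_resume, &r };
    child_t child = { 0, 0 };
    r.ret = create_and_inject(&api, caller_flags, &child, &r.injected);
    return r;
}
```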
Oct 4, 2009 at 12:40 AM

I have the same problem as you; I want to recursively hook APIs from the child processes.
So please, can you help me? What was your approach to solving this case?
Thanks a lot.
Best regards.

Aug 2, 2010 at 11:28 PM
Aladdina wrote:
Finally I think CreateProcess with suspend flag, then inject the dll should work for me. I'll try this library soon and let you know the result.

Any progress on this? I also want to know how EasyHook inserts the DLL into child processes recursively. Thanks!