Recursive process monitoring

Jul 10, 2009 at 2:09 AM

Hi guys,

I'm just wondering if there's a not-too-difficult way of recursively monitoring processes for files those processes open.

For example, I need to start gcc.exe and see what files it opens, but gcc.exe spawns cc1.exe and I need to see what files it opens too. EasyHook doesn't do this by default -- presumably because you'd have to hook CreateProcess and do some fancy re-injection into the subprocess ... is this even possible?

With strace under Linux it seems to trace API calls of child processes automatically, and that's the behaviour I'm trying to match.

---Cheers, Ben

Jul 16, 2009 at 6:22 AM

It does work to recursively monitor processes by hooking CreateProcess and reinjecting! I did try it and it runs fine. One issue is that the EasyHook dll uses CreateProcess to fork the child. In your hooked target, you may need to hook not only CreateProcess but also CreateProcessAsUser / CreateProcessWithLogon / CreateProcessWithToken and redirect the calls to EasyHook. You may need to modify EasyHook to handle the additional parameters of those APIs.

It is not too difficult, but it may need a change to the interface of the library. Chris, will you support it in the future?

Jul 16, 2009 at 7:49 PM

Thanks, foonson, that's really neat.

Out of curiosity, what's your application? Are you using the managed or the unmanaged API? I don't suppose you can post the relevant snippet of code?

Jul 17, 2009 at 1:40 AM

We use native unmanaged C++. We make something to monitor and control the behaviour of applications by API hooking.