Hooking process creation/destruction not capturing all processes

[kdschlosser]

I have downloaded and compiled Deviare from source.
Windows 7 x64 SP1
Python 2.7.9 Stackless 32bit
pywin32 220

when running the following code not all process creation/destruction notifications show. There are specific process that i am looking for that happen very quickly and some of them are getting passed by. I have tested this in many different ways. but in this example I am using threading.Event() to stall the process creation. but it seems to be the "sweet spot" 0.728 seconds. with 4 creation and 4 destruction notifications out of 10 processes created and destroyed.

please excuse the code this is for testing purposes and wasn't meant to be pretty

import os
import win32com.client
import ctypes
import sys
import threading

dllPath = os.path.join(os.path.split(__file__)[0], 'DeviareCOM.dll')
dll = ctypes.windll[dllPath]
dll.DllRegisterServer()


class ProcessEvents:

    def OnProcessStarted(self, pyPID):
        process = win32com.client.Dispatch(pyPID)

        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName

        print 'OnProcessStarted:', name, pid, user

    def OnProcessTerminated(self, pyPID):
        process = win32com.client.Dispatch(pyPID)
        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName

        print 'OnProcessTerminated:', name, pid, user

win32com.client.pythoncom.CoInitialize()

processManager = win32com.client.DispatchWithEvents("DeviareCOM.NktSpyMgr", ProcessEvents)
processManager.Initialize()

hook = processManager.CreateHook("kernel32.dll!CreateProcess", 0)
hook.Hook(True)

event = threading.Event()
event.set()


def run():
    while event.isSet():
        pass

    for i in range(10):
        os.system("cmd /c echo Test")
    event.wait(0.0728)


threading.Thread(target=run).start()

MessageBox = ctypes.windll.user32.MessageBoxW
event.clear()
MessageBox(None, "", "", 0)

I am not sure if this is normal behavior please advise

[mxmauro]

Hi @kdschlosser, yes it is. Because on usermode all notifications are async and/or you have to poll for new/destroyed processes, the chance of miss a short-live process exists.

The only reliable alternative is to create a kernel driver to suscribe for process creation/deletion events.

You can also suscribe to WMI process events but still exists the chance of miss some events.

[kdschlosser]

@mxmauro
Thanks for the fast reply. I do have a couple of questions if ya don't mind and have a spare couple of minutes.. And I am going to apologize for my lack of knowledge ahead of time. I am still newish to programming. I have heard the term user mode and I know what the kernel is. I don't know how communications between them work.

I had thought that this line "kernel32.dll!CreateProcess" meant that i was dealing with the kernel. my assumption now is that I am but doing so via usermode. tell me if i am wrong here. and by creating a driver this driver would be able to communicate directly.

Now my questions would be can this driver be "initialized" from code. and be shutdown from code. and on an x64 system would i have an issue with driver signing??

WMI is slow. and also puts a polling load on the CPU and does miss things.

I am looking for something that will not put excessive load on the CPU... for instance.. a polling rate of .01 seconds on my machine causes a 5% jump in CPU usage and this is really not a good thing because the impact would be a lot more on a lesser computer. and I need something that can be installed .. and removed.. from code (not an installer). I do not know how the whole thing with driver signing works. but if the machine would have to have test signing turned on and integrity checks turned off.. it wouldn't work either.

If you know of something that would fit point me in the direction please.

[Helios-vmg]

kernel32.dll is just a user-mode DLL that implements system-related functions. See https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#KERNEL32.DLL
By hooking CreateProcess(), all you're doing is getting a callback when a specific process calls that particular user-mode function. That's all.

And yes, should you choose to go the driver route, you will need to sign your driver in order for it to be loaded on systems that haven't been configured to load testing drivers.