What calls are used to start a Windows executable?


Question

I'm attempting to write some software to vet processes, and stop unwanted processes from starting. In order to do this, I plan to hook various system calls (using Win32 C++) so I can check the application at various startup stages. The particular calls I'm interested in are:

* When the system receives a filename to load into memory (for an executable)
* When the system loads the process into memory (so I can do a checksum on it)

And then I plan to check it after it's started, which is probably a simpler task.

Is there a list of relevant calls I can check, or can someone tell me which calls correspond to these tasks?

Answers

Whenever the PC is turned on, the BIOS takes control and performs a lot of operations. It checks the hardware, ports, etc., and finally loads the MBR program into memory (RAM).
Now the MBR takes control of the booting process. The functions of the MBR, when only one OS is installed in the system, are as given below:

* The boot process starts by executing code in the first sector of the disk, the MBR.
* The MBR looks over the partition table to find the active partition.
* Control is passed to that partition's boot record (PBR) to continue booting.
* The PBR locates the system-specific boot files (such as WinXP ntoskrnl).
* Then these boot files continue the process of loading and initializing the rest of the OS.

But whenever there are multiple OSes, be it multiple Windows installations or Windows with Linux, the boot process will be slightly different.

I think that you definitely need to read the following article:
How to develop your own Boot Loader

It just highlights some interesting points for you.
This article is for those who have always been interested in the way different things work. It is for those developers who usually create their applications in high-level languages such as C/C++, but are faced with the necessity to develop something at low level. This article is about low-level programming, using the example of working at system loading.
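As an added example (not part of the answer above or of the linked article), the MBR step of that sequence in C: the code validates the sector's boot signature and locates the single entry flagged active, which is the partition whose PBR the MBR would load next. The 512-byte sector, its NTFS type byte and its LBA values are constructed for this example, not read from a real disk.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PART_TABLE_OFFSET 0x1BE   /* four 16-byte entries live at 0x1BE..0x1FD */

/* Decoded fields of one MBR partition-table entry. */
typedef struct {
    uint8_t  type;          /* partition type byte, e.g. 0x07 = NTFS */
    uint32_t start_lba;     /* first sector of the partition, where its PBR sits */
    uint32_t sector_count;
} mbr_entry;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirror the MBR step of the boot sequence: check the 0x55AA signature, then
 * scan the table for the entry flagged active (boot indicator 0x80).
 * Returns the entry index 0-3 on success; -1 if the signature is missing,
 * -2 if nothing is marked active, -3 if more than one entry is (ambiguous). */
int mbr_find_active(const uint8_t sector[SECTOR_SIZE], mbr_entry *out) {
    if (sector[510] != 0x55 || sector[511] != 0xAA) return -1;
    int found = -2;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PART_TABLE_OFFSET + 16 * i;
        if (e[0] != 0x80) continue;
        if (found >= 0) return -3;
        found = i;
        if (out) {
            out->type = e[4];
            out->start_lba = rd32le(e + 8);
            out->sector_count = rd32le(e + 12);
        }
    }
    return found;
}

/* Constructed sample sector (not taken from a real disk): entry 0 inactive,
 * entry 1 active NTFS starting at LBA 2048 and 1048576 sectors long. */
void make_sample_mbr(uint8_t sector[SECTOR_SIZE]) {
    static const uint8_t inactive[16] = {0x00,0,0,0, 0x07,0,0,0, 0x00,0x08,0x10,0x00, 0x00,0x00,0x10,0x00};
    static const uint8_t active[16]   = {0x80,0,0,0, 0x07,0,0,0, 0x00,0x08,0x00,0x00, 0x00,0x00,0x10,0x00};
    memset(sector, 0, SECTOR_SIZE);
    memcpy(sector + PART_TABLE_OFFSET, inactive, 16);
    memcpy(sector + PART_TABLE_OFFSET + 16, active, 16);
    sector[510] = 0x55; sector[511] = 0xAA;
}
```

The same function run over a sector read from a disk image is a quick forensic check that the table is well-formed and that exactly one partition is bootable.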


I never did such a hack but I guess you are searching for something like this:
Hooking the native API and controlling process creation on a system-wide basis
Read the user comments below the article too! Those might also contain some useful info for you. Usually antivirus software does what you wanna do. Some of them check the file when you open it, and either the open or the read operation fails if the file is infected!


