在系统中监控进程启动 [英] Monitor process start in the system

问题描述

有没有办法在进程启动之前监控系统中启动的进程?

Is there a way to monitor processes starting in the system before they start?

示例:
在 ZoneAlarm 或 Antivirus 程序等程序中，当您运行某个程序时，它会询问您是否允许运行该程序，然后再运行...

Example:
On programs like ZoneAlarm or Antivirus programs, when you run a program it asks you if you allow running this program or not before it runs...

推荐答案

有几种方法可以做到这一点.如果您只需要跟踪来自特定程序(或几个程序)的进程创建，这里提到的 EasyHook/Detours 方法将工作得很好，但您实际上需要在 CreateProcess 上安装一个钩子到每个程序中，所以它不是如果您想跟踪系统中的所有进程创建，这是一个很好的解决方案.

There's a few ways to do this. If you only need to track process creation coming from a specific program (or a few programs), the EasyHook/Detours method mentioned here will work pretty well, but you effectively need to install a hook on CreateProcess into each program, so it's not a great solution if you want to track all process creation in the system.

在基于 NT 的 Windows 变体 (NT/2000/XP/Vista) 中有一个特定的 API，称为 PsSetCreateProcessNotifyRoutine().不幸的是，您只能从ring0 调用此函数，因此需要在驱动程序中完成.这篇 CodeProject 文章中有一个方便的解释(和代码):http://www.codeproject.com/KB/threads/procmon.aspx.

There's a specific API for this in NT-based Windows variants (NT/2000/XP/Vista) called PsSetCreateProcessNotifyRoutine(). Unfortunately, you can only call this function from ring0, so it needs to be done in a driver. There's a handy explanation (and code) in this CodeProject article: http://www.codeproject.com/KB/threads/procmon.aspx.

AFAIK，这只是一个通知，它本身并不能让您告诉系统是否应该创建进程.但是，如果您需要这样做，您可以在您的代码决定是否终止该进程时暂停该进程(例如，通过将其作为调试器附加到该进程).

AFAIK, this is just a notification, and does not by itself allow you to tell the system whether the process should be created or not. However, if you needed to do this, you could pause the process (e.g. by attaching to it as a debugger) while your code decides whether to kill it or not.

这篇关于在系统中监控进程启动的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！