
To protect my program I'd like to have a check that detects any program that executes OpenProcess with my PID. I want to prevent other programs from easily getting a handle to my program.

What options do I have? (WinAPI and so on) Does my program receive any notification as soon as another program uses OpenProcess?

Thanks

Nicolai

1 Answer


What options do I have? (WinAPI and so on) Does my program receive any notification as soon as another program uses OpenProcess?

No, OpenProcess happens in the kernel, and runs completely without interaction with the process being opened. Since it is used by debuggers (which it is intended for) and could happen when your process is stuck or hung, it would be impractical to have some sort of need for your process to be "aware" that it's been opened.

Your only option (and that's a bad one) is to use some form of intercept on the OpenProcess system call. Note that there are valid uses for OpenProcess, and I think many virus scanners use this at some point or another - preventing that would quite possibly send the virus scanner into "I've been attacked" mode.

And if you think you can do this in a way that can't be quite easily circumvented, then you are deluding yourself. It wouldn't be terribly hard to put ANOTHER layer of hooks into the OpenProcess system call that skips over your interference, and just calls the "real" OpenProcess. So, assuming your program is REALLY interesting to open, someone will find a way to do that...

Mats Petersson
  • Okay, thank you! Is there any option to see if any process has an open handle to my process? EnumProcesses + another function, maybe? Can I see if the program has the SeDebugPrivilege Token enabled? – Nicolai Jun 19 '13 at 09:12
  • Not that is reliable and isn't going to quite trivially be overridden by someone that knows what they are doing. – Mats Petersson Jun 19 '13 at 09:13
  • Okay, it's just about the theory so I don't mind if it gets overridden: Do you have any hints? :) – Nicolai Jun 19 '13 at 09:29
  • Well, if you are only doing something that doesn't matter, then hook into `OpenProcess`, if it's "your pid", return "no such process". No, I'm not going to write the code for you - I'm sure 30 seconds of googling will find it, if a search here doesn't. – Mats Petersson Jun 19 '13 at 09:32
  • Yeah, code is not required. I'll take a look into some more stuff. Thanks. :) – Nicolai Jun 19 '13 at 09:36
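The "hook OpenProcess and return 'no such process' for your PID" idea from the comments, written out as an added example (this is not code from the question, the answer, or any project the page mentions). It assumes Microsoft Detours for the user-mode hook, that the DLL has been loaded into the *opening* process by some injection mechanism not shown here, and that the PID to hide is passed in an environment variable I named HIDE_PID. It goes one step beyond the comment: instead of hiding the PID from everyone, it refuses only access masks that grant memory, thread or handle control, and lets query-only opens through, which addresses the answer's point about virus scanners and monitoring tools that merely enumerate processes. The policy function is portable and can be exercised anywhere; the Windows-specific hook is guarded by _WIN32.

```cpp
// Added example, not part of the original page. User-mode OpenProcess hook
// built on Microsoft Detours. Assumptions: Detours is available, the DLL is
// injected into the process that calls OpenProcess, and the protected PID
// arrives in the environment variable HIDE_PID (a name chosen for this example).
#include <cstdint>
#include <cstdlib>

#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#else
// Access-mask bits as defined in WinNT.h, so the policy compiles and can be
// exercised on a non-Windows host.
typedef uint32_t DWORD;
#define PROCESS_TERMINATE                  0x0001
#define PROCESS_CREATE_THREAD              0x0002
#define PROCESS_VM_OPERATION               0x0008
#define PROCESS_VM_READ                    0x0010
#define PROCESS_VM_WRITE                   0x0020
#define PROCESS_DUP_HANDLE                 0x0040
#define PROCESS_SET_INFORMATION            0x0200
#define PROCESS_QUERY_INFORMATION          0x0400
#define PROCESS_SUSPEND_RESUME             0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000
#define MAXIMUM_ALLOWED                    0x02000000
#define GENERIC_ALL                        0x10000000
#endif

// Rights that let a caller read or modify memory, inject code, duplicate
// handles, or otherwise control the target. Query-only rights stay allowed so
// Task Manager, monitoring agents and AV engines that only enumerate
// processes keep working.
static const DWORD kDangerousRights =
    PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
    PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE |
    PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME |
    MAXIMUM_ALLOWED | GENERIC_ALL;

// Policy: should OpenProcess(desiredAccess, ..., pid) be refused?
// True only for the protected PID when the mask contains a dangerous right;
// every other call passes through to the real function untouched.
bool ShouldDenyOpen(DWORD desiredAccess, DWORD pid, DWORD protectedPid) {
    if (protectedPid == 0 || pid != protectedPid) return false;
    return (desiredAccess & kDangerousRights) != 0;
}

#ifdef _WIN32
static DWORD g_protectedPid = 0;

// Detours rewrites this pointer to a trampoline that reaches the real code.
static HANDLE (WINAPI *RealOpenProcess)(DWORD, BOOL, DWORD) = OpenProcess;

static HANDLE WINAPI HookedOpenProcess(DWORD desiredAccess, BOOL inherit, DWORD pid) {
    if (ShouldDenyOpen(desiredAccess, pid, g_protectedPid)) {
        // Report what the real call reports for a PID that does not exist.
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    return RealOpenProcess(desiredAccess, inherit, pid);
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (DetourIsHelperProcess()) return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        if (const char *p = getenv("HIDE_PID"))
            g_protectedPid = (DWORD)strtoul(p, NULL, 10);
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID &)RealOpenProcess, (PVOID)HookedOpenProcess);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID &)RealOpenProcess, (PVOID)HookedOpenProcess);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Two caveats the answer already implies and this code does not change: the hook only governs processes the DLL is actually loaded into (installing it in your own process protects nothing, since the opener is someone else), and anyone who calls NtOpenProcess directly, issues the syscall themselves, or layers their own hook over this one reaches the kernel unhindered. Refusing only dangerous rights keeps the stock monitoring tools on the machine working, but a caller that asks for PROCESS_QUERY_LIMITED_INFORMATION first and escalates later is still not stopped.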