1

I have a list of CRC32 or MD5 checksums of some apps. I will disable the execution of these apps from a Delphi app. So I need to create a system-wide hook for CreateProcess (or CreateProcessW?) inside a DLL to make this hook system-wide. And while my app is running, be notified of all executed apps, calculate their hash, compare it with my list, and allow/disallow their execution. Any tip on how to make a DLL that creates a hook for CreateProcess and use it from a Delphi app?

Thanks, and sorry for my poor English!

Wo_0NDeR ᵀᴹ

  • Exactly for this task there exists [`PsSetCreateProcessNotifyRoutineEx`](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559953(v=vs.85).aspx). This is a task for a driver, not for user mode. – RbMm Nov 27 '17 at 12:07
  • I'll just kill your process. How will you react to that? – David Heffernan Nov 27 '17 at 12:11
  • You know that CRC32 and MD5 are totally insecure? One can easily create (or modify an existing) EXE so that it matches one of the given CRC32/MD5 hashes. A better choice would be one of the [SHA-2](https://en.wikipedia.org/wiki/SHA-2) algorithms. – zett42 Nov 28 '17 at 11:11

2 Answers

4

You can't just hook kernel-level functions like you described; that would be horrible for the OS. You can, however, get close to that by injecting every process with your DLL, but it wouldn't work in your case because you need a hook before an arbitrary process even gets a chance to start. So as far as I know, there are two "proper" ways to do this (i.e. using documented APIs):

  1. Using File System Filter Drivers. So you're gonna need the DDK to develop a driver to perform this task. This is most likely what anti-virus software uses to block app execution, etc. It seems to be the most compatible across Windows versions, and also the intended way.

  2. Using AppLocker. This is more of a systems administrator tool, but with enough fiddling with its PowerShell API, you can actually create rules for application and/or script execution policies. This is probably a messier approach to take when doing this programmatically. It's also less compatible between Windows versions (7 and up only).

This question might interest you: How to trap file access attempts with a filter driver (kernel) and offer dialog to allow/deny (user)?

drescherjm
Toribio
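The AppLocker route from option 2, as an added example (not code from the question or this answer): a PowerShell script that builds a deny-by-hash policy for a list of executables, keeps everything else allowed, and test-runs the policy before applying it. It assumes an elevated PowerShell 5.1+ session with the AppLocker module; the paths in `$denyList` are placeholders.

```powershell
# Added example, not code from the question or the answers: build an AppLocker
# policy that denies the listed executables by hash (SHA256, which AppLocker
# uses natively), keeps everything else allowed, and dry-runs it before applying.
# Assumed: elevated PowerShell 5.1+ with the AppLocker module; $denyList paths are placeholders.
Import-Module AppLocker

$denyList   = @('C:\Path\To\blocked1.exe', 'C:\Path\To\blocked2.exe')  # placeholders
$policyPath = Join-Path $env:TEMP 'deny-by-hash.xml'

# Let AppLocker compute the hash: for PE files it is not a plain SHA-256 over the
# raw bytes, so a hash produced by another tool would not match at enforcement time.
$hashRules = foreach ($exe in $denyList) {
    $info = Get-AppLockerFileInformation -Path $exe
    $hash = $info.Hash.HashDataString          # "0x..." hex string
    $len  = (Get-Item -LiteralPath $exe).Length
    $name = Split-Path -Path $exe -Leaf
@"
    <FileHashRule Id="$([guid]::NewGuid())" Name="Deny $name" Description="Blocked by hash"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="$hash" SourceFileName="$name" SourceFileLength="$len" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
"@
}

# Once the Exe collection is enforced, AppLocker blocks anything no rule allows, so an
# explicit allow-all path rule is needed; Deny rules still take precedence over Allow.
# Use EnforcementMode="AuditOnly" first to only log what would be blocked.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everything else" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($hashRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -LiteralPath $policyPath -Encoding UTF8

# Dry run: every listed binary should come back with PolicyDecision = Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $denyList -User Everyone

# Apply by merging into the local policy; the Application Identity service (AppIDSvc)
# must be running for AppLocker to enforce anything.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Because AppLocker blocks by its own file hash rather than by CRC32/MD5, an existing MD5 list cannot be imported directly; the binaries have to be re-hashed with `Get-AppLockerFileInformation` as shown.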
2

You can use the Windows Software Restriction Policies (SRP) for this.

System requirements:
Software restriction policies can only be configured on and applied to computers running at least Windows Server 2003, and at least Windows XP.

You just need to create some group policy objects with rules. Use the Group Policy API for that.

A German magazine wrote some software which does the same thing you want. Here is their (German) homepage:

Restric'tor: Profi-Schutz für jedes Windows

(English translation)

Remy Lebeau
coding Bott
  • Thanks a lot, but please, I need some help with code. I'm more of a web developer; I use Delphi to make desktop apps to manage data, etc. The API/hook world is obscure to me at the moment. – Wo_0NDeR ᵀᴹ Nov 28 '17 at 05:53
  • SRP is not a hook, and it's less complicated compared to a hook/kernel driver (which you can't do in Delphi). I'm sorry I cannot provide a complete solution here. Maybe as a web developer you should ask a Windows developer to do this. You will need a lot of knowledge of the Windows API. If you only have a list, then use the Windows built-in group policy administrator UI. https://www.youtube.com/watch?v=X_58wemtJZA – coding Bott Nov 28 '17 at 08:18