简体繁体 English

我怎么知道何时创建进程并停止执行该进程或在Windows中终止该进程？

[英]How can i know when a process is being created and stop it from being executed or terminated it in windows?

原文 2013-11-25 12:20:27 2 3 c#/ c++/ windows

I am trying to create an application where it checks all running process against a white-list and any processes which is not in the list would get terminated. 我正在尝试创建一个应用程序，其中它针对白名单检查所有正在运行的进程，并且不在列表中的所有进程都会被终止。
my thought was first try to use tasklikst command and get the list in lets say each second and check it against the list. 我的想法是首先尝试使用tasklikst命令并获取列表，让我们每秒说一次并对照列表进行检查。
Then i thought it would be a better idea to check even sooner, when a process is created and is not yet executed, there we check it against our list and then if not in the list terminate it. 然后，我认为最好是更早检查，当一个进程被创建并且尚未执行时，我们在列表中进行检查，如果不在列表中，则终止它。 So how can i go about it? 那我该怎么办呢？
Which way do you suggest to tackle this issue? 您建议采用哪种方式解决此问题？
I am also skeptical by which language to do it, C++ or C#? 我也对使用哪种语言（C ++或C＃）表示怀疑？ Will it make any difference in this case at all? 在这种情况下是否有任何不同？

3 个解决方案

The simplest way in C# would be to just use Process.GetProcesses periodically, and then kill any you want dead using Process.Kill. C＃中最简单的方法是定期使用Process.GetProcesses，然后使用Process.Kill杀死所有您想死掉的东西。 However, do note that the process could be in the middle of doing some work when you kill it - it will only help you against games (etc.), not against malicious software. 但是，请注意，该过程可能会在您杀死某些工作的过程中进行-只会帮助您对抗游戏（等），而不是针对恶意软件。 Also, don't forget that the user could just rename the exe file to something like "notepad.exe". 另外，不要忘记用户可以将exe文件重命名为“ notepad.exe”。 If that is an issue, you can check the full path to the executable instead of just the file name. 如果这是一个问题，则可以检查可执行文件的完整路径，而不仅仅是文件名。

If you want a smarter way, without polling, you can create a hook on the start process call - see Monitor process start in the system . 如果您想要一种更智能的方式而不进行轮询，则可以在启动流程调用上创建一个钩子-请参阅在系统中监控进程启动。 This way, you can actually prevent the process from running in the first place. 这样，您实际上可以首先阻止该进程运行。

You can implement this in C++ or C#, this doesn't really matter. 您可以在C ++或C＃实现这一点，这其实并不重要。 Choose the one you are most comfortable with. 选择最适合的一种。 Here is an algorithm: 这是一个算法：

Set up a timer or scheduled task or anything like that that will execute the code once in a while 设置计时器或计划任务或类似的任务，以偶尔执行一次代码
Enumerate processes 枚举过程
For each found process check the name against the white-listed dictionary 对于每个找到的进程，请根据白名单中的字典检查名称
Attempt to kill a process 试图杀死一个进程

In C# you can use Process class to enumerate and kill. 在C＃中，您可以使用Process类进行枚举和杀死。

Now things to understand: 现在要了解的事情：

Your application may not have sufficient privileges to enumerate or kill other applications 您的应用程序可能没有足够的特权来枚举或杀死其他应用程序
Your code will likely to demand Admin privileges 您的代码可能需要管理员权限
Things may get complicated if running in an Active Directory set up with group policies 如果在使用组策略设置的Active Directory中运行，事情可能会变得复杂
Virus or other undesired applications can "inject" their code into something well-known or innocent apps (that is into one of your white-listed applications) 病毒或其他不受欢迎的应用程序可以将其代码“注入”到知名或无辜的应用程序中（即您列入白名单的应用程序之一）
You will fail to kill most of the system tasks, so just don't attempt that 您将无法杀死大多数系统任务，所以不要尝试
Check support for globalization, process names can get changed 检查对全球化的支持，可以更改进程名称
Relying solely on names is a poor practice. 仅仅依靠名字是一种不好的做法。 If you want to check authenticity, you should rely on some crypto signatures, and of course that is a pain to maintain, as the apps get updated. 如果要检查真实性，则应依赖一些加密签名，随着应用程序的更新，这当然很难维护。

Given the last paragraph, the solution you attempt to implement is pretty basic. 鉴于最后一段，您尝试实现的解决方案非常基本。 Nothing will stop a user just to kill your application. 没有什么能阻止用户杀死您的应用程序。 Or rename a virus application to something standard. 或者将病毒应用程序重命名为某种标准。 It looks pretty much like "security through obscurity", which has some benefits, but is really weak in terms of defense strength. 它看起来很像“默默无闻的安全性”，虽然有一些好处，但在防御能力上确实很弱。

One technique is to create a global hook DLL using SetWindowsHookEx , which will be injected into every process. 一种技术是使用SetWindowsHookEx创建全局钩子DLL，它将被注入到每个进程中。 This way you'll get notification for any new processes, and you can take action however you want. 这样，您将收到有关任何新流程的通知，并且可以根据需要采取措施。

Of course you need to make this DLL as lightweight as possible considering it will be loaded into every process, ever. 当然，您需要使该DLL尽可能轻巧，因为它将被加载到每个进程中。 But I still think this would be slimmer than polling constantly, or IAT patching. 但是我仍然认为这比持续轮询或IAT修补程序更苗条。