Receiving null command line for COM processes

  • Question

  • Hi All,

I am trying to get the command line of a process in a PsSetCreateProcessNotifyRoutineEx callback routine, as I want the command line of the process so that I can retrieve a file path from it.

1. I get the proper command line for non-COM-based processes.

2. But with COM-based processes (MS Excel) I receive a NULL command line, because COM uses late binding to load any file.

So I need the command line of the process in the PsSetCreateProcessNotifyRoutineEx routine. Please help. Thanks

    Babaloo




    • Edited by babalooH Wednesday, February 10, 2016 7:31 AM
    Wednesday, February 10, 2016 7:28 AM
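The following is an added example, not code from the thread or from any of its participants. It shows the part of the job the question describes: pulling a document path out of the command line the way a PsSetCreateProcessNotifyRoutineEx callback would have to from CreateInfo->CommandLine, and reporting, rather than dereferencing, the NULL command line that the question observes for COM-activated Excel. The UNICODE_STRING below is a stand-in for the WDK type that keeps its contract (Length counted in bytes, buffer not NUL-terminated, Buffer possibly NULL) so the code builds with an ordinary C11 compiler; the sample command lines are constructed, and the quoting rule implemented is only "double quotes group an argument containing spaces", as a shell verb such as `"%1"` produces, not the full CommandLineToArgvW backslash rules.

```c
/* Added example (not from the thread). Stand-in for the WDK's UNICODE_STRING:
 * Length is in bytes, the buffer is not NUL-terminated, Buffer may be NULL. */
#include <stddef.h>
#include <stdio.h>
#include <uchar.h>

typedef char16_t WCHAR;                 /* 16-bit, like the Windows WCHAR */
typedef struct _UNICODE_STRING {
    unsigned short Length;              /* bytes, not characters; no terminator */
    unsigned short MaximumLength;
    const WCHAR   *Buffer;              /* may be NULL */
} UNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

enum cl_status {
    CL_OK = 0,
    CL_NULL_COMMAND_LINE,   /* the COM-activation case from the question */
    CL_NO_DOCUMENT_ARG,     /* e.g. "EXCEL.EXE /dde": the document arrives later */
    CL_BUFFER_TOO_SMALL
};

/* Reads the next space-delimited argument starting at *pos, honouring double
 * quotes (which are stripped). Returns 1 and advances *pos when an argument was
 * produced, 0 at end of input. Writes at most outcap-1 chars plus a NUL and
 * sets *truncated if the argument did not fit. Never reads past n chars. */
static int next_arg(const WCHAR *s, size_t n, size_t *pos,
                    WCHAR *out, size_t outcap, int *truncated)
{
    size_t i = *pos, o = 0;
    int in_quotes = 0;
    *truncated = 0;
    while (i < n && s[i] == u' ')
        i++;
    if (i >= n) {
        *pos = i;
        return 0;
    }
    for (; i < n; i++) {
        WCHAR c = s[i];
        if (c == u'"') { in_quotes = !in_quotes; continue; }
        if (c == u' ' && !in_quotes) break;
        if (o + 1 < outcap) out[o++] = c; else *truncated = 1;
    }
    out[o] = 0;
    *pos = i;
    return 1;
}

/* Returns the first argument after argv[0] that is not a switch (/x or -x) as
 * a NUL-terminated string in out. A NULL or empty command line is reported,
 * not dereferenced: the callback then knows only CreateInfo->ImageFileName,
 * and the document name has to come from somewhere else. */
enum cl_status document_from_command_line(PCUNICODE_STRING cmdline,
                                          WCHAR *out, size_t outcap)
{
    if (outcap == 0)
        return CL_BUFFER_TOO_SMALL;
    out[0] = 0;
    if (cmdline == NULL || cmdline->Buffer == NULL || cmdline->Length == 0)
        return CL_NULL_COMMAND_LINE;

    const WCHAR *s = cmdline->Buffer;
    size_t n = cmdline->Length / sizeof(WCHAR);   /* Length is in bytes */
    size_t pos = 0;
    int truncated = 0, first = 1;
    while (next_arg(s, n, &pos, out, outcap, &truncated)) {
        if (first) { first = 0; continue; }        /* argv[0]: the image itself */
        if (out[0] == 0 || out[0] == u'/' || out[0] == u'-')
            continue;                               /* "" or a switch */
        return truncated ? CL_BUFFER_TOO_SMALL : CL_OK;
    }
    out[0] = 0;
    return CL_NO_DOCUMENT_ARG;
}

/* Helpers for building input and checking results. */
size_t u16len(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }
int u16eq(const WCHAR *a, const WCHAR *b)
{
    while (*a && *a == *b) { a++; b++; }
    return *a == *b;
}
UNICODE_STRING us_from_literal(const WCHAR *lit)
{
    UNICODE_STRING u;
    u.Length = (unsigned short)(u16len(lit) * sizeof(WCHAR));
    u.MaximumLength = u.Length;
    u.Buffer = lit;
    return u;
}
static void print_u16(const WCHAR *s)
{
    for (; *s; s++)
        putchar(*s < 0x80 ? (int)*s : '?');
}

int main(void)
{
    /* Constructed command lines, not captured from a real system. */
    UNICODE_STRING shell_open = us_from_literal(
        u"\"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE\" /e \"C:\\Users\\me\\My Docs\\Budget 2016.xlsx\"");
    UNICODE_STRING dde_only = us_from_literal(
        u"\"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE\" /dde");
    WCHAR doc[260];

    printf("shell open -> status %d, doc ", document_from_command_line(&shell_open, doc, 260));
    print_u16(doc); putchar('\n');
    printf("/dde only  -> status %d\n", document_from_command_line(&dde_only, doc, 260));
    printf("COM launch -> status %d\n", document_from_command_line(NULL, doc, 260));
    return 0;
}
```

The two non-OK statuses are the point: CL_NULL_COMMAND_LINE is what the question reports for COM activation, and CL_NO_DOCUMENT_ARG is the related case where Excel is started with only a switch and receives the file later over DDE or COM. In both, the callback has nothing further to parse, which is what the accepted answer says.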

Answers

  • You've gotten what PsSetCreateProcessNotifyRoutineEx can deliver. That's all about it. If you need to intercept COM messages, it can't possibly help more.

    --pa

    Wednesday, February 10, 2016 11:06 AM

All replies

  • Thanks Pavel A.

    Is there any way I could get COM messages at driver level?

    Can you help? I am new to COM.


    • Edited by babalooH Wednesday, February 10, 2016 2:11 PM
    Wednesday, February 10, 2016 2:10 PM
  • Most likely yes, at the kernel level almost everything is possible.

    But I don't know how.

    -- pa

    Wednesday, February 10, 2016 3:28 PM
  • Can you instead deploy an add-in to Excel and handle the AppEvents_Event.WorkbookOpen event?


    Wednesday, February 10, 2016 7:55 PM
  • Thanks ranta!

    I don't know how to deploy an add-in to Excel.

    But I think it will not be a generalized solution; I mean, if any other application uses COM for its creation, then it will be difficult to provide support.

    Thursday, February 11, 2016 12:42 PM
  • Here are some ideas but I cannot promise that any of them will help you.

    There are many ways for the Shell to pass file names to the application: command line, DDE, IDropTarget, IExecuteCommand, perhaps IContextMenu. DDE is deprecated but Excel 2007 still used that. COM may then use window messages or RPC underneath. I don't think there is any documented way for a kernel-mode driver to capture or decode the messages.

    Hooking ShellExecuteEx would cover all of those. Unfortunately, IShellExecuteHook was deprecated in Windows Vista. Windows 8 has IHandlerActivationHost::BeforeCoCreateInstance, which might work, but the documentation is scarce and I have no idea how to register an implementation of that.

    If you only want to log which documents are opened, then you might be able to do that by polling the Running Object Table, or perhaps by polling the recent-document lists via IApplicationDocumentLists if you can find the correct AppUserModelID. On the other hand, a file system minifilter driver could also get that information by looking at which files Excel opens.

    If you want to prevent the user from opening some documents, then the APIs intended for virus scanning might do the job: IOfficeAntiVirus and AMSI. I expect that registering an AMSI provider requires a non-disclosure agreement, though. Unlike the file system minifilter, these could also give you the URLs of documents downloaded from the Internet.

    I'm sure Microsoft would hate you if you implemented a driver that returns false data whenever the Shell is reading DropTarget or DelegateExecute or DDE settings from the Registry.

    Thursday, February 11, 2016 6:21 PM