A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #11269  by _Lynn
 Wed Jan 25, 2012 9:04 pm
I am working with a user-mode program that is able to detect if it is already running. Here are the ways I have covered that could possibly lead to it knowing...

-NtQuerySystemInformation - (win32 wrappers obviously)

-Load count of a unique specified DLL in its peb ldr data

-Memory section name created in one, opened in another (ntopensection, ntcreatesection)

-creating a temporary file for some IPC

Does anyone perhaps know some other ways? This does not involve any kernel modules; we are strictly user-mode only here.

Thank you, and sorry for my English.
 #11270  by a_d_13
 Wed Jan 25, 2012 9:12 pm
Hello,

You can create a named mutex, and then try to open it in each process. For example (not tested):
Code:
#include <windows.h>

// Returns TRUE if another instance already holds the named mutex.
// The handle is deliberately kept open for the lifetime of the process so
// the mutex stays alive; do not CloseHandle() it on the FALSE path.
BOOLEAN CheckIfRunning()
{
  HANDLE hMutex;
  
  // CreateMutexA: the name is a narrow string, so this builds with or without UNICODE.
  hMutex = CreateMutexA(NULL, FALSE, "appname");
  if (hMutex == NULL)
    return FALSE;    // Creation failed - you choose what happens here.

  switch(GetLastError())
  {
    case ERROR_SUCCESS:
      return FALSE;    // We created it: first instance.
    
    case ERROR_ALREADY_EXISTS:
      return TRUE;     // Someone else created it first.
    
    default:
      return FALSE;    // Unknown error - you choose what happens here.
  }
}
Change "appname" to something unique.

Thanks,
--AD
 #11272  by _Lynn
 Wed Jan 25, 2012 11:56 pm
a_d_13 wrote:You can create a named mutex, and then try to open it in each process. For example (not tested): [...]

Thank you for this. I appreciate it.
 #11723  by Tigzy
 Tue Feb 21, 2012 1:07 pm
Hello

What I use is a mutex also:
Code:
#include <windows.h>

static HANDLE hMutex;

int main(void)
{
	//Mutex
	SetLastError(0);
	hMutex = CreateMutexA (NULL,FALSE, "RogueKiller");
	if (hMutex != NULL && GetLastError() == ERROR_ALREADY_EXISTS) 
	{
		MessageBoxA(NULL, "RogueKiller is already running", "Error", MB_OK | MB_ICONEXCLAMATION);
		CloseHandle(hMutex);
		return 0;
	}


	//.... End of program

	// The mutex was never acquired (bInitialOwner is FALSE), so there is
	// nothing to ReleaseMutex(); closing the handle is what lets the name go.
	if (hMutex != NULL)
		CloseHandle(hMutex);
	return 0;
}
 #11726  by EP_X0FF
 Tue Feb 21, 2012 2:41 pm
For all of us who use base named objects to limit the instances of an application: there is an official security warning from Microsoft available.
http://msdn.microsoft.com/en-us/library ... s.85).aspx
If you are using a named mutex to limit your application to a single instance, a malicious user can create this mutex before you do and prevent your application from starting.
Also, in the case of GUI-based detection, don't forget about different WinSta0 desktops. From my point of view the best and lowest-cost solution is the one posted here http://www.kernelmode.info/forum/viewto ... 275#p11275 (exactly this is explained in the last Richter book, "Windows via Visual C/C++"). It takes a few lines of code to implement, no additional objects, nothing named.
 #11732  by Tigzy
 Tue Feb 21, 2012 3:11 pm
If you are using a named mutex to limit your application to a single instance, a malicious user can create this mutex before you do and prevent your application from starting.
Yes. You can also use a dynamically generated mutex name, based on the PC name / processor ID / whatever.
It will be harder for someone to hijack your mutex, but not impossible.

EDIT: EP_X0FF, there is a problem with your link http://msdn.microsoft.com/en-us/library ... s.85).aspx

EDIT2: Arf, this was in the MSDN...
Create a randomly named mutex and store the name so that it can only be obtained by an authorized user. Alternatively, you can use a file for this purpose. To limit your application to one instance per user, create a locked file in the user's profile directory.