#include "ntddk.h"  
#include "windef.h"  
#include "string.h"  

/* Name of the process whose EPROCESS is scanned at load time to locate the
 * image-file-name field (see GetProcessNameOffset()). */
#define SYSNAME "System"  
/* Byte offset of the image-file-name field inside EPROCESS, discovered by
 * GetProcessNameOffset() in DriverEntry. 0 means "not found" and makes
 * DriverEntry fail, so the callbacks below can assume it is non-zero.
 * Written once at load, read by the notify callbacks afterwards. */
ULONG ProcessNameOffset = 0;

/* Scans the current EPROCESS for SYSNAME; returns the offset, or 0 if absent. */
ULONG GetProcessNameOffset();

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
/* Single dispatch routine installed for every IRP major function. */
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

/* NOTE(review): this is a local redeclaration of a kernel export with a ULONG
 * process id. The WDK's own declaration takes a HANDLE, so if the kit's header
 * is in scope this prototype conflicts with it, and on 64-bit builds passing a
 * ULONG relies on the compiler zero-extending the argument register. The
 * callers below narrow the HANDLE with HandleToUlong() to match this
 * prototype -- TODO confirm against the target WDK and prefer the HANDLE form.
 * On success the routine returns a referenced EPROCESS that the caller must
 * release with ObDereferenceObject(). */
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);

/* Process create/exit notification (PsSetCreateProcessNotifyRoutine signature). */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);
/* Thread create/exit notification (PsSetCreateThreadNotifyRoutine signature). */
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
//VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo );  

// Driver entry point
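/*
 * Driver entry point.
 *
 * Installs the dispatch table, creates \Device\ProcWatch with a
 * \DosDevices\ProcWatch link, locates the image-file-name offset inside
 * EPROCESS and registers the thread-creation callback.
 *
 * Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL when the name offset cannot be
 * found, or the failing kernel call's status. On any failure everything
 * created so far is torn down again (device, symbolic link), because the I/O
 * manager does not call DriverUnload when DriverEntry fails.
 *
 * NOTE(review): the device is created with Exclusive = TRUE but without an
 * explicit security descriptor, so who may open \DosDevices\ProcWatch is left
 * to the default device DACL. If the device is meant to be admin-only, create
 * it with IoCreateDeviceSecure() and an SDDL string instead.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	UNICODE_STRING  nameString, linkString;
	PDEVICE_OBJECT  deviceObject = NULL;
	NTSTATUS        status;
	int             i;

	UNREFERENCED_PARAMETER(RegistryPath);

	/* Install the dispatch routines before the device becomes reachable so
	 * an early open cannot hit an unset table entry. The last slot
	 * (IRP_MJ_MAXIMUM_FUNCTION itself) is left at the I/O manager default,
	 * as in the original. */
	for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DriverObject->MajorFunction[i] = CommonDispatch;
	}

	/* Create the device object. */
	RtlInitUnicodeString(&nameString, L"\\Device\\ProcWatch");
	status = IoCreateDevice(DriverObject,
		0,
		&nameString,
		FILE_DEVICE_UNKNOWN,
		0,
		TRUE,
		&deviceObject
		);
	if (!NT_SUCCESS(status))
	{
		return status;
	}

	/* User-mode visible name for the device. */
	RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");
	status = IoCreateSymbolicLink(&linkString, &nameString);
	if (!NT_SUCCESS(status))
	{
		goto fail_device;
	}

	/* The callbacks print the process name by raw offset into EPROCESS;
	 * without the offset they would read garbage, so refuse to load. */
	ProcessNameOffset = GetProcessNameOffset();
	if (ProcessNameOffset == 0)
	{
		status = STATUS_UNSUCCESSFUL;
		goto fail_link;
	}

	/* Only the thread callback is registered. ProcessCreateMon and
	 * ImageCreateMon are defined below but not currently hooked up; if they
	 * are enabled here, DriverUnload must remove them as well. */
	status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
		goto fail_link;
	}

	DriverObject->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;

fail_link:
	/* The original leaked the symbolic link on the later failure paths,
	 * which makes a reload fail with a name collision. */
	IoDeleteSymbolicLink(&linkString);
fail_device:
	IoDeleteDevice(deviceObject);
	return status;
}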

/*
 * Driver unload routine: reverses DriverEntry in the opposite order.
 *
 * The notify routines are removed first so no callback can run once the
 * device and its link are gone; then the \DosDevices link and the device
 * object created in DriverEntry are deleted.
 *
 * NOTE(review): the process-notify removal mirrors a registration that
 * DriverEntry currently has commented out. Its return value is ignored, so
 * this is presumably harmless when nothing was registered, but the two
 * routines should be kept in step.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	UNICODE_STRING symLink;

	PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
	PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

	RtlInitUnicodeString(&symLink, L"\\DosDevices\\ProcWatch");
	IoDeleteSymbolicLink(&symLink);

	IoDeleteDevice(DriverObject->DeviceObject);
}

// Handles every I/O request sent to the device object
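/*
 * Dispatch routine installed for every IRP major function.
 *
 * Completes each request with STATUS_SUCCESS and no data (Information = 0),
 * so opens, reads, writes and device controls from any caller who can reach
 * the device all succeed but do nothing.
 *
 * Returns the completion status. The status is cached in a local because an
 * IRP must not be touched after IoCompleteRequest(): the original read
 * Irp->IoStatus.Status back after completion, when the IRP may already have
 * been freed.
 */
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	const NTSTATUS status = STATUS_SUCCESS;

	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return status;
}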

/* Declared but never referenced anywhere in this file. */
HANDLE g_dwProcessId;
/* Set to TRUE by ProcessCreateMon on process creation and cleared by
 * ThreadCreateMon after it has reported the first qualifying thread. It is a
 * user-mode BOOL (windef.h) shared between callbacks that may run on any
 * thread, with no synchronization. Because DriverEntry does not currently
 * register ProcessCreateMon, this flag never becomes TRUE in the build shown. */
BOOL g_bMainThread;

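/*
 * Process create/exit notification callback.
 *
 * hParentId: creator process id. PId: id of the process being created or
 * exiting. bCreate: TRUE on creation, FALSE on exit. Prints the event via
 * DbgPrint and, on creation, raises g_bMainThread so ThreadCreateMon reports
 * the next qualifying thread. DriverEntry does not currently register this
 * routine.
 *
 * Fixes over the original: the EPROCESS returned by PsLookupProcessByProcessId
 * is a referenced object and is now released with ObDereferenceObject()
 * (the original leaked one reference per process creation, and also looked
 * the process up on exit without using it); the name is copied into a bounded
 * local buffer instead of being printed straight from the raw offset; the
 * DbgPrint specifiers match the argument types (HANDLE/pointer values were
 * printed with %d/%x).
 */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate)
{
	PEPROCESS   EProcess = NULL;
	NTSTATUS    status;
	/* The local PsLookupProcessByProcessId prototype takes a ULONG, so
	 * narrow the HANDLE on both 32- and 64-bit builds. */
	ULONG       ProcessId = HandleToUlong(PId);
	CHAR        imageName[16];

	if (!bCreate)
	{
		DbgPrint("TERMINATED == PROCESS ID: %lu\n", ProcessId);
		return;
	}

	status = PsLookupProcessByProcessId(ProcessId, &EProcess);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("PsLookupProcessByProcessId()\n");
		return;
	}

	g_bMainThread = TRUE;

	/* The image-file-name field inside EPROCESS is a short fixed-size array
	 * (15 characters plus NUL); copy at most that and terminate explicitly so
	 * a wrong ProcessNameOffset cannot turn into an unbounded %s read. */
	RtlCopyMemory(imageName, (PCHAR)EProcess + ProcessNameOffset, sizeof(imageName) - 1);
	imageName[sizeof(imageName) - 1] = '\0';

	DbgPrint("CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %lu, PROCESS ID: %lu, PROCESS ADDRESS %p:\n",
		imageName,
		HandleToUlong(hParentId),
		ProcessId,
		EProcess);

	ObDereferenceObject(EProcess);
}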


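/*
 * Thread create/exit notification callback.
 *
 * PId: id of the process that will own the thread -- not necessarily the
 * process creating it. TId: the new thread's id. bCreate: TRUE on creation,
 * FALSE on exit. The callback runs in the creating thread's context, so
 * PsGetCurrentProcessId()/PsGetCurrentThreadId() identify the creator.
 *
 * On creation it prints the owning process name and ids. When g_bMainThread
 * is set (raised by ProcessCreateMon), the owner is not the System process
 * (PID 4) and the owner differs from the creator, it additionally prints a
 * "caller/called" line pairing creator and owner, then clears the flag.
 *
 * Fixes over the original: both lookups are now checked individually (the
 * original overwrote the first status with the second, so a failed first
 * lookup could leave EProcess uninitialized and still be dereferenced); the
 * referenced EPROCESS objects are released with ObDereferenceObject(); no
 * lookup is done on thread exit where the result was unused; names are
 * copied into bounded buffers; DbgPrint specifiers match the argument types.
 * g_bMainThread is read and written here without synchronization, as before.
 */
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
	PEPROCESS   EProcess = NULL;
	PEPROCESS   ParentEProcess = NULL;
	NTSTATUS    status;
	const ULONG System = 4;
	/* Narrowed to ULONG to match the local PsLookupProcessByProcessId prototype. */
	ULONG       ProcessId   = HandleToUlong(PId);
	ULONG       dwParentPID = HandleToUlong(PsGetCurrentProcessId());
	ULONG       ThreadId    = HandleToUlong(TId);
	CHAR        curName[16];
	CHAR        parentName[16];

	if (!bCreate)
	{
		DbgPrint("TERMINATED == THREAD ID: %lu\n", ThreadId);
		return;
	}

	status = PsLookupProcessByProcessId(ProcessId, &EProcess);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("PsLookupProcessByProcessId()\n");
		return;
	}

	/* Bounded copy of the image-file-name field (15 characters plus NUL) so a
	 * wrong ProcessNameOffset cannot become an unbounded %s read. */
	RtlCopyMemory(curName, (PCHAR)EProcess + ProcessNameOffset, sizeof(curName) - 1);
	curName[sizeof(curName) - 1] = '\0';

	if ((g_bMainThread == TRUE) && (ProcessId != System) && (ProcessId != dwParentPID))
	{
		/* The creator's EPROCESS is only needed for this one report. */
		status = PsLookupProcessByProcessId(dwParentPID, &ParentEProcess);
		if (NT_SUCCESS(status))
		{
			ULONG dwParentTID = HandleToUlong(PsGetCurrentThreadId());

			RtlCopyMemory(parentName, (PCHAR)ParentEProcess + ProcessNameOffset, sizeof(parentName) - 1);
			parentName[sizeof(parentName) - 1] = '\0';

			DbgPrint("caller: Name=%s PID=%lu TID=%lu\t\tcalled: Name=%s PID=%lu TID=%lu\n",
				parentName, dwParentPID, dwParentTID, curName, ProcessId, ThreadId);

			ObDereferenceObject(ParentEProcess);
		}
		else
		{
			DbgPrint("PsLookupProcessByProcessId()\n");
		}
		g_bMainThread = FALSE;
	}

	DbgPrint("CREATE THREAD = PROCESS NAME: %s PROCESS ID: %lu, THREAD ID: %lu\n", curName, ProcessId, ThreadId);

	ObDereferenceObject(EProcess);
}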

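/*
 * Image-load notification callback (PsSetLoadImageNotifyRoutine signature).
 * DriverEntry does not currently register it.
 *
 * FullImageName: counted UNICODE_STRING naming the image, which the kernel
 * may pass as NULL when the name is unavailable. ProcessId: process the image
 * is mapped into. ImageInfo: base address and size of the mapping.
 *
 * Fixes over the original: FullImageName is checked for NULL; it is printed
 * with %wZ, which honours the string's Length, instead of %S on ->Buffer,
 * which assumes a NUL terminator a UNICODE_STRING does not guarantee; the
 * HANDLE, pointer and SIZE_T arguments get matching specifiers (they were
 * printed with %d/%x).
 */
VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
	if (FullImageName != NULL)
	{
		DbgPrint("FullImageName: %wZ,Process ID: %lu\n", FullImageName, HandleToUlong(ProcessId));
	}
	else
	{
		DbgPrint("FullImageName: <unavailable>,Process ID: %lu\n", HandleToUlong(ProcessId));
	}
	/* ImageSize is SIZE_T; narrowed to ULONG for a portable specifier. */
	DbgPrint("ImageBase: %p,ImageSize: %lu\n", ImageInfo->ImageBase, (ULONG)ImageInfo->ImageSize);
}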

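/*
 * Locates the image-file-name field inside EPROCESS by scanning the current
 * process's EPROCESS for the string SYSNAME ("System").
 *
 * Returns the byte offset of the match, or 0 when nothing matched within the
 * scanned window. Offset 0 is safe as the "not found" sentinel because
 * EPROCESS begins with the kernel process header, not a name.
 *
 * Assumes it is called from DriverEntry while running in the System process
 * (otherwise the current process is not named "System" and the scan fails).
 * The window is 3 pages, which is larger than EPROCESS on the versions this
 * was written for; bytes past the end of the allocation are read as well, so
 * the scan relies on the following pool memory being mapped -- a heuristic
 * inherited from the original, not a guarantee.
 *
 * Fixes over the original: the comparison includes the terminating NUL, so
 * only an exact "System" string matches rather than any "System..." prefix,
 * and the compare length is computed once instead of on every iteration.
 */
ULONG GetProcessNameOffset()
{
	PCHAR   base = (PCHAR)PsGetCurrentProcess();
	size_t  matchLen = strlen(SYSNAME) + 1;   /* "System" plus its NUL */
	ULONG   offset;

	for (offset = 0; offset < 3 * PAGE_SIZE; offset++)
	{
		if (strncmp(SYSNAME, base + offset, matchLen) == 0)
		{
			return offset;
		}
	}

	return 0;
}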