📄 t-procmon.c
字号:
#include "ntddk.h"
#include "stdio.h"
#include "stdarg.h"
#include "T-ProcMonCtl.h"
#include "T-ProcMon.h"
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
{
PDEVICE_OBJECT DeviceObject;
NTSTATUS NtStatus;
WCHAR DeviceName[25]=L"\\Device\\";
WCHAR DeviceLink[25]=L"\\DosDevices\\";
UNICODE_STRING DeviceNameU;
UNICODE_STRING DeviceLinkU;
wcscat(DeviceName,DEVICE_DRIVER_NAME);
RtlInitUnicodeString(&DeviceNameU,DeviceName);
NtStatus = IoCreateDevice(DriverObject,
0,
&DeviceNameU,
FILE_DEVICE_PROCMON,
0,
FALSE,
&DeviceObject);
if(NT_SUCCESS(NtStatus))
{
wcscat(DeviceLink,DEVICE_DRIVER_NAME);
RtlInitUnicodeString(&DeviceLinkU,DeviceLink);
NtStatus = IoCreateSymbolicLink(&DeviceLinkU,&DeviceNameU);
if(!NT_SUCCESS(NtStatus))
{
IoDeleteDevice(DeviceObject);
return NtStatus;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = ProcMonDispath;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = ProcMonDispath;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ProcMonDispath;
DriverObject->DriverUnload = ProcMonUnload;
}
if(!NT_SUCCESS(NtStatus))
{
if(DeviceObject)
{
IoDeleteDevice(DeviceObject);
}
DbgPrint("IoCreateDevice(SymbolicLink) Error !\n");
return NtStatus;
}
MUTEX_INIT(MKMutex);
GetProcessNameOffset();
pFirstMK = ExAllocatePool(NonPagedPool,sizeof(MESSAGEK));
if(pFirstMK == NULL)
{
NtStatus = STATUS_INSUFFICIENT_RESOURCES;
}
else
{
pFirstMK->Length = 0;
pFirstMK->Next = NULL;
pCurrentMK = pFirstMK;
NumMessageK = 1;
}
pFirstNK = ExAllocatePool(NonPagedPool,sizeof(PROCNAMEK));
if(pFirstNK == NULL)
{
NtStatus = STATUS_INSUFFICIENT_RESOURCES;
}
else
{
RtlInitUnicodeString(&pFirstNK->Name,L"T-ProcMon.exe");
pFirstNK->Next = NULL;
}
return NtStatus;
}
NTSTATUS
ProcMonDispath(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP pIrp)
{
PIO_STACK_LOCATION IrpStack;
PVOID InputBuffer;
PVOID OutputBuffer;
ULONG InputBufferLength;
ULONG OutputBufferLength;
ULONG IoControlCode;
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation(pIrp);
InputBuffer = pIrp->AssociatedIrp.SystemBuffer;
OutputBuffer = pIrp->AssociatedIrp.SystemBuffer;
InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch(IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:
DbgPrint("T-ProcMon:\tIRP_MJ_CREATE\n");
break;
case IRP_MJ_CLOSE:
DbgPrint("T-ProcMon:\tIRP_MJ_CLOSE\n");
ResetMessageK();
break;
case IRP_MJ_DEVICE_CONTROL:
DbgPrint("T-ProcMon:\tIRP_MJ_DEVICE_CONTROL\n");
ProcmonControl(IrpStack->FileObject,
TRUE,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength,
IoControlCode,
&pIrp->IoStatus,
DeviceObject);
break;
default:
DbgPrint("T-ProcMon:\tIRP_MJ_DEFAULT\n");
break;
}
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
BOOLEAN ProcmonControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
IN PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject)
{
PMESSAGEK pReturnMK;
PPROCNAMEK pCurrentNK;
PPROCNAMEK pLastNK;
ANSI_STRING ProcessNameA;
TCHAR ProcessName[256];
ULONG dwIndex = 0;
ULONG dwStrLength = 0;
ULONG dwNameLength = 0;
ULONG dwTotalLength = 0;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch(IoControlCode)
{
case PROCMON_MONITOR:
DbgPrint("PROCMON_MONITOR\n");
if(MAX_MESSAGE > OutputBufferLength)
{
return FALSE;
}
else if(pFirstMK->Length != 0
|| pFirstMK->Next != NULL)
{
pReturnMK = pFirstMK;
MUTEX_P(MKMutex);
NewMessageK();
pFirstMK = pFirstMK->Next;
MUTEX_V(MKMutex);
memcpy(OutputBuffer,pReturnMK->Message,pReturnMK->Length);
IoStatus->Information = pReturnMK->Length;
ExFreePool(pReturnMK);
NumMessageK--;
}
else
{
IoStatus->Information = 0;
}
break;
case PROCMON_HIDDEN:
DbgPrint("PROCMON_HIDDEN\n");
pLastNK = pFirstNK;
while(dwIndex < InputBufferLength)
{
pCurrentNK = ExAllocatePool(NonPagedPool,sizeof(PROCNAMEK));
if(pCurrentNK == NULL)
{
IoStatus->Status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
else
{
dwStrLength = sprintf(ProcessName,"%s",(PTSTR)InputBuffer + dwIndex);
if(dwStrLength == 0)
{
break;
}
DbgPrint("Hidden ProcessName:\t%s\n",ProcessName);
ProcessName[dwStrLength-1] = '\0';
RtlInitAnsiString(&ProcessNameA,ProcessName);
RtlAnsiStringToUnicodeString(&pCurrentNK->Name,&ProcessNameA,TRUE);
pCurrentNK->Next = NULL;
pLastNK->Next = pCurrentNK;
pLastNK = pCurrentNK;
dwIndex += dwStrLength + 1;
}
}
break;
case PROCMON_HOOK:
DbgPrint("PROCMON_HOOK\n");
if(!IsHooked)
{
HookSystemService();
}
break;
case PROCMON_UNHOOK:
DbgPrint("PROCMON_UNHOOK\n");
if(IsHooked)
{
UnHookSystemService();
}
ResetMessageK();
break;
default:
DbgPrint("PROCMON_UNKNOW\n");
break;
}
return TRUE;
}
VOID
ProcMonUnload(
IN PDRIVER_OBJECT DriverObject)
{
WCHAR DeviceLink[25]=L"\\DosDevices\\";
UNICODE_STRING DeviceLinkU;
DbgPrint("T-ProcMon Unload !\n");
wcscat(DeviceLink,DEVICE_DRIVER_NAME);
if(IsHooked)
{
UnHookSystemService();
}
RtlInitUnicodeString(&DeviceLinkU,DeviceLink);
IoDeleteSymbolicLink(&DeviceLinkU);
IoDeleteDevice(DriverObject->DeviceObject);
FreeMessageK();
FreeProcessNameK();
}
NTSTATUS
HookSystemService()
{
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSCALL(ZwQuerySystemInformation));
OldZwOpenProcess = (ZWOPENPROCESS)(SYSCALL(ZwOpenProcess));
OldZwTerminateProcess = (ZWTERMINATEPROCESS)(SYSCALL(ZwTerminateProcess));
OldZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)(SYSCALL(ZwQueryInformationProcess));
OldZwSetInformationProcess = (ZWSETINFORMATIONPROCESS)(SYSCALL(ZwSetInformationProcess));
_asm cli
(ZWQUERYSYSTEMINFORMATION)(SYSCALL(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;
(ZWOPENPROCESS)(SYSCALL(ZwOpenProcess)) = NewZwOpenProcess;
(ZWTERMINATEPROCESS)(SYSCALL(ZwTerminateProcess)) = NewZwTerminateProcess;
(ZWQUERYINFORMATIONPROCESS)(SYSCALL(ZwQueryInformationProcess)) = NewZwQueryInformationProcess;
(ZWSETINFORMATIONPROCESS)(SYSCALL(ZwSetInformationProcess)) = NewZwSetInformationProcess;
IsHooked = TRUE;
_asm sti
return STATUS_SUCCESS;
}
NTSTATUS
UnHookSystemService()
{
_asm cli
(ZWQUERYSYSTEMINFORMATION)(SYSCALL(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
(ZWOPENPROCESS)(SYSCALL(ZwOpenProcess)) = OldZwOpenProcess;
(ZWTERMINATEPROCESS)(SYSCALL(ZwTerminateProcess)) = OldZwTerminateProcess;
(ZWQUERYINFORMATIONPROCESS)(SYSCALL(ZwQueryInformationProcess)) = OldZwQueryInformationProcess;
(ZWSETINFORMATIONPROCESS)(SYSCALL(ZwSetInformationProcess)) = OldZwSetInformationProcess;
IsHooked = FALSE;
_asm sti
return STATUS_SUCCESS;
}
NTSTATUS
NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformaitonLength,
OUT PULONG ReturnLength OPTIONAL)
{
NTSTATUS NtStatus;
BOOLEAN bHide = TRUE;
PSYSTEM_PROCESSES ProcCur = NULL;
PSYSTEM_PROCESSES ProcPre = NULL;
PPROCNAMEK pCurrentNK;
ANSI_STRING ProcNameA;
ULONG dwCount;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -