)<br />
{<br />
ULONG i;<br />
<br />
for (i=0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {<br />
if (Remove) { <br />
if (PspCreateProcessNotifyRoutine[i] == NotifyRoutine) { //清除时就是简单的赋植操作<br />
PspCreateProcessNotifyRoutine[i] = NULL;<br />
PspCreateProcessNotifyRoutineCount -= 1; //将计数器减一<br />
return STATUS_SUCCESS;<br />
}<br />
} else {<br />
if (PspCreateProcessNotifyRoutine[i] == NULL) { //设置时也是简单的赋值操作<br />
PspCreateProcessNotifyRoutine[i] = NotifyRoutine;<br />
PspCreateProcessNotifyRoutineCount += 1; //将计数器加一<br />
return STATUS_SUCCESS;<br />
}<br />
}<br />
}<br />
<br />
return Remove ? STATUS_PROCEDURE_NOT_FOUND : STATUS_INVALID_PARAMETER;<br />
}<br />
<br />
好了，方法已经知道了，只要找出该数组的地址，我们就能够"全身而退"了。看一下 Windows 2003 下面 PsRemoveCreateThreadNotifyRoutine 的实现：
lkd> u PsRemoveCreateThreadNotifyRoutine l 20<br />
nt!PsRemoveCreateThreadNotifyRoutine:<br />
80651d7b 53 push ebx<br />
80651d7c 56 push esi<br />
80651d7d 57 push edi<br />
80651d7e 33db xor ebx,ebx<br />
80651d80 bf400f5780 mov edi,0x80570f40 //起始地址<br />
80651d85 57 push edi<br />
80651d86 e8a7500100 call nt!ExWaitForRundownProtectionRelease+0x5cf (80666e32)<br />
80651d8b 8bf0 mov esi,eax<br />
80651d8d 85f6 test esi,esi<br />
80651d8f 7420 jz nt!PsRemoveCreateThreadNotifyRoutine+0x36 (80651db1)<br />
80651d91 56 push esi<br />
80651d92 e8ba1bffff call nt!IoReportTargetDeviceChange+0x7aa0 (80643951)<br />
80651d97 3b442410 cmp eax,[esp+0x10]<br />
80651d9b 750d jnz nt!PsRemoveCreateThreadNotifyRoutine+0x2f (80651daa)<br />
80651d9d 56 push esi<br />
80651d9e 6a00 push 0x0<br />
80651da0 57 push edi<br />
80651da1 e8c54f0100 call nt!ExWaitForRundownProtectionRelease+0x508 (80666d6b)<br />
80651da6 84c0 test al,al<br />
80651da8 751b jnz nt!PsRemoveCreateThreadNotifyRoutine+0x4a (80651dc5)<br />
80651daa 56 push esi<br />
80651dab 57 push edi<br />
80651dac e892510100 call nt!ExWaitForRundownProtectionRelease+0x6e0 (80666f43)<br />
80651db1 43 inc ebx<br />
80651db2 83c704 add edi,0x4<br />
80651db5 83fb08 cmp ebx,0x8 //看是否到了最大数(8)<br />
80651db8 72cb jb nt!PsRemoveCreateThreadNotifyRoutine+0xa (80651d85)<br />
80651dba b87a0000c0 mov eax,0xc000007a<br />
80651dbf 5f pop edi<br />
80651dc0 5e pop esi<br />
80651dc1 5b pop ebx<br />
80651dc2 c20400 ret 0x4<br />
<br />
lkd> dd 0x80570f40 //设置了监视函数后<br />
80570f40 e316e557 00000000 00000000 00000000<br />
.............................<br />
<br />
lkd> dd 0x80570f40 //清除了监视函数后<br />
80570f40 00000000 00000000 00000000 00000000<br />
<br />
哈哈。下面是实现代码，代码中实现了进程和线程的监视，并且实现了远程线程的监视：
<br />
Drivers.c<br />
/////////////////////////////////////////////////////////////////////////////////////////////////////////<br />
// <br />
// Made By ZwelL<br />
<br />
#include "ntddk.h"<br />
#include "windef.h"<br />
#include "define.h"<br />
<br />
#define SYSNAME "System"     /* image name that GetProcessNameOffset() scans EPROCESS for */
#define VERSIONLEN 100       /* element count of Version[]; also the extra byte count added to the registry buffer in GetRegValue() */

/* Object-manager names; presumably the driver's device and its DOS symbolic link (creation not visible here). */
const WCHAR devLink[] = L"\\??\\MyEvent";
const WCHAR devName[] = L"\\Device\\MyEvent";
UNICODE_STRING devNameUnicd;   /* UNICODE_STRING forms of devName / devLink; initialized outside this excerpt */
UNICODE_STRING devLinkUnicd;
PVOID gpEventObject = NULL;    /* Event object used to communicate with the user-mode application */
ULONG ProcessNameOffset =0;    /* offset of the image name inside EPROCESS; presumably filled from GetProcessNameOffset(), 0 = not found */
PVOID outBuf[255];             /* 255 pointer slots; usage is not visible in this excerpt */
BOOL g_bMainThread;            /* NOTE(review): per-event state kept in globals; nothing in view serializes concurrent writers -- confirm */
ULONG g_dwParentId;
CHECKLIST CheckList;           /* type comes from define.h */
ULONG BuildNumber;             /* OS build number */
ULONG SYSTEMID;                /* process ID of the System process */
PWCHAR Version[VERSIONLEN];    /* NOTE(review): an array of VERSIONLEN *pointers*, not a WCHAR buffer; if passed as GetRegValue's Value it is 100 pointers, not 100 characters -- confirm intent */

/* NOTE(review): the kernel export takes a HANDLE ProcessId; declaring it with ULONG only matches where sizeof(HANDLE) == sizeof(ULONG) (32-bit builds). */
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
<br />
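/*
 * Find the byte offset of the image-file-name field inside EPROCESS.
 *
 * EPROCESS is opaque to drivers, so the offset is discovered empirically:
 * the first 3 pages of the current process object are compared byte by
 * byte against SYSNAME and the first matching offset is returned.  The
 * result is therefore only meaningful when the current process's image
 * name is SYSNAME, i.e. when called from the System process (typically
 * the case for DriverEntry -- confirm at the call site).
 *
 * Returns the offset on success, or 0 when SYSNAME is not found within the
 * scanned window.  Callers must treat 0 as "unknown", never as a valid
 * field offset.
 */
ULONG GetProcessNameOffset(void)
{
    PEPROCESS curproc = PsGetCurrentProcess();
    const ULONG scanLen = 3 * PAGE_SIZE;
    const ULONG nameLen = (ULONG)strlen(SYSNAME); /* loop-invariant, hoisted */
    ULONG i;

    /* Stop nameLen bytes early so the comparison never reads past the scanned window. */
    for (i = 0; i + nameLen <= scanLen; i++) {
        if (strncmp(SYSNAME, (PCHAR)curproc + i, nameLen) == 0) {
            return i;
        }
    }

    return 0;
}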
<br />
NTSTATUS GetRegValue(PCWSTR RegPath,PCWSTR ValueName,PWCHAR Value)<br />
{<br />
int ReturnValue = 0;<br />
NTSTATUS Status;<br />
OBJECT_ATTRIBUTES ObjectAttributes;<br />
HANDLE KeyHandle;<br />
PKEY_VALUE_PARTIAL_INFORMATION valueInfoP;<br />
ULONG valueInfoLength,returnLength;<br />
UNICODE_STRING UnicodeRegPath;<br />
UNICODE_STRING UnicodeValueName;<br />
<br />
RtlInitUnicodeString(&UnicodeRegPath, RegPath);<br />
RtlInitUnicodeString(&UnicodeValueName, ValueName);<br />
<br />
InitializeObjectAttributes(&ObjectAttributes,<br />
&UnicodeRegPath,<br />
OBJ_CASE_INSENSITIVE, // Flags<br />
NULL, // Root directory<br />
NULL); // Security descriptor<br />
<br />
Status = ZwOpenKey(&KeyHandle,<br />
KEY_ALL_ACCESS,<br />
&ObjectAttributes);<br />
if (Status != STATUS_SUCCESS)<br />
{<br />
DbgPrint("ZwOpenKey Wrong\n");<br />
return 0;<br />
}<br />
<br />
valueInfoLength = sizeof(KEY_VALUE_PARTIAL_INFORMATION)+VERSIONLEN;<br />
valueInfoP = (PKEY_VALUE_PARTIAL_INFORMATION) ExAllocatePool<br />
(NonPagedPool, valueInfoLength);<br />
Status = ZwQueryValueKey(KeyHandle,<br />
&UnicodeValueName,<br />
KeyValuePartialInformation,<br />
valueInfoP,<br />
valueInfoLength,<br />
&returnLength);<br />
<br />
if (!NT_SUCCESS(Status))<br />
{<br />
DbgPrint("ZwQueryValueKey Wrong:%08x\n",Status);<br />
return Status;<br />
}<br />
else<br />
{<br />