/*****************************************************************
file: monitor.c
function: this is a process/thread monitor; it can be dynamically
loaded or unloaded by w2k_load.exe
*****************************************************************/
#include "ntddk.h"
#include "string.h"
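#define SYSNAME "System"    /* image name of the System process; used to locate the name field in EPROCESS */
#define NPNAME "notepad"    /* currently unused */

/* Device and symbolic-link names; initialised in DriverEntry, reused by OnUnload. */
UNICODE_STRING nameString, linkString;
/* Byte offset of the image-file-name field inside EPROCESS, found by scanning at load time (0 = not found). */
ULONG ProcessNameOffset;
/*
 * Raised by ProcessCreateMon when a process is created so that ThreadCreateMon
 * can skip that process's initial thread (it is always created by another
 * process and would otherwise be reported as a remote thread).
 */
BOOLEAN g_MainThread;

static NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
/*
 * NOTE(review): the kernel's own declaration takes a HANDLE as first argument;
 * the ULONG form is kept here because every call site casts with (ULONG).
 */
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
//VOID ImageCreateMon (IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo ); -- image-load hook, disabled
NTSTATUS OnUnload(IN PDRIVER_OBJECT DriverObject);
/* (void) rather than (): an empty parameter list disables argument checking at call sites. */
ULONG GetProcessNameOffset(void);
extern NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
    );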
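/*
 * Driver entry point.
 *
 * Creates \Device\Monitor and its \DosDevices\Monitor link, resolves the
 * image-name offset inside EPROCESS, installs the dispatch table, and finally
 * registers the thread- and process-creation callbacks.  Every resource
 * acquired before a failing step is released again, so a failed load leaves
 * no device, link or callback behind (the original leaked all of them once
 * the symbolic link existed).
 *
 * DriverObject - driver object supplied by the I/O manager
 * RegistryPath - service registry key; unused
 * Returns STATUS_SUCCESS, or the NTSTATUS of the step that failed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;
    int i;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&nameString, L"\\Device\\Monitor");
    status = IoCreateDevice(DriverObject,
                            0,
                            &nameString,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&linkString, L"\\DosDevices\\Monitor");
    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status)) {
        goto fail_device;
    }

    /*
     * Resolve the EPROCESS name offset and reset the shared flag BEFORE the
     * callbacks are registered: once registered they may run immediately on
     * any CPU and both read these globals.  GetProcessNameOffset relies on
     * DriverEntry executing in the System process.  Without a valid offset
     * the callbacks would print from an arbitrary spot in EPROCESS, so the
     * load is refused in that case.
     */
    ProcessNameOffset = GetProcessNameOffset();
    if (ProcessNameOffset == 0) {
        DbgPrint("GetProcessNameOffset() could not locate the image name field\n");
        status = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }
    g_MainThread = FALSE;

    DriverObject->DriverUnload = OnUnload;
    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; "<" skipped the last one. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = MydrvDispatch;
    }

    /* The image-load hook (PsSetLoadImageNotifyRoutine / ImageCreateMon) is intentionally disabled. */

    status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail_link;
    }

    status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
        goto fail_thread_notify;
    }

    return STATUS_SUCCESS;

fail_thread_notify:
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
fail_link:
    IoDeleteSymbolicLink(&linkString);
fail_device:
    IoDeleteDevice(deviceObject);
    return status;
}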
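/*
 * Unload routine: unregisters both callbacks and tears down the device.
 *
 * NOTE(review): DRIVER_UNLOAD is a VOID routine; this one is declared
 * NTSTATUS to match its prototype and the assignment in DriverEntry, and the
 * I/O manager ignores the value.  Because the driver image is gone after this
 * returns, every resource is released unconditionally: the original returned
 * early when the symbolic link could not be deleted and so left the device
 * object dangling.
 *
 * DriverObject - the driver being unloaded
 * Returns STATUS_SUCCESS, or the status of a failed IoDeleteSymbolicLink.
 */
NTSTATUS OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);

    if (DriverObject->DeviceObject != NULL) {
        status = IoDeleteSymbolicLink(&linkString);
        if (!NT_SUCCESS(status)) {
            DbgPrint("IoDeleteSymbolicLink() failed\n");
        }
        IoDeleteDevice(DriverObject->DeviceObject);
    }
    return status;
}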
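/*
 * Default dispatch routine for every IRP major function: completes the
 * request with STATUS_SUCCESS and no data.
 *
 * The IRP must not be touched after IoCompleteRequest -- it may already have
 * been freed -- so the status is returned from a local instead of being read
 * back from Irp->IoStatus.Status as the original did.
 */
static NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}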
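/* Number of bytes of the current process object that are searched for SYSNAME. */
enum { EPROCESS_SCAN_BYTES = 3 * 1024 };

/*
 * Locate the image-file-name field inside EPROCESS.
 *
 * EPROCESS is undocumented and its layout differs between Windows versions,
 * so instead of a hard-coded offset the first EPROCESS_SCAN_BYTES of the
 * *current* process object are scanned for "System".  This only works when
 * called from DriverEntry, which runs in the System process.
 *
 * NOTE(review): the scan window is larger than the EPROCESS structure on the
 * targeted systems, so the loop can read past the object into adjacent pool;
 * it is pool memory, so this does not fault, but the search is heuristic and
 * a false hit elsewhere in the window is possible.
 *
 * Returns the byte offset of the name, or 0 if it was not found in the window
 * (0 is never a plausible offset for this field).
 */
ULONG GetProcessNameOffset(void)
{
    const PCHAR base = (PCHAR)PsGetCurrentProcess();
    const size_t nameLen = strlen(SYSNAME);   /* hoisted out of the loop */
    ULONG off;

    for (off = 0; off < EPROCESS_SCAN_BYTES; off++) {
        if (strncmp(SYSNAME, base + off, nameLen) == 0) {
            return off;
        }
    }
    return 0;
}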
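/*
 * Process-creation/termination callback (PsSetCreateProcessNotifyRoutine).
 *
 * On creation, logs the new process's image name, parent id, id and EPROCESS
 * address and raises g_MainThread so that ThreadCreateMon does not report the
 * process's initial thread as a remote thread.  On termination only the id is
 * logged.
 *
 * hParentId - id of the creating process
 * PId       - id of the process being created or terminated
 * bCreate   - TRUE on creation, FALSE on exit
 *
 * PsLookupProcessByProcessId hands back a referenced object; the reference is
 * released with ObDereferenceObject on every path (the original leaked one
 * per callback, pinning every EPROCESS it ever looked at).
 */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL;
    NTSTATUS status;

    status = PsLookupProcessByProcessId((ULONG)PId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    if (bCreate) {
        PCHAR lpCurProc = (PCHAR)EProcess + ProcessNameOffset;

        /*
         * NOTE(review): g_MainThread is a plain global shared with
         * ThreadCreateMon; two processes created concurrently can race on it.
         */
        g_MainThread = TRUE;

        /*
         * The in-EPROCESS image name is a fixed 16-byte array that is not
         * guaranteed to be NUL-terminated, so the read is bounded with a
         * precision.  Ids are narrowed through ULONG_PTR so the format also
         * matches on 64-bit builds; the EPROCESS address is printed as a pointer.
         */
        DbgPrint("CREATE PROCESS = PROCESS NAME: %.16s , PROCESS PARENTID: %u, PROCESS ID: %u, PROCESS ADDRESS %p:\n",
                 lpCurProc,
                 (ULONG)(ULONG_PTR)hParentId,
                 (ULONG)(ULONG_PTR)PId,
                 EProcess);
    } else {
        DbgPrint("TERMINATED == PROCESS ID: %u\n", (ULONG)(ULONG_PTR)PId);
    }

    ObDereferenceObject(EProcess);
}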
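/*
 * Thread-creation/termination callback (PsSetCreateThreadNotifyRoutine).
 *
 * Runs in the context of the thread performing the creation (or the exiting
 * thread).  A new thread whose owning process is not the current process was
 * created from outside and is reported as a remote thread -- except for the
 * initial thread of a freshly created process, which ProcessCreateMon marks
 * via g_MainThread.  Threads of the System process are ignored.
 *
 * PId     - id of the process that owns the thread
 * TId     - thread id
 * bCreate - TRUE on creation, FALSE on exit
 *
 * The reference returned by PsLookupProcessByProcessId is released on every
 * path; the original leaked it on all of them, including the System-process
 * early return.
 */
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL;
    NTSTATUS status;

    /* Filter the System process before taking a reference, so none can leak here. */
    if ((ULONG)(ULONG_PTR)PId == 4) {
        return;
    }

    status = PsLookupProcessByProcessId((ULONG)PId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    if (!g_MainThread) {
        if (bCreate) {
            HANDLE idProcess = PsGetCurrentProcessId();
            HANDLE idThread = PsGetCurrentThreadId();
            PCHAR lpCurProc = (PCHAR)EProcess + ProcessNameOffset;

            if (idProcess != PId) {
                DbgPrint("This is a remote thread,catch you\n");
                /*
                 * A NULL handle makes ZwTerminateProcess act on the current
                 * process, i.e. the one that created the remote thread.
                 * NOTE(review): terminating a process from inside a
                 * creation callback is a known hazard (the creating thread is
                 * still inside the kernel's thread-creation path) -- confirm
                 * this is acceptable.  The call is kept; the actual status is
                 * logged instead of the fixed message the original printed.
                 */
                status = ZwTerminateProcess(0, 0);
                DbgPrint("ZwTerminateProcess returned 0x%08X\n", status);
            }

            /* %.16s bounds the read of the fixed-size, possibly unterminated image name. */
            DbgPrint("CREATE THREAD = PROCESS NAME: %.16s PROCESS ID: %u, THREAD ID: %u\n",
                     lpCurProc, (ULONG)(ULONG_PTR)PId, (ULONG)(ULONG_PTR)TId);
            DbgPrint("CurrentProcessId = %u , CurrentThreadId = %u\n",
                     (ULONG)(ULONG_PTR)idProcess, (ULONG)(ULONG_PTR)idThread);
        } else {
            DbgPrint("TERMINATED == THREAD ID: %u\n", (ULONG)(ULONG_PTR)TId);
        }
    }

    /* The flag covers exactly one thread event; the next one is judged on its own. */
    g_MainThread = FALSE;

    ObDereferenceObject(EProcess);
}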
/*
VOID ImageCreateMon (IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo )
{
DbgPrint("FullImageName: %S,Process ID: %d\n",FullImageName->Buffer,ProcessId);
DbgPrint("ImageBase: %x,ImageSize: %d\n",ImageInfo->ImageBase,ImageInfo->ImageSize);
}
*/