#include <stdio.h>

#include "DeviceDriverUserMode.h"

#include "windows.h"
#include "devioctl.h"

// Device type used by the driver's control codes. devioctl.h already defines
// FILE_DEVICE_UNKNOWN with the same value, so this redefinition is benign; keep
// the values in sync with the driver's own header so CTL_CODE() produces the
// same numbers on both sides.
#define FILE_DEVICE_UNKNOWN             0x00000022
// Function 0x0800: switch monitoring on/off; input buffer is an ACTIVATE_INFO.
#define IOCTL_PROCOBSRV_ACTIVATE_MONITORING  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
// Function 0x0801: fetch one pending notification; output buffer is a PROCESS_CALLBACK_INFO.
#define IOCTL_PROCOBSRV_GET_PROCINFO   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

// Input buffer of IOCTL_PROCOBSRV_ACTIVATE_MONITORING. This layout is shared
// with the kernel driver; it must match the driver's definition byte for byte
// (BOOLEAN is one byte) — confirm against the driver source when changing it.
typedef struct _ActivateInfo
{
   BOOLEAN  bActivate;   // non-zero to start monitoring (this client only ever sends 1)
} ACTIVATE_INFO, *PACTIVATE_INFO;

// Output buffer of IOCTL_PROCOBSRV_GET_PROCINFO: one process/thread event as
// reported by the driver. Layout is shared with the kernel side and must match
// its definition exactly (field order, BOOLEAN width, padding) — verify against
// the driver header before editing. The HANDLE fields carry ids, not open
// handles; they must never be passed to CloseHandle().
typedef struct _ProcessCallbackInfo
{
    HANDLE  hParentId;    // id of the parent process
    HANDLE  hProcessId;   // id of the process the event is about
    BOOLEAN bCreate;      // non-zero on creation, zero on exit
	// Thread events: when isThread is set, hThreadId identifies the thread
	// (presumably the process fields then describe its owning process — confirm in the driver).
	BOOLEAN isThread;
    HANDLE hThreadId;
} PROCESS_CALLBACK_INFO, *PPROCESS_CALLBACK_INFO;

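// User-mode client for the ProcessMonitor driver.
//
// Loads/starts the driver, opens its device and its named event, turns
// monitoring on, then loops forever: wait for the driver to signal the event,
// fetch one PROCESS_CALLBACK_INFO via IOCTL_PROCOBSRV_GET_PROCINFO and print it.
//
// Returns 0 only via an explicit exit path (the loop is infinite); returns 1
// when the device or event cannot be opened, or when the driver stops
// answering the fetch IOCTL. Every opened handle is closed on each exit path.
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    // Loading may fail when the driver is already installed from an earlier
    // run; the original treats this as non-fatal (its early return is commented
    // out), so keep going and let CreateFile decide whether the device exists.
    const BOOL initResult = initDevice("ProcessMonitor.sys", "ProcessMonitor");
    printf("%s\n", initResult ? "initDevice OK" : "initDevice NO");

    HANDLE hDriverFile = ::CreateFile(TEXT("\\\\.\\ProcessMonitor"),
                                      GENERIC_READ | GENERIC_WRITE,
                                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                                      NULL, OPEN_EXISTING, 0, NULL);
    if (INVALID_HANDLE_VALUE == hDriverFile)
    {
        // Nothing below can work without the device handle; the original
        // pressed on and issued IOCTLs against INVALID_HANDLE_VALUE.
        printf("CreateFile 1 NO\n");
        return 1;
    }
    printf("CreateFile 1 OK\n");

    // OpenEvent reports failure with NULL, not INVALID_HANDLE_VALUE; the
    // original compared against the wrong sentinel and never noticed a miss.
    HANDLE hKernelEvent = ::OpenEvent(SYNCHRONIZE, FALSE, TEXT("ProcessMonitorProcessEvent"));
    if (NULL == hKernelEvent)
    {
        printf("OpenEvent 1 NO\n");
        ::CloseHandle(hDriverFile);
        return 1;
    }
    printf("OpenEvent 1 OK\n");

    ACTIVATE_INFO activateInfo;
    activateInfo.bActivate = TRUE;
    DWORD dwBytesReturned = 0;
    const BOOL bReturnCode = ::DeviceIoControl(hDriverFile, IOCTL_PROCOBSRV_ACTIVATE_MONITORING,
                                               &activateInfo, sizeof(activateInfo),
                                               NULL, 0, &dwBytesReturned, NULL);
    printf("%s\n", bReturnCode ? "DeviceIoControl OK" : "DeviceIoControl NO");

    PROCESS_CALLBACK_INFO callbackInfo = {};
    DWORD dwReturn = 0;
    int exitCode = 0;
    for (;;)
    {
        // NOTE(review): resetting before waiting can drop a signal raised
        // between the previous fetch and this reset; whether that loses events
        // depends on the driver's event type (manual vs. auto-reset) — confirm.
        ::ResetEvent(hKernelEvent);
        if (::WaitForSingleObject(hKernelEvent, INFINITE) == WAIT_FAILED)
        {
            // A dead event handle would otherwise spin this loop forever.
            printf("IO wrong+%d\n", GetLastError());
            exitCode = 1;
            break;
        }

        const BOOL status = ::DeviceIoControl(hDriverFile, IOCTL_PROCOBSRV_GET_PROCINFO,
                                              NULL, 0, &callbackInfo, sizeof(callbackInfo),
                                              &dwReturn, NULL);
        if (!status)
        {
            printf("IO wrong+%d\n", GetLastError());
            exitCode = 1;
            break;
        }

        // The id fields are HANDLE-typed pointers; widen explicitly instead of
        // feeding pointers to %d (undefined, and truncating on 64-bit builds).
        printf("Create=%d   Parent=%lu   Process=%lu   Thread=%lu   IsThread=%d\n",
               (int)callbackInfo.bCreate,
               (unsigned long)(ULONG_PTR)callbackInfo.hParentId,
               (unsigned long)(ULONG_PTR)callbackInfo.hProcessId,
               (unsigned long)(ULONG_PTR)callbackInfo.hThreadId,
               (int)callbackInfo.isThread);
    }

    ::CloseHandle(hKernelEvent);
    ::CloseHandle(hDriverFile);
    return exitCode;
}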
