#include <stdio.h>

#include "DeviceDriverUserMode.h"

#include "windows.h"
#include "devioctl.h"

// Device type used by the monitor's device object.  devioctl.h already defines
// FILE_DEVICE_UNKNOWN with this same value, so the redefinition is legal (identical
// replacement list) and only documents the dependency.
#define FILE_DEVICE_UNKNOWN             0x00000022
// Control codes shared with the driver.  Both are METHOD_BUFFERED and carry
// FILE_READ_ACCESS | FILE_WRITE_ACCESS, so the I/O manager rejects them unless the
// device handle was opened with both read and write access (see CreateFile in main).
// 0x0800: switch monitoring on; input buffer is an ACTIVATE_INFO, no output.
#define IOCTL_PROCOBSRV_ACTIVATE_MONITORING  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
// 0x0801: fetch one notification; no input, output buffer is a PROCESS_CALLBACK_INFO.
#define IOCTL_PROCOBSRV_GET_PROCINFO   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

// Input buffer of IOCTL_PROCOBSRV_ACTIVATE_MONITORING.  The layout is shared with
// the kernel driver and must stay in sync with the driver's copy of this struct.
struct _ActivateInfo
{
    BOOLEAN bActivate;   // main sends 1; presumably non-zero switches monitoring on
};
typedef struct _ActivateInfo  ACTIVATE_INFO;
typedef ACTIVATE_INFO        *PACTIVATE_INFO;

// Output buffer of IOCTL_PROCOBSRV_GET_PROCINFO: one notification, filled in by the
// driver.  The layout (including the padding after the two BOOLEANs) and the size of
// HANDLE must match the driver's definition and bitness byte for byte; a mismatch
// shows up as garbage ids rather than as an error.
struct _ProcessCallbackInfo
{
    HANDLE  hParentId;    // presumably the parent process id — confirm against the driver
    HANDLE  hProcessId;   // presumably the process id
    BOOLEAN bCreate;      // printed as Create=; presumably 1 = creation, 0 = exit
    BOOLEAN isThread;     // presumably set when the record describes a thread, not a process
    HANDLE  hThreadId;    // presumably the thread id; value when isThread is 0 not shown here
};
typedef struct _ProcessCallbackInfo  PROCESS_CALLBACK_INFO;
typedef PROCESS_CALLBACK_INFO       *PPROCESS_CALLBACK_INFO;

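// Narrows a HANDLE-typed id field to an integer for printing.  The driver reports
// process/thread ids as HANDLE (pointer-sized); passing them to "%d" is undefined
// on 64-bit builds, so go through ULONG_PTR explicitly.
static unsigned long idFromHandle(HANDLE h)
{
    return static_cast<unsigned long>(reinterpret_cast<ULONG_PTR>(h));
}

// Releases the device handle and the kernel event.  Either may be "not opened"
// (INVALID_HANDLE_VALUE for the file, NULL for the event) and is then skipped.
static void closeHandles(HANDLE hDriverFile, HANDLE hKernelEvent)
{
    if (hKernelEvent != NULL)
    {
        ::CloseHandle(hKernelEvent);
    }
    if (hDriverFile != INVALID_HANDLE_VALUE)
    {
        ::CloseHandle(hDriverFile);
    }
}

// User-mode side of the process monitor: loads the driver, opens its device and
// the kernel-side event, switches monitoring on, then loops forever printing each
// process/thread notification the driver hands back.  Returns 1 (after releasing
// the handles) when a required step fails; otherwise never returns.
// argc/argv are not used.
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    // A failed initDevice is reported but deliberately not fatal (the original
    // author disabled the early return here, presumably because the service may
    // already exist from an earlier run); CreateFile below is the real gate.
    BOOL initResult = initDevice("ProcessMonitor.sys", "ProcessMonitor");
    if (!initResult)
    {
        printf("initDevice NO\n");
    }
    else
    {
        printf("initDevice OK\n");
    }

    // Both IOCTLs require FILE_READ_ACCESS | FILE_WRITE_ACCESS, so the device must
    // be opened with GENERIC_READ | GENERIC_WRITE.
    HANDLE hDriverFile = ::CreateFile(TEXT("\\\\.\\ProcessMonitor"), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (INVALID_HANDLE_VALUE == hDriverFile)
    {
        printf("CreateFile 1 NO\n");
        return 1;   // every later call needs this handle
    }
    printf("CreateFile 1 OK\n");

    // OpenEvent reports failure with NULL, not INVALID_HANDLE_VALUE.
    HANDLE m_hKernelEvent = ::OpenEvent(SYNCHRONIZE, FALSE, TEXT("ProcessMonitorProcessEvent"));
    if (NULL == m_hKernelEvent)
    {
        printf("OpenEvent 1 NO\n");
        closeHandles(hDriverFile, NULL);
        return 1;   // waiting on a NULL handle would fail on every iteration
    }
    printf("OpenEvent 1 OK\n");

    // Switch monitoring on.  No output buffer, so dwBytesReturned is only a sink.
    ACTIVATE_INFO activateInfo = {};
    activateInfo.bActivate = 1;
    DWORD dwBytesReturned = 0;
    BOOL bReturnCode = ::DeviceIoControl(hDriverFile, IOCTL_PROCOBSRV_ACTIVATE_MONITORING, &activateInfo, sizeof(activateInfo), NULL, 0, &dwBytesReturned, NULL);
    if (!bReturnCode)
    {
        printf("DeviceIoControl NO\n");
        closeHandles(hDriverFile, m_hKernelEvent);
        return 1;   // without activation the wait below would likely never be signalled
    }
    printf("DeviceIoControl OK\n");

    PROCESS_CALLBACK_INFO callbackInfo = {};
    ULONG dwReturn = 0;
    while (1)
    {
        // NOTE(review): resetting before the wait discards a signal that arrived
        // while the previous record was being fetched and printed; whether that
        // loses notifications depends on the driver's event semantics — confirm.
        ::ResetEvent(m_hKernelEvent);
        if (::WaitForSingleObject(m_hKernelEvent, INFINITE) != WAIT_OBJECT_0)
        {
            // Only WAIT_FAILED is possible here with a valid event; bail out
            // instead of spinning on a broken handle.
            printf("WaitForSingleObject NO+%lu\n", GetLastError());
            closeHandles(hDriverFile, m_hKernelEvent);
            return 1;
        }

        // Clear the record each round so a short answer never exposes stale fields.
        callbackInfo = PROCESS_CALLBACK_INFO();
        dwReturn = 0;
        BOOL status = ::DeviceIoControl(hDriverFile, IOCTL_PROCOBSRV_GET_PROCINFO, NULL, 0, &callbackInfo, sizeof(callbackInfo), &dwReturn, NULL);
        if (!status)
        {
            printf("IO wrong+%lu\n", GetLastError());
            closeHandles(hDriverFile, m_hKernelEvent);
            return 1;
        }
        // The record comes from the driver; only print it when the whole structure
        // was filled.  If an older driver build legitimately returns a shorter
        // record (the last two fields look like a later addition), relax this to
        // the size that build fills.
        if (dwReturn < sizeof(callbackInfo))
        {
            printf("IO short+%lu\n", static_cast<unsigned long>(dwReturn));
            continue;
        }
        printf("Create=%d   Parent=%lu   Process=%lu   Thread=%lu   IsThread=%d\n", callbackInfo.bCreate, idFromHandle(callbackInfo.hParentId), idFromHandle(callbackInfo.hProcessId), idFromHandle(callbackInfo.hThreadId), callbackInfo.isThread);
    }
}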
