// Process and dynamic-link-library mapping monitor (kernel-mode driver).
// Note: as written, only thread create/exit events are actually reported
// (see ActivateMonitoringHanlder); no image-load notification is installed.
#include <ntddk.h>
// Device type and IOCTL codes shared with the user-mode client.
// Both control codes require a handle opened with FILE_READ_ACCESS and
// FILE_WRITE_ACCESS. That is the only access check on this path: the device
// object is created with plain IoCreateDevice (default security descriptor),
// so anyone who can open \\.\ProcessMonitor can toggle monitoring.
#define FILE_DEVICE_UNKNOWN 0x00000022 // same value the WDK headers use; redefinition is benign
#define IOCTL_UNKNOWN_BASE FILE_DEVICE_UNKNOWN
#define IOCTL_PROCOBSRV_ACTIVATE_MONITORING CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // input: ACTIVATE_INFO
#define IOCTL_PROCOBSRV_GET_PROCINFO CTL_CODE(IOCTL_UNKNOWN_BASE, 0x0801, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // output: PROCESS_CALLBACK_INFO
// Dispatch routine prototypes
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void UnloadDriver(PDRIVER_OBJECT DriverObject);
// Process-notify callback prototype (ThreadCallback below is defined without one)
VOID ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate);
// Activate/deactivate request structure (IOCTL_PROCOBSRV_ACTIVATE_MONITORING input)
// Input of IOCTL_PROCOBSRV_ACTIVATE_MONITORING. Shared with user mode through
// the METHOD_BUFFERED system buffer, so the layout must not change.
typedef struct _ActivateInfo
{
BOOLEAN bActivated; // requested state: TRUE = install callback, FALSE = remove it
} ACTIVATE_INFO, *PACTIVATE_INFO;
// Event record returned to user mode by IOCTL_PROCOBSRV_GET_PROCINFO
// Output of IOCTL_PROCOBSRV_GET_PROCINFO: a copy of the most recent event
// stored in DEVICE_EXTENSION. Shared with user mode; layout is ABI.
typedef struct _ProcessCallbackInfo
{
HANDLE hParentId; // parent pid for process events, NULL for thread events
HANDLE hProcessId; // process created/exited, or owner of the thread
BOOLEAN bCreate; // TRUE = create, FALSE = exit
BOOLEAN isThread; // TRUE when the record describes a thread event
HANDLE hThreadId; // thread id for thread events, NULL otherwise
} PROCESS_CALLBACK_INFO, *PPROCESS_CALLBACK_INFO;
// Per-device private storage for the last recorded event
// Device extension: a single slot holding the most recent process/thread
// event written by the notify callbacks and read by DispatchIoctl.
// Kernel-only. There is no lock; a new event overwrites an unread one.
typedef struct _DEVICE_EXTENSION
{
PDEVICE_OBJECT DeviceObject; // back-pointer to the owning device object
HANDLE hProcessId; // process of the last event
PKEVENT ProcessEvent; // \BaseNamedObjects\ProcessMonitorProcessEvent, pulsed per event
HANDLE hParentId; // parent pid (process events) or NULL (thread events)
BOOLEAN bCreate; // TRUE = create, FALSE = exit
BOOLEAN isThread; // TRUE when the last event was a thread event
HANDLE hThreadId; // thread id, NULL for process events
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// Globals
// Device object used by the notify callbacks, which receive no context pointer.
PDEVICE_OBJECT g_pDeviceObject;
// Current monitoring state, written by ActivateMonitoringHanlder. Not
// synchronised: two concurrent ACTIVATE IOCTLs can race on it.
ACTIVATE_INFO g_ActivateInfo;
// Undocumented function, declared locally. NOTE(review): the kernel export
// takes a HANDLE and returns a referenced EPROCESS that must be released with
// ObDereferenceObject; declaring the parameter as ULONG truncates the handle
// on 64-bit builds — confirm against the target WDK headers.
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT struct _EPROCESS ** pEProcess);
// Driver entry point
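// Driver entry point: creates the control device, its user-visible symbolic
// link and the named notification event that user mode waits on.
//
// RegistryPath is unused. On any failure everything created so far is torn
// down again and the failing NTSTATUS is returned.
//
// Fix versus the original: IoCreateNotificationEvent can return NULL, and the
// original passed that straight to KeClearEvent. The failure is now handled.
//
// NOTE(review): the device is created with IoCreateDevice, i.e. with the
// default security descriptor for FILE_DEVICE_UNKNOWN, and the symbolic link
// is visible to every user. Anyone who can open \\.\ProcessMonitor can toggle
// the thread-notify routine and read the last event. If that is not intended,
// create the device with IoCreateDeviceSecure and a restrictive SDDL string
// and set FILE_DEVICE_SECURE_OPEN — verify availability on the target WDK.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;
    UNICODE_STRING uszDriverString;
    UNICODE_STRING uszDeviceString;
    UNICODE_STRING uszProcessEventString;
    PDEVICE_OBJECT pDeviceObject = NULL;
    PDEVICE_EXTENSION extension;
    HANDLE hProcessHandle = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    // Install dispatch routines before the device becomes visible so no
    // IRP can ever hit a NULL MajorFunction entry.
    DriverObject->DriverUnload = UnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    RtlInitUnicodeString(&uszDriverString, L"\\Device\\ProcessMonitor");
    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ProcessMonitor");
    RtlInitUnicodeString(&uszProcessEventString, L"\\BaseNamedObjects\\ProcessMonitorProcessEvent");

    // The device extension is zero-initialised by IoCreateDevice.
    ntStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &uszDriverString,
                              FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }
    extension = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;
    extension->DeviceObject = pDeviceObject;

    ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
    if (!NT_SUCCESS(ntStatus))
    {
        IoDeleteDevice(pDeviceObject);
        return ntStatus;
    }

    // The event lives in \BaseNamedObjects so user mode can open it by name.
    // hProcessHandle holds the reference that keeps ProcessEvent alive; it
    // is never closed (closing it could leave ProcessEvent dangling), so it
    // is leaked until shutdown. TODO: save it and ZwClose it in UnloadDriver.
    extension->ProcessEvent = IoCreateNotificationEvent(&uszProcessEventString, &hProcessHandle);
    if (extension->ProcessEvent == NULL)
    {
        IoDeleteSymbolicLink(&uszDeviceString);
        IoDeleteDevice(pDeviceObject);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    KeClearEvent(extension->ProcessEvent);

    // Publish the device to the notify callbacks only once fully set up.
    g_pDeviceObject = pDeviceObject;
    g_ActivateInfo.bActivated = FALSE;

    return STATUS_SUCCESS;
}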
// IRP_MJ_CREATE handler
// IRP_MJ_CREATE: every open of the device succeeds; no per-handle state is
// kept, so there is nothing to allocate or check here.
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    // The IRP must not be touched after completion, hence the literal return.
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
// IRP_MJ_CLOSE handler
// IRP_MJ_CLOSE: nothing is owned per handle, so closing is a plain success.
// Note that closing the handle does NOT deactivate monitoring; the callback
// stays installed until IOCTL_PROCOBSRV_ACTIVATE_MONITORING(FALSE) or unload.
NTSTATUS DispatchClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
// Process create/exit callback
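// Process create/exit notify routine (PCREATE_PROCESS_NOTIFY_ROUTINE shape).
// Records the event in the device extension and pulses ProcessEvent so a
// user-mode waiter can fetch it with IOCTL_PROCOBSRV_GET_PROCINFO.
//
// hParentId  - parent process id
// hProcessId - process being created or exiting
// bCreate    - TRUE on creation, FALSE on exit
//
// Fix versus the original: PsLookupProcessByProcessId returns a referenced
// EPROCESS and the reference was never released, leaking one reference per
// process event. The lookup result is still unused; the reference is now
// dropped immediately. A failed lookup is tolerated and the event is still
// reported, as before.
//
// NOTE(review): ActivateMonitoringHanlder currently installs only
// ThreadCallback, so this routine is defined but not registered. The
// extension is a single unlocked slot; a later event overwrites an unread one.
// The (ULONG) cast follows the local prototype and truncates the handle on
// 64-bit builds.
VOID ProcessCallback(IN HANDLE hParentId, IN HANDLE hProcessId, IN BOOLEAN bCreate)
{
    PDEVICE_EXTENSION extension;
    PEPROCESS EProcess = NULL;
    NTSTATUS status;

    status = PsLookupProcessByProcessId((ULONG)hProcessId, &EProcess);
    if (NT_SUCCESS(status))
    {
        // Nothing uses the object yet; release the reference right away.
        ObDereferenceObject(EProcess);
    }

    extension = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension;
    extension->hParentId = hParentId;
    extension->hProcessId = hProcessId;
    extension->bCreate = bCreate;
    extension->isThread = FALSE;
    extension->hThreadId = NULL;

    // Pulse: wake every waiter, then reset so the next event is observable.
    KeSetEvent(extension->ProcessEvent, 0, FALSE);
    KeClearEvent(extension->ProcessEvent);
}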
// Thread create/exit notify routine (PCREATE_THREAD_NOTIFY_ROUTINE shape).
// Stores the owning process id and the thread id in the device extension,
// marks the record as a thread event and pulses ProcessEvent for user mode.
// Thread events carry no parent process, so hParentId is cleared.
VOID ThreadCallback(IN HANDLE hProcessId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    PDEVICE_EXTENSION ext = (PDEVICE_EXTENSION)g_pDeviceObject->DeviceExtension;

    ext->hParentId = NULL;
    ext->hProcessId = hProcessId;
    ext->hThreadId = TId;
    ext->bCreate = bCreate;
    ext->isThread = TRUE;

    // Pulse the notification event: wake every waiter, then reset it.
    KeSetEvent(ext->ProcessEvent, 0, FALSE);
    KeClearEvent(ext->ProcessEvent);
}
// IOCTL handler that installs or removes the notify callback
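// Handles IOCTL_PROCOBSRV_ACTIVATE_MONITORING. The METHOD_BUFFERED input is
// an ACTIVATE_INFO: bActivated TRUE installs ThreadCallback, FALSE removes it.
//
// Returns STATUS_SUCCESS when the state changed, the Ps* status when the
// kernel call failed, and STATUS_UNSUCCESSFUL for a short input buffer or
// when the requested state is already current (kept from the original).
//
// Fixes versus the original:
//  - PsSetCreateThreadNotifyRoutine takes a single argument; the extra
//    FALSE did not match the WDK prototype.
//  - Deactivation called PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE),
//    which was never registered, so ThreadCallback could never be removed
//    and remained registered after the driver unloaded.
//  - The user-supplied BOOLEAN is normalised to TRUE/FALSE so a value such
//    as 2 can no longer register the routine a second time.
//
// NOTE(review): g_ActivateInfo is not synchronised, so two concurrent
// callers can both pass the state check. No caller identity is checked;
// see the device-security note on DriverEntry.
NTSTATUS ActivateMonitoringHanlder(IN PIRP Irp)
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    PACTIVATE_INFO pActivateInfo;
    BOOLEAN wantActive;
    NTSTATUS ntStatus;

    if (irpStack->Parameters.DeviceIoControl.InputBufferLength < sizeof(ACTIVATE_INFO))
    {
        return STATUS_UNSUCCESSFUL;
    }

    pActivateInfo = (PACTIVATE_INFO)Irp->AssociatedIrp.SystemBuffer;
    wantActive = (pActivateInfo->bActivated != FALSE) ? TRUE : FALSE;

    // Already in the requested state: reported as failure, as the original did.
    if (g_ActivateInfo.bActivated == wantActive)
    {
        return STATUS_UNSUCCESSFUL;
    }

    if (wantActive)
    {
        // Only the thread routine is installed. ProcessCallback exists in
        // this file but was deliberately left unregistered by the original.
        ntStatus = PsSetCreateThreadNotifyRoutine(ThreadCallback);
        if (!NT_SUCCESS(ntStatus))
        {
            return ntStatus;
        }
        g_ActivateInfo.bActivated = TRUE;
    }
    else
    {
        // Remove exactly what was installed above so the image can unload.
        ntStatus = PsRemoveCreateThreadNotifyRoutine(ThreadCallback);
        if (!NT_SUCCESS(ntStatus))
        {
            return ntStatus;
        }
        g_ActivateInfo.bActivated = FALSE;
    }

    return STATUS_SUCCESS;
}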
// IRP_MJ_DEVICE_CONTROL dispatch routine
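// IRP_MJ_DEVICE_CONTROL dispatch. Both IOCTLs are METHOD_BUFFERED, so input
// and output share Irp->AssociatedIrp.SystemBuffer.
//
// Fixes versus the original:
//  - IoStatus.Information is now the number of bytes the driver actually
//    wrote. The original reported OutputBufferLength for every successful
//    request, which copies whatever is in the system buffer — including
//    bytes the driver never wrote — back to the caller.
//  - The output record is zeroed before filling so struct padding does not
//    carry stale pool contents to user mode.
//  - Unknown control codes return STATUS_INVALID_DEVICE_REQUEST and a short
//    output buffer returns STATUS_BUFFER_TOO_SMALL instead of the generic
//    STATUS_UNSUCCESSFUL.
//
// NOTE(review): the extension is written by the notify callbacks without a
// lock, so a concurrent event can tear the snapshot taken here.
NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus = STATUS_INVALID_DEVICE_REQUEST;
    ULONG_PTR bytesWritten = 0;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    PDEVICE_EXTENSION extension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
    PPROCESS_CALLBACK_INFO pInfo;

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_PROCOBSRV_ACTIVATE_MONITORING:
        // Input only; nothing is returned to the caller.
        ntStatus = ActivateMonitoringHanlder(Irp);
        break;

    case IOCTL_PROCOBSRV_GET_PROCINFO:
        if (irpStack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(PROCESS_CALLBACK_INFO))
        {
            ntStatus = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        pInfo = (PPROCESS_CALLBACK_INFO)Irp->AssociatedIrp.SystemBuffer;
        RtlZeroMemory(pInfo, sizeof(PROCESS_CALLBACK_INFO));
        pInfo->hParentId = extension->hParentId;
        pInfo->hProcessId = extension->hProcessId;
        pInfo->bCreate = extension->bCreate;
        pInfo->isThread = extension->isThread;
        pInfo->hThreadId = extension->hThreadId;
        bytesWritten = sizeof(PROCESS_CALLBACK_INFO);
        ntStatus = STATUS_SUCCESS;
        break;

    default:
        // Unknown control code: STATUS_INVALID_DEVICE_REQUEST, already set.
        break;
    }

    Irp->IoStatus.Status = ntStatus;
    Irp->IoStatus.Information = NT_SUCCESS(ntStatus) ? bytesWritten : 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}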
// Driver unload
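// Driver unload: removes the thread-notify routine if monitoring is still
// active, then deletes the symbolic link and the device.
//
// Fixes versus the original:
//  - It called PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE), but
//    ActivateMonitoringHanlder only ever installs ThreadCallback, so the
//    removal failed and ThreadCallback stayed registered pointing into the
//    unloaded image (a bugcheck on the next thread creation).
//  - The symbolic link is removed before the device, so there is no window
//    in which the link resolves to a deleted device object.
//
// NOTE(review): the event handle returned by IoCreateNotificationEvent in
// DriverEntry is not saved anywhere, so it cannot be closed here.
void UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uszDeviceString;

    if (g_ActivateInfo.bActivated)
    {
        // Failure here means the routine is not registered, so the flag is
        // cleared either way; there is nothing else to do on unload.
        (void)PsRemoveCreateThreadNotifyRoutine(ThreadCallback);
        g_ActivateInfo.bActivated = FALSE;
    }

    RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ProcessMonitor");
    IoDeleteSymbolicLink(&uszDeviceString);
    IoDeleteDevice(DriverObject->DeviceObject);
    g_pDeviceObject = NULL;
}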