IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
)
{
//PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
PVOID ptr=NULL;
if(BuildNumber==2195) //Windows 2000 Sp4,2195
//低于sp4的我没有调试
{
ptr=0x80484520;
}
else if(BuildNumber==2600)
{
if(wcscmp(Version,L"Service Pack 1")==0) //Windows Xp Sp1,2600
ptr=0x8054efc0;
else if(wcscmp(Version,L"Service Pack 2")==0) //Windows Xp Sp2,2600
ptr=0x80561d20;
}
else if(BuildNumber==3790) //Windows 2003 server,3790
{
ptr=0x80570f40;
}
if(ptr!=NULL)
memset(ptr, 0, sizeof(ULONG)*8);
}
VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
PEPROCESS EProcess,PEProcess;
NTSTATUS status;
HANDLE dwParentPID;
status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}
if ( bCreate )
{
dwParentPID=PsGetCurrentProcessId();
status = PsLookupProcessByProcessId(
(ULONG)dwParentPID,
&PEProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}
if(PId==4) //System进程创建的东东我们不管
//在2000下是0,在XP后是4
return;
if((g_bMainThread==TRUE)
&&(g_dwParentId != dwParentPID)
&&(dwParentPID != PId)
)
{
g_bMainThread=FALSE;
sprintf(outBuf, "=============================="
"Remote Thread :"
"=============================="
"\nT:%18s%9d%9d%25s%9d\n"
"======================================"
"======================================\n",
(char *)((char *)EProcess+ProcessNameOffset),
PId, TId,
(char *)((char *)PEProcess+ProcessNameOffset),dwParentPID);
if(gpEventObject!=NULL)
KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}
if(CheckList.ONLYSHOWREMOTETHREAD) //只显示远线程
return;
DbgPrint( "T:%18s%9d%9d%25s%9d\n",
(char *)((char *)EProcess+ProcessNameOffset),
PId, TId,
(char *)((char *)PEProcess+ProcessNameOffset),dwParentPID);
sprintf(outBuf, "T:%18s%9d%9d%25s%9d\n",
(char *)((char *)EProcess+ProcessNameOffset),
PId, TId,
(char *)((char *)PEProcess+ProcessNameOffset),dwParentPID);
if(gpEventObject!=NULL)
KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}
else if(CheckList.SHOWTERMINATETHREAD)
{
DbgPrint( "TERMINATED == THREAD ID: %d\n", TId);
sprintf(outBuf,"TERMINATED == THREAD ID: %d\n", TId);
if(gpEventObject!=NULL)
KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}
}
VOID ProcessCreateMon ( HANDLE hParentId, HANDLE PId, BOOLEAN bCreate )
{
PEPROCESS EProcess,PProcess;
NTSTATUS status;
HANDLE TId;
g_dwParentId = hParentId;
status = PsLookupProcessByProcessId((ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}
status = PsLookupProcessByProcessId((ULONG)hParentId, &PProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}
if ( bCreate )
{
g_bMainThread = TRUE;
DbgPrint( "P:%18s%9d%9d%25s%9d\n",
(char *)((char *)EProcess+ProcessNameOffset),
PId,PsGetCurrentThreadId(),
(char *)((char *)PProcess+ProcessNameOffset),
hParentId
);
sprintf(outBuf, "P:%18s%9d%9d%25s%9d\n",
(char *)((char *)EProcess+ProcessNameOffset),
PId,PsGetCurrentThreadId(),
(char *)((char *)PProcess+ProcessNameOffset),
hParentId
);
if(gpEventObject!=NULL)
KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}
else if(CheckList.SHOWTERMINATEPROCESS)
{
DbgPrint( "TERMINATED == PROCESS ID: %d\n", PId);
sprintf(outBuf,"TERMINATED == PROCESS ID: %d\n", PId);
if(gpEventObject!=NULL)
KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
}
}
NTSTATUS OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
NTSTATUS status;
DbgPrint("OnUnload called\n");
if(gpEventObject)
ObDereferenceObject(gpEventObject);
PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
MyRemoveCraeteThreadNotifyRoutine(ThreadCreateMon);
if(pDriverObject->DeviceObject != NULL)
{
status=IoDeleteSymbolicLink( &devLinkUnicd );
if ( !NT_SUCCESS( status ) )
{
DbgPrint(( "IoDeleteSymbolicLink() failed\n" ));
return status;
}
IoDeleteDevice( pDriverObject->DeviceObject );
}
return STATUS_SUCCESS;
}
NTSTATUS DeviceIoControlDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP pIrp
)
{
PIO_STACK_LOCATION irpStack;
NTSTATUS status;
PVOID inputBuffer;
ULONG inputLength;
PVOID outputBuffer;
ULONG outputLength;
OBJECT_HANDLE_INFORMATION objHandleInfo;
status = STATUS_SUCCESS;
// 取出IOCTL请求代码
irpStack = IoGetCurrentIrpStackLocation(pIrp);
switch (irpStack->MajorFunction)
{
case IRP_MJ_CREATE :
DbgPrint("Call IRP_MJ_CREATE\n");
break;
case IRP_MJ_CLOSE:
DbgPrint("Call IRP_MJ_CLOSE\n");
break;
case IRP_MJ_DEVICE_CONTROL:
DbgPrint("IRP_MJ_DEVICE_CONTROL\n");
inputLength=irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputLength=irpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch (irpStack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_PASSEVENT: //用事件做通信
inputBuffer = pIrp->AssociatedIrp.SystemBuffer;
DbgPrint("inputBuffer:%08x\n", (HANDLE)inputBuffer);
status = ObReferenceObjectByHandle(*(HANDLE *)inputBuffer,
GENERIC_ALL,
NULL,
KernelMode,
&gpEventObject,
&objHandleInfo);
if(status!=STATUS_SUCCESS)
{
DbgPrint("wrong\n");
break;
}
break;
case IOCTL_UNPASSEVENT:
if(gpEventObject)
ObDereferenceObject(gpEventObject);
DbgPrint("UNPASSEVENT called\n");
break;
case IOCTL_PASSBUF:
RtlCopyMemory(pIrp->UserBuffer, outBuf, outputLength);
break;
case IOCTL_PASSEVSTRUCT:
inputBuffer = pIrp->AssociatedIrp.SystemBuffer;
memset(&CheckList, 0, sizeof(CheckList));
RtlCopyMemory(&CheckList, inputBuffer, sizeof(CheckList));
DbgPrint("%d:%d\n", CheckList.ONLYSHOWREMOTETHREAD, CheckList.SHOWTHREAD);
break;
default:
break;
}
break;
default:
DbgPrint("Call IRP_MJ_UNKNOWN\n");
break;
}
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = 0;
IoCompleteRequest (pIrp, IO_NO_INCREMENT);
return status;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING
theRegistryPath )
{
NTSTATUS Status;
PDEVICE_OBJECT pDevice;
DbgPrint("DriverEntry called!\n");
g_bMainThread = FALSE;
if(1!=GetRegValue(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion", L"CSDVersion", Version))
{
DbgPrint("GetRegValueDword Wrong\n");
}
PsGetVersion(NULL, NULL, &BuildNumber, NULL);
DbgPrint("[[[%d]]]:[[[%ws]]]", BuildNumber, Version);
RtlInitUnicodeString (&devNameUnicd, devName );
RtlInitUnicodeString (&devLinkUnicd, devLink );
Status = IoCreateDevice ( pDriverObject,
0,
&devNameUnicd,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&pDevice );
if( !NT_SUCCESS(Status))
{
DbgPrint(("Can not create device.\n"));
return Status;
}
Status = IoCreateSymbolicLink (&devLinkUnicd, &devNameUnicd);
if( !NT_SUCCESS(Status))
{
DbgPrint(("Cannot create link.\n"));
return Status;
}
ProcessNameOffset = GetProcessNameOffset();
pDriverObject->DriverUnload = OnUnload;
pDriverObject->MajorFunction[IRP_MJ_CREATE] =
pDriverObject->MajorFunction[IRP_MJ_CLOSE] =
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;
Status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
if (!NT_SUCCESS( Status ))
{
DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
return Status;
}
Status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
if (!NT_SUCCESS( Status ))
{
DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
return Status;
}
return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////////////////////////
main.c,这里我用事件做为通信驱动
//////////////////////////////////////////////////////////////////////////////////////////
// Made By ZwelL
#include <windows.h>
#include <stdio.h>
#include "define.h"
int main()
{
HANDLE hDevice;
bool status;
HANDLE m_hCommEvent;
ULONG dwReturn;
char outbuf[255];
CHECKLIST CheckList;
hDevice = NULL;
m_hCommEvent = NULL;
hDevice = CreateFile( "\\\\.\\MyEvent",
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("createfile wrong\n");
getchar();
return 0;
}
m_hCommEvent = CreateEvent(NULL,
false,
false,
NULL);
printf("hEvent:%08x\n", m_hCommEvent);
status =DeviceIoControl(hDevice,
IOCTL_PASSEVENT,
&m_hCommEvent,
sizeof(m_hCommEvent),
NULL,
0,
&dwReturn,
NULL);
if( !status)
{
printf("IO wrong+%d\n", GetLastError());
getchar();
return 0;
}
CheckList.ONLYSHOWREMOTETHREAD=TRUE;
CheckList.SHOWTHREAD=TRUE;
CheckList.SHOWTERMINATETHREAD=FALSE;
CheckList.SHOWTERMINATEPROCESS=FALSE;
status =DeviceIoControl(hDevice,
IOCTL_PASSEVSTRUCT,
&CheckList,
sizeof(CheckList),
NULL,
0,
&dwReturn,
NULL);
if( !status)
{
printf("IO wrong+%d\n", GetLastError());
getchar();
return 0;
}
printf(" [Process Name] [PID] [TID] [Parent Process Name] [PID]
[TID]\n");
while(1)
{
ResetEvent(m_hCommEvent);
WaitForSingleObject(m_hCommEv, ent, INFINITE);
status =DeviceIoControl(hDevice,
IOCTL_PASSBUF,
NULL,
0,
&outbuf,
sizeof(outbuf),
&dwReturn,
NULL);
if( !status)
{
printf("IO wrong+%d\n", GetLastError());
getchar();
return 0;
}
printf("%s", outbuf);
}
status =DeviceIoControl(hDevice,
IOCTL_UNPASSEVENT,
NULL,
0,
NULL,
0,
&dwReturn,
NULL);
if( !status)
{
printf("UNPASSEVENT wrong+%d\n", GetLastError());
getchar();
return 0;
}
status = CloseHandle( hDevice );
status = CloseHandle(m_hCommEvent);
getchar();
return 0;
}
//////////////////////////////////////////////////////////////////////////////////////////
define.h
//////////////////////////////////////////////////////////////////////////////////////////
#include "stdio.h"
#define FILE_DEVICE_EVENT 0x8000
// Define Interface reference/dereference routines for
// Interfaces exported by IRP_MN_QUERY_INTERFACE
#define EVENT_IOCTL(index) \
CTL_CODE(FILE_DEVICE_EVENT, index, METHOD_BUFFERED, FILE_READ_DATA)
#define IOCTL_PASSEVENT \
CTL_CODE(FILE_DEVICE_EVENT, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PASSBUF \
CTL_CODE(FILE_DEVICE_EVENT, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNPASSEVENT \
CTL_CODE(FILE_DEVICE_EVENT, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PASSEVSTRUCT \
CTL_CODE(FILE_DEVICE_EVENT, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct //这个结构主要用于调试用
{
BOOL SHOWTHREAD;
BOOL ONLYSHOWREMOTETHREAD;
BOOL SHOWTERMINATEPROCESS;
BOOL SHOWTERMINATETHREAD;
}CHECKLIST, *PCHECKLIST;
//////////////////////////////////////////////////////////////////////////////////////////
先用驱动加载工具加载驱动,再运行程序,可以监视到进程线的操作信息,并且可以实现监视远线程的创建。个人认为很完美。
下面的运行结果:
|
