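/*
 * Locate the image-name field inside the current EPROCESS by scanning the
 * bytes that follow the object pointer for the string SYSNAME.
 *
 * Returns the byte offset of the first match, or 0 when no match is found
 * within 3*PAGE_SIZE bytes. Only meaningful when the current process is the
 * one whose name is SYSNAME — presumably called from DriverEntry, confirm at
 * the call site.
 */
ULONG GetProcessNameOffset(void)
{
    PEPROCESS curproc = PsGetCurrentProcess();
    PCHAR base = (PCHAR)curproc;
    size_t namelen = strlen(SYSNAME); /* loop-invariant: compute once, not 3*PAGE_SIZE times */
    ULONG i;

    /* NOTE(review): the scan window is not bounded by the real EPROCESS size,
     * so it may read past the object; it relies on the following pages being
     * mapped — TODO confirm this is acceptable on the supported builds. */
    for (i = 0; i < 3 * PAGE_SIZE; i++)
    {
        if (strncmp(SYSNAME, base + i, namelen) == 0)
        {
            return i;
        }
    }
    return 0;
}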
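/*
 * Read one registry value into a caller-supplied buffer.
 *
 * RegPath   - NT object path of the key to open.
 * ValueName - name of the value to query.
 * Value     - destination buffer. The raw value data is copied verbatim
 *             (up to roughly VERSIONLEN bytes, bounded by the query buffer);
 *             no terminator is appended. NOTE(review): the capacity of Value
 *             is not passed in, so the caller must guarantee it is large
 *             enough — TODO confirm at every call site.
 *
 * Returns 1 when data was copied, 0 when the key could not be opened or the
 * query buffer could not be allocated, and the failing NTSTATUS when the
 * query itself failed. This mixed convention is kept unchanged for existing
 * callers.
 *
 * Fixes versus the earlier version: the pool allocation is checked before
 * use, the key handle and pool buffer are released on every path, and the
 * stray `if(...);` that made the free unconditional is gone.
 */
NTSTATUS GetRegValue(PCWSTR RegPath, PCWSTR ValueName, PWCHAR Value)
{
    int ReturnValue = 0;
    NTSTATUS Status;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE KeyHandle;
    PKEY_VALUE_PARTIAL_INFORMATION valueInfoP = NULL;
    ULONG valueInfoLength, returnLength;
    UNICODE_STRING UnicodeRegPath;
    UNICODE_STRING UnicodeValueName;

    RtlInitUnicodeString(&UnicodeRegPath, RegPath);
    RtlInitUnicodeString(&UnicodeValueName, ValueName);
    InitializeObjectAttributes(&ObjectAttributes,
                               &UnicodeRegPath,
                               OBJ_CASE_INSENSITIVE, /* Flags */
                               NULL,                 /* Root directory */
                               NULL);                /* Security descriptor */

    /* NOTE(review): only a query is performed, so KEY_READ would be the
     * least-privilege access mask; KEY_ALL_ACCESS is left as-is to avoid
     * changing which keys open successfully. */
    Status = ZwOpenKey(&KeyHandle,
                       KEY_ALL_ACCESS,
                       &ObjectAttributes);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ZwOpenKey Wrong\n");
        return 0;
    }

    valueInfoLength = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + VERSIONLEN;
    valueInfoP = (PKEY_VALUE_PARTIAL_INFORMATION) ExAllocatePool(NonPagedPool, valueInfoLength);
    if (valueInfoP == NULL)
    {
        /* Pool allocation can fail; bail out instead of dereferencing NULL. */
        DbgPrint("ExAllocatePool Wrong\n");
        goto cleanup;
    }

    Status = ZwQueryValueKey(KeyHandle,
                             &UnicodeValueName,
                             KeyValuePartialInformation,
                             valueInfoP,
                             valueInfoLength,
                             &returnLength);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ZwQueryValueKey Wrong:%08x\n", Status);
        ReturnValue = Status;
        goto cleanup;
    }

    /* DataLength is bounded by valueInfoLength because the query succeeded. */
    RtlCopyMemory((PCHAR)Value, (PCHAR)valueInfoP->Data, valueInfoP->DataLength);
    ReturnValue = 1;

cleanup:
    if (valueInfoP != NULL)
    {
        ExFreePool(valueInfoP);
    }
    ZwClose(KeyHandle);
    return ReturnValue;
}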
/*
 * Zeroes 8 ULONG-sized slots (32 bytes) at a hard-coded, build-specific
 * kernel address — from the function name and the commented-out
 * PsRemoveCreateThreadNotifyRoutine call this appears to be the table of
 * registered thread-creation notify callbacks, but nothing here verifies it.
 *
 * NotifyRoutine - unused; the whole table is cleared, not just this entry.
 *
 * NOTE(review): the address is selected purely from BuildNumber/Version and
 * is never validated, so on any other build or hotfix level this writes to
 * an unrelated kernel location. Clearing the whole table also drops
 * callbacks registered by other drivers, and the callbacks this driver
 * registered are never unregistered through the documented API. The
 * documented PsRemoveCreateThreadNotifyRoutine is the supported way to
 * undo a registration.
 */
VOID MyRemoveCraeteThreadNotifyRoutine(
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
)
{
//PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
PVOID ptr=NULL;
if(BuildNumber==2195) //Windows 2000 Sp4,2195
//builds below SP4 were not tested by the author
{
ptr=0x80484520;
}
else if(BuildNumber==2600)
{
if(wcscmp(Version,L"Service Pack 1")==0) //Windows Xp Sp1,2600
ptr=0x8054efc0;
else if(wcscmp(Version,L"Service Pack 2")==0) //Windows Xp Sp2,2600
ptr=0x80561d20;
}
else if(BuildNumber==3790) //Windows 2003 server,3790
{
ptr=0x80570f40;
}
if(ptr!=NULL)
memset(ptr, 0, sizeof(ULONG)*8); // no writability or ownership check before the write
}
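/*
 * Thread create/exit notify callback (PsSetCreateThreadNotifyRoutine shape).
 *
 * PId, TId - owning process id and thread id of the affected thread.
 * bCreate  - TRUE on creation, FALSE on termination.
 *
 * On creation the creating process (the current process) is compared with
 * the owner: while g_bMainThread is set, a thread whose creator is neither
 * its owner nor g_dwParentId is reported as a "Remote Thread" and
 * g_bMainThread is cleared. Unless ONLYSHOWREMOTETHREAD is set every new
 * thread is also reported; terminations are reported when
 * SHOWTERMINATETHREAD is set. Each report is formatted into the shared
 * outBuf and the reader is signalled through gpEventObject.
 *
 * Fix versus the earlier version: PsLookupProcessByProcessId returns a
 * referenced EPROCESS, and neither reference was ever released, leaking one
 * object reference per thread event. Both are now dropped on every path.
 *
 * NOTE(review): outBuf's capacity is not visible in this file and sprintf is
 * unbounded; a sized formatter (e.g. RtlStringCbPrintfA with the buffer size)
 * would be safer — confirm how outBuf is declared. The process name reached
 * via ProcessNameOffset is presumably a fixed-width field; "%18s" does not
 * bound the read, so confirm it is always NUL-terminated. HANDLE values are
 * printed with %d, which only matches on 32-bit builds (consistent with the
 * 32-bit addresses used elsewhere in this file).
 */
VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL, PEProcess = NULL;
    NTSTATUS status;
    HANDLE dwParentPID;

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    if (bCreate)
    {
        /* The caller of a create notification is the creating process. */
        dwParentPID = PsGetCurrentProcessId();
        status = PsLookupProcessByProcessId(dwParentPID, &PEProcess);
        if (!NT_SUCCESS(status))
        {
            DbgPrint("PsLookupProcessByProcessId()\n");
            goto cleanup;
        }

        /* Ignore threads owned by the System process
         * (pid 0 on Windows 2000, 4 on XP and later). */
        if (PId == (HANDLE)4)
        {
            goto cleanup;
        }

        if ((g_bMainThread == TRUE)
            && (g_dwParentId != dwParentPID)
            && (dwParentPID != PId))
        {
            g_bMainThread = FALSE;
            /* NOTE(review): this text is overwritten by the per-thread report
             * below unless ONLYSHOWREMOTETHREAD is set — confirm intended. */
            sprintf(outBuf, "=============================="
                    "Remote Thread :"
                    "=============================="
                    "\nT:%18s%9d%9d%25s%9d\n"
                    "======================================"
                    "======================================\n",
                    (char *)((char *)EProcess + ProcessNameOffset),
                    PId, TId,
                    (char *)((char *)PEProcess + ProcessNameOffset), dwParentPID);
            if (gpEventObject != NULL)
            {
                KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
            }
        }

        if (CheckList.ONLYSHOWREMOTETHREAD) /* only report remote threads */
        {
            goto cleanup;
        }

        DbgPrint("T:%18s%9d%9d%25s%9d\n",
                 (char *)((char *)EProcess + ProcessNameOffset),
                 PId, TId,
                 (char *)((char *)PEProcess + ProcessNameOffset), dwParentPID);
        sprintf(outBuf, "T:%18s%9d%9d%25s%9d\n",
                (char *)((char *)EProcess + ProcessNameOffset),
                PId, TId,
                (char *)((char *)PEProcess + ProcessNameOffset), dwParentPID);
        if (gpEventObject != NULL)
        {
            KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
        }
    }
    else if (CheckList.SHOWTERMINATETHREAD)
    {
        DbgPrint("TERMINATED == THREAD ID: %d\n", TId);
        sprintf(outBuf, "TERMINATED == THREAD ID: %d\n", TId);
        if (gpEventObject != NULL)
        {
            KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
        }
    }

cleanup:
    /* Release the references taken by PsLookupProcessByProcessId. */
    if (PEProcess != NULL)
    {
        ObDereferenceObject(PEProcess);
    }
    ObDereferenceObject(EProcess);
}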
VOID ProcessCreateMon ( HANDLE hParentId, HANDLE PId, BOOLEAN bCreate )
{
PEPROCESS EProcess,PProcess;
NTSTATUS status;
HANDLE TId;