
安全、稳定地实现进程/线程监控

g_dwParentId = hParentId;
    status = PsLookupProcessByProcessId((ULONG)PId, &EProcess);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return ;
    }
    status = PsLookupProcessByProcessId((ULONG)hParentId, &PProcess);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return ;
    }

    if ( bCreate )
    {
        g_bMainThread = TRUE;
        DbgPrint( "P:%18s%9d%9d%25s%9d\n",
            (char *)((char *)EProcess+ProcessNameOffset),
            PId,PsGetCurrentThreadId(),
            (char *)((char *)PProcess+ProcessNameOffset),
            hParentId
            );
        sprintf(outBuf, "P:%18s%9d%9d%25s%9d\n",
            (char *)((char *)EProcess+ProcessNameOffset),
            PId,PsGetCurrentThreadId(),
            (char *)((char *)PProcess+ProcessNameOffset),
            hParentId
            );
        if(gpEventObject!=NULL)
            KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
    }
    else if(CheckList.SHOWTERMINATEPROCESS)
    {
        DbgPrint( "TERMINATED == PROCESS ID: %d\n", PId);
        sprintf(outBuf,"TERMINATED == PROCESS ID: %d\n", PId);
        if(gpEventObject!=NULL)
            KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
    }

}

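/*
 * OnUnload - DriverUnload routine.
 *
 * Tears down everything DriverEntry set up, in the reverse order of
 * creation:
 *   1. unregister the process/thread notify callbacks so they can no
 *      longer run against state that is about to be released;
 *   2. release the user-supplied event object (if one was registered via
 *      IOCTL_PASSEVENT and never released via IOCTL_UNPASSEVENT);
 *   3. delete the symbolic link and the device object.
 *
 * The original ordering released the event *before* unregistering the
 * callbacks, so an in-flight ProcessCreateMon/ThreadCreateMon could call
 * KeSetEvent on a freed object.  It also returned early when
 * IoDeleteSymbolicLink failed, leaking the device object of a driver that
 * is about to be unmapped.  Both are fixed here.
 *
 * pDriverObject - the driver object being unloaded.
 * Returns STATUS_SUCCESS, or the IoDeleteSymbolicLink failure status; the
 * I/O manager ignores the value, it is kept for the existing prototype.
 */
NTSTATUS OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    NTSTATUS    status = STATUS_SUCCESS;
    PVOID       eventObject;

    DbgPrint("OnUnload called\n");

    /* Stop the callbacks first; they read gpEventObject and write outBuf. */
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    MyRemoveCraeteThreadNotifyRoutine(ThreadCreateMon);

    /* Clear the global before dropping the reference so nothing that still
     * loads gpEventObject sees a dangling pointer (the callbacks are
     * unregistered above, but there is no lock around this global). */
    eventObject   = gpEventObject;
    gpEventObject = NULL;
    if (eventObject != NULL)
        ObDereferenceObject(eventObject);

    if (pDriverObject->DeviceObject != NULL)
    {
        status = IoDeleteSymbolicLink( &devLinkUnicd );
        if ( !NT_SUCCESS( status ) )
            DbgPrint("IoDeleteSymbolicLink() failed\n");

        /* Always delete the device: a missing link is not a reason to leave
         * a device object pointing at unloaded code. */
        IoDeleteDevice( pDriverObject->DeviceObject );
    }
    return status;
}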

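/*
 * DeviceIoControlDispatch - single dispatch routine for IRP_MJ_CREATE,
 * IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL (DriverEntry wires all three to it).
 *
 * IOCTLs (all expected to be METHOD_BUFFERED; the CTL_CODE definitions are
 * not in this listing - confirm):
 *   IOCTL_PASSEVENT     input: one HANDLE to a user-mode event.  Referenced
 *                       and stored in gpEventObject; the notify callbacks
 *                       signal it whenever they write a new line to outBuf.
 *   IOCTL_UNPASSEVENT   release the stored event.
 *   IOCTL_PASSBUF       output: the current contents of outBuf.
 *   IOCTL_PASSEVSTRUCT  input: a CheckList struct selecting what to report.
 *
 * Everything coming through here is attacker-controlled user input, so the
 * following defects of the original were fixed:
 *   - PASSEVENT dereferenced SystemBuffer with no length check, and called
 *     ObReferenceObjectByHandle with KernelMode / no object type, so any
 *     handle (to any object, with any access) was accepted and later passed
 *     to KeSetEvent: type confusion.  Now validated as an event with
 *     EVENT_MODIFY_STATE at the requestor's mode.
 *   - PASSEVENT leaked the previous event reference on re-registration;
 *     UNPASSEVENT dropped the reference but left the pointer in place
 *     (double dereference on unload / use-after-free from the callbacks).
 *   - PASSBUF copied a user-controlled number of bytes straight to the raw
 *     user pointer pIrp->UserBuffer: unprobed kernel write of arbitrary
 *     length, and an over-read of outBuf.  Now bounded and done through
 *     the system buffer, with IoStatus.Information set.
 *   - PASSEVSTRUCT copied sizeof(CheckList) bytes without checking that
 *     many were supplied (kernel over-read of the system buffer).
 *   - Unknown IOCTLs silently succeeded.
 *
 * NOTE(review): gpEventObject and outBuf are shared with the Ps* notify
 * callbacks with no synchronization; a callback that loaded gpEventObject
 * just before UNPASSEVENT can still signal the released object, and PASSBUF
 * may observe a half-written outBuf.  Not addressed here - needs a spin lock
 * or rundown protection on both sides.
 *
 * DeviceObject - unused.
 * pIrp         - the request; always completed here with IO_NO_INCREMENT.
 * Returns the status written to pIrp->IoStatus.Status.
 */
NTSTATUS DeviceIoControlDispatch(
                                 IN  PDEVICE_OBJECT  DeviceObject,
                                 IN  PIRP            pIrp
                                 )
{
    PIO_STACK_LOCATION              irpStack;
    NTSTATUS                        status;
    PVOID                           inputBuffer;
    ULONG                           inputLength;
    PVOID                           outputBuffer;
    ULONG                           outputLength;
    ULONG                           ioctl;
    ULONG_PTR                       bytesReturned;
    OBJECT_HANDLE_INFORMATION       objHandleInfo;
    PVOID                           newEvent;
    PVOID                           oldEvent;

    (void)DeviceObject;

    status        = STATUS_SUCCESS;
    bytesReturned = 0;
    irpStack      = IoGetCurrentIrpStackLocation(pIrp);

    switch (irpStack->MajorFunction)
    {
    case IRP_MJ_CREATE :
        DbgPrint("Call IRP_MJ_CREATE\n");
        break;

    case IRP_MJ_CLOSE:
        DbgPrint("Call IRP_MJ_CLOSE\n");
        break;

    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint("IRP_MJ_DEVICE_CONTROL\n");
        ioctl        = irpStack->Parameters.DeviceIoControl.IoControlCode;
        inputLength  = irpStack->Parameters.DeviceIoControl.InputBufferLength;
        outputLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;

        /* Every branch below uses the I/O-manager-owned system buffer, which
         * only exists for METHOD_BUFFERED.  Refuse anything else rather than
         * touch a raw user pointer. */
        if (METHOD_FROM_CTL_CODE(ioctl) != METHOD_BUFFERED)
        {
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        inputBuffer  = pIrp->AssociatedIrp.SystemBuffer;
        outputBuffer = pIrp->AssociatedIrp.SystemBuffer;

        switch (ioctl)
        {
        case IOCTL_PASSEVENT:    /* register the user's event object */
            if (inputBuffer == NULL || inputLength < sizeof(HANDLE))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            DbgPrint("event handle:%p\n", *(HANDLE *)inputBuffer);

            /* Validate the handle in the caller's context: must be an event
             * and must grant the right KeSetEvent needs.  KernelMode here
             * would skip the access check entirely. */
            newEvent = NULL;
            status = ObReferenceObjectByHandle(*(HANDLE *)inputBuffer,
                EVENT_MODIFY_STATE,
                *ExEventObjectType,
                pIrp->RequestorMode,
                &newEvent,
                &objHandleInfo);
            if (!NT_SUCCESS(status))
            {
                DbgPrint("wrong\n");
                break;
            }

            /* Swap in the new event, then release the previous one (if any)
             * so repeated registration does not leak references. */
            oldEvent      = gpEventObject;
            gpEventObject = newEvent;
            if (oldEvent != NULL)
                ObDereferenceObject(oldEvent);
            break;

        case IOCTL_UNPASSEVENT:
            /* Clear the global before dropping the reference; OnUnload
             * dereferences whatever is still in gpEventObject. */
            oldEvent      = gpEventObject;
            gpEventObject = NULL;
            if (oldEvent != NULL)
                ObDereferenceObject(oldEvent);
            DbgPrint("UNPASSEVENT called\n");
            break;

        case IOCTL_PASSBUF:
            if (outputBuffer == NULL || outputLength == 0)
            {
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            /* Never copy more than outBuf holds.  outBuf is assumed to be a
             * fixed-size char array (declared above, not in this listing);
             * if it is a pointer, replace sizeof(outBuf) with its size. */
            if (outputLength > sizeof(outBuf))
                outputLength = (ULONG)sizeof(outBuf);
            RtlCopyMemory(outputBuffer, outBuf, outputLength);
            bytesReturned = outputLength;
            break;

        case IOCTL_PASSEVSTRUCT:
            if (inputBuffer == NULL || inputLength < sizeof(CheckList))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            /* Full-size copy, so no separate zeroing is needed. */
            RtlCopyMemory(&CheckList, inputBuffer, sizeof(CheckList));
            DbgPrint("%d:%d\n", CheckList.ONLYSHOWREMOTETHREAD, CheckList.SHOWTHREAD);
            break;

        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break;

    default:
        /* Not reachable through the MajorFunction table set in DriverEntry. */
        DbgPrint("Call IRP_MJ_UNKNOWN\n");
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status      = status;
    pIrp->IoStatus.Information = bytesReturned;
    IoCompleteRequest (pIrp, IO_NO_INCREMENT);
    return status;
}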

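/*
 * DriverEntry - driver initialisation.
 *
 * Reads the OS version for logging, creates the control device and its
 * symbolic link, installs the dispatch/unload routines and registers the
 * process- and thread-creation notify callbacks.
 *
 * The original returned on any failure after IoCreateDevice without undoing
 * what had already succeeded.  Since DriverUnload is not called when
 * DriverEntry fails, that left a device object and symbolic link behind and
 * - worst case, when PsSetCreateThreadNotifyRoutine failed - left
 * ProcessCreateMon registered in a driver image that was being unloaded.
 * All failure paths now unwind through `fail`.
 *
 * NOTE(review): the device is created with no security descriptor and
 * FILE_DEVICE_UNKNOWN, so every local user can open the symbolic link and
 * drive the IOCTLs.  IoCreateDeviceSecure(..., &SDDL_DEVOBJ_SYS_ALL_ADM_ALL,
 * NULL, &pDevice) from wdmsec.h is the usual fix; not changed here because
 * the include block is outside this listing.
 *
 * pDriverObject   - this driver's object.
 * theRegistryPath - unused.
 * Returns STATUS_SUCCESS or the first failing NTSTATUS.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    NTSTATUS        Status;
    PDEVICE_OBJECT  pDevice      = NULL;
    BOOLEAN         linkCreated  = FALSE;
    BOOLEAN         processCbSet = FALSE;

    (void)theRegistryPath;

    DbgPrint("DriverEntry called!\n");
    g_bMainThread = FALSE;

    /* Version info is for diagnostics only; failure to read it is not fatal.
     * GetRegValue/Version are declared elsewhere - return-value convention
     * (1 == success) is taken from the original call. */
    if(1!=GetRegValue(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"CSDVersion", Version))
    {
        DbgPrint("GetRegValueDword Wrong\n");
    }
    PsGetVersion(NULL, NULL, &BuildNumber, NULL);
    DbgPrint("[[[%d]]]:[[[%ws]]]", BuildNumber, Version);

    RtlInitUnicodeString (&devNameUnicd, devName );
    RtlInitUnicodeString (&devLinkUnicd, devLink );

    Status = IoCreateDevice ( pDriverObject,
        0,
        &devNameUnicd,
        FILE_DEVICE_UNKNOWN,
        0,
        TRUE,
        &pDevice );
    if( !NT_SUCCESS(Status))
    {
        DbgPrint("Can not create device.\n");
        return Status;          /* nothing to unwind yet */
    }

    Status = IoCreateSymbolicLink (&devLinkUnicd, &devNameUnicd);
    if( !NT_SUCCESS(Status))
    {
        DbgPrint("Cannot create link.\n");
        goto fail;
    }
    linkCreated = TRUE;

    /* Offset of the image name inside EPROCESS, used by the callbacks. */
    ProcessNameOffset = GetProcessNameOffset();

    pDriverObject->DriverUnload  = OnUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
        pDriverObject->MajorFunction[IRP_MJ_CLOSE] =
        pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;

    Status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS( Status ))
    {
        DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
        goto fail;
    }
    processCbSet = TRUE;

    Status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS( Status ))
    {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail;
    }

    return STATUS_SUCCESS;

fail:
    /* Undo in reverse order; DriverUnload will not run after a failed entry. */
    if (processCbSet)
        PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);
    if (linkCreated)
        IoDeleteSymbolicLink(&devLinkUnicd);
    IoDeleteDevice(pDevice);
    return Status;
}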
////////////////////////////////////////////////////////////////////////////////////////////////////////////


main.c：这里用内核事件对象（Event）作为驱动与用户态程序之间的通信机制
////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Made By ZwelL
