
安全稳定的实现进线程监控

#include <windows.h>
#include <stdio.h>
#include "define.h"

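/*
 * User-mode front end for the "MyEvent" monitoring driver.
 *
 * Flow: open the control device, create an auto-reset event and hand its
 * handle to the driver (IOCTL_PASSEVENT), send the filter flags
 * (IOCTL_PASSEVSTRUCT), then loop: wait for the driver to signal the event,
 * fetch one text record with IOCTL_PASSBUF and print it. The loop only ends
 * when a call fails; the function then asks the driver to drop the event
 * (IOCTL_UNPASSEVENT) and closes both handles, so no path leaves a dangling
 * kernel-side reference to this process's event.
 *
 * Returns 0 on a clean shutdown, 1 if any call failed. Every path ends in
 * getchar() so the console window stays open.
 */
int main(void)
{
    int          rc = 0;
    HANDLE       hDevice = INVALID_HANDLE_VALUE;
    HANDLE       m_hCommEvent = NULL;
    BOOL         status;
    ULONG        dwReturn = 0;
    char         outbuf[255];
    CHECKLIST    CheckList = {0};

    hDevice = CreateFile("\\\\.\\MyEvent",
                         GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL,
                         OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL,
                         NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("createfile wrong\n");
        rc = 1;
        goto out;
    }

    /* Auto-reset event (bManualReset == FALSE): each wait that returns
     * consumes exactly one signal, so no manual ResetEvent is needed. */
    m_hCommEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (m_hCommEvent == NULL) {
        /* A NULL handle must never be handed to the driver. */
        printf("createevent wrong+%lu\n", GetLastError());
        rc = 1;
        goto out_close_device;
    }
    /* %p: HANDLE is pointer-sized; %08x is a format mismatch on 64-bit builds. */
    printf("hEvent:%p\n", (void *)m_hCommEvent);

    /* Pass the event handle to the driver. The handle value is only meaningful
     * in this process's context; the driver is presumed to resolve it here and
     * release it on IOCTL_UNPASSEVENT (driver side not shown on this page). */
    status = DeviceIoControl(hDevice,
                             IOCTL_PASSEVENT,
                             &m_hCommEvent,
                             sizeof(m_hCommEvent),
                             NULL,
                             0,
                             &dwReturn,
                             NULL);
    if (!status) {
        printf("IO wrong+%lu\n", GetLastError());
        rc = 1;
        goto out_close_event;
    }

    /* Filter flags: report thread creation, but only remote threads; skip
     * termination events. Copied byte-for-byte, so the layout must match the
     * driver's CHECKLIST. */
    CheckList.ONLYSHOWREMOTETHREAD = TRUE;
    CheckList.SHOWTHREAD = TRUE;
    CheckList.SHOWTERMINATETHREAD = FALSE;
    CheckList.SHOWTERMINATEPROCESS = FALSE;
    status = DeviceIoControl(hDevice,
                             IOCTL_PASSEVSTRUCT,
                             &CheckList,
                             sizeof(CheckList),
                             NULL,
                             0,
                             &dwReturn,
                             NULL);
    if (!status) {
        printf("IO wrong+%lu\n", GetLastError());
        rc = 1;
        /* The event is already registered: unregister it before closing. */
        goto out_unpass;
    }

    printf("      [Process Name]    [PID]    [TID]    [Parent Process Name]    [PID]    [TID]\n");
    for (;;) {
        /* No ResetEvent() before the wait: the event is auto-reset, and
         * clearing it by hand after IOCTL_PASSBUF returned would discard a
         * signal that arrived in between, silently losing one record. */
        if (WaitForSingleObject(m_hCommEvent, INFINITE) != WAIT_OBJECT_0) {
            printf("wait wrong+%lu\n", GetLastError());
            rc = 1;
            break;
        }

        /* The buffer is filled by kernel code. Zero it first and force a
         * terminator afterwards so printf never runs past the array, whatever
         * the driver wrote or failed to write. */
        ZeroMemory(outbuf, sizeof(outbuf));
        status = DeviceIoControl(hDevice,
                                 IOCTL_PASSBUF,
                                 NULL,
                                 0,
                                 outbuf,
                                 sizeof(outbuf),
                                 &dwReturn,
                                 NULL);
        if (!status) {
            printf("IO wrong+%lu\n", GetLastError());
            rc = 1;
            break;
        }
        outbuf[sizeof(outbuf) - 1] = '\0';
        printf("%s", outbuf);
    }

out_unpass:
    /* Tell the driver to stop signalling this event before the handle goes away. */
    status = DeviceIoControl(hDevice,
                             IOCTL_UNPASSEVENT,
                             NULL,
                             0,
                             NULL,
                             0,
                             &dwReturn,
                             NULL);
    if (!status) {
        printf("UNPASSEVENT wrong+%lu\n", GetLastError());
        rc = 1;
    }
out_close_event:
    CloseHandle(m_hCommEvent);
out_close_device:
    CloseHandle(hDevice);
out:
    getchar();
    return rc;
}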

/////////////////////////////////////////////////////////////////////////////////////////////////////////

define.h
/////////////////////////////////////////////////////////////////////////////////////////////////////////
#include "stdio.h"

/* Device type for the control codes below. 0x8000 is in the range reserved
 * for third-party (non-Microsoft) device types. CTL_CODE, METHOD_BUFFERED,
 * FILE_READ_DATA and FILE_ANY_ACCESS are not defined in this header; the
 * including translation unit must pull in the Win32 headers first. */
#define FILE_DEVICE_EVENT  0x8000

/* Generic code builder. Note it asks for FILE_READ_DATA, whereas the four
 * codes actually used below are built directly with FILE_ANY_ACCESS, so a
 * handle opened with no access rights can issue them; this macro is not
 * referenced anywhere on this page. */

#define EVENT_IOCTL(index) \
    CTL_CODE(FILE_DEVICE_EVENT, index, METHOD_BUFFERED, FILE_READ_DATA)

/* Control codes shared with the driver (function numbers 0x800+ are the
 * third-party range). All use METHOD_BUFFERED, so input/output are copied
 * through a system buffer rather than mapped from user memory.
 *   IOCTL_PASSEVENT    - input: a HANDLE to an event in the caller's process
 *   IOCTL_PASSBUF      - output: one text record into the caller's buffer
 *   IOCTL_UNPASSEVENT  - no buffers; undoes IOCTL_PASSEVENT
 *   IOCTL_PASSEVSTRUCT - input: a CHECKLIST of filter flags */
#define IOCTL_PASSEVENT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PASSBUF \
    CTL_CODE(FILE_DEVICE_EVENT, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNPASSEVENT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PASSEVSTRUCT \
    CTL_CODE(FILE_DEVICE_EVENT, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef struct        // Filter flags sent to the driver with IOCTL_PASSEVSTRUCT;
                      // the author notes this struct is mainly used for debugging.
                      // It is copied as raw bytes (sizeof(CHECKLIST)), so field
                      // order and BOOL width must match the driver's definition.
                      // The driver's interpretation is not shown on this page;
                      // the names suggest the following meanings.
{
    BOOL SHOWTHREAD;             // presumably: report thread creation
    BOOL ONLYSHOWREMOTETHREAD;   // presumably: restrict that to remote threads
    BOOL SHOWTERMINATEPROCESS;   // presumably: report process termination
    BOOL SHOWTERMINATETHREAD;    // presumably: report thread termination
}CHECKLIST, *PCHECKLIST;


////////////////////////////////////////////////////////////////////////////////////////////////////////////

先用驱动加载工具加载驱动,再运行程序,可以监视到进程/线程的操作信息,并且可以实现监视远程线程的创建.个人认为很完美.
如果您有更好的方法,请告知我一声,谢谢了.  ^_^
下面的运行结果:

hEvent:00000010
      [Process Name]    [PID]    [TID]    [Parent Process Name]    [PID]    [TID]
T:       svchost.exe      940     3540              svchost.exe      940
T:      explorer.exe     1680     3564             explorer.exe     1680
P:       notepad.exe     3568     1684             explorer.exe     1680
T:       notepad.exe     3568     3572             explorer.exe     1680
T:       svchost.exe     1036     3576              svchost.exe     1036
T:           cmd.exe     3580     3084             explorer.exe     1680
P:        doskey.exe     3608     3084                  cmd.exe     3580
T:       taskmgr.exe      352     3752             explorer.exe     1680
T:       svchost.exe     1036     2492              svchost.exe     1036
T:        remote.exe     3824     3828                  cmd.exe     3580
==============================Remote Thread :==============================
T:            hh.exe     3116     3832               remote.exe     3824
============================================================================

 

参考资料:
1. 编写进程/线程监视器  -sinister
    http://www.xfocus.net/articles/200303/495.html
2. 监视远程线程的创建 -一块三毛钱
    http://www.luocong.com/bbs/dispbbs.asp?boardID=2&ID=6895&page=2
3. Windows 2000 源代码  http://www.hacker.cn/News/xtaq/2005-8/8/058810382021112.shtml
