ring0获取指定进程的PEB

ring0获取指定进程的PEBifndefTYPEDE H defineTYPEDE HtypedefPPEB stdcall P PsGetProcess PEPROCESS typedefunsig typedefstruc RTL USER PROCESS PARAMETERS BYTEReserved 16

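#ifndef TYPEDEF_H
#define TYPEDEF_H

/*
 * Minimal user-mode process structures (RTL_USER_PROCESS_PARAMETERS,
 * PEB_LDR_DATA, PEB) for use from a kernel driver.  Only the named fields
 * (ImagePathName, CommandLine, Ldr, ProcessParameters, BeingDebugged,
 * SessionId) carry meaning; the ReservedN arrays are opaque padding that keeps
 * those fields at their offsets.  NOTE(review): the fields up to and including
 * ProcessParameters match winternl.h; the byte-sized padding after it may not
 * hold on every architecture/OS version — confirm before relying on
 * PostProcessInitRoutine or SessionId.
 */

typedef unsigned char BYTE;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;   /* full path of the process image (user-mode memory) */
    UNICODE_STRING CommandLine;     /* command line (user-mode memory) */
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA {
    BYTE Reserved1[8];
    PVOID Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef VOID (NTAPI *PPS_POST_PROCESS_INIT_ROUTINE)(VOID);

typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;

/*
 * Signature of the exported-but-undocumented PsGetProcessPeb routine, resolved
 * at run time via MmGetSystemRoutineAddress.  Declared after PPEB because it
 * returns one; the original placed it first, before PPEB existed.
 */
typedef PPEB (__stdcall *P_PsGetProcessPeb)(PEPROCESS);

#endif /* TYPEDEF_H */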
#include 
  
    #include 
   
     #include 
    
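      #include "typedef.h"

/* NOTE(review): the three `#include <...>` lines above lost their header names
   in extraction; the kernel types and routines used below (PEPROCESS,
   KAPC_STATE, PsLookupProcessByProcessId, ...) come from the WDK headers that
   must be restored there before this builds. */

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD UnloadDevice;
DRIVER_DISPATCH DispatchGen;

/*
 * Prints the image path and command line of a process from its PEB.
 *
 * Must be called at PASSIVE_LEVEL while attached to the process that owns
 * pPEB: the PEB and its RTL_USER_PROCESS_PARAMETERS block live in that
 * process's user-mode address space and are writable by user mode, so every
 * pointer and length found in them is treated as untrusted input.  The reads
 * are probed and performed under __try, so a bogus pointer or length produces
 * no output instead of a bugcheck.
 *
 * In_hProcessId  process id, used only for the log line.
 * pPEB           user-mode PEB pointer returned by PsGetProcessPeb (non-NULL).
 */
static VOID LogProcessParameters(HANDLE In_hProcessId, PPEB pPEB)
{
    ANSI_STRING astrImage = {0};
    ANSI_STRING astrCmdLine = {0};
    UNICODE_STRING unstrImage = {0};
    UNICODE_STRING unstrCmdLine = {0};
    BOOLEAN bHaveImage = FALSE;
    BOOLEAN bHaveCmdLine = FALSE;

    __try {
        PRTL_USER_PROCESS_PARAMETERS pParam = NULL;

        ProbeForRead(pPEB, sizeof(*pPEB), sizeof(ULONG));
        pParam = pPEB->ProcessParameters;
        if (pParam == NULL) {
            return;
        }
        ProbeForRead(pParam, sizeof(*pParam), sizeof(ULONG));

        /* Copy the string descriptors onto the kernel stack first so that
           Length/Buffer cannot be changed by user mode between check and use. */
        unstrImage = pParam->ImagePathName;
        unstrCmdLine = pParam->CommandLine;

        if (unstrImage.Buffer != NULL) {
            ProbeForRead(unstrImage.Buffer, unstrImage.Length, sizeof(WCHAR));
            /* AllocateDestinationString=TRUE: the ANSI copy is pool memory owned
               by this function and released with RtlFreeAnsiString below. */
            bHaveImage = NT_SUCCESS(RtlUnicodeStringToAnsiString(&astrImage, &unstrImage, TRUE));
        }
        if (unstrCmdLine.Buffer != NULL) {
            ProbeForRead(unstrCmdLine.Buffer, unstrCmdLine.Length, sizeof(WCHAR));
            bHaveCmdLine = NT_SUCCESS(RtlUnicodeStringToAnsiString(&astrCmdLine, &unstrCmdLine, TRUE));
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Invalid user-mode pointer or length: report nothing for this process. */
    }

    /* HANDLE is pointer-sized; narrow it explicitly so %u is correct on x64
       (the original passed the raw HANDLE to %u). */
    if (bHaveImage) {
        DbgPrint("PID::%u\t%s\n", HandleToULong(In_hProcessId), astrImage.Buffer);
    }
    if (bHaveCmdLine) {
        DbgPrint("PID::%u\t%s\n", HandleToULong(In_hProcessId), astrCmdLine.Buffer);
    }

    /* RtlFreeAnsiString on a never-allocated (zeroed) ANSI_STRING is a no-op,
       so both are released unconditionally. */
    RtlFreeAnsiString(&astrImage);
    RtlFreeAnsiString(&astrCmdLine);
}

/*
 * Process-creation notify callback (PsSetCreateProcessNotifyRoutine).
 *
 * Runs at PASSIVE_LEVEL in the context of the thread that created the new
 * process, not inside the new process, which is why the code attaches to the
 * target before touching its PEB.  Only creations are logged; exits are
 * ignored.  PsGetProcessPeb has no header declaration, so it is resolved by
 * name on each call.
 *
 * In_hParentId   creating process id (unused).
 * In_hProcessId  id of the process being created/destroyed.
 * In_BIsCreate   TRUE for creation, FALSE for exit.
 */
VOID ProcessMon(HANDLE In_hParentId, HANDLE In_hProcessId, BOOLEAN In_BIsCreate)
{
    PEPROCESS pEProcess = NULL;
    UNICODE_STRING unstrFunName = {0};
    P_PsGetProcessPeb PsGetProcessPeb = NULL;
    PPEB pPEB = NULL;
    KAPC_STATE KAPC = {0};

    UNREFERENCED_PARAMETER(In_hParentId);

    if (In_BIsCreate == FALSE) {
        return;
    }

    /* Takes a reference on the EPROCESS; released by ObDereferenceObject below. */
    if (!NT_SUCCESS(PsLookupProcessByProcessId(In_hProcessId, &pEProcess))) {
        return;
    }

    RtlInitUnicodeString(&unstrFunName, L"PsGetProcessPeb");
    PsGetProcessPeb = (P_PsGetProcessPeb)MmGetSystemRoutineAddress(&unstrFunName);
    if (PsGetProcessPeb != NULL) {
        pPEB = PsGetProcessPeb(pEProcess);
    }

    if (pPEB != NULL) {
        /* The PEB is a user-mode address in the new process's address space. */
        KeStackAttachProcess(pEProcess, &KAPC);
        LogProcessParameters(In_hProcessId, pPEB);
        KeUnstackDetachProcess(&KAPC);
    }

    ObDereferenceObject(pEProcess);
}

/*
 * Catch-all IRP handler: completes every request with STATUS_SUCCESS and no
 * data.
 *
 * Returns STATUS_INVALID_PARAMETER for NULL arguments.  The original returned
 * STATUS_SEVERITY_ERROR, which is the severity field value 3, not an NTSTATUS,
 * and is treated as success by NT_SUCCESS().
 */
NTSTATUS DispatchGen(PDEVICE_OBJECT In_pDevObj, PIRP In_pIRP)
{
    if (In_pDevObj == NULL || In_pIRP == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    In_pIRP->IoStatus.Information = 0;
    In_pIRP->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(In_pIRP, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * DriverUnload: unregisters the process-creation callback (Remove=TRUE) and
 * deletes the device object created in DriverEntry.  The callback is removed
 * first so that no new ProcessMon invocation starts while the driver unloads.
 */
VOID UnloadDevice(PDRIVER_OBJECT In_pDriObj)
{
    /* Return value deliberately ignored: nothing useful can be done at unload
       if removal fails. */
    (VOID)PsSetCreateProcessNotifyRoutine(ProcessMon, TRUE);

    if (In_pDriObj != NULL && In_pDriObj->DeviceObject != NULL) {
        IoDeleteDevice(In_pDriObj->DeviceObject);
    }
}

/*
 * Driver entry point: installs DispatchGen for every major function, creates
 * an unnamed device, then registers ProcessMon as a process-creation notify
 * routine.
 *
 * Returns STATUS_SUCCESS or the failing NTSTATUS.  If registration fails the
 * device is deleted here, because the I/O manager does not call DriverUnload
 * when DriverEntry fails (the original leaked it on that path).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT In_pDriObj, PUNICODE_STRING In_punstrRegPath)
{
    ULONG uli = 0;
    NTSTATUS stRetVal = STATUS_SUCCESS;
    PDEVICE_OBJECT pDevObj = NULL;

    if (In_pDriObj == NULL || In_punstrRegPath == NULL) {
        /* Was STATUS_SEVERITY_ERROR (0x3), which NT_SUCCESS() accepts as success. */
        return STATUS_INVALID_PARAMETER;
    }

    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, hence <=. */
    for (uli = 0; uli <= IRP_MJ_MAXIMUM_FUNCTION; uli++) {
        In_pDriObj->MajorFunction[uli] = DispatchGen;
    }
    In_pDriObj->DriverUnload = UnloadDevice;

    /* DeviceName is NULL: the device is unnamed and cannot be opened by name. */
    stRetVal = IoCreateDevice(In_pDriObj, 0, NULL, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    if (!NT_SUCCESS(stRetVal)) {
        return stRetVal;
    }

    stRetVal = PsSetCreateProcessNotifyRoutine(ProcessMon, FALSE);
    if (!NT_SUCCESS(stRetVal)) {
        IoDeleteDevice(pDevObj);
        pDevObj = NULL;
    }

    return stRetVal;
}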
     
    
  

原文地址:http://www.cnblogs.com/codeape/p/3449382.html



