内核进程监控框架

本文介绍了一个在 Windows 7 x64 环境下测试通过的内核驱动:它通过 PsSetCreateProcessNotifyRoutine 注册进程创建/终止通知回调,并对映像名包含 chrome.exe 的进程做特殊处理。驱动在运行时用 MmGetSystemRoutineAddress 解析未公开导出的 PsGetProcessPeb 和 PsGetProcessImageFileName 来获取进程信息,并通过 KdPrint/DbgPrint 输出到内核调试器(而非控制台)。注意:PsGetProcessImageFileName 返回的是 EPROCESS 中截断为 15 个字符的映像名,而映像名可由任意进程自行选择,因此基于它的匹配只能作为启发式判断,不能作为信任决策。


//win7 x64下测试通过:
#include <ntifs.h>
#include <ntddk.h>

/* Driver unload routine; defined below, installed on the driver object in DriverEntry. */
VOID UnloadDriver(PDRIVER_OBJECT pDriver);

/* Process create/exit notify routine (PCREATE_PROCESS_NOTIFY_ROUTINE signature):
 * the kernel passes the parent PID, the PID of the process being created or
 * exiting, and TRUE for creation / FALSE for exit. This prototype is the
 * correct shape; the definition further down must agree with it. */
VOID
CreateProcessRoutineSpy(
IN HANDLE  ParentId,
IN HANDLE  ProcessId,
IN BOOLEAN  Create
);

/* Function-pointer types for two ntoskrnl exports that are not declared in the
 * public WDK headers. They are resolved at run time with
 * MmGetSystemRoutineAddress in DriverEntry and stored in the globals below.
 * __fastcall is a no-op on x64 (single calling convention); it matters only
 * if this is ever built for x86. */
typedef PPEB(__fastcall *P_PsGetProcessPeb)(PEPROCESS);
typedef CHAR*(__fastcall *F_QueryProcessImageFileName)(PEPROCESS);
/* Resolved PsGetProcessPeb. NOTE(review): only referenced by the commented-out
 * LockFirefox code in this file, so it is resolved but unused in the live path. */
P_PsGetProcessPeb PsGetProcessPeb = NULL;
/* Resolved PsGetProcessImageFileName; returns EPROCESS.ImageFileName (an
 * executable name truncated to 15 characters, not a full path). */
F_QueryProcessImageFileName QueryProcessImageFileName = NULL;


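/*
 * Driver entry point.
 *
 * Resolves the two undocumented ntoskrnl exports the callback needs
 * (PsGetProcessPeb, PsGetProcessImageFileName) through
 * MmGetSystemRoutineAddress, then registers CreateProcessRoutineSpy as a
 * process create/exit notify routine.
 *
 * pDriver  - driver object; DriverUnload is installed on it so the driver can
 *            be stopped and the notify routine removed.
 * Registry - registry path of the driver's service key (unused).
 *
 * Returns STATUS_SUCCESS, or a failing NTSTATUS so the I/O manager unloads
 * the image. The original returned STATUS_SUCCESS on both resolution
 * failures (the second one returned a `status` that was still
 * STATUS_SUCCESS), which left a driver loaded with no notify routine and no
 * DriverUnload set - such a driver cannot be unloaded without a reboot.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING Registry)
{
	NTSTATUS status;
	UNICODE_STRING routineName;

	UNREFERENCED_PARAMETER(Registry);
	KdPrint(("[SysTest] DriverEntry Loading.\n"));

	/* Install the unload routine before anything can succeed, so every
	 * successful return leaves an unloadable driver. DriverUnload is not
	 * invoked when DriverEntry itself fails, so this is safe on error paths. */
	pDriver->DriverUnload = UnloadDriver;

	RtlInitUnicodeString(&routineName, L"PsGetProcessPeb");
	PsGetProcessPeb = (P_PsGetProcessPeb)MmGetSystemRoutineAddress(&routineName);
	if (PsGetProcessPeb == NULL)
	{
		DbgPrint("PsGetProcessPeb Resolve Failed");
		return STATUS_PROCEDURE_NOT_FOUND;
	}
	/* Debug aid only: this reveals a kernel address to anyone able to read
	 * debugger output. */
	DbgPrint("PsGetProcessPeb:%p", PsGetProcessPeb);

	RtlInitUnicodeString(&routineName, L"PsGetProcessImageFileName");
	QueryProcessImageFileName =
		(F_QueryProcessImageFileName)MmGetSystemRoutineAddress(&routineName);
	if (QueryProcessImageFileName == NULL)
	{
		DbgPrint("PsGetProcessImageFileName Resolve Failed");
		return STATUS_PROCEDURE_NOT_FOUND;
	}

	/* The kernel calls CreateProcessRoutineSpy for every process creation and
	 * exit system-wide from here until UnloadDriver removes it. */
	status = PsSetCreateProcessNotifyRoutine(CreateProcessRoutineSpy, FALSE);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("[SysTest] PsSetCreateProcessNotifyRoutine failed status:(%x).\n", status));
		return status;
	}

	return STATUS_SUCCESS;
}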

// NOTE(review): LockFirefox below is kept commented out for reference and must
// not be re-enabled as written:
//  - `commandline->MaximumLength += 100` raises the declared capacity without
//    reallocating the buffer, so RtlAppendUnicodeToString can write up to 100
//    bytes past the real allocation behind the target's
//    RTL_USER_PROCESS_PARAMETERS.CommandLine (a heap overflow in the target).
//  - 0x20 and 0x70 are hard-coded Win7 x64 offsets (PEB.ProcessParameters and
//    RTL_USER_PROCESS_PARAMETERS.CommandLine); they are not valid on other
//    architectures and are not guaranteed across OS versions.
//  - The PEB and process parameters are user-mode memory of another process;
//    they are dereferenced here without any probing or __try protection.
//  - `LockUrl` is not declared anywhere in this file.
//  - KeAttachProcess/KeDetachProcess are superseded by KeStackAttachProcess/
//    KeUnstackDetachProcess in new code.
//void LockFirefox(PEPROCESS CurrentProcess)
//{
//	PPEB iePeb = NULL;
//	if (!PsGetProcessPeb){
//		return;
//	}
//	iePeb = PsGetProcessPeb(CurrentProcess);
//	KeAttachProcess(CurrentProcess);
//	if (iePeb != NULL)
//	{
//		ULONG_PTR* param = (ULONG_PTR*)*((ULONG_PTR*)((ULONG_PTR)iePeb + 0x20));
//		PUNICODE_STRING commandline = (PUNICODE_STRING)((ULONG_PTR)param + 0x70);
//		commandline->MaximumLength += 100;
//		NTSTATUS Sta = RtlAppendUnicodeToString(commandline, LockUrl);
//		DbgPrint("sta:0x%x\n", Sta);
//		DbgPrint("command:%ws\n", commandline->Buffer);
//	}
//	KeDetachProcess();
//}

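/*
 * Process create/exit notify routine (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * ParentId  - PID of the parent process.
 * ProcessId - PID of the process being created or exiting.
 * Create    - TRUE on creation, FALSE on exit.
 *
 * The kernel passes handles, not EPROCESS pointers: the original definition
 * declared the first parameter as PEPROCESS, disagreeing with both the
 * prototype above and the PsSetCreateProcessNotifyRoutine contract, and
 * printed handles with %d, which is a mismatched format on x64.
 *
 * Looks up the EPROCESS for ProcessId, logs its image file name via the
 * resolved PsGetProcessImageFileName export, and releases the reference.
 * The original never checked the lookup status (NULL dereference when it
 * failed) and never called ObDereferenceObject, leaking one EPROCESS
 * reference per notification.
 */
VOID
CreateProcessRoutineSpy(
	IN HANDLE  ParentId,
	IN HANDLE  ProcessId,
	IN BOOLEAN  Create
)
{
	PEPROCESS process = NULL;
	CHAR* imageName = NULL;
	NTSTATUS status;

	/* Takes a reference on the EPROCESS on success; it must be balanced by
	 * the ObDereferenceObject at the end of this routine. */
	status = PsLookupProcessByProcessId(ProcessId, &process);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("[SysTest] PsLookupProcessByProcessId(%p) failed status:(%x).\n", ProcessId, status));
		return;
	}

	/* EPROCESS.ImageFileName: first 15 characters of the executable name,
	 * not a full path. */
	imageName = QueryProcessImageFileName(process);

	if (Create)
	{
		KdPrint(("[SysTest] Process Created. ParentId:(%p) Process:(%s).\n", ParentId, imageName ? imageName : "<unknown>"));
		/* Heuristic only: a case-sensitive substring match on a name any
		 * process can choose for itself. Never treat it as a trust decision. */
		if (imageName != NULL && strstr(imageName, "chrome.exe") != NULL)
		{
			//LockFirefox(process);
		}
	}
	else
	{
		KdPrint(("[SysTest] Process Terminated ProcessId:(%p).ParentId:(%p) .\n", ProcessId, ParentId));
	}

	ObDereferenceObject(process);
}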

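/*
 * Driver unload routine: removes the notify routine registered in DriverEntry.
 *
 * pDriver - driver object (unused).
 *
 * Both outcomes of the removal are logged. If removal fails the image is about
 * to be unmapped while the kernel still holds a pointer to
 * CreateProcessRoutineSpy, so the status must at least not be dropped
 * silently (the original logged only the success path). The local is also
 * declared before the UNREFERENCED_PARAMETER statement: the original declared
 * it after a statement, which C89-mode MSVC compilers reject.
 */
VOID UnloadDriver(PDRIVER_OBJECT pDriver)
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER(pDriver);

	status = PsSetCreateProcessNotifyRoutine(CreateProcessRoutineSpy, TRUE);
	if (NT_SUCCESS(status))
	{
		KdPrint(("[SysTest] UnloadDriver.\n"));
	}
	else
	{
		KdPrint(("[SysTest] PsSetCreateProcessNotifyRoutine remove failed status:(%x).\n", status));
	}
}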