qq空间老贴转载-32位win下进程创建的拦截
32位win下进程创建的拦截驱动部分:
#include "Driver.h"
/* SYSNAME / VERSIONLEN are not referenced anywhere in the visible part of this
 * file; presumably used by Driver.h or a later revision. */
#define SYSNAME "System"
#define VERSIONLEN 100
/* Object-manager names of the control device and of the link that makes it
 * reachable from user mode as \\.\MyEvent. */
const WCHAR devLink[] = L"\\??\\MyEvent";
const WCHAR devName[] = L"\\Device\\MyEvent";
UNICODE_STRING devNameUnicd;
UNICODE_STRING devLinkUnicd;
/* Event object used to signal the user-mode client.  Set from the handle
 * passed in with IOCTL_PASSEVENT, signalled by ProcessCreateMon, released by
 * IOCTL_UNPASSEVENT / OnUnload. */
PVOID gpEventObject = NULL;
/* PID of the most recently created process (written by ProcessCreateMon,
 * copied out by IOCTL_PASSBUF).  Single slot: a later creation overwrites it. */
HANDLE outBuf;
/* TRUE while a client holds the device open (IRP_MJ_CREATE .. IRP_MJ_CLOSE);
 * the process callback reports nothing while it is FALSE. */
BOOLEAN BeginLog = FALSE;
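#pragma code_seg("INIT")
/*
 * Driver entry point: creates the control device and its symbolic link, wires
 * the IRP dispatch routines and registers the process-creation callback.
 * Runs once at load time (INIT section, discarded afterwards).
 *
 * pDriverObject - driver object supplied by the I/O manager.
 * RegistryPath  - service key path; unused.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS.  On failure every object
 * created so far is torn down again, so a failed load leaves neither a device
 * object nor a symbolic link behind (the original code leaked both on the
 * later failure paths).
 */
extern "C" NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS Status;
    PDEVICE_OBJECT pDevice = NULL;

    KdPrint(("DriverEntry called!\n"));
    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&devNameUnicd, devName);
    RtlInitUnicodeString(&devLinkUnicd, devLink);

    /*
     * NOTE(review): the device gets the default security descriptor, so any
     * local user can open \\.\MyEvent and issue the IOCTLs (register an event,
     * read back PIDs).  If that is not intended, create it with
     * IoCreateDeviceSecure and an SDDL string limiting access to
     * SYSTEM/Administrators.
     */
    Status = IoCreateDevice(pDriverObject, 0, &devNameUnicd, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDevice);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("Can not create device.\n"));
        return Status;
    }

    Status = IoCreateSymbolicLink(&devLinkUnicd, &devNameUnicd);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("Cannot create link.\n"));
        IoDeleteDevice(pDevice);
        return Status;
    }

    /* OnUnload is declared as returning NTSTATUS while PDRIVER_UNLOAD is a
     * VOID function; the cast keeps the existing declaration usable.  The I/O
     * manager ignores the return value. */
    pDriverObject->DriverUnload = (PDRIVER_UNLOAD)OnUnload;

    /* The three major functions that DeviceIoControlDispatch handles.  The
     * array indices were lost in the pasted copy of this source; they are
     * reconstructed from the switch in the dispatch routine. */
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceIoControlDispatch;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceIoControlDispatch;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;

    /* FALSE = register (TRUE removes); OnUnload removes it again. */
    Status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("PsSetCreateProcessNotifyRoutine()\n"));
        IoDeleteSymbolicLink(&devLinkUnicd);
        IoDeleteDevice(pDevice);
        return Status;
    }

    return STATUS_SUCCESS;
}
#pragma code_seg()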
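/*
 * Process-creation notify callback (registered by DriverEntry).
 *
 * hParentId - parent process id; unused.
 * PId       - id of the process being created or exiting.
 * bCreate   - TRUE on creation, FALSE on exit.
 *
 * While a client has the device open (BeginLog) each creation stores PId in
 * outBuf and signals the registered event so the client can fetch the id via
 * IOCTL_PASSBUF.  Exit notifications are ignored.  No return value.
 */
VOID ProcessCreateMon(HANDLE hParentId, HANDLE PId, BOOLEAN bCreate)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(hParentId);

    if (!BeginLog || !bCreate) {
        return;
    }

    /* Single-slot mailbox: a creation that arrives before the client read the
     * previous id overwrites it. */
    outBuf = PId;

    /* NOTE(review): gpEventObject is read here without synchronisation against
     * IOCTL_UNPASSEVENT / OnUnload, which release the reference and clear the
     * pointer; the check-then-use below can race with that release.  A lock,
     * or taking an extra reference around KeSetEvent, would close the window. */
    if (gpEventObject != NULL) {
        KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
    }
}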
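/*
 * Driver unload routine (installed through pDriverObject->DriverUnload).
 *
 * Undoes DriverEntry in reverse order: the process callback is unregistered
 * first so it can no longer touch gpEventObject, then the event reference is
 * released, then the symbolic link and the device object are removed.
 *
 * Returns STATUS_SUCCESS.  The I/O manager ignores the value (PDRIVER_UNLOAD
 * is VOID), so a failing IoDeleteSymbolicLink is only logged: returning early
 * as the old code did would have left the device object alive after the
 * driver image was gone.
 */
NTSTATUS OnUnload(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;

    KdPrint(("OnUnload called\n"));
    PAGED_CODE();

    /* TRUE = remove the callback registered in DriverEntry. */
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

    if (gpEventObject) {
        ObDereferenceObject(gpEventObject);
        gpEventObject = NULL;
    }

    if (pDriverObject->DeviceObject != NULL) {
        status = IoDeleteSymbolicLink(&devLinkUnicd);
        if (!NT_SUCCESS(status)) {
            KdPrint(("IoDeleteSymbolicLink() failed\n"));
        }
        /* Delete the device even if the link could not be removed. */
        IoDeleteDevice(pDriverObject->DeviceObject);
    }

    return STATUS_SUCCESS;
}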
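/*
 * Single dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL (wired up in DriverEntry).
 *
 * DeviceObject - the control device; unused.
 * pIrp         - the request; always completed here.
 *
 * IRP_MJ_CREATE / IRP_MJ_CLOSE toggle BeginLog, i.e. whether the process
 * callback reports anything.  IRP_MJ_DEVICE_CONTROL understands:
 *   IOCTL_PASSEVENT   - input: a HANDLE to a user-mode event that the
 *                       callback signals on each process creation.
 *   IOCTL_UNPASSEVENT - releases that event.
 *   IOCTL_PASSBUF     - output: the HANDLE-sized PID of the last creation.
 *
 * Returns the completion status.  Everything coming from user mode is
 * untrusted: the handle is resolved in the caller's context and must be an
 * event, and buffer lengths are checked before any byte is read or written.
 *
 * NOTE(review): buffer handling assumes all three IOCTLs are METHOD_BUFFERED,
 * which the original IOCTL_PASSEVENT path already did by reading
 * AssociatedIrp.SystemBuffer - confirm against the CTL_CODE definitions in
 * Driver.h.
 */
NTSTATUS DeviceIoControlDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR information = 0;
    PIO_STACK_LOCATION stack;
    PVOID buffer;
    ULONG inputLength;
    ULONG outputLength;
    OBJECT_HANDLE_INFORMATION objHandleInfo;
    PVOID newEvent;
    PVOID oldEvent;

    UNREFERENCED_PARAMETER(DeviceObject);
    PAGED_CODE();
    KdPrint(("Enter DeviceIOControl\n"));

    stack = IoGetCurrentIrpStackLocation(pIrp);

    switch (stack->MajorFunction) {
    case IRP_MJ_CREATE:
        KdPrint(("Call IRP_MJ_CREATE\n"));
        BeginLog = TRUE;
        break;

    case IRP_MJ_CLOSE:
        BeginLog = FALSE;
        /* A client that died without IOCTL_UNPASSEVENT must not pin the event
         * object until driver unload. */
        oldEvent = InterlockedExchangePointer(&gpEventObject, NULL);
        if (oldEvent != NULL) {
            ObDereferenceObject(oldEvent);
        }
        KdPrint(("Call IRP_MJ_CLOSE\n"));
        break;

    case IRP_MJ_DEVICE_CONTROL:
        KdPrint(("IRP_MJ_DEVICE_CONTROL\n"));
        buffer = pIrp->AssociatedIrp.SystemBuffer;
        inputLength = stack->Parameters.DeviceIoControl.InputBufferLength;
        outputLength = stack->Parameters.DeviceIoControl.OutputBufferLength;

        switch (stack->Parameters.DeviceIoControl.IoControlCode) {
        case IOCTL_PASSEVENT:
            /* The caller hands us a handle to the event used for notification. */
            if (buffer == NULL || inputLength < sizeof(HANDLE)) {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            KdPrint(("inputBuffer:%p\n", buffer));
            /*
             * Resolve the handle in the caller's table (UserMode) and insist on
             * an event object.  The old call used KernelMode with no object
             * type, which let a user pass a handle to any object and have
             * KeSetEvent run on it.  EVENT_MODIFY_STATE is all KeSetEvent needs.
             */
            status = ObReferenceObjectByHandle(*(HANDLE *)buffer, EVENT_MODIFY_STATE,
                                               *ExEventObjectType, UserMode,
                                               &newEvent, &objHandleInfo);
            if (!NT_SUCCESS(status)) {
                KdPrint(("gethandle error!"));
                break;
            }
            /* Swap the new event in and drop any earlier one (a repeated
             * IOCTL_PASSEVENT used to leak the previous reference). */
            oldEvent = InterlockedExchangePointer(&gpEventObject, newEvent);
            if (oldEvent != NULL) {
                ObDereferenceObject(oldEvent);
            }
            break;

        case IOCTL_UNPASSEVENT:
            oldEvent = InterlockedExchangePointer(&gpEventObject, NULL);
            if (oldEvent != NULL) {
                ObDereferenceObject(oldEvent);
            }
            KdPrint(("unpassevent"));
            break;

        case IOCTL_PASSBUF:
            /*
             * Copy exactly sizeof(outBuf) bytes into the system buffer.  The old
             * code copied outputLength bytes from &outBuf into pIrp->UserBuffer:
             * an oversized length read past outBuf (kernel data disclosure) and
             * the user pointer was written without being probed.
             */
            if (buffer == NULL || outputLength < sizeof(outBuf)) {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            RtlCopyMemory(buffer, &outBuf, sizeof(outBuf));
            information = sizeof(outBuf);
            break;

        default:
            /* Unknown control code: report it instead of silently succeeding. */
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break;

    default:
        KdPrint(("defaultcall"));
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    /* Bytes actually produced, so the client's lpBytesReturned is meaningful. */
    pIrp->IoStatus.Information = information;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    KdPrint(("Leave DispatchRoutine\n"));
    return status;
}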
应用层部分:
#include <windows.h>
#include <winsvc.h>
#include
<conio.h>
#include <stdio.h>
#include "define.h"
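/*
 * Load an NT (legacy kernel) driver through the Service Control Manager.
 *
 * lpszDriverName - service / registry key name for the driver.
 * lpszDriverPath - path to the .sys file, relative or absolute.
 *
 * Creates the service if it does not exist (an existing one is simply opened)
 * and starts it; "already running" counts as success.  Returns TRUE when the
 * driver is running afterwards, FALSE otherwise.  Both SCM handles are closed
 * on every path.
 *
 * Requires an elevated caller.  The access masks are kept as the original used
 * them; SC_MANAGER_CREATE_SERVICE on the manager and SERVICE_START on the
 * service would be enough for what this routine does.
 */
BOOL LoadNTDriver(char *lpszDriverName, char *lpszDriverPath)
{
    BOOL bRet = FALSE;
    SC_HANDLE hServiceMgr = NULL; /* SCM handle */
    SC_HANDLE hServiceDDK = NULL; /* service handle for the driver */
    DWORD dwRtn;
    DWORD dwLen;
    char szDriverImagePath[MAX_PATH];

    /* Resolve the full image path.  The original declared a single char as the
     * 256-byte destination here.  0 means failure; a value >= the buffer size
     * means the result was truncated. */
    dwLen = GetFullPathName(lpszDriverPath, sizeof(szDriverImagePath), szDriverImagePath, NULL);
    if (dwLen == 0 || dwLen >= sizeof(szDriverImagePath)) {
        printf("GetFullPathName() Faild %lu ! \n", GetLastError());
        return FALSE;
    }

    hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hServiceMgr == NULL) {
        printf("OpenSCManager() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenSCManager() ok ! \n");

    hServiceDDK = CreateService(hServiceMgr,
                                lpszDriverName,        /* service name (registry key) */
                                lpszDriverName,        /* DisplayName */
                                SERVICE_ALL_ACCESS,
                                SERVICE_KERNEL_DRIVER, /* Type: kernel driver */
                                SERVICE_DEMAND_START,  /* Start */
                                SERVICE_ERROR_IGNORE,  /* ErrorControl */
                                szDriverImagePath,     /* ImagePath */
                                NULL, NULL, NULL, NULL, NULL);
    if (hServiceDDK == NULL) {
        dwRtn = GetLastError();
        if (dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_EXISTS) {
            printf("CrateService() Faild %lu ! \n", dwRtn);
            goto BeforeLeave;
        }
        printf("CreateService() Faild Service is ERROR_IO_PENDING or ERROR_SERVICE_EXISTS! \n");

        /* The service is already registered: open it instead. */
        hServiceDDK = OpenService(hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS);
        if (hServiceDDK == NULL) {
            printf("OpenService() Faild %lu ! \n", GetLastError());
            goto BeforeLeave;
        }
        printf("OpenService() ok ! \n");
    } else {
        printf("CreateService() ok ! \n");
    }

    if (!StartService(hServiceDDK, 0, NULL)) {
        dwRtn = GetLastError();
        if (dwRtn == ERROR_SERVICE_ALREADY_RUNNING) {
            /* Already loaded by an earlier run: treat as success. */
            printf("StartService() Faild ERROR_SERVICE_ALREADY_RUNNING ! \n");
            bRet = TRUE;
        } else if (dwRtn == ERROR_IO_PENDING) {
            printf("StartService() Faild ERROR_IO_PENDING ! \n");
        } else {
            printf("StartService() Faild %lu ! \n", dwRtn);
        }
        goto BeforeLeave;
    }
    bRet = TRUE;

BeforeLeave:
    if (hServiceDDK) {
        CloseServiceHandle(hServiceDDK);
    }
    if (hServiceMgr) {
        CloseServiceHandle(hServiceMgr);
    }
    return bRet;
}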
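/*
 * Stop and delete the driver service through the SCM.
 *
 * szSvrName - service name used in LoadNTDriver.
 *
 * Returns TRUE once the service could be opened: a failed stop or delete is
 * reported but not treated as an error, because a driver that refuses to stop
 * can only be cleared by a reboot while the deletion stays queued.  Returns
 * FALSE if the SCM or the service could not be opened.  Both handles are
 * closed on every path.
 */
BOOL UnloadNTDriver(char *szSvrName)
{
    BOOL bRet = FALSE;
    SC_HANDLE hServiceMgr = NULL; /* SCM handle */
    SC_HANDLE hServiceDDK = NULL; /* service handle for the driver */
    SERVICE_STATUS SvrSta;

    hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hServiceMgr == NULL) {
        printf("OpenSCManager() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenSCManager() ok ! \n");

    hServiceDDK = OpenService(hServiceMgr, szSvrName, SERVICE_ALL_ACCESS);
    if (hServiceDDK == NULL) {
        printf("OpenService() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenService() ok ! \n");

    /* Ask the driver to stop.  If this fails it stays loaded until the next
     * reboot; the service entry is still deleted below. */
    if (!ControlService(hServiceDDK, SERVICE_CONTROL_STOP, &SvrSta)) {
        printf("ControlService() Faild %lu !\n", GetLastError());
    } else {
        printf("ControlService() ok !\n");
    }

    if (!DeleteService(hServiceDDK)) {
        printf("DeleteSrevice() Faild %lu !\n", GetLastError());
    } else {
        printf("DelServer:eleteSrevice() ok !\n");
    }
    bRet = TRUE;

BeforeLeave:
    if (hServiceDDK) {
        CloseServiceHandle(hServiceDDK);
    }
    if (hServiceMgr) {
        CloseServiceHandle(hServiceMgr);
    }
    return bRet;
}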
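/*
 * Interactive client for the driver: registers an event with IOCTL_PASSEVENT,
 * then prints the PID of each newly created process until 'q' is typed, and
 * finally unregisters the event with IOCTL_UNPASSEVENT.
 *
 * Returns 0 in every case (main ignores the value).  All handles are released
 * on every path; the old code leaked the device handle on early exits and one
 * process handle per reported PID.
 */
int test(void)
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    HANDLE m_hCommEvent = NULL;
    HANDLE hProcess;
    HANDLE PID = NULL;
    BOOL status;
    ULONG dwReturn;

    hDevice = CreateFile("\\\\.\\MyEvent", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("createfile wrong\n");
        getchar();
        return 0;
    }

    /* Auto-reset, initially unsignalled; the driver sets it once per creation. */
    m_hCommEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (m_hCommEvent == NULL) {
        printf("CreateEvent wrong+%lu\n", GetLastError());
        goto cleanup;
    }
    printf("hEvent:%p\n", m_hCommEvent);

    status = DeviceIoControl(hDevice, IOCTL_PASSEVENT, &m_hCommEvent, sizeof(m_hCommEvent),
                             NULL, 0, &dwReturn, NULL);
    if (!status) {
        printf("IO wrong+%lu\n", GetLastError());
        getchar();
        goto cleanup;
    }

    printf("[Process PID]:\n");
    for (;;) {
        /* Each round waits for a keypress first; 'q' ends the session. */
        if (getchar() == 'q') {
            break;
        }
        ResetEvent(m_hCommEvent);
        WaitForSingleObject(m_hCommEvent, INFINITE);

        status = DeviceIoControl(hDevice, IOCTL_PASSBUF, NULL, 0,
                                 &PID, sizeof(HANDLE), &dwReturn, NULL);
        if (!status) {
            printf("IO wrong+%lu\n", GetLastError());
            goto unregister;
        }
        printf("%lu\n", (unsigned long)(ULONG_PTR)PID);

        /* Only probes whether the new process can be opened; the handle was
         * never closed in the original. */
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)PID);
        if (hProcess == NULL) {
            printf("OpenProcess Error\n");
        } else {
            CloseHandle(hProcess);
        }
    }

unregister:
    status = DeviceIoControl(hDevice, IOCTL_UNPASSEVENT, NULL, 0, NULL, 0, &dwReturn, NULL);
    if (!status) {
        printf("UNPASSEVENT wrong+%lu\n", GetLastError());
        getchar();
    }

cleanup:
    if (m_hCommEvent != NULL) {
        CloseHandle(m_hCommEvent);
    }
    CloseHandle(hDevice);
    getchar();
    return 0;
}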
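/*
 * Entry point: load the driver, run the interactive client, unload the driver.
 *
 * The original ran test() even when LoadNTDriver failed (the guarding `if`
 * had been commented out) and then checked the *load* result after the
 * unload; here the load result gates the client and the unload result is
 * what gets reported.  Returns 0 on success, 1 if the unload failed.
 */
int main(void)
{
    BOOL bRet = LoadNTDriver(DRIVER_NAME, DRIVER_PATH);
    if (!bRet) {
        printf("LoadNTDriver error\n");
    } else {
        printf("press q to quit!\n");
        test();
        /* At this point the symbolic link can be inspected with the registry or
         * any tool that lists object-manager links. */
        printf("press any to unload the driver!\n");
        getch();
    }

    /* Always attempt the unload so a half-registered service is cleaned up. */
    bRet = UnloadNTDriver(DRIVER_NAME);
    if (!bRet) {
        printf("UnloadNTDriver error\n");
        return 1;
    }
    return 0;
}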
看不懂,收下了先~!