32位win下进程创建的拦截
- 驱动部分:
-
-
-
- #include "Driver.h"
#define SYSNAME "System"
#define VERSIONLEN 100

// Device name and the symbolic link user mode opens as "\\.\MyEvent"
// (see the CreateFile call in the user-mode part below).
const WCHAR devLink[] = L"\\??\\MyEvent";
const WCHAR devName[] = L"\\Device\\MyEvent";
UNICODE_STRING devNameUnicd;
UNICODE_STRING devLinkUnicd;
// Event object used to communicate with the application: a referenced
// object pointer obtained by IOCTL_PASSEVENT via ObReferenceObjectByHandle,
// signalled from ProcessCreateMon, dropped by IOCTL_UNPASSEVENT and OnUnload.
PVOID gpEventObject = NULL;
// Last process id recorded by ProcessCreateMon; read back by IOCTL_PASSBUF.
// NOTE(review): written from the process-notify callback and read from the
// dispatch routine with no synchronization — confirm whether a lock is needed.
HANDLE outBuf;
// Logging is on while a client holds the device open (IRP_MJ_CREATE .. IRP_MJ_CLOSE).
BOOLEAN BeginLog=FALSE;
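#pragma code_seg("INIT")
/*
 * Driver entry point: creates the control device and its symbolic link,
 * installs the dispatch routines and registers the process-creation callback.
 *
 * pDriverObject - driver object supplied by the I/O manager.
 * RegistryPath  - unused.
 *
 * Returns STATUS_SUCCESS or the failing NTSTATUS. On failure everything
 * created so far is torn down again, so a failed load leaves neither a
 * device object nor a dangling symbolic link behind.
 */
extern "C" NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS Status;
    PDEVICE_OBJECT pDevice = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);
    KdPrint(("DriverEntry called!\n"));

    RtlInitUnicodeString(&devNameUnicd, devName);
    RtlInitUnicodeString(&devLinkUnicd, devLink);

    // Exclusive device: a single user-mode client at a time.
    // NOTE(review): no security descriptor is supplied, so the default device
    // DACL applies; if the link must not be openable by every local user,
    // IoCreateDeviceSecure with an SDDL string is the usual replacement.
    Status = IoCreateDevice(pDriverObject, 0, &devNameUnicd, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDevice);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Can not create device.\n"));
        return Status;
    }

    Status = IoCreateSymbolicLink(&devLinkUnicd, &devNameUnicd);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Cannot create link.\n"));
        IoDeleteDevice(pDevice);   // previously leaked on this path
        return Status;
    }

    // DRIVER_UNLOAD returns VOID; the cast hides that OnUnload returns NTSTATUS,
    // which the I/O manager never sees.
    pDriverObject->DriverUnload = (PDRIVER_UNLOAD)OnUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] =
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControlDispatch;

    // Register for process create/exit notifications (Remove == FALSE).
    // The old second check of the same Status, labelled
    // PsSetCreateThreadNotifyRoutine(), was dead code: no thread callback is
    // registered here.
    Status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("PsSetCreateProcessNotifyRoutine()\n"));
        IoDeleteSymbolicLink(&devLinkUnicd);
        IoDeleteDevice(pDevice);
        return Status;
    }

    return STATUS_SUCCESS;
}
#pragma code_seg()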
-
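/*
 * Process create/exit notification callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * hParentId - parent process id (unused).
 * PId       - id of the process being created or exiting.
 * bCreate   - TRUE on creation, FALSE on exit.
 *
 * While a client holds the device open (BeginLog), records the new process
 * id in outBuf and signals the client's event so it can fetch the id with
 * IOCTL_PASSBUF. Exit events are ignored. The unused locals and the
 * commented-out exit branch of the original are gone.
 */
VOID ProcessCreateMon(HANDLE hParentId, HANDLE PId, BOOLEAN bCreate)
{
    PAGED_CODE();

    UNREFERENCED_PARAMETER(hParentId);

    // Nothing to report until a client has opened the device; exits are not reported.
    if (!BeginLog || !bCreate)
    {
        return;
    }

    // NOTE(review): outBuf and gpEventObject are shared with the dispatch
    // routine (IOCTL_PASSBUF / IOCTL_UNPASSEVENT) and with OnUnload without
    // any lock, so a client dropping the event concurrently races this read;
    // a spin lock taken on both sides would close that window. A second
    // process created before the client reads outBuf also overwrites the first id.
    outBuf = PId;
    if (gpEventObject != NULL)
    {
        KeSetEvent((PRKEVENT)gpEventObject, 0, FALSE);
    }
}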
-
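/*
 * Driver unload routine.
 *
 * Order matters: the process-notify callback is removed first so it can no
 * longer touch gpEventObject/outBuf, then the event reference taken by
 * IOCTL_PASSEVENT is dropped, then the symbolic link and device go away.
 * The routine is installed as DRIVER_UNLOAD (which returns VOID), so the
 * NTSTATUS is never seen by the I/O manager; it therefore always finishes
 * the teardown instead of returning early and leaving a live device object
 * behind when IoDeleteSymbolicLink fails.
 */
NTSTATUS OnUnload(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    PAGED_CODE();
    KdPrint(("OnUnload called\n"));

    // Stop notifications before releasing anything the callback may use.
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

    if (gpEventObject != NULL)
    {
        ObDereferenceObject(gpEventObject);
        gpEventObject = NULL;
    }

    if (pDriverObject->DeviceObject != NULL)
    {
        status = IoDeleteSymbolicLink(&devLinkUnicd);
        if (!NT_SUCCESS(status))
        {
            // Log and keep going: the device object must still be deleted.
            KdPrint(("IoDeleteSymbolicLink() failed\n"));
        }
        IoDeleteDevice(pDriverObject->DeviceObject);
    }

    return status;
}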
-
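/*
 * Dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
 *
 * DeviceObject - unused (there is a single control device).
 * pIrp         - request to complete.
 *
 * Control codes (defined in Driver.h, not shown here):
 *   IOCTL_PASSEVENT   - input: one HANDLE to an event owned by the caller.
 *                       The driver references the event object and signals
 *                       it from ProcessCreateMon.
 *   IOCTL_UNPASSEVENT - drops that reference.
 *   IOCTL_PASSBUF     - output: the last recorded process id (sizeof(HANDLE)).
 *
 * The caller is untrusted user mode, so every length, handle and pointer it
 * supplies is validated before use: a short input buffer, a handle that is
 * not an event, or a bad output pointer fails the request instead of reading
 * or writing kernel memory. The original read *(HANDLE *)SystemBuffer without
 * a length check, accepted any object type as KernelMode, and copied the
 * caller's whole output length straight into pIrp->UserBuffer unprobed.
 *
 * Returns the NTSTATUS the IRP was completed with.
 */
NTSTATUS DeviceIoControlDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;   // bytes returned to the caller
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);

    UNREFERENCED_PARAMETER(DeviceObject);
    PAGED_CODE();
    KdPrint(("Enter DeviceIOControl\n"));

    switch (stack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        KdPrint(("Call IRP_MJ_CREATE\n"));
        BeginLog = TRUE;
        break;

    case IRP_MJ_CLOSE:
        KdPrint(("Call IRP_MJ_CLOSE\n"));
        BeginLog = FALSE;
        // The device is exclusive, so the only client is gone: release the
        // event it registered even if it never sent IOCTL_UNPASSEVENT (e.g.
        // it crashed) instead of holding the object until unload.
        if (gpEventObject != NULL)
        {
            ObDereferenceObject(gpEventObject);
            gpEventObject = NULL;
        }
        break;

    case IRP_MJ_DEVICE_CONTROL:
    {
        ULONG inputLength = stack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outputLength = stack->Parameters.DeviceIoControl.OutputBufferLength;
        PVOID systemBuffer = pIrp->AssociatedIrp.SystemBuffer;

        KdPrint(("IRP_MJ_DEVICE_CONTROL\n"));

        switch (stack->Parameters.DeviceIoControl.IoControlCode)
        {
        case IOCTL_PASSEVENT:
        {
            // Communication is done through the caller's event.
            PVOID newEvent = NULL;

            // Never read past the buffer the I/O manager gave us.
            if (systemBuffer == NULL || inputLength < sizeof(HANDLE))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            KdPrint(("inputBuffer:%p\n", systemBuffer));

            // The handle comes from user mode: validate it as UserMode (a
            // kernel handle value cannot be smuggled in), require that it
            // really is an event (KeSetEvent on any other object type would
            // corrupt it), and ask only for the right to set it.
            status = ObReferenceObjectByHandle(*(HANDLE *)systemBuffer,
                                               EVENT_MODIFY_STATE,
                                               *ExEventObjectType,
                                               UserMode,
                                               &newEvent,
                                               NULL);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("gethandle error!"));
                break;
            }

            // Replace a previously registered event instead of leaking its
            // reference. NOTE(review): not synchronized against
            // ProcessCreateMon, which may be using the old pointer.
            if (gpEventObject != NULL)
            {
                ObDereferenceObject(gpEventObject);
            }
            gpEventObject = newEvent;
            break;
        }

        case IOCTL_UNPASSEVENT:
            if (gpEventObject != NULL)
            {
                ObDereferenceObject(gpEventObject);
                gpEventObject = NULL;
            }
            KdPrint(("unpassevent"));
            break;

        case IOCTL_PASSBUF:
            // Copy exactly sizeof(outBuf) bytes, never the caller's length.
            if (outputLength < sizeof(outBuf))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            // NOTE(review): the transfer method is fixed by the IOCTL
            // definition in Driver.h, which is not visible here; both
            // METHOD_BUFFERED and METHOD_NEITHER are handled — confirm.
            if (systemBuffer != NULL)
            {
                // METHOD_BUFFERED: the I/O manager copies SystemBuffer back
                // to the caller using the Information count set below.
                RtlCopyMemory(systemBuffer, &outBuf, sizeof(outBuf));
                info = sizeof(outBuf);
            }
            else
            {
                // No system buffer: pIrp->UserBuffer is a raw user pointer
                // and must be probed and written under SEH.
                __try
                {
                    ProbeForWrite(pIrp->UserBuffer, sizeof(outBuf), TYPE_ALIGNMENT(HANDLE));
                    RtlCopyMemory(pIrp->UserBuffer, &outBuf, sizeof(outBuf));
                    info = sizeof(outBuf);
                }
                __except (EXCEPTION_EXECUTE_HANDLER)
                {
                    status = GetExceptionCode();
                }
            }
            break;

        default:
            // Unknown control code: fail it rather than report success.
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break;
    }

    default:
        KdPrint(("defaultcall"));
        status = STATUS_INVALID_VARIANT;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = info;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    KdPrint(("Leave DispatchRoutine\n"));
    return status;
}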
-
-
- 应用层部分:
-
- #include <windows.h>
- #include <winsvc.h>
- #include
- <conio.h>
- #include <stdio.h>
- #include "define.h"
-
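// Load an NT kernel driver: create (or open) its service entry and start it.
//
// lpszDriverName - service name, also used as the registry DisplayName.
// lpszDriverPath - path of the .sys image; a relative path is resolved
//                  against the current directory.
//
// Returns TRUE if the service is running afterwards (including the
// ERROR_SERVICE_ALREADY_RUNNING case), FALSE otherwise. Needs a caller that
// may create services (normally an elevated administrator). Only the SCM and
// service rights actually used are requested.
BOOL LoadNTDriver(char* lpszDriverName, char* lpszDriverPath)
{
    char szDriverImagePath[MAX_PATH];
    BOOL bRet = FALSE;
    SC_HANDLE hServiceMgr = NULL;   // handle to the service control manager
    SC_HANDLE hServiceDDK = NULL;   // handle to the driver's service
    DWORD dwRtn;

    // Resolve the full image path. The old unchecked call let an empty or
    // truncated path reach CreateService.
    dwRtn = GetFullPathName(lpszDriverPath, MAX_PATH, szDriverImagePath, NULL);
    if (dwRtn == 0 || dwRtn >= MAX_PATH)
    {
        printf("GetFullPathName() Faild %lu ! \n", GetLastError());
        return FALSE;
    }

    // Open the service control manager with connect + create rights only.
    hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
    if (hServiceMgr == NULL)
    {
        printf("OpenSCManager() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenSCManager() ok ! \n");

    // Register the driver as a demand-start kernel service.
    hServiceDDK = CreateService(hServiceMgr,
                                lpszDriverName,                         // service name in the registry
                                lpszDriverName,                         // DisplayName value
                                SERVICE_START | SERVICE_QUERY_STATUS,   // rights needed on the handle
                                SERVICE_KERNEL_DRIVER,                  // the service is a driver
                                SERVICE_DEMAND_START,                   // Start value
                                SERVICE_ERROR_IGNORE,                   // ErrorControl value
                                szDriverImagePath,                      // ImagePath value
                                NULL, NULL, NULL, NULL, NULL);
    if (hServiceDDK == NULL)
    {
        dwRtn = GetLastError();
        if (dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_EXISTS)
        {
            printf("CrateService() Faild %lu ! \n", dwRtn);
            goto BeforeLeave;
        }
        // The service already exists: just open it.
        printf("CreateService() Faild Service is ERROR_IO_PENDING or ERROR_SERVICE_EXISTS! \n");
        hServiceDDK = OpenService(hServiceMgr, lpszDriverName, SERVICE_START | SERVICE_QUERY_STATUS);
        if (hServiceDDK == NULL)
        {
            printf("OpenService() Faild %lu ! \n", GetLastError());
            goto BeforeLeave;
        }
        printf("OpenService() ok ! \n");
    }
    else
    {
        printf("CreateService() ok ! \n");
    }

    // Start the service; "already running" counts as success.
    if (!StartService(hServiceDDK, 0, NULL))
    {
        dwRtn = GetLastError();
        if (dwRtn == ERROR_SERVICE_ALREADY_RUNNING)
        {
            printf("StartService() Faild ERROR_SERVICE_ALREADY_RUNNING ! \n");
            bRet = TRUE;
        }
        else if (dwRtn == ERROR_IO_PENDING)
        {
            printf("StartService() Faild ERROR_IO_PENDING ! \n");
        }
        else
        {
            printf("StartService() Faild %lu ! \n", dwRtn);
        }
        goto BeforeLeave;
    }
    bRet = TRUE;

BeforeLeave:
    // Close whatever was opened before leaving.
    if (hServiceDDK)
    {
        CloseServiceHandle(hServiceDDK);
    }
    if (hServiceMgr)
    {
        CloseServiceHandle(hServiceMgr);
    }
    return bRet;
}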
-
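// Unload an NT kernel driver: stop its service and delete the service entry.
//
// szSvrName - service name the driver was loaded under.
//
// Returns TRUE once the service could be opened, even if stopping or
// deleting it failed (those failures are only printed); FALSE if the SCM or
// the service could not be opened. A driver that refuses to stop stays
// resident until the next reboot. Only the rights actually used are requested.
BOOL UnloadNTDriver(char *szSvrName)
{
    BOOL bRet = FALSE;
    SC_HANDLE hServiceMgr = NULL;   // handle to the service control manager
    SC_HANDLE hServiceDDK = NULL;   // handle to the driver's service
    SERVICE_STATUS SvrSta;

    // Connect rights are all OpenService needs.
    hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (hServiceMgr == NULL)
    {
        printf("OpenSCManager() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenSCManager() ok ! \n");

    // Open the driver's service with stop + delete rights only.
    hServiceDDK = OpenService(hServiceMgr, szSvrName, SERVICE_STOP | DELETE);
    if (hServiceDDK == NULL)
    {
        printf("OpenService() Faild %lu ! \n", GetLastError());
        goto BeforeLeave;
    }
    printf("OpenService() ok ! \n");

    // Stop the driver; if this fails it can only be removed by a reboot.
    if (!ControlService(hServiceDDK, SERVICE_CONTROL_STOP, &SvrSta))
    {
        printf("ControlService() Faild %lu !\n", GetLastError());
    }
    else
    {
        printf("ControlService() ok !\n");
    }

    // Remove the service entry.
    if (!DeleteService(hServiceDDK))
    {
        printf("DeleteSrevice() Faild %lu !\n", GetLastError());
    }
    else
    {
        printf("DelServer:eleteSrevice() ok !\n");
    }
    bRet = TRUE;

BeforeLeave:
    // Close whatever was opened before leaving.
    if (hServiceDDK)
    {
        CloseServiceHandle(hServiceDDK);
    }
    if (hServiceMgr)
    {
        CloseServiceHandle(hServiceMgr);
    }
    return bRet;
}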
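// Interactive client: opens the control device, hands it an event, then for
// each keypress other than 'q' waits for a process-creation notification and
// prints the new process id.
//
// Returns 0 always; failures are reported on stdout. Unlike the original,
// every handle opened here (device, event, probed process) is closed on
// every exit path, the CreateEvent result is checked before its handle is
// passed to the driver, and the process is probed with query rights only.
int test()
{
    HANDLE hDevice;
    HANDLE m_hCommEvent = NULL;
    HANDLE hProc;
    BOOL status;
    DWORD dwReturn;
    HANDLE PID = NULL;

    hDevice = CreateFile("\\\\.\\MyEvent", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("createfile wrong\n");
        getchar();
        return 0;
    }

    // Auto-reset, initially non-signalled: the driver sets it per new process.
    m_hCommEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (m_hCommEvent == NULL)
    {
        printf("CreateEvent wrong+%lu\n", GetLastError());
        goto cleanup;
    }
    printf("hEvent:%p\n", m_hCommEvent);

    // Hand the event handle to the driver (it references the object by handle).
    status = DeviceIoControl(hDevice, IOCTL_PASSEVENT, &m_hCommEvent, sizeof(m_hCommEvent),
                             NULL, 0, &dwReturn, NULL);
    if (!status)
    {
        printf("IO wrong+%lu\n", GetLastError());
        getchar();
        goto cleanup;
    }

    printf("[Process PID]:\n");
    while (1)
    {
        if (getchar() == 'q')
            break;

        ResetEvent(m_hCommEvent);
        WaitForSingleObject(m_hCommEvent, INFINITE);

        // Fetch the process id the driver recorded before signalling.
        status = DeviceIoControl(hDevice, IOCTL_PASSBUF, NULL, 0, &PID, sizeof(HANDLE),
                                 &dwReturn, NULL);
        if (!status)
        {
            printf("IO wrong+%lu\n", GetLastError());
            goto unregister;
        }
        printf("%lu\n", (unsigned long)(ULONG_PTR)PID);

        // Probe whether the process can be opened; query rights suffice and
        // the handle is closed again instead of leaking once per iteration.
        hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)(ULONG_PTR)PID);
        if (hProc == NULL)
            printf("OpenProcess Error\n");
        else
            CloseHandle(hProc);
    }

unregister:
    // Tell the driver to drop its reference on our event.
    status = DeviceIoControl(hDevice, IOCTL_UNPASSEVENT, NULL, 0, NULL, 0, &dwReturn, NULL);
    if (!status)
    {
        printf("UNPASSEVENT wrong+%lu\n", GetLastError());
    }

cleanup:
    if (m_hCommEvent != NULL)
        CloseHandle(m_hCommEvent);
    CloseHandle(hDevice);
    getchar();
    return 0;
}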
-
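// Entry point: load the driver, run the interactive client, then unload it.
// Returns 0 on success, 1 if the driver could not be unloaded.
int main(void)
{
    // Load the driver (DRIVER_NAME / DRIVER_PATH come from define.h).
    BOOL bRet = LoadNTDriver(DRIVER_NAME, DRIVER_PATH);
    if (!bRet)
    {
        // The original had this check commented out and ran the client anyway.
        printf("LoadNTDriver error\n");
        goto unload;
    }

    printf("press q to quit!\n");
    test();

    // At this point the symbolic link can be verified in the registry or
    // with a tool that lists symbolic links.
    printf("press any to unload the driver!\n");
    getch();

unload:
    // Report the result of the unload itself; the original tested the load
    // result here, so an unload failure was never noticed.
    if (!UnloadNTDriver(DRIVER_NAME))
    {
        printf("UnloadNTDriver error\n");
        return 1;
    }
    return 0;
}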
-
-