
内核层监控进程 线程 创建和销毁

#include "ntddk.h"
#include "windef.h"
#include "string.h"

// Name of the process whose EPROCESS is probed in GetProcessNameOffset().
#define SYSNAME "System"

// Byte offset of the image-name field inside EPROCESS. Left at 0 until
// DriverEntry resolves it; 0 also means "not found", which aborts loading.
ULONG ProcessNameOffset = 0;

// Forward declarations for the driver's own routines.
ULONG    GetProcessNameOffset();
VOID     DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

// Hand-declared kernel export, presumably because the headers included here
// do not expose it (it lives in ntifs.h) -- TODO confirm against the DDK used.
// NOTE(review): the real export takes a HANDLE, not a ULONG; this narrower
// prototype is what forces the HandleToUlong()/(ULONG) casts at the call
// sites and is only safe because PIDs fit in 32 bits.
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);

// Notification callbacks. In the visible DriverEntry only ProcessCreateMon is
// registered; the thread and image-load handlers are defined but not hooked.
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
//VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo );

// Driver entry point
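// Driver entry point: creates the control device and its DOS-visible link,
// resolves the EPROCESS image-name offset, and installs the process-creation
// callback. On any failure everything created so far is torn down and the
// failing status is returned, so a failed load leaves no device or link behind.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS       status;
    int            i;

    UNREFERENCED_PARAMETER(RegistryPath);

    RtlInitUnicodeString(&nameString, L"\\Device\\ProcWatch");
    RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");

    // NOTE(review): the device is created with characteristics 0 (no
    // FILE_DEVICE_SECURE_OPEN) and no explicit SDDL, and then published under
    // \DosDevices, so with the default device DACL it is likely openable by
    // unprivileged users. CommonDispatch is a no-op for every major function,
    // so the exposed surface is small today; restrict it (IoCreateDeviceSecure
    // / SDDL) before the dispatch ever gains real IOCTL handling.
    status = IoCreateDevice(DriverObject,
                            0,
                            &nameString,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObject);
        return status;
    }

    // Locate EPROCESS.ImageFileName by scanning the current (System) process.
    // Must complete before any callback is registered, since the callbacks
    // read ProcessNameOffset.
    ProcessNameOffset = GetProcessNameOffset();
    if (ProcessNameOffset == 0) {
        status = STATUS_UNSUCCESSFUL;
        goto fail;
    }

    // Only process creation is hooked here; ThreadCreateMon and ImageCreateMon
    // exist below but are intentionally left unregistered.
    status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
        goto fail;
    }

    // MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; use <= so the last
    // slot is routed to the same completer as the rest.
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = CommonDispatch;
    }
    DriverObject->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;

fail:
    // The symbolic link already exists at this point; deleting only the device
    // would leave a dangling \DosDevices\ProcWatch entry behind.
    IoDeleteSymbolicLink(&linkString);
    IoDeleteDevice(deviceObject);
    return status;
}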

// Driver unload: reverses DriverEntry -- detaches the notification callbacks,
// then removes the \DosDevices link and finally the control device.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING dosLink;

    // Callbacks come off first so nothing fires against a half-torn-down driver.
    // The thread hook is removed even though the visible DriverEntry never
    // registers it; in that case the call just returns an error that is ignored.
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

    RtlInitUnicodeString(&dosLink, L"\\DosDevices\\ProcWatch");
    IoDeleteSymbolicLink(&dosLink);
    IoDeleteDevice(DriverObject->DeviceObject);
}

// Handles every I/O request sent to the device object
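// Completes every IRP with STATUS_SUCCESS and no payload. The control device
// exposes no real interface; this only lets user mode open and close it.
// Installed for every major function code by DriverEntry.
NTSTATUS CommonDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    // After IoCompleteRequest the I/O manager owns the IRP and may already have
    // freed it, so the status is returned from a constant rather than re-read
    // from Irp->IoStatus.Status (which was a use-after-complete).
    return STATUS_SUCCESS;
}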

// Declared but neither read nor written anywhere in the visible code.
HANDLE g_dwProcessId;
// Set TRUE by ProcessCreateMon on every process creation and cleared by
// ThreadCreateMon once it has logged that process's first thread. Plain
// global with no synchronisation, so concurrent creations can interleave.
BOOL g_bMainThread;

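// Process-creation/exit callback for PsSetCreateProcessNotifyRoutine.
//   hParentId - PID of the creating (parent) process.
//   PId       - PID of the process being created or exiting.
//   bCreate   - TRUE on creation, FALSE on exit.
// Looks up the EPROCESS, logs its image name (creation only) to the debugger,
// flags g_bMainThread so ThreadCreateMon can log the first thread, and drops
// the object reference the lookup took. Output is DbgPrint only.
VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate )
{
    PEPROCESS EProcess = NULL;
    NTSTATUS  status;
    CHAR      imageName[16];

    // HandleToUlong narrows the HANDLE the same way on x86 and x64 (PIDs fit
    // in 32 bits), so the per-architecture #ifdef is unnecessary. The local
    // prototype takes a ULONG, which is why a HANDLE cannot be passed directly.
    status = PsLookupProcessByProcessId(HandleToUlong(PId), &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    if (bCreate) {
        g_bMainThread = TRUE;

        // EPROCESS.ImageFileName is a 15/16-byte field (build dependent) with
        // no guaranteed NUL for maximal-length names; copy 15 bytes out and
        // terminate locally instead of letting %s read past the field.
        RtlCopyMemory(imageName, (PCHAR)EProcess + ProcessNameOffset, sizeof(imageName) - 1);
        imageName[sizeof(imageName) - 1] = '\0';

        // %u with HandleToUlong and %p for the pointer: the original %d/%x
        // consumed 32 bits of 64-bit varargs on x64.
        DbgPrint("CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %u, PROCESS ID: %u, PROCESS ADDRESS %p:\n",
                 imageName,
                 HandleToUlong(hParentId),
                 HandleToUlong(PId),
                 EProcess);
    } else {
        DbgPrint("TERMINATED == PROCESS ID: %u\n", HandleToUlong(PId));
    }

    // PsLookupProcessByProcessId returns a referenced object; without this the
    // EPROCESS leaked one reference per callback and could never be freed.
    ObDereferenceObject(EProcess);
}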

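// Thread-creation/exit callback for PsSetCreateThreadNotifyRoutine. Defined
// here but, in the visible DriverEntry, not registered.
//   PId     - PID of the process that owns the new/exiting thread. This is the
//             containing process, not necessarily the one creating the thread.
//   TId     - ID of the thread being created or exiting.
//   bCreate - TRUE on creation, FALSE on exit.
// On creation the callback runs on the creating thread, so PsGetCurrentProcessId()
// identifies the creator. The "caller/called" line is emitted once per new
// process (gated by g_bMainThread) when the creator is a different, non-System
// process, i.e. a cross-process first thread. Output is DbgPrint only.
VOID ThreadCreateMon (IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    const ULONG System      = 4;                                      // PID of the System process
    ULONG       dwParentPID = HandleToUlong(PsGetCurrentProcessId()); // process creating the thread
    ULONG       ProcessId   = HandleToUlong(PId);                     // process that owns the thread
    PEPROCESS   EProcess       = NULL;
    PEPROCESS   ParentEProcess = NULL;
    NTSTATUS    status;
    CHAR        imageName[16];
    CHAR        parentName[16];

    // HandleToUlong works on both x86 and x64, which removes the per-
    // architecture #ifdef; the local prototype takes a ULONG and PIDs fit.
    status = PsLookupProcessByProcessId(ProcessId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    // Checked separately: previously only the second status was tested, so a
    // failed first lookup left EProcess uninitialised yet dereferenced below.
    status = PsLookupProcessByProcessId(dwParentPID, &ParentEProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        ObDereferenceObject(EProcess);
        return;
    }

    if (bCreate) {
        // EPROCESS.ImageFileName is a 15/16-byte field (build dependent) with
        // no guaranteed NUL for maximal-length names; copy 15 bytes out and
        // terminate locally instead of letting %s read past the field.
        RtlCopyMemory(imageName, (PCHAR)EProcess + ProcessNameOffset, sizeof(imageName) - 1);
        imageName[sizeof(imageName) - 1] = '\0';

        if (g_bMainThread == TRUE && ProcessId != System && ProcessId != dwParentPID) {
            ULONG dwParentTID = HandleToUlong(PsGetCurrentThreadId());

            RtlCopyMemory(parentName, (PCHAR)ParentEProcess + ProcessNameOffset, sizeof(parentName) - 1);
            parentName[sizeof(parentName) - 1] = '\0';

            DbgPrint("caller: Name=%s PID=%u TID=%u\t\tcalled: Name=%s PID=%u TID=%u\n",
                     parentName, dwParentPID, dwParentTID, imageName, ProcessId, HandleToUlong(TId));

            // NOTE(review): g_bMainThread is an unsynchronised global, so two
            // processes created concurrently can steal each other's "first
            // thread" line. Tolerable for debug output, not for enforcement.
            g_bMainThread = FALSE;
        }

        DbgPrint("CREATE THREAD = PROCESS NAME: %s PROCESS ID: %u, THREAD ID: %u\n",
                 imageName, ProcessId, HandleToUlong(TId));
    } else {
        DbgPrint("TERMINATED == THREAD ID: %u\n", HandleToUlong(TId));
    }

    // Both lookups returned referenced objects; release them on every path.
    ObDereferenceObject(ParentEProcess);
    ObDereferenceObject(EProcess);
}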

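// Image-load callback for PsSetLoadImageNotifyRoutine. Defined here but, in
// the visible DriverEntry, not registered. Logs the image path, the PID it is
// mapped into, and its base address and size to the debugger.
VOID ImageCreateMon (IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo )
{
    // FullImageName may be NULL (the callback contract allows it), and its
    // Buffer is a counted string that is not guaranteed NUL-terminated: %wZ
    // prints it by Length, whereas the original %S on Buffer could read past
    // the end of the string.
    if (FullImageName != NULL) {
        DbgPrint("FullImageName: %wZ,Process ID: %u\n", FullImageName, HandleToUlong(ProcessId));
    } else {
        DbgPrint("FullImageName: (null),Process ID: %u\n", HandleToUlong(ProcessId));
    }

    // ImageBase is a pointer: %p rather than %x, which truncates on x64.
    // ImageSize is a SIZE_T; it is narrowed explicitly for %u (images larger
    // than 4 GiB are not a realistic case here).
    DbgPrint("ImageBase: %p,ImageSize: %u\n", ImageInfo->ImageBase, (ULONG)ImageInfo->ImageSize);
}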

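// Finds the byte offset of the image-name field inside EPROCESS by scanning
// the current process object for the string "System". Only meaningful when
// called from DriverEntry, where the current process is the System process;
// the result feeds every process-name print in the callbacks above.
// Returns the offset, or 0 if the name is not found within the first 12 KiB.
ULONG GetProcessNameOffset()
{
    PEPROCESS curproc = PsGetCurrentProcess();
    PCHAR     base    = (PCHAR)curproc;
    size_t    nameLen = strlen(SYSNAME);   // invariant; hoisted out of the loop
    ULONG     offset;

    // Heuristic, not an API: the EPROCESS layout is undocumented, so the name
    // is probed for rather than hard-coded per build. NOTE(review): this is a
    // blind read beyond the known object. The field presumably sits early in
    // the structure, so the 3-page cap is a safety margin -- but if the name
    // were ever absent the scan could walk into unmapped pool before the cap.
    for (offset = 0; offset < 3 * PAGE_SIZE; offset++) {
        if (strncmp(SYSNAME, base + offset, nameLen) == 0) {
            return offset;
        }
    }

    // Not found; DriverEntry treats 0 as a fatal load error.
    return 0;
}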