内核层监控进程 线程 创建和销毁
2017-09-02 17:38
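#include "ntddk.h"
#include "windef.h"
#include "string.h"

#define SYSNAME "System"

/* Byte offset of the ImageFileName field inside EPROCESS, located by
 * GetProcessNameOffset() in DriverEntry. 0 means "not found". */
ULONG ProcessNameOffset = 0;

ULONG GetProcessNameOffset(void);
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
/* The kernel exports this routine with a HANDLE parameter. The earlier
 * ULONG redeclaration clashed with the WDK header and forced the
 * HandleToUlong()/#ifdef _AMD64_ detours in the callbacks below. */
NTSTATUS NTAPI PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS *pEProcess);
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
//VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);

/*
 * Driver entry point.
 *
 * Creates the control device and its DOS symbolic link, locates the
 * image-name offset inside EPROCESS and registers the thread-creation
 * callback. Every failure path undoes what was already created: the
 * previous version leaked the symbolic link when GetProcessNameOffset()
 * or PsSetCreateThreadNotifyRoutine() failed.
 *
 * Returns STATUS_SUCCESS, or the failing call's status
 * (STATUS_UNSUCCESSFUL if the image-name offset was not found).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;
    BOOLEAN linkCreated = FALSE;
    int i;

    UNREFERENCED_PARAMETER(RegistryPath);

    // Create the device object.
    RtlInitUnicodeString(&nameString, L"\\Device\\ProcWatch");
    status = IoCreateDevice(DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");
    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status)) {
        goto fail;
    }
    linkCreated = TRUE;

    // Without the offset the callbacks would print garbage for the name.
    ProcessNameOffset = GetProcessNameOffset();
    if (ProcessNameOffset == 0) {
        status = STATUS_UNSUCCESSFUL;
        goto fail;
    }

    //status = PsSetLoadImageNotifyRoutine(ImageCreateMon);
    //if (!NT_SUCCESS(status))
    //{
    //    DbgPrint("PsSetLoadImageNotifyRoutine()\n");
    //    goto fail;
    //}

    status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail;
    }

    // NOTE: while this stays disabled, ProcessCreateMon never runs, so
    // g_bMainThread is never set and the caller/callee trace in
    // ThreadCreateMon never fires. Enable it together with the matching
    // removal in DriverUnload.
    //status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    //if (!NT_SUCCESS(status))
    //{
    //    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
    //    DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
    //    goto fail;
    //}

    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = CommonDispatch;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;

fail:
    if (linkCreated) {
        IoDeleteSymbolicLink(&linkString);
    }
    IoDeleteDevice(deviceObject);
    return status;
}

/*
 * Unload: unregister the callbacks registered in DriverEntry, then tear
 * down the symbolic link and the device. Only the thread callback is
 * registered there, so only that one is removed here; the process-notify
 * removal is kept commented next to its commented registration.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkString;

    //PsRemoveLoadImageNotifyRoutine(ImageCreateMon);
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
    //PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

    RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");
    IoDeleteSymbolicLink(&linkString);
    IoDeleteDevice(DriverObject->DeviceObject);
}

/*
 * Dispatch routine for every major function on the control device:
 * completes the IRP successfully with no data transferred.
 *
 * The status is captured before completion because the IRP may be
 * freed as soon as IoCompleteRequest returns; the previous version read
 * Irp->IoStatus.Status after completing it.
 */
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

HANDLE g_dwProcessId;           // unused; kept because it has external linkage
// Set by ProcessCreateMon on process creation, cleared by ThreadCreateMon
// after the first cross-process thread it traces. Plain global shared by
// callbacks that can run concurrently; the gating is best-effort only.
BOOL g_bMainThread = FALSE;

/*
 * Process create/exit callback (PCREATE_PROCESS_NOTIFY_ROUTINE).
 *
 * hParentId - creator process id
 * PId       - id of the process being created or terminated
 * bCreate   - TRUE on creation, FALSE on termination
 *
 * PsLookupProcessByProcessId returns a referenced EPROCESS; the reference
 * is released before returning. The previous version never released it,
 * so every notification leaked one reference and the process object could
 * never be freed.
 */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL;
    LPTSTR lpCurProc;
    NTSTATUS status;

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    if (bCreate) {
        g_bMainThread = TRUE;
        // ImageFileName lives at ProcessNameOffset bytes into EPROCESS.
        lpCurProc = (LPTSTR)EProcess + ProcessNameOffset;
        // %p for the EPROCESS address: %x truncated it on 64-bit builds.
        DbgPrint("CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %lu, PROCESS ID: %lu, PROCESS ADDRESS %p:\n",
                 lpCurProc, HandleToUlong(hParentId), HandleToUlong(PId), EProcess);
    } else {
        DbgPrint("TERMINATED == PROCESS ID: %lu\n", HandleToUlong(PId));
    }

    ObDereferenceObject(EProcess);
}

/*
 * Thread create/exit callback (PCREATE_THREAD_NOTIFY_ROUTINE).
 *
 * PId     - id of the process that will own the new thread (not
 *           necessarily the creator)
 * TId     - id of the thread being created or terminated
 * bCreate - TRUE on creation, FALSE on termination
 *
 * The callback runs in the context of the creating thread, so
 * PsGetCurrentProcessId() is the creator. When the owner differs from
 * the creator (a thread created into another process) the caller and
 * callee are logged once after each process creation, gated by
 * g_bMainThread; that is the only place this driver surfaces
 * cross-process thread creation.
 *
 * Both lookups are now checked individually (the previous version only
 * checked the second and would dereference an uninitialised EProcess if
 * the first failed) and both references are released.
 */
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL, ParentEProcess = NULL;
    LPTSTR lpCurProc, lpParentProc;
    NTSTATUS status;
    HANDLE System = (HANDLE)4;
    // The creating process (the caller).
    HANDLE dwParentPID = PsGetCurrentProcessId();
    // The process that contains the thread, not the one creating it.
    HANDLE ProcessId = PId;

    status = PsLookupProcessByProcessId(ProcessId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }
    status = PsLookupProcessByProcessId(dwParentPID, &ParentEProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        ObDereferenceObject(EProcess);
        return;
    }

    if (bCreate) {
        lpCurProc = (LPTSTR)EProcess + ProcessNameOffset;
        if ((g_bMainThread == TRUE) && (ProcessId != System) && (ProcessId != dwParentPID)) {
            HANDLE dwParentTID = PsGetCurrentThreadId();
            lpParentProc = (LPTSTR)ParentEProcess + ProcessNameOffset;
            DbgPrint("caller: Name=%s PID=%lu TID=%lu\t\tcalled: Name=%s PID=%lu TID=%lu\n",
                     lpParentProc, HandleToUlong(dwParentPID), HandleToUlong(dwParentTID),
                     lpCurProc, HandleToUlong(ProcessId), HandleToUlong(TId));
            g_bMainThread = FALSE;
        }
        DbgPrint("CREATE THREAD = PROCESS NAME: %s PROCESS ID: %lu, THREAD ID: %lu\n",
                 lpCurProc, HandleToUlong(PId), HandleToUlong(TId));
    } else {
        DbgPrint("TERMINATED == THREAD ID: %lu\n", HandleToUlong(TId));
    }

    ObDereferenceObject(ParentEProcess);
    ObDereferenceObject(EProcess);
}

/*
 * Image-load callback (PLOAD_IMAGE_NOTIFY_ROUTINE); not registered while
 * the PsSetLoadImageNotifyRoutine call in DriverEntry stays disabled.
 *
 * FullImageName is a counted UNICODE_STRING whose Buffer need not be
 * NUL-terminated, so it is printed with %wZ rather than %S, and it may be
 * NULL for some loads.
 */
VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    if (FullImageName != NULL) {
        DbgPrint("FullImageName: %wZ,Process ID: %lu\n", FullImageName, HandleToUlong(ProcessId));
    } else {
        DbgPrint("FullImageName: (null),Process ID: %lu\n", HandleToUlong(ProcessId));
    }
    DbgPrint("ImageBase: %p,ImageSize: %I64u\n", ImageInfo->ImageBase, (ULONGLONG)ImageInfo->ImageSize);
}

/*
 * Locate the ImageFileName field inside EPROCESS by scanning the current
 * process (DriverEntry runs in the System process, whose name is
 * SYSNAME) for that string.
 *
 * EPROCESS is undocumented and its layout changes between kernel
 * versions, which is why an offset is probed instead of hard-coded. The
 * 12KB bound is a guess; the scan is now bounded so the comparison never
 * reads past that window. Newer kernels export PsGetProcessImageFileName,
 * which avoids the scan entirely.
 *
 * Returns the byte offset, or 0 if the name was not found.
 */
ULONG GetProcessNameOffset(void)
{
    PEPROCESS curproc;
    ULONG i;
    size_t nameLen = strlen(SYSNAME);
    const ULONG scanLimit = 3 * PAGE_SIZE;

    curproc = PsGetCurrentProcess();

    // Scan 12KB, hoping the EPROCESS never grows that big.
    for (i = 0; i + nameLen <= scanLimit; i++) {
        if (strncmp(SYSNAME, (PCHAR)curproc + i, nameLen) == 0) {
            return i;
        }
    }

    // Name not found.
    return 0;
}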