内核层监控进程 线程 创建和销毁

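#include "ntddk.h"
#include "windef.h"
#include "string.h"

/* Image-file-name the System process carries inside its EPROCESS; used by
 * GetProcessNameOffset() to locate the (undocumented) name field at runtime. */
#define SYSNAME "System"

/* PID of the System process (fixed at 4 on NT). */
#define SYSTEM_PROCESS_ID ((HANDLE)4)

/* Byte offset of the image-file-name field inside EPROCESS, discovered once in
 * DriverEntry. 0 means "not found" and DriverEntry fails in that case. */
ULONG ProcessNameOffset = 0;

ULONG    GetProcessNameOffset(VOID);
VOID     DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
/* Declared with the kernel export's real signature (the PID is a HANDLE, not a
 * ULONG, which also matters on 64-bit). On success the returned EPROCESS is
 * referenced and must be released with ObDereferenceObject(). */
NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS *Process);
VOID     ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate);
VOID     ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate);
VOID     ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo);

/* Driver entry: create the control device and its DOS link, resolve the
 * EPROCESS name offset and register the thread-creation callback. Every
 * failure path releases what was acquired before it (device AND link). */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING nameString, linkString;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS       status;
    int            i;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Create the device object. */
    RtlInitUnicodeString(&nameString, L"\\Device\\ProcWatch");
    status = IoCreateDevice(DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");
    status = IoCreateSymbolicLink(&linkString, &nameString);
    if (!NT_SUCCESS(status)) {
        goto fail_device;
    }

    ProcessNameOffset = GetProcessNameOffset();
    if (ProcessNameOffset == 0) {
        /* Without the offset every callback would print garbage; refuse to load. */
        status = STATUS_UNSUCCESSFUL;
        goto fail_link;
    }

    //status = PsSetLoadImageNotifyRoutine(ImageCreateMon);
    //if (!NT_SUCCESS(status))
    //{
    //    DbgPrint("PsSetLoadImageNotifyRoutine()\n");
    //    goto fail_link;
    //}

    status = PsSetCreateThreadNotifyRoutine(ThreadCreateMon);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetCreateThreadNotifyRoutine()\n");
        goto fail_link;
    }

    /* Process-creation notification is currently disabled. Note that
     * g_bMainThread is only ever set to TRUE by ProcessCreateMon, so while this
     * stays commented out the "caller/called" branch in ThreadCreateMon is
     * never taken. */
    //status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
    //if (!NT_SUCCESS(status))
    //{
    //    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
    //    DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
    //    goto fail_link;
    //}

    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries; fill them all. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = CommonDispatch;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;

fail_link:
    IoDeleteSymbolicLink(&linkString);
fail_device:
    IoDeleteDevice(deviceObject);
    return status;
}

/* Unload: unregister callbacks first (so no callback can run against a
 * vanished device), then tear down the link and the device. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING linkString;

    //PsRemoveLoadImageNotifyRoutine(ImageCreateMon);
    PsRemoveCreateThreadNotifyRoutine(ThreadCreateMon);
    /* Registration of ProcessCreateMon is commented out in DriverEntry; removing
     * a routine that was never registered just yields a failure status, which is
     * ignored here. Keeping the call makes unload correct if it is re-enabled. */
    PsSetCreateProcessNotifyRoutine(ProcessCreateMon, TRUE);

    RtlInitUnicodeString(&linkString, L"\\DosDevices\\ProcWatch");
    IoDeleteSymbolicLink(&linkString);
    IoDeleteDevice(DriverObject->DeviceObject);
}

/* Dispatch for every IRP major function: complete the request successfully
 * with no data transferred. The IRP must not be touched after
 * IoCompleteRequest(), so the status is returned from a constant. */
NTSTATUS CommonDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0L;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

HANDLE g_dwProcessId;   /* unused in this file */
/* Set by ProcessCreateMon on process creation and cleared by ThreadCreateMon
 * after the first foreign thread creation is logged. Plain global shared by
 * callbacks that may run concurrently on different CPUs — not synchronized;
 * at worst a "caller/called" line is printed twice or skipped. */
BOOL   g_bMainThread;

/* Process create/exit callback: logs the image name, PID, parent PID and
 * EPROCESS address on creation, and the PID on termination. */
VOID ProcessCreateMon(IN HANDLE hParentId, IN HANDLE PId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL;
    NTSTATUS  status;

    if (!bCreate) {
        DbgPrint("TERMINATED == PROCESS ID: %p\n", PId);
        return;
    }

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    g_bMainThread = TRUE;
    /* %p for HANDLE/pointer values keeps the format correct on 32- and 64-bit. */
    DbgPrint("CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %p, PROCESS ID: %p, PROCESS ADDRESS %p:\n",
             (PCHAR)EProcess + ProcessNameOffset, hParentId, PId, EProcess);

    /* PsLookupProcessByProcessId returned a referenced object. */
    ObDereferenceObject(EProcess);
}

/* Thread create/exit callback. PId is the process that will CONTAIN the new
 * thread; the process CREATING it is the current process, because this
 * callback runs in the creating thread's context. */
VOID ThreadCreateMon(IN HANDLE PId, IN HANDLE TId, IN BOOLEAN bCreate)
{
    PEPROCESS EProcess = NULL;
    PEPROCESS ParentEProcess = NULL;
    HANDLE    creatorPid;
    NTSTATUS  status;

    if (!bCreate) {
        DbgPrint("TERMINATED == THREAD ID: %p\n", TId);
        return;
    }

    creatorPid = PsGetCurrentProcessId();

    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsLookupProcessByProcessId()\n");
        return;
    }

    /* First thread created in a process other than System and other than the
     * creator itself: log who created it. */
    if ((g_bMainThread != FALSE) && (PId != SYSTEM_PROCESS_ID) && (PId != creatorPid)) {
        status = PsLookupProcessByProcessId(creatorPid, &ParentEProcess);
        if (NT_SUCCESS(status)) {
            DbgPrint("caller: Name=%s PID=%p TID=%p\t\tcalled: Name=%s PID=%p TID=%p\n",
                     (PCHAR)ParentEProcess + ProcessNameOffset, creatorPid, PsGetCurrentThreadId(),
                     (PCHAR)EProcess + ProcessNameOffset, PId, TId);
            ObDereferenceObject(ParentEProcess);
        } else {
            DbgPrint("PsLookupProcessByProcessId()\n");
        }
        g_bMainThread = FALSE;
    }

    DbgPrint("CREATE THREAD = PROCESS NAME: %s PROCESS ID: %p, THREAD ID: %p\n",
             (PCHAR)EProcess + ProcessNameOffset, PId, TId);

    ObDereferenceObject(EProcess);
}

/* Image-load callback (registration currently commented out in DriverEntry).
 * FullImageName may be NULL, and its buffer is not guaranteed to be
 * NUL-terminated, so it is printed as a counted UNICODE_STRING (%wZ).
 * ProcessId is 0 for kernel-mode images. */
VOID ImageCreateMon(IN PUNICODE_STRING FullImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    if (FullImageName != NULL && FullImageName->Buffer != NULL) {
        DbgPrint("FullImageName: %wZ,Process ID: %p\n", FullImageName, ProcessId);
    } else {
        DbgPrint("FullImageName: <unknown>,Process ID: %p\n", ProcessId);
    }
    DbgPrint("ImageBase: %p,ImageSize: %lu\n", ImageInfo->ImageBase, (ULONG)ImageInfo->ImageSize);
}

/* Locate the image-file-name field inside EPROCESS by scanning the current
 * process's EPROCESS for "System". Assumes DriverEntry runs in the System
 * process (otherwise the scan finds nothing and returns 0). The offset is
 * undocumented and differs between OS builds, hence the runtime probe.
 *
 * Returns the byte offset, or 0 if the name was not found within 12KB. The
 * scan may read past the end of the EPROCESS allocation; it relies on the
 * surrounding pool being mapped. */
ULONG GetProcessNameOffset(VOID)
{
    PCHAR  curproc = (PCHAR)PsGetCurrentProcess();
    size_t nameLen = strlen(SYSNAME);
    ULONG  i;

    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (strncmp(SYSNAME, curproc + i, nameLen) == 0) {
            return i;
        }
    }
    /* Name not found. */
    return 0;
}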
