进程创建监控x86
Hook_ZwCreateSection
XP: CreateProcessW → CreateProcessInternalW → NtCreateProcessEx → ZwCreateSection
Vista 及以上: CreateProcessW → CreateProcessInternalW → NtCreateUserProcess → ZwCreateSection(此为作者给出的调用链;Vista 起主镜像节是否仍然经由该 SSDT 表项分派、而非内核内部直接调用,文中未做验证,使用前应自行确认)
关键代码:
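#include "precomp.h"

/*
 * Process-creation monitor, x86 only.
 *
 * Mechanism: the SSDT slots of ZwCreateSection / ZwOpenSection are swapped for
 * the proxies below by clearing CR0.WP and patching KeServiceDescriptorTable.
 * The executable image-section creation that precedes a process start is
 * intercepted, the target image path is resolved from FileHandle, and a
 * user-mode component (GetResultFromUser, declared in precomp.h) decides
 * whether the creation proceeds.
 *
 * Caveats a reviewer wants stated up front:
 *  - SSDT patching is unsupported. The SYSTEMSERVICE index trick (reading the
 *    imm32 of the Zw* stub) and the LONG casts are x86-specific, and on x64
 *    PatchGuard bugchecks on a modified table. PsSetCreateProcessNotifyRoutineEx
 *    is the supported way to veto process creation.
 *  - There is no unload protocol: a thread still inside a proxy when the
 *    driver image is unmapped faults. RemoveHook cannot fix that.
 *  - Whether Vista+ process creation still dispatches the image section
 *    through this table entry is asserted by the article, not verified here.
 */

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; /* used only in checked builds */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * Resolve the SSDT slot of a Zw* export. On x86 the exported stub begins with
 * "mov eax, <service index>" (B8 imm32), so the index is the dword at +1.
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT  SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable

void StartHook(void);
void RemoveHook(void);

/*
 * Both typedefs and both proxies are explicitly NTAPI (__stdcall): the SSDT
 * slots are called with the system-service convention, and the original
 * typedefs relied on the project's default convention, which would corrupt the
 * stack if it were cdecl. HOOK_NtCreateSection already used NTAPI; the rest is
 * made consistent with it.
 */
typedef NTSTATUS (NTAPI *ZWCREATESECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER MaximumSize OPTIONAL,
    IN ULONG PageAttributess,
    IN ULONG SectionAttributes,
    IN HANDLE FileHandle OPTIONAL);

typedef NTSTATUS (NTAPI *ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

NTSTATUS NTAPI Hook_ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

NTSTATUS NTAPI HOOK_NtCreateSection(
    PHANDLE SectionHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PLARGE_INTEGER SectionSize,
    ULONG Protect,
    ULONG Attributes,
    HANDLE FileHandle);

/* Saved originals; NULL until StartHook has run. */
static ZWCREATESECTION OldZwCreateSection;
static ZWOPENSECTION OldZwOpenSection;
/* Set while the proxies are installed; guards double-install and bare unhook. */
static BOOLEAN HooksInstalled;

/*
 * Proxy for ZwOpenSection: a pure pass-through, it adds no policy.
 */
NTSTATUS NTAPI Hook_ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes)
{
    return OldZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
}

/*
 * TRUE when Name ends with Suffix, compared case-insensitively: NTFS paths are
 * case-insensitive, so the original exact-case compare was evaded by renaming
 * the target to WINOBJ.EXE. A Name shorter than Suffix never matches; the
 * original computed Buffer + Length - wcslen(Suffix) without that check and
 * read before the start of the buffer for short paths.
 */
static BOOLEAN PathEndsWith(const UNICODE_STRING *Name, PCWSTR Suffix)
{
    UNICODE_STRING suffix;
    UNICODE_STRING tail;

    RtlInitUnicodeString(&suffix, Suffix);
    if (Name == NULL || Name->Buffer == NULL || Name->Length < suffix.Length) {
        return FALSE;
    }

    tail.Buffer = (PWCH)((PUCHAR)Name->Buffer + (Name->Length - suffix.Length));
    tail.Length = suffix.Length;
    tail.MaximumLength = suffix.Length;
    return RtlEqualUnicodeString(&tail, &suffix, TRUE);
}

/*
 * Decide whether an executable image-section creation for FileHandle must be
 * refused. Only images whose DOS path ends in Winobj.exe — and not
 * PopupClient.exe, the exclusion kept from the original — are subject to
 * policy; for those the target and the current (creating) process path are
 * logged and GetResultFromUser() is consulted.
 *
 * FileHandle comes from the caller, normally user mode. It is referenced as a
 * FILE_OBJECT at the caller's previous mode, so a handle of another object
 * type, or a kernel-handle value passed from user mode, is rejected here. The
 * original passed ObjectType NULL and KernelMode, which accepted any object
 * and then handed it to IoQueryFileDosDeviceName as a file object.
 *
 * Returns TRUE only for an explicit refusal. Lookup failures fall through to
 * the real ZwCreateSection as before, with one deliberate change: a failed
 * parent-path lookup no longer skips the prompt (the parent path is only
 * logged, and the original silently allowed the target when that lookup
 * failed, e.g. because the path did not fit the MAX_PATH buffer).
 */
static BOOLEAN DenyImageSection(HANDLE FileHandle)
{
    PFILE_OBJECT fileObject = NULL;
    POBJECT_NAME_INFORMATION dosName = NULL;
    WCHAR parentBuf[MAX_PATH] = {0};
    UNICODE_STRING parentPath;
    NTSTATUS status;
    BOOLEAN deny = FALSE;

    status = ObReferenceObjectByHandle(FileHandle,
                                       0,
                                       *IoFileObjectType,
                                       ExGetPreviousMode(),
                                       (PVOID *)&fileObject,
                                       NULL);
    if (!NT_SUCCESS(status)) {
        return FALSE;
    }

    __try {
        /* The OBJECT_NAME_INFORMATION returned here is ours to ExFreePool. */
        if (!NT_SUCCESS(IoQueryFileDosDeviceName(fileObject, &dosName))) {
            dosName = NULL;
            __leave;
        }

        if (!PathEndsWith(&dosName->Name, L"Winobj.exe") ||
            PathEndsWith(&dosName->Name, L"PopupClient.exe")) {
            __leave;
        }

        DbgPrint("Target:%wZ\n", &dosName->Name);

        parentPath.Buffer = parentBuf;
        parentPath.Length = 0;
        parentPath.MaximumLength = sizeof(parentBuf);
        status = ntGetProcessFullNameByPid(PsGetCurrentProcessId(), &parentPath);
        if (NT_SUCCESS(status)) {
            DbgPrint("Parent:%wZ\n", &parentPath);
        } else {
            /* Informational only; see the function comment. */
            DbgPrint("Parent: <unresolved> status=0x%08X\n", status);
        }

        deny = (GetResultFromUser() != R3Result_Pass);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Same fail-open as the original, but without leaking the references below. */
        deny = FALSE;
    }

    if (dosName != NULL) {
        ExFreePool(dosName);
    }
    ObDereferenceObject(fileObject);
    return deny;
}

/*
 * Proxy for ZwCreateSection. The slot is resolved through the ZwCreateSection
 * stub, so this sees NtCreateSection calls from user mode and Zw calls from
 * kernel mode alike.
 *
 * Policy applies only to sections that look like a process image mapping:
 * Protect has PAGE_EXECUTE set, Attributes is exactly SEC_IMAGE, and a backing
 * FileHandle is supplied. Note that PAGE_EXECUTE is 0x10 and the other execute
 * protections are separate bits (0x20/0x40/0x80), so PAGE_EXECUTE_READ and
 * friends do not satisfy this test — consistent with the original, whose
 * commented-out list shows they were considered and left out.
 *
 * A refused creation returns STATUS_ACCESS_DENIED and leaves *SectionHandle
 * untouched. The original returned STATUS_SUCCESS without writing the handle,
 * so the caller proceeded with an uninitialised HANDLE as if it were valid.
 */
NTSTATUS NTAPI HOOK_NtCreateSection(
    PHANDLE SectionHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PLARGE_INTEGER SectionSize,
    ULONG Protect,
    ULONG Attributes,
    HANDLE FileHandle)
{
    BOOLEAN imageLike = (Protect & PAGE_EXECUTE) != 0 &&
                        Attributes == SEC_IMAGE &&
                        FileHandle != NULL;

    if (imageLike && DenyImageSection(FileHandle)) {
        return STATUS_ACCESS_DENIED;
    }

    return OldZwCreateSection(SectionHandle, DesiredAccess, ObjectAttributes,
                              SectionSize, Protect, Attributes, FileHandle);
}

/*
 * Clear CR0.WP so the read-only SSDT page can be written. Interrupts stay
 * masked until WpEnable(): CR0 is per-CPU, so being preempted between the two
 * CR0 writes and resumed on another CPU would leave WP cleared on the first
 * CPU and fault on the second. The original toggled WP with interrupts enabled.
 */
static void WpDisable(void)
{
    __asm {
        cli
        push eax
        mov eax, cr0
        and eax, 0FFFEFFFFh
        mov cr0, eax
        pop eax
    }
}

/* Set CR0.WP again and re-enable interrupts; pairs with WpDisable(). */
static void WpEnable(void)
{
    __asm {
        push eax
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        pop eax
        sti
    }
}

/*
 * Install both proxies. A second call is a no-op: without the guard it would
 * store our own proxy into OldZw* and recurse on the next NtCreateSection.
 */
void StartHook(void)
{
    if (HooksInstalled) {
        return;
    }

    WpDisable();
    OldZwCreateSection = (ZWCREATESECTION)InterlockedExchange(
        (PLONG)&SDT(ZwCreateSection), (LONG)HOOK_NtCreateSection);
    OldZwOpenSection = (ZWOPENSECTION)InterlockedExchange(
        (PLONG)&SDT(ZwOpenSection), (LONG)Hook_ZwOpenSection);
    WpEnable();

    HooksInstalled = TRUE;
}

/*
 * Put the saved originals back. A no-op when StartHook never ran: the original
 * wrote the still-NULL OldZw* pointers into the table, so every subsequent
 * NtCreateSection / NtOpenSection would have jumped to address 0.
 *
 * OldZw* are intentionally left set: a thread already inside a proxy may still
 * need them to complete its pass-through call.
 */
void RemoveHook(void)
{
    if (!HooksInstalled) {
        return;
    }

    WpDisable();
    InterlockedExchange((PLONG)&SDT(ZwCreateSection), (LONG)OldZwCreateSection);
    InterlockedExchange((PLONG)&SDT(ZwOpenSection), (LONG)OldZwOpenSection);
    WpEnable();

    HooksInstalled = FALSE;
}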
更好的做法是使用 PsSetCreateProcessNotifyRoutineEx:这是微软文档化、受支持的进程创建回调,不需要修改 SSDT 或关闭 CR0.WP,在 x64 上也不会触发 PatchGuard,并且可以直接在回调里通过 CreateInfo->CreationStatus 拒绝进程创建。注意该接口要求驱动以 /INTEGRITYCHECK 链接并正确签名。