内核进程监控框架
//win7 x64下測試通過:
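#include <ntifs.h>
#include <ntddk.h>

VOID UnloadDriver(PDRIVER_OBJECT pDriver);

/*
 * Process create/exit callback registered with PsSetCreateProcessNotifyRoutine.
 * The parameter list must match PCREATE_PROCESS_NOTIFY_ROUTINE exactly: the
 * kernel passes two HANDLE-typed process ids and a BOOLEAN, never an EPROCESS
 * pointer, so the definition has to use the same types as this declaration.
 */
VOID
CreateProcessRoutineSpy(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );

/*
 * Both routines are exported by the kernel but not declared in the public WDK
 * headers, hence the typedefs and the run-time lookup below. Kernel exports use
 * the standard kernel calling convention (NTAPI); the original __fastcall only
 * worked because x64 has a single calling convention, it would be wrong on x86.
 */
typedef PPEB (NTAPI *P_PsGetProcessPeb)(PEPROCESS Process);
typedef CHAR *(NTAPI *F_QueryProcessImageFileName)(PEPROCESS Process);

/* Resolved in DriverEntry; stay NULL if resolution fails. */
P_PsGetProcessPeb PsGetProcessPeb = NULL;
F_QueryProcessImageFileName QueryProcessImageFileName = NULL;

/*
 * Driver entry point: resolve the two private routines, then register the
 * process notify callback and the unload routine.
 *
 * pDriver  - driver object; receives the DriverUnload pointer on success.
 * Registry - service key path (unused).
 *
 * Returns STATUS_SUCCESS once the callback is installed, otherwise a failing
 * NTSTATUS so the loader discards the image. The previous version returned
 * STATUS_SUCCESS from both resolution-failure paths, which left the driver
 * resident with no callback and no unload routine (it could not be unloaded).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING Registry)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING unstrFunName;

    UNREFERENCED_PARAMETER(Registry);

    KdPrint(("[SysTest] DriverEntry Loading.\n"));

    RtlInitUnicodeString(&unstrFunName, L"PsGetProcessPeb");
    PsGetProcessPeb = (P_PsGetProcessPeb)MmGetSystemRoutineAddress(&unstrFunName);
    if (PsGetProcessPeb == NULL) {
        DbgPrint("PsGetProcessPeb Resolve Failed");
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    /* Debug-only: this writes a kernel address to the debugger output. */
    DbgPrint("PsGetProcessPeb:%p", PsGetProcessPeb);

    RtlInitUnicodeString(&unstrFunName, L"PsGetProcessImageFileName");
    QueryProcessImageFileName =
        (F_QueryProcessImageFileName)MmGetSystemRoutineAddress(&unstrFunName);
    if (QueryProcessImageFileName == NULL) {
        DbgPrint("PsGetProcessImageFileName Resolve Failed");
        return STATUS_PROCEDURE_NOT_FOUND;
    }

    /* FALSE = register; the callback runs for every process create and exit. */
    status = PsSetCreateProcessNotifyRoutine(CreateProcessRoutineSpy, FALSE);
    if (!NT_SUCCESS(status)) {
        KdPrint(("[SysTest] PsSetCreateProcessNotifyRoutine failed status:(%x).\n", status));
        return status;
    }

    /* Only now is there something for UnloadDriver to tear down. */
    pDriver->DriverUnload = UnloadDriver;

    return status;
}

//void LockFirefox(PEPROCESS CurrentProcess)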
//{
// PPEB iePeb = NULL;
// if (!PsGetProcessPeb){
// return;
// }
// iePeb = PsGetProcessPeb(CurrentProcess);
// KeAttachProcess(CurrentProcess);
// if (iePeb != NULL)
// {
// ULONG_PTR* param = (ULONG_PTR*)*((ULONG_PTR*)((ULONG_PTR)iePeb + 0x20));
// PUNICODE_STRING commandline = (PUNICODE_STRING)((ULONG_PTR)param + 0x70);
// commandline->MaximumLength += 100;
// NTSTATUS Sta = RtlAppendUnicodeToString(commandline, LockUrl);
// DbgPrint("sta:0x%x\n", Sta);
// DbgPrint("command:%ws\n", commandline->Buffer);
// }
// KeDetachProcess();
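//}

/*
 * Callback invoked by the kernel on every process creation and termination.
 *
 * ParentId  - id of the parent (creating) process.
 * ProcessId - id of the process being created or torn down.
 * Create    - TRUE on creation, FALSE on termination.
 *
 * The signature must match PCREATE_PROCESS_NOTIFY_ROUTINE; the earlier version
 * declared the first parameter as PEPROCESS, which disagrees with the forward
 * declaration and with what the kernel actually passes (a HANDLE-typed id).
 *
 * Fixes over the earlier version: the PsLookupProcessByProcessId result is
 * checked (a failed lookup previously passed NULL to QueryProcessImageFileName),
 * the reference it returns is released (previously leaked on every call, so
 * terminated processes could never be fully torn down), and the log format
 * specifiers match the 64-bit HANDLE arguments.
 */
VOID
CreateProcessRoutineSpy(
    __in HANDLE ParentId,
    __in HANDLE ProcessId,
    __in BOOLEAN Create
    )
{
    PEPROCESS CurrentProcess = NULL;
    CHAR *ProcessName = NULL;
    NTSTATUS status;

    /* Fails e.g. when the process is already gone; nothing to report then. */
    status = PsLookupProcessByProcessId(ProcessId, &CurrentProcess);
    if (!NT_SUCCESS(status) || CurrentProcess == NULL) {
        KdPrint(("[SysTest] PsLookupProcessByProcessId failed status:(%x).\n", status));
        return;
    }

    /* DriverEntry refuses to register this callback unless the routine resolved,
     * but a NULL check is cheap insurance against a crash in the notify path. */
    if (QueryProcessImageFileName != NULL) {
        ProcessName = QueryProcessImageFileName(CurrentProcess);
    }

    if (Create) {
        KdPrint(("[SysTest] Process Created. ParentId:(%u) Process:(%s).\n",
                 HandleToULong(ParentId), ProcessName ? ProcessName : "<unknown>"));
        /*
         * NOTE(review): the returned name is presumably the short image name
         * held in the EPROCESS (truncated, no path, and chosen by whoever
         * started the process), so a substring match is a hint for logging,
         * not a trustworthy identification of the process.
         */
        if (ProcessName != NULL && strstr(ProcessName, "chrome.exe") != NULL) {
            //LockFirefox(CurrentProcess);
        }
    } else {
        KdPrint(("[SysTest] Process Terminated ProcessId:(%u).ParentId:(%u) .\n",
                 HandleToULong(ProcessId), HandleToULong(ParentId)));
    }

    /* PsLookupProcessByProcessId returned a referenced object; release it only
     * after the last use of ProcessName, whose storage is tied to that object. */
    ObDereferenceObject(CurrentProcess);
}

/*
 * Unload routine: remove the process notify callback.
 *
 * DriverUnload cannot veto the unload, so if deregistration fails the best we
 * can do is log it loudly; the earlier version unloaded silently in that case,
 * leaving the kernel with a callback pointer into an unmapped image.
 */
VOID UnloadDriver(PDRIVER_OBJECT pDriver)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDriver);

    /* TRUE = remove the routine registered in DriverEntry. */
    status = PsSetCreateProcessNotifyRoutine(CreateProcessRoutineSpy, TRUE);
    if (NT_SUCCESS(status)) {
        KdPrint(("[SysTest] UnloadDriver.\n"));
    } else {
        KdPrint(("[SysTest] PsSetCreateProcessNotifyRoutine remove failed status:(%x).\n", status));
    }
}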
總結