vs設置:“項目-屬性-鏈接器-命令行”位置添加 /INTEGRITYCHECK 即可(設置 IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 標志),不然 PsSetCreateProcessNotifyRoutineEx 注冊回調的時候會失敗,返回 STATUS_ACCESS_DENIED
參考:https://xiaodaozhi.com/kernel/18.html
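#include <ntddk.h>

/*
 * Minimal process-creation monitor built on PsSetCreateProcessNotifyRoutineEx.
 *
 * Build requirement: the kernel only accepts "Ex" process-notify callbacks
 * from images linked with /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY).
 * Without that flag the registration call fails with STATUS_ACCESS_DENIED.
 */

/* Prototype of PsSetCreateProcessNotifyRoutineEx; the address is resolved at run time. */
typedef NTSTATUS (*PPsSetCreateProcessNotifyRoutineEx)(
    _In_ PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
    _In_ BOOLEAN Remove);

/* Resolved entry point, or NULL when the running kernel does not export it. */
static PPsSetCreateProcessNotifyRoutineEx pPsSetCreateProcessNotifyRoutineEx = NULL;

/* TRUE while CreateProcessNotifyEx is registered, so Unload deregisters exactly once. */
static BOOLEAN bRegister = FALSE;

/*
 * Process create / exit notification (PCREATE_PROCESS_NOTIFY_ROUTINE_EX).
 *
 * Process    - EPROCESS of the process being created or exiting (unused here).
 * ProcessId  - process id of that process.
 * CreateInfo - creation details, or NULL when the process is exiting.
 *
 * Runs at PASSIVE_LEVEL in the context of the creating thread (creation) or of
 * the last thread of the exiting process (exit). Keep it short and never block;
 * every process start on the machine waits on this routine.
 *
 * To veto a creation, set CreateInfo->CreationStatus to a failure code such as
 * STATUS_ACCESS_DENIED; this sample only logs.
 */
VOID CreateProcessNotifyEx(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    /* Thread the notification is delivered on (see contract above). */
    HANDLE currentThreadId = PsGetCurrentThreadId();

    UNREFERENCED_PARAMETER(Process);

    if (CreateInfo == NULL) {
        /*
         * Exit notification. HANDLE is pointer-sized, so it must not be printed
         * with %d on x64; HandleToULong yields the numeric id.
         */
        DbgPrint("ProcessDestory PID[%lu] ThreadID[%lu]\n",
                 HandleToULong(ProcessId), HandleToULong(currentThreadId));
        return;
    }

    /*
     * Two different "parents" are reported. ParentProcessId is the inheritable
     * parent, which the creator can choose (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
     * i.e. PPID spoofing); CreatingThreadId identifies the thread that actually
     * issued the create. Lineage-based detections should record both and treat a
     * mismatch as a signal rather than trust ParentProcessId alone.
     */
    DbgPrint("CreateProcess PID[%lu] ParentPID[%lu] CreatorPID[%lu] CreatorTID[%lu]\n",
             HandleToULong(ProcessId),
             HandleToULong(CreateInfo->ParentProcessId),
             HandleToULong(CreateInfo->CreatingThreadId.UniqueProcess),
             HandleToULong(CreateInfo->CreatingThreadId.UniqueThread));

    /*
     * ImageFileName is the name the image file was opened with only when
     * FileOpenNameAvailable is set; otherwise it is derived from the image
     * section and may not be the path the caller supplied. Treat it as
     * informational, not as the key for an allow/deny decision. The pointer is
     * not annotated _In_opt_, but %wZ on a NULL pointer would bugcheck, so the
     * NULL guard is deliberate defence in depth.
     */
    if (CreateInfo->ImageFileName != NULL) {
        DbgPrint("CreateProcess Name:%wZ (FileOpenNameAvailable=%u)\n",
                 CreateInfo->ImageFileName,
                 (ULONG)CreateInfo->FileOpenNameAvailable);
    } else {
        DbgPrint("CreateProcess Name:<none>\n");
    }

    /* CommandLine is declared _In_opt_ and is genuinely NULL for some processes. */
    if (CreateInfo->CommandLine != NULL) {
        DbgPrint("CreateProcess CommandLine:%wZ\n", CreateInfo->CommandLine);
    }
}

/*
 * DRIVER_UNLOAD: remove the notify callback if DriverEntry registered it.
 *
 * DriverUnload is a PDRIVER_UNLOAD, which returns VOID; the routine must match
 * that prototype (returning NTSTATUS through an incompatible function pointer
 * is undefined behaviour and a compiler warning).
 */
VOID Unload(_In_ PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);

    DbgPrint("unload driver\n");

    if (bRegister && pPsSetCreateProcessNotifyRoutineEx != NULL) {
        NTSTATUS status = pPsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
        if (!NT_SUCCESS(status)) {
            DbgPrint("Remove Process Notify Failed: 0x%08X\n", status);
        }
        bRegister = FALSE;
    }
}

/*
 * Driver entry point: resolve PsSetCreateProcessNotifyRoutineEx and register
 * the callback.
 *
 * driver  - the driver object; DriverUnload is set here.
 * RegPath - registry service path (unused).
 *
 * Returns STATUS_SUCCESS only when the callback is actually installed. A
 * monitoring driver that loads without its hook is a silent detection gap, so
 * lookup or registration failure fails the load instead of being swallowed.
 * DriverUnload is not invoked on a failed DriverEntry, and nothing has been
 * acquired at those points, so no cleanup is needed on the error paths.
 */
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT driver, _In_ PUNICODE_STRING RegPath)
{
    UNICODE_STRING uFunName;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegPath);

    DbgPrint("Driver Entry\n");
    driver->DriverUnload = Unload;

    /*
     * Resolve the export dynamically so the image still loads on kernels that
     * lack the routine; on such kernels the driver reports failure below.
     */
    RtlInitUnicodeString(&uFunName, L"PsSetCreateProcessNotifyRoutineEx");
    pPsSetCreateProcessNotifyRoutineEx =
        (PPsSetCreateProcessNotifyRoutineEx)MmGetSystemRoutineAddress(&uFunName);
    if (pPsSetCreateProcessNotifyRoutineEx == NULL) {
        DbgPrint("GetSetCreateProcessNotif Failed\n");
        return STATUS_PROCEDURE_NOT_FOUND;
    }

    /* Fails with STATUS_ACCESS_DENIED if the image was not linked with /INTEGRITYCHECK. */
    status = pPsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Register Process Notify Failed: 0x%08X\n", status);
        return status;
    }

    bRegister = TRUE;
    DbgPrint("Register Process Notify Success\n");
    return STATUS_SUCCESS;
}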